router: initial commit

hosts/router.home.ts.hillion.co.uk/default.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ../../modules/common/default.nix
+    ./hardware-configuration.nix
+    ./persist.nix
+  ];
+
+  config = {
+    system.stateVersion = "22.11";
+
+    networking.hostName = "router";
+    networking.domain = "home.ts.hillion.co.uk";
+
+    boot.loader.systemd-boot.enable = true;
+    boot.loader.efi.canTouchEfiVariables = true;
+
+    ## Tailscale
+    age.secrets."tailscale/router.home.ts.hillion.co.uk".file = ../../secrets/tailscale/router.home.ts.hillion.co.uk.age;
+    custom.tailscale = {
+      enable = true;
+      preAuthKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
+    };
+
+    ## Enable btrfs compression
+    fileSystems."/data".options = [ "compress=zstd" ];
+    fileSystems."/nix".options = [ "compress=zstd" ];
+  };
+}

hosts/router.home.ts.hillion.co.uk/hardware-configuration.nix

@@ -0,0 +1,61 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "tmpfs";
+      fsType = "tmpfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/A05C-EC0A";
+      fsType = "vfat";
+    };
+
+  fileSystems."/nix" =
+    {
+      device = "/dev/disk/by-uuid/5704642a-887e-48ab-b904-752d6301388d";
+      fsType = "btrfs";
+      options = [ "subvol=nix" ];
+    };
+
+  fileSystems."/data" =
+    {
+      device = "/dev/disk/by-uuid/5704642a-887e-48ab-b904-752d6301388d";
+      fsType = "btrfs";
+      options = [ "subvol=data" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  # high-resolution display
+  hardware.video.hidpi.enable = lib.mkDefault true;
+}

hosts/router.home.ts.hillion.co.uk/persist.nix

@@ -0,0 +1,52 @@
+{ config, lib, ... }:
+
+{
+  config = {
+    # Persist files (due to tmpfs root)
+    ## Set root tmpfs to 0755
+    fileSystems."/".options = [
+      "mode=0755"
+      "size=4G"
+    ];
+
+    ## Require data at boot (to have access to host keys for agenix)
+    fileSystems."/data".neededForBoot = true;
+
+    ## OpenSSH Host Keys (SSH + agenix secrets)
+    services.openssh = {
+      hostKeys = [
+        {
+          path = "/data/system/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+        {
+          path = "/data/system/etc/ssh/ssh_host_rsa_key";
+          type = "rsa";
+          bits = 4096;
+        }
+      ];
+    };
+
+    ## Persistent directories and symlinks
+    systemd.tmpfiles.rules = [
+      ### Persistent home subdirectories
+      "L /root/local - - - - /data/users/root"
+      "L /home/jake/local - - - - /data/users/jake"
+    ];
+
+    ## Persistent /etc/nixos
+    fileSystems."/etc/nixos" = {
+      device = "/data/users/root/repos/nixos";
+      options = [ "bind" ];
+    };
+
+    ## Persistent zsh history
+    programs.zsh.histFile = lib.mkForce "$HOME/local/.zsh_history";
+
+    ## Tailscale
+    fileSystems."/var/lib/tailscale" = {
+      device = "/data/system/var/lib/tailscale";
+      options = [ "bind" ];
+    };
+  };
+}

hosts/router.home.ts.hillion.co.uk/system

@@ -0,0 +1 @@
+x86_64-linux

secrets/secrets.nix

@@ -12,7 +12,10 @@ let
       co = {
         hillion = {
           ts = {
-            home = { microserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw root@microserver"; };
+            home = {
+              microserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw root@microserver";
+              router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu root@router";
+            };
             parents = { microserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0cjjNQPnJwpu4wcYmvfjB1jlIfZwMxT+3nBusoYQFr root@microserver"; };
             strangervm = { vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINb9mgyD/G3Rt6lvO4c0hoaVOlLE8e3+DUfAoB1RI5cy root@vm"; };
             terminals = { jakehillion = { gendry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry"; }; };
@@ -31,9 +34,10 @@ in
 
   # Tailscale Pre-Auth Keys
   "tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ];
-  "tailscale/vm.strangervm.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.strangervm.vm ];
   "tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.microserver ];
   "tailscale/microserver.parents.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.parents.microserver ];
+  "tailscale/router.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.router ];
+  "tailscale/vm.strangervm.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.strangervm.vm ];
 
   # Resilio Sync Secrets
   ## Encrypted Resilio Sync Secrets

secrets/tailscale/router.home.ts.hillion.co.uk.age

@@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+B0Hxv1+zuENTd2JU5zSqivSZq2vD/ruRY9/Ggkz9j1Gt9x52tjaOKbhnSiN86Ng3
+C48BsAhDEQoQJSDdIzwlvi3pi4OO9UghZOjwbghQJUxJ0WEXS82+jg2uBeezCZsN
+3hkOHO+ghOHo+HfZnxVrYW/uKJ199yOdt2bOi+OC0ldiPa5XR5QeE9no1xybYHge
+gBrux5ByKXtQLG+MUhe4PJ+i/Vpifw+bg2X9tE0gYEvQVbfvCH7MFPLkKVzyVfe4
+1W01R3j2yhlTHlQFIEvWOcSEqX6MQHquL/bkS/BeTf6EUgAUjz+PajGbP1+0tlWE
+k+kCcarmfUlGXwmWQC7E+w
+-> ssh-rsa K9mW1w
+WZxcPgcqkvkE+/cKysGb9W/NcLDT7bFLylos4gTpY7bvxA7AeaE2GLSn7XkhOa1U
+2SC31Tp11UOBrpuzT21OEXt/i2mf3Qc1M7PBzDUlfWKAkxShCgpItToHlkx7PEA2
+53vZe/OeHbTd8lcQvxYJvEK3vnnvqRJabfIr5ADuGyjvrWEBBuJmnoCIiNbQlgut
+FQ1gj335lX5pim4BzWhrZ4BuGcA2AjDKPJvwN3OS9p/tNuVdaBheBVFZP1xnK/6m
+J+DoE4Q18ruFHHt3WBwC4PdNVE2AZ7ugh+5HXVmtlaILztZ2Pxq9oNGpgUWPkWra
+207iwHYMXECZLLlCAfgaEQ
+-> ssh-ed25519 8+Ls0w Z9h9EPtKnNg9TIxk/Hc9D9UJCtWEXQS8HIPAaMKfvlM
+Ast5W/usVzLUpIjJJEiJ1cvlbki9+kR4CnjT6982Cqo
+-> bg-grease lQj9K~"
+yTRo2eEIy6tJEs0EwC76TkInD/dy3JoSZqlKn63AcBc4hZEU0tDO
+--- dtMRU0R43ACrGnwzZnHFmsyMla9Zv252FXP1kZIyimo
+À¡M<EFBFBD><EFBFBD>—<EFBFBD>mö
¬|‡‰þÈlz2èªtýÎÒ¶ƒqÆ
+.q
+œ<EFBFBD>¬.ToêGG•Œ=eZˆ[P€ã™G—:57+— XŠª‘g²½+æ#IùPTf´/