Update ninurta config

nixos/ninurta/configuration.nix

@@ -10,6 +10,7 @@ let
   wgHydraPrivKey = "${config.networking.hostName}-wg-hydra-key";
   wg0PresharedKey = "${config.networking.hostName}-wg0-preshared-key";
   hydraGitHubAuth = "hydra-github-authorization";
+  initrdPrivateKey = "${config.networking.hostName}-initrd_ssh_host_ed25519_key.age";
 in
 {
   imports = [
@@ -19,9 +20,6 @@ in
 
   networking.hostName = "ninurta";
 
-  networking.useDHCP = false;
-  networking.interfaces.enp86s0.useDHCP = true;
-
   networking.hosts = {
     "127.0.0.1" = hostAliases;
     "::1" = hostAliases;
@@ -30,13 +28,43 @@ in
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  # TODO enable
+  assertions = lib.singleton {
-  # fileSystems."/mnt/storage" = {
+    assertion = (config.boot.initrd.network.ssh.hostKeys != [ ]) -> config.boot.loader.supportsInitrdSecrets == true;
-  #   device = "/dev/disk/by-uuid/a34e36fc-d7dd-4ceb-93c4-48f9c2727cb7";
+    message = "Refusing to store private keys in store";
-  #   mountPoint = "/mnt/storage";
+  };
-  #   neededForBoot = false;
+
-  #   options = [ "nofail" ];
+  boot.initrd = let initrdKeyPath = "/etc/ssh/a_initrd_ssh_host_ed25519_key"; in {
-  # };
+    network = {
+      enable = true;
+      flushBeforeStage2 = true;
+      ssh = {
+        enable = true;
+        port = 2222;
+        authorizedKeys = config.dadada.admin.users.dadada.keys;
+        hostKeys = [ config.age.secrets.${initrdPrivateKey}.path ];
+      };
+    };
+    systemd = {
+      enable = true;
+      network = {
+        enable = true;
+        networks = {
+          "10-lan" = {
+            matchConfig.Name = "enp*";
+            networkConfig.DHCP = "ipv4";
+            linkConfig.RequiredForOnline = "routable";
+          };
+        };
+      };
+    };
+  };
+
+  fileSystems."/mnt/storage" = {
+    device = "/dev/disk/by-uuid/a34e36fc-d7dd-4ceb-93c4-48f9c2727cb7";
+    mountPoint = "/mnt/storage";
+    neededForBoot = false;
+    options = [ "nofail" ];
+  };
 
   # TODO enable
   # dadada.borgServer = {
@@ -113,35 +141,90 @@ in
   age.secrets.${wg0PrivKey}.file = "${secretsPath}/${wg0PrivKey}.age";
   age.secrets.${wg0PresharedKey}.file = "${secretsPath}/${wg0PresharedKey}.age";
   age.secrets.${wgHydraPrivKey}.file = "${secretsPath}/${wgHydraPrivKey}.age";
+  age.secrets.${initrdPrivateKey}.file = "${secretsPath}/${initrdPrivateKey}.age";
 
-  networking.wireguard = {
+  services.snapper = {
-    enable = true;
+    cleanupInterval = "1d";
-    interfaces.uwupn = {
+    snapshotInterval = "hourly";
-      allowedIPsAsRoutes = true;
+    configs.var = {
-      privateKeyFile = config.age.secrets.${wg0PrivKey}.path;
+      SUBVOLUME = "/var";
-      ips = [ "10.11.0.39/32" "fc00:1337:dead:beef::10.11.0.39/128" ];
+      TIMELINE_CREATE = true;
-      peers = [
+      TIMELINE_CLEANUP = true;
-        {
+      TIMELINE_LIMIT_HOURLY = 24;
-          publicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8=";
+      TIMELINE_LIMIT_DAILY = 13;
-          allowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ];
+      TIMELINE_LIMIT_WEEKLY = 6;
-          endpoint = "53c70r.de:51820";
+      TIMELINE_LIMIT_MONTHLY = 3;
-          persistentKeepalive = 25;
-          presharedKeyFile = config.age.secrets.${wg0PresharedKey}.path;
-        }
-      ];
     };
-    interfaces.hydra = {
+  };
-      allowedIPsAsRoutes = true;
+
-      privateKeyFile = config.age.secrets.${wgHydraPrivKey}.path;
+  services.smartd.enable = true;
-      ips = [ "10.3.3.3/32" ];
+
-      peers = [
+  systemd.network = {
-        {
+    enable = true;
-          publicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY=";
+    networks = {
-          allowedIPs = [ "10.3.3.1/32" ];
+      "10-lan" = {
-          endpoint = "hydra.dadada.li:51235";
+        matchConfig.Name = "enp*";
-          persistentKeepalive = 25;
+        networkConfig.DHCP = "ipv4";
-        }
+        linkConfig.RequiredForOnline = "routable";
-      ];
+      };
+      "10-hydra" = {
+        matchConfig.Name = "hydra";
+        address = [ "10.3.3.1/24" ];
+        DHCP = "no";
+        networkConfig.IPv6AcceptRA = false;
+        linkConfig.RequiredForOnline = "no";
+        routes = [
+          { routeConfig = { Gateway = "10.3.3.3"; Destination = "10.3.3.3/32"; }; }
+        ];
+      };
+      "10-uwu" = {
+        matchConfig.Name = "uwu";
+        address = [ "10.11.0.39/24" "fc00:1337:dead:beef::10.11.0.39/128" ];
+        DHCP = "no";
+        networkConfig.IPv6AcceptRA = false;
+        linkConfig.RequiredForOnline = "no";
+        routes = [
+          { routeConfig = { Destination = "10.11.0.0/22"; }; }
+          { routeConfig = { Destination = "fc00:1337:dead:beef::10.11.0.0/118"; }; }
+        ];
+      };
+    };
+    netdevs = {
+      "10-hydra" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "hydra";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.age.secrets.${wgHydraPrivKey}.path;
+          ListenPort = 51235;
+        };
+        wireguardPeers = [{
+          wireguardPeerConfig = {
+            PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY=";
+            AllowedIPs = [ "10.3.3.1/32" ];
+            PersistentKeepalive = 25;
+          };
+        }];
+      };
+      "10-uwu" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "uwu";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.age.secrets.${wg0PrivKey}.path;
+        };
+        wireguardPeers = [{
+          wireguardPeerConfig = {
+            PublicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8=";
+            AllowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ];
+            PersistentKeepalive = 25;
+            PresharedKeyFile = config.age.secrets.${wg0PresharedKey}.path;
+            Endpoint = "53c70r.de:51820";
+          };
+        }];
+      };
     };
   };
 
@@ -160,12 +243,9 @@ in
     ];
   };
 
+  services.resolved.enable = true;
   networking.networkmanager.enable = false;
 
-  dadada.networking.localResolver.enable = true;
-  dadada.networking.localResolver.uwu = true;
-  dadada.networking.localResolver.s0 = true;
-
   # Desktop things for media playback
 
   services.xserver.enable = true;
@@ -196,5 +276,5 @@ in
   documentation.enable = true;
   documentation.nixos.enable = true;
 
-  system.stateVersion = "22.11";
+  system.stateVersion = "23.05";
 }

nixos/ninurta/hardware-configuration.nix

@@ -2,63 +2,81 @@
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
+
 {
   imports =
     [
       (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules = [ "igc" "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
-  boot.initrd.luks.devices."dm-ninurta".device = "/dev/disk/by-uuid/a64f1e3f-ea13-43b6-83de-2ba4e45e8a3f";
 
   fileSystems."/" =
     {
-      device = "/dev/disk/by-label/ninurta";
+      device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
       fsType = "btrfs";
-      options = [ "compress=zstd,subvol=root" ];
+      options = [ "compress=zstd" ];
     };
 
-  fileSystems."/home" =
+  boot.initrd.luks.devices."luks".device = "/dev/disk/by-uuid/bac4ee0e-e393-414f-ac3e-1ec20739abae";
-    {
-      device = "/dev/disk/by-label/ninurta";
-      fsType = "btrfs";
-      options = [ "compress=zstd,subvol=home" ];
-    };
 
-  fileSystems."/var" =
+  fileSystems."/swap" =
     {
-      device = "/dev/disk/by-label/ninurta";
+      device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
       fsType = "btrfs";
-      options = [ "subvol=var" ];
+      options = [ "subvol=swap" "noatime" ];
     };
 
   fileSystems."/nix" =
     {
-      device = "/dev/disk/by-label/ninurta";
+      device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
       fsType = "btrfs";
-      options = [ "compress=zstd,noatime,subvol=nix" ];
+      options = [ "subvol=nix" "noatime" "compress=zstd" ];
+    };
+
+  fileSystems."/var" =
+    {
+      device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
+      fsType = "btrfs";
+      options = [ "subvol=var" "compress=zstd" ];
+    };
+
+  fileSystems."/home" =
+    {
+      device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
+      fsType = "btrfs";
+      options = [ "subvol=home" "compress=zstd" ];
+    };
+
+  fileSystems."/root" =
+    {
+      device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
+      fsType = "btrfs";
+      options = [ "subvol=root" "compress=zstd" ];
     };
 
   fileSystems."/boot" =
     {
-      device = "/dev/disk/by-label/boot";
+      device = "/dev/disk/by-uuid/2E20-49CB";
       fsType = "vfat";
     };
 
-  swapDevices = [
+  swapDevices = [{
-    { device = "/var/swapfile"; size = 65536; }
+    device = "/swap/swapfile";
-  ];
+    size = 32 * 1024; # 32 GByte
+  }];
 
+  # TODO systemd networkd
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
   # networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

secrets/ninurta-initrd_ssh_host_ed25519_key.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 J6ROvw 9g8A25DusoNFdNBRMiVXi99j+P2G/ZAoHq2kFD6tKEA
+pS5yrQhW8IvNG/v1z0JKOROaJmdQGCRXHGHci/BrrhI
+-> ssh-ed25519 Otklkw 9heLCSrhZs0PzOSX2C+RufrQML5QVMFXpeE2raTrQ24
+Pks8xA8BI89Cb9PzCyPKYwOfGfITX14ZTbcyQbcT3oA
+-> E`3VAEs-grease Jkxdo0~
+WhLwTnCoplc8L5WegLX2A37lppw/De0alZgOuGPv9JYqFIS1DPNPBYz5aVNWUk7z
+FYGtHrYTbg0ylTZ+e4mcSA
+--- c3gW3L9HNYcqdnz7IptzALRR4YtjWJvXo9/0MEmcXn4
+5xXG,»©òp<C3B2>AøÀ~á\¨‚­•Êœ×æìâüº@CXo{7Ö<0E>˜{
ÎEÙCC´×~Ë|Žpêw3‘mÜ°.­°p»ÖIL<1D>~ø<>°†N䊺:ˆ“p`fˆþ<CB86>q3‰KIŸ6ˆGF@1—íeXó„…ú¿¾|×'O<>ŠïuØö…´	-SÊBàRÄS„<1D>EÃCs‘ä1[·¯YÍ
+0nXlgacJ¿P Ž']¬qmBµkàÊc¬%Œ{5Ÿ:>¼y
;æ¿wKïǯ!‹Ú¥¸
‡Pû`%ë&Ut+Ô8qœÐ¹Qš¸g»û`ÿ¶Z¬(=®ÿ´Á;Þ¦§˜èŸþù5é<35>Žv£rL²<4C><C2B2>9Ž~»þ·åËGÝ(s.ljίò}PL¶-ïð^VóBíJ)íÈHWÄ“ÝK‘ 	`è)I/ÃðÝU_<1A>C™T~u†1æ»<C3A6>û’­¿Í™Ÿ·þÙü§Å?â5h®`~
+u
_…Êb¯Ë;Ä_ÎÎeÍï”â}´§°ÅAÊz_ª¯d‘ÖâÝši,&Ž˜ªª¹¨^ÌbH<›jR

secrets/secrets.nix

@@ -4,6 +4,7 @@ let
     agares = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcbuLtU9/VhFy5VAp/ZI0T+gr7kExG73hmjjvno10gP root@nixos";
     gorgon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCcwG8BkqjZJ1bPdFbLYfXeBgaI10+gyVs1r1aNJ49H root@gorgon";
     ifrit = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEYO4L5EvKRtVUB6YHtHN7R980fwH9kKVt0V3kj6rORS root@nixos";
+    ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos";
     pruflas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqZHu5ygTODgrNzcU9C2O+b8yCfVsnztV83qxXV4aA8 root@pruflas";
     surgat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOJ9UgAle5sX0pAawfRztckVwaQm2U8o0Bawv7cZfXE root@surgat";
   };
@@ -21,6 +22,7 @@ in
   "gorgon-backup-passphrase-gs.age".publicKeys = [ systems.gorgon dadada ];
   "paperless.age".publicKeys = [ systems.gorgon dadada ];
   "surgat-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ];
+  "ninurta-initrd_ssh_host_ed25519_key.age".publicKeys = [ systems.ninurta dadada ];
 } //
 backupSecrets "gorgon" //
 backupSecrets "ifrit" //