new tor

2024-11-10 21:18:08 +01:00 · 2024-11-10 21:18:08 +01:00 · 23b8d63908
commit 23b8d63908
parent 40fa98a67c
3 changed files with 27 additions and 15 deletions
--- a/hosts/tor/hardware.nix
+++ b/hosts/tor/hardware.nix
@ -11,6 +11,25 @@

  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
  boot.initrd.kernelModules = ["dm-snapshot"];
+
+  # https://wiki.nixos.org/wiki/Remote_disk_unlocking
+  # > ssh -o HostKeyAlias=tor-initrd root@tor
+  # > cryptsetup-askpass
+  boot.initrd.network = {
+    enable = true;
+    # Clear initrd network configuration before stage 2
+    flushBeforeStage2 = true;
+    ssh = {
+      enable = true;
+      authorizedKeys = config.users.users.caspervk.openssh.authorizedKeys.keys;
+      # NOTE: the key is stored insecurely in the global Nix store and
+      # unencrypted boot partition, which is why we use a separate key.
+      # > sudo ssh-keygen -t ed25519 -N "" -f /nix/persist/initrd-ssh_host_ed25519_key
+      hostKeys = ["/nix/persist/initrd-ssh_host_ed25519_key"];
+    };
+  };
+  boot.kernelParams = ["ip=192.121.119.58::192.121.119.1:255.255.255.0::enp0s18:none"];
+
  boot.kernelModules = [];
  boot.extraModulePackages = [];

--- a/hosts/tor/network.nix
+++ b/hosts/tor/network.nix
@ -8,19 +8,16 @@

  systemd.network = {
    networks."10-lan" = {
-      # IPv4 settings are from `sudo dhcpcd --test`.
-      # IPv6 settings are from https://www.ssdvps.dk/knowledgebase/18/IPv6-Gateway.html.
-      matchConfig.Name = "ens3";
+      matchConfig.Name = "enp0s18";
      address = [
-        "91.210.59.57/25"
-        "2a12:bec4:11d3:de9f::1/64"
+        "192.121.119.58/24"
+        "2001:67c:bec:b:c88c:dfff:fe75:3aab/64"
      ];
      routes = [
-        {routeConfig = {Gateway = "91.210.59.1";};}
+        {routeConfig = {Gateway = "192.121.119.1";};}
        {
          routeConfig = {
-            Gateway = "2a12:bec4:11d3::1";
-            GatewayOnLink = true;
+            Gateway = "2001:67c:bec:b::1";
          };
        }
      ];
--- a/hosts/tor/tor.nix
+++ b/hosts/tor/tor.nix
@ -1,8 +1,4 @@
-{
-  config,
-  pkgs,
-  ...
-}: {
+{pkgs, ...}: {
  services.tor = {
    enable = true;
    openFirewall = true;
@ -15,11 +11,11 @@
      ContactInfo = "admin@caspervk.net";
      ORPort = [
        {
-          addr = "91.210.59.57";
+          addr = "192.121.119.58";
          port = 443;
        }
        {
-          addr = "[2a12:bec4:11d3:de9f::1]";
+          addr = "[2001:67c:bec:b:c88c:dfff:fe75:3aab]";
          port = 443;
        }
      ];