From 85c7ce19350e03a33eb5cf42ad38f87a2bb29959 Mon Sep 17 00:00:00 2001
From: "Casper V. Kristensen"
Date: Sun, 10 Nov 2024 21:18:08 +0100
Subject: [PATCH] new tor

---
 hosts/tor/default.nix | 6 ++----
 hosts/tor/hardware.nix | 19 +++++++++++++++++++
 hosts/tor/network.nix | 13 +++++--------
 hosts/tor/tor.nix | 10 +++-------
 4 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/hosts/tor/default.nix b/hosts/tor/default.nix
index 4686cfe..ae7e5e5 100644
--- a/hosts/tor/default.nix
+++ b/hosts/tor/default.nix
@@ -12,10 +12,8 @@
 boot = {
 loader = {
- grub = {
- enable = true;
- device = "/dev/vda";
- };
+ efi.canTouchEfiVariables = true;
+ systemd-boot.enable = true;
 };
 initrd.luks.devices.crypted.device = "/dev/disk/by-label/crypted";
 };
diff --git a/hosts/tor/hardware.nix b/hosts/tor/hardware.nix
index 5f2eda7..8e079e7 100644
--- a/hosts/tor/hardware.nix
+++ b/hosts/tor/hardware.nix
@@ -11,6 +11,25 @@
 boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
 boot.initrd.kernelModules = ["dm-snapshot"];
+
+ # https://wiki.nixos.org/wiki/Remote_disk_unlocking
+ # > ssh -o HostKeyAlias=tor-initrd root@tor
+ # > cryptsetup-askpass
+ boot.initrd.network = {
+ enable = true;
+ # Clear initrd network configuration before stage 2
+ flushBeforeStage2 = true;
+ ssh = {
+ enable = true;
+ authorizedKeys = config.users.users.caspervk.openssh.authorizedKeys.keys;
+ # NOTE: the key is stored insecurely in the global Nix store and
+ # unencrypted boot partition, which is why we use a separate key.
+ # > sudo ssh-keygen -t ed25519 -N "" -f /nix/persist/initrd-ssh_host_ed25519_key
+ hostKeys = ["/nix/persist/initrd-ssh_host_ed25519_key"];
+ };
+ };
+ boot.kernelParams = ["ip=192.121.119.58::192.121.119.1:255.255.255.0::enp0s18:none"];
+
 boot.kernelModules = [];
 boot.extraModulePackages = [];
diff --git a/hosts/tor/network.nix b/hosts/tor/network.nix
index ac60e16..cc1e7bf 100644
--- a/hosts/tor/network.nix
+++ b/hosts/tor/network.nix
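Review bot: The move from GRUB on `/dev/vda` to systemd-boot with `efi.canTouchEfiVariables = true` is not explained in the hunk or the commit message, and it silently assumes the ESP is mounted at `/boot` via `fileSystems` somewhere outside this hunk; a comment above `loader`, e.g. `# UEFI guest: systemd-boot on the ESP at /boot; the ESP and the initrd on it are unencrypted`, would record both assumptions. `canTouchEfiVariables` also makes every rebuild write firmware boot entries, which only works when the system was booted in UEFI mode, and that is worth stating given this is the boot path for a remotely unlocked LUKS root.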
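Review bot: The initrd network in the hardware.nix hunk is unlikely to come up unless the NIC driver is in the initrd, and the `boot.initrd.availableKernelModules` context line at the top of the hunk lists `virtio_pci`/`virtio_blk` but no network driver; if the guest's NIC is virtio (which the other entries suggest), `"virtio_net"` needs adding to that list, so the driver behind `enp0s18` should be confirmed. The address, gateway and netmask on the new `boot.kernelParams` `ip=` line repeat the literals that the network.nix and tor.nix hunks of this same commit also set, so a comment on that line such as `# Must match the address/gateway in network.nix and the ORPort addr in tor.nix` would keep the three from drifting. `authorizedKeys` reads `config.users.users.caspervk...`, which requires `config` among hardware.nix's module arguments; those are outside the hunk, so that should be checked. The existing NOTE correctly records that the separate initrd host key sits unencrypted in the Nix store and on the boot partition, which is the right caveat to keep next to `hostKeys`.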
@@ -8,19 +8,16 @@
 systemd.network = {
 networks."10-lan" = {
- # IPv4 settings are from `sudo dhcpcd --test`.
- # IPv6 settings are from https://www.ssdvps.dk/knowledgebase/18/IPv6-Gateway.html.
- matchConfig.Name = "ens3";
+ matchConfig.Name = "enp0s18";
 address = [
- "91.210.59.57/25"
- "2a12:bec4:11d3:de9f::1/64"
+ "192.121.119.58/24"
+ "2001:67c:bec:b:c88c:dfff:fe75:3aab/64"
 ];
 routes = [
- {routeConfig = {Gateway = "91.210.59.1";};}
+ {routeConfig = {Gateway = "192.121.119.1";};}
 {
 routeConfig = {
- Gateway = "2a12:bec4:11d3::1";
- GatewayOnLink = true;
+ Gateway = "2001:67c:bec:b::1";
 };
 }
 ];
diff --git a/hosts/tor/tor.nix b/hosts/tor/tor.nix
index 17c9ffe..ebb02c4 100644
--- a/hosts/tor/tor.nix
+++ b/hosts/tor/tor.nix
@@ -1,8 +1,4 @@
-{
- config,
- pkgs,
- ...
-}: {
+{pkgs, ...}: {
 services.tor = {
 enable = true;
 openFirewall = true;
@@ -15,11 +11,11 @@
 ContactInfo = "admin@caspervk.net";
 ORPort = [
 {
- addr = "91.210.59.57";
+ addr = "192.121.119.58";
 port = 443;
 }
 {
- addr = "[2a12:bec4:11d3:de9f::1]";
+ addr = "[2001:67c:bec:b:c88c:dfff:fe75:3aab]";
 port = 443;
 }
 ];
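Review bot: The two removed comments in the network.nix hunk recorded where the IPv4 and IPv6 settings came from, and the replacement values carry no such provenance; a one-line comment above `matchConfig.Name`, e.g. `# Static addressing as assigned by the provider; keep in sync with the ip= kernel parameter in hardware.nix`, would preserve that. Dropping `GatewayOnLink` is consistent with the new gateway `2001:67c:bec:b::1` lying inside the configured `/64`, whereas the old `2a12:bec4:11d3::1` was outside `2a12:bec4:11d3:de9f::/64`; stating that reason next to the route would save the next reader from re-deriving it.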