new tor

Flake lock file updates:

• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/e1cc1f6483393634aee94514186d21a4871e78d7?narHash=sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg%3D' (2024-11-06)
  → 'github:NixOS/nixos-hardware/184687ae1a3139faa4746168baf071f60d0310c8?narHash=sha256-0ctfVp27ingWtY7dbP5%2BQpSQ98HaOZleU0teyHQUAw0%3D' (2024-11-11)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/83fb6c028368e465cd19bb127b86f971a5e41ebc?narHash=sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0%3D' (2024-11-07)
  → 'github:NixOS/nixpkgs/9256f7c71a195ebe7a218043d9f93390d49e6884?narHash=sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc%3D' (2024-11-10)

flake.lock

@@ -136,11 +136,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1730919458,
+        "lastModified": 1731332224,
-        "narHash": "sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg=",
+        "narHash": "sha256-0ctfVp27ingWtY7dbP5+QpSQ98HaOZleU0teyHQUAw0=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "e1cc1f6483393634aee94514186d21a4871e78d7",
+        "rev": "184687ae1a3139faa4746168baf071f60d0310c8",
         "type": "github"
       },
       "original": {
@@ -152,11 +152,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1730963269,
+        "lastModified": 1731239293,
-        "narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=",
+        "narHash": "sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc",
+        "rev": "9256f7c71a195ebe7a218043d9f93390d49e6884",
         "type": "github"
       },
       "original": {

hosts/alpha/knot-dns.nix

@@ -53,12 +53,22 @@
           # Enable ACME ACL on all zones
           acl = ["acme"];
           # Enable automatic DNSSEC signing on all zones. The KSK must be
-          # configured in the parent zone. Use the following command to get the
+          # configured in the parent zone through the registrar. Either the
-          # required record(s):
+          # DNSKEY or DS, depending on registrar:
+          #
+          # > sudo keymgr caspervk.net dnskey
+          # [<zone> <record-type> <key-type> <protocol> <algorithm-type> <public-key>]
+          #
+          # OR
+          #
           # > sudo keymgr caspervk.net ds
           # [<zone> <record-type> <key-tag> <algorithm-type> <digest-type> <digest>]
+          #
           # https://knot.readthedocs.io/en/master/configuration.html#automatic-dnssec-signing
-          # DNSSEC can be validated using https://dnsviz.net.
+          #
+          # DNSSEC can be validated using:
+          #  - https://dnssec-debugger.verisignlabs.com
+          #  - https://dnsviz.net
           dnssec-signing = "on";
           dnssec-policy = "default";
           # Knot overwrites the zonefiles with auto-generated DNSSEC records by

hosts/tor/default.nix

@@ -12,10 +12,8 @@
 
   boot = {
     loader = {
-      grub = {
+      efi.canTouchEfiVariables = true;
-        enable = true;
+      systemd-boot.enable = true;
-        device = "/dev/vda";
-      };
     };
     initrd.luks.devices.crypted.device = "/dev/disk/by-label/crypted";
   };

hosts/tor/hardware.nix

@@ -11,6 +11,25 @@
 
   boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
   boot.initrd.kernelModules = ["dm-snapshot"];
+
+  # https://wiki.nixos.org/wiki/Remote_disk_unlocking
+  # > ssh -o HostKeyAlias=tor-initrd root@tor
+  # > cryptsetup-askpass
+  boot.initrd.network = {
+    enable = true;
+    # Clear initrd network configuration before stage 2
+    flushBeforeStage2 = true;
+    ssh = {
+      enable = true;
+      authorizedKeys = config.users.users.caspervk.openssh.authorizedKeys.keys;
+      # NOTE: the key is stored insecurely in the global Nix store and
+      # unencrypted boot partition, which is why we use a separate key.
+      # > sudo ssh-keygen -t ed25519 -N "" -f /nix/persist/initrd-ssh_host_ed25519_key
+      hostKeys = ["/nix/persist/initrd-ssh_host_ed25519_key"];
+    };
+  };
+  boot.kernelParams = ["ip=192.121.119.58::192.121.119.1:255.255.255.0::enp0s18:none"];
+
   boot.kernelModules = [];
   boot.extraModulePackages = [];
 

hosts/tor/network.nix

@@ -8,19 +8,16 @@
 
   systemd.network = {
     networks."10-lan" = {
-      # IPv4 settings are from `sudo dhcpcd --test`.
+      matchConfig.Name = "enp0s18";
-      # IPv6 settings are from https://www.ssdvps.dk/knowledgebase/18/IPv6-Gateway.html.
-      matchConfig.Name = "ens3";
       address = [
-        "91.210.59.57/25"
+        "192.121.119.58/24"
-        "2a12:bec4:11d3:de9f::1/64"
+        "2001:67c:bec:b:c88c:dfff:fe75:3aab/64"
       ];
       routes = [
-        {routeConfig = {Gateway = "91.210.59.1";};}
+        {routeConfig = {Gateway = "192.121.119.1";};}
         {
           routeConfig = {
-            Gateway = "2a12:bec4:11d3::1";
+            Gateway = "2001:67c:bec:b::1";
-            GatewayOnLink = true;
           };
         }
       ];

hosts/tor/tor.nix

@@ -1,8 +1,4 @@
-{
+{pkgs, ...}: {
-  config,
-  pkgs,
-  ...
-}: {
   services.tor = {
     enable = true;
     openFirewall = true;
@@ -15,11 +11,11 @@
       ContactInfo = "admin@caspervk.net";
       ORPort = [
         {
-          addr = "91.210.59.57";
+          addr = "192.121.119.58";
           port = 443;
         }
         {
-          addr = "[2a12:bec4:11d3:de9f::1]";
+          addr = "[2001:67c:bec:b:c88c:dfff:fe75:3aab]";
           port = 443;
         }
       ];