From 6f75453e7c5d2ddd1c97b5facfd5218cec430f27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?=
Date: Sat, 3 Feb 2024 20:58:18 +0100
Subject: [PATCH] droppie: reinstall droppie, update keys
---
hosts/default.nix | 2 +
hosts/droppie/configuration.nix | 23 +++++---
hosts/droppie/hardware-configuration.nix | 68 ++++++++++++++++--------
hosts/droppie/networking.nix | 1 +
hosts/pie/configuration.nix | 2 +-
hosts/stroopwafel/persistence.nix | 26 ---------
modules/default.nix | 1 +
modules/persistence/default.nix | 30 +++++++++++
users/b12f/default.nix | 3 --
users/yule/default.nix | 3 +-
10 files changed, 97 insertions(+), 62 deletions(-)
create mode 100644 modules/persistence/default.nix
diff --git a/hosts/default.nix b/hosts/default.nix
index 7dc14a7..a14b93a 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -15,6 +15,7 @@
 self.nixosModules.graphical
 self.nixosModules.nextcloud
 self.nixosModules.office
+ self.nixosModules.persistence
 self.nixosModules.printing
 self.nixosModules.wireguard-client
 ];
@@ -66,6 +67,7 @@
 ./droppie
 self.nixosModules.yule
 self.nixosModules.wireguard-client
+ self.nixosModules.persistence
 ];
 };
diff --git a/hosts/droppie/configuration.nix b/hosts/droppie/configuration.nix
index 90b30a5..b4f1f98 100644
--- a/hosts/droppie/configuration.nix
+++ b/hosts/droppie/configuration.nix
@@ -9,16 +9,9 @@ with lib; let
 psCfg = config.pub-solar;
 xdg = config.home-manager.users."${psCfg.user.name}".xdg;
 in {
- boot.loader.systemd-boot.enable = lib.mkForce false;
- boot.loader.grub = {
- enable = true;
- efiSupport = true;
- device = "nodev";
- };
+ boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
- hardware.cpu.intel.updateMicrocode = true;
- services.openssh.openFirewall = true;
 pub-solar.core.disk-encryption-active = false;
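Review bot: `pub-solar.core.disk-encryption-active = false;` survives this hunk as unchanged context even though the same patch declares a LUKS `cryptroot` device and an initrd `cryptsetup-askpass` unlock shell for droppie, so whatever that flag gates in `pub-solar.core` is now describing the wrong layout; either set `pub-solar.core.disk-encryption-active = true;` or drop the initrd unlock if the root is in fact not encrypted. What the flag controls lives outside this diff, so confirm against the core module before flipping it. Dropping `hardware.cpu.intel.updateMicrocode` is consistent with the AMD microcode line kept in hardware-configuration.nix, and `services.openssh.openFirewall` is only relocated to networking.nix. The `in {` attribute set continues past the end of this hunk.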
@@ -27,6 +20,20 @@ in {
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall"
 ];
+ boot.kernelParams = [
+ "boot.shell_on_fail=1"
+ "ip=dhcp"
+ ];
+
+ boot.initrd.network.enable = true;
+ boot.initrd.network.ssh = {
+ enable = true;
+ port = 2222;
+ authorizedKeys = psCfg.user.publicKeys;
+ hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
+ shell = "/bin/cryptsetup-askpass";
+ };
+
 # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
 age.secrets."droppie-ssh-root.key" = {
 file = "${flake.self}/secrets/droppie-ssh-root.key.age";
diff --git a/hosts/droppie/hardware-configuration.nix b/hosts/droppie/hardware-configuration.nix
index 9428220..2f30972 100644
--- a/hosts/droppie/hardware-configuration.nix
+++ b/hosts/droppie/hardware-configuration.nix
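Review bot: The key named in `hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"]` is imported into the initrd image, and with the systemd-boot switch in this patch that image sits on the unencrypted vfat `/boot` partition declared in hardware-configuration.nix, so anyone who can read the disk can lift the key, impersonate the stage-1 sshd on port 2222 and capture the passphrase typed into `cryptsetup-askpass`. That is an inherent limit of remote LUKS unlock rather than a bug in the hunk, but it should be stated next to the option, e.g. `# NOTE: this key ends up in the initrd on unencrypted /boot; treat it as disclosed to anyone with disk access and never reuse it as the stage-2 host key`, and clients should pin it under a separate known_hosts alias the way pie now uses `pie-initrd.b12f.io`. `boot.shell_on_fail=1` additionally drops to an unauthenticated root shell on the console whenever stage 1 fails, which is presumably acceptable for a physically secured box but deserves a one-line comment too. The enclosing `in {` set and the `age.secrets` definition continue past the hunk.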
@@ -1,30 +1,23 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- ];
+{ config, lib, pkgs, modulesPath, ... }:
- boot.initrd.availableKernelModules = ["ahci" "usbhid" "uas"];
- boot.initrd.kernelModules = ["dm-snapshot"];
- boot.kernelModules = ["kvm-amd"];
- boot.extraModulePackages = [];
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usbhid" "usb_storage" "uas" "sd_mod" "tg3" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ boot.initrd.luks.devices."cryptroot".device = "/dev/sdb2";
 fileSystems."/" =
- { device = "/dev/disk/by-uuid/1dca9d02-555c-4b23-9450-8f3413fa7694";
- fsType = "xfs";
- };
-
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/A24C-F252";
- fsType = "vfat";
+ { device = "none";
+ fsType = "tmpfs";
 };
 fileSystems."/media/internal" =
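Review bot: `boot.initrd.luks.devices."cryptroot".device = "/dev/sdb2";` is the only device in this file addressed by kernel name rather than UUID, and the same hunk adds `usb_storage`, `uas` and `sd_mod` to `boot.initrd.availableKernelModules`, so a USB disk present at boot can shift the `sd*` letters and make stage 1 try to unlock the wrong partition, which then lands in the `boot.shell_on_fail` root shell configured for this host. Use the stable path like the other entries do: `boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/<uuid-of-sdb2>";`. The tmpfs root `fileSystems."/" = { device = "none"; fsType = "tmpfs"; };` is mounted without `options`, and tmpfs defaults its root directory to mode 1777, so `/` becomes world-writable; add `options = [ "defaults" "mode=755" ];`. The header still claims the file was generated by nixos-generate-config and must not be modified, which is no longer true after these hand edits and should be reworded so a future generator run is not allowed to silently overwrite the LUKS and tmpfs entries.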
@@ -32,10 +25,39 @@
 fsType = "ext4";
 };
+ fileSystems."/nix" =
+ { device = "/dev/disk/by-uuid/837cc93f-6d9a-4bfd-b089-29ac6d68127c";
+ fsType = "ext4";
+ };
+
+ fileSystems."/persist" =
+ { device = "/dev/disk/by-uuid/a7711118-51b0-4d84-8f18-ef2e06084e05";
+ fsType = "ext4";
+ neededForBoot = true;
+ };
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/0965d496-ffad-4a8d-9de7-28af903baf16";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/991E-79C1";
+ fsType = "vfat";
+ };
+
 swapDevices =
- [ { device = "/dev/disk/by-uuid/0203b641-280f-4a3d-971d-fd32a666c852"; }
+ [ { device = "/dev/disk/by-uuid/0ef8dbbd-2832-4fb2-8a52-86682822f769"; }
 ];
- powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ # networking.useDHCP = lib.mkDefault true;
+ networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
+ networking.interfaces.enp2s0f1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
diff --git a/hosts/droppie/networking.nix b/hosts/droppie/networking.nix
index 39f81c1..2be1e8a 100644
--- a/hosts/droppie/networking.nix
+++ b/hosts/droppie/networking.nix
@@ -24,6 +24,7 @@
 # Allow pub.solar restic backups
 services.openssh.allowSFTP = true;
+ services.openssh.openFirewall = true;
 pub-solar.wireguard-client = {
 ownIPs = [
diff --git a/hosts/pie/configuration.nix b/hosts/pie/configuration.nix
index d8a1aad..8b7a4ee 100644
--- a/hosts/pie/configuration.nix
+++ b/hosts/pie/configuration.nix
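Review bot: Nothing in this hunk shows whether the new `/nix`, `/persist`, `/home` and swap UUIDs live inside the `cryptroot` container or on plain partitions; `/persist` now holds the stage-2 sshd host private keys and the initrd host key, and the swap device receives whatever the kernel pages out, including key material of the unlocked volume, so if any of them is outside the LUKS volume the encryption is largely cosmetic. A one-line comment per entry naming the backing device would settle this, e.g. `# LV inside cryptroot` or `# plain partition, intentionally unencrypted`, and if the swap entry is a bare partition and hibernation is not needed it should carry `randomEncryption.enable = true;`. `neededForBoot = true` on `/persist` is correct given that stage 1 and the sshd unit read secrets from it.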
@@ -23,7 +23,7 @@ in {
 boot.kernelParams = [
 "boot.shell_on_fail=1"
- "ip=192.168.178.2::192.168.178.1:255.255.255.255:pie.b12f.io::off"
+ "ip=192.168.178.2::192.168.178.1:255.255.255.255:pie-initrd.b12f.io::off"
 ];
 boot.initrd.network.enable = true;
diff --git a/hosts/stroopwafel/persistence.nix b/hosts/stroopwafel/persistence.nix
index db4cab5..46e49a4 100644
--- a/hosts/stroopwafel/persistence.nix
+++ b/hosts/stroopwafel/persistence.nix
@@ -2,31 +2,5 @@
 {
 systemd.tmpfiles.rules = [
 "L /etc/nixos - - - - /home/${config.pub-solar.user.name}/Workspace/os"
-
- "L /var/lib/bluetooth - - - - /persist/var/lib/bluetooth"
- "d /persist/var/lib/bluetooth 0500 root root"
-
- "L /var/lib/docker - - - - /persist/var/lib/docker"
- "d /persist/var/lib/docker 0510 root root"
-
- "L /etc/NetworkManager/system-connections - - - - /persist/etc/NetworkManager/system-connections"
- "d /persist/etc/NetworkManager/system-connections 0700 root root"
-
- "d /persist/etc/ssh 0400 root root"
 ];
-
- services.openssh = {
- enable = true;
- hostKeys = [
- {
- path = "/persist/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- {
- path = "/persist/etc/ssh/ssh_host_rsa_key";
- type = "rsa";
- bits = 4096;
- }
- ];
- };
 }
diff --git a/modules/default.nix b/modules/default.nix
index 2f04d7e..a021d85 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -20,6 +20,7 @@
 nix = import ./nix;
 nextcloud = import ./nextcloud;
 office = import ./office;
+ persistence = import ./persistence;
 printing = import ./printing;
 terminal-life = import ./terminal-life;
 user = import ./user;
diff --git a/modules/persistence/default.nix b/modules/persistence/default.nix
new file mode 100644
index 0000000..8b6500a
--- /dev/null
+++ b/modules/persistence/default.nix
@@ -0,0 +1,30 @@
+{ lib, config, ... }:
+{
+ systemd.tmpfiles.rules = [
+ "L /var/lib/bluetooth - - - - /persist/var/lib/bluetooth"
+ "d /persist/var/lib/bluetooth 0500 root root"
+
+ "L /var/lib/docker - - - - /persist/var/lib/docker"
+ "d /persist/var/lib/docker 0510 root root"
+
+ "L /etc/NetworkManager/system-connections - - - - /persist/etc/NetworkManager/system-connections"
+ "d /persist/etc/NetworkManager/system-connections 0700 root root"
+
+ "d /persist/etc/ssh 0400 root root"
+ ];
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ {
+ path = "/persist/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "/persist/etc/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ bits = 4096;
+ }
+ ];
+ };
+}
diff --git a/users/b12f/default.nix b/users/b12f/default.nix
index 7b2c2af..7f9567e 100644
--- a/users/b12f/default.nix
+++ b/users/b12f/default.nix
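Review bot: `"d /persist/etc/ssh 0400 root root"` clears the search bit on a directory, which only works because root bypasses DAC; sshd reads and generates the host keys as root, but any non-root reader such as a backup job fails with EACCES, and the conventional mode for a private-key directory is `"d /persist/etc/ssh 0700 root root"`. The `0500` and `0510` modes on the bluetooth and docker directories look like the same slip for `0700`/`0710`, but confirm the intent before changing them. Importing this `persistence` module also sets `services.openssh.enable = true;` on every host that lists it, which is a surprising side effect for something named persistence; either keep only the `hostKeys` paths here and enable sshd where it is currently enabled, or add a header comment such as `# Keeps mutable state under /persist on impermanent hosts and pins sshd host keys there; NOTE: enables sshd as a side effect`. Since the rules write under `/persist`, every host that imports this must also mount `/persist` with `neededForBoot = true`, which is worth stating in that comment as well.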
@@ -37,9 +37,6 @@ in {
 email = "git@benjaminbaedorf.eu";
 gpgKeyId = "FC623BBCBD2604D5CC9D90BAE77B0AAAF0D9B76B";
 publicKeys = [
- "ssh-rsa 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 b12f@biolimo"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDwyNsGCMuyI9x2IxYEbYIL6oYsEfe1wqhHaRxSnK9oc10ge1LJni5o7g6XgryoQpCD9YenImcCxwkKblmlLQ2327uoVC2PUo07li1uT0eIPk0TQoxwp6besFs7/LEzZlgWQsc3gkEXmjk/E0mu0U6z2fkqciJ/ZxWYt9fLP6jBG47U9878rSaZ7k7Ilv6oRA3suArH189k1nerk/tonS4EWXeHZxHh/Eu0tqwmxN/6+g2GicYn6b+MbFQVdQAkctqT5Yz9USm9UKzbaAuZ799u0dJzagHm9JJZOr8r11ENtAkY9kAzRzm3u/ACiSdVzyLdjAK6m0dIPhp3OhedzuHiI6/wRll60tYtQTH1XwUpVbtir3+DT+jwZgO1zH3yL4iNh79kuUo+UEg1ZmGkSZRzSS2vb5qr0J5aSJmCd5sNB7a01PTtSlQPOqSF9PB+UmcLDF7JoKFub0KT/gRZ5neZkXTYQ/Y05qtaaFVlOVISijnm+sLUvKBv6OW8oYXIHBk= b12f@chocolatebar"
 "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
 "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464"
 "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485"
diff --git a/users/yule/default.nix b/users/yule/default.nix
index 1003fd8..90f4e12 100644
--- a/users/yule/default.nix
+++ b/users/yule/default.nix
@@ -20,8 +20,9 @@ in {
 email = "hello@benjaminbaedorf.eu";
 gpgKeyId = "4406E80E13CD656C";
 publicKeys = [
- "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main"
 "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485"
 ];
 };
 };
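Review bot: The two `sk-ssh-ed25519@openssh.com` keys added here now feed droppie's stage-1 sshd (`authorizedKeys = psCfg.user.publicKeys` in hosts/droppie/configuration.nix), and FIDO keys are only accepted by an OpenSSH server built with security-key support, so verify one remote unlock on port 2222 with a token before the host is left to rely on it; recent NixOS initrds use OpenSSH, but that is an inference, not something this diff shows. Removing `@b12f Yubi Main` from this list revokes it only for closures built after this commit: earlier boot generations keep their initrd with the old `authorizedKeys`, and hosts that are not rebuilt keep accepting it, so run `nixos-rebuild boot` and prune old generations on each host after rotating. A short comment naming which physical tokens `yubi@464` and `yubi@485` are (presumably serial numbers) would make the next rotation easier; the `publicKeys` list sits inside an attribute set that starts before this hunk.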