authorsefidel <contact@sefidel.net>2024-01-23 01:00:54 +0900
committersefidel <contact@sefidel.net>2024-01-23 01:05:05 +0900
commit052f5877c66560586f6945f14f8224588bb61c49 (patch)
tree85d4e1d650a40986768df183df8b3811146985b2 /nixos/kanata/configuration.nix
parentb2d4dbd14281fb90eb9230738710602dd60f645e (diff)
downloadnixrc-052f5877c66560586f6945f14f8224588bb61c49.zip
feat(nixos): add kanata
Diffstat (limited to 'nixos/kanata/configuration.nix')
-rw-r--r--nixos/kanata/configuration.nix112
1 files changed, 112 insertions, 0 deletions
diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix
new file mode 100644
index 0000000..b7933c0
--- /dev/null
+++ b/nixos/kanata/configuration.nix
@@ -0,0 +1,112 @@
+{ config, lib, input, pkgs, ... }:
+
+let
+ sefidelKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+ maintainerKeys = [ ] ++ sefidelKeys;
+in
+{
+ imports = [ ];
+
+ deployment = {
+ targetHost = "kanata.bee-polaris.ts.net";
+ targetUser = "root";
+ };
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.supportedFilesystems = [ "zfs" ];
+ networking.hostId = "31cc5527";
+
+ networking.hostName = "kanata";
+
+ # Erase your darlings
+ boot.initrd.postDeviceCommands = lib.mkAfter ''
+ zfs rollback -r rpool/local/root@blank
+ '';
+
+ boot.kernelModules = [ "r8169" ];
+ boot.initrd.kernelModules = [ "r8169" ];
+
+ boot.initrd.network.enable = true;
+ boot.initrd.network.ssh = {
+ enable = true;
+
+ # Using the same port as the actual SSH daemon will cause the clients to
+ # throw errors related to host key mismatch.
+ port = 2222;
+
+ hostKeys = [
+ # XXX: This has to be manually generated during NixOS install.
+ # The files are then copied to initrd secrets during activation.
+ "/persist/initrd/ssh_host_rsa_key"
+ "/persist/initrd/ssh_host_ed25519_key"
+ ];
+
+ authorizedKeys = maintainerKeys;
+ };
+
+ boot.initrd.network.postCommands = ''
+ cat <<EOF > /root/.profile
+ if pgrep -x "zfs" > /dev/null
+ then
+ zfs load-key -a
+ killall zfs
+ else
+ echo "ZFS is not running -- this could be a sign of failure."
+ fi
+ EOF
+ '';
+
+ modules.tailscale-initrd = {
+ enable = true;
+ # XXX: This has to be manually generatd during NixOS install.
+ # The files are then copied to initrd secrets during activation.
+ tailscaleStatePath = "/persist/initrd/tailscale-initrd.state";
+ };
+
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
+
+ fileSystems."/persist".neededForBoot = true;
+
+ services.openssh.hostKeys = [
+ {
+ path = "/persist/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "/persist/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ bits = 4096;
+ }
+ ];
+
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
+
+ environment.persistence."/persist".directories = [ "/var/lib/tailscale" ];
+
+ sops.defaultSopsFile = ./secrets/secrets.yaml;
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
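Review bot: `services.openssh.enable = true;` near the end of the hunk leaves sshd's password authentication at the NixOS default (enabled) even though access to this host is meant to go only through `maintainerKeys` on root; consider adding `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` so key-based root login is the only accepted method. The initrd sshd on port 2222 is key-only by construction, but the XXX comments on `hostKeys` and `tailscaleStatePath` could state the consequence they imply: material copied into initrd secrets lives in the initrd image on the boot partition, which is not covered by the ZFS encryption, so those keys should be treated as lower-trust than the ones under `/persist/ssh`. The `input` argument in the module header is not referenced anywhere in the file; it looks like a typo for `inputs` and is harmless only because the attribute-set pattern ends with `...`. Minor: "generatd" in the tailscale-initrd comment.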