| author | Mathias Magnusson <mathias@magnusson.space> | 2025-10-14 11:44:19 +0200 |
|---|---|---|
| committer | Mathias Magnusson <mathias@magnusson.space> | 2025-10-19 15:36:05 +0200 |
| commit | d37d79b96d7d5d262345ab122fd2cb7a66e0bdc2 (patch) | |
| tree | a9091da5fdb5c6244a26806e1f1defd0e9609c2f | |
| parent | 2d2d3463f3fd9fc495662ddd2758d89569a89d21 (diff) | |
| download | oden-d37d79b96d7d5d262345ab122fd2cb7a66e0bdc2.tar.gz | |
Add ssh keys; persist dhcp leases; move stuff around
| -rw-r--r-- | configuration.nix | 9 | ||||
| -rw-r--r-- | impermanence.nix | 84 | ||||
| -rw-r--r-- | router.nix | 72 |
3 files changed, 92 insertions, 73 deletions
diff --git a/configuration.nix b/configuration.nix index b066ff3..78a98a1 100644 --- a/configuration.nix +++ b/configuration.nix @@ -32,12 +32,15 @@ extraGroups = [ "wheel" "wireshark" ]; shell = pkgs.fish; hashedPassword = "REDACTED"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPC69ml72mqbn7L3QkpsCJuWdrKFYFNd0MaS5xERbuSF" + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEdUe7mxGdV/Q37RKndPzDHisFb7q/xm+L97jcGluSDOA8MGt/+wTxpyGxfyEqaMvwV2bakaMVHTB3711dDu5kE=" + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLZ6OVyjTvWx9gvS+/DvkQW5VvLBbykq/0AV5mYDLADDtIOaDVscQ3lGOcUsga1ODNSl14MSV63bE8VtHfG1HOc=" + ]; }; programs.fish.enable = true; - programs.wireshark.enable = true; - environment.systemPackages = with pkgs; [ neovim curl @@ -74,6 +77,4 @@ # # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . system.stateVersion = "25.05"; # Did you read the comment? - } - diff --git a/impermanence.nix b/impermanence.nix index 0592049..d3dae53 100644 --- a/impermanence.nix +++ b/impermanence.nix 
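Review bot: The three authorized keys are added to a wheel user that still keeps a `hashedPassword`, and nothing in this hunk turns off password login for sshd, so key-based access only reduces exposure if `services.openssh.settings.PasswordAuthentication = false;` (and `KbdInteractiveAuthentication = false;`) is set elsewhere — the openssh service block is outside this hunk, so confirm it is. With `programs.wireshark.enable` removed, the `wireshark` group named on the unchanged `extraGroups` line is presumably no longer created by that module; either drop it from `extraGroups` or keep the module so the group exists. Mixing two `ecdsa-sha2-nistp256` keys with the ed25519 one is a preference rather than a defect, but a one-line comment per key naming the device it belongs to (e.g. `# <device>, added 2025-10 — remove on rotation`) would make later revocation unambiguous. The enclosing `users.users.<name>` attribute set starts above the hunk.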
@@ -1,40 +1,56 @@ -{ lib, ... }: { - boot.initrd.postResumeCommands = lib.mkAfter '' - mkdir /btrfs_tmp - mount /dev/disk/by-partlabel/disk-main-root /btrfs_tmp # CONFIRM THIS IS CORRECT FROM findmnt - if [[ -e /btrfs_tmp/root ]]; then - mkdir -p /btrfs_tmp/old_roots - timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S") - mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp" - fi +# sudo mount --ro /dev/nvme0n1p2 ./mnt --mkdir +# ls mnt/old_roots - delete_subvolume_recursively() { - IFS=$'\n' - for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do - delete_subvolume_recursively "/btrfs_tmp/$i" - done - btrfs subvolume delete "$1" - } +{ lib, config, ... }: +let + cfg = config.oden.persist; +in +{ + options.oden.persist = with lib; with types; { + directories = mkOption { + type = listOf str; + default = []; + description = "Directories that should be persisted"; + }; + }; + config = { + boot.initrd.postResumeCommands = lib.mkAfter '' + mkdir /btrfs_tmp + mount /dev/disk/by-partlabel/disk-main-root /btrfs_tmp # CONFIRM THIS IS CORRECT FROM findmnt + if [[ -e /btrfs_tmp/root ]]; then + mkdir -p /btrfs_tmp/old_roots + timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S") + mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp" + fi - for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do - delete_subvolume_recursively "$i" - done + delete_subvolume_recursively() { + IFS=$'\n' + for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do + delete_subvolume_recursively "/btrfs_tmp/$i" + done + btrfs subvolume delete "$1" + } + + for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do + delete_subvolume_recursively "$i" + done - btrfs subvolume create /btrfs_tmp/root - umount /btrfs_tmp - ''; + btrfs subvolume create /btrfs_tmp/root + umount /btrfs_tmp + ''; - environment.persistence."/nix/persist" = { - hideMounts = true; - directories = [ - "/var/log" - "/var/lib/nixos" - 
"/var/lib/systemd/coredump" - ]; - files = [ - "/etc/machine-id" - "/etc/ssh/ssh_host_ed25519_key" - "/etc/ssh/ssh_host_ed25519_key.pub" - ]; + environment.persistence."/nix/persist" = { + hideMounts = true; + directories = cfg.directories ++ [ + "/var/log" + "/var/lib/nixos" + "/var/lib/systemd" + ]; + files = [ + "/etc/machine-id" + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + ]; + }; }; } @@ -5,22 +5,44 @@ let in { boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true; - networking.nftables.enable = true; - networking.firewall.filterForward = true; - networking.nat = { + + networking = { + nftables.enable = true; + firewall.filterForward = true; + nat = { + enable = true; + externalInterface = "enp8s0"; + internalInterfaces = [ "br0" ]; + # forwardPorts = [{ sourcePort = 1234; destination = "10.69.0.2:12345"; }]; + }; + bridges.br0.interfaces = [ lanInterface wifiInterface ]; + interfaces.br0.ipv4.addresses = [{ + address = "10.69.0.1"; + prefixLength = 16; + }]; + networkmanager = { + enable = true; + unmanaged = [ "interface-name:${lanInterface}" "interface-name:${wifiInterface}" ]; + }; + }; + services.hostapd = { enable = true; - externalInterface = "enp8s0"; - internalInterfaces = [ "br0" ]; - # forwardPorts = [{ - # sourcePort = 1234; - # destination = "10.69.0.2:12345"; - # }]; + radios.${wifiInterface} = { + countryCode = "SE"; + band = "2g"; + channel = 12; + networks.${wifiInterface} = { + ssid = "Heidrun"; + authentication = { + mode = "wpa3-sae"; + saePasswords = [ + { password = "REDACTED"; } + ]; + }; + }; + }; }; - networking.bridges.br0.interfaces = [ lanInterface wifiInterface ]; - networking.interfaces.br0.ipv4.addresses = [{ - address = "10.69.0.1"; - prefixLength = 16; - }]; + services.kea.dhcp4 = { enable = true; settings = { 
@@ -49,25 +71,5 @@ in }]; }; }; - networking.networkmanager = { - enable = true; - unmanaged = [ "interface-name:${lanInterface}" "interface-name:${wifiInterface}" ]; - }; - services.hostapd = { - enable = true; - radios.${wifiInterface} = { - countryCode = "SE"; - band = "2g"; - channel = 12; - networks.${wifiInterface} = { - ssid = "Heidrun"; - authentication = { - mode = "wpa3-sae"; - saePasswords = [ - { password = "REDACTED"; } - ]; - }; - }; - }; - }; + oden.persist.directories = [ "/var/lib/private/kea" ]; } |
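Review bot: Nothing in this hunk scopes the NixOS firewall to the LAN side, so any port opened globally — notably sshd's default `openFirewall = true` if the openssh service is enabled elsewhere — is reachable on the WAN interface `enp8s0` as well as on `br0`; prefer `networking.firewall.interfaces.br0.allowedTCPPorts = [ 22 ];` together with `services.openssh.openFirewall = false;` (the openssh block is outside this hunk, so confirm first). Bridging `lanInterface` and `wifiInterface` into one `br0` puts wireless and wired clients on the same L2 segment; if that is deliberate, a short comment on the `bridges.br0` line saying so avoids a later reviewer reading it as an oversight. The commented-out `# forwardPorts = …` example adds no information and can be dropped if no forward is planned. The `let … in` that defines `lanInterface` and `wifiInterface` starts above the hunk.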
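Review bot: `/var/lib/private/kea` is the state directory of a DynamicUser service, and systemd expects the parent `/var/lib/private` to be root-owned with mode 0700 before it populates a `StateDirectory` there; impermanence creates missing parents of a bind mount with its default permissions, so kea may fail to start on the first boot after this change unless the parent's mode already matches — verify the kea unit's status after a reboot, or persist the parent explicitly with `{ directory = "/var/lib/private"; mode = "0700"; }`, which the `oden.persist.directories` option cannot express while it is typed `listOf str`. A one-line comment on the new line would record the intent, e.g. `# kea runs with DynamicUser, so its lease database lives under /var/lib/private`. The rest of this hunk only moves the `networkmanager` and `hostapd` blocks earlier in the file.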
