<!--
SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>

SPDX-License-Identifier: CC-BY-SA-4.0
-->

# okarin

## Hardware

[Ionos VPS Linux XS](https://www.ionos.de/server/vps) S (1 Xeon Skylake vCPU, 1 GiB RAM, 10 GB SSD).

## Purpose

It will host services I want to have separated from the rest of my infrastructure.

## Name

Okabe Rintaro is a mad scientist from *Steins;Gate*.

## Setup

Much like the namesake,
this server requires a “mad scientist” approach to set up.
However, it is much easier than setting up its predecessor,
which had just above 400 MiB of usable memory.

Ionos does not offer any NixOS installation media;
I could only choose between various other installation media and rescue systems.
Also, installing NixOS with a low amount of memory is problematic.

I therefore created a VM locally with a disk image of exactly 10737418240 bytes (10 GiB) in size.
On there, I installed NixOS.
Because encryption with `argon2id` as the PBKDF is quite memory intensive,
I had to tune the parameters to ensure decryption was still possible on the target.
This can be done quite easily by interactively running the following command on the build VM:

```sh
cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3
```

`--pbkdf-memory` is given in KiB (so about 98 MiB here),
and `--pbkdf-force-iterations` sets the time cost directly instead of letting cryptsetup benchmark it.
The memory size was obtained by a successful run of `cryptsetup benchmark` inside the initrd on the target.

However, since those parameters are not ideal,
the following should later be run on the target host itself:

```sh
cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3
```

This will determine the memory usage automatically,
use one thread
and set the parameters so that unlocking takes about 10 seconds (`-i` is `--iter-time`, in milliseconds).
The memory usage will still not be as high as it could be,
but it will be better than the hand-picked value.
Note that `luksChangeKey` replaces the keyslot in place, and the memory cost chosen by the benchmark in the running system is not guaranteed to be available in the initrd.
If it is too high, the machine will no longer boot, so keep console access,
or add the new parameters as an additional keyslot with `cryptsetup luksAddKey` and remove the old one only after a successful reboot.
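After either `luksChangeKey` (the hand-tuned one on the build VM or the benchmarked one on the target), it is worth checking what `cryptsetup luksDump` reports for every keyslot against the memory that was actually available in the initrd. The shell function below is an added example and not part of this page's setup: it parses the `Keyslots:` section of a LUKS2 `luksDump` (where `Memory:` is in KiB, like `--pbkdf-memory`) and flags argon2 keyslots that exceed a memory budget. The embedded dump is a constructed excerpt, not from the real device, and the budget of 400000 KiB is an assumed value standing in for what `cryptsetup benchmark` managed inside the initrd.

```sh
#!/bin/sh
# Added example, not code from the page: check LUKS2 keyslot PBKDF parameters
# (as printed by `cryptsetup luksDump`) against the memory measured to be
# available in the initrd.  `Memory:` is in KiB, like --pbkdf-memory.

# Constructed luksDump excerpt (not from a real device): slot 0 carries the
# hand-tuned parameters from above, slot 1 the cryptsetup defaults
# (1 GiB, 4 threads), which cannot be unlocked on a machine with 1 GiB RAM.
SAMPLE_DUMP='Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  29
        Memory:     100747
        Threads:    1
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 117361
'

# luks_pbkdf_check BUDGET_KIB   (luksDump output on stdin)
# Prints one line per keyslot and exits 1 if any argon2 slot needs more
# memory than BUDGET_KIB.  pbkdf2 slots have no memory cost and always pass.
luks_pbkdf_check() {
    awk -v budget="$1" '
        function flush() {
            if (slot == "") return
            status = "ok"
            if (pbkdf ~ /^argon2/ && mem + 0 > budget + 0) { status = "over"; bad = 1 }
            printf "slot=%s pbkdf=%s time=%s memory=%s threads=%s %s\n",
                   slot, pbkdf, tcost, mem, threads, status
            slot = ""
        }
        /^Keyslots:/         { in_slots = 1; next }
        /^(Tokens|Digests):/ { flush(); in_slots = 0 }
        !in_slots            { next }
        /^  [0-9]+: /        { flush(); slot = $1; sub(/:$/, "", slot)
                               pbkdf = tcost = mem = threads = "-" }
        /PBKDF:/             { pbkdf = $2 }
        /Time cost:/         { tcost = $3 }
        /Iterations:/        { tcost = $2 }   # pbkdf2 slots report iterations instead
        /Memory:/            { mem = $2 }
        /Threads:/           { threads = $2 }
        END                  { flush(); if (bad) exit 1 }
    '
}

# Assumed budget for the example: what `cryptsetup benchmark` in the initrd
# could allocate on the target (value constructed for this example).
INITRD_BUDGET_KIB=400000

# On a real host: cryptsetup luksDump /dev/vda3 | luks_pbkdf_check "$INITRD_BUDGET_KIB"
check_sample() {
    printf '%s' "$SAMPLE_DUMP" | luks_pbkdf_check "$INITRD_BUDGET_KIB"
}
```

Run against the real header with `cryptsetup luksDump /dev/vda3 | luks_pbkdf_check 400000` (using your own measured budget); a non-zero exit means at least one keyslot would fail to unlock in the initrd, which is exactly the lock-out to avoid before removing the conservative slot.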

Getting the disk image onto the server was done
by first `rsync`ing the image to another server (so that later iterations only transfer the changed parts),
which then provided it via HTTP.
Using the Debian installation media in rescue mode
(as for some reason most other options tried to cache the file in memory and became very slow)
it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`.
Before writing, check that the disk is at least as large as the image (`blockdev --getsize64 /dev/sda`),
and afterwards compare a checksum of the first 10737418240 bytes of `/dev/sda` with that of the image on the build host:
plain HTTP gives no integrity guarantee, and an interrupted download leaves a truncated image on the disk.
The image, LUKS header included, is also readable by anyone who can reach that URL, so take it down once the installation is done.
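The raw write above leaves no record of whether the image arrived intact. As an added example that is not part of the original page, the two shell functions below cover both ends of the transfer: `image_fingerprint` is run on the build host and prints the SHA-256 and size of the image, and `verify_written_image` is run on the rescue system and hashes exactly that many bytes from the start of the device, so it also works when the disk is larger than the image. File and device names are placeholders.

```sh
#!/bin/sh
# Added example (not from the page): verify that a raw disk image was written
# to a device intact.  Only the first SIZE bytes of the device are hashed, so
# the check also works when the device is larger than the image.

# image_fingerprint IMAGE
# Run on the build host; prints "<sha256> <size-in-bytes>" for IMAGE.
image_fingerprint() {
    fp_sha=$(sha256sum <"$1" | cut -d' ' -f1)
    fp_size=$(($(wc -c <"$1")))      # arithmetic strips the padding some wc print
    printf '%s %s\n' "$fp_sha" "$fp_size"
}

# verify_written_image SHA256 SIZE DEVICE
# Run on the rescue system after `wget -O DEVICE ...`; hashes the first SIZE
# bytes of DEVICE and succeeds only if they match SHA256.
verify_written_image() {
    expected=$1 size=$2 device=$3
    actual=$(head -c "$size" "$device" | sha256sum | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        printf 'OK: first %s bytes of %s match the image\n' "$size" "$device" >&2
        return 0
    fi
    printf 'MISMATCH on %s: expected %s, got %s\n' "$device" "$expected" "$actual" >&2
    return 1
}

# Build host:    image_fingerprint okarin.img          -> "<sha256> 10737418240"
# Rescue system: verify_written_image <sha256> 10737418240 /dev/sda
```

Keep the fingerprint somewhere other than the HTTP server that serves the image (the console, a notes file), otherwise an attacker who can replace the image can replace the checksum too.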

Because of all the pitfalls of this,
you probably need more than one try.
To make debugging easier on the target, the following option can be set,
which drops into an interactive shell in the initrd before LVM is activated:

```nix
{ pkgs, ... }:

{
  # Debugging aid only: this is an unauthenticated root shell in stage 1.
  boot.initrd.preLVMCommands = ''
    ${pkgs.bashInteractive}/bin/bash
  '';
}
```

Anyone with access to the VPS console gets that root shell without any authentication,
so remove the option again once the installation works.