2024-01-06 01:19:35 +01:00
<!--
SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>

SPDX-License-Identifier: CC-BY-SA-4.0
-->

# okarin

## Hardware

[Ionos Cloud VPS](https://cloud.ionos.de/server/vps) S (1 Xeon Gold 5120 vCPU, “512 MB” = 443 MiB RAM, 10 GB SSD).

## Purpose

It will host services I want to have separated from the rest of my infrastructure.

## Name

Okabe Rintaro is a mad scientist from *Steins;Gate*.

## Setup

Much like its namesake, this server requires a “mad scientist” approach to set up.

Ionos does not offer any NixOS installation media. I could only choose between a Debian installation medium, Knoppix and GParted. Also, installing with a very low amount of memory is quite hard.

I therefore created a VM locally with a disk image of exactly 10737418240 bytes. On there, I installed NixOS. Because encryption with `argon2id` as the PBKDF is quite memory intensive, I had to tune its parameters somewhat. What I settled on was `cryptsetup luksFormat --pbkdf argon2id --iter-time 10000 --pbkdf-memory 250000 /dev/sda3`.

To make btrfs use its SSD optimizations, I had to force the kernel to see the device as non-rotational: `echo 0 > /sys/block/dm-0/queue/rotational`

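The `echo 0 > /sys/block/dm-0/queue/rotational` above assumes the LUKS device is always `dm-0`, and the value lasts only until the next boot. As an added example (my code, not code from the okarin repository), the shell functions below resolve the device-mapper device by its mapper name through `/sys/block/dm-*/dm/name` and only then write the flag. The mapper name `cryptroot`, the optional sysfs root parameter and the constructed tree built by `make_fake_sysfs` are assumptions for the demonstration, not values from the page.

```shell
#!/usr/bin/env bash
# Added example: set queue/rotational=0 for a device-mapper device found by
# mapper name rather than by a hard-coded dm-N number (dm numbering depends on
# the order in which volumes were opened).
set -eu

# Print the dm-N block name whose dm/name attribute equals MAPPER_NAME.
# SYSFS defaults to /sys; a different root lets the logic run on a constructed tree.
dm_block_for_name() {
  local mapper="$1" sysfs="${2:-/sys}" d
  for d in "$sysfs"/block/dm-*; do
    [ -r "$d/dm/name" ] || continue          # also skips the unexpanded glob
    if [ "$(cat "$d/dm/name")" = "$mapper" ]; then
      basename "$d"
      return 0
    fi
  done
  return 1
}

# Write 0 to queue/rotational for the dm device named MAPPER_NAME and print the
# value read back, so the caller can confirm the kernel accepted it.
set_dm_nonrotational() {
  local mapper="$1" sysfs="${2:-/sys}" blk
  blk=$(dm_block_for_name "$mapper" "$sysfs") \
    || { echo "no dm device named $mapper" >&2; return 1; }
  echo 0 > "$sysfs/block/$blk/queue/rotational"
  cat "$sysfs/block/$blk/queue/rotational"
}

# Constructed sysfs tree (not real hardware) with two dm devices, so that lookup
# by name rather than by number can be exercised without root or a real volume.
make_fake_sysfs() {
  local root="$1"
  mkdir -p "$root/block/dm-0/dm" "$root/block/dm-0/queue" \
           "$root/block/dm-1/dm" "$root/block/dm-1/queue"
  echo swap      > "$root/block/dm-0/dm/name"
  echo cryptroot > "$root/block/dm-1/dm/name"
  echo 1 > "$root/block/dm-0/queue/rotational"
  echo 1 > "$root/block/dm-1/queue/rotational"
}

# Stand-alone demonstration against the constructed tree; prints "0".
demo() {
  local root
  root=$(mktemp -d)
  make_fake_sysfs "$root"
  set_dm_nonrotational cryptroot "$root"   # hypothetical mapper name
  rm -rf "$root"
}

demo
```

On the real host, run `set_dm_nonrotational <mapper-name>` as root after the volume is opened. For a setting that survives reboots, the usual route is a udev rule matching `KERNEL=="dm-*"` that sets `ATTR{queue/rotational}="0"` (or the corresponding NixOS udev option) rather than an `echo` into sysfs.
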
Another problem was Ionos' use of VMware. The VM I set this up in was obviously using KVM/QEMU, so it needed different kernel modules at boot. What worked was setting it up in the local VM with both the libvirt and the VMware modules, and then removing the libvirt modules once it was installed on the target.

Getting the disk image onto the server was done by first `rsync`ing the image to another server (to allow for incremental iterations), which then provided it via HTTP. Using the Knoppix live image (booted with `knoppix 2` to avoid starting the GUI), it was possible to just `curl http://server/okarin.img > /dev/sda`.

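The transfer above writes an image fetched over plain HTTP straight to the disk, so nothing checks that the bytes arrived intact or complete; a dropped connection leaves a truncated image on `/dev/sda` with no error from the shell. The script below is an added example (my code, not code from the okarin repository) of the checks worth running around that step: the image is compared against the target disk size, its SHA-256 is recorded on the build machine, and after writing, the first N bytes of the target are hashed and compared. The function names are assumptions, and the 1 MiB image and stand-in device file in `demo` are constructed rather than a real disk.

```shell
#!/usr/bin/env bash
# Added example: size and SHA-256 checks around writing a raw disk image to a
# block device (as in `curl http://server/okarin.img > /dev/sda`).
set -eu

# Return 0 if FILE is exactly EXPECTED_BYTES long. The target VPS disk is
# 10737418240 bytes; a larger image does not fit, a smaller one leaves a tail unwritten.
image_size_ok() {
  local file="$1" expected_bytes="$2" actual
  actual=$(( $(wc -c < "$file") ))
  [ "$actual" -eq "$expected_bytes" ]
}

# Print the SHA-256 of the first NBYTES of FILE (regular file or block device).
# Only the image length is hashed: the device may be larger than the image, and
# whatever follows the image must not change the result.
sha256_prefix() {
  local file="$1" nbytes="$2"
  head -c "$nbytes" "$file" | sha256sum | cut -d ' ' -f 1
}

# Return 0 if the first NBYTES of TARGET hash to EXPECTED (the value recorded on
# the build machine before the image left it).
verify_written_image() {
  local target="$1" nbytes="$2" expected="$3"
  [ "$(sha256_prefix "$target" "$nbytes")" = "$expected" ]
}

# Demonstration on constructed files: a 1 MiB pseudo-image is "written" to a
# larger file standing in for /dev/sda, once completely and once truncated.
# Prints "ok" and returns 0 when the complete write verifies and the truncated
# one is rejected.
demo() {
  local dir image device sum size=$((1024 * 1024))
  dir=$(mktemp -d)
  image="$dir/okarin.img"
  device="$dir/sda"
  head -c "$size" /dev/urandom > "$image"
  image_size_ok "$image" "$size" || { echo "image has wrong size"; return 1; }
  sum=$(sha256_prefix "$image" "$size")          # recorded before transfer

  # Complete write: the device carries extra bytes after the image, like a real disk.
  { cat "$image"; head -c 4096 /dev/zero; } > "$device"
  verify_written_image "$device" "$size" "$sum" \
    || { echo "complete write not verified"; return 1; }

  # Truncated download (one byte short) must be detected.
  head -c $((size - 1)) "$image" > "$device"
  if verify_written_image "$device" "$size" "$sum"; then
    echo "truncated write wrongly accepted"; return 1
  fi
  rm -rf "$dir"
  echo ok
}

demo
```

In practice the hash is computed once on the build VM (`sha256_prefix okarin.img 10737418240`), carried to the live system out of band, and checked there with `verify_written_image /dev/sda 10737418240 <hash>` before rebooting into the written image; the size check belongs on the build VM, before the image is uploaded at all.
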
Because of all the pitfalls of this, you probably need more than one try.