yuzuru: Init

.sops.yaml

@@ -5,12 +5,12 @@ keys:
   - &vueko 4EA330328CD0D3076E90960194DFA4953D8729DE
   - &fuuko 2372651C56E22972C2D9F3F569C8187C9C43754E
   - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
-  - &yuzuru F4B5F6971A1FAEA1216FCE1C6745A652A31186DB
   - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
   - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
   - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
   - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
   - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
+  - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
 creation_rules:
   - path_regex: machines/nunotaba/secrets\.yaml$
     key_groups:
@@ -37,11 +37,6 @@ creation_rules:
     - pgp:
       - *simon
       - *mayushii
-  - path_regex: machines/yuzuru/secrets\.yaml$
-    key_groups:
-    - pgp:
-      - *simon
-      - *yuzuru
   - path_regex: machines/okarin/secrets\.yaml$
     key_groups:
     - pgp:
@@ -67,6 +62,11 @@ creation_rules:
     - pgp:
       - *simon
       - *nazuna
+  - path_regex: machines/yuzuru/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *simon
+      - *yuzuru
   - path_regex: secrets\.yaml$
     key_groups:
     - pgp:

keys/machines/yuzuru.asc

@@ -1,28 +1,28 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-xsFNBAAAAAABEADlgmSvdnFWue1i5dS1qA9df+cRQDA1NDBHYm5dGpsTe7xghvde
-9B1aAzWxbxeppwr2IHvLo1boWyH0ODC5HFxvleaYd6R9oLljQvxZEPq8ANWMyxDx
-T4MyRlLClegMrUaCoQTFxoO7LFujrhKPC1+r/JVBBehJrpw31WAUQV2SLDTPFRMJ
-GVAJXR1vplafbftlkI9K3t12T1RrD1D5QxPtFPPEdwdfPQ8CDE7cCado9iv+P3e+
-9gA3fE0HJzS1ZRySF0sZ5lP3RX3ZBoY7z/8s3ZHGCYfD9ssGwZS5ByjMk2eJiPY2
-tX0ZwffBdzAwyq64e1/ddubGTIhKNPd5Iy2GCnOEgPMC8TCke5Zz5IeInUE3ANyS
-zkuwpCbqT8Vu541yqhs8+dOnH3srgks9OH2Ar2ctMWx3gmICDoCLHrWfbvlkqUwB
-cxnGxAeNzOXiem1Fu5IJwVC5JR1+5b4dqa3k+f/nuWRizvrU26OP/1S+NTz3T7/W
-TEF6KyE7+dy3K4IO95SDYwVp6mF/0fh4FTahNi6B1BDEAZKZjaVXyd2TOk77Y7si
-Tc98E4SUTUlRRCLh8SmUmxalI168LLgGMwUWhDvRw6EP7uh9FBEi1kLXnN6am0kP
-q1jgQL798DzFwcgEYTx7rTDHZLkbwrxWA32Lpu3T6twtaZiQE+o7wuXMTQARAQAB
+xsFNBAAAAAABEACrSqXAEWHXWjyl/FX+r6d0WQmn7/40slxrnBQzl5ERnEOKtzR5
+hMPioWhfFFKeNbTxYp6tV6mbiIm7NKSCOC0o1lkt16Sb8SU3Tzi8uF4gCl6gxmwW
+iHG4k5CYij/jMw3YMX9NEpCVPjita/FXVxrN2aq96cMEgf7kQU9Bs+VmN2nlGCl0
+ATI4tZyJrxjO2okWEfsK3OT0qhqsQrQdsv8QhsG455pv1tmhvgwDY22swORQbBYC
+4Jgp2mtPX/LPXzr3cxnG3hz+d/A9tDtZK9t/uEc1sMMSEws6FiKofVNL00KTvx5/
+1N5PPEACovBmGx17KLYZVo0pNDvIzPvp7UdZ3gbdoK7KvRPzzJ8EdSB/IPP2883w
+bAplPpP6aGkYog3bPsp9o9t5il5hm5ASlKchKZjUp5Mes6sRrnSAnq5zJGpE3bMz
+0NnbcOcuRBNF/cie0eX2XpL4ooI+OTUC0cUa/nnmvRbvH9INVydAhiJmzxhduLvz
+586SzGRoHG1FNumT/I+jQDXgb2hIpZy4keDzsBlfuOCixjKyJPKf39hCbKbiNyed
+R+e8EqqqSwKBdN6neha5o0NPldQRp9BV+uSaVtr6NwmG6nRKMg5QSuxuab0qckwG
+3C33xjBFvodVoYLKTgvYR2qw8QFgI33MKrctQsUW4od1w5rfPVsWTsboowARAQAB
 zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQZ0WmUqMRhtsCGw8CGQEAAIyAEAA89dyQvXx4sS7I1nRlMw9q
-Agbi4h1lrCifEH6srlInbg3kZNgnlsDY+cVCIiy8m/Oyupn0U4uduMI8P7R5kgWQ
-g9+FKFXoLK8P1kO5gani+tWNmBW49leSN8un9YAviKele5wDM/Dg+rNbWDaYHKu5
-SspZV/SiP0JkxXOgxkMgOOl97kNmvv6O3qYHPG5rz5P/YV0pdDSi1cfhdREvTPAl
-eNqzMrdEuE/GUrYJYeF8kN+TswBubTgy4WBqQdMlS+Go1B/7HQd56pl5BHiHM8HZ
-l01ljbgqdYdggmXt7CI90Txe3RRduzKS4ncEQ1VVQiXEmOzU7emu+DFwknGnSgTW
-gW6Nps3u2XhcsJNczf2PdEzDAv0oNAp4So7JdTGetkJ1Yw4quS0l1XWWBm+cf376
-nanAGkENvuBbS36kgHNjNT1EnUnyJoMDMnc1AmSSlTf/ORc+JrzM4PtMonhWJTAU
-eM66tozyJ3qYWApiI2doYwMDuh/u3jvqpTddxklaNFUOxIA2VITP0EgCFkVjW2u3
-0gPY2tV6AtcxcUn1NnhS92xf0//O4fcGOwlTvNaPqDuF0mk9OazAPQ5L37mfNZzb
-XUc3AyZXRZNhlE+aNfeJSKtzFCpGUJfstPmkdOwPxK29G4GDbjzWevpYF9Rv6Xpq
-Ky38rXnis6Hpih/z6/7HOg==
-=5Ki8
+AQgAFgUCAAAAAAkQZJ53DsbqFuQCGw8CGQEAAKv8EABzl8YKtwB0NEfR54L4fC65
+/068DC+BqeT5rMI0T/f9yax9CNWH/j359GGal5TjWaOxZzY5g6KgIzsn/GBo0kNt
+/XhEuNv2zfjeGsF+bugTO+qipZV7hGq3tV8JHqsmRnafoAH+tOIkIKYtL4B5jT6w
+KjOO70WDak0tnO8s5jMAqONf6Ny3OT8Xqy5yZhUvvSqfOY488rkMjbY5hGkuU1+z
+7vOppJRZIIXHQeZZWM4OXXcVayHiVjAKXpVoQ8XGGPL82Io1kDf39lWyIUUk5jCc
+1S0fSyMCZfC8nAprKmXMUZdeQUs4k7BCMmreKTa4G58LMnm6T/rtdoqwnTjk/fIB
+SVea86wcjN7zhXZbrDMVSbHtToX95287kpsXCRmIglX9KNhbT3IPpEz5sq9/9/YA
+fhyXu1lnu2JbGt01lRuBUPlVx1qEQ9Gor1PmOORfMR19KXpVXci+JIhWA8KxMnSv
+Hbj6Iqh/EdhctlrvAnjC4ERA3Om3m6SfrJm+e3kmSpV8Hq2f7gDeDbrruy78AAMv
+RLabJ0+RPBOFCU5XFs+li2t1xgeR8XVgSrMafHbjNREvytLKG0y21kkY+O1Pg0/c
+PuxFfEqzXeH+pqa9Dv/TCXpbkGuos8c3WpFjNmt+XTULfrUvMc0/ClfVqVAfic4H
+GjYdNSdHdZaTkT/4WjVD4A==
+=5kkr
 -----END PGP PUBLIC KEY BLOCK-----

machines/default.nix

@@ -67,4 +67,9 @@ in
 
     targetHost = "nazuna.sbruder.de";
   };
+  yuzuru = {
+    system = "x86_64-linux";
+
+    targetHost = "yuzuru.sbruder.de";
+  };
 }

machines/renge/services/prometheus.nix

@@ -70,6 +70,7 @@ in
           "okarin.vpn.sbruder.de:9100"
           "shinobu.vpn.sbruder.de:9100"
           "nazuna.vpn.sbruder.de:9100"
+          "yuzuru.vpn.sbruder.de:9100"
         ];
         relabel_configs = lib.singleton {
           target_label = "instance";

machines/yuzuru/README.md

@@ -0,0 +1,18 @@
+# yuzuru
+
+## Hardware
+
+[Strato VPS Entry Linux VC1-1](https://www.strato.de/server/linux-vserver/mini-vserver/) (1 AMD EPYC Milan vCPU, <1 GiB RAM, 30 GiB SSD).
+
+## Purpose
+
+It will host services I want to have separated from the rest of my infrastructure.
+
+## Name
+
+Yuzuru Nishimiya is a character from *A Silent Voice*
+
+## Setup
+
+The setup is very similar to that of `okarin`,
+please see the description there.

machines/yuzuru/configuration.nix

@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules
+  ];
+
+  sbruder = {
+    nginx.hardening.enable = true;
+    full = false;
+    wireguard.home.enable = true;
+  };
+
+  networking.hostName = "yuzuru";
+
+  system.stateVersion = "23.11";
+
+  services.nginx = {
+    enable = true;
+
+    virtualHosts."yuzuru.sbruder.de" = {
+      enableACME = true;
+      forceSSL = true;
+
+      root = pkgs.sbruder.imprint;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}

machines/yuzuru/hardware-configuration.nix

@@ -0,0 +1,69 @@
+{ lib, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  sbruder.machine.isVm = true;
+
+  boot = {
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+    kernelParams = [ "ip=dhcp" ];
+    initrd = {
+      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ];
+      kernelModules = [ ];
+      network = {
+        enable = true; # remote unlocking
+        # For some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands.
+        # This works around this, but is arguably quite hacky.
+        postCommands = ''
+          ip route add 85.215.73.1 dev eth0
+          ip route add default via 85.215.73.1 dev eth0
+        '';
+      };
+      luks.devices."root".device = "/dev/disk/by-uuid/d166ff83-dcc6-4700-95b5-bffae202d985";
+    };
+    loader.grub.device = "/dev/vda";
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/3c91488f-0505-4df6-bf76-96a539dcc27a";
+      fsType = "btrfs";
+      options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/f271b335-9174-47a9-bcca-04ce59ce5708";
+      fsType = "ext2";
+    };
+  };
+
+  swapDevices = [
+    {
+      device = "/dev/disk/by-partuuid/5edbf393-b83e-4d3f-82d1-f07870df40ed";
+      randomEncryption.enable = true;
+    }
+  ];
+
+  zramSwap = {
+    enable = true;
+    memoryPercent = 150;
+  };
+
+  networking = {
+    useDHCP = false;
+    usePredictableInterfaceNames = false;
+  };
+  systemd.network = {
+    enable = true;
+    networks = {
+      eth0 = {
+        name = "eth0";
+        DHCP = "yes";
+        domains = [ "sbruder.de" ];
+      };
+    };
+  };
+}

machines/yuzuru/secrets.yaml

@@ -0,0 +1,52 @@
+wg-home-private-key: ENC[AES256_GCM,data:0ylkx9p62CBGqVg+T52eHbMwbLcZM/v3tg/wJukDq76heN1TtQqbbqgVZKc=,iv:/aUkqKhihnBWQFLIRjS7kHigBCBXX7L4KY5q+cO9Q00=,tag:jQSMVElMfIyrG5hs7HuxUQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-01-02T22:37:47Z"
+    mac: ENC[AES256_GCM,data:oBfM/DF/TfWJIW1VlvZ4Z+vBQxCmHm8J83pjILtHFBwU14f1H09iIsswY1xyAwO9wO3cttf4xjrSa6mGGUyQFqLdEzj8z/JkCm1vwpLZQW+j8FpRjH1ryyE6G/3eS5tboUZgmAwBPDsulJr3NBi121RHhZvWf1dv2T/J5IcZMxI=,iv://TpDpO8tNaibh8ABqE1AT6CPK62rtUZiFmYP9ST3MA=,tag:5SErG/jDycIdxX3ABOcsow==,type:str]
+    pgp:
+        - created_at: "2024-01-02T22:37:37Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDgSONkM+d4ARAA1V2B8s1NyyJFa+nbKo2sFoubX9OKNYkzib6uvjs2eiOp
+            XuUsqxYZrUXCjwvWpvb9GT4neBV68mqVZMwkt6qQuiwyxSdrx+G8qKT5do0gjwmm
+            BTjOlJnUAWKn5/kzJKG9Yb+RiQZD2rV5/xj6roImCLt6lg97howP5n5PNO+TcDM0
+            0Mz2vJJHbKEgeIjnRPG3MB5IS3WFHkmSe0jBIKXRFuiP9bdVgPAaoXk1v3KmeO3i
+            c2BDOxLWjq4kHzAT/GIRQJxA4/8f6vMVfUlepmhL2jUmw72WrfSC2EfZeWnlm1np
+            M/kAVU+Gd+d2fzv9f+Ut+K8Id5vBDANlp7m5KVJV0howrCxaV/TZ9kiReWpePP8U
+            4EDx2cVi/FDlnDJEr6qDfYZ5bguYeTD0X6c8IK8r6NlWPbQD7W6cvHto71EtXKqG
+            R2XZYVbsRGufNLeNUCcfz1ev+x6Ix9VqsDzkwUFfgXMS4FavQ84TzJV9Z0zhRCme
+            yFGD8lW6LliUxUF5YDRqiceJdDV7Nx+TRIRXXNJq4Fid7b1M+7fdI0JlU3xTPqwm
+            kZFfgAAwt1ji0AtGd4khC30XSr29V3YjqX1ow0wYJ9rYEhnrexS+/iOJvygQ1AcZ
+            nzajsK7dHidC9RNpr2PHqL46KtoksdoL4DT80uT+mwevb8w2wG949WQ+KJOlez3S
+            XAH0NywA6R4KaW6fOShYtL0nDPfYOCm31t4sWpQfxJSQt/6p2fDobbz4q5tTQfjf
+            /Zq8fstojMtM8C5eur4ASa9H8dckRW6Lk/VzsW3u2tP3rl3js1eumcvYumLK
+            =bwxH
+            -----END PGP MESSAGE-----
+          fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+        - created_at: "2024-01-02T22:37:37Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA2Sedw7G6hbkAQ//Y+ZDDXUxCRqwjTWRz9uoIHcQBrCI2LhecCt8uWRMXbyV
+            q/HaDIjYO5fLrpZ8HGzS4C9B5QH3Vr0yzbGR6l3i77W1FpzY0KYQ5jicttQ56rDL
+            n3APgqBL8sdcq90Hs9iqG4AA9/QhCIupzG18BQ8zWCqJ/2uMx2ddRYxxa3FEgCdi
+            1C0wH2kLlZT7aRH7OlKFbX8QABpGEvBQpG456XghsX92wXou/pJfcrgqh9H0Px+i
+            5kvcSHERq97+2DIQYcck9DfZ6Pf2lfnoM3f2c7Ln3OeaPrnl5wLPrIP/KQBLd8AC
+            6hU8zrsTM4dSSopXnAjc9PEi4kmfLwrcZiokw5kjfaolyRilX8V6+ewaWF6jK2Yo
+            IwsQ09ElGzfXmmkqMrUEGnWr55WZgvDXABMwTr9VwIej47ef1HcqNxwmFe37XndA
+            UDfJ+GUGOkqLBLpamhHp/A/UM8+wrUZIOXJWsJdpP5194wKXBD0zjd+HMxfq+RTk
+            4ICLChn2+MzU58V8FP9WRdYOLQWcHVAfBP8zba9zFf/FCnHrXQjv9lwadYQ8YkhN
+            uSzPB5yvzfa1YOl7PXDn/5EBu5WYGxdTNHouP1hbk8Nxmt37+0VCMDgkUln6qans
+            5FzmAlrFHTX/887d1rP2Rc2HT58Qmgou355UmnkjxMWH6b5WSOo5p+KEHkHwW+7S
+            VgF5p8vBWd9cISMG5aetMpyBwhZAcx5XTXV74pJ8Zc15B0mYvz+BcYM+1Nlqdp0g
+            NVpa3jISybMeGqkbeQmjoT05J5REmYszhGg6SEMyuiLrC64lwDy9
+            =A8pI
+            -----END PGP MESSAGE-----
+          fp: a1ee5bc0249163a047440ef2649e770ec6ea16e4
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

modules/ssh.nix

@@ -75,5 +75,13 @@
       hostNames = [ "[nazuna.sbruder.de]:2222" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/VDiagTEI5BIjTrPRkGWAH3YurcMEV8i6Q8PSnxlg3";
     };
+    yuzuru = {
+      hostNames = [ "yuzuru" "yuzuru.sbruder.de" "yuzuru.vpn.sbruder.de" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXCG8Dck3bELx7NaKgDnFAUjO/o1iEnq0VT5dZ2P/+m";
+    };
+    yuzuru-initrd = {
+      hostNames = [ "[yuzuru.sbruder.de]:2222" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
+    };
   };
 }

modules/wireguard/home.nix

@@ -40,6 +40,10 @@ let
       address = "10.80.0.13";
       publicKey = "TALmk853OVeRYoLWFcOE+caRGYmbnkHpLAHIIL2nuyQ=";
     };
+    yuzuru = {
+      address = "10.80.0.16";
+      publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
+    };
   };
 
   cfg = config.sbruder.wireguard.home;