From 0393661579184581cd6018e1d070c8dd82896353 Mon Sep 17 00:00:00 2001 From: Simon Bruder Date: Tue, 2 Jan 2024 23:26:46 +0100 Subject: [PATCH] yuzuru: Init --- .sops.yaml | 12 ++-- keys/machines/yuzuru.asc | 48 +++++++-------- machines/default.nix | 5 ++ machines/renge/services/prometheus.nix | 1 + machines/yuzuru/README.md | 18 ++++++ machines/yuzuru/configuration.nix | 34 +++++++++++ machines/yuzuru/hardware-configuration.nix | 69 ++++++++++++++++++++++ machines/yuzuru/secrets.yaml | 52 ++++++++++++++++ modules/ssh.nix | 8 +++ modules/wireguard/home.nix | 4 ++ 10 files changed, 221 insertions(+), 30 deletions(-) create mode 100644 machines/yuzuru/README.md create mode 100644 machines/yuzuru/configuration.nix create mode 100644 machines/yuzuru/hardware-configuration.nix create mode 100644 machines/yuzuru/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index f5b23ff..ea839ac 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -5,12 +5,12 @@ keys:
 - &vueko 4EA330328CD0D3076E90960194DFA4953D8729DE
 - &fuuko 2372651C56E22972C2D9F3F569C8187C9C43754E
 - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
- - &yuzuru F4B5F6971A1FAEA1216FCE1C6745A652A31186DB
 - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
 - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
 - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
 - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
 - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
+ - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
 creation_rules:
 - path_regex: machines/nunotaba/secrets\.yaml$
 key_groups:
@@ -37,11 +37,6 @@ creation_rules:
 - pgp:
 - *simon
 - *mayushii
- - path_regex: machines/yuzuru/secrets\.yaml$
- key_groups:
- - pgp:
- - *simon
- - *yuzuru
 - path_regex: machines/okarin/secrets\.yaml$
 key_groups:
 - pgp:
@@ -67,6 +62,11 @@ creation_rules:
 - pgp:
 - *simon
 - *nazuna
+ - path_regex: machines/yuzuru/secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *simon
+ - *yuzuru
 - path_regex: secrets\.yaml$
 key_groups:
 - pgp:
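Review bot: The first hunk swaps the `&yuzuru` fingerprint from `F4B5F6971A1FAEA1216FCE1C6745A652A31186DB` to `a1ee5bc0249163a047440ef2649e770ec6ea16e4` without recording why, and the diffstat shows `keys/machines/yuzuru.asc` being modified rather than created, so this looks like a re-key of an existing host rather than a brand-new one. Any sops file that was encrypted to the old fingerprint (none is visible in this patch, although the second hunk shows a `machines/yuzuru/secrets.yaml` rule already existed) would need `sops updatekeys` to pick up the new recipient, and the old private key should be treated as retired. I would put that next to the new anchor: `# re-keyed 2024-01; the previous fingerprint F4B5F697… must no longer be used as a recipient`. The new yuzuru creation rule sits before the catch-all `secrets\.yaml$` rule, which is required because sops applies the first matching `path_regex`.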
diff --git a/keys/machines/yuzuru.asc b/keys/machines/yuzuru.asc
index 6f18a44..dd4ca9a 100644
--- a/keys/machines/yuzuru.asc
+++ b/keys/machines/yuzuru.asc
@@ -1,28 +1,28 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -xsFNBAAAAAABEADlgmSvdnFWue1i5dS1qA9df+cRQDA1NDBHYm5dGpsTe7xghvde -9B1aAzWxbxeppwr2IHvLo1boWyH0ODC5HFxvleaYd6R9oLljQvxZEPq8ANWMyxDx -T4MyRlLClegMrUaCoQTFxoO7LFujrhKPC1+r/JVBBehJrpw31WAUQV2SLDTPFRMJ -GVAJXR1vplafbftlkI9K3t12T1RrD1D5QxPtFPPEdwdfPQ8CDE7cCado9iv+P3e+ -9gA3fE0HJzS1ZRySF0sZ5lP3RX3ZBoY7z/8s3ZHGCYfD9ssGwZS5ByjMk2eJiPY2 -tX0ZwffBdzAwyq64e1/ddubGTIhKNPd5Iy2GCnOEgPMC8TCke5Zz5IeInUE3ANyS -zkuwpCbqT8Vu541yqhs8+dOnH3srgks9OH2Ar2ctMWx3gmICDoCLHrWfbvlkqUwB -cxnGxAeNzOXiem1Fu5IJwVC5JR1+5b4dqa3k+f/nuWRizvrU26OP/1S+NTz3T7/W -TEF6KyE7+dy3K4IO95SDYwVp6mF/0fh4FTahNi6B1BDEAZKZjaVXyd2TOk77Y7si -Tc98E4SUTUlRRCLh8SmUmxalI168LLgGMwUWhDvRw6EP7uh9FBEi1kLXnN6am0kP -q1jgQL798DzFwcgEYTx7rTDHZLkbwrxWA32Lpu3T6twtaZiQE+o7wuXMTQARAQAB +xsFNBAAAAAABEACrSqXAEWHXWjyl/FX+r6d0WQmn7/40slxrnBQzl5ERnEOKtzR5 +hMPioWhfFFKeNbTxYp6tV6mbiIm7NKSCOC0o1lkt16Sb8SU3Tzi8uF4gCl6gxmwW +iHG4k5CYij/jMw3YMX9NEpCVPjita/FXVxrN2aq96cMEgf7kQU9Bs+VmN2nlGCl0 +ATI4tZyJrxjO2okWEfsK3OT0qhqsQrQdsv8QhsG455pv1tmhvgwDY22swORQbBYC +4Jgp2mtPX/LPXzr3cxnG3hz+d/A9tDtZK9t/uEc1sMMSEws6FiKofVNL00KTvx5/ +1N5PPEACovBmGx17KLYZVo0pNDvIzPvp7UdZ3gbdoK7KvRPzzJ8EdSB/IPP2883w +bAplPpP6aGkYog3bPsp9o9t5il5hm5ASlKchKZjUp5Mes6sRrnSAnq5zJGpE3bMz +0NnbcOcuRBNF/cie0eX2XpL4ooI+OTUC0cUa/nnmvRbvH9INVydAhiJmzxhduLvz +586SzGRoHG1FNumT/I+jQDXgb2hIpZy4keDzsBlfuOCixjKyJPKf39hCbKbiNyed +R+e8EqqqSwKBdN6neha5o0NPldQRp9BV+uSaVtr6NwmG6nRKMg5QSuxuab0qckwG +3C33xjBFvodVoYLKTgvYR2qw8QFgI33MKrctQsUW4od1w5rfPVsWTsboowARAQAB zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT -AQgAFgUCAAAAAAkQZ0WmUqMRhtsCGw8CGQEAAIyAEAA89dyQvXx4sS7I1nRlMw9q -Agbi4h1lrCifEH6srlInbg3kZNgnlsDY+cVCIiy8m/Oyupn0U4uduMI8P7R5kgWQ -g9+FKFXoLK8P1kO5gani+tWNmBW49leSN8un9YAviKele5wDM/Dg+rNbWDaYHKu5 -SspZV/SiP0JkxXOgxkMgOOl97kNmvv6O3qYHPG5rz5P/YV0pdDSi1cfhdREvTPAl -eNqzMrdEuE/GUrYJYeF8kN+TswBubTgy4WBqQdMlS+Go1B/7HQd56pl5BHiHM8HZ -l01ljbgqdYdggmXt7CI90Txe3RRduzKS4ncEQ1VVQiXEmOzU7emu+DFwknGnSgTW 
-gW6Nps3u2XhcsJNczf2PdEzDAv0oNAp4So7JdTGetkJ1Yw4quS0l1XWWBm+cf376
-nanAGkENvuBbS36kgHNjNT1EnUnyJoMDMnc1AmSSlTf/ORc+JrzM4PtMonhWJTAU
-eM66tozyJ3qYWApiI2doYwMDuh/u3jvqpTddxklaNFUOxIA2VITP0EgCFkVjW2u3
-0gPY2tV6AtcxcUn1NnhS92xf0//O4fcGOwlTvNaPqDuF0mk9OazAPQ5L37mfNZzb
-XUc3AyZXRZNhlE+aNfeJSKtzFCpGUJfstPmkdOwPxK29G4GDbjzWevpYF9Rv6Xpq
-Ky38rXnis6Hpih/z6/7HOg==
-=5Ki8
+AQgAFgUCAAAAAAkQZJ53DsbqFuQCGw8CGQEAAKv8EABzl8YKtwB0NEfR54L4fC65
+/068DC+BqeT5rMI0T/f9yax9CNWH/j359GGal5TjWaOxZzY5g6KgIzsn/GBo0kNt
+/XhEuNv2zfjeGsF+bugTO+qipZV7hGq3tV8JHqsmRnafoAH+tOIkIKYtL4B5jT6w
+KjOO70WDak0tnO8s5jMAqONf6Ny3OT8Xqy5yZhUvvSqfOY488rkMjbY5hGkuU1+z
+7vOppJRZIIXHQeZZWM4OXXcVayHiVjAKXpVoQ8XGGPL82Io1kDf39lWyIUUk5jCc
+1S0fSyMCZfC8nAprKmXMUZdeQUs4k7BCMmreKTa4G58LMnm6T/rtdoqwnTjk/fIB
+SVea86wcjN7zhXZbrDMVSbHtToX95287kpsXCRmIglX9KNhbT3IPpEz5sq9/9/YA
+fhyXu1lnu2JbGt01lRuBUPlVx1qEQ9Gor1PmOORfMR19KXpVXci+JIhWA8KxMnSv
+Hbj6Iqh/EdhctlrvAnjC4ERA3Om3m6SfrJm+e3kmSpV8Hq2f7gDeDbrruy78AAMv
+RLabJ0+RPBOFCU5XFs+li2t1xgeR8XVgSrMafHbjNREvytLKG0y21kkY+O1Pg0/c
+PuxFfEqzXeH+pqa9Dv/TCXpbkGuos8c3WpFjNmt+XTULfrUvMc0/ClfVqVAfic4H
+GjYdNSdHdZaTkT/4WjVD4A==
+=5kkr
 -----END PGP PUBLIC KEY BLOCK-----
diff --git a/machines/default.nix b/machines/default.nix
index 6fa7c50..245ebe5 100644
--- a/machines/default.nix
+++ b/machines/default.nix
@@ -67,4 +67,9 @@ in
 targetHost = "nazuna.sbruder.de";
 };
+ yuzuru = {
+ system = "x86_64-linux";
+
+ targetHost = "yuzuru.sbruder.de";
+ };
 }
diff --git a/machines/renge/services/prometheus.nix b/machines/renge/services/prometheus.nix
index 3efae4f..4f25426 100644
--- a/machines/renge/services/prometheus.nix
+++ b/machines/renge/services/prometheus.nix
@@ -70,6 +70,7 @@ in
 "okarin.vpn.sbruder.de:9100"
 "shinobu.vpn.sbruder.de:9100"
 "nazuna.vpn.sbruder.de:9100"
+ "yuzuru.vpn.sbruder.de:9100"
 ];
 relabel_configs = lib.singleton {
 target_label = "instance";
diff --git a/machines/yuzuru/README.md b/machines/yuzuru/README.md
new file mode 100644
index 0000000..4848bc2
--- /dev/null
+++ b/machines/yuzuru/README.md
@@ -0,0 +1,18 @@
+# yuzuru
+
+## Hardware
+
+[Strato VPS Entry Linux VC1-1](https://www.strato.de/server/linux-vserver/mini-vserver/) (1 AMD EPYC Milan vCPU, <1 GiB RAM, 30 GiB SSD).
+
+## Purpose
+
+It will host services I want to have separated from the rest of my infrastructure.
+
+## Name
+
+Yuzuru Nishimiya is a character from *A Silent Voice*
+
+## Setup
+
+The setup is very similar to that of `okarin`,
+please see the description there.
diff --git a/machines/yuzuru/configuration.nix b/machines/yuzuru/configuration.nix
new file mode 100644
index 0000000..2424e65
--- /dev/null
+++ b/machines/yuzuru/configuration.nix
@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../modules
+ ];
+
+ sbruder = {
+ nginx.hardening.enable = true;
+ full = false;
+ wireguard.home.enable = true;
+ };
+
+ networking.hostName = "yuzuru";
+
+ system.stateVersion = "23.11";
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."yuzuru.sbruder.de" = {
+ enableACME = true;
+ forceSSL = true;
+
+ root = pkgs.sbruder.imprint;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+}
diff --git a/machines/yuzuru/hardware-configuration.nix b/machines/yuzuru/hardware-configuration.nix
new file mode 100644
index 0000000..132a5e0
--- /dev/null
+++ b/machines/yuzuru/hardware-configuration.nix
@@ -0,0 +1,69 @@
+{ lib, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ sbruder.machine.isVm = true;
+
+ boot = {
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ kernelParams = [ "ip=dhcp" ];
+ initrd = {
+ availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ];
+ kernelModules = [ ];
+ network = {
+ enable = true; # remote unlocking
+ # For some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands.
+ # This works around this, but is arguably quite hacky.
+ postCommands = ''
+ ip route add 85.215.73.1 dev eth0
+ ip route add default via 85.215.73.1 dev eth0
+ '';
+ };
+ luks.devices."root".device = "/dev/disk/by-uuid/d166ff83-dcc6-4700-95b5-bffae202d985";
+ };
+ loader.grub.device = "/dev/vda";
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/3c91488f-0505-4df6-bf76-96a539dcc27a";
+ fsType = "btrfs";
+ options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/f271b335-9174-47a9-bcca-04ce59ce5708";
+ fsType = "ext2";
+ };
+ };
+
+ swapDevices = [
+ {
+ device = "/dev/disk/by-partuuid/5edbf393-b83e-4d3f-82d1-f07870df40ed";
+ randomEncryption.enable = true;
+ }
+ ];
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 150;
+ };
+
+ networking = {
+ useDHCP = false;
+ usePredictableInterfaceNames = false;
+ };
+ systemd.network = {
+ enable = true;
+ networks = {
+ eth0 = {
+ name = "eth0";
+ DHCP = "yes";
+ domains = [ "sbruder.de" ];
+ };
+ };
+ };
+}
diff --git a/machines/yuzuru/secrets.yaml b/machines/yuzuru/secrets.yaml
new file mode 100644
index 0000000..b113f2f
--- /dev/null
+++ b/machines/yuzuru/secrets.yaml
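Review bot: The root filesystem is mounted with `discard` in `options = [ "compress=zstd" "discard" "noatime" "ssd" ]`, but the LUKS device it sits on (`luks.devices."root"`, a few lines above) does not set `allowDiscards`, so unless that is enabled in the shared modules not shown here, dm-crypt will reject the TRIM requests and the mount option does nothing as written. Either add `luks.devices."root".allowDiscards = true;` — accepting that TRIM on an encrypted volume exposes the free-space layout to the hypervisor — or drop `discard` from the options and say why. The `postCommands` workaround also pins the gateway `85.215.73.1`, and since the remote-unlock initrd depends on it, a provider-side renumbering silently breaks unlocking and forces a console session; that deserves `# NOTE: gateway is hard-coded; if it changes, initrd networking and remote LUKS unlock fail until this is updated` next to the existing comment. The `# remote unlocking` comment would further benefit from stating that the initrd lives on the unencrypted ext2 `/boot` declared below, so whoever can read the disk can read it — the accepted threat-model limit of this setup.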
@@ -0,0 +1,52 @@
+wg-home-private-key: ENC[AES256_GCM,data:0ylkx9p62CBGqVg+T52eHbMwbLcZM/v3tg/wJukDq76heN1TtQqbbqgVZKc=,iv:/aUkqKhihnBWQFLIRjS7kHigBCBXX7L4KY5q+cO9Q00=,tag:jQSMVElMfIyrG5hs7HuxUQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-01-02T22:37:47Z"
+ mac: ENC[AES256_GCM,data:oBfM/DF/TfWJIW1VlvZ4Z+vBQxCmHm8J83pjILtHFBwU14f1H09iIsswY1xyAwO9wO3cttf4xjrSa6mGGUyQFqLdEzj8z/JkCm1vwpLZQW+j8FpRjH1ryyE6G/3eS5tboUZgmAwBPDsulJr3NBi121RHhZvWf1dv2T/J5IcZMxI=,iv://TpDpO8tNaibh8ABqE1AT6CPK62rtUZiFmYP9ST3MA=,tag:5SErG/jDycIdxX3ABOcsow==,type:str]
+ pgp:
+ - created_at: "2024-01-02T22:37:37Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAwDgSONkM+d4ARAA1V2B8s1NyyJFa+nbKo2sFoubX9OKNYkzib6uvjs2eiOp
+ XuUsqxYZrUXCjwvWpvb9GT4neBV68mqVZMwkt6qQuiwyxSdrx+G8qKT5do0gjwmm
+ BTjOlJnUAWKn5/kzJKG9Yb+RiQZD2rV5/xj6roImCLt6lg97howP5n5PNO+TcDM0
+ 0Mz2vJJHbKEgeIjnRPG3MB5IS3WFHkmSe0jBIKXRFuiP9bdVgPAaoXk1v3KmeO3i
+ c2BDOxLWjq4kHzAT/GIRQJxA4/8f6vMVfUlepmhL2jUmw72WrfSC2EfZeWnlm1np
+ M/kAVU+Gd+d2fzv9f+Ut+K8Id5vBDANlp7m5KVJV0howrCxaV/TZ9kiReWpePP8U
+ 4EDx2cVi/FDlnDJEr6qDfYZ5bguYeTD0X6c8IK8r6NlWPbQD7W6cvHto71EtXKqG
+ R2XZYVbsRGufNLeNUCcfz1ev+x6Ix9VqsDzkwUFfgXMS4FavQ84TzJV9Z0zhRCme
+ yFGD8lW6LliUxUF5YDRqiceJdDV7Nx+TRIRXXNJq4Fid7b1M+7fdI0JlU3xTPqwm
+ kZFfgAAwt1ji0AtGd4khC30XSr29V3YjqX1ow0wYJ9rYEhnrexS+/iOJvygQ1AcZ
+ nzajsK7dHidC9RNpr2PHqL46KtoksdoL4DT80uT+mwevb8w2wG949WQ+KJOlez3S
+ XAH0NywA6R4KaW6fOShYtL0nDPfYOCm31t4sWpQfxJSQt/6p2fDobbz4q5tTQfjf
+ /Zq8fstojMtM8C5eur4ASa9H8dckRW6Lk/VzsW3u2tP3rl3js1eumcvYumLK
+ =bwxH
+ -----END PGP MESSAGE-----
+ fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+ - created_at: "2024-01-02T22:37:37Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA2Sedw7G6hbkAQ//Y+ZDDXUxCRqwjTWRz9uoIHcQBrCI2LhecCt8uWRMXbyV
+ q/HaDIjYO5fLrpZ8HGzS4C9B5QH3Vr0yzbGR6l3i77W1FpzY0KYQ5jicttQ56rDL
+ n3APgqBL8sdcq90Hs9iqG4AA9/QhCIupzG18BQ8zWCqJ/2uMx2ddRYxxa3FEgCdi
+ 1C0wH2kLlZT7aRH7OlKFbX8QABpGEvBQpG456XghsX92wXou/pJfcrgqh9H0Px+i
+ 5kvcSHERq97+2DIQYcck9DfZ6Pf2lfnoM3f2c7Ln3OeaPrnl5wLPrIP/KQBLd8AC
+ 6hU8zrsTM4dSSopXnAjc9PEi4kmfLwrcZiokw5kjfaolyRilX8V6+ewaWF6jK2Yo
+ IwsQ09ElGzfXmmkqMrUEGnWr55WZgvDXABMwTr9VwIej47ef1HcqNxwmFe37XndA
+ UDfJ+GUGOkqLBLpamhHp/A/UM8+wrUZIOXJWsJdpP5194wKXBD0zjd+HMxfq+RTk
+ 4ICLChn2+MzU58V8FP9WRdYOLQWcHVAfBP8zba9zFf/FCnHrXQjv9lwadYQ8YkhN
+ uSzPB5yvzfa1YOl7PXDn/5EBu5WYGxdTNHouP1hbk8Nxmt37+0VCMDgkUln6qans
+ 5FzmAlrFHTX/887d1rP2Rc2HT58Qmgou355UmnkjxMWH6b5WSOo5p+KEHkHwW+7S
+ VgF5p8vBWd9cISMG5aetMpyBwhZAcx5XTXV74pJ8Zc15B0mYvz+BcYM+1Nlqdp0g
+ NVpa3jISybMeGqkbeQmjoT05J5REmYszhGg6SEMyuiLrC64lwDy9
+ =A8pI
+ -----END PGP MESSAGE-----
+ fp: a1ee5bc0249163a047440ef2649e770ec6ea16e4
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/modules/ssh.nix b/modules/ssh.nix
index ecc3170..93076e3 100644
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@@ -75,5 +75,13 @@
 hostNames = [ "[nazuna.sbruder.de]:2222" ];
 publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/VDiagTEI5BIjTrPRkGWAH3YurcMEV8i6Q8PSnxlg3";
 };
+ yuzuru = {
+ hostNames = [ "yuzuru" "yuzuru.sbruder.de" "yuzuru.vpn.sbruder.de" ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXCG8Dck3bELx7NaKgDnFAUjO/o1iEnq0VT5dZ2P/+m";
+ };
+ yuzuru-initrd = {
+ hostNames = [ "[yuzuru.sbruder.de]:2222" ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
+ };
 };
 }
diff --git a/modules/wireguard/home.nix b/modules/wireguard/home.nix
index 33167ff..b45ce83 100644
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@@ -40,6 +40,10 @@ let
 address = "10.80.0.13";
 publicKey = "TALmk853OVeRYoLWFcOE+caRGYmbnkHpLAHIIL2nuyQ=";
 };
+ yuzuru = {
+ address = "10.80.0.16";
+ publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
+ };
 };
 cfg = config.sbruder.wireguard.home;
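Review bot: The `yuzuru-initrd` entry in the ssh.nix hunk pins a second host key for `[yuzuru.sbruder.de]:2222`, distinct from the system key in the `yuzuru` entry above it, but nothing says why two keys exist, so a later cleanup could easily merge or drop one. The reason worth recording is that the remote-unlock sshd runs from the initrd on the unencrypted ext2 `/boot` declared in `machines/yuzuru/hardware-configuration.nix`, so its private key is presumably stored there in the clear: the pin here defeats a network-level MITM of the unlock session, but not an attacker who can read or tamper with the disk image and could extract that key to impersonate the passphrase prompt. I would add `# initrd sshd for remote LUKS unlock: separate key, stored unencrypted in /boot — the pin protects against network MITM only, not a tampered disk` above the `yuzuru-initrd` block. The enclosing attribute set starts before this hunk.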