yuzuru: Init

This commit is contained in:
Simon Bruder 2024-01-02 23:26:46 +01:00
parent 1d84379383
commit 0393661579
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
10 changed files with 221 additions and 30 deletions


@ -5,12 +5,12 @@ keys:
- &vueko 4EA330328CD0D3076E90960194DFA4953D8729DE - &vueko 4EA330328CD0D3076E90960194DFA4953D8729DE
- &fuuko 2372651C56E22972C2D9F3F569C8187C9C43754E - &fuuko 2372651C56E22972C2D9F3F569C8187C9C43754E
- &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3 - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
- &yuzuru F4B5F6971A1FAEA1216FCE1C6745A652A31186DB
- &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035 - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
- &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
- &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
- &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7 - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
- &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
- &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
creation_rules: creation_rules:
- path_regex: machines/nunotaba/secrets\.yaml$ - path_regex: machines/nunotaba/secrets\.yaml$
key_groups: key_groups:
@ -37,11 +37,6 @@ creation_rules:
- pgp: - pgp:
- *simon - *simon
- *mayushii - *mayushii
- path_regex: machines/yuzuru/secrets\.yaml$
key_groups:
- pgp:
- *simon
- *yuzuru
- path_regex: machines/okarin/secrets\.yaml$ - path_regex: machines/okarin/secrets\.yaml$
key_groups: key_groups:
- pgp: - pgp:
@ -67,6 +62,11 @@ creation_rules:
- pgp: - pgp:
- *simon - *simon
- *nazuna - *nazuna
- path_regex: machines/yuzuru/secrets\.yaml$
key_groups:
- pgp:
- *simon
- *yuzuru
- path_regex: secrets\.yaml$ - path_regex: secrets\.yaml$
key_groups: key_groups:
- pgp: - pgp:
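Review bot: The first hunk replaces the `&yuzuru` anchor's fingerprint (`F4B5…` → `a1ee5…`) instead of adding a second recipient, so anything still encrypted to the old key would need `sops updatekeys` before the rebuilt host can read it; nothing of that kind is visible in this commit, and the new `machines/yuzuru/secrets.yaml` is already encrypted to `a1ee5…` and `47E7…`. The lowercase fingerprint matches the other machine keys, whose armored block carries the uid `root (Imported from SSH) <root@localhost>`, which suggests these are PGP keys derived from each host's SSH host key; a comment above the `keys:` list such as `# machine keys are PGP keys derived from the host's SSH host key; re-derive and replace the fingerprint when a host is reinstalled` would make the next rotation less error-prone. The relocated rule in the third hunk keeps `machines/yuzuru/secrets\.yaml$` ahead of the catch-all `secrets\.yaml$`, which is what sops' first-match evaluation requires.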


@ -1,28 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBAAAAAABEADlgmSvdnFWue1i5dS1qA9df+cRQDA1NDBHYm5dGpsTe7xghvde xsFNBAAAAAABEACrSqXAEWHXWjyl/FX+r6d0WQmn7/40slxrnBQzl5ERnEOKtzR5
9B1aAzWxbxeppwr2IHvLo1boWyH0ODC5HFxvleaYd6R9oLljQvxZEPq8ANWMyxDx hMPioWhfFFKeNbTxYp6tV6mbiIm7NKSCOC0o1lkt16Sb8SU3Tzi8uF4gCl6gxmwW
T4MyRlLClegMrUaCoQTFxoO7LFujrhKPC1+r/JVBBehJrpw31WAUQV2SLDTPFRMJ iHG4k5CYij/jMw3YMX9NEpCVPjita/FXVxrN2aq96cMEgf7kQU9Bs+VmN2nlGCl0
GVAJXR1vplafbftlkI9K3t12T1RrD1D5QxPtFPPEdwdfPQ8CDE7cCado9iv+P3e+ ATI4tZyJrxjO2okWEfsK3OT0qhqsQrQdsv8QhsG455pv1tmhvgwDY22swORQbBYC
9gA3fE0HJzS1ZRySF0sZ5lP3RX3ZBoY7z/8s3ZHGCYfD9ssGwZS5ByjMk2eJiPY2 4Jgp2mtPX/LPXzr3cxnG3hz+d/A9tDtZK9t/uEc1sMMSEws6FiKofVNL00KTvx5/
tX0ZwffBdzAwyq64e1/ddubGTIhKNPd5Iy2GCnOEgPMC8TCke5Zz5IeInUE3ANyS 1N5PPEACovBmGx17KLYZVo0pNDvIzPvp7UdZ3gbdoK7KvRPzzJ8EdSB/IPP2883w
zkuwpCbqT8Vu541yqhs8+dOnH3srgks9OH2Ar2ctMWx3gmICDoCLHrWfbvlkqUwB bAplPpP6aGkYog3bPsp9o9t5il5hm5ASlKchKZjUp5Mes6sRrnSAnq5zJGpE3bMz
cxnGxAeNzOXiem1Fu5IJwVC5JR1+5b4dqa3k+f/nuWRizvrU26OP/1S+NTz3T7/W 0NnbcOcuRBNF/cie0eX2XpL4ooI+OTUC0cUa/nnmvRbvH9INVydAhiJmzxhduLvz
TEF6KyE7+dy3K4IO95SDYwVp6mF/0fh4FTahNi6B1BDEAZKZjaVXyd2TOk77Y7si 586SzGRoHG1FNumT/I+jQDXgb2hIpZy4keDzsBlfuOCixjKyJPKf39hCbKbiNyed
Tc98E4SUTUlRRCLh8SmUmxalI168LLgGMwUWhDvRw6EP7uh9FBEi1kLXnN6am0kP R+e8EqqqSwKBdN6neha5o0NPldQRp9BV+uSaVtr6NwmG6nRKMg5QSuxuab0qckwG
q1jgQL798DzFwcgEYTx7rTDHZLkbwrxWA32Lpu3T6twtaZiQE+o7wuXMTQARAQAB 3C33xjBFvodVoYLKTgvYR2qw8QFgI33MKrctQsUW4od1w5rfPVsWTsboowARAQAB
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
AQgAFgUCAAAAAAkQZ0WmUqMRhtsCGw8CGQEAAIyAEAA89dyQvXx4sS7I1nRlMw9q AQgAFgUCAAAAAAkQZJ53DsbqFuQCGw8CGQEAAKv8EABzl8YKtwB0NEfR54L4fC65
Agbi4h1lrCifEH6srlInbg3kZNgnlsDY+cVCIiy8m/Oyupn0U4uduMI8P7R5kgWQ /068DC+BqeT5rMI0T/f9yax9CNWH/j359GGal5TjWaOxZzY5g6KgIzsn/GBo0kNt
g9+FKFXoLK8P1kO5gani+tWNmBW49leSN8un9YAviKele5wDM/Dg+rNbWDaYHKu5 /XhEuNv2zfjeGsF+bugTO+qipZV7hGq3tV8JHqsmRnafoAH+tOIkIKYtL4B5jT6w
SspZV/SiP0JkxXOgxkMgOOl97kNmvv6O3qYHPG5rz5P/YV0pdDSi1cfhdREvTPAl KjOO70WDak0tnO8s5jMAqONf6Ny3OT8Xqy5yZhUvvSqfOY488rkMjbY5hGkuU1+z
eNqzMrdEuE/GUrYJYeF8kN+TswBubTgy4WBqQdMlS+Go1B/7HQd56pl5BHiHM8HZ 7vOppJRZIIXHQeZZWM4OXXcVayHiVjAKXpVoQ8XGGPL82Io1kDf39lWyIUUk5jCc
l01ljbgqdYdggmXt7CI90Txe3RRduzKS4ncEQ1VVQiXEmOzU7emu+DFwknGnSgTW 1S0fSyMCZfC8nAprKmXMUZdeQUs4k7BCMmreKTa4G58LMnm6T/rtdoqwnTjk/fIB
gW6Nps3u2XhcsJNczf2PdEzDAv0oNAp4So7JdTGetkJ1Yw4quS0l1XWWBm+cf376 SVea86wcjN7zhXZbrDMVSbHtToX95287kpsXCRmIglX9KNhbT3IPpEz5sq9/9/YA
nanAGkENvuBbS36kgHNjNT1EnUnyJoMDMnc1AmSSlTf/ORc+JrzM4PtMonhWJTAU fhyXu1lnu2JbGt01lRuBUPlVx1qEQ9Gor1PmOORfMR19KXpVXci+JIhWA8KxMnSv
eM66tozyJ3qYWApiI2doYwMDuh/u3jvqpTddxklaNFUOxIA2VITP0EgCFkVjW2u3 Hbj6Iqh/EdhctlrvAnjC4ERA3Om3m6SfrJm+e3kmSpV8Hq2f7gDeDbrruy78AAMv
0gPY2tV6AtcxcUn1NnhS92xf0//O4fcGOwlTvNaPqDuF0mk9OazAPQ5L37mfNZzb RLabJ0+RPBOFCU5XFs+li2t1xgeR8XVgSrMafHbjNREvytLKG0y21kkY+O1Pg0/c
XUc3AyZXRZNhlE+aNfeJSKtzFCpGUJfstPmkdOwPxK29G4GDbjzWevpYF9Rv6Xpq PuxFfEqzXeH+pqa9Dv/TCXpbkGuos8c3WpFjNmt+XTULfrUvMc0/ClfVqVAfic4H
Ky38rXnis6Hpih/z6/7HOg== GjYdNSdHdZaTkT/4WjVD4A==
=5Ki8 =5kkr
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----


@ -67,4 +67,9 @@ in
targetHost = "nazuna.sbruder.de"; targetHost = "nazuna.sbruder.de";
}; };
yuzuru = {
system = "x86_64-linux";
targetHost = "yuzuru.sbruder.de";
};
} }


@ -70,6 +70,7 @@ in
"okarin.vpn.sbruder.de:9100" "okarin.vpn.sbruder.de:9100"
"shinobu.vpn.sbruder.de:9100" "shinobu.vpn.sbruder.de:9100"
"nazuna.vpn.sbruder.de:9100" "nazuna.vpn.sbruder.de:9100"
"yuzuru.vpn.sbruder.de:9100"
]; ];
relabel_configs = lib.singleton { relabel_configs = lib.singleton {
target_label = "instance"; target_label = "instance";

18
machines/yuzuru/README.md Normal file

@ -0,0 +1,18 @@
# yuzuru
## Hardware
[Strato VPS Entry Linux VC1-1](https://www.strato.de/server/linux-vserver/mini-vserver/) (1 AMD EPYC Milan vCPU, <1GiB RAM, 30GiB SSD).
## Purpose
It will host services I want to have separated from the rest of my infrastructure.
## Name
Yuzuru Nishimiya is a character from *A Silent Voice*
## Setup
The setup is very similar to that of `okarin`,
please see the description there.


@ -0,0 +1,34 @@
{ pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
];
sbruder = {
nginx.hardening.enable = true;
full = false;
wireguard.home.enable = true;
};
networking.hostName = "yuzuru";
system.stateVersion = "23.11";
services.nginx = {
enable = true;
virtualHosts."yuzuru.sbruder.de" = {
enableACME = true;
forceSSL = true;
root = pkgs.sbruder.imprint;
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
}
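Review bot: `wireguard.home.enable = true;` joins this host to the home WireGuard network (the peer with address `10.80.0.16` added in the last file section), which sits awkwardly with the README's stated purpose of hosting services kept separate from the rest of the infrastructure; what the module allows across the tunnel is not visible from this hunk. The node-exporter scrape target `yuzuru.vpn.sbruder.de:9100` added in the Prometheus hunk suggests monitoring is at least one reason for the tunnel. If the separation is meant to hold at the network level, either document the exception or restrict what this peer may reach, and record the decision next to the option, for example `# on the home VPN for monitoring only; services on this host must not depend on the tunnel` once that is confirmed.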


@ -0,0 +1,69 @@
{ lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
sbruder.machine.isVm = true;
boot = {
kernelModules = [ ];
extraModulePackages = [ ];
kernelParams = [ "ip=dhcp" ];
initrd = {
availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ];
kernelModules = [ ];
network = {
enable = true; # remote unlocking
# For some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands.
# This works around this, but is arguably quite hacky.
postCommands = ''
ip route add 85.215.73.1 dev eth0
ip route add default via 85.215.73.1 dev eth0
'';
};
luks.devices."root".device = "/dev/disk/by-uuid/d166ff83-dcc6-4700-95b5-bffae202d985";
};
loader.grub.device = "/dev/vda";
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/3c91488f-0505-4df6-bf76-96a539dcc27a";
fsType = "btrfs";
options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
};
"/boot" = {
device = "/dev/disk/by-uuid/f271b335-9174-47a9-bcca-04ce59ce5708";
fsType = "ext2";
};
};
swapDevices = [
{
device = "/dev/disk/by-partuuid/5edbf393-b83e-4d3f-82d1-f07870df40ed";
randomEncryption.enable = true;
}
];
zramSwap = {
enable = true;
memoryPercent = 150;
};
networking = {
useDHCP = false;
usePredictableInterfaceNames = false;
};
systemd.network = {
enable = true;
networks = {
eth0 = {
name = "eth0";
DHCP = "yes";
domains = [ "sbruder.de" ];
};
};
};
}
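Review bot: The `"discard"` entry in `options = [ "compress=zstd" "discard" "noatime" "ssd" ];` has no effect on the root filesystem as configured, because the LUKS device declared by `luks.devices."root".device = …` is not given `allowDiscards`, and dm-crypt does not pass discards through unless that is set. If trimming is wanted, add `luks.devices."root".allowDiscards = true;` beside the device line, bearing in mind that forwarding discards reveals which blocks of the encrypted volume are unused to anyone who can read the underlying disk (the hosting provider here), which is why the option is off by default; otherwise drop `"discard"` so the configuration does not promise something it cannot deliver. Separately, remote unlocking via an unencrypted `/boot` means the initrd is trusted as the provider stores it, and the distinct `yuzuru-initrd` host key pinned in the known-hosts section is the main signal an operator has of a substituted initrd; a comment next to `enable = true; # remote unlocking` stating that the initrd key must be re-pinned whenever the initrd is legitimately regenerated would preserve that signal.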


@ -0,0 +1,52 @@
wg-home-private-key: ENC[AES256_GCM,data:0ylkx9p62CBGqVg+T52eHbMwbLcZM/v3tg/wJukDq76heN1TtQqbbqgVZKc=,iv:/aUkqKhihnBWQFLIRjS7kHigBCBXX7L4KY5q+cO9Q00=,tag:jQSMVElMfIyrG5hs7HuxUQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-01-02T22:37:47Z"
mac: ENC[AES256_GCM,data:oBfM/DF/TfWJIW1VlvZ4Z+vBQxCmHm8J83pjILtHFBwU14f1H09iIsswY1xyAwO9wO3cttf4xjrSa6mGGUyQFqLdEzj8z/JkCm1vwpLZQW+j8FpRjH1ryyE6G/3eS5tboUZgmAwBPDsulJr3NBi121RHhZvWf1dv2T/J5IcZMxI=,iv://TpDpO8tNaibh8ABqE1AT6CPK62rtUZiFmYP9ST3MA=,tag:5SErG/jDycIdxX3ABOcsow==,type:str]
pgp:
- created_at: "2024-01-02T22:37:37Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=bwxH
-----END PGP MESSAGE-----
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- created_at: "2024-01-02T22:37:37Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=A8pI
-----END PGP MESSAGE-----
fp: a1ee5bc0249163a047440ef2649e770ec6ea16e4
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -75,5 +75,13 @@
hostNames = [ "[nazuna.sbruder.de]:2222" ]; hostNames = [ "[nazuna.sbruder.de]:2222" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/VDiagTEI5BIjTrPRkGWAH3YurcMEV8i6Q8PSnxlg3"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/VDiagTEI5BIjTrPRkGWAH3YurcMEV8i6Q8PSnxlg3";
}; };
yuzuru = {
hostNames = [ "yuzuru" "yuzuru.sbruder.de" "yuzuru.vpn.sbruder.de" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXCG8Dck3bELx7NaKgDnFAUjO/o1iEnq0VT5dZ2P/+m";
};
yuzuru-initrd = {
hostNames = [ "[yuzuru.sbruder.de]:2222" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
};
}; };
} }


@ -40,6 +40,10 @@ let
address = "10.80.0.13"; address = "10.80.0.13";
publicKey = "TALmk853OVeRYoLWFcOE+caRGYmbnkHpLAHIIL2nuyQ="; publicKey = "TALmk853OVeRYoLWFcOE+caRGYmbnkHpLAHIIL2nuyQ=";
}; };
yuzuru = {
address = "10.80.0.16";
publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
};
}; };
cfg = config.sbruder.wireguard.home; cfg = config.sbruder.wireguard.home;