okarin: Migrate to different VPS

Previously, it was hosted on Ionos’s VMware-based infrastructure. I already had a VPS on their new KVM-based infrastructure, as I was planning to migrate okarin to it eventually (as it is cheaper). However, the new infrastructure does not offer PTR records for IPv6 addresses. Therefore, I was waiting until they would implement that feature (as the support promised me they would to in the near future). However, they are now migrating the (at least my) guests from their VMware hypervisors onto the KVM ones, assigning new IPv6 addresses to them. This makes the old VPS essentially the same as the old one, but with less memory and more expensive. So I decided to migrate now.
2023-12-21 15:06:16 +01:00 · 2023-12-21 15:06:16 +01:00 · 16cf73afb9
parent 853e817901
commit 16cf73afb9
10 changed files with 134 additions and 124 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -15,7 +15,7 @@ keys:
  - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
  - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
  - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
-  - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
+  - &okarin e7370b48016c961ef8ad792fda66b19d845b3156
  - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
  - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
  - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
--- a/keys/machines/okarin.asc
+++ b/keys/machines/okarin.asc
@ -1,28 +1,28 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-xsFNBAAAAAABEACgnoiAZQChPJOD9Bh4VxtX+/KWZXBrw9HhK1aufLH2Q4bS+mrg
+xsFNBAAAAAABEADJ6iuUnKyoNZU26YWhsIHwTIkhxnNCNDHrq42wSqDgBFU8QyzC
-Te5SgFrfsiiYOvo8O2rESmMIWAHRSGxcdcT09+ZZtZxlxW7dmoUXLaPY+Xft0oDT
+Nd8c34QghVGeqCFr/Md5xXMtgCmoNzFCMullb6PwDIYZ+9SP03B2seoqhnRwp1WG
-ekLBs/g3N9qAXYq8XC/YNw0R1FzhComq/enQT2OTcaWES3b2OlFAkn8SVSTTdKgG
+twejt/dP3QgOBP3G4Tr8uxcdHFnLDvkzN66QyV+LcnzrEf0Dw/9y31Nuo5TlG7UT
-jfmPPjDuTTYWPDPPmVRhaRkT/AcByyRcEcYxw4Zn+62iY9ZuV8FG0O0UcR2I/vEw
+cUCg36a3l+1tTlc3VnGwjt5jc59teD619h1s5tU5zMlcgjhFMMVKHXH1oc8zK0Q4
-KwYxHBC4IiqWvCmeJ3mEcf2NBbLwp2hB79dyo9RN8zxbu2mwrCNNO0hbkJGsxom1
+va2YyfW+yWZx9Fm9BWF3VLuBdVlPuHVSCZ/Qf/ykDs8nm7Jvwi/I2TQiAeFN7ln9
-NjKh7KZz0eaIpb/WAesimHCaAXcB9ovGiyyHjECmZkvKlAXMttrPkF5QJZW2Iao7
+vPAYy4z0SQP/w44kVLCe5Mkw4H53LRocPBgxSflzqnJuuEQGroq0xgbP8+xJ8R0h
-jcdcT0CNhC9fUwdBPIVRVjQQPyCWrqZEas+zG0tU8nbMy+uI/rT8ALC0zSgQMVyr
+5WPqLuy86PhslFsuIfKJgzVsNsz3svBxHO6G5bIsVgIjdfT4QPGxVQSvXG0RpdV0
-YDIM7tYHbuBjgHja8gvwAa116L+uTXzkCTuH3OQHowtuvDjorXDKNs5akqJpAPHF
+HzhUKojENcS2MEB7MJOLu200Ce3tjuaZD+nPUyH9LilNVgEJXMN0+9SfXmzyH1mE
-a/fhXzjtY6RfLVp0Hj1+fnwrzMs0D1YdlJEjsBxvpieMTGPXH0YA5ondK/OsHsQD
+ENW6JWUC+oDgweodltJJ2z3kiaXf0GUNWFEv5P0uxkky3nsed4lDmEs0j0nT3YoS
-uzUgKzgGpq8Kp7hXhxi8gevHmNgVN1F4CNlTy0qOkFgD8U11Fk9O4svI+OtzslPr
+0hemgdK8X3ZRMuLAxGLCL0SykmsbOdTTzZ/QCak8/0jI8iko9eDrmJ4rNkrQYT4+
-/EXRC/faJeFdT20M0BIqhQVWZFiRRMMsHJgZ04mWG40Wysm8esZ3dwS53QARAQAB
+TM0JEpI3wA4ksl5WcB2cpM/G8buw/zNTycgbjcKoYL+E2K+L7JeR9F1DgQARAQAB
 zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
-AQgAFgUCAAAAAAkQ5fw8qjuBB6oCGw8CGQEAAOyUEAAHW0hbAjCKylnIaezMqNiG
+AQgAFgUCAAAAAAkQ2maxnYRbMVYCGw8CGQEAAMkCEAClRHcH4fUUpdXroevY9qpR
-yDwfM+MpNXaqB4sG0UUiIdgSUTk06PN5dlQ0Jfvh1I7P9y8CxqamlqCUXiqqWEOR
+O6op26pqBZ839HoD9f4kaZXerhURWVGPcV81uUapR5/B8Pk/OK9LskBetDvoc+J1
-Am3Q7oxQKQdSDz//2ijWLdNFcT7bxZvNKQ/T78UYka/qmuLHx2jSuakAX2pAUrOf
+B3vM34cRIzbSs55BVrx/Mk6Vn9utPoyutlaJ/b5VMCmz4f2zU/XwPbXOzouvVrn
-K7mbElSu8LD0y8hIDEyxuzB/aL13sHh1LkOUCSEgZ977EEfIEgPidPwEtGJvEbhN
+uy/bqY7aNz0eoeU7lKXrXc9as+VoJgc3Ty9Tt1vPi8lfTeQfmxUDtoer47dhn89C
-DaP94cLNapv/lWux8+O5dzKi4R7ghXl6IvrP2LPXQSPF7C3mMZ1ZSX1nFxRjALXi
+3fL9R5/4utKt5nRtweOh6+z9T36jNodeHy3VhpuMnUBKsWSQn6Op2sLoeb6FJbh0
-xiFbrJFkwEQQmVro/3wX9BZSmt6VnFRKkXnsCLlf9eT0aTmTirtqHgfet0PHqTNt
+t5Tz1AZhqjT4HY8bGWK8v2i916BmGseFjge7CECYg9M5MydznHl9z87sBUiruGs4
-CxrlLKTZFN3ZFropGZ070ESs4i6WZUBpTdsYh/htyo5bWMcHO8J+K+Ttd1M8btM4
+fQTZi8IQySaQ8jCqCx+PB1PYUAsZj4j3o74mx2/erAw8gxBlrme44CuikVdbEKMV
-RtpAc/2UXa4+dVpLOGqdqkmUEJLVLyGnj9wZZgkx3tWGhjnSohCW3YqffQYlXUFn
+qYzW/jVJ6EPobtmq+XN8UzU/arf5/BelcU73sQK9fbvCqi47ZMyjC/3UqZ0O12xt
-xuiQQ8jKM6luuunMXLt6D9dzOch70z9bnjOm1Z6q/S3PIzn++awzA6N3VTKNuUBP
+uUjf2IcDl8TyWZ3nSSUV7npXrrT05kC6WMK46TwO9wv8F3v3/35UmonAJt8qp/lw
-Phs6hlcAeqdQ6Q2EiS5iXKqPdK1nd9cPKzHOJf1fwlaRPSKeCtXUgkjAClu+heEn
+2PNR5W8Sqxr2s+yhkOsh2xwuqBQkdxhqRKeqTv4+kdGAk6ZUmuHmGa1Qni6VsaKT
-rst1nggIhCBs+rHc518BVZvISLNVlj5LVwN0mKOk9YPuZItBCGX96WWJZdMHeZk0
+TuNRRTEBfQ0QiqF8+lleT2dP4cKI2vAbI0zvyjX6KvNGRb1VlJw3D6Pa0nXW/YQU
-MsxjN+we2woCXG5SJGYOyA==
+NxR1Jvm5bnGfUcnNlzoB4Q==
-=UTw1
+=6o0h
 -----END PGP PUBLIC KEY BLOCK-----
--- a/machines/okarin/README.md
+++ b/machines/okarin/README.md
@ -1,5 +1,5 @@
 <!--
-SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
+SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
 SPDX-License-Identifier: CC-BY-SA-4.0
 -->
@ -8,7 +8,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0
 ## Hardware
-[Ionos Cloud VPS](https://cloud.ionos.de/server/vps) S (1 Xeon Gold Gold 5120 vCPU, “512 MB” = 443 MiB RAM, 10 GB SSD).
+[Ionos VPS Linux XS](https://www.ionos.de/server/vps) S (1 Xeon Skylake vCPU, 1 GiB RAM, 10 GB SSD).
 ## Purpose
@ -22,32 +22,50 @@ Okabe Rintaro is a mad scientist from *Steins;Gate*
 Much like the namesake,
 this server requires a “mad scientist” approach to set up.
 However, it is much easier than setting up its predecessor,
 which had just above 400 MiB usable memory.
 Ionos does not offer any NixOS installation media.
-I could only choose between a Debian installation media, Knoppix and GParted.
+I could only choose between various installation media and rescue systems.
-Also, installing with a very low amount of memory is quite hard.
+Also, installing NixOS with a low amount of memory is problematic.
 I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size.
 On there, I installed NixOS.
-Because encryption with `argon2id` as PBKDF is quite memory intensive, I had to tune the parameters some.
+Because encryption with `argon2id` as PBKDF is quite memory intensive,
-What I settled on was
+I had to tune the parameters to ensure decryption was still possible on the target.
-`cryptsetup luksFormat --pbkdf argon2id --iter-time 10000 --pbkdf-memory 250000 /dev/sda3`.
+This can be done quite easily by interactively running the following command on the build VM:
-To make btrfs use its SSD optimizations,
+    cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3
 I had to force the kernel to see the device as non-rotational:
 `echo 0 > /sys/block/dm-0/queue/rotational`
-Another problem was the usage of VMware by Ionos.
+The memory size was obtained by a successful run of `cryptsetup benchmark` inside the initrd on the target.
-The VM I set this up with was obviously using KVM/QEMU,
+
-so it needed different kernel modules at boot.
+However, since those parameters are not ideal,
-What worked was setting it up in the local VM with both libvirt and vmware modules,
+the following should later be run on the target host itself:
-and then removing the libvirt modules once it was installed on the target.
+
    cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3
 This will determine the memory usage automatically,
 use one thread
 and set the parameters so that decryption takes 10 seconds (10000 ms).
 The memory usage will not be as high as it could,
 but it will be better.
 Getting the disk image onto the server was done
 by first `rsync`ing the image to another server (to allow for incremental iterations),
 which then provided it via HTTP.
-Using the Knoppix live image (booted with `knoppix 2` to avoid starting the gui),
+Using the Debian installation media in rescue mode
-it was possible to just `curl http://server/okarin.img > /dev/sda`.
+(as for some reason most other options tried to cache the file in memory and became very slow)
 it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`.
 Because of all the pitfalls of this,
 you probably need more than one try.
 To make debugging easier on the target, the following option can be set:
 ```nix
 { pkgs, ... }:
 {
  boot.initrd.preLVMCommands = ''
    ${pkgs.bashInteractive}/bin/bash
  '';
 }
 ```
--- a/machines/okarin/configuration.nix
+++ b/machines/okarin/configuration.nix
@ -21,7 +21,7 @@
  networking.hostName = "okarin";
-  system.stateVersion = "22.11";
+  system.stateVersion = "23.11";
  networking.firewall.allowedTCPPorts = [
    80
--- a/machines/okarin/hardware-configuration.nix
+++ b/machines/okarin/hardware-configuration.nix
@ -5,6 +5,10 @@
 { lib, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
  sbruder.machine.isVm = true;
  boot = {
@ -12,41 +16,34 @@
    extraModulePackages = [ ];
    kernelParams = [ "ip=dhcp" ];
    initrd = {
-      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "vmxnet3" "vmw_pvscsi" "vmw_vmci" ];
+      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ];
-      kernelModules = [ "dm-snapshot" "vmw_balloon" ];
+      kernelModules = [ ];
      network = {
        enable = true; # remote unlocking
        # for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands
        # this works around this, but is arguably quite hacky
        postCommands = ''
-          ip route add 10.255.255.1 dev eth0
+          ip route add 85.215.165.1 dev eth0
-          ip route add default via 10.255.255.1 dev eth0
+          ip route add default via 85.215.165.1 dev eth0
        '';
      };
-      luks.devices."root".device = "/dev/disk/by-uuid/67f2990c-636a-4d80-9f6d-7096fec9e267";
+      luks.devices."root".device = "/dev/disk/by-uuid/1dcb9ee1-5594-4174-98a7-a362da09f131";
    };
-    loader.grub.device = "/dev/sda";
+    loader.grub.device = "/dev/vda";
  };
  fileSystems = {
    "/" = {
-      device = "/dev/disk/by-uuid/8e3082d1-4af3-4d5d-9fde-d30dc7552d41";
+      device = "/dev/disk/by-uuid/3ab8f4a7-952c-4b6c-93c6-7b307d5bb88b";
      fsType = "btrfs";
-      options = [ "compress=zstd" "discard" "noatime" ];
+      options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
    };
    "/boot" = {
-      device = "/dev/disk/by-uuid/883c77e8-53bf-4330-bd9e-89ef71ad9518";
+      device = "/dev/disk/by-uuid/97aec56b-5fea-4445-83dc-4a20dcf482ce";
      fsType = "ext2";
    };
  };
  swapDevices = [
    {
      device = "/dev/disk/by-partuuid/d9cf5716-25c8-4f72-80e3-696e0dfe1079";
      randomEncryption.enable = true;
    }
  ];
  zramSwap = {
    enable = true;
    memoryPercent = 150;
@ -63,11 +60,6 @@
        name = "eth0";
        DHCP = "yes";
        domains = [ "sbruder.de" ];
        address = [ "2001:8d8:1800:8627::1/64" ];
        gateway = [ "fe80::1" ];
        networkConfig = {
          IPv6AcceptRA = "no";
        };
      };
    };
  };
--- a/machines/okarin/secrets.yaml
+++ b/machines/okarin/secrets.yaml
@ -1,80 +1,80 @@
-wg-home-private-key: ENC[AES256_GCM,data:4L8aIvgFi+mBjnyVy5IkPaeJRadJ5NCKZprSkBPwMNiVaIscjAdp2yinBSk=,iv:6pBo+6M4EkEjz184XvisWXEoomqJXa4M8Qa4nJHI65U=,tag:3DEsmA2xxAlx/PSbD3HOIA==,type:str]
+wg-home-private-key: ENC[AES256_GCM,data:RkdgneGhH7prr/tkvHJeChQku2eXve9pV/SvtwsOjeinYO9veHw0rimdonY=,iv:vK6zNpu8F+TSLDTaif686Awjhs8WS2XJHzMtlvqlsIM=,tag:aKhV+kspVu+0CgPmYersxw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2023-05-06T08:49:32Z"
+    lastmodified: "2023-12-25T22:06:33Z"
-    mac: ENC[AES256_GCM,data:B7e3sh96p2DlqM2SgHWoJ7RZ2q5tnZ6lohNc7UKmwG1HTkrPKW/6jobW2InQnbZn1bPmCERoJIF9QyUz+OxotTiKIXxSL7BJkkfpIkWy9IgjIeADjevHkplm2rXONiXaM2sD46bPKbuRzuhbCZtNwUH74gTVfKPVLVrzpnPRC74=,iv:TTXlBGhO7xLCC3Ad+xiQKmy4b0n0vuQRaCdoe7vpzSE=,tag:dZCharRGK//w48ePu7d2eQ==,type:str]
+    mac: ENC[AES256_GCM,data:VbjyqrqDLCBDD9vGOHxSzsr9a5ZFFBJUkBRxJYBLereMDvInPFZnTwplHHkS5TdDFFAsjrcCgpCuPsUIbDdxFUNNtjdIe5JJwFMwT8XEFrgcswMGSKD6mIH2VBWop5pqoAV0eQ3YfKtDyhNHwixR8a+Z+hbGAY01Z19yteo51ZM=,iv:69EeBag+iUEoa18I0w1HeJKRwSQVCMRqUdV2CzUzMnY=,tag:WViKXJExL33jQAIWHUS8xw==,type:str]
    pgp:
-        - created_at: "2024-01-22T00:20:17Z"
+        - created_at: "2024-01-24T12:19:03Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hF4DLHeEFiC484ASAQdALOHWjRYEy+oURe+ERyiQYDjFPDniV0awCBMahhaLzCMw
+            hF4DLHeEFiC484ASAQdA4PdmtZTlpcdfuYKSuKN6X4EGjh/l2D8Jxt7dg1y/Z0kw
-            faMYpJTpirKixpFnPQ1W0aIiQ2/grcEJ4qYyXYG7GrqLcFMQfZOV8humZOLnZNB6
+            ScG/nWs9hVMFTBeqSM0eHgFfcZhBB/L85eNf9thktTUbcWq0GEUcz5mwUqILtkfA
-            hF4Dub78fMESoMASAQdAhpmpD8cyJSauuTHM/RTjLybR1VUGcIY7kLqrB33QLG8w
+            hF4Dub78fMESoMASAQdAMcVZokes0YKtbUZp7b9zq303WXPga5yn8LbhnaRrHycw
-            aLu7q0wjY0Rs+7PtJiSKd6O4VOBRrsBmLc7QuBZ4cgBwUfE38g8LuXayuOLZQNb1
+            +ECn4t8y8SXFICpAZ5n+xj5U8MdmdKOzhNQLleFKIHtWdyeUlwFi0qYYP8MRCLTB
-            hF4DM6AcvgVUx2MSAQdARr9S5DSGRJOcv2IgYMzko8fkMHlIR9uIJdJLMdcJER4w
+            hF4DM6AcvgVUx2MSAQdAIzXqgZ8WiIxIV05BumWLsyZUChwvDQc47NMd5ehhBEQw
-            RjcC/s5+P0b7wy9bIaAv3vk3FX4hw56QzhqAXcA1zU1kyjEHPnv3qsiiQbcKDjb0
+            I1LY11LTNENypr5q0mhy615kIbsdhpzAVLf4Bkf921zABsfFzuY5zJHqi8SKVm7/
-            1GYBCQIQG5VczwWUidoTYkHgZveZhkVyYIiZc/YQrY6n71OrVnUKaH5kZn1XrMKE
+            1GYBCQIQHPC99/GrpHG703gozt2I0P2XMhlRpzj359qStWaQZ8NBL5Ugo5BLvphf
-            zRzcc4XCiu8CaSkQp68eqKeHwI8U5N/LAtjHbACxAq6GHatf/+LvJx4CbUrPZxw2
+            1/WYAlvnH4Uov2TxKdQs65IJSadQgs7lBWB5gqHklZ76E4Q+00oMQxwGjzMdddA/
-            PWZwSFBCZEg=
+            hRlLbnUDE1Q=
-            =r7sK
+            =ol1Y
            -----END PGP MESSAGE-----
          fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
-        - created_at: "2024-01-22T00:20:17Z"
+        - created_at: "2024-01-24T12:19:03Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hF4DLHeEFiC484ASAQdAGdRYvRfki1zKA2YHnPprf1ld5kJkai4fzxuuH1D3DRQw
+            hF4DLHeEFiC484ASAQdAaXq+nn0DDx+RAkEC+x+yeP5xbCIdXkR9tQCgWx1s0jkw
-            zt5XhSFMx5ii7C3LIVjGgKnn6A6KTe1Tj314OYtrLeCGV8Eli+eOiSgi4c0nL709
+            VRgFkiBa6IsS0vmYknobXkizETtNjEhJ8vNw9nP0zPdjuUZBId2/bJZa7aFdIFRU
-            hF4Dub78fMESoMASAQdAb38j/KxQlLRJLrtE5mS1XVCmaEIvyJU1uVcSVU3Bdhgw
+            hF4Dub78fMESoMASAQdAMLbBcLnc+5UVDsx50SgCVjQoHO4JGE53DE6Q+frDEiow
-            f3iepOZgggHOCiHOCs+UWRmiudwoYqMzXF8G9pb6ESsy01cc1y6mXPh6sftKc6Iz
+            rVFbLxWlJ/aw9baRdKUMkIUJftnImUQgolXvEfUjdS/oOdY69r4psLlHLQX11Ow1
-            hF4DM6AcvgVUx2MSAQdAhq0ynXfS/eYrDAYdxj/qyEg8c2lHFYSaUVtr6v3B/Rcw
+            hF4DM6AcvgVUx2MSAQdAUZV3q/IXwUbRv9EokTe+4o83XzeS1h4GK3/3wjnKDHkw
-            Su08ppwK9wSbVaEL6p4NPJ0q9mt/36OsvZNaEWL2i7kkrD6q+2yvaGwh/fPcokWI
+            xHFJR2clEMDlaq7Rx3FTr2a7MlzSnzBLtIwdw5b9ytuRvHjD5q7zCf5bihYnvdjV
-            1GYBCQIQRzg0YDKpmBGZY0sC37nIkUC4blEpFTgl+lma0ZQ9PUfbRP3ijRrxyPv/
+            1GYBCQIQFt+CYziUXtEHjJFC1t+S3qkyPRAsVgZL8WlxbKzteW0NOdIZofHx6skG
-            aNkUpVAVxjh3VnV/NEm2s03x62iO4uiGoU0BUeI8Jjy4Tvuuodvmfpd4wZw7Mq+V
+            Ebn8aadKcGg534DkwEt5DpIosXKUx4LN5xsCNoU9dHFYMSFE2nzJE4KNFJ8tzRQk
-            B8h2L/JR7Yo=
+            G+tyNMgCYhM=
-            =/wMt
+            =2QnY
            -----END PGP MESSAGE-----
          fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
-        - created_at: "2024-01-22T00:20:17Z"
+        - created_at: "2024-01-24T12:19:03Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hF4DLHeEFiC484ASAQdAoM3SQYYUQq6OGImJaecw42BZOwOec75IWS00ZorR31ww
+            hF4DLHeEFiC484ASAQdA6ojEbZ8HccTtorNbyw9aVKO73AJy6jTGV/qLt+FWoRgw
-            uaRdi54liGiKpjaebhPcLkX+0TKcW0h11kw6X1wrru1JWi3YLbjohv0qCtfa4wpc
+            SsOLiL0UmF1OV7zmXE0ihkWivPqLHtp1U89aYucpAA69DIh4+6M7GUk1xDMxFfRo
-            hF4Dub78fMESoMASAQdASH4+jxa7Qr9AkJpHHPmMx9cj3XyPXLpfzXJ7Yb40pHMw
+            hF4Dub78fMESoMASAQdAV2z2DgUz2xWopnDzXywdpHb9eMe9ZxdABxpOJ0ECeBww
-            zBiVmQApa4K+ZOVw/vpcSNaN6FufFoDb5IguwHIq+9vILvjvku6YFgAJ4gC76LOP
+            wOC1x+IKIbIRZBDL7jbVUOk1G+GzCL4M7/G7XFSTFYMKvMKkc0Rh69pywFuGaqG8
-            hF4DM6AcvgVUx2MSAQdAZGNp/j1sF0rmHhImhnuhgpn9NgRuFtL+BH5dorvrPwIw
+            hF4DM6AcvgVUx2MSAQdA7bKGjcW81bzf58FlGGVDy/HjNyuEPNSVZXy0M+/WZAcw
-            mK5LsWHvyBFyC+SDNe4mrRkdia/xPECmcWrbvptGVjqlZnjmUbtrYhG+j5O6/817
+            3iXR9MecA97bKKKhLyNSdYmYlAjZJVIdwd6vjNWjxaB7BIWTYhudTjHesLMxB0vc
-            1GYBCQIQ/du7No+ULrBrjWc3q826ju8AqekySHtteKZclRmcHSNP4UEXcmTEMRNL
+            1GYBCQIQlp1TDaBVxalDkeCEjDMRFatgJ3CwulzzW9B8qywOooS0BNtNbtTKGwEh
-            8lMJYK0G3uA9FXO9+2E39k/nIatBGuoaukW7zCouB3bLARZE00Oqh6qHCWVyFJ/S
+            AxDL+wdeqkPABQ0wQ8hYGOw5z665jEOC2JbqbQ7N6LPQZRx/MowO2dGT/kKh2U9H
-            Gzwk8dC0wdc=
+            VOK1Bc67BzU=
-            =BWUr
+            =3z3V
            -----END PGP MESSAGE-----
          fp: 403215E0F99D2582C7055C512C77841620B8F380
-        - created_at: "2024-01-22T00:20:17Z"
+        - created_at: "2024-01-24T12:19:03Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA+X8PKo7gQeqARAAhtUvR20r2NV8SNWVuVSopTfCGwaJV99+PEp/l0UjHX6B
+            hQIMA9pmsZ2EWzFWAQ/9Gl4dO83SmvGHyhEfile6G9ZUmhxwU2RFpPwEmjh4CV/v
-            lpHgQNHegP6YEsAj5HNFEcV3vM+nbC0hbTtcERBZoxTkyDPOaRAyJpNfGniZVxxp
+            z1k2zgdF200a6tj96977VhjhIG/LZioEi41M1QdIqgkGsKy89DluCY9RDTqMmqzo
-            jxSr/unCN6aJCbdqJZZZlitq84brMQWUE373Rb9B4cNdTYONabZbzZmwTDyzkVR0
+            w65JhI+PQqdQuKlsbUh2VLql7LijoIUxuBPowWG1lULZtEvRuCchM5rLFiBSC2YO
-            ctjmkdBG0upqNn7vukSIg7DM7D9pFolS9142reF7e5jTlxBFWR1Jt+O9A1zypfvq
+            DA0T73kC2P89CNZlOllZNnVRCRrxm7IsEO6Mo1yOeJL16mYqC9qGGKnvYEbsSm4n
-            tK2z9C1pM9LDRmUrKJ/HOKwu6P6USeTKFrp7Gfjr1UkmbgNunxgsdI6gwKY38SpJ
+            7ZZJvxXGnNzaXisyyjcJNgtsJAUX4TTlPH+Y2jpkhdHUvOkiwVQEokmnqTIKUp0e
-            T+tELs68oC5pGFpZufnYkrGL313HC7Vp/+2+m+W5qXbyNqhDS6uVQHjqz/ROqByb
+            7Dc6ZXApFQ1DlMMsjLwy+5AQJQZbY4p4jo9rvmON5i5DLPy4rN5yf8W7zwkuy2gN
-            YwJw+x7810nL8+SleXst8oZpxDNDm+TnvWQAH6WiRBSpgVwy945SMvGG+1FLYps2
+            Id53gxDZxHw0+mRsfYRrdOvmfUqqz79TyWVV8bvHR2Mo3shdL1fsWOzTlm66Y9Vt
-            qOsRMjr+titLZAaUpmIh/oDHG/XOpKPQflcc4/V7t2HK6vLX+xvPIQU8Y5TJkr1T
+            4coJxgUsJEFdnsnXAFep2V18Ypg36b9wQXtZDXWtTg36UliZZ95sUAG2vHQDS50b
-            nIIh7sMZBUldnUGUfFE3ksP5Gje5OHqK8xoFwYHFGK4QQzXFjPFN2QNvni2z9Y4R
+            5XG07m1w8YgQSeiCObteAt4PqxEs1GYWmtRUmr4jvRQQzmVXCQP6+o0QJ5WK9bKl
-            LLMvyEavqgIa6AeseqMnLuB2hz6wy/JNU/EPUalNca6RleoVA0DjKgjgDTlhQ5Al
+            auwT+H7POBJ3l+h9ykvmOidkAzeN7EWIirzvhDHsxvCklGCyo+Y3W5ZaLaFGfc/3
-            a6sRTy+KmXFfzdO97MJJEkNgA1Hbi1/IpREeA50lYtrDqUvhxw+l1V8N7jw+ZWTS
+            pdj1G/REVT6aQMtSuYUsD7QoZeiNNBNJXAtUuUS6mWxch8RnkW718wxYZLvi03jS
-            VgHYyLUxdmOUsqEgQPVA7jiqWePwFEuEDEDVE+d6CcuvFuHFNV1jJEjit3R0wJOd
+            VgHaVWepbw/q0COmjyofCt1qZH+WMKSAguiQ6PHWAdP3hnzGgd7Qo84W54Fb3m1R
-            QpqnfxW4QTD+JFNJgrD7bj4y1Gu9Z6Lg1IBnHnOwDIoCJoAHp0y6
+            da72FFnILc3IYImbJI6QgJxAeS2K95nIWKdSix07c+m0zzFkemnB
-            =sy/X
+            =F0pC
            -----END PGP MESSAGE-----
-          fp: 868497ac4266a4d137e0718ae5fc3caa3b8107aa
+          fp: e7370b48016c961ef8ad792fda66b19d845b3156
    unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1
--- a/machines/okarin/services/proxy.nix
+++ b/machines/okarin/services/proxy.nix
@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
--- a/modules/authoritative-dns.nix
+++ b/modules/authoritative-dns.nix
@ -15,7 +15,7 @@ let
  addresses = {
    vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ];
    renge = [ "152.53.13.113" "2a03:4000:6b:d2::1" ];
-    okarin = [ "82.165.242.252" "2001:8d8:1800:8627::1" ];
+    okarin = [ "85.215.165.213" "2a01:239:24b:1c00::1" ];
    yuzuru = [ "85.215.73.203" "2a02:247a:272:1600::1" ];
  };
 in
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@ -60,12 +60,12 @@
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUEVBJcEibRdQzp0bDXpPqLGQ8vtQTKTcpGZU07W4eo";
    };
    okarin = {
-      hostNames = [ "okarin" "okarin.sbruder.xyz" "okarin.vpn.sbruder.de" ];
+      hostNames = [ "okarin" "okarin.sbruder.de" "okarin.vpn.sbruder.de" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaev8K5KhRovW75IdZ0HYlzvxxo0haeCM0xCVEOuDSa";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvRAiEAV0Oulii0w3xcHCb0/oHqpA0hz3bn//BQnR8T";
    };
    okarin-initrd = {
      hostNames = [ "[okarin.sbruder.de]:2222" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJbp0kZJEXf1gSVcBsef1Bihd5iCzhzSbjgyrC1SXXT";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOV+azRrT1zICmDe9D7bm3pOaFzaT+cVXCvxgY1bAbP";
    };
    shinobu = {
      hostNames = [ "shinobu" "shinobu.lan.shinonome-lab.de" "shinobu.vpn.sbruder.de" ];
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@ -33,8 +33,8 @@ let
      publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8=";
    };
    okarin = {
-      address = "10.80.0.10";
+      address = "10.80.0.14";
-      publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
+      publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA=";
    };
    shinobu = {
      address = "10.80.0.12";