shinobu: Init

.sops.yaml

@@ -9,6 +9,7 @@ keys:
   - &renge FD4E1FB15DD0F36A77790229826C04C0BE319FA2
   - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
   - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
+  - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
 creation_rules:
   - path_regex: machines/nunotaba/secrets\.yaml$
     key_groups:
@@ -55,6 +56,11 @@ creation_rules:
     - pgp:
       - *simon
       - *nunotaba
+  - path_regex: machines/shinobu/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *simon
+      - *shinobu
   - path_regex: secrets\.yaml$
     key_groups:
     - pgp:

keys/machines/shinobu.asc

@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBAAAAAABEADNBcn9+nyc5vgZt2xhOwKnNaLys5m7Ve59YWvCcFMaObVufaT3
+Xa99ysURbmvHLVxBF9rzhWgIlw6yLjfEku0/KsKN1PTc6MnmIV9s5SYy+3d1aqh/
+8iJyVjag3lqGX2NwgGRKrWeluTlp+GEtqf0hZwEyC/JIIWY7gZZMRbc+IiOY5dd1
+YkQBr4GsLfwDPMp0VX9TslaWGTVpFeM9m6Nw/3I5qXZugC7nIesNnuzFktW2d8CU
+tIdX1Bn/I0DQKUP/RyVPkfBEM8ECpBiJHs6W9owmoXFV/BFUmk28rdI4XSwlmOMf
+nsCVvhQwpm86401Ukzglf4s+Ng8QYlOZ4bKlEWEhqqG93283588NjDUHNEFkfakv
+65V9Q8qfmBpkUPHvjoIXdl9O4yzPTL+QTWzIwLBaeTjN90PFq2DMPi0NREsFNAgE
+vRrFkDckSGIt/7vK6q/QbsjaSMvTJoXU3pltncrJ/pfDhvZhyBXLJS+zEpjRiQf1
+krQbTxy2rqgLBYqBog4qjEsTE8Xuz8Ru9hZkzct5DCgZ906wjW0ilZ+dJeIOIDaj
+5wycryWCpHqu4j2XdubWfp4acVcU6yOBqaPwuWeIobzht0Ja68vbAnhvqZGx+86l
+qS2v6cfzmpvyvA3ICWwYuKam0j7H/X9DlgI/qEYGnGjWvi5XWACG3KWHRQARAQAB
+zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
+AQgAFgUCAAAAAAkQr0ReuznIgrcCGw8CGQEAAOPzEACQyu6j5yZQQ05eE0kmIzXq
+cg/kazCqmHXHXNydxiEvKYySUW0ln4EE1bIxXAkWIVkmqvtOg5LqaqNfaPWkMHAz
+VX3O6aCYp0mKmMQnfjYq7zlErXsdU3d7k06AGrs6US7o6N9pnkO0/hT0KJrHyATb
+rAbAd7sUXcS/zogL8EQ65l6RWkElzqXDqlmUNwTfmwgb/Yhjk2130aDqZSBU17o+
+NTv2GQbW+HPWE1QWJV4h1/G4b1u4eeCTh3QvlTRcM95oRxCH+BYmJnQm6CRNgs6b
+601na1JRqRIDa8ttcAgXxn1PRbJquMSXD1xqDCAROvaiTVn47CXwhv5GPK290bqm
+jVwbIojzpJyOPkVdT/9+caOqevte/IbdVYcfAKNrGbF1FXanItlgrMfhsWN9MKh2
+B0Er/7yFEg12uMU4+I4T+NYEbn4x6KIA/I4xOkveXm4ik6zV6lbJmAVeof/H9YY5
+u5fMv+90ACbq6wJB7B+LMg493CiOGNK1GyakwWn+caENaHBiK1/60WigMpZESTBy
+yMqQvktilbU0dUdRwpLz+E7CtqyZzuMNbqBuT98GNSCYjLWMo/gF8WNQc4SLo0kG
+66hDrzhS9YLz9KmbsAjRl9E0lSygsqkjw0TguKh4DDuJGyAzgE+6Vl5vshDBNJRW
+qQBAOHjMg4kGZX2E3RbLCQ==
+=9i5r
+-----END PGP PUBLIC KEY BLOCK-----

machines/default.nix

@@ -29,8 +29,7 @@ in
       hardware.common-pc-ssd
     ];
 
-    #targetHost = "fuuko.home.sbruder.de";
+    targetHost = "fuuko.home.sbruder.de";
-    targetHost = "10.80.1.1";
   };
   mayushii = {
     system = "x86_64-linux";
@@ -54,4 +53,13 @@ in
 
     targetHost = "okarin.sbruder.xyz";
   };
+  shinobu = {
+    system = "x86_64-linux";
+    extraModules = [
+      hardware.common-cpu-intel
+      hardware.common-pc-ssd
+    ];
+
+    targetHost = "shinobu.home.sbruder.de";
+  };
 }

machines/fuuko/README.md

@@ -15,28 +15,12 @@ Custom build in a be quiet! Pure Base 600.
  * Case fan: Noctua NF-A9 PWM
  * Blu-ray burner LG WH16NS60
  * Additional NIC: Intel I225-V
- * Wireless card Gigabyte GC-WB1733D-I
-   (includes user-serviceable Intel Wireless-AC 9260 card)
 
 ## Purpose
 
 It is my main storage server
 that is responsible for handling storage and processing of big files
 to which I need a high throughput connection.
-It also acts as a router for my home network
-and provides a wireless access point.
-
-## Notes on Wireless
-
-TL;DR: Never try to build an AP yourself, just get a dedicated AP and use OpenWrt.
-
- * Wireless cards are M.2 A+E key and don’t fit in a M.2 E key slot,
-   because apparently using USB for Bluetooth is a good idea.
- * Intel Wireless cards only support AP mode on 2.4 GHz [because of broken LAR](https://bugzilla.kernel.org/show_bug.cgi?id=206469).
- * Almost all wireless cards only support one band at the same time (no dual-band AP).
- * Realtek Wireless cards don’t work at all (no wonder).
- * Hostapd’s configuration file is … interesting.
- * Regulatory stuff is fun.
 
 ## Name
 

machines/fuuko/configuration.nix

@@ -9,7 +9,6 @@
     ./services/languagetool.nix
     ./services/media-backup.nix
     ./services/media.nix
-    ./services/router.nix
     ./services/torrent.nix
   ];
 

machines/fuuko/hardware-configuration.nix

@@ -13,10 +13,7 @@
       options gigabyte_wmi force_load=1
     '';
     supportedFilesystems = [ "btrfs" ];
-    # FIXME this doesn’t work because (AFAIK) there is no VLAN support in the ip= parameter
+    kernelParams = [ "ip=dhcp" ];
-    kernelParams = [
-      (with config.systemd.network.networks; "ip=${lib.elemAt br-lan.address 0}::::${config.networking.hostName}:${lan.name}")
-    ];
     initrd = {
       availableKernelModules = [
         "aesni_intel" # hardware crypto for luks
@@ -92,6 +89,11 @@
 
   powerManagement.cpuFreqGovernor = "schedutil";
 
+  networking = {
+    useDHCP = false;
+    interfaces.enp10s0.useDHCP = true;
+  };
+
   services.logind.extraConfig = ''
     HandlePowerKey=suspend
   '';

machines/renge/services/prometheus.nix

@@ -68,6 +68,7 @@ in
           "hitagi.vpn.sbruder.de:9100"
           "vueko.vpn.sbruder.de:9100"
           "okarin.vpn.sbruder.de:9100"
+          "shinobu.vpn.sbruder.de:9100"
         ];
       }
       {
@@ -97,10 +98,10 @@ in
       )
       {
         job_name = "dnsmasq";
-        static_configs = mkStaticTarget "fuuko.vpn.sbruder.de:${toString config.services.prometheus.exporters.dnsmasq.port}";
+        static_configs = mkStaticTarget "shinobu.vpn.sbruder.de:${toString config.services.prometheus.exporters.dnsmasq.port}";
         relabel_configs = lib.singleton {
           target_label = "instance";
-          replacement = "fuuko.home.sbruder.de";
+          replacement = "shinobu.home.sbruder.de";
         };
       }
       {

machines/shinobu/README.md

@@ -0,0 +1,34 @@
+# shinobu
+
+## Hardware
+
+Protectli Vault Pro VP2420.
+
+ * CPU: [Intel Celeron J6412](https://ark.intel.com/content/www/us/en/ark/products/214758/intel-celeron-processor-j6412-1-5m-cache-up-to-2-60-ghz.html) (4 × 2.0 GHz)
+ * RAM: [8 GB Crucial DDR4-2666 SO-DIMM `CT8G4SFRA266.M8FRS`](https://www.crucial.com/memory/ddr4/ct8g4sfra266)
+ * PSU: Channel Well Technology 60 W (12 V, 3.333 A)
+ * SSD: 120 GB Protectli SATA M.2
+ * NIC: 4 Intel i225-V (2.5GbE)
+ * Wireless: Intel Wireless-AC 9260
+ * FINTEK F81232 USB to UART bridge (for easy serial console)
+ * Dasharo coreboot firemware
+
+## Purpose
+
+It is the main router for my home network.
+
+## Notes on Wireless (copied from fuuko’s previous README)
+
+TL;DR: Never try to build an AP yourself, just get a dedicated AP and use OpenWrt.
+
+ * Wireless cards are M.2 A+E key and don’t fit in an M.2 E key slot,
+   because apparently using USB for Bluetooth is a good idea.
+ * Intel Wireless cards only support AP mode on 2.4 GHz [because of broken LAR](https://bugzilla.kernel.org/show_bug.cgi?id=206469).
+ * Almost all wireless cards only support one band at the same time (no dual-band AP).
+ * Realtek Wireless cards don’t work at all (no wonder).
+ * Hostapd’s configuration file is … interesting.
+ * Regulatory stuff is fun.
+
+## Name
+
+Shinobu Oshino (previously known as Kiss-Shot Acerola-Orion Heart-Under-Blade) is a Vampire Oddity from the Monogatari Series.

machines/shinobu/configuration.nix

@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules
+
+    ./services/router.nix
+  ];
+
+  sbruder = {
+    wireguard.home.enable = true;
+    nginx.hardening.enable = true;
+  };
+
+  networking.hostName = "shinobu";
+
+  system.stateVersion = "23.05";
+}

machines/shinobu/hardware-configuration.nix

@@ -0,0 +1,52 @@
+{ config, lib, modulesPath, pkgs, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    loader = {
+      grub.enable = false;
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+    supportedFilesystems = [ "btrfs" ];
+    kernelParams = [
+      "console=ttyS0,115200n8"
+    ];
+    initrd = {
+      availableKernelModules = [
+        "aesni_intel" # hardware crypto for luks
+        "ahci"
+        "sd_mod"
+        "sdhci_pci"
+        "usb_storage"
+        "xhci_pci"
+      ];
+      kernelModules = [ ];
+      luks.devices = {
+        root = {
+          device = "/dev/disk/by-uuid/66b38a54-13b4-4c56-a1b7-d45e789e6718";
+          allowDiscards = true;
+        };
+      };
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/7fd4f8f4-0a36-424b-b7cc-f7df49781c7f";
+      fsType = "btrfs";
+      options = [ "compress=zstd" "discard" "noatime" ];
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/446B-FC4C";
+      fsType = "vfat";
+    };
+  };
+
+  powerManagement.cpuFreqGovernor = "powersave";
+}

machines/shinobu/secrets.yaml

@@ -0,0 +1,54 @@
+wg-home-private-key: ENC[AES256_GCM,data:gm4INfmp226u4wp+LuKgf5m2nTFFw4S24w4PRPcW/A7CU713c9NtQ+kPDKg=,iv:JAir9z5/Db6+Oroq+0vXPZLZLA2gjY2Be6hRAmgV5AE=,tag:fxL9nK3v5xERfcoBbCUsXg==,type:str]
+wg-mullvad-private-key: ENC[AES256_GCM,data:yJ3+/rc3EQPhCMlHQ5BNA/NmPZiinjgV4A34UkmZgABvYLWzQMEQH5S8K9Q=,iv:YsGvRIaLbsYkbYCoD+szTIFPgBeyq/hoO4ljFSvp9f8=,tag:oil95breVKac7CdH/pA8FA==,type:str]
+hostapd-config: ENC[AES256_GCM,data:a0ESrrsquLq6VRJM588C5A+FmVxJwJSzwRuv2o//LL5OybcDS8jkVUajosXEs0qmQ6Xfc1gFDcevCYUwJ24eZ+ynKLWwoNx8RXXwbpllO7FkI68vcauUij1CtUgVb8aHheKfrFuyW7WU1wE3NTtOt2gij1+nM3iKS3vFXtX2n9L2fuy2b3EhOUBiakxAeQmyVmclSVBDYt12i4h4tW7GpPr8AjoIiZgz0Hyx5zA5f/JTPzz/P200eM0tCttNPbMNPBGztJfw7raRIX+v6xw7QNPMgf03TOae17mt6uggTNKJfEPeanzcEMA3xR6xoFUqJL6Hvowyl4MrSFc+E5Rvft+qhp8m6tAqQln9Z3MzaDtxSBWnWdvWEcyeK1aDBQ57/aIwo8kVs47Iblqbi5+jM/n4DoeQtqTM1kS7sZ3XDQ26suW5KCw+VIeqEEqdu6g5ZXMO2SipSOzP5jPjX+5ubX3SXcyoAIo41Efa6YGdWtl3,iv:oLk5tatZEY5AI/PlTBJHShGCKiyvve9rPhGARAtMMj4=,tag:Bkan2Hff8L8ZcC67r+fWjg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-06-29T17:51:22Z"
+    mac: ENC[AES256_GCM,data:1mkrR2swPTwV5VzClUSfp+VdYXOXRD3hxITS1r3y3kmc7c4XDPJPiNuYXzgvLr6LN4xoAteVgYY+McVT3/JKykENtgpoiMVeWBvJvLPjFPt8FufnhqqCmlsVM17C5dlxdTvdtZtAPrebNqgxvVOdBfUcNugMx52ngmMNv9E7r1o=,iv:h8z5XO0r2zCA/gZSuLgFCupHizc4OMZeiBP+oHiXEBo=,tag:BzgBhgQIikNHSmYgNfPppA==,type:str]
+    pgp:
+        - created_at: "2023-06-29T16:44:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMAwDgSONkM+d4AQ//XL7P5/P31g5aA3wEuLI2Fv6NuNnf3/M2R3jpy/dMVvM4
+            rH+c3aDH6QnXvA2JzPAz235m60LKlKQPCQbakiBucuPm0al/lFf3YblEaW4l68ZG
+            75sKk5YZqVpBqoirQTT/o4/lD1pLset5UM4OJ1Tq8t6FlNVasFah1YBKbe7I9l53
+            4Y85y1/dCcuAfRTM21l54+iL5Lhz/CPd0B1glfgszI0Lh0bPoB+HHGi3HNb/S3PP
+            L91892RCF2EYVb0aK54mpeq6ZVrpdnH37mFuNOHTha6qvpklreIcUSP9TNT4UEQW
+            Pz+YytPH0vGeIq26Eb/1pfLiZvqn3eHs7p2hrV3sDXFdrAnG6MO/vy5rRd4vyTUM
+            GmUBGUHS6acaOLdnDFHMQ/+tewreq9NnJFppBQz8t/hk9mjz1XWnflMHipKe+t6V
+            kflhjDi7kwndG9sxHn7Mqj059ZKcKs8o8BTqPMgBAp/Z1IvSVyj+Q/nM/RpNZim3
+            bs5z9PY8KUzD+4Biabitj21c4ah9pFXw/6W2sesAlFQGP+DkgIKuIEhyuV6HSshn
+            m/M2Q9Ma0rgKCgtgse41TbMMQASiJPA1mdtO7RE92t5gMKVVAiVHD6kTfOJZSAkx
+            TbxGjlXDLuqugKnZI41NwnHUdCUfxTGoeFqtaqYiWQ0hdgsziHHEkMxlPEGDFjfS
+            UQGlBUSl6nB1+RI2x9lLSoQbz3x5ZdXnapi+KGLfQZb11nCegTLVyO5NO+sI54+Z
+            umyIAqj6/MqgQQGt9oWJnybbFnhcjwdfEIwW4sSWJA5geQ==
+            =y5Sy
+            -----END PGP MESSAGE-----
+          fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+        - created_at: "2023-06-29T16:44:16Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA69EXrs5yIK3ARAAvjxMdia3YDWmBDM27K/om1wUtZk+isrQ5r8U1Di6uF0Q
+            qImLsCXRPumL3ZtzZ9qls2OJlUvZQkfE9Ek2/hHINGfUIdNGkXCgJs42Edcfd6tK
+            bd8hZf/kCJSX3V3c13sUdVQWy8RavUAb0Ezc0H1rZq8K1Gp8iMO9NAm/m8UJe2tM
+            +cBVvzhBoI+onkrWBCsiquPuts+hgiWMwr+hOPsQhT5VP1HM/si7k9JgEEMlqnMo
+            NOJUaqbYSR8Q/cy3jjfkAbrpYJ/ZuvZefvU2j+nlfnyzmiWV/Xh6QVseaq1IvFqg
+            ZmdFLyursv19xTYE0HOBX3c1QlEK5vMFdzADOdu3KDO0JpGwLMcR2dzX8CRYNzyR
+            B3cbfwp679B3RvKhMHKuVTy9bdb5df6CGBjVeQCNFmBSbimVTjTpFxMk5rusp/j9
+            Ql8h4ULajrfSmN4T5xoIShsmAAFeeSdHCLrACXHjHU0v2xh+MG5dTZTLa9V+4s7e
+            wIeq4v9ED5PFFRr+mQUdlmQP+fdH4Cwor8OZxA4g09RFoo3MUgLHWaa5emL1z1YN
+            fWgZs6EsFFTNYtUoey91eFzhKYYKa1P1gXztgEbc0L95Qqa15QPeWGYgf1WIRASZ
+            POTGCjleDuqnEoFFdt+qaVYtpCoJnAKjhSFf10DvN6AQ0zraXldHdx4B1wYBLQTS
+            WAG5qS56CCwMxqjic2OfdSul2zHsCSsoXrWmqG1vtv2WGE7iIsseUor7eeLxbHIW
+            /8Y9+kx+ZcTSXcs9t1xBHCEv3LAgwneVorOhiHVS4gu6R7crYLKpygE=
+            =7Sdh
+            -----END PGP MESSAGE-----
+          fp: 28677f2e3584b39f528a779caf445ebb39c882b7
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

machines/shinobu/services/router.nix

@@ -1,18 +1,24 @@
 # Home network configuration
+#            (2.5GbE clients)
+#                  | |
+#     +----------+ +----------+
+#     |          | | | |      | (1GbE clients)
+#     |          | | | |     +|-|-|-|-|+
+# +---+----+   +-+-+-+-+-+   |5 4 3 2 1|
+# |upstream|   | 1 2 3 4 |   |TL-SG105 |
+# +--------+   | shinobu |   +---------+
+#              +---------+
 #
-#     +----------+ +------+
+# It consists of shinobu as a router (this configuration),
-#     |          | |      | ( clients )
-#     |          | |     +|-|-|-|-|+
-# +---+----+   +-+-+-+   |5 4 3 2 1|
-# |upstream|   |fuuko|   |TL-SG105 |
-# +--------+   +-----+   +---------+
-#
-# It consists of fuuko as a router (this configuration),
 # connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch.
 # The upstream comes from some plasic Huawei router/AP I don’t control.
 #
-# fuuko has two physical network interfaces,
+# Because the switch only supports GbE,
-# because remote unlocking (which requires network in initrd) is hard with VLANs.
+# the two clients I currently have with support for 2.5GbE are connected
+# directly to the two remaining network interfaces on shinobu.
+# Once I have more devices with support for 2.5GbE
+# or I find a good deal on a matching switch,
+# I will change this.
 #
 # Wireless is configured by providing the whole hostapd configuration file as a secret.
 # Once nixpkgs PR 222536 is merged, I will migrate to using the NixOS module.
@@ -49,6 +55,8 @@ in
 
   systemd.network = {
     enable = true;
+    # not all interfaces need to be up
+    wait-online.extraArgs = [ "--any" ];
     netdevs = {
       br-lan = {
         netdevConfig = {
@@ -77,7 +85,7 @@ in
     };
     networks = {
       wan = {
-        name = "enp9s0";
+        name = "enp1s0";
         networkConfig = {
           # Upstream provides no IPv6 :(
           # If this is not set, it waits and fails systemd-networkd-wait-online
@@ -89,8 +97,16 @@ in
           UseDNS = "no";
         };
       };
-      lan = {
+      lan1 = {
-        name = "enp10s0";
+        name = "enp2s0";
+        bridge = [ "br-lan" ];
+      };
+      lan2 = {
+        name = "enp3s0";
+        bridge = [ "br-lan" ];
+      };
+      lan3 = {
+        name = "enp4s0";
         bridge = [ "br-lan" ];
       };
       br-lan = {
@@ -209,8 +225,8 @@ in
   # The service is mostly taken from nixpkgs pr 222536.
   systemd.services.hostapd = {
     path = with pkgs; [ hostapd ];
-    after = [ "sys-subsystem-net-devices-wlp8s0.device" ];
+    after = [ "sys-subsystem-net-devices-wlp5s0.device" ];
-    bindsTo = [ "sys-subsystem-net-devices-wlp8s0.device" ];
+    bindsTo = [ "sys-subsystem-net-devices-wlp5s0.device" ];
     wantedBy = [ "multi-user.target" ];
 
     serviceConfig = {

modules/ssh.nix

@@ -63,5 +63,9 @@
       hostNames = [ "[okarin.sbruder.de]:2222" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJbp0kZJEXf1gSVcBsef1Bihd5iCzhzSbjgyrC1SXXT";
     };
+    shinobu = {
+      hostNames = [ "shinobu" "shinobu.home.sbruder.de" "shinobu.vpn.sbruder.de" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJNZPT2Mmys2nw/ovX6Z1Cb4WDAaWBWanycNwF9IEjl";
+    };
   };
 }

modules/wireguard/home.nix

@@ -32,6 +32,10 @@ let
       address = "10.80.0.10";
       publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
     };
+    shinobu = {
+      address = "10.80.0.12";
+      publicKey = "ErLWueo4ikYH/mKHr3axyoAVZh+Bdh1NQBet42aD0kk=";
+    };
   };
 
   cfg = config.sbruder.wireguard.home;