shinobu: Init

This commit is contained in:
Simon Bruder 2023-07-01 12:37:12 +02:00
parent 9039e60225
commit 1b44e31627
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
14 changed files with 250 additions and 40 deletions


@ -9,6 +9,7 @@ keys:
- &renge FD4E1FB15DD0F36A77790229826C04C0BE319FA2
- &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
- &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
- &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
creation_rules:
- path_regex: machines/nunotaba/secrets\.yaml$
key_groups:
@ -55,6 +56,11 @@ creation_rules:
- pgp:
- *simon
- *nunotaba
- path_regex: machines/shinobu/secrets\.yaml$
key_groups:
- pgp:
- *simon
- *shinobu
- path_regex: secrets\.yaml$
key_groups:
- pgp:

28
keys/machines/shinobu.asc Normal file

@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBAAAAAABEADNBcn9+nyc5vgZt2xhOwKnNaLys5m7Ve59YWvCcFMaObVufaT3
Xa99ysURbmvHLVxBF9rzhWgIlw6yLjfEku0/KsKN1PTc6MnmIV9s5SYy+3d1aqh/
8iJyVjag3lqGX2NwgGRKrWeluTlp+GEtqf0hZwEyC/JIIWY7gZZMRbc+IiOY5dd1
YkQBr4GsLfwDPMp0VX9TslaWGTVpFeM9m6Nw/3I5qXZugC7nIesNnuzFktW2d8CU
tIdX1Bn/I0DQKUP/RyVPkfBEM8ECpBiJHs6W9owmoXFV/BFUmk28rdI4XSwlmOMf
nsCVvhQwpm86401Ukzglf4s+Ng8QYlOZ4bKlEWEhqqG93283588NjDUHNEFkfakv
65V9Q8qfmBpkUPHvjoIXdl9O4yzPTL+QTWzIwLBaeTjN90PFq2DMPi0NREsFNAgE
vRrFkDckSGIt/7vK6q/QbsjaSMvTJoXU3pltncrJ/pfDhvZhyBXLJS+zEpjRiQf1
krQbTxy2rqgLBYqBog4qjEsTE8Xuz8Ru9hZkzct5DCgZ906wjW0ilZ+dJeIOIDaj
5wycryWCpHqu4j2XdubWfp4acVcU6yOBqaPwuWeIobzht0Ja68vbAnhvqZGx+86l
qS2v6cfzmpvyvA3ICWwYuKam0j7H/X9DlgI/qEYGnGjWvi5XWACG3KWHRQARAQAB
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
AQgAFgUCAAAAAAkQr0ReuznIgrcCGw8CGQEAAOPzEACQyu6j5yZQQ05eE0kmIzXq
cg/kazCqmHXHXNydxiEvKYySUW0ln4EE1bIxXAkWIVkmqvtOg5LqaqNfaPWkMHAz
VX3O6aCYp0mKmMQnfjYq7zlErXsdU3d7k06AGrs6US7o6N9pnkO0/hT0KJrHyATb
rAbAd7sUXcS/zogL8EQ65l6RWkElzqXDqlmUNwTfmwgb/Yhjk2130aDqZSBU17o+
NTv2GQbW+HPWE1QWJV4h1/G4b1u4eeCTh3QvlTRcM95oRxCH+BYmJnQm6CRNgs6b
601na1JRqRIDa8ttcAgXxn1PRbJquMSXD1xqDCAROvaiTVn47CXwhv5GPK290bqm
jVwbIojzpJyOPkVdT/9+caOqevte/IbdVYcfAKNrGbF1FXanItlgrMfhsWN9MKh2
B0Er/7yFEg12uMU4+I4T+NYEbn4x6KIA/I4xOkveXm4ik6zV6lbJmAVeof/H9YY5
u5fMv+90ACbq6wJB7B+LMg493CiOGNK1GyakwWn+caENaHBiK1/60WigMpZESTBy
yMqQvktilbU0dUdRwpLz+E7CtqyZzuMNbqBuT98GNSCYjLWMo/gF8WNQc4SLo0kG
66hDrzhS9YLz9KmbsAjRl9E0lSygsqkjw0TguKh4DDuJGyAzgE+6Vl5vshDBNJRW
qQBAOHjMg4kGZX2E3RbLCQ==
=9i5r
-----END PGP PUBLIC KEY BLOCK-----


@ -29,8 +29,7 @@ in
hardware.common-pc-ssd
];
#targetHost = "fuuko.home.sbruder.de";
targetHost = "10.80.1.1";
targetHost = "fuuko.home.sbruder.de";
};
mayushii = {
system = "x86_64-linux";
@ -54,4 +53,13 @@ in
targetHost = "okarin.sbruder.xyz";
};
shinobu = {
system = "x86_64-linux";
extraModules = [
hardware.common-cpu-intel
hardware.common-pc-ssd
];
targetHost = "shinobu.home.sbruder.de";
};
}
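Review bot: `targetHost = "shinobu.home.sbruder.de";` in the second hunk makes deploying to the router depend on name resolution that shinobu itself now provides (the monitoring hunk in this commit moves the dnsmasq target to it), so a deploy that breaks dnsmasq or br-lan also removes the address you would redeploy from; fuuko's old entry kept the raw `10.80.1.1` next to a commented-out hostname, which looks like the same concern. A comment recording the fallback would help, e.g. `targetHost = "shinobu.home.sbruder.de"; # this is the DNS server itself: if resolution breaks, deploy to its static br-lan address from router.nix`. The enclosing attribute set starts before the hunk.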


@ -15,28 +15,12 @@ Custom build in a be quiet! Pure Base 600.
* Case fan: Noctua NF-A9 PWM
* Blu-ray burner LG WH16NS60
* Additional NIC: Intel I225-V
* Wireless card Gigabyte GC-WB1733D-I
(includes user-serviceable Intel Wireless-AC 9260 card)
## Purpose
It is my main storage server
that is responsible for handling storage and processing of big files
to which I need a high throughput connection.
It also acts as a router for my home network
and provides a wireless access point.
## Notes on Wireless
TL;DR: Never try to build an AP yourself, just get a dedicated AP and use OpenWrt.
* Wireless cards are M.2 A+E key and dont fit in a M.2 E key slot,
because apparently using USB for Bluetooth is a good idea.
* Intel Wireless cards only support AP mode on 2.4GHz [because of broken LAR](https://bugzilla.kernel.org/show_bug.cgi?id=206469).
* Almost all wireless cards only support one band at the same time (no dual-band AP).
* Realtek Wireless cards dont work at all (no wonder).
* Hostapds configuration file is … interesting.
* Regulatory stuff is fun.
## Name


@ -9,7 +9,6 @@
./services/languagetool.nix
./services/media-backup.nix
./services/media.nix
./services/router.nix
./services/torrent.nix
];


@ -13,10 +13,7 @@
options gigabyte_wmi force_load=1
'';
supportedFilesystems = [ "btrfs" ];
# FIXME this doesnt work because (AFAIK) there is no VLAN support in the ip= parameter
kernelParams = [
(with config.systemd.network.networks; "ip=${lib.elemAt br-lan.address 0}::::${config.networking.hostName}:${lan.name}")
];
kernelParams = [ "ip=dhcp" ];
initrd = {
availableKernelModules = [
"aesni_intel" # hardware crypto for luks
@ -92,6 +89,11 @@
powerManagement.cpuFreqGovernor = "schedutil";
networking = {
useDHCP = false;
interfaces.enp10s0.useDHCP = true;
};
services.logind.extraConfig = ''
HandlePowerKey=suspend
'';
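Review bot: `kernelParams = [ "ip=dhcp" ];` names no device, so the initrd runs autoconfiguration on every interface it can bring up; fuuko has a second NIC that until this commit was the WAN port (`enp9s0` in router.nix), and the new `networking` block in the second hunk configures only `enp10s0`. If that port is still cabled, early-boot networking — and any remote-unlock listener the initrd carries, which the removed `br-lan.address` expression suggests exists — could come up on that network as well. Pinning the device with `kernelParams = [ "ip=:::::enp10s0:dhcp" ];` keeps initrd networking on the LAN only and matches `interfaces.enp10s0.useDHCP = true;` below. Both hunks sit inside a `boot`/top-level attribute set that starts outside the view.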


@ -68,6 +68,7 @@ in
"hitagi.vpn.sbruder.de:9100"
"vueko.vpn.sbruder.de:9100"
"okarin.vpn.sbruder.de:9100"
"shinobu.vpn.sbruder.de:9100"
];
}
{
@ -97,10 +98,10 @@ in
)
{
job_name = "dnsmasq";
static_configs = mkStaticTarget "fuuko.vpn.sbruder.de:${toString config.services.prometheus.exporters.dnsmasq.port}";
static_configs = mkStaticTarget "shinobu.vpn.sbruder.de:${toString config.services.prometheus.exporters.dnsmasq.port}";
relabel_configs = lib.singleton {
target_label = "instance";
replacement = "fuuko.home.sbruder.de";
replacement = "shinobu.home.sbruder.de";
};
}
{


@ -0,0 +1,34 @@
# shinobu
## Hardware
Protectli Vault Pro VP2420.
* CPU: [Intel Celeron J6412](https://ark.intel.com/content/www/us/en/ark/products/214758/intel-celeron-processor-j6412-1-5m-cache-up-to-2-60-ghz.html) (4 × 2.0GHz)
* RAM: [8GB Crucial DDR4-2666 SO-DIMM `CT8G4SFRA266.M8FRS`](https://www.crucial.com/memory/ddr4/ct8g4sfra266)
* PSU: Channel Well Technology 60W (12V, 3.333A)
* SSD: 120GB Protectli SATA M.2
* NIC: 4 Intel i225-V (2.5GbE)
* Wireless: Intel Wireless-AC 9260
* FINTEK F81232 USB to UART bridge (for easy serial console)
* Dasharo coreboot firemware
## Purpose
It is the main router for my home network.
## Notes on Wireless (copied from fuukos previous README)
TL;DR: Never try to build an AP yourself, just get a dedicated AP and use OpenWrt.
* Wireless cards are M.2 A+E key and dont fit in an M.2 E key slot,
because apparently using USB for Bluetooth is a good idea.
* Intel Wireless cards only support AP mode on 2.4GHz [because of broken LAR](https://bugzilla.kernel.org/show_bug.cgi?id=206469).
* Almost all wireless cards only support one band at the same time (no dual-band AP).
* Realtek Wireless cards dont work at all (no wonder).
* Hostapds configuration file is … interesting.
* Regulatory stuff is fun.
## Name
Shinobu Oshino (previously known as Kiss-Shot Acerola-Orion Heart-Under-Blade) is a Vampire Oddity from the Monogatari Series.


@ -0,0 +1,18 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
./services/router.nix
];
sbruder = {
wireguard.home.enable = true;
nginx.hardening.enable = true;
};
networking.hostName = "shinobu";
system.stateVersion = "23.05";
}


@ -0,0 +1,52 @@
{ config, lib, modulesPath, pkgs, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
loader = {
grub.enable = false;
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
supportedFilesystems = [ "btrfs" ];
kernelParams = [
"console=ttyS0,115200n8"
];
initrd = {
availableKernelModules = [
"aesni_intel" # hardware crypto for luks
"ahci"
"sd_mod"
"sdhci_pci"
"usb_storage"
"xhci_pci"
];
kernelModules = [ ];
luks.devices = {
root = {
device = "/dev/disk/by-uuid/66b38a54-13b4-4c56-a1b7-d45e789e6718";
allowDiscards = true;
};
};
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/7fd4f8f4-0a36-424b-b7cc-f7df49781c7f";
fsType = "btrfs";
options = [ "compress=zstd" "discard" "noatime" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/446B-FC4C";
fsType = "vfat";
};
};
powerManagement.cpuFreqGovernor = "powersave";
}
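Review bot: `allowDiscards = true;` on the `root` LUKS device, together with the `"discard"` mount option on `/`, is a deliberate trade-off that the file does not record: it passes TRIM through the encryption layer, so the layout of free space becomes observable on the ciphertext device, which the cryptsetup documentation describes as a minor information leak accepted for SSD wear. A one-line comment such as `allowDiscards = true; # TRIM through LUKS: exposes free-space layout, accepted for SSD wear` would keep a later reader from "fixing" it in either direction. The same reasoning applies to `"console=ttyS0,115200n8"`: with systemd-boot, whoever reaches the F81232 UART mentioned in the README gets the boot menu without authentication, which is fine for a device in a controlled location but worth a comment.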


@ -0,0 +1,54 @@
wg-home-private-key: ENC[AES256_GCM,data:gm4INfmp226u4wp+LuKgf5m2nTFFw4S24w4PRPcW/A7CU713c9NtQ+kPDKg=,iv:JAir9z5/Db6+Oroq+0vXPZLZLA2gjY2Be6hRAmgV5AE=,tag:fxL9nK3v5xERfcoBbCUsXg==,type:str]
wg-mullvad-private-key: ENC[AES256_GCM,data:yJ3+/rc3EQPhCMlHQ5BNA/NmPZiinjgV4A34UkmZgABvYLWzQMEQH5S8K9Q=,iv:YsGvRIaLbsYkbYCoD+szTIFPgBeyq/hoO4ljFSvp9f8=,tag:oil95breVKac7CdH/pA8FA==,type:str]
hostapd-config: ENC[AES256_GCM,data:a0ESrrsquLq6VRJM588C5A+FmVxJwJSzwRuv2o//LL5OybcDS8jkVUajosXEs0qmQ6Xfc1gFDcevCYUwJ24eZ+ynKLWwoNx8RXXwbpllO7FkI68vcauUij1CtUgVb8aHheKfrFuyW7WU1wE3NTtOt2gij1+nM3iKS3vFXtX2n9L2fuy2b3EhOUBiakxAeQmyVmclSVBDYt12i4h4tW7GpPr8AjoIiZgz0Hyx5zA5f/JTPzz/P200eM0tCttNPbMNPBGztJfw7raRIX+v6xw7QNPMgf03TOae17mt6uggTNKJfEPeanzcEMA3xR6xoFUqJL6Hvowyl4MrSFc+E5Rvft+qhp8m6tAqQln9Z3MzaDtxSBWnWdvWEcyeK1aDBQ57/aIwo8kVs47Iblqbi5+jM/n4DoeQtqTM1kS7sZ3XDQ26suW5KCw+VIeqEEqdu6g5ZXMO2SipSOzP5jPjX+5ubX3SXcyoAIo41Efa6YGdWtl3,iv:oLk5tatZEY5AI/PlTBJHShGCKiyvve9rPhGARAtMMj4=,tag:Bkan2Hff8L8ZcC67r+fWjg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-06-29T17:51:22Z"
mac: ENC[AES256_GCM,data:1mkrR2swPTwV5VzClUSfp+VdYXOXRD3hxITS1r3y3kmc7c4XDPJPiNuYXzgvLr6LN4xoAteVgYY+McVT3/JKykENtgpoiMVeWBvJvLPjFPt8FufnhqqCmlsVM17C5dlxdTvdtZtAPrebNqgxvVOdBfUcNugMx52ngmMNv9E7r1o=,iv:h8z5XO0r2zCA/gZSuLgFCupHizc4OMZeiBP+oHiXEBo=,tag:BzgBhgQIikNHSmYgNfPppA==,type:str]
pgp:
- created_at: "2023-06-29T16:44:16Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=y5Sy
-----END PGP MESSAGE-----
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- created_at: "2023-06-29T16:44:16Z"
enc: |
-----BEGIN PGP MESSAGE-----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=7Sdh
-----END PGP MESSAGE-----
fp: 28677f2e3584b39f528a779caf445ebb39c882b7
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -1,18 +1,24 @@
# Home network configuration
# (2.5GbE clients)
# | |
# +----------+ +----------+
# | | | | | | (1GbE clients)
# | | | | | +|-|-|-|-|+
# +---+----+ +-+-+-+-+-+ |5 4 3 2 1|
# |upstream| | 1 2 3 4 | |TL-SG105 |
# +--------+ | shinobu | +---------+
# +---------+
#
# +----------+ +------+
# | | | | ( clients )
# | | | +|-|-|-|-|+
# +---+----+ +-+-+-+ |5 4 3 2 1|
# |upstream| |fuuko| |TL-SG105 |
# +--------+ +-----+ +---------+
#
# It consists of fuuko as a router (this configuration),
# It consists of shinobu as a router (this configuration),
# connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch.
# The upstream comes from some plasic Huawei router/AP I dont control.
#
# fuuko has two physical network interfaces,
# because remote unlocking (which requires network in initrd) is hard with VLANs.
# Because the switch only supports GbE,
# the two clients I currently have with support for 2.5GbE are connected
# directly to the two remaining network interfaces on shinobu.
# Once I have more devices with support for 2.5GbE
# or I find a good deal on a matching switch,
# I will change this.
#
# Wireless is configured by providing the whole hostapd configuration file as a secret.
# Once nixpkgs PR 222536 is merged, I will migrate to using the NixOS module.
@ -49,6 +55,8 @@ in
systemd.network = {
enable = true;
# not all interfaces need to be up
wait-online.extraArgs = [ "--any" ];
netdevs = {
br-lan = {
netdevConfig = {
@ -77,7 +85,7 @@ in
};
networks = {
wan = {
name = "enp9s0";
name = "enp1s0";
networkConfig = {
# Upstream provides no IPv6 :(
# If this is not set, it waits and fails systemd-networkd-wait-online
@ -89,8 +97,16 @@ in
UseDNS = "no";
};
};
lan = {
name = "enp10s0";
lan1 = {
name = "enp2s0";
bridge = [ "br-lan" ];
};
lan2 = {
name = "enp3s0";
bridge = [ "br-lan" ];
};
lan3 = {
name = "enp4s0";
bridge = [ "br-lan" ];
};
br-lan = {
@ -209,8 +225,8 @@ in
# The service is mostly taken from nixpkgs pr 222536.
systemd.services.hostapd = {
path = with pkgs; [ hostapd ];
after = [ "sys-subsystem-net-devices-wlp8s0.device" ];
bindsTo = [ "sys-subsystem-net-devices-wlp8s0.device" ];
after = [ "sys-subsystem-net-devices-wlp5s0.device" ];
bindsTo = [ "sys-subsystem-net-devices-wlp5s0.device" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
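Review bot: `wait-online.extraArgs = [ "--any" ];` in the `systemd.network` hunk changes what `network-online.target` means for every unit on this host: it is reached once a single link is routable, which on a router is plausibly the WAN (`enp1s0` two hunks later) before `br-lan` has its address, so anything ordered after network-online.target that expects the LAN side up may race it. The comment `# not all interfaces need to be up` gives the reason only loosely; something like `# --any: the directly attached 2.5GbE ports (lan2/lan3) are not always linked and the WAN may be down; do not block network-online.target on them` would record the intent, if that is indeed it. The `systemd.network` attribute set and the `networks` set both start before their hunks.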


@ -63,5 +63,9 @@
hostNames = [ "[okarin.sbruder.de]:2222" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJbp0kZJEXf1gSVcBsef1Bihd5iCzhzSbjgyrC1SXXT";
};
shinobu = {
hostNames = [ "shinobu" "shinobu.home.sbruder.de" "shinobu.vpn.sbruder.de" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJNZPT2Mmys2nw/ovX6Z1Cb4WDAaWBWanycNwF9IEjl";
};
};
}
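Review bot: The pinned `publicKey` for `shinobu` appears to be the same trust root as the sops PGP key added in `keys/machines/shinobu.asc` — that key's user ID decodes to "root (Imported from SSH) <root@localhost>" and carries a zero creation time, the shape ssh-to-pgp produces — so regenerating the host key on a reinstall would invalidate this entry and the secrets encryption at the same time. A comment on the entry, e.g. `# host key also backs keys/machines/shinobu.asc (sops); rotate both together`, would make that coupling visible to whoever reinstalls the box. The enclosing `knownHosts` attribute set starts before the hunk.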


@ -32,6 +32,10 @@ let
address = "10.80.0.10";
publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
};
shinobu = {
address = "10.80.0.12";
publicKey = "ErLWueo4ikYH/mKHr3axyoAVZh+Bdh1NQBet42aD0kk=";
};
};
cfg = config.sbruder.wireguard.home;