okarin2: Init

.sops.yaml

@@ -9,6 +9,7 @@ keys:
   - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
   - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
   - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
+  - &okarin2 e7370b48016c961ef8ad792fda66b19d845b3156
   - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
   - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
 creation_rules:
@@ -47,6 +48,11 @@ creation_rules:
     - pgp:
       - *simon
       - *okarin
+  - path_regex: machines/okarin2/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *simon
+      - *okarin2
   - path_regex: machines/renge/secrets\.yaml$
     key_groups:
     - pgp:

keys/machines/okarin2.asc

@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBAAAAAABEADJ6iuUnKyoNZU26YWhsIHwTIkhxnNCNDHrq42wSqDgBFU8QyzC
+Nd8c34QghVGeqCFr/Md5xXMtgCmoNzFCMullb6PwDIYZ+9SP03B2seoqhnRwp1WG
+twejt/dP3QgOBP3G4Tr8uxcdHFnLDvkzN66QyV+LcnzrEf0Dw/9y31Nuo5TlG7UT
+cUCg36a3l+1tTlc3VnGwjt5jc59teD619h1s5tU5zMlcgjhFMMVKHXH1oc8zK0Q4
+va2YyfW+yWZx9Fm9BWF3VLuBdVlPuHVSCZ/Qf/ykDs8nm7Jvwi/I2TQiAeFN7ln9
+vPAYy4z0SQP/w44kVLCe5Mkw4H53LRocPBgxSflzqnJuuEQGroq0xgbP8+xJ8R0h
+5WPqLuy86PhslFsuIfKJgzVsNsz3svBxHO6G5bIsVgIjdfT4QPGxVQSvXG0RpdV0
+HzhUKojENcS2MEB7MJOLu200Ce3tjuaZD+nPUyH9LilNVgEJXMN0+9SfXmzyH1mE
+ENW6JWUC+oDgweodltJJ2z3kiaXf0GUNWFEv5P0uxkky3nsed4lDmEs0j0nT3YoS
+0hemgdK8X3ZRMuLAxGLCL0SykmsbOdTTzZ/QCak8/0jI8iko9eDrmJ4rNkrQYT4+
+TM0JEpI3wA4ksl5WcB2cpM/G8buw/zNTycgbjcKoYL+E2K+L7JeR9F1DgQARAQAB
+zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
+AQgAFgUCAAAAAAkQ2maxnYRbMVYCGw8CGQEAAMkCEAClRHcH4fUUpdXroevY9qpR
+O6op26pqBZ839HoD9f4kaZXerhURWVGPcV81uUapR5/B8Pk/OK9LskBetDvoc+J1
++B3vM34cRIzbSs55BVrx/Mk6Vn9utPoyutlaJ/b5VMCmz4f2zU/XwPbXOzouvVrn
+uy/bqY7aNz0eoeU7lKXrXc9as+VoJgc3Ty9Tt1vPi8lfTeQfmxUDtoer47dhn89C
+3fL9R5/4utKt5nRtweOh6+z9T36jNodeHy3VhpuMnUBKsWSQn6Op2sLoeb6FJbh0
+t5Tz1AZhqjT4HY8bGWK8v2i916BmGseFjge7CECYg9M5MydznHl9z87sBUiruGs4
+fQTZi8IQySaQ8jCqCx+PB1PYUAsZj4j3o74mx2/erAw8gxBlrme44CuikVdbEKMV
+qYzW/jVJ6EPobtmq+XN8UzU/arf5/BelcU73sQK9fbvCqi47ZMyjC/3UqZ0O12xt
+uUjf2IcDl8TyWZ3nSSUV7npXrrT05kC6WMK46TwO9wv8F3v3/35UmonAJt8qp/lw
+2PNR5W8Sqxr2s+yhkOsh2xwuqBQkdxhqRKeqTv4+kdGAk6ZUmuHmGa1Qni6VsaKT
+TuNRRTEBfQ0QiqF8+lleT2dP4cKI2vAbI0zvyjX6KvNGRb1VlJw3D6Pa0nXW/YQU
+NxR1Jvm5bnGfUcnNlzoB4Q==
+=6o0h
+-----END PGP PUBLIC KEY BLOCK-----

machines/default.nix

@@ -67,4 +67,9 @@ in
 
     targetHost = "nazuna.sbruder.de";
   };
+  okarin2 = {
+    system = "x86_64-linux";
+
+    targetHost = "okarin2.sbruder.de";
+  };
 }

machines/okarin2/README.md

@@ -0,0 +1,65 @@
+# okarin
+
+## Hardware
+
+[Ionos VPS Linux XS](https://www.ionos.de/server/vps) S (1 Xeon Skylake vCPU, 1 GiB RAM, 10 GB SSD).
+
+## Purpose
+
+It will host services I want to have separated from the rest of my infrastructure.
+
+## Name
+
+Okabe Rintaro is a mad scientist from *Steins;Gate*
+
+## Setup
+
+Much like the namesake,
+this server requires a “mad scientist” approach to set up.
+However, it is much easier than setting up its predecessor,
+which had just above 400 MiB usable memory.
+
+Ionos does not offer any NixOS installation media.
+I could only choose between various installation media and rescue systems.
+Also, installing NixOS with a low amount of memory is problematic.
+
+I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size.
+On there, I installed NixOS.
+Because encryption with `argon2id` as PBKDF is quite memory intensive,
+I had to tune the parameters to ensure decryption was still possible on the target.
+This can be done quite easily by interactively running the following command on the build VM:
+
+    cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3
+
+The memory size was obtained by a successful run of `cryptsetup benchmark` inside the initrd on the target.
+
+However, since those parameters are not ideal,
+the following should later be run on the target host itself:
+
+    cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3
+
+This will determine the memory usage automatically,
+use one thread
+and set the parameters so that decryption takes 10 seconds (10000 ms).
+The memory usage will not be as high as it could,
+but it will be better.
+
+Getting the disk image onto the server was done
+by first `rsync`ing the image to another server (to allow for incremental iterations),
+which then provided it via HTTP.
+Using the Debian installation media in rescue mode
+(as for some reason most other options tried to cache the file in memory and became very slow)
+it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`.
+
+Because of all the pitfalls of this,
+you probably need more than one try.
+To make debugging easier on the target, the following option can be set:
+```nix
+{ pkgs, ... }:
+
+{
+  boot.initrd.preLVMCommands = ''
+    ${pkgs.bashInteractive}/bin/bash
+  '';
+}
+```

machines/okarin2/configuration.nix

@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules
+  ];
+
+  sbruder = {
+    nginx.hardening.enable = true;
+    full = false;
+    wireguard.home.enable = true;
+  };
+
+  networking.hostName = "okarin2";
+
+  system.stateVersion = "23.11";
+
+  services.nginx = {
+    enable = true;
+
+    virtualHosts."okarin2.sbruder.de" = {
+      enableACME = true;
+      forceSSL = true;
+
+      root = pkgs.sbruder.imprint;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}

machines/okarin2/hardware-configuration.nix

@@ -0,0 +1,65 @@
+{ lib, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  sbruder.machine.isVm = true;
+
+  boot = {
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+    kernelParams = [ "ip=dhcp" ];
+    initrd = {
+      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ];
+      kernelModules = [ ];
+      network = {
+        enable = true; # remote unlocking
+        # for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands
+        # this works around this, but is arguably quite hacky
+        postCommands = ''
+          ip route add 85.215.165.1 dev eth0
+          ip route add default via 85.215.165.1 dev eth0
+        '';
+      };
+      luks.devices."root".device = "/dev/disk/by-uuid/1dcb9ee1-5594-4174-98a7-a362da09f131";
+    };
+    loader.grub.device = "/dev/vda";
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/3ab8f4a7-952c-4b6c-93c6-7b307d5bb88b";
+      fsType = "btrfs";
+      options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/97aec56b-5fea-4445-83dc-4a20dcf482ce";
+      fsType = "ext2";
+    };
+  };
+
+  zramSwap = {
+    enable = true;
+    memoryPercent = 150;
+  };
+
+  networking = {
+    useDHCP = false;
+    usePredictableInterfaceNames = false;
+  };
+  systemd.network = {
+    enable = true;
+    networks = {
+      eth0 = {
+        name = "eth0";
+        DHCP = "yes";
+        domains = [ "sbruder.de" ];
+      };
+    };
+  };
+
+  # no smart on virtual disk
+  services.smartd.enable = false;
+}

machines/okarin2/secrets.yaml

@@ -0,0 +1,52 @@
+wg-home-private-key: ENC[AES256_GCM,data:RkdgneGhH7prr/tkvHJeChQku2eXve9pV/SvtwsOjeinYO9veHw0rimdonY=,iv:vK6zNpu8F+TSLDTaif686Awjhs8WS2XJHzMtlvqlsIM=,tag:aKhV+kspVu+0CgPmYersxw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-12-25T22:06:33Z"
+    mac: ENC[AES256_GCM,data:VbjyqrqDLCBDD9vGOHxSzsr9a5ZFFBJUkBRxJYBLereMDvInPFZnTwplHHkS5TdDFFAsjrcCgpCuPsUIbDdxFUNNtjdIe5JJwFMwT8XEFrgcswMGSKD6mIH2VBWop5pqoAV0eQ3YfKtDyhNHwixR8a+Z+hbGAY01Z19yteo51ZM=,iv:69EeBag+iUEoa18I0w1HeJKRwSQVCMRqUdV2CzUzMnY=,tag:WViKXJExL33jQAIWHUS8xw==,type:str]
+    pgp:
+        - created_at: "2023-12-25T22:06:24Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDgSONkM+d4AQ//SKeZaVHSgO+vjWxkJgLUo6rJy27G0f5lU3WQ2fluZRm6
+            ZpEJpPQQocJhPO6Ag1LEMt/FPOk57O4whCMnimWyTh6r3xWExB08b9BTnQcicYxs
+            7dVvUX/WfjHLP27X1rJXM+p1GqAdjCARabuNeVqmOg5dtJlS+6744f6hcS1FrfJj
+            7WbV2Y7uq/DVH/+HO5ha2WK6+QXTJ/gbGbU6K4s6hrd+BjCu5+XKEFqxIByWK5Q1
+            SvU8/K15MrNwmjftGlNx2iYmTvf1xvrp8TBLQuwwnj3bcXwERBtHnjvJ5qtxHzPZ
+            KMkvDdZhxp9Dq8unfqXRTSbIV2j1Fd+FwIDJPds7xy2BunVonzci5eREPLqXxSwA
+            gO1wLM6knHNzzwCrCVhxZJtwunb4EPP5n43wfZvXh6L1HRqphwaIWaS8kFCvNNrj
+            uZ2FnLKQ22FchSE7l8U09XBvMKkXpDbyjn9Jeh5LOocdalxm5MKu2sriu19XGqcJ
+            aWcyJMsljGbHtEViYxaFXz+c8YCZQeb7+zxN5+9IWkQLxrxQJ1Wy+kKB9+TXfNrG
+            shL5Sssfih7FTAJNvPF6lToJmdsEkN4lOCR6wieovDTCoINeuR1uYS4R5r88Y1dr
+            jrPlpX2fgCqoiuALxDEz7L6sOZojwM/kIVGgbQoQHYnqk91VZozsmR9XqiWIio/S
+            XAGql22HI7tRnZmgXxc+rNPpysTVhcm4n/GaY8xAgCFfoI6gdPFtCpl5J4GyUVWc
+            fmfRNpantZdu3zaAGKxBUFlVMU0H/HckLgZ7PCNFW56HvkAXw7WDygjnAVDm
+            =W/jx
+            -----END PGP MESSAGE-----
+          fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+        - created_at: "2023-12-25T22:06:24Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA9pmsZ2EWzFWAQ//WLJme0kJzXcAYteyabHrYjtSrLZdPhzHF0t4toLhoQf/
+            8vBQQHOssJ87IH6HYyVUd3Ch+PTWEY1FZ3OUkbCuy2ogepA2BPeQK+AJE9hH2lXM
+            /YmR5LW32Cv1HRJP/ZwSt3r6dPKVAIdDeqc1svIv20D913xszAWZLZNMilWdGBMJ
+            61zvugy42eQtWjWnuNZkmUCz9IdQWzBF1Tju8IgGTTkL7lrOn9puXd/w0kxaBWTl
+            HHYvVaZrCCk0+sNdHd6H4v1Y6/eR5PE2RFs4Yc4M6dpyZ3y9gjntIAwHXcVidILN
+            recSXivwz9+bCKVyUyFoqX9NDPDTV2KSq4kNw8KzwGl8daL0SIZj8TJ7c0izJ4Fj
+            d28KjSnUjXiEROH/KuvAJfbgHsu5EqDVm+gfqhR/q53QcQEX/444oy/hRTTvAMC6
+            55SbhFOeNhWfHdlI8TGw2mOqRNl+kuJhF2nusL4iX2mvFfVmjvdi95qBBVJOmho8
+            7+DzQwUGDU0VeDN4WbtQiXRQ6eAQGB+3CBPfI3J+I8a0SBIIvXQAEupv11LwmdXr
+            6ykZFTsR3Fp0lzDQTOqVV58kaXea3wVdH/Sa3rVRY92Rn36EwvPkVInv+pFyuQxv
+            cr82VGpdY47wqHnok1bA+xe2J1oo9pIwZL30Ob3Ao2Kfk66WDQc0vsPEs2DPhWHS
+            VgEqq/JJUD0oHm6guT1FK7xmWMLdroTXPxe4hUMKpKbikZkeYwm2pgJKW7HBKCtV
+            5j3AlTD8m7s7gFmSyYN4nxCxGqJV7y52S5I0Z9Xu7PqY+Rf7VoQ8
+            =SnAV
+            -----END PGP MESSAGE-----
+          fp: e7370b48016c961ef8ad792fda66b19d845b3156
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

machines/renge/services/prometheus.nix

@@ -68,6 +68,7 @@ in
           "hitagi.vpn.sbruder.de:9100"
           "vueko.vpn.sbruder.de:9100"
           "okarin.vpn.sbruder.de:9100"
+          "okarin2.vpn.sbruder.de:9100"
           "shinobu.vpn.sbruder.de:9100"
           "nazuna.vpn.sbruder.de:9100"
         ];

modules/ssh.nix

@@ -75,5 +75,13 @@
       hostNames = [ "[nazuna.sbruder.de]:2222" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/VDiagTEI5BIjTrPRkGWAH3YurcMEV8i6Q8PSnxlg3";
     };
+    okarin2 = {
+      hostNames = [ "okarin2" "okarin2.sbruder.de" "okarin2.vpn.sbruder.de" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvRAiEAV0Oulii0w3xcHCb0/oHqpA0hz3bn//BQnR8T";
+    };
+    okarin2-initrd = {
+      hostNames = [ "[okarin2.sbruder.de]:2222" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOV+azRrT1zICmDe9D7bm3pOaFzaT+cVXCvxgY1bAbP";
+    };
   };
 }

modules/wireguard/home.nix

@@ -32,6 +32,10 @@ let
       address = "10.80.0.10";
       publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
     };
+    okarin2 = {
+      address = "10.80.0.14";
+      publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA=";
+    };
     shinobu = {
       address = "10.80.0.12";
       publicKey = "ErLWueo4ikYH/mKHr3axyoAVZh+Bdh1NQBet42aD0kk=";