From ab3161521180fba5cafd9add2a62efb132f0f1c1 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Thu, 21 Dec 2023 15:06:16 +0100
Subject: [PATCH] okarin2: Init
---
 .sops.yaml | 8 +++
 keys/machines/okarin2.asc | 28 ++++++++
 machines/default.nix | 5 ++
 machines/okarin2/README.md | 71 ++++++++++++++++++
 machines/okarin2/configuration.nix | 38 ++++++++++
 machines/okarin2/hardware-configuration.nix | 66 +++++++++++++++++
 machines/okarin2/secrets.yaml | 80 +++++++++++++++++++++
 machines/renge/services/prometheus.nix | 1 +
 modules/ssh.nix | 8 +++
 modules/wireguard/home.nix | 4 ++
 10 files changed, 309 insertions(+)
 create mode 100644 keys/machines/okarin2.asc
 create mode 100644 machines/okarin2/README.md
 create mode 100644 machines/okarin2/configuration.nix
 create mode 100644 machines/okarin2/hardware-configuration.nix
 create mode 100644 machines/okarin2/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 8fdefb7..5b72185 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -16,6 +16,7 @@ keys:
 - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
 - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
 - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
+ - &okarin2 e7370b48016c961ef8ad792fda66b19d845b3156
 - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
 - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
 - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
@@ -62,6 +63,13 @@ creation_rules:
 - *simon-alpha
 - *simon-beta
 - *okarin
+ - path_regex: machines/okarin2/secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *simon
+ - *simon-alpha
+ - *simon-beta
+ - *okarin2
 - path_regex: machines/renge/secrets\.yaml$
 key_groups:
 - pgp:
diff --git a/keys/machines/okarin2.asc b/keys/machines/okarin2.asc
new file mode 100644
index 0000000..fbeebd4
--- /dev/null
+++ b/keys/machines/okarin2.asc
@@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBAAAAAABEADJ6iuUnKyoNZU26YWhsIHwTIkhxnNCNDHrq42wSqDgBFU8QyzC +Nd8c34QghVGeqCFr/Md5xXMtgCmoNzFCMullb6PwDIYZ+9SP03B2seoqhnRwp1WG +twejt/dP3QgOBP3G4Tr8uxcdHFnLDvkzN66QyV+LcnzrEf0Dw/9y31Nuo5TlG7UT +cUCg36a3l+1tTlc3VnGwjt5jc59teD619h1s5tU5zMlcgjhFMMVKHXH1oc8zK0Q4 +va2YyfW+yWZx9Fm9BWF3VLuBdVlPuHVSCZ/Qf/ykDs8nm7Jvwi/I2TQiAeFN7ln9 +vPAYy4z0SQP/w44kVLCe5Mkw4H53LRocPBgxSflzqnJuuEQGroq0xgbP8+xJ8R0h +5WPqLuy86PhslFsuIfKJgzVsNsz3svBxHO6G5bIsVgIjdfT4QPGxVQSvXG0RpdV0 +HzhUKojENcS2MEB7MJOLu200Ce3tjuaZD+nPUyH9LilNVgEJXMN0+9SfXmzyH1mE +ENW6JWUC+oDgweodltJJ2z3kiaXf0GUNWFEv5P0uxkky3nsed4lDmEs0j0nT3YoS +0hemgdK8X3ZRMuLAxGLCL0SykmsbOdTTzZ/QCak8/0jI8iko9eDrmJ4rNkrQYT4+ +TM0JEpI3wA4ksl5WcB2cpM/G8buw/zNTycgbjcKoYL+E2K+L7JeR9F1DgQARAQAB +zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT +AQgAFgUCAAAAAAkQ2maxnYRbMVYCGw8CGQEAAMkCEAClRHcH4fUUpdXroevY9qpR +O6op26pqBZ839HoD9f4kaZXerhURWVGPcV81uUapR5/B8Pk/OK9LskBetDvoc+J1 ++B3vM34cRIzbSs55BVrx/Mk6Vn9utPoyutlaJ/b5VMCmz4f2zU/XwPbXOzouvVrn +uy/bqY7aNz0eoeU7lKXrXc9as+VoJgc3Ty9Tt1vPi8lfTeQfmxUDtoer47dhn89C +3fL9R5/4utKt5nRtweOh6+z9T36jNodeHy3VhpuMnUBKsWSQn6Op2sLoeb6FJbh0 +t5Tz1AZhqjT4HY8bGWK8v2i916BmGseFjge7CECYg9M5MydznHl9z87sBUiruGs4 +fQTZi8IQySaQ8jCqCx+PB1PYUAsZj4j3o74mx2/erAw8gxBlrme44CuikVdbEKMV +qYzW/jVJ6EPobtmq+XN8UzU/arf5/BelcU73sQK9fbvCqi47ZMyjC/3UqZ0O12xt +uUjf2IcDl8TyWZ3nSSUV7npXrrT05kC6WMK46TwO9wv8F3v3/35UmonAJt8qp/lw +2PNR5W8Sqxr2s+yhkOsh2xwuqBQkdxhqRKeqTv4+kdGAk6ZUmuHmGa1Qni6VsaKT +TuNRRTEBfQ0QiqF8+lleT2dP4cKI2vAbI0zvyjX6KvNGRb1VlJw3D6Pa0nXW/YQU +NxR1Jvm5bnGfUcnNlzoB4Q== +=6o0h +-----END PGP PUBLIC KEY BLOCK----- diff --git a/machines/default.nix b/machines/default.nix index 34641e0..ef29037 100644 --- a/machines/default.nix +++ b/machines/default.nix @@ -76,4 +76,9 @@ in targetHost = "yuzuru.sbruder.de"; }; + okarin2 = { + system = "x86_64-linux"; + + targetHost = "okarin2.sbruder.de"; + }; } 
diff --git a/machines/okarin2/README.md b/machines/okarin2/README.md
new file mode 100644
index 0000000..decac96
--- /dev/null
+++ b/machines/okarin2/README.md
@@ -0,0 +1,71 @@ + + +# okarin + +## Hardware + +[Ionos VPS Linux XS](https://www.ionos.de/server/vps) S (1 Xeon Skylake vCPU, 1 GiB RAM, 10 GB SSD). + +## Purpose + +It will host services I want to have separated from the rest of my infrastructure. + +## Name + +Okabe Rintaro is a mad scientist from *Steins;Gate* + +## Setup + +Much like the namesake, +this server requires a “mad scientist” approach to set up. +However, it is much easier than setting up its predecessor, +which had just above 400 MiB usable memory. + +Ionos does not offer any NixOS installation media. +I could only choose between various installation media and rescue systems. +Also, installing NixOS with a low amount of memory is problematic. + +I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size. +On there, I installed NixOS. +Because encryption with `argon2id` as PBKDF is quite memory intensive, +I had to tune the parameters to ensure decryption was still possible on the target. +This can be done quite easily by interactively running the following command on the build VM: + + cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3 + +The memory size was obtained by a successful run of `cryptsetup benchmark` inside the initrd on the target. + +However, since those parameters are not ideal, +the following should later be run on the target host itself: + + cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3 + +This will determine the memory usage automatically, +use one thread +and set the parameters so that decryption takes 10 seconds (10000 ms). +The memory usage will not be as high as it could, +but it will be better. + +Getting the disk image onto the server was done +by first `rsync`ing the image to another server (to allow for incremental iterations), +which then provided it via HTTP. 
+Using the Debian installation media in rescue mode
+(as for some reason most other options tried to cache the file in memory and became very slow)
+it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`.
+
+Because of all the pitfalls of this,
+you probably need more than one try.
+To make debugging easier on the target, the following option can be set:
+```nix
+{ pkgs, ... }:
+
+{
+ boot.initrd.preLVMCommands = ''
+ ${pkgs.bashInteractive}/bin/bash
+ '';
+}
+```
diff --git a/machines/okarin2/configuration.nix b/machines/okarin2/configuration.nix
new file mode 100644
index 0000000..18b1267
--- /dev/null
+++ b/machines/okarin2/configuration.nix
@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../modules
+ ];
+
+ sbruder = {
+ nginx.hardening.enable = true;
+ full = false;
+ wireguard.home.enable = true;
+ };
+
+ networking.hostName = "okarin2";
+
+ system.stateVersion = "23.11";
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."okarin2.sbruder.de" = {
+ enableACME = true;
+ forceSSL = true;
+
+ root = pkgs.sbruder.imprint;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+}
diff --git a/machines/okarin2/hardware-configuration.nix b/machines/okarin2/hardware-configuration.nix
new file mode 100644
index 0000000..6179035
--- /dev/null
+++ b/machines/okarin2/hardware-configuration.nix
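Review bot: `wireguard.home.enable = true;` deserves a comment stating what the tunnel is for, because the README added in this commit describes okarin2 as hosting services kept separate from the rest of the infrastructure, while this option (together with the prometheus scrape target and the 10.80.0.14 peer added in the same commit) joins the host to the home VPN. Something like `# home VPN is used for monitoring/management only; it is not a trust boundary for the services hosted here` would make the intended scope explicit; if the separation is meant to be a network boundary as well, the peer's reachable ranges should be narrowed accordingly, which I cannot judge from the address/key lines alone since the peer module is outside this diff. The nginx virtual host with `enableACME`/`forceSSL` and the 80/443 firewall openings are consistent with serving only `pkgs.sbruder.imprint`.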
@@ -0,0 +1,66 @@
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ lib, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ sbruder.machine.isVm = true;
+
+ boot = {
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ kernelParams = [ "ip=dhcp" ];
+ initrd = {
+ availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ];
+ kernelModules = [ ];
+ network = {
+ enable = true; # remote unlocking
+ # for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands
+ # this works around this, but is arguably quite hacky
+ postCommands = ''
+ ip route add 85.215.165.1 dev eth0
+ ip route add default via 85.215.165.1 dev eth0
+ '';
+ };
+ luks.devices."root".device = "/dev/disk/by-uuid/1dcb9ee1-5594-4174-98a7-a362da09f131";
+ };
+ loader.grub.device = "/dev/vda";
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/3ab8f4a7-952c-4b6c-93c6-7b307d5bb88b";
+ fsType = "btrfs";
+ options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/97aec56b-5fea-4445-83dc-4a20dcf482ce";
+ fsType = "ext2";
+ };
+ };
+
+ zramSwap = {
+ enable = true;
+ memoryPercent = 150;
+ };
+
+ networking = {
+ useDHCP = false;
+ usePredictableInterfaceNames = false;
+ };
+ systemd.network = {
+ enable = true;
+ networks = {
+ eth0 = {
+ name = "eth0";
+ DHCP = "yes";
+ domains = [ "sbruder.de" ];
+ };
+ };
+ };
+}
diff --git a/machines/okarin2/secrets.yaml b/machines/okarin2/secrets.yaml
new file mode 100644
index 0000000..60f8a19
--- /dev/null
+++ b/machines/okarin2/secrets.yaml
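Review bot: The `discard` option in `options = [ "compress=zstd" "discard" "noatime" "ssd" ];` for `/` sits on top of the LUKS device declared by `luks.devices."root".device = …`, and nothing in this hunk sets `allowDiscards = true;` for that device (NixOS defaults it to false), so unless a shared module enables it the TRIM requests stop at dm-crypt and the mount option is dead. This should be decided deliberately: passing discards through dm-crypt reveals to the hosting provider which blocks of the encrypted disk are in use, so either add `luks.devices."root".allowDiscards = true;` next to the device line with a comment naming that trade-off, or drop `"discard"` from the options. Separately, the hard-coded gateway `85.215.165.1` in `postCommands` is what makes the initrd remote unlock reachable; a one-line comment that a provider-side gateway change leaves the box unreachable without the VPS console would help whoever next debugs a boot that hangs at the LUKS prompt.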
@@ -0,0 +1,80 @@ +wg-home-private-key: ENC[AES256_GCM,data:RkdgneGhH7prr/tkvHJeChQku2eXve9pV/SvtwsOjeinYO9veHw0rimdonY=,iv:vK6zNpu8F+TSLDTaif686Awjhs8WS2XJHzMtlvqlsIM=,tag:aKhV+kspVu+0CgPmYersxw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-12-25T22:06:33Z" + mac: ENC[AES256_GCM,data:VbjyqrqDLCBDD9vGOHxSzsr9a5ZFFBJUkBRxJYBLereMDvInPFZnTwplHHkS5TdDFFAsjrcCgpCuPsUIbDdxFUNNtjdIe5JJwFMwT8XEFrgcswMGSKD6mIH2VBWop5pqoAV0eQ3YfKtDyhNHwixR8a+Z+hbGAY01Z19yteo51ZM=,iv:69EeBag+iUEoa18I0w1HeJKRwSQVCMRqUdV2CzUzMnY=,tag:WViKXJExL33jQAIWHUS8xw==,type:str] + pgp: + - created_at: "2024-01-24T12:19:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DLHeEFiC484ASAQdA4PdmtZTlpcdfuYKSuKN6X4EGjh/l2D8Jxt7dg1y/Z0kw + ScG/nWs9hVMFTBeqSM0eHgFfcZhBB/L85eNf9thktTUbcWq0GEUcz5mwUqILtkfA + hF4Dub78fMESoMASAQdAMcVZokes0YKtbUZp7b9zq303WXPga5yn8LbhnaRrHycw + +ECn4t8y8SXFICpAZ5n+xj5U8MdmdKOzhNQLleFKIHtWdyeUlwFi0qYYP8MRCLTB + hF4DM6AcvgVUx2MSAQdAIzXqgZ8WiIxIV05BumWLsyZUChwvDQc47NMd5ehhBEQw + I1LY11LTNENypr5q0mhy615kIbsdhpzAVLf4Bkf921zABsfFzuY5zJHqi8SKVm7/ + 1GYBCQIQHPC99/GrpHG703gozt2I0P2XMhlRpzj359qStWaQZ8NBL5Ugo5BLvphf + 1/WYAlvnH4Uov2TxKdQs65IJSadQgs7lBWB5gqHklZ76E4Q+00oMQxwGjzMdddA/ + hRlLbnUDE1Q= + =ol1Y + -----END PGP MESSAGE----- + fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763 + - created_at: "2024-01-24T12:19:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DLHeEFiC484ASAQdAaXq+nn0DDx+RAkEC+x+yeP5xbCIdXkR9tQCgWx1s0jkw + VRgFkiBa6IsS0vmYknobXkizETtNjEhJ8vNw9nP0zPdjuUZBId2/bJZa7aFdIFRU + hF4Dub78fMESoMASAQdAMLbBcLnc+5UVDsx50SgCVjQoHO4JGE53DE6Q+frDEiow + rVFbLxWlJ/aw9baRdKUMkIUJftnImUQgolXvEfUjdS/oOdY69r4psLlHLQX11Ow1 + hF4DM6AcvgVUx2MSAQdAUZV3q/IXwUbRv9EokTe+4o83XzeS1h4GK3/3wjnKDHkw + xHFJR2clEMDlaq7Rx3FTr2a7MlzSnzBLtIwdw5b9ytuRvHjD5q7zCf5bihYnvdjV + 1GYBCQIQFt+CYziUXtEHjJFC1t+S3qkyPRAsVgZL8WlxbKzteW0NOdIZofHx6skG + Ebn8aadKcGg534DkwEt5DpIosXKUx4LN5xsCNoU9dHFYMSFE2nzJE4KNFJ8tzRQk + G+tyNMgCYhM= + =2QnY + -----END PGP MESSAGE----- + fp: 
0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0 + - created_at: "2024-01-24T12:19:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DLHeEFiC484ASAQdA6ojEbZ8HccTtorNbyw9aVKO73AJy6jTGV/qLt+FWoRgw + SsOLiL0UmF1OV7zmXE0ihkWivPqLHtp1U89aYucpAA69DIh4+6M7GUk1xDMxFfRo + hF4Dub78fMESoMASAQdAV2z2DgUz2xWopnDzXywdpHb9eMe9ZxdABxpOJ0ECeBww + wOC1x+IKIbIRZBDL7jbVUOk1G+GzCL4M7/G7XFSTFYMKvMKkc0Rh69pywFuGaqG8 + hF4DM6AcvgVUx2MSAQdA7bKGjcW81bzf58FlGGVDy/HjNyuEPNSVZXy0M+/WZAcw + 3iXR9MecA97bKKKhLyNSdYmYlAjZJVIdwd6vjNWjxaB7BIWTYhudTjHesLMxB0vc + 1GYBCQIQlp1TDaBVxalDkeCEjDMRFatgJ3CwulzzW9B8qywOooS0BNtNbtTKGwEh + AxDL+wdeqkPABQ0wQ8hYGOw5z665jEOC2JbqbQ7N6LPQZRx/MowO2dGT/kKh2U9H + VOK1Bc67BzU= + =3z3V + -----END PGP MESSAGE----- + fp: 403215E0F99D2582C7055C512C77841620B8F380 + - created_at: "2024-01-24T12:19:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA9pmsZ2EWzFWAQ/9Gl4dO83SmvGHyhEfile6G9ZUmhxwU2RFpPwEmjh4CV/v + z1k2zgdF200a6tj96977VhjhIG/LZioEi41M1QdIqgkGsKy89DluCY9RDTqMmqzo + w65JhI+PQqdQuKlsbUh2VLql7LijoIUxuBPowWG1lULZtEvRuCchM5rLFiBSC2YO + DA0T73kC2P89CNZlOllZNnVRCRrxm7IsEO6Mo1yOeJL16mYqC9qGGKnvYEbsSm4n + 7ZZJvxXGnNzaXisyyjcJNgtsJAUX4TTlPH+Y2jpkhdHUvOkiwVQEokmnqTIKUp0e + 7Dc6ZXApFQ1DlMMsjLwy+5AQJQZbY4p4jo9rvmON5i5DLPy4rN5yf8W7zwkuy2gN + Id53gxDZxHw0+mRsfYRrdOvmfUqqz79TyWVV8bvHR2Mo3shdL1fsWOzTlm66Y9Vt + 4coJxgUsJEFdnsnXAFep2V18Ypg36b9wQXtZDXWtTg36UliZZ95sUAG2vHQDS50b + 5XG07m1w8YgQSeiCObteAt4PqxEs1GYWmtRUmr4jvRQQzmVXCQP6+o0QJ5WK9bKl + auwT+H7POBJ3l+h9ykvmOidkAzeN7EWIirzvhDHsxvCklGCyo+Y3W5ZaLaFGfc/3 + pdj1G/REVT6aQMtSuYUsD7QoZeiNNBNJXAtUuUS6mWxch8RnkW718wxYZLvi03jS + VgHaVWepbw/q0COmjyofCt1qZH+WMKSAguiQ6PHWAdP3hnzGgd7Qo84W54Fb3m1R + da72FFnILc3IYImbJI6QgJxAeS2K95nIWKdSix07c+m0zzFkemnB + =F0pC + -----END PGP MESSAGE----- + fp: e7370b48016c961ef8ad792fda66b19d845b3156 + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/machines/renge/services/prometheus.nix b/machines/renge/services/prometheus.nix index 495bf16..cfe5384 100644 --- a/machines/renge/services/prometheus.nix 
+++ b/machines/renge/services/prometheus.nix
@@ -72,6 +72,7 @@ in
 "hitagi.vpn.sbruder.de:9100"
 "vueko.vpn.sbruder.de:9100"
 "okarin.vpn.sbruder.de:9100"
+ "okarin2.vpn.sbruder.de:9100"
 "shinobu.vpn.sbruder.de:9100"
 "nazuna.vpn.sbruder.de:9100"
 "yuzuru.vpn.sbruder.de:9100"
diff --git a/modules/ssh.nix b/modules/ssh.nix
index e643930..8ff8f8a 100644
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@@ -87,5 +87,13 @@
 hostNames = [ "[yuzuru.sbruder.de]:2222" ];
 publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
 };
+ okarin2 = {
+ hostNames = [ "okarin2" "okarin2.sbruder.de" "okarin2.vpn.sbruder.de" ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvRAiEAV0Oulii0w3xcHCb0/oHqpA0hz3bn//BQnR8T";
+ };
+ okarin2-initrd = {
+ hostNames = [ "[okarin2.sbruder.de]:2222" ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOV+azRrT1zICmDe9D7bm3pOaFzaT+cVXCvxgY1bAbP";
+ };
 };
 }
diff --git a/modules/wireguard/home.nix b/modules/wireguard/home.nix
index bb81b53..25a241f 100644
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@@ -36,6 +36,10 @@ let
 address = "10.80.0.10";
 publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
 };
+ okarin2 = {
+ address = "10.80.0.14";
+ publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA=";
+ };
 shinobu = {
 address = "10.80.0.12";
 publicKey = "ErLWueo4ikYH/mKHr3axyoAVZh+Bdh1NQBet42aD0kk=";
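Review bot: The `okarin2-initrd` entry in modules/ssh.nix carries a different public key from `okarin2` without saying why, so a reader cannot tell whether one of the two is stale; a one-line comment would settle that. The separate key is presumably the host key of the initrd sshd used for remote LUKS unlocking on port 2222, which lives in the unencrypted initrd on the separate `/boot` rather than on the encrypted root and therefore must not be the system host key (the existing `yuzuru-initrd` entry follows the same pattern). Suggested comment above the entry: `# initrd sshd (remote LUKS unlock): separate host key, since the initrd is stored unencrypted in /boot and must not hold the system key`. The enclosing attribute set begins before this hunk.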