okarin2: Init

.sops.yaml

@@ -16,6 +16,7 @@ keys:
   - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035
   - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
   - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
+  - &okarin2 e7370b48016c961ef8ad792fda66b19d845b3156
   - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
   - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
   - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
@@ -62,6 +63,13 @@ creation_rules:
       - *simon-alpha
       - *simon-beta
       - *okarin
+  - path_regex: machines/okarin2/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *simon
+      - *simon-alpha
+      - *simon-beta
+      - *okarin2
   - path_regex: machines/renge/secrets\.yaml$
     key_groups:
     - pgp:

keys/machines/okarin2.asc

@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBAAAAAABEADJ6iuUnKyoNZU26YWhsIHwTIkhxnNCNDHrq42wSqDgBFU8QyzC
+Nd8c34QghVGeqCFr/Md5xXMtgCmoNzFCMullb6PwDIYZ+9SP03B2seoqhnRwp1WG
+twejt/dP3QgOBP3G4Tr8uxcdHFnLDvkzN66QyV+LcnzrEf0Dw/9y31Nuo5TlG7UT
+cUCg36a3l+1tTlc3VnGwjt5jc59teD619h1s5tU5zMlcgjhFMMVKHXH1oc8zK0Q4
+va2YyfW+yWZx9Fm9BWF3VLuBdVlPuHVSCZ/Qf/ykDs8nm7Jvwi/I2TQiAeFN7ln9
+vPAYy4z0SQP/w44kVLCe5Mkw4H53LRocPBgxSflzqnJuuEQGroq0xgbP8+xJ8R0h
+5WPqLuy86PhslFsuIfKJgzVsNsz3svBxHO6G5bIsVgIjdfT4QPGxVQSvXG0RpdV0
+HzhUKojENcS2MEB7MJOLu200Ce3tjuaZD+nPUyH9LilNVgEJXMN0+9SfXmzyH1mE
+ENW6JWUC+oDgweodltJJ2z3kiaXf0GUNWFEv5P0uxkky3nsed4lDmEs0j0nT3YoS
+0hemgdK8X3ZRMuLAxGLCL0SykmsbOdTTzZ/QCak8/0jI8iko9eDrmJ4rNkrQYT4+
+TM0JEpI3wA4ksl5WcB2cpM/G8buw/zNTycgbjcKoYL+E2K+L7JeR9F1DgQARAQAB
+zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
+AQgAFgUCAAAAAAkQ2maxnYRbMVYCGw8CGQEAAMkCEAClRHcH4fUUpdXroevY9qpR
+O6op26pqBZ839HoD9f4kaZXerhURWVGPcV81uUapR5/B8Pk/OK9LskBetDvoc+J1
++B3vM34cRIzbSs55BVrx/Mk6Vn9utPoyutlaJ/b5VMCmz4f2zU/XwPbXOzouvVrn
+uy/bqY7aNz0eoeU7lKXrXc9as+VoJgc3Ty9Tt1vPi8lfTeQfmxUDtoer47dhn89C
+3fL9R5/4utKt5nRtweOh6+z9T36jNodeHy3VhpuMnUBKsWSQn6Op2sLoeb6FJbh0
+t5Tz1AZhqjT4HY8bGWK8v2i916BmGseFjge7CECYg9M5MydznHl9z87sBUiruGs4
+fQTZi8IQySaQ8jCqCx+PB1PYUAsZj4j3o74mx2/erAw8gxBlrme44CuikVdbEKMV
+qYzW/jVJ6EPobtmq+XN8UzU/arf5/BelcU73sQK9fbvCqi47ZMyjC/3UqZ0O12xt
+uUjf2IcDl8TyWZ3nSSUV7npXrrT05kC6WMK46TwO9wv8F3v3/35UmonAJt8qp/lw
+2PNR5W8Sqxr2s+yhkOsh2xwuqBQkdxhqRKeqTv4+kdGAk6ZUmuHmGa1Qni6VsaKT
+TuNRRTEBfQ0QiqF8+lleT2dP4cKI2vAbI0zvyjX6KvNGRb1VlJw3D6Pa0nXW/YQU
+NxR1Jvm5bnGfUcnNlzoB4Q==
+=6o0h
+-----END PGP PUBLIC KEY BLOCK-----

machines/default.nix

@@ -76,4 +76,9 @@ in
 
     targetHost = "yuzuru.sbruder.de";
   };
+  okarin2 = {
+    system = "x86_64-linux";
+
+    targetHost = "okarin2.sbruder.de";
+  };
 }

machines/okarin2/README.md

@@ -0,0 +1,71 @@
+<!--
+SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+
+SPDX-License-Identifier: CC-BY-SA-4.0
+-->
+
+# okarin
+
+## Hardware
+
+[Ionos VPS Linux XS](https://www.ionos.de/server/vps) S (1 Xeon Skylake vCPU, 1 GiB RAM, 10 GB SSD).
+
+## Purpose
+
+It will host services I want to have separated from the rest of my infrastructure.
+
+## Name
+
+Okabe Rintaro is a mad scientist from *Steins;Gate*
+
+## Setup
+
+Much like the namesake,
+this server requires a “mad scientist” approach to set up.
+However, it is much easier than setting up its predecessor,
+which had just above 400 MiB usable memory.
+
+Ionos does not offer any NixOS installation media.
+I could only choose between various installation media and rescue systems.
+Also, installing NixOS with a low amount of memory is problematic.
+
+I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size.
+On there, I installed NixOS.
+Because encryption with `argon2id` as PBKDF is quite memory intensive,
+I had to tune the parameters to ensure decryption was still possible on the target.
+This can be done quite easily by interactively running the following command on the build VM:
+
+    cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3
+
+The memory size was obtained by a successful run of `cryptsetup benchmark` inside the initrd on the target.
+
+However, since those parameters are not ideal,
+the following should later be run on the target host itself:
+
+    cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3
+
+This will determine the memory usage automatically,
+use one thread
+and set the parameters so that decryption takes 10 seconds (10000 ms).
+The memory usage will not be as high as it could,
+but it will be better.
+
+Getting the disk image onto the server was done
+by first `rsync`ing the image to another server (to allow for incremental iterations),
+which then provided it via HTTP.
+Using the Debian installation media in rescue mode
+(as for some reason most other options tried to cache the file in memory and became very slow)
+it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`.
+
+Because of all the pitfalls of this,
+you probably need more than one try.
+To make debugging easier on the target, the following option can be set:
+```nix
+{ pkgs, ... }:
+
+{
+  boot.initrd.preLVMCommands = ''
+    ${pkgs.bashInteractive}/bin/bash
+  '';
+}
+```

machines/okarin2/configuration.nix

@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules
+  ];
+
+  sbruder = {
+    nginx.hardening.enable = true;
+    full = false;
+    wireguard.home.enable = true;
+  };
+
+  networking.hostName = "okarin2";
+
+  system.stateVersion = "23.11";
+
+  services.nginx = {
+    enable = true;
+
+    virtualHosts."okarin2.sbruder.de" = {
+      enableACME = true;
+      forceSSL = true;
+
+      root = pkgs.sbruder.imprint;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}

machines/okarin2/hardware-configuration.nix

@@ -0,0 +1,66 @@
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ lib, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  sbruder.machine.isVm = true;
+
+  boot = {
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+    kernelParams = [ "ip=dhcp" ];
+    initrd = {
+      availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ];
+      kernelModules = [ ];
+      network = {
+        enable = true; # remote unlocking
+        # for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands
+        # this works around this, but is arguably quite hacky
+        postCommands = ''
+          ip route add 85.215.165.1 dev eth0
+          ip route add default via 85.215.165.1 dev eth0
+        '';
+      };
+      luks.devices."root".device = "/dev/disk/by-uuid/1dcb9ee1-5594-4174-98a7-a362da09f131";
+    };
+    loader.grub.device = "/dev/vda";
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/3ab8f4a7-952c-4b6c-93c6-7b307d5bb88b";
+      fsType = "btrfs";
+      options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/97aec56b-5fea-4445-83dc-4a20dcf482ce";
+      fsType = "ext2";
+    };
+  };
+
+  zramSwap = {
+    enable = true;
+    memoryPercent = 150;
+  };
+
+  networking = {
+    useDHCP = false;
+    usePredictableInterfaceNames = false;
+  };
+  systemd.network = {
+    enable = true;
+    networks = {
+      eth0 = {
+        name = "eth0";
+        DHCP = "yes";
+        domains = [ "sbruder.de" ];
+      };
+    };
+  };
+}

machines/okarin2/secrets.yaml

@@ -0,0 +1,80 @@
+wg-home-private-key: ENC[AES256_GCM,data:RkdgneGhH7prr/tkvHJeChQku2eXve9pV/SvtwsOjeinYO9veHw0rimdonY=,iv:vK6zNpu8F+TSLDTaif686Awjhs8WS2XJHzMtlvqlsIM=,tag:aKhV+kspVu+0CgPmYersxw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-12-25T22:06:33Z"
+    mac: ENC[AES256_GCM,data:VbjyqrqDLCBDD9vGOHxSzsr9a5ZFFBJUkBRxJYBLereMDvInPFZnTwplHHkS5TdDFFAsjrcCgpCuPsUIbDdxFUNNtjdIe5JJwFMwT8XEFrgcswMGSKD6mIH2VBWop5pqoAV0eQ3YfKtDyhNHwixR8a+Z+hbGAY01Z19yteo51ZM=,iv:69EeBag+iUEoa18I0w1HeJKRwSQVCMRqUdV2CzUzMnY=,tag:WViKXJExL33jQAIWHUS8xw==,type:str]
+    pgp:
+        - created_at: "2024-01-24T12:19:03Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DLHeEFiC484ASAQdA4PdmtZTlpcdfuYKSuKN6X4EGjh/l2D8Jxt7dg1y/Z0kw
+            ScG/nWs9hVMFTBeqSM0eHgFfcZhBB/L85eNf9thktTUbcWq0GEUcz5mwUqILtkfA
+            hF4Dub78fMESoMASAQdAMcVZokes0YKtbUZp7b9zq303WXPga5yn8LbhnaRrHycw
+            +ECn4t8y8SXFICpAZ5n+xj5U8MdmdKOzhNQLleFKIHtWdyeUlwFi0qYYP8MRCLTB
+            hF4DM6AcvgVUx2MSAQdAIzXqgZ8WiIxIV05BumWLsyZUChwvDQc47NMd5ehhBEQw
+            I1LY11LTNENypr5q0mhy615kIbsdhpzAVLf4Bkf921zABsfFzuY5zJHqi8SKVm7/
+            1GYBCQIQHPC99/GrpHG703gozt2I0P2XMhlRpzj359qStWaQZ8NBL5Ugo5BLvphf
+            1/WYAlvnH4Uov2TxKdQs65IJSadQgs7lBWB5gqHklZ76E4Q+00oMQxwGjzMdddA/
+            hRlLbnUDE1Q=
+            =ol1Y
+            -----END PGP MESSAGE-----
+          fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
+        - created_at: "2024-01-24T12:19:03Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DLHeEFiC484ASAQdAaXq+nn0DDx+RAkEC+x+yeP5xbCIdXkR9tQCgWx1s0jkw
+            VRgFkiBa6IsS0vmYknobXkizETtNjEhJ8vNw9nP0zPdjuUZBId2/bJZa7aFdIFRU
+            hF4Dub78fMESoMASAQdAMLbBcLnc+5UVDsx50SgCVjQoHO4JGE53DE6Q+frDEiow
+            rVFbLxWlJ/aw9baRdKUMkIUJftnImUQgolXvEfUjdS/oOdY69r4psLlHLQX11Ow1
+            hF4DM6AcvgVUx2MSAQdAUZV3q/IXwUbRv9EokTe+4o83XzeS1h4GK3/3wjnKDHkw
+            xHFJR2clEMDlaq7Rx3FTr2a7MlzSnzBLtIwdw5b9ytuRvHjD5q7zCf5bihYnvdjV
+            1GYBCQIQFt+CYziUXtEHjJFC1t+S3qkyPRAsVgZL8WlxbKzteW0NOdIZofHx6skG
+            Ebn8aadKcGg534DkwEt5DpIosXKUx4LN5xsCNoU9dHFYMSFE2nzJE4KNFJ8tzRQk
+            G+tyNMgCYhM=
+            =2QnY
+            -----END PGP MESSAGE-----
+          fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
+        - created_at: "2024-01-24T12:19:03Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DLHeEFiC484ASAQdA6ojEbZ8HccTtorNbyw9aVKO73AJy6jTGV/qLt+FWoRgw
+            SsOLiL0UmF1OV7zmXE0ihkWivPqLHtp1U89aYucpAA69DIh4+6M7GUk1xDMxFfRo
+            hF4Dub78fMESoMASAQdAV2z2DgUz2xWopnDzXywdpHb9eMe9ZxdABxpOJ0ECeBww
+            wOC1x+IKIbIRZBDL7jbVUOk1G+GzCL4M7/G7XFSTFYMKvMKkc0Rh69pywFuGaqG8
+            hF4DM6AcvgVUx2MSAQdA7bKGjcW81bzf58FlGGVDy/HjNyuEPNSVZXy0M+/WZAcw
+            3iXR9MecA97bKKKhLyNSdYmYlAjZJVIdwd6vjNWjxaB7BIWTYhudTjHesLMxB0vc
+            1GYBCQIQlp1TDaBVxalDkeCEjDMRFatgJ3CwulzzW9B8qywOooS0BNtNbtTKGwEh
+            AxDL+wdeqkPABQ0wQ8hYGOw5z665jEOC2JbqbQ7N6LPQZRx/MowO2dGT/kKh2U9H
+            VOK1Bc67BzU=
+            =3z3V
+            -----END PGP MESSAGE-----
+          fp: 403215E0F99D2582C7055C512C77841620B8F380
+        - created_at: "2024-01-24T12:19:03Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA9pmsZ2EWzFWAQ/9Gl4dO83SmvGHyhEfile6G9ZUmhxwU2RFpPwEmjh4CV/v
+            z1k2zgdF200a6tj96977VhjhIG/LZioEi41M1QdIqgkGsKy89DluCY9RDTqMmqzo
+            w65JhI+PQqdQuKlsbUh2VLql7LijoIUxuBPowWG1lULZtEvRuCchM5rLFiBSC2YO
+            DA0T73kC2P89CNZlOllZNnVRCRrxm7IsEO6Mo1yOeJL16mYqC9qGGKnvYEbsSm4n
+            7ZZJvxXGnNzaXisyyjcJNgtsJAUX4TTlPH+Y2jpkhdHUvOkiwVQEokmnqTIKUp0e
+            7Dc6ZXApFQ1DlMMsjLwy+5AQJQZbY4p4jo9rvmON5i5DLPy4rN5yf8W7zwkuy2gN
+            Id53gxDZxHw0+mRsfYRrdOvmfUqqz79TyWVV8bvHR2Mo3shdL1fsWOzTlm66Y9Vt
+            4coJxgUsJEFdnsnXAFep2V18Ypg36b9wQXtZDXWtTg36UliZZ95sUAG2vHQDS50b
+            5XG07m1w8YgQSeiCObteAt4PqxEs1GYWmtRUmr4jvRQQzmVXCQP6+o0QJ5WK9bKl
+            auwT+H7POBJ3l+h9ykvmOidkAzeN7EWIirzvhDHsxvCklGCyo+Y3W5ZaLaFGfc/3
+            pdj1G/REVT6aQMtSuYUsD7QoZeiNNBNJXAtUuUS6mWxch8RnkW718wxYZLvi03jS
+            VgHaVWepbw/q0COmjyofCt1qZH+WMKSAguiQ6PHWAdP3hnzGgd7Qo84W54Fb3m1R
+            da72FFnILc3IYImbJI6QgJxAeS2K95nIWKdSix07c+m0zzFkemnB
+            =F0pC
+            -----END PGP MESSAGE-----
+          fp: e7370b48016c961ef8ad792fda66b19d845b3156
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

machines/renge/services/prometheus.nix

@@ -72,6 +72,7 @@ in
           "hitagi.vpn.sbruder.de:9100"
           "vueko.vpn.sbruder.de:9100"
           "okarin.vpn.sbruder.de:9100"
+          "okarin2.vpn.sbruder.de:9100"
           "shinobu.vpn.sbruder.de:9100"
           "nazuna.vpn.sbruder.de:9100"
           "yuzuru.vpn.sbruder.de:9100"

modules/ssh.nix

@@ -87,5 +87,13 @@
       hostNames = [ "[yuzuru.sbruder.de]:2222" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
     };
+    okarin2 = {
+      hostNames = [ "okarin2" "okarin2.sbruder.de" "okarin2.vpn.sbruder.de" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvRAiEAV0Oulii0w3xcHCb0/oHqpA0hz3bn//BQnR8T";
+    };
+    okarin2-initrd = {
+      hostNames = [ "[okarin2.sbruder.de]:2222" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOV+azRrT1zICmDe9D7bm3pOaFzaT+cVXCvxgY1bAbP";
+    };
   };
 }

modules/wireguard/home.nix

@@ -36,6 +36,10 @@ let
       address = "10.80.0.10";
       publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
     };
+    okarin2 = {
+      address = "10.80.0.14";
+      publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA=";
+    };
     shinobu = {
       address = "10.80.0.12";
       publicKey = "ErLWueo4ikYH/mKHr3axyoAVZh+Bdh1NQBet42aD0kk=";