From d93d724b9f480e08d74547dfcfc5eefdae61cf42 Mon Sep 17 00:00:00 2001 From: Simon Bruder Date: Thu, 21 Dec 2023 15:06:16 +0100 Subject: [PATCH] okarin: Migrate to different VPS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously, it was hosted on Ionos’s VMware-based infrastructure. I already had a VPS on their new KVM-based infrastructure, as I was planning to migrate okarin to it eventually (as it is cheaper). However, the new infrastructure does not offer PTR records for IPv6 addresses. Therefore, I was waiting until they would implement that feature (as the support promised me they would to in the near future). However, they are now migrating the (at least my) guests from their VMware hypervisors onto the KVM ones, assigning new IPv6 addresses to them. This makes the old VPS essentially the same as the old one, but with less memory and more expensive. So I decided to migrate now. --- .sops.yaml | 2 +- keys/machines/okarin.asc | 48 +++++----- machines/okarin/README.md | 52 ++++++---- machines/okarin/configuration.nix | 2 +- machines/okarin/hardware-configuration.nix | 34 +++---- machines/okarin/secrets.yaml | 106 ++++++++++----------- modules/authoritative-dns.nix | 2 +- modules/ssh.nix | 6 +- modules/wireguard/home.nix | 4 +- 9 files changed, 133 insertions(+), 123 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 8fdefb7..aa4eb59 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -15,7 +15,7 @@ keys: - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3 - &renge 06a917fc4a2a1b6b0f69a830285075cac85b7035 - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b - - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa + - &okarin e7370b48016c961ef8ad792fda66b19d845b3156 - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7 - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4 diff --git a/keys/machines/okarin.asc b/keys/machines/okarin.asc index 92c8d37..fbeebd4 100644 
--- a/keys/machines/okarin.asc
+++ b/keys/machines/okarin.asc
@@ -1,28 +1,28 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -xsFNBAAAAAABEACgnoiAZQChPJOD9Bh4VxtX+/KWZXBrw9HhK1aufLH2Q4bS+mrg -Te5SgFrfsiiYOvo8O2rESmMIWAHRSGxcdcT09+ZZtZxlxW7dmoUXLaPY+Xft0oDT -ekLBs/g3N9qAXYq8XC/YNw0R1FzhComq/enQT2OTcaWES3b2OlFAkn8SVSTTdKgG -jfmPPjDuTTYWPDPPmVRhaRkT/AcByyRcEcYxw4Zn+62iY9ZuV8FG0O0UcR2I/vEw -KwYxHBC4IiqWvCmeJ3mEcf2NBbLwp2hB79dyo9RN8zxbu2mwrCNNO0hbkJGsxom1 -NjKh7KZz0eaIpb/WAesimHCaAXcB9ovGiyyHjECmZkvKlAXMttrPkF5QJZW2Iao7 -jcdcT0CNhC9fUwdBPIVRVjQQPyCWrqZEas+zG0tU8nbMy+uI/rT8ALC0zSgQMVyr -YDIM7tYHbuBjgHja8gvwAa116L+uTXzkCTuH3OQHowtuvDjorXDKNs5akqJpAPHF -a/fhXzjtY6RfLVp0Hj1+fnwrzMs0D1YdlJEjsBxvpieMTGPXH0YA5ondK/OsHsQD -uzUgKzgGpq8Kp7hXhxi8gevHmNgVN1F4CNlTy0qOkFgD8U11Fk9O4svI+OtzslPr -/EXRC/faJeFdT20M0BIqhQVWZFiRRMMsHJgZ04mWG40Wysm8esZ3dwS53QARAQAB +xsFNBAAAAAABEADJ6iuUnKyoNZU26YWhsIHwTIkhxnNCNDHrq42wSqDgBFU8QyzC +Nd8c34QghVGeqCFr/Md5xXMtgCmoNzFCMullb6PwDIYZ+9SP03B2seoqhnRwp1WG +twejt/dP3QgOBP3G4Tr8uxcdHFnLDvkzN66QyV+LcnzrEf0Dw/9y31Nuo5TlG7UT +cUCg36a3l+1tTlc3VnGwjt5jc59teD619h1s5tU5zMlcgjhFMMVKHXH1oc8zK0Q4 +va2YyfW+yWZx9Fm9BWF3VLuBdVlPuHVSCZ/Qf/ykDs8nm7Jvwi/I2TQiAeFN7ln9 +vPAYy4z0SQP/w44kVLCe5Mkw4H53LRocPBgxSflzqnJuuEQGroq0xgbP8+xJ8R0h +5WPqLuy86PhslFsuIfKJgzVsNsz3svBxHO6G5bIsVgIjdfT4QPGxVQSvXG0RpdV0 +HzhUKojENcS2MEB7MJOLu200Ce3tjuaZD+nPUyH9LilNVgEJXMN0+9SfXmzyH1mE +ENW6JWUC+oDgweodltJJ2z3kiaXf0GUNWFEv5P0uxkky3nsed4lDmEs0j0nT3YoS +0hemgdK8X3ZRMuLAxGLCL0SykmsbOdTTzZ/QCak8/0jI8iko9eDrmJ4rNkrQYT4+ +TM0JEpI3wA4ksl5WcB2cpM/G8buw/zNTycgbjcKoYL+E2K+L7JeR9F1DgQARAQAB zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT -AQgAFgUCAAAAAAkQ5fw8qjuBB6oCGw8CGQEAAOyUEAAHW0hbAjCKylnIaezMqNiG -yDwfM+MpNXaqB4sG0UUiIdgSUTk06PN5dlQ0Jfvh1I7P9y8CxqamlqCUXiqqWEOR -Am3Q7oxQKQdSDz//2ijWLdNFcT7bxZvNKQ/T78UYka/qmuLHx2jSuakAX2pAUrOf -K7mbElSu8LD0y8hIDEyxuzB/aL13sHh1LkOUCSEgZ977EEfIEgPidPwEtGJvEbhN -DaP94cLNapv/lWux8+O5dzKi4R7ghXl6IvrP2LPXQSPF7C3mMZ1ZSX1nFxRjALXi -xiFbrJFkwEQQmVro/3wX9BZSmt6VnFRKkXnsCLlf9eT0aTmTirtqHgfet0PHqTNt 
-CxrlLKTZFN3ZFropGZ070ESs4i6WZUBpTdsYh/htyo5bWMcHO8J+K+Ttd1M8btM4 -RtpAc/2UXa4+dVpLOGqdqkmUEJLVLyGnj9wZZgkx3tWGhjnSohCW3YqffQYlXUFn -xuiQQ8jKM6luuunMXLt6D9dzOch70z9bnjOm1Z6q/S3PIzn++awzA6N3VTKNuUBP -Phs6hlcAeqdQ6Q2EiS5iXKqPdK1nd9cPKzHOJf1fwlaRPSKeCtXUgkjAClu+heEn -rst1nggIhCBs+rHc518BVZvISLNVlj5LVwN0mKOk9YPuZItBCGX96WWJZdMHeZk0 -MsxjN+we2woCXG5SJGYOyA== -=UTw1 +AQgAFgUCAAAAAAkQ2maxnYRbMVYCGw8CGQEAAMkCEAClRHcH4fUUpdXroevY9qpR +O6op26pqBZ839HoD9f4kaZXerhURWVGPcV81uUapR5/B8Pk/OK9LskBetDvoc+J1 ++B3vM34cRIzbSs55BVrx/Mk6Vn9utPoyutlaJ/b5VMCmz4f2zU/XwPbXOzouvVrn +uy/bqY7aNz0eoeU7lKXrXc9as+VoJgc3Ty9Tt1vPi8lfTeQfmxUDtoer47dhn89C +3fL9R5/4utKt5nRtweOh6+z9T36jNodeHy3VhpuMnUBKsWSQn6Op2sLoeb6FJbh0 +t5Tz1AZhqjT4HY8bGWK8v2i916BmGseFjge7CECYg9M5MydznHl9z87sBUiruGs4 +fQTZi8IQySaQ8jCqCx+PB1PYUAsZj4j3o74mx2/erAw8gxBlrme44CuikVdbEKMV +qYzW/jVJ6EPobtmq+XN8UzU/arf5/BelcU73sQK9fbvCqi47ZMyjC/3UqZ0O12xt +uUjf2IcDl8TyWZ3nSSUV7npXrrT05kC6WMK46TwO9wv8F3v3/35UmonAJt8qp/lw +2PNR5W8Sqxr2s+yhkOsh2xwuqBQkdxhqRKeqTv4+kdGAk6ZUmuHmGa1Qni6VsaKT +TuNRRTEBfQ0QiqF8+lleT2dP4cKI2vAbI0zvyjX6KvNGRb1VlJw3D6Pa0nXW/YQU +NxR1Jvm5bnGfUcnNlzoB4Q== +=6o0h -----END PGP PUBLIC KEY BLOCK----- diff --git a/machines/okarin/README.md b/machines/okarin/README.md index b9eea31..decac96 100644 --- a/machines/okarin/README.md +++ b/machines/okarin/README.md @@ -1,5 +1,5 @@ @@ -8,7 +8,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0 ## Hardware -[Ionos Cloud VPS](https://cloud.ionos.de/server/vps) S (1 Xeon Gold Gold 5120 vCPU, “512 MB” = 443 MiB RAM, 10 GB SSD). +[Ionos VPS Linux XS](https://www.ionos.de/server/vps) S (1 Xeon Skylake vCPU, 1 GiB RAM, 10 GB SSD). ## Purpose 
@@ -22,32 +22,50 @@ Okabe Rintaro is a mad scientist from *Steins;Gate* Much like the namesake, this server requires a “mad scientist” approach to set up. +However, it is much easier than setting up its predecessor, +which had just above 400 MiB usable memory. Ionos does not offer any NixOS installation media. -I could only choose between a Debian installation media, Knoppix and GParted. -Also, installing with a very low amount of memory is quite hard. +I could only choose between various installation media and rescue systems. +Also, installing NixOS with a low amount of memory is problematic. I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size. On there, I installed NixOS. -Because encryption with `argon2id` as PBKDF is quite memory intensive, I had to tune the parameters some. -What I settled on was -`cryptsetup luksFormat --pbkdf argon2id --iter-time 10000 --pbkdf-memory 250000 /dev/sda3`. +Because encryption with `argon2id` as PBKDF is quite memory intensive, +I had to tune the parameters to ensure decryption was still possible on the target. +This can be done quite easily by interactively running the following command on the build VM: -To make btrfs use its SSD optimizations, -I had to force the kernel to see the device as non-rotational: -`echo 0 > /sys/block/dm-0/queue/rotational` + cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3 -Another problem was the usage of VMware by Ionos. -The VM I set this up with was obviously using KVM/QEMU, -so it needed different kernel modules at boot. -What worked was setting it up in the local VM with both libvirt and vmware modules, -and then removing the libvirt modules once it was installed on the target. +The memory size was obtained by a successful run of `cryptsetup benchmark` inside the initrd on the target. 
+ +However, since those parameters are not ideal, +the following should later be run on the target host itself: + + cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3 + +This will determine the memory usage automatically, +use one thread +and set the parameters so that decryption takes 10 seconds (10000 ms). +The memory usage will not be as high as it could, +but it will be better. Getting the disk image onto the server was done by first `rsync`ing the image to another server (to allow for incremental iterations), which then provided it via HTTP. -Using the Knoppix live image (booted with `knoppix 2` to avoid starting the gui), -it was possible to just `curl http://server/okarin.img > /dev/sda`. +Using the Debian installation media in rescue mode +(as for some reason most other options tried to cache the file in memory and became very slow) +it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`. Because of all the pitfalls of this, you probably need more than one try. +To make debugging easier on the target, the following option can be set: +```nix +{ pkgs, ... }: + +{ + boot.initrd.preLVMCommands = '' + ${pkgs.bashInteractive}/bin/bash + ''; +} +``` diff --git a/machines/okarin/configuration.nix b/machines/okarin/configuration.nix index 3624de1..c2075df 100644 --- a/machines/okarin/configuration.nix +++ b/machines/okarin/configuration.nix @@ -21,7 +21,7 @@ networking.hostName = "okarin"; - system.stateVersion = "22.11"; + system.stateVersion = "23.11"; networking.firewall.allowedTCPPorts = [ 80 diff --git a/machines/okarin/hardware-configuration.nix b/machines/okarin/hardware-configuration.nix index 1715572..6179035 100644 --- a/machines/okarin/hardware-configuration.nix +++ b/machines/okarin/hardware-configuration.nix @@ -5,6 +5,10 @@ { lib, modulesPath, ... }: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + sbruder.machine.isVm = true; boot = { 
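Review bot: The `qemu-guest.nix` import added here is what makes the new host bootable, and nothing in the file says so. The following hunk sets `loader.grub.device = "/dev/vda"`, but its `availableKernelModules` list has no virtio block driver, so the initrd presumably gets `virtio_blk` only through this profile. A comment on the import, e.g. `# supplies the virtio block/SCSI modules the initrd needs to find /dev/vda`, would keep a later cleanup from removing it and leaving the machine unable to reach the LUKS device at boot. The `boot = {` block opened at the end of this hunk continues in the next one.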
@@ -12,41 +16,34 @@ extraModulePackages = [ ]; kernelParams = [ "ip=dhcp" ]; initrd = { - availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "vmxnet3" "vmw_pvscsi" "vmw_vmci" ]; - kernelModules = [ "dm-snapshot" "vmw_balloon" ]; + availableKernelModules = [ "aesni_intel" "ahci" "sd_mod" "sr_mod" "virtio_net" "virtio_pci" "xhci_pci" ]; + kernelModules = [ ]; network = { enable = true; # remote unlocking # for some reason, the DHCP server does not transmit the static route to the gateway in a form udhcpc understands # this works around this, but is arguably quite hacky postCommands = '' - ip route add 10.255.255.1 dev eth0 - ip route add default via 10.255.255.1 dev eth0 + ip route add 85.215.165.1 dev eth0 + ip route add default via 85.215.165.1 dev eth0 ''; }; - luks.devices."root".device = "/dev/disk/by-uuid/67f2990c-636a-4d80-9f6d-7096fec9e267"; + luks.devices."root".device = "/dev/disk/by-uuid/1dcb9ee1-5594-4174-98a7-a362da09f131"; }; - loader.grub.device = "/dev/sda"; + loader.grub.device = "/dev/vda"; }; fileSystems = { "/" = { - device = "/dev/disk/by-uuid/8e3082d1-4af3-4d5d-9fde-d30dc7552d41"; + device = "/dev/disk/by-uuid/3ab8f4a7-952c-4b6c-93c6-7b307d5bb88b"; fsType = "btrfs"; - options = [ "compress=zstd" "discard" "noatime" ]; + options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational }; "/boot" = { - device = "/dev/disk/by-uuid/883c77e8-53bf-4330-bd9e-89ef71ad9518"; + device = "/dev/disk/by-uuid/97aec56b-5fea-4445-83dc-4a20dcf482ce"; fsType = "ext2"; }; }; - swapDevices = [ - { - device = "/dev/disk/by-partuuid/d9cf5716-25c8-4f72-80e3-696e0dfe1079"; - randomEncryption.enable = true; - } - ]; - zramSwap = { enable = true; memoryPercent = 150; @@ -63,11 +60,6 @@ name = "eth0"; DHCP = "yes"; domains = [ "sbruder.de" ]; - address = [ "2001:8d8:1800:8627::1/64" ]; - gateway = [ "fe80::1" ]; - networkConfig = { - IPv6AcceptRA = "no"; - }; }; }; }; 
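Review bot: The `/` options line keeps `"discard"`, while `luks.devices."root"` in this hunk sets only `device`. Unless `allowDiscards` is set in a module outside this diff, dm-crypt drops the TRIM requests and the option does nothing on the new host. This is a trade-off worth deciding explicitly, because passing discards through LUKS reveals which blocks are free to anyone who can read the backing disk, which here means the hosting provider. Either add `luks.devices."root".allowDiscards = true;` with a comment recording that choice, or drop `"discard"` from the mount options. This assumes the btrfs root sits on the LUKS mapping, which the README's `/dev/vda3` setup suggests but this hunk does not show; the enclosing `boot` block starts in the previous hunk.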
diff --git a/machines/okarin/secrets.yaml b/machines/okarin/secrets.yaml
index dcd40c2..60f8a19 100644
--- a/machines/okarin/secrets.yaml
+++ b/machines/okarin/secrets.yaml
@@ -1,80 +1,80 @@ -wg-home-private-key: ENC[AES256_GCM,data:4L8aIvgFi+mBjnyVy5IkPaeJRadJ5NCKZprSkBPwMNiVaIscjAdp2yinBSk=,iv:6pBo+6M4EkEjz184XvisWXEoomqJXa4M8Qa4nJHI65U=,tag:3DEsmA2xxAlx/PSbD3HOIA==,type:str] +wg-home-private-key: ENC[AES256_GCM,data:RkdgneGhH7prr/tkvHJeChQku2eXve9pV/SvtwsOjeinYO9veHw0rimdonY=,iv:vK6zNpu8F+TSLDTaif686Awjhs8WS2XJHzMtlvqlsIM=,tag:aKhV+kspVu+0CgPmYersxw==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-05-06T08:49:32Z" - mac: ENC[AES256_GCM,data:B7e3sh96p2DlqM2SgHWoJ7RZ2q5tnZ6lohNc7UKmwG1HTkrPKW/6jobW2InQnbZn1bPmCERoJIF9QyUz+OxotTiKIXxSL7BJkkfpIkWy9IgjIeADjevHkplm2rXONiXaM2sD46bPKbuRzuhbCZtNwUH74gTVfKPVLVrzpnPRC74=,iv:TTXlBGhO7xLCC3Ad+xiQKmy4b0n0vuQRaCdoe7vpzSE=,tag:dZCharRGK//w48ePu7d2eQ==,type:str] + lastmodified: "2023-12-25T22:06:33Z" + mac: ENC[AES256_GCM,data:VbjyqrqDLCBDD9vGOHxSzsr9a5ZFFBJUkBRxJYBLereMDvInPFZnTwplHHkS5TdDFFAsjrcCgpCuPsUIbDdxFUNNtjdIe5JJwFMwT8XEFrgcswMGSKD6mIH2VBWop5pqoAV0eQ3YfKtDyhNHwixR8a+Z+hbGAY01Z19yteo51ZM=,iv:69EeBag+iUEoa18I0w1HeJKRwSQVCMRqUdV2CzUzMnY=,tag:WViKXJExL33jQAIWHUS8xw==,type:str] pgp: - - created_at: "2024-01-22T00:20:17Z" + - created_at: "2024-01-24T12:19:03Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DLHeEFiC484ASAQdALOHWjRYEy+oURe+ERyiQYDjFPDniV0awCBMahhaLzCMw - faMYpJTpirKixpFnPQ1W0aIiQ2/grcEJ4qYyXYG7GrqLcFMQfZOV8humZOLnZNB6 - hF4Dub78fMESoMASAQdAhpmpD8cyJSauuTHM/RTjLybR1VUGcIY7kLqrB33QLG8w - aLu7q0wjY0Rs+7PtJiSKd6O4VOBRrsBmLc7QuBZ4cgBwUfE38g8LuXayuOLZQNb1 - hF4DM6AcvgVUx2MSAQdARr9S5DSGRJOcv2IgYMzko8fkMHlIR9uIJdJLMdcJER4w - RjcC/s5+P0b7wy9bIaAv3vk3FX4hw56QzhqAXcA1zU1kyjEHPnv3qsiiQbcKDjb0 - 1GYBCQIQG5VczwWUidoTYkHgZveZhkVyYIiZc/YQrY6n71OrVnUKaH5kZn1XrMKE - zRzcc4XCiu8CaSkQp68eqKeHwI8U5N/LAtjHbACxAq6GHatf/+LvJx4CbUrPZxw2 - PWZwSFBCZEg= - =r7sK + hF4DLHeEFiC484ASAQdA4PdmtZTlpcdfuYKSuKN6X4EGjh/l2D8Jxt7dg1y/Z0kw + ScG/nWs9hVMFTBeqSM0eHgFfcZhBB/L85eNf9thktTUbcWq0GEUcz5mwUqILtkfA + hF4Dub78fMESoMASAQdAMcVZokes0YKtbUZp7b9zq303WXPga5yn8LbhnaRrHycw + 
+ECn4t8y8SXFICpAZ5n+xj5U8MdmdKOzhNQLleFKIHtWdyeUlwFi0qYYP8MRCLTB + hF4DM6AcvgVUx2MSAQdAIzXqgZ8WiIxIV05BumWLsyZUChwvDQc47NMd5ehhBEQw + I1LY11LTNENypr5q0mhy615kIbsdhpzAVLf4Bkf921zABsfFzuY5zJHqi8SKVm7/ + 1GYBCQIQHPC99/GrpHG703gozt2I0P2XMhlRpzj359qStWaQZ8NBL5Ugo5BLvphf + 1/WYAlvnH4Uov2TxKdQs65IJSadQgs7lBWB5gqHklZ76E4Q+00oMQxwGjzMdddA/ + hRlLbnUDE1Q= + =ol1Y -----END PGP MESSAGE----- fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763 - - created_at: "2024-01-22T00:20:17Z" + - created_at: "2024-01-24T12:19:03Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DLHeEFiC484ASAQdAGdRYvRfki1zKA2YHnPprf1ld5kJkai4fzxuuH1D3DRQw - zt5XhSFMx5ii7C3LIVjGgKnn6A6KTe1Tj314OYtrLeCGV8Eli+eOiSgi4c0nL709 - hF4Dub78fMESoMASAQdAb38j/KxQlLRJLrtE5mS1XVCmaEIvyJU1uVcSVU3Bdhgw - f3iepOZgggHOCiHOCs+UWRmiudwoYqMzXF8G9pb6ESsy01cc1y6mXPh6sftKc6Iz - hF4DM6AcvgVUx2MSAQdAhq0ynXfS/eYrDAYdxj/qyEg8c2lHFYSaUVtr6v3B/Rcw - Su08ppwK9wSbVaEL6p4NPJ0q9mt/36OsvZNaEWL2i7kkrD6q+2yvaGwh/fPcokWI - 1GYBCQIQRzg0YDKpmBGZY0sC37nIkUC4blEpFTgl+lma0ZQ9PUfbRP3ijRrxyPv/ - aNkUpVAVxjh3VnV/NEm2s03x62iO4uiGoU0BUeI8Jjy4Tvuuodvmfpd4wZw7Mq+V - B8h2L/JR7Yo= - =/wMt + hF4DLHeEFiC484ASAQdAaXq+nn0DDx+RAkEC+x+yeP5xbCIdXkR9tQCgWx1s0jkw + VRgFkiBa6IsS0vmYknobXkizETtNjEhJ8vNw9nP0zPdjuUZBId2/bJZa7aFdIFRU + hF4Dub78fMESoMASAQdAMLbBcLnc+5UVDsx50SgCVjQoHO4JGE53DE6Q+frDEiow + rVFbLxWlJ/aw9baRdKUMkIUJftnImUQgolXvEfUjdS/oOdY69r4psLlHLQX11Ow1 + hF4DM6AcvgVUx2MSAQdAUZV3q/IXwUbRv9EokTe+4o83XzeS1h4GK3/3wjnKDHkw + xHFJR2clEMDlaq7Rx3FTr2a7MlzSnzBLtIwdw5b9ytuRvHjD5q7zCf5bihYnvdjV + 1GYBCQIQFt+CYziUXtEHjJFC1t+S3qkyPRAsVgZL8WlxbKzteW0NOdIZofHx6skG + Ebn8aadKcGg534DkwEt5DpIosXKUx4LN5xsCNoU9dHFYMSFE2nzJE4KNFJ8tzRQk + G+tyNMgCYhM= + =2QnY -----END PGP MESSAGE----- fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0 - - created_at: "2024-01-22T00:20:17Z" + - created_at: "2024-01-24T12:19:03Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DLHeEFiC484ASAQdAoM3SQYYUQq6OGImJaecw42BZOwOec75IWS00ZorR31ww - uaRdi54liGiKpjaebhPcLkX+0TKcW0h11kw6X1wrru1JWi3YLbjohv0qCtfa4wpc - 
hF4Dub78fMESoMASAQdASH4+jxa7Qr9AkJpHHPmMx9cj3XyPXLpfzXJ7Yb40pHMw - zBiVmQApa4K+ZOVw/vpcSNaN6FufFoDb5IguwHIq+9vILvjvku6YFgAJ4gC76LOP - hF4DM6AcvgVUx2MSAQdAZGNp/j1sF0rmHhImhnuhgpn9NgRuFtL+BH5dorvrPwIw - mK5LsWHvyBFyC+SDNe4mrRkdia/xPECmcWrbvptGVjqlZnjmUbtrYhG+j5O6/817 - 1GYBCQIQ/du7No+ULrBrjWc3q826ju8AqekySHtteKZclRmcHSNP4UEXcmTEMRNL - 8lMJYK0G3uA9FXO9+2E39k/nIatBGuoaukW7zCouB3bLARZE00Oqh6qHCWVyFJ/S - Gzwk8dC0wdc= - =BWUr + hF4DLHeEFiC484ASAQdA6ojEbZ8HccTtorNbyw9aVKO73AJy6jTGV/qLt+FWoRgw + SsOLiL0UmF1OV7zmXE0ihkWivPqLHtp1U89aYucpAA69DIh4+6M7GUk1xDMxFfRo + hF4Dub78fMESoMASAQdAV2z2DgUz2xWopnDzXywdpHb9eMe9ZxdABxpOJ0ECeBww + wOC1x+IKIbIRZBDL7jbVUOk1G+GzCL4M7/G7XFSTFYMKvMKkc0Rh69pywFuGaqG8 + hF4DM6AcvgVUx2MSAQdA7bKGjcW81bzf58FlGGVDy/HjNyuEPNSVZXy0M+/WZAcw + 3iXR9MecA97bKKKhLyNSdYmYlAjZJVIdwd6vjNWjxaB7BIWTYhudTjHesLMxB0vc + 1GYBCQIQlp1TDaBVxalDkeCEjDMRFatgJ3CwulzzW9B8qywOooS0BNtNbtTKGwEh + AxDL+wdeqkPABQ0wQ8hYGOw5z665jEOC2JbqbQ7N6LPQZRx/MowO2dGT/kKh2U9H + VOK1Bc67BzU= + =3z3V -----END PGP MESSAGE----- fp: 403215E0F99D2582C7055C512C77841620B8F380 - - created_at: "2024-01-22T00:20:17Z" + - created_at: "2024-01-24T12:19:03Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA+X8PKo7gQeqARAAhtUvR20r2NV8SNWVuVSopTfCGwaJV99+PEp/l0UjHX6B - lpHgQNHegP6YEsAj5HNFEcV3vM+nbC0hbTtcERBZoxTkyDPOaRAyJpNfGniZVxxp - jxSr/unCN6aJCbdqJZZZlitq84brMQWUE373Rb9B4cNdTYONabZbzZmwTDyzkVR0 - ctjmkdBG0upqNn7vukSIg7DM7D9pFolS9142reF7e5jTlxBFWR1Jt+O9A1zypfvq - tK2z9C1pM9LDRmUrKJ/HOKwu6P6USeTKFrp7Gfjr1UkmbgNunxgsdI6gwKY38SpJ - T+tELs68oC5pGFpZufnYkrGL313HC7Vp/+2+m+W5qXbyNqhDS6uVQHjqz/ROqByb - YwJw+x7810nL8+SleXst8oZpxDNDm+TnvWQAH6WiRBSpgVwy945SMvGG+1FLYps2 - qOsRMjr+titLZAaUpmIh/oDHG/XOpKPQflcc4/V7t2HK6vLX+xvPIQU8Y5TJkr1T - nIIh7sMZBUldnUGUfFE3ksP5Gje5OHqK8xoFwYHFGK4QQzXFjPFN2QNvni2z9Y4R - LLMvyEavqgIa6AeseqMnLuB2hz6wy/JNU/EPUalNca6RleoVA0DjKgjgDTlhQ5Al - a6sRTy+KmXFfzdO97MJJEkNgA1Hbi1/IpREeA50lYtrDqUvhxw+l1V8N7jw+ZWTS - VgHYyLUxdmOUsqEgQPVA7jiqWePwFEuEDEDVE+d6CcuvFuHFNV1jJEjit3R0wJOd - 
QpqnfxW4QTD+JFNJgrD7bj4y1Gu9Z6Lg1IBnHnOwDIoCJoAHp0y6 - =sy/X + hQIMA9pmsZ2EWzFWAQ/9Gl4dO83SmvGHyhEfile6G9ZUmhxwU2RFpPwEmjh4CV/v + z1k2zgdF200a6tj96977VhjhIG/LZioEi41M1QdIqgkGsKy89DluCY9RDTqMmqzo + w65JhI+PQqdQuKlsbUh2VLql7LijoIUxuBPowWG1lULZtEvRuCchM5rLFiBSC2YO + DA0T73kC2P89CNZlOllZNnVRCRrxm7IsEO6Mo1yOeJL16mYqC9qGGKnvYEbsSm4n + 7ZZJvxXGnNzaXisyyjcJNgtsJAUX4TTlPH+Y2jpkhdHUvOkiwVQEokmnqTIKUp0e + 7Dc6ZXApFQ1DlMMsjLwy+5AQJQZbY4p4jo9rvmON5i5DLPy4rN5yf8W7zwkuy2gN + Id53gxDZxHw0+mRsfYRrdOvmfUqqz79TyWVV8bvHR2Mo3shdL1fsWOzTlm66Y9Vt + 4coJxgUsJEFdnsnXAFep2V18Ypg36b9wQXtZDXWtTg36UliZZ95sUAG2vHQDS50b + 5XG07m1w8YgQSeiCObteAt4PqxEs1GYWmtRUmr4jvRQQzmVXCQP6+o0QJ5WK9bKl + auwT+H7POBJ3l+h9ykvmOidkAzeN7EWIirzvhDHsxvCklGCyo+Y3W5ZaLaFGfc/3 + pdj1G/REVT6aQMtSuYUsD7QoZeiNNBNJXAtUuUS6mWxch8RnkW718wxYZLvi03jS + VgHaVWepbw/q0COmjyofCt1qZH+WMKSAguiQ6PHWAdP3hnzGgd7Qo84W54Fb3m1R + da72FFnILc3IYImbJI6QgJxAeS2K95nIWKdSix07c+m0zzFkemnB + =F0pC -----END PGP MESSAGE----- - fp: 868497ac4266a4d137e0718ae5fc3caa3b8107aa + fp: e7370b48016c961ef8ad792fda66b19d845b3156 unencrypted_suffix: _unencrypted - version: 3.7.3 + version: 3.8.1 diff --git a/modules/authoritative-dns.nix b/modules/authoritative-dns.nix index ff756e3..238488c 100644 --- a/modules/authoritative-dns.nix +++ b/modules/authoritative-dns.nix @@ -15,7 +15,7 @@ let addresses = { vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ]; renge = [ "152.53.13.113" "2a03:4000:6b:d2::1" ]; - okarin = [ "82.165.242.252" "2001:8d8:1800:8627::1" ]; + okarin = [ "85.215.165.213" "2a01:239:24b:1c00::1" ]; yuzuru = [ "85.215.73.203" "2a02:247a:272:1600::1" ]; }; in diff --git a/modules/ssh.nix b/modules/ssh.nix index e643930..c1de1d4 100644 --- a/modules/ssh.nix +++ b/modules/ssh.nix 
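Review bot: The new AAAA `2a01:239:24b:1c00::1` for `okarin` is published here, but nothing in this commit configures that address on the host. The hardware-configuration.nix change removes the static `address`, `gateway` and `IPv6AcceptRA = "no"` from the `eth0` network and leaves only `DHCP = "yes"`. The record is therefore correct only if the provider's DHCPv6 or router advertisements hand out exactly `::1`, which cannot be confirmed from the diff. Since the commit message singles out IPv6 PTR records, a mismatch would probably surface as failed reverse-DNS checks rather than an obvious outage. Either pin it with `address = [ "2a01:239:24b:1c00::1/64" ];` in the network unit, or add a comment next to this entry stating that the address is assigned by the provider.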
@@ -60,12 +60,12 @@ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUEVBJcEibRdQzp0bDXpPqLGQ8vtQTKTcpGZU07W4eo"; }; okarin = { - hostNames = [ "okarin" "okarin.sbruder.xyz" "okarin.vpn.sbruder.de" ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaev8K5KhRovW75IdZ0HYlzvxxo0haeCM0xCVEOuDSa"; + hostNames = [ "okarin" "okarin.sbruder.de" "okarin.vpn.sbruder.de" ]; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJvRAiEAV0Oulii0w3xcHCb0/oHqpA0hz3bn//BQnR8T"; }; okarin-initrd = { hostNames = [ "[okarin.sbruder.de]:2222" ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJbp0kZJEXf1gSVcBsef1Bihd5iCzhzSbjgyrC1SXXT"; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOV+azRrT1zICmDe9D7bm3pOaFzaT+cVXCvxgY1bAbP"; }; shinobu = { hostNames = [ "shinobu" "shinobu.lan.shinonome-lab.de" "shinobu.vpn.sbruder.de" ]; diff --git a/modules/wireguard/home.nix b/modules/wireguard/home.nix index bb81b53..8da9798 100644 --- a/modules/wireguard/home.nix +++ b/modules/wireguard/home.nix @@ -33,8 +33,8 @@ let publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8="; }; okarin = { - address = "10.80.0.10"; - publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk="; + address = "10.80.0.14"; + publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA="; }; shinobu = { address = "10.80.0.12";
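Review bot: `okarin.sbruder.xyz` disappears from the `okarin` `hostNames` in the same hunk that rotates the host key, and the commit message does not mention retiring that name. If it still resolves to the machine, connections made through it no longer match any pinned entry and fall back to a trust-on-first-use prompt, at a moment when users expect a key change and are likely to accept one. Either keep it, `hostNames = [ "okarin" "okarin.sbruder.de" "okarin.sbruder.xyz" "okarin.vpn.sbruder.de" ];`, or state in the commit that the name is gone. Keeping `okarin-initrd` on its own key is right, since that key presumably lives in the initrd on the unencrypted `/boot`; a comment saying so would stop anyone from reusing the system key there. The enclosing attribute set starts and ends outside the hunk.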