koyomi: Init

2024-05-11 21:14:17 +02:00 · 2024-05-11 21:14:17 +02:00 · ef488cdfd9
parent 828d76e96e
commit ef488cdfd9
11 changed files with 390 additions and 0 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -19,6 +19,7 @@ keys:
  - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
  - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
  - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
+  - &koyomi a53d4ca8d2cf54613822c81d660e69babee42643
 creation_rules:
  - path_regex: machines/nunotaba/secrets\.yaml$
    key_groups:
@ -97,6 +98,13 @@ creation_rules:
      - *simon-alpha
      - *simon-beta
      - *yuzuru
+  - path_regex: machines/koyomi/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *simon
+      - *simon-alpha
+      - *simon-beta
+      - *koyomi
  - path_regex: secrets\.yaml$
    key_groups:
    - pgp:
@ -109,3 +117,4 @@ creation_rules:
      - *fuuko
      - *mayushii
      - *renge
+      - *koyomi
--- a/keys/machines/koyomi.asc
+++ b/keys/machines/koyomi.asc
@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBAAAAAABEACxLvouloEvO6hjBfydEMJIEVzJLBqZJBmBvHmJKRbhWSldCWLi
+bdL7L3Ld1K4uQKSEPNRk6LcVVCAPaXuhyeza57U8PNMBJrDESZ+SdAjuNw5/mDTa
+VF4jgPzrPmQ1ufRiaOgxOj7OAwOqFEZBMeHXPrauY83dHgKJBcRuw5567YTJ0zoJ
+bi3mtetgAeVwgPgQBgihDQhvxgxiOQ0kLbRRDFm8sVsp8o/zJbVy3zop4sJppOSg
+JYzjFyt40wqPQ0TospxvwiYiJhg339hduZZ+J7+4XcdKnTVUNM8Ws7notVFRkWYG
+8jWTUuld815WZUA/2rkjx7GsZ9sLChaXVmXRfUGO3G01zaEZ84PA/XrpemWVMs+I
+y/1UznrSFy3bPh9/Jdpr4D5/gxsJaNs8ioSjb/3fXfZ4+kZySmQiWpagwsLXmPU3
+eno5YjvuU8qCh37zWF7uhsUsIDXw1FWqgy7HoU7HLYHDpRoerEABQpIf3378eZJ1
+VK/Em2NLyapgBGx+hv+qrUGKAv+/bdTt5XQtQypHI5ihI2H/Rr/ZfTzIWcJIomR
+KwCsjZDuiRWsQWa/WEqthPX/ckNKJuB25tkCFM4owMtgJEMSymRZ6Fd/zdI+WBS2
+1QSECOHFyr8ha0OfpZF6qy8YYqV82EHeTQdqvAY18po8/Y5WGvm4Q0QCQwARAQAB
+zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
+AQgAFgUCAAAAAAkQZg5pur7kJkMCGw8CGQEAANR9EABfKws/H9UX31pJbdWzSotN
+/1OkQxCNQvTmzxByP+JDBZQoplKbhjwVi/seshwxCMGuvBklmFSdpzGXip68QR4Q
+CYQsFg02URFKA8vggnIbpkNMB3/ckM6m6wQlMshTl1DPpZcZflppi/O68hIqtrSN
+/xXx5hIBFqe4NY6+ouHRy+4KPnWqndcHSRC2TaYYiiAo9dBj7VyQsL0zYYyTAl0U
+J6rolDz5VqWzkHklH/UMJ3u8ZwV2VHuyU5Drod8/1bDYtjGXxeUhcd25X4q0Gcqh
+gts0zoV/kYgnX3rGzqT4q6MGHWzlHtblMxtPpV8m/fd2KDvIKDdJPnYsbKDNlX7j
+QwVS8rE2T/FfU2KGoadNmSJACmCdShpCCd7CSHludcXLMDVuFijh4iCHkc3KvJJP
+MrWqBTWzYB73O5WGAWDxL7trw80a5Qi2+5PRCQY0smOR4jC3d36PGjtD8ykCHlqt
+HVZ2CtNl+6loGJ9TTgMwzNOY2PQPP2bhzdB16ht5CDsadFXrFD8mRVcwnQ6F0UU0
+DROW+C7FdYkZiEM9r6QMkRX4Xkc4YTV7EL0kEwJkWvxTbL2X/r1lSOKE27iMk2D/
+kkNzVXEH89ryyJc4Pgro5aTjzkAfTOUc+LV34b2CE0NGLjZvOvTic5SSdsAZ+PVL
+CxhNpGhTpzl96WA2WsNP9Q==
+=slmv
+-----END PGP PUBLIC KEY BLOCK-----
--- a/machines/default.nix
+++ b/machines/default.nix
@ -76,4 +76,13 @@ in

    targetHost = "yuzuru.sbruder.de";
  };
+  koyomi = {
+    system = "x86_64-linux";
+    extraModules = [
+      hardware.common-cpu-intel
+      hardware.common-pc-ssd
+    ];
+
+    targetHost = "koyomi.sbruder.de";
+  };
 }
--- a/machines/koyomi/README.md
+++ b/machines/koyomi/README.md
@ -0,0 +1,37 @@
+<!--
+SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+
+SPDX-License-Identifier: CC-BY-SA-4.0
+-->
+
+# koyomi
+
+## Hardware
+
+System from [Hetzner Online Serverbörse](https://www.hetzner.com/sb).
+
+- Motherboard: FUJITSU D3401-H1
+- CPU: Intel Core i7-6700
+- RAM: 4×16 GB Samsung [M378A2K43CB1-CRC](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43cb1-crc/)/[M378A2K43BB1-CPB](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43bb1-cpb/) (DDR4 2400/2133 MHz)
+- SSD: 2×512 GB M.2 NVMe SAMSUNG MZVLB512HAJQ-00000
+
+## Setup
+
+As it is a physical server (not a VM) in a remote location,
+extra care must be taken when installing.
+Fortunately, Hetzner provides an automated way to reset the server (by sending Ctrl+Alt+Del or force resetting)
+and a rescue system that can be activated before a reboot.
+Additionally, there is also a *vKVM* rescue system,
+that boots a hypervisor from the network and runs a VM which boots from the physical disks.
+
+The rescue system can be used to start a kexec installer generated by [nixos-generators](https://github.com/nix-community/nixos-generators).
+Ideally, everything goes well and the next reboot works,
+but in the case it does not, the vKVM rescue system can be used for debugging.
+
+## Purpose
+
+Hypervisor. Exact scope is to be determined.
+
+## Name
+
+Araragi Koyomi is a student from the *Monogatari Series*.
--- a/machines/koyomi/configuration.nix
+++ b/machines/koyomi/configuration.nix
@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules
+
+    ./services/hypervisor.nix
+  ];
+
+  sbruder = {
+    wireguard.home.enable = true;
+    podman.enable = true;
+  };
+
+  networking.hostName = "koyomi";
+
+  system.stateVersion = "23.11";
+}
--- a/machines/koyomi/hardware-configuration.nix
+++ b/machines/koyomi/hardware-configuration.nix
@ -0,0 +1,72 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ modulesPath, pkgs, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    swraid.enable = true;
+    kernelModules = [ "kvm-intel" ];
+    kernelParams = [ "ip=dhcp" ];
+    loader = {
+      grub = {
+        devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
+      };
+    };
+    initrd = {
+      availableKernelModules = [ "aesni_intel" "ahci" "e1000e" "nvme" ];
+      kernelModules = [ "dm-snapshot" ];
+      network.enable = true; # remote unlocking
+      luks.devices = {
+        koyomi-pv = {
+          name = "koyomi-pv";
+          device = "/dev/disk/by-uuid/9145417d-e8f5-4aa9-a526-419e507c47fd";
+          preLVM = true;
+          allowDiscards = true;
+        };
+      };
+
+      # FIXME XXX HACK
+      # This is required to have the md device available under /dev/disk/by-uuid.
+      # Both commands are run as part of the regular stage-1 init script,
+      # but for some reason, they need to be run twice.
+      preLVMCommands = ''
+        udevadm trigger
+        udevadm settle
+      '';
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/3b31163f-4fec-4e1c-b311-7c8aaca76cd4";
+      fsType = "btrfs";
+      options = [ "discard=async" "noatime" "compress=zstd" ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/12CE-A600";
+      fsType = "vfat";
+    };
+  };
+
+  networking.useDHCP = false;
+  networking.usePredictableInterfaceNames = false;
+  systemd.network = {
+    enable = true;
+    networks = {
+      eth0 = {
+        name = "eth0";
+        DHCP = "yes";
+        domains = [ "sbruder.de" ];
+        address = [ "2a01:4f8:151:712d::1/64" ];
+        gateway = [ "fe80::1" ];
+      };
+    };
+  };
+}
--- a/machines/koyomi/secrets.yaml
+++ b/machines/koyomi/secrets.yaml
@ -0,0 +1,72 @@
+wg-home-private-key: ENC[AES256_GCM,data:fFoXn5sLL06hNeXhQGKbheQV4ZNlYxJKWlHpPfyF6PyYbBcz4An9DPYnQKk=,iv:pY2dVEspIijtZkatUrSdg90D0ldxAoy5rUj1lw1cOF8=,tag:jz4q+Yum05S9c5OlciBZ1g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-05-11T21:49:03Z"
+    mac: ENC[AES256_GCM,data:yS/v+NWiLlFLTwnbhaYVg98H/ThqW5r+3eC1YsvJRRrF/yZBk6nUtK8CT4tvR9PUeks4a2H15/5aY2oDxnABhXhkbasZjnl3+YGF8SOIwo+YuWJ5A3rHJZQMJGRGg8dwh4xkJMDJKb2Or1uH3ZiSclVMQDiM3RGVifLhtv+gJEc=,iv:ygTcKqU5pzkOoGUx9xw9BzWJx15t28w3tJVH4eAdxS4=,tag:F5/8SSt/eON9zwWGGUyUEQ==,type:str]
+    pgp:
+        - created_at: "2024-05-11T21:48:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DLHeEFiC484ASAQdATNhq0wu5gLVG+7PHCtdQRxgC6GqQrvrttZnN3AvnZ0ww
+            qBdXl+6qkWHyjvclklzcNfpcMD7cmRwRDSDSQASmSTAyulBbgjDuou9Tjl/Rxorl
+            hF4Dub78fMESoMASAQdAIhgR5ZyuaP12Mav7NNapUcWrScnmjNPh46oX2W3jDDsw
+            in+hRRYC6apDKMcC3IFEzo6vy7OfhEeMR2IthtU0Y+bgdfjpwEOZ4J5CLg2ERZO+
+            hF4DM6AcvgVUx2MSAQdAKc70+YldBMdetkmcWWJYDSUbewIJOrDCJBS+TUTQ2hQw
+            dq03NJuiqwsrN1YBa1qHELTJj7CvrxTvVSQvDpSEwD3WVk8Qn5z1lMgBrivxCGa8
+            1GYBCQIQj3MkZci7qGULIHivbsOSwX6a3T9JQRkmHylyzZDxYRUz3TLhNvjuly58
+            TxBJcHkDmXDP5T+UACrryRIN2h/J/+gw6WkHnPJOcs5JFqB9uneVwpW1A3jNMhRD
+            iXDXWxIe5PY=
+            =zp+l
+            -----END PGP MESSAGE-----
+          fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
+        - created_at: "2024-05-11T21:48:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dub78fMESoMASAQdAs3PQ1mkR/MS3vg1qCTPiQihx7yZvQlqlhYRsRigJDiEw
+            WuZYC66MsLHi2YQEkFoxG0bgt3sHkVRlq72ae713UzfWiI0Dl59dxtGcOtvdo5LK
+            1GYBCQIQIupCIS36+zkecqWl1h55C0G/bC+SHdwgp5nFbva+3fidastsvakUDuTW
+            dGOLK1FC2xUrct/rLGBmWA48fSOA/VJiiEVzP0TsVCytTx/Y44jm0f5HC85LNnNy
+            8GoFUoOn6tE=
+            =A7C7
+            -----END PGP MESSAGE-----
+          fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
+        - created_at: "2024-05-11T21:48:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DLHeEFiC484ASAQdAK53bLfsn0k8SFw/88FliX2Yaev9oMGmKSR7f/6vJmH4w
+            pZxJqMwkpWt3We5DAkN+VFuawOzPNrV0vmmd8StlajZ5GIaz713QJQ8cpVrE/sPh
+            1GYBCQIQUuj0dgOWLtcB/w1vHj0qQW8LnMG5uVY7gk+hPmllQb8TJ1aRUkcPrKoE
+            rXUCl17BO59C4AUWLu/0RviAki6FMZC1S0g1z8eOck6CFSnW4i4uMB0g5Yi5kqpK
+            K0oWZqedIzU=
+            =Z8wz
+            -----END PGP MESSAGE-----
+          fp: 403215E0F99D2582C7055C512C77841620B8F380
+        - created_at: "2024-05-11T21:48:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA2YOabq+5CZDAQ//beLzskyTj+PN79rvrupVY5gwWxIhYuoRs2ZkJSlNyRYg
+            exNxwPAjssi3yKoUOy9TNbxzOKP5VwehnOPlJ4jyVgdZ9zksJH9k0WnfhlmabHeC
+            UnYsUSDB7VUFrpacdIKjmFM6OPlu7Xm98RwSabkmlHEE/voF/Ma5yWT0c3Sx2lzv
+            ucNSCqmjY0D6S5tJz+3nYsT54OjS+Jlr96CPOR9dz1jEGGQMfwyMxwMLhVpVBDKE
+            uusl5VD3jw50wYbkhvYscGGkdOkLwAFMIwYvw1seYFTb3kux8ChahYQ3QtPn3ZUD
+            OoPqYUtgpcnZTAcMGvzL7B0OwJLsCpin454yko56KV/cnIHwSv2cyfsQB0M4dz6l
+            OalAS5BpqhZ2ulDm34yFlRE7MD+H12tOzBJIFjGQksv9DiuRyezZnevBqlOdott8
+            cSDfO3RD3wGdUOIVwi3B92N5j1w39d2wKoXa19kM66mzsdbQrXwmxKa8gQMkjsG9
+            Ds2sUwQlKZ0HvvNkJTJ+NORWKKvwGXKqVPwOTUaZjzQGUtVWg5WSjmFoPQ049nqf
+            gLYhy0OeyEAIRe9HjNo5YANPNBF63qTT2++n6xs2ErXjHNNi85yUnhCBqRRI3Od6
+            HkLlLQN3i6RdV5C1wJwu3k1N6a+dl03gFgO3PSJZaLpIhHJuOJwYT3rCGi3ZgzXS
+            VgFycpleRMSCTjEIY/Ky4PJOlbUykf4CuFWnvJLSOcqjPbozzqjUaw4xzea2Lloj
+            +Io3l0AHWqKCmv4qbZxim37YuicyM02A56pk7SMKXOuqbb1m5hBr
+            =bvPZ
+            -----END PGP MESSAGE-----
+          fp: a53d4ca8d2cf54613822c81d660e69babee42643
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/machines/koyomi/services/hypervisor.nix
+++ b/machines/koyomi/services/hypervisor.nix
@ -0,0 +1,127 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ lib, pkgs, ... }:
+let
+  guests = { };
+
+  # port forwarding for IPv4
+  portForwards = {
+    tcp = { };
+    udp = { };
+  };
+in
+{
+  virtualisation.libvirtd = {
+    enable = true;
+    qemu.package = pkgs.qemu_kvm;
+  };
+
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.all.forwarding" = true;
+    "net.ipv6.conf.all.forwarding" = true;
+  };
+
+  systemd.network = {
+    enable = true;
+    netdevs = {
+      br-virt = {
+        netdevConfig = {
+          Name = "br-virt";
+          Kind = "bridge";
+        };
+      };
+    };
+    networks = {
+      br-virt = {
+        name = "br-virt";
+        address = [ "10.80.32.1/24" "2a01:4f8:151:712d:1::1/80" ];
+      };
+    };
+  };
+  services.resolved.enable = false;
+
+  services.dnsmasq = {
+    enable = true;
+
+    settings = {
+      interface = [ "br-virt" ];
+
+      bind-interfaces = true; # do not bind to the wildcard interface
+      bogus-priv = true; # do not forward revese lookups of internal addresses
+      dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS
+      domain-needed = true; # do not forward names without domain
+      no-hosts = true; # do not resolve hosts from /etc/hosts
+      no-resolv = true; # only use explicitly configured resolvers
+
+      domain = [ "sbruder.de" ];
+
+      enable-ra = true; # required to tell clients to use DHCPv6
+
+      # Force static configuration
+      dhcp-range = [
+        "10.80.32.0,static,255.255.255.0"
+        "2a01:4f8:151:712d:1::,static,80"
+      ];
+
+      dhcp-host = lib.flatten (lib.mapAttrsToList
+        (name: { mac, v4, v6 }: [
+          "${mac},${v4},${name}"
+          "${mac},[${v6}],${name}"
+        ])
+        guests);
+
+      # Hetzner recursive name servers
+      # https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/
+      server = [
+        "185.12.64.1"
+        "185.12.64.2"
+        "2a01:4ff:ff00::add:1"
+        "2a01:4ff:ff00::add:2"
+      ];
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = map lib.toInt (lib.attrNames portForwards.tcp);
+    allowedUDPPorts = map lib.toInt (lib.attrNames portForwards.udp);
+
+    interfaces.br-virt = {
+      allowedTCPPorts = [ 53 ]; # EDNS
+      allowedUDPPorts = [ 53 67 547 ]; # DNS / DHCP / DHCPv6
+    };
+  };
+
+  networking.nftables = {
+    enable = true;
+    ruleset = ''
+      # only IPv4
+      table ip hypervisor-nat {
+        chain postrouting {
+          type nat hook postrouting priority filter; policy accept
+          oifname eth0 masquerade
+        }
+
+        chain prerouting {
+          type nat hook prerouting priority dstnat; policy accept
+          ${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
+            iifname eth0 tcp dport ${port} dnat to ${guests.${guest}.v4}
+          '') portForwards.tcp)}
+          ${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
+            iifname eth0 udp dport ${port} dnat to ${guests.${guest}.v4}
+          '') portForwards.udp)}
+        }
+      }
+
+      table inet hypervisor-filter {
+        chain forward {
+          type filter hook forward priority filter; policy drop
+
+          iifname br-virt oifname eth0 counter accept
+          iifname eth0 oifname br-virt counter accept
+        }
+      }
+    '';
+  };
+}
--- a/machines/renge/services/prometheus.nix
+++ b/machines/renge/services/prometheus.nix
@ -75,6 +75,7 @@ in
          "shinobu.vpn.sbruder.de:9100"
          "nazuna.vpn.sbruder.de:9100"
          "yuzuru.vpn.sbruder.de:9100"
+          "koyomi.vpn.sbruder.de:9100"
        ];
        relabel_configs = lib.singleton {
          target_label = "instance";
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@ -87,5 +87,13 @@
      hostNames = [ "[yuzuru.sbruder.de]:2222" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
    };
+    koyomi = {
+      hostNames = [ "koyomi" "koyomi.sbruder.de" "koyomi.vpn.sbruder.de" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZVoGK0JNltzqVWN9dejWMkedfzcipTv6iX52HTHaVz";
+    };
+    koyomi-initrd = {
+      hostNames = [ "[koyomi.sbruder.de]:2222" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPQuXX9EJXcz7wkG/yDxrZVODaitAQ1lfGzedNrYKhI";
+    };
  };
 }
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@ -48,6 +48,10 @@ let
      address = "10.80.0.16";
      publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
    };
+    koyomi = {
+      address = "10.80.0.17";
+      publicKey = "fvQDGqmkcFUvfUFmkSagJZy6pGIP6ewZrzTQfaz+mmE=";
+    };
  };

  cfg = config.sbruder.wireguard.home;