diff --git a/.sops.yaml b/.sops.yaml
index aa4eb59..0af6825 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -19,6 +19,7 @@ keys:
 - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
 - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
 - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
+ - &koyomi a53d4ca8d2cf54613822c81d660e69babee42643
 creation_rules:
 - path_regex: machines/nunotaba/secrets\.yaml$
 key_groups:
@@ -97,6 +98,13 @@ creation_rules:
 - *simon-alpha
 - *simon-beta
 - *yuzuru
+ - path_regex: machines/koyomi/secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *simon
+ - *simon-alpha
+ - *simon-beta
+ - *koyomi
 - path_regex: secrets\.yaml$
 key_groups:
 - pgp:
@@ -109,3 +117,4 @@ creation_rules:
 - *fuuko
 - *mayushii
 - *renge
+ - *koyomi
diff --git a/keys/machines/koyomi.asc b/keys/machines/koyomi.asc
new file mode 100644
index 0000000..15e3005
--- /dev/null
+++ b/keys/machines/koyomi.asc
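Review bot: Adding `*koyomi` to the catch-all `secrets\.yaml$` rule makes the hypervisor's host key a recipient of every secret in the shared top-level secrets.yaml, yet no hunk re-encrypting that file is part of this diff; unless it is updated separately (`sops updatekeys secrets.yaml`), koyomi cannot decrypt it at activation, and once it is updated every shared secret becomes readable to whoever controls this rented bare-metal host. The per-machine rule for `machines/koyomi/secrets\.yaml$` already covers the only secret the new machine visibly consumes (`wg-home-private-key`), so it is worth checking whether koyomi needs the shared file at all, and if it does, adding a comment naming which entries it uses. The imported key's UID appears to decode to `root (Imported from SSH) <root@localhost>`, i.e. the PGP key is derived from the host's SSH RSA key, so its security is exactly that of the host key — a one-line note beside `&koyomi` saying so (and that the fingerprint was verified against `gpg --show-keys keys/machines/koyomi.asc`) would help the next reviewer.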
@@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBAAAAAABEACxLvouloEvO6hjBfydEMJIEVzJLBqZJBmBvHmJKRbhWSldCWLi +bdL7L3Ld1K4uQKSEPNRk6LcVVCAPaXuhyeza57U8PNMBJrDESZ+SdAjuNw5/mDTa +VF4jgPzrPmQ1ufRiaOgxOj7OAwOqFEZBMeHXPrauY83dHgKJBcRuw5567YTJ0zoJ +bi3mtetgAeVwgPgQBgihDQhvxgxiOQ0kLbRRDFm8sVsp8o/zJbVy3zop4sJppOSg +JYzjFyt40wqPQ0TospxvwiYiJhg339hduZZ+J7+4XcdKnTVUNM8Ws7notVFRkWYG +8jWTUuld815WZUA/2rkjx7GsZ9sLChaXVmXRfUGO3G01zaEZ84PA/XrpemWVMs+I +y/1UznrSFy3bPh9/Jdpr4D5/gxsJaNs8ioSjb/3fXfZ4+kZySmQiWpagwsLXmPU3 +eno5YjvuU8qCh37zWF7uhsUsIDXw1FWqgy7HoU7HLYHDpRoerEABQpIf3378eZJ1 ++VK/Em2NLyapgBGx+hv+qrUGKAv+/bdTt5XQtQypHI5ihI2H/Rr/ZfTzIWcJIomR +KwCsjZDuiRWsQWa/WEqthPX/ckNKJuB25tkCFM4owMtgJEMSymRZ6Fd/zdI+WBS2 +1QSECOHFyr8ha0OfpZF6qy8YYqV82EHeTQdqvAY18po8/Y5WGvm4Q0QCQwARAQAB +zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT +AQgAFgUCAAAAAAkQZg5pur7kJkMCGw8CGQEAANR9EABfKws/H9UX31pJbdWzSotN +/1OkQxCNQvTmzxByP+JDBZQoplKbhjwVi/seshwxCMGuvBklmFSdpzGXip68QR4Q +CYQsFg02URFKA8vggnIbpkNMB3/ckM6m6wQlMshTl1DPpZcZflppi/O68hIqtrSN +/xXx5hIBFqe4NY6+ouHRy+4KPnWqndcHSRC2TaYYiiAo9dBj7VyQsL0zYYyTAl0U +J6rolDz5VqWzkHklH/UMJ3u8ZwV2VHuyU5Drod8/1bDYtjGXxeUhcd25X4q0Gcqh +gts0zoV/kYgnX3rGzqT4q6MGHWzlHtblMxtPpV8m/fd2KDvIKDdJPnYsbKDNlX7j +QwVS8rE2T/FfU2KGoadNmSJACmCdShpCCd7CSHludcXLMDVuFijh4iCHkc3KvJJP +MrWqBTWzYB73O5WGAWDxL7trw80a5Qi2+5PRCQY0smOR4jC3d36PGjtD8ykCHlqt +HVZ2CtNl+6loGJ9TTgMwzNOY2PQPP2bhzdB16ht5CDsadFXrFD8mRVcwnQ6F0UU0 +DROW+C7FdYkZiEM9r6QMkRX4Xkc4YTV7EL0kEwJkWvxTbL2X/r1lSOKE27iMk2D/ +kkNzVXEH89ryyJc4Pgro5aTjzkAfTOUc+LV34b2CE0NGLjZvOvTic5SSdsAZ+PVL +CxhNpGhTpzl96WA2WsNP9Q== +=slmv +-----END PGP PUBLIC KEY BLOCK----- diff --git a/machines/default.nix b/machines/default.nix index 34641e0..5829bb9 100644 --- a/machines/default.nix +++ b/machines/default.nix 
@@ -76,4 +76,13 @@ in
 targetHost = "yuzuru.sbruder.de";
 };
 
+ koyomi = {
+ system = "x86_64-linux";
+ extraModules = [
+ hardware.common-cpu-intel
+ hardware.common-pc-ssd
+ ];
+
+ targetHost = "koyomi.sbruder.de";
+ };
 }
diff --git a/machines/koyomi/README.md b/machines/koyomi/README.md
new file mode 100644
index 0000000..f6d5d36
--- /dev/null
+++ b/machines/koyomi/README.md
@@ -0,0 +1,37 @@
+
+
+# koyomi
+
+## Hardware
+
+System from [Hetzner Online Serverbörse](https://www.hetzner.com/sb).
+
+- Motherboard: FUJITSU D3401-H1
+- CPU: Intel Core i7-6700
+- RAM: 4×16 GB Samsung [M378A2K43CB1-CRC](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43cb1-crc/)/[M378A2K43BB1-CPB](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43bb1-cpb/) (DDR4 2400/2133 MHz)
+- SSD: 2×512 GB M.2 NVMe SAMSUNG MZVLB512HAJQ-00000
+
+## Setup
+
+As it is a physical server (not a VM) in a remote location,
+extra care must be taken when installing.
+Fortunately, Hetzner provides an automated way to reset the server (by sending Ctrl+Alt+Del or force resetting)
+and a rescue system that can be activated before a reboot.
+Additionally, there is also a *vKVM* rescue system,
+that boots a hypervisor from the network and runs a VM which boots from the physical disks.
+
+The rescue system can be used to start a kexec installer generated by [nixos-generators](https://github.com/nix-community/nixos-generators).
+Ideally, everything goes well and the next reboot works,
+but in the case it does not, the vKVM rescue system can be used for debugging.
+
+## Purpose
+
+Hypervisor. Exact scope is to be determined.
+
+## Name
+
+Araragi Koyomi is a student from the *Monogatari Series*.
diff --git a/machines/koyomi/configuration.nix b/machines/koyomi/configuration.nix
new file mode 100644
index 0000000..0898a80
--- /dev/null
+++ b/machines/koyomi/configuration.nix
@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../modules
+
+ ./services/hypervisor.nix
+ ];
+
+ sbruder = {
+ wireguard.home.enable = true;
+ podman.enable = true;
+ };
+
+ networking.hostName = "koyomi";
+
+ system.stateVersion = "23.11";
+}
diff --git a/machines/koyomi/hardware-configuration.nix b/machines/koyomi/hardware-configuration.nix
new file mode 100644
index 0000000..c5d7647
--- /dev/null
+++ b/machines/koyomi/hardware-configuration.nix
@@ -0,0 +1,72 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ modulesPath, pkgs, ... }:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ swraid.enable = true;
+ kernelModules = [ "kvm-intel" ];
+ kernelParams = [ "ip=dhcp" ];
+ loader = {
+ grub = {
+ devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
+ };
+ };
+ initrd = {
+ availableKernelModules = [ "aesni_intel" "ahci" "e1000e" "nvme" ];
+ kernelModules = [ "dm-snapshot" ];
+ network.enable = true; # remote unlocking
+ luks.devices = {
+ koyomi-pv = {
+ name = "koyomi-pv";
+ device = "/dev/disk/by-uuid/9145417d-e8f5-4aa9-a526-419e507c47fd";
+ preLVM = true;
+ allowDiscards = true;
+ };
+ };
+
+ # FIXME XXX HACK
+ # This is required to have the md device available under /dev/disk/by-uuid.
+ # Both commands are run as part of the regular stage-1 init script,
+ # but for some reason, they need to be run twice.
+ preLVMCommands = ''
+ udevadm trigger
+ udevadm settle
+ '';
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/3b31163f-4fec-4e1c-b311-7c8aaca76cd4";
+ fsType = "btrfs";
+ options = [ "discard=async" "noatime" "compress=zstd" ];
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/12CE-A600";
+ fsType = "vfat";
+ };
+ };
+
+ networking.useDHCP = false;
+ networking.usePredictableInterfaceNames = false;
+ systemd.network = {
+ enable = true;
+ networks = {
+ eth0 = {
+ name = "eth0";
+ DHCP = "yes";
+ domains = [ "sbruder.de" ];
+ address = [ "2a01:4f8:151:712d::1/64" ];
+ gateway = [ "fe80::1" ];
+ };
+ };
+ };
+}
diff --git a/machines/koyomi/secrets.yaml b/machines/koyomi/secrets.yaml
new file mode 100644
index 0000000..e54ba17
--- /dev/null
+++ b/machines/koyomi/secrets.yaml
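Review bot: `network.enable = true; # remote unlocking` depends on an initrd that lives, together with its SSH host key, on the unencrypted vfat `/boot` (`12CE-A600`) booted by GRUB without any signature check, so anyone with rescue-system or physical access to this rented machine can replace the initrd and capture the LUKS passphrase at the next remote unlock; the pinned `koyomi-initrd` known_hosts entry only detects a swapped host key, not a modified initrd that keeps the original key. This is a commonly accepted limitation, but it should be recorded next to the option, e.g. `network.enable = true; # remote unlocking; NOTE: initrd + its host key sit on unencrypted /boot, so a tampered initrd can capture the passphrase — inspect /boot from the rescue system after any unexpected reboot before unlocking`. `allowDiscards = true` additionally lets TRIM expose which LUKS sectors are unused, a deliberate trade-off worth its own one-line comment. The `udevadm trigger`/`settle` workaround in `preLVMCommands` is flagged FIXME but records neither the observed symptom nor the NixOS version it was seen on, which is what a future reader needs in order to decide whether it can be removed.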
@@ -0,0 +1,72 @@ +wg-home-private-key: ENC[AES256_GCM,data:fFoXn5sLL06hNeXhQGKbheQV4ZNlYxJKWlHpPfyF6PyYbBcz4An9DPYnQKk=,iv:pY2dVEspIijtZkatUrSdg90D0ldxAoy5rUj1lw1cOF8=,tag:jz4q+Yum05S9c5OlciBZ1g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-05-11T21:49:03Z" + mac: ENC[AES256_GCM,data:yS/v+NWiLlFLTwnbhaYVg98H/ThqW5r+3eC1YsvJRRrF/yZBk6nUtK8CT4tvR9PUeks4a2H15/5aY2oDxnABhXhkbasZjnl3+YGF8SOIwo+YuWJ5A3rHJZQMJGRGg8dwh4xkJMDJKb2Or1uH3ZiSclVMQDiM3RGVifLhtv+gJEc=,iv:ygTcKqU5pzkOoGUx9xw9BzWJx15t28w3tJVH4eAdxS4=,tag:F5/8SSt/eON9zwWGGUyUEQ==,type:str] + pgp: + - created_at: "2024-05-11T21:48:51Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DLHeEFiC484ASAQdATNhq0wu5gLVG+7PHCtdQRxgC6GqQrvrttZnN3AvnZ0ww + qBdXl+6qkWHyjvclklzcNfpcMD7cmRwRDSDSQASmSTAyulBbgjDuou9Tjl/Rxorl + hF4Dub78fMESoMASAQdAIhgR5ZyuaP12Mav7NNapUcWrScnmjNPh46oX2W3jDDsw + in+hRRYC6apDKMcC3IFEzo6vy7OfhEeMR2IthtU0Y+bgdfjpwEOZ4J5CLg2ERZO+ + hF4DM6AcvgVUx2MSAQdAKc70+YldBMdetkmcWWJYDSUbewIJOrDCJBS+TUTQ2hQw + dq03NJuiqwsrN1YBa1qHELTJj7CvrxTvVSQvDpSEwD3WVk8Qn5z1lMgBrivxCGa8 + 1GYBCQIQj3MkZci7qGULIHivbsOSwX6a3T9JQRkmHylyzZDxYRUz3TLhNvjuly58 + TxBJcHkDmXDP5T+UACrryRIN2h/J/+gw6WkHnPJOcs5JFqB9uneVwpW1A3jNMhRD + iXDXWxIe5PY= + =zp+l + -----END PGP MESSAGE----- + fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763 + - created_at: "2024-05-11T21:48:51Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4Dub78fMESoMASAQdAs3PQ1mkR/MS3vg1qCTPiQihx7yZvQlqlhYRsRigJDiEw + WuZYC66MsLHi2YQEkFoxG0bgt3sHkVRlq72ae713UzfWiI0Dl59dxtGcOtvdo5LK + 1GYBCQIQIupCIS36+zkecqWl1h55C0G/bC+SHdwgp5nFbva+3fidastsvakUDuTW + dGOLK1FC2xUrct/rLGBmWA48fSOA/VJiiEVzP0TsVCytTx/Y44jm0f5HC85LNnNy + 8GoFUoOn6tE= + =A7C7 + -----END PGP MESSAGE----- + fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0 + - created_at: "2024-05-11T21:48:51Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DLHeEFiC484ASAQdAK53bLfsn0k8SFw/88FliX2Yaev9oMGmKSR7f/6vJmH4w + pZxJqMwkpWt3We5DAkN+VFuawOzPNrV0vmmd8StlajZ5GIaz713QJQ8cpVrE/sPh + 
1GYBCQIQUuj0dgOWLtcB/w1vHj0qQW8LnMG5uVY7gk+hPmllQb8TJ1aRUkcPrKoE + rXUCl17BO59C4AUWLu/0RviAki6FMZC1S0g1z8eOck6CFSnW4i4uMB0g5Yi5kqpK + K0oWZqedIzU= + =Z8wz + -----END PGP MESSAGE----- + fp: 403215E0F99D2582C7055C512C77841620B8F380 + - created_at: "2024-05-11T21:48:51Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA2YOabq+5CZDAQ//beLzskyTj+PN79rvrupVY5gwWxIhYuoRs2ZkJSlNyRYg + exNxwPAjssi3yKoUOy9TNbxzOKP5VwehnOPlJ4jyVgdZ9zksJH9k0WnfhlmabHeC + UnYsUSDB7VUFrpacdIKjmFM6OPlu7Xm98RwSabkmlHEE/voF/Ma5yWT0c3Sx2lzv + ucNSCqmjY0D6S5tJz+3nYsT54OjS+Jlr96CPOR9dz1jEGGQMfwyMxwMLhVpVBDKE + uusl5VD3jw50wYbkhvYscGGkdOkLwAFMIwYvw1seYFTb3kux8ChahYQ3QtPn3ZUD + OoPqYUtgpcnZTAcMGvzL7B0OwJLsCpin454yko56KV/cnIHwSv2cyfsQB0M4dz6l + OalAS5BpqhZ2ulDm34yFlRE7MD+H12tOzBJIFjGQksv9DiuRyezZnevBqlOdott8 + cSDfO3RD3wGdUOIVwi3B92N5j1w39d2wKoXa19kM66mzsdbQrXwmxKa8gQMkjsG9 + Ds2sUwQlKZ0HvvNkJTJ+NORWKKvwGXKqVPwOTUaZjzQGUtVWg5WSjmFoPQ049nqf + gLYhy0OeyEAIRe9HjNo5YANPNBF63qTT2++n6xs2ErXjHNNi85yUnhCBqRRI3Od6 + HkLlLQN3i6RdV5C1wJwu3k1N6a+dl03gFgO3PSJZaLpIhHJuOJwYT3rCGi3ZgzXS + VgFycpleRMSCTjEIY/Ky4PJOlbUykf4CuFWnvJLSOcqjPbozzqjUaw4xzea2Lloj + +Io3l0AHWqKCmv4qbZxim37YuicyM02A56pk7SMKXOuqbb1m5hBr + =bvPZ + -----END PGP MESSAGE----- + fp: a53d4ca8d2cf54613822c81d660e69babee42643 + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/machines/koyomi/services/hypervisor.nix b/machines/koyomi/services/hypervisor.nix new file mode 100644 index 0000000..51a09d5 --- /dev/null +++ b/machines/koyomi/services/hypervisor.nix 
@@ -0,0 +1,127 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ lib, pkgs, ... }:
+let
+ guests = { };
+
+ # port forwarding for IPv4
+ portForwards = {
+ tcp = { };
+ udp = { };
+ };
+in
+{
+ virtualisation.libvirtd = {
+ enable = true;
+ qemu.package = pkgs.qemu_kvm;
+ };
+
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+
+ systemd.network = {
+ enable = true;
+ netdevs = {
+ br-virt = {
+ netdevConfig = {
+ Name = "br-virt";
+ Kind = "bridge";
+ };
+ };
+ };
+ networks = {
+ br-virt = {
+ name = "br-virt";
+ address = [ "10.80.32.1/24" "2a01:4f8:151:712d:1::1/80" ];
+ };
+ };
+ };
+ services.resolved.enable = false;
+
+ services.dnsmasq = {
+ enable = true;
+
+ settings = {
+ interface = [ "br-virt" ];
+
+ bind-interfaces = true; # do not bind to the wildcard interface
+ bogus-priv = true; # do not forward revese lookups of internal addresses
+ dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS
+ domain-needed = true; # do not forward names without domain
+ no-hosts = true; # do not resolve hosts from /etc/hosts
+ no-resolv = true; # only use explicitly configured resolvers
+
+ domain = [ "sbruder.de" ];
+
+ enable-ra = true; # required to tell clients to use DHCPv6
+
+ # Force static configuration
+ dhcp-range = [
+ "10.80.32.0,static,255.255.255.0"
+ "2a01:4f8:151:712d:1::,static,80"
+ ];
+
+ dhcp-host = lib.flatten (lib.mapAttrsToList
+ (name: { mac, v4, v6 }: [
+ "${mac},${v4},${name}"
+ "${mac},[${v6}],${name}"
+ ])
+ guests);
+
+ # Hetzner recursive name servers
+ # https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/
+ server = [
+ "185.12.64.1"
+ "185.12.64.2"
+ "2a01:4ff:ff00::add:1"
+ "2a01:4ff:ff00::add:2"
+ ];
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = map lib.toInt (lib.attrNames portForwards.tcp);
+ allowedUDPPorts = map lib.toInt (lib.attrNames portForwards.udp);
+ interfaces.br-virt = {
+ allowedTCPPorts = [ 53 ]; # EDNS
+ allowedUDPPorts = [ 53 67 547 ]; # DNS / DHCP / DHCPv6
+ };
+ };
+
+ networking.nftables = {
+ enable = true;
+ ruleset = ''
+ # only IPv4
+ table ip hypervisor-nat {
+ chain postrouting {
+ type nat hook postrouting priority filter; policy accept
+ oifname eth0 masquerade
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept
+ ${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
+ iifname eth0 tcp dport ${port} dnat to ${guests.${guest}.v4}
+ '') portForwards.tcp)}
+ ${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
+ iifname eth0 udp dport ${port} dnat to ${guests.${guest}.v4}
+ '') portForwards.udp)}
+ }
+ }
+
+ table inet hypervisor-filter {
+ chain forward {
+ type filter hook forward priority filter; policy drop
+
+ iifname br-virt oifname eth0 counter accept
+ iifname eth0 oifname br-virt counter accept
+ }
+ }
+ '';
+ };
+}
diff --git a/machines/renge/services/prometheus.nix b/machines/renge/services/prometheus.nix
index f36c6b9..5c617db 100644
--- a/machines/renge/services/prometheus.nix
+++ b/machines/renge/services/prometheus.nix
@@ -75,6 +75,7 @@ in
 "shinobu.vpn.sbruder.de:9100"
 "nazuna.vpn.sbruder.de:9100"
 "yuzuru.vpn.sbruder.de:9100"
+ "koyomi.vpn.sbruder.de:9100"
 ];
 relabel_configs = lib.singleton {
 target_label = "instance";
diff --git a/modules/ssh.nix b/modules/ssh.nix
index c1de1d4..b0605bf 100644
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
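Review bot: In `hypervisor-filter`, `iifname eth0 oifname br-virt counter accept` admits every packet from the uplink to the guest bridge regardless of connection state, so `policy drop` gives guests no protection: on IPv6 they hold globally routable addresses out of `2a01:4f8:151:712d:1::/80` and are fully exposed, and on IPv4 anything the upstream manages to route to 10.80.32.0/24 passes as well. Conversely `iifname br-virt oifname eth0 counter accept` lets a compromised guest emit arbitrary source addresses; masquerade neutralises that for IPv4 but IPv6 is not translated, so a guest can spoof another guest's or any foreign address. If unconditional IPv6 reachability of guests is intended it deserves an explicit rule with a comment saying so; otherwise restrict inbound to replies, ICMPv6 and DNATed flows and add a reverse-path check on the bridge as below. Separately, the `# EDNS` comment on `allowedTCPPorts = [ 53 ]` is inaccurate (TCP 53 carries truncated/large answers and zone transfers; EDNS is a UDP extension), and `revese` in the bogus-priv comment is a typo.

```nix
# … unchanged: table ip hypervisor-nat …

table inet hypervisor-filter {
  chain forward {
    type filter hook forward priority filter; policy drop

    # guests may only use source addresses that route back to the bridge (anti-spoofing, v4 + v6)
    iifname br-virt fib saddr . iif oif missing counter drop
    iifname br-virt oifname eth0 counter accept

    # uplink -> guests: replies, ICMPv6 (PMTUD/ping) and explicitly port-forwarded flows only
    iifname eth0 oifname br-virt ct state established,related counter accept
    iifname eth0 oifname br-virt meta l4proto ipv6-icmp counter accept
    iifname eth0 oifname br-virt ct status dnat counter accept
  }
}
```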
@@ -87,5 +87,13 @@
 hostNames = [ "[yuzuru.sbruder.de]:2222" ];
 publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
 };
+ koyomi = {
+ hostNames = [ "koyomi" "koyomi.sbruder.de" "koyomi.vpn.sbruder.de" ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZVoGK0JNltzqVWN9dejWMkedfzcipTv6iX52HTHaVz";
+ };
+ koyomi-initrd = {
+ hostNames = [ "[koyomi.sbruder.de]:2222" ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPQuXX9EJXcz7wkG/yDxrZVODaitAQ1lfGzedNrYKhI";
+ };
 };
 }
diff --git a/modules/wireguard/home.nix b/modules/wireguard/home.nix
index 8da9798..eb735cd 100644
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@@ -48,6 +48,10 @@ let
 address = "10.80.0.16";
 publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
 };
+ koyomi = {
+ address = "10.80.0.17";
+ publicKey = "fvQDGqmkcFUvfUFmkSagJZy6pGIP6ewZrzTQfaz+mmE=";
+ };
 };
 
 cfg = config.sbruder.wireguard.home;
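Review bot: koyomi's VPN address `10.80.0.17` and the guest bridge it announces in hypervisor.nix (`10.80.32.1/24`) both fall inside 10.80.0.0/16, so if the home WireGuard network's prefix or AllowedIPs (defined outside this hunk) are wider than /24, the guest subnet overlaps the tunnel and guest traffic is steered into WireGuard, or VPN peers become unreachable from guests. Please confirm the prefix where the peer set is consumed; if it is /16 or similar, either move the bridge subnet outside it or add a comment on this entry recording that the overlap is deliberate, e.g. `# 10.80.32.0/24 (koyomi guests) is intentionally routed via the VPN`. The attribute set these peers belong to starts before the hunk.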