koyomi: Init

2024-05-11 21:14:17 +02:00 · 2024-05-11 21:14:17 +02:00 · ef488cdfd9
parent 828d76e96e
commit ef488cdfd9
11 changed files with 390 additions and 0 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -19,6 +19,7 @@ keys:
  - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
  - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
  - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
  - &koyomi a53d4ca8d2cf54613822c81d660e69babee42643
 creation_rules:
  - path_regex: machines/nunotaba/secrets\.yaml$
    key_groups:
@ -97,6 +98,13 @@ creation_rules:
      - *simon-alpha
      - *simon-beta
      - *yuzuru
  - path_regex: machines/koyomi/secrets\.yaml$
    key_groups:
    - pgp:
      - *simon
      - *simon-alpha
      - *simon-beta
      - *koyomi
  - path_regex: secrets\.yaml$
    key_groups:
    - pgp:
@ -109,3 +117,4 @@ creation_rules:
      - *fuuko
      - *mayushii
      - *renge
      - *koyomi
--- a/keys/machines/koyomi.asc
+++ b/keys/machines/koyomi.asc
@ -0,0 +1,28 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 xsFNBAAAAAABEACxLvouloEvO6hjBfydEMJIEVzJLBqZJBmBvHmJKRbhWSldCWLi
 bdL7L3Ld1K4uQKSEPNRk6LcVVCAPaXuhyeza57U8PNMBJrDESZ+SdAjuNw5/mDTa
 VF4jgPzrPmQ1ufRiaOgxOj7OAwOqFEZBMeHXPrauY83dHgKJBcRuw5567YTJ0zoJ
 bi3mtetgAeVwgPgQBgihDQhvxgxiOQ0kLbRRDFm8sVsp8o/zJbVy3zop4sJppOSg
 JYzjFyt40wqPQ0TospxvwiYiJhg339hduZZ+J7+4XcdKnTVUNM8Ws7notVFRkWYG
 8jWTUuld815WZUA/2rkjx7GsZ9sLChaXVmXRfUGO3G01zaEZ84PA/XrpemWVMs+I
 y/1UznrSFy3bPh9/Jdpr4D5/gxsJaNs8ioSjb/3fXfZ4+kZySmQiWpagwsLXmPU3
 eno5YjvuU8qCh37zWF7uhsUsIDXw1FWqgy7HoU7HLYHDpRoerEABQpIf3378eZJ1
 +VK/Em2NLyapgBGx+hv+qrUGKAv+/bdTt5XQtQypHI5ihI2H/Rr/ZfTzIWcJIomR
 KwCsjZDuiRWsQWa/WEqthPX/ckNKJuB25tkCFM4owMtgJEMSymRZ6Fd/zdI+WBS2
 1QSECOHFyr8ha0OfpZF6qy8YYqV82EHeTQdqvAY18po8/Y5WGvm4Q0QCQwARAQAB
 zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
 AQgAFgUCAAAAAAkQZg5pur7kJkMCGw8CGQEAANR9EABfKws/H9UX31pJbdWzSotN
 /1OkQxCNQvTmzxByP+JDBZQoplKbhjwVi/seshwxCMGuvBklmFSdpzGXip68QR4Q
 CYQsFg02URFKA8vggnIbpkNMB3/ckM6m6wQlMshTl1DPpZcZflppi/O68hIqtrSN
 /xXx5hIBFqe4NY6+ouHRy+4KPnWqndcHSRC2TaYYiiAo9dBj7VyQsL0zYYyTAl0U
 J6rolDz5VqWzkHklH/UMJ3u8ZwV2VHuyU5Drod8/1bDYtjGXxeUhcd25X4q0Gcqh
 gts0zoV/kYgnX3rGzqT4q6MGHWzlHtblMxtPpV8m/fd2KDvIKDdJPnYsbKDNlX7j
 QwVS8rE2T/FfU2KGoadNmSJACmCdShpCCd7CSHludcXLMDVuFijh4iCHkc3KvJJP
 MrWqBTWzYB73O5WGAWDxL7trw80a5Qi2+5PRCQY0smOR4jC3d36PGjtD8ykCHlqt
 HVZ2CtNl+6loGJ9TTgMwzNOY2PQPP2bhzdB16ht5CDsadFXrFD8mRVcwnQ6F0UU0
 DROW+C7FdYkZiEM9r6QMkRX4Xkc4YTV7EL0kEwJkWvxTbL2X/r1lSOKE27iMk2D/
 kkNzVXEH89ryyJc4Pgro5aTjzkAfTOUc+LV34b2CE0NGLjZvOvTic5SSdsAZ+PVL
 CxhNpGhTpzl96WA2WsNP9Q==
 =slmv
 -----END PGP PUBLIC KEY BLOCK-----
--- a/machines/default.nix
+++ b/machines/default.nix
@ -76,4 +76,13 @@ in
    targetHost = "yuzuru.sbruder.de";
  };
  koyomi = {
    system = "x86_64-linux";
    extraModules = [
      hardware.common-cpu-intel
      hardware.common-pc-ssd
    ];
    targetHost = "koyomi.sbruder.de";
  };
 }
--- a/machines/koyomi/README.md
+++ b/machines/koyomi/README.md
@ -0,0 +1,37 @@
 <!--
 SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 SPDX-License-Identifier: CC-BY-SA-4.0
 -->
 # koyomi
 ## Hardware
 System from [Hetzner Online Serverbörse](https://www.hetzner.com/sb).
 - Motherboard: FUJITSU D3401-H1
 - CPU: Intel Core i7-6700
 - RAM: 4×16 GB Samsung [M378A2K43CB1-CRC](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43cb1-crc/)/[M378A2K43BB1-CPB](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43bb1-cpb/) (DDR4 2400/2133 MHz)
 - SSD: 2×512 GB M.2 NVMe SAMSUNG MZVLB512HAJQ-00000
 ## Setup
 As it is a physical server (not a VM) in a remote location,
 extra care must be taken when installing.
 Fortunately, Hetzner provides an automated way to reset the server (by sending Ctrl+Alt+Del or force resetting)
 and a rescue system that can be activated before a reboot.
 Additionally, there is also a *vKVM* rescue system,
 that boots a hypervisor from the network and runs a VM which boots from the physical disks.
 The rescue system can be used to start a kexec installer generated by [nixos-generators](https://github.com/nix-community/nixos-generators).
 Ideally, everything goes well and the next reboot works,
 but in the case it does not, the vKVM rescue system can be used for debugging.
 ## Purpose
 Hypervisor. Exact scope is to be determined.
 ## Name
 Araragi Koyomi is a student from the *Monogatari Series*.
--- a/machines/koyomi/configuration.nix
+++ b/machines/koyomi/configuration.nix
@ -0,0 +1,23 @@
 # SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { config, lib, pkgs, ... }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../modules
    ./services/hypervisor.nix
  ];
  sbruder = {
    wireguard.home.enable = true;
    podman.enable = true;
  };
  networking.hostName = "koyomi";
  system.stateVersion = "23.11";
 }
--- a/machines/koyomi/hardware-configuration.nix
+++ b/machines/koyomi/hardware-configuration.nix
@ -0,0 +1,72 @@
 # SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { modulesPath, pkgs, ... }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot = {
    swraid.enable = true;
    kernelModules = [ "kvm-intel" ];
    kernelParams = [ "ip=dhcp" ];
    loader = {
      grub = {
        devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
      };
    };
    initrd = {
      availableKernelModules = [ "aesni_intel" "ahci" "e1000e" "nvme" ];
      kernelModules = [ "dm-snapshot" ];
      network.enable = true; # remote unlocking
      luks.devices = {
        koyomi-pv = {
          name = "koyomi-pv";
          device = "/dev/disk/by-uuid/9145417d-e8f5-4aa9-a526-419e507c47fd";
          preLVM = true;
          allowDiscards = true;
        };
      };
      # FIXME XXX HACK
      # This is required to have the md device available under /dev/disk/by-uuid.
      # Both commands are run as part of the regular stage-1 init script,
      # but for some reason, they need to be run twice.
      preLVMCommands = ''
        udevadm trigger
        udevadm settle
      '';
    };
  };
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/3b31163f-4fec-4e1c-b311-7c8aaca76cd4";
      fsType = "btrfs";
      options = [ "discard=async" "noatime" "compress=zstd" ];
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/12CE-A600";
      fsType = "vfat";
    };
  };
  networking.useDHCP = false;
  networking.usePredictableInterfaceNames = false;
  systemd.network = {
    enable = true;
    networks = {
      eth0 = {
        name = "eth0";
        DHCP = "yes";
        domains = [ "sbruder.de" ];
        address = [ "2a01:4f8:151:712d::1/64" ];
        gateway = [ "fe80::1" ];
      };
    };
  };
 }
--- a/machines/koyomi/secrets.yaml
+++ b/machines/koyomi/secrets.yaml
@ -0,0 +1,72 @@
 wg-home-private-key: ENC[AES256_GCM,data:fFoXn5sLL06hNeXhQGKbheQV4ZNlYxJKWlHpPfyF6PyYbBcz4An9DPYnQKk=,iv:pY2dVEspIijtZkatUrSdg90D0ldxAoy5rUj1lw1cOF8=,tag:jz4q+Yum05S9c5OlciBZ1g==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2024-05-11T21:49:03Z"
    mac: ENC[AES256_GCM,data:yS/v+NWiLlFLTwnbhaYVg98H/ThqW5r+3eC1YsvJRRrF/yZBk6nUtK8CT4tvR9PUeks4a2H15/5aY2oDxnABhXhkbasZjnl3+YGF8SOIwo+YuWJ5A3rHJZQMJGRGg8dwh4xkJMDJKb2Or1uH3ZiSclVMQDiM3RGVifLhtv+gJEc=,iv:ygTcKqU5pzkOoGUx9xw9BzWJx15t28w3tJVH4eAdxS4=,tag:F5/8SSt/eON9zwWGGUyUEQ==,type:str]
    pgp:
        - created_at: "2024-05-11T21:48:51Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4DLHeEFiC484ASAQdATNhq0wu5gLVG+7PHCtdQRxgC6GqQrvrttZnN3AvnZ0ww
            qBdXl+6qkWHyjvclklzcNfpcMD7cmRwRDSDSQASmSTAyulBbgjDuou9Tjl/Rxorl
            hF4Dub78fMESoMASAQdAIhgR5ZyuaP12Mav7NNapUcWrScnmjNPh46oX2W3jDDsw
            in+hRRYC6apDKMcC3IFEzo6vy7OfhEeMR2IthtU0Y+bgdfjpwEOZ4J5CLg2ERZO+
            hF4DM6AcvgVUx2MSAQdAKc70+YldBMdetkmcWWJYDSUbewIJOrDCJBS+TUTQ2hQw
            dq03NJuiqwsrN1YBa1qHELTJj7CvrxTvVSQvDpSEwD3WVk8Qn5z1lMgBrivxCGa8
            1GYBCQIQj3MkZci7qGULIHivbsOSwX6a3T9JQRkmHylyzZDxYRUz3TLhNvjuly58
            TxBJcHkDmXDP5T+UACrryRIN2h/J/+gw6WkHnPJOcs5JFqB9uneVwpW1A3jNMhRD
            iXDXWxIe5PY=
            =zp+l
            -----END PGP MESSAGE-----
          fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
        - created_at: "2024-05-11T21:48:51Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4Dub78fMESoMASAQdAs3PQ1mkR/MS3vg1qCTPiQihx7yZvQlqlhYRsRigJDiEw
            WuZYC66MsLHi2YQEkFoxG0bgt3sHkVRlq72ae713UzfWiI0Dl59dxtGcOtvdo5LK
            1GYBCQIQIupCIS36+zkecqWl1h55C0G/bC+SHdwgp5nFbva+3fidastsvakUDuTW
            dGOLK1FC2xUrct/rLGBmWA48fSOA/VJiiEVzP0TsVCytTx/Y44jm0f5HC85LNnNy
            8GoFUoOn6tE=
            =A7C7
            -----END PGP MESSAGE-----
          fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
        - created_at: "2024-05-11T21:48:51Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4DLHeEFiC484ASAQdAK53bLfsn0k8SFw/88FliX2Yaev9oMGmKSR7f/6vJmH4w
            pZxJqMwkpWt3We5DAkN+VFuawOzPNrV0vmmd8StlajZ5GIaz713QJQ8cpVrE/sPh
            1GYBCQIQUuj0dgOWLtcB/w1vHj0qQW8LnMG5uVY7gk+hPmllQb8TJ1aRUkcPrKoE
            rXUCl17BO59C4AUWLu/0RviAki6FMZC1S0g1z8eOck6CFSnW4i4uMB0g5Yi5kqpK
            K0oWZqedIzU=
            =Z8wz
            -----END PGP MESSAGE-----
          fp: 403215E0F99D2582C7055C512C77841620B8F380
        - created_at: "2024-05-11T21:48:51Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA2YOabq+5CZDAQ//beLzskyTj+PN79rvrupVY5gwWxIhYuoRs2ZkJSlNyRYg
            exNxwPAjssi3yKoUOy9TNbxzOKP5VwehnOPlJ4jyVgdZ9zksJH9k0WnfhlmabHeC
            UnYsUSDB7VUFrpacdIKjmFM6OPlu7Xm98RwSabkmlHEE/voF/Ma5yWT0c3Sx2lzv
            ucNSCqmjY0D6S5tJz+3nYsT54OjS+Jlr96CPOR9dz1jEGGQMfwyMxwMLhVpVBDKE
            uusl5VD3jw50wYbkhvYscGGkdOkLwAFMIwYvw1seYFTb3kux8ChahYQ3QtPn3ZUD
            OoPqYUtgpcnZTAcMGvzL7B0OwJLsCpin454yko56KV/cnIHwSv2cyfsQB0M4dz6l
            OalAS5BpqhZ2ulDm34yFlRE7MD+H12tOzBJIFjGQksv9DiuRyezZnevBqlOdott8
            cSDfO3RD3wGdUOIVwi3B92N5j1w39d2wKoXa19kM66mzsdbQrXwmxKa8gQMkjsG9
            Ds2sUwQlKZ0HvvNkJTJ+NORWKKvwGXKqVPwOTUaZjzQGUtVWg5WSjmFoPQ049nqf
            gLYhy0OeyEAIRe9HjNo5YANPNBF63qTT2++n6xs2ErXjHNNi85yUnhCBqRRI3Od6
            HkLlLQN3i6RdV5C1wJwu3k1N6a+dl03gFgO3PSJZaLpIhHJuOJwYT3rCGi3ZgzXS
            VgFycpleRMSCTjEIY/Ky4PJOlbUykf4CuFWnvJLSOcqjPbozzqjUaw4xzea2Lloj
            +Io3l0AHWqKCmv4qbZxim37YuicyM02A56pk7SMKXOuqbb1m5hBr
            =bvPZ
            -----END PGP MESSAGE-----
          fp: a53d4ca8d2cf54613822c81d660e69babee42643
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/machines/koyomi/services/hypervisor.nix
+++ b/machines/koyomi/services/hypervisor.nix
@ -0,0 +1,127 @@
 # SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 { lib, pkgs, ... }:
 let
  guests = { };
  # port forwarding for IPv4
  portForwards = {
    tcp = { };
    udp = { };
  };
 in
 {
  virtualisation.libvirtd = {
    enable = true;
    qemu.package = pkgs.qemu_kvm;
  };
  boot.kernel.sysctl = {
    "net.ipv4.conf.all.forwarding" = true;
    "net.ipv6.conf.all.forwarding" = true;
  };
  systemd.network = {
    enable = true;
    netdevs = {
      br-virt = {
        netdevConfig = {
          Name = "br-virt";
          Kind = "bridge";
        };
      };
    };
    networks = {
      br-virt = {
        name = "br-virt";
        address = [ "10.80.32.1/24" "2a01:4f8:151:712d:1::1/80" ];
      };
    };
  };
  services.resolved.enable = false;
  services.dnsmasq = {
    enable = true;
    settings = {
      interface = [ "br-virt" ];
      bind-interfaces = true; # do not bind to the wildcard interface
      bogus-priv = true; # do not forward revese lookups of internal addresses
      dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS
      domain-needed = true; # do not forward names without domain
      no-hosts = true; # do not resolve hosts from /etc/hosts
      no-resolv = true; # only use explicitly configured resolvers
      domain = [ "sbruder.de" ];
      enable-ra = true; # required to tell clients to use DHCPv6
      # Force static configuration
      dhcp-range = [
        "10.80.32.0,static,255.255.255.0"
        "2a01:4f8:151:712d:1::,static,80"
      ];
      dhcp-host = lib.flatten (lib.mapAttrsToList
        (name: { mac, v4, v6 }: [
          "${mac},${v4},${name}"
          "${mac},[${v6}],${name}"
        ])
        guests);
      # Hetzner recursive name servers
      # https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/
      server = [
        "185.12.64.1"
        "185.12.64.2"
        "2a01:4ff:ff00::add:1"
        "2a01:4ff:ff00::add:2"
      ];
    };
  };
  networking.firewall = {
    allowedTCPPorts = map lib.toInt (lib.attrNames portForwards.tcp);
    allowedUDPPorts = map lib.toInt (lib.attrNames portForwards.udp);
    interfaces.br-virt = {
      allowedTCPPorts = [ 53 ]; # EDNS
      allowedUDPPorts = [ 53 67 547 ]; # DNS / DHCP / DHCPv6
    };
  };
  networking.nftables = {
    enable = true;
    ruleset = ''
      # only IPv4
      table ip hypervisor-nat {
        chain postrouting {
          type nat hook postrouting priority filter; policy accept
          oifname eth0 masquerade
        }
        chain prerouting {
          type nat hook prerouting priority dstnat; policy accept
          ${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
            iifname eth0 tcp dport ${port} dnat to ${guests.${guest}.v4}
          '') portForwards.tcp)}
          ${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
            iifname eth0 udp dport ${port} dnat to ${guests.${guest}.v4}
          '') portForwards.udp)}
        }
      }
      table inet hypervisor-filter {
        chain forward {
          type filter hook forward priority filter; policy drop
          iifname br-virt oifname eth0 counter accept
          iifname eth0 oifname br-virt counter accept
        }
      }
    '';
  };
 }
--- a/machines/renge/services/prometheus.nix
+++ b/machines/renge/services/prometheus.nix
@ -75,6 +75,7 @@ in
          "shinobu.vpn.sbruder.de:9100"
          "nazuna.vpn.sbruder.de:9100"
          "yuzuru.vpn.sbruder.de:9100"
          "koyomi.vpn.sbruder.de:9100"
        ];
        relabel_configs = lib.singleton {
          target_label = "instance";
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@ -87,5 +87,13 @@
      hostNames = [ "[yuzuru.sbruder.de]:2222" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
    };
    koyomi = {
      hostNames = [ "koyomi" "koyomi.sbruder.de" "koyomi.vpn.sbruder.de" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZVoGK0JNltzqVWN9dejWMkedfzcipTv6iX52HTHaVz";
    };
    koyomi-initrd = {
      hostNames = [ "[koyomi.sbruder.de]:2222" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPQuXX9EJXcz7wkG/yDxrZVODaitAQ1lfGzedNrYKhI";
    };
  };
 }
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@ -48,6 +48,10 @@ let
      address = "10.80.0.16";
      publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
    };
    koyomi = {
      address = "10.80.0.17";
      publicKey = "fvQDGqmkcFUvfUFmkSagJZy6pGIP6ewZrzTQfaz+mmE=";
    };
  };
  cfg = config.sbruder.wireguard.home;