koyomi: Init

This commit is contained in:
Simon Bruder 2024-05-11 21:14:17 +02:00
parent 828d76e96e
commit ef488cdfd9
Signed by: simon
GPG key ID: 347FF8699CDA0776
11 changed files with 390 additions and 0 deletions

View file

@ -19,6 +19,7 @@ keys:
- &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7 - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
- &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
- &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4 - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
- &koyomi a53d4ca8d2cf54613822c81d660e69babee42643
creation_rules: creation_rules:
- path_regex: machines/nunotaba/secrets\.yaml$ - path_regex: machines/nunotaba/secrets\.yaml$
key_groups: key_groups:
@ -97,6 +98,13 @@ creation_rules:
- *simon-alpha - *simon-alpha
- *simon-beta - *simon-beta
- *yuzuru - *yuzuru
- path_regex: machines/koyomi/secrets\.yaml$
key_groups:
- pgp:
- *simon
- *simon-alpha
- *simon-beta
- *koyomi
- path_regex: secrets\.yaml$ - path_regex: secrets\.yaml$
key_groups: key_groups:
- pgp: - pgp:
@ -109,3 +117,4 @@ creation_rules:
- *fuuko - *fuuko
- *mayushii - *mayushii
- *renge - *renge
- *koyomi

28
keys/machines/koyomi.asc Normal file
View file

@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBAAAAAABEACxLvouloEvO6hjBfydEMJIEVzJLBqZJBmBvHmJKRbhWSldCWLi
bdL7L3Ld1K4uQKSEPNRk6LcVVCAPaXuhyeza57U8PNMBJrDESZ+SdAjuNw5/mDTa
VF4jgPzrPmQ1ufRiaOgxOj7OAwOqFEZBMeHXPrauY83dHgKJBcRuw5567YTJ0zoJ
bi3mtetgAeVwgPgQBgihDQhvxgxiOQ0kLbRRDFm8sVsp8o/zJbVy3zop4sJppOSg
JYzjFyt40wqPQ0TospxvwiYiJhg339hduZZ+J7+4XcdKnTVUNM8Ws7notVFRkWYG
8jWTUuld815WZUA/2rkjx7GsZ9sLChaXVmXRfUGO3G01zaEZ84PA/XrpemWVMs+I
y/1UznrSFy3bPh9/Jdpr4D5/gxsJaNs8ioSjb/3fXfZ4+kZySmQiWpagwsLXmPU3
eno5YjvuU8qCh37zWF7uhsUsIDXw1FWqgy7HoU7HLYHDpRoerEABQpIf3378eZJ1
+VK/Em2NLyapgBGx+hv+qrUGKAv+/bdTt5XQtQypHI5ihI2H/Rr/ZfTzIWcJIomR
KwCsjZDuiRWsQWa/WEqthPX/ckNKJuB25tkCFM4owMtgJEMSymRZ6Fd/zdI+WBS2
1QSECOHFyr8ha0OfpZF6qy8YYqV82EHeTQdqvAY18po8/Y5WGvm4Q0QCQwARAQAB
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
AQgAFgUCAAAAAAkQZg5pur7kJkMCGw8CGQEAANR9EABfKws/H9UX31pJbdWzSotN
/1OkQxCNQvTmzxByP+JDBZQoplKbhjwVi/seshwxCMGuvBklmFSdpzGXip68QR4Q
CYQsFg02URFKA8vggnIbpkNMB3/ckM6m6wQlMshTl1DPpZcZflppi/O68hIqtrSN
/xXx5hIBFqe4NY6+ouHRy+4KPnWqndcHSRC2TaYYiiAo9dBj7VyQsL0zYYyTAl0U
J6rolDz5VqWzkHklH/UMJ3u8ZwV2VHuyU5Drod8/1bDYtjGXxeUhcd25X4q0Gcqh
gts0zoV/kYgnX3rGzqT4q6MGHWzlHtblMxtPpV8m/fd2KDvIKDdJPnYsbKDNlX7j
QwVS8rE2T/FfU2KGoadNmSJACmCdShpCCd7CSHludcXLMDVuFijh4iCHkc3KvJJP
MrWqBTWzYB73O5WGAWDxL7trw80a5Qi2+5PRCQY0smOR4jC3d36PGjtD8ykCHlqt
HVZ2CtNl+6loGJ9TTgMwzNOY2PQPP2bhzdB16ht5CDsadFXrFD8mRVcwnQ6F0UU0
DROW+C7FdYkZiEM9r6QMkRX4Xkc4YTV7EL0kEwJkWvxTbL2X/r1lSOKE27iMk2D/
kkNzVXEH89ryyJc4Pgro5aTjzkAfTOUc+LV34b2CE0NGLjZvOvTic5SSdsAZ+PVL
CxhNpGhTpzl96WA2WsNP9Q==
=slmv
-----END PGP PUBLIC KEY BLOCK-----

View file

@ -76,4 +76,13 @@ in
targetHost = "yuzuru.sbruder.de"; targetHost = "yuzuru.sbruder.de";
}; };
koyomi = {
system = "x86_64-linux";
extraModules = [
hardware.common-cpu-intel
hardware.common-pc-ssd
];
targetHost = "koyomi.sbruder.de";
};
} }

37
machines/koyomi/README.md Normal file
View file

@ -0,0 +1,37 @@
<!--
SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
SPDX-License-Identifier: CC-BY-SA-4.0
-->
# koyomi
## Hardware
System from [Hetzner Online Serverbörse](https://www.hetzner.com/sb).
- Motherboard: FUJITSU D3401-H1
- CPU: Intel Core i7-6700
- RAM: 4×16GB Samsung [M378A2K43CB1-CRC](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43cb1-crc/)/[M378A2K43BB1-CPB](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43bb1-cpb/) (DDR4 2400/2133MHz)
- SSD: 2×512GB M.2 NVMe SAMSUNG MZVLB512HAJQ-00000
## Setup
As it is a physical server (not a VM) in a remote location,
extra care must be taken when installing.
Fortunately, Hetzner provides an automated way to reset the server (by sending Ctrl+Alt+Del or force resetting)
and a rescue system that can be activated before a reboot.
Additionally, there is also a *vKVM* rescue system,
that boots a hypervisor from the network and runs a VM which boots from the physical disks.
The rescue system can be used to start a kexec installer generated by [nixos-generators](https://github.com/nix-community/nixos-generators).
Ideally, everything goes well and the next reboot works,
but in the case it does not, the vKVM rescue system can be used for debugging.
## Purpose
Hypervisor. Exact scope is to be determined.
## Name
Araragi Koyomi is a student from the *Monogatari Series*.

View file

@ -0,0 +1,23 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
./services/hypervisor.nix
];
sbruder = {
wireguard.home.enable = true;
podman.enable = true;
};
networking.hostName = "koyomi";
system.stateVersion = "23.11";
}

View file

@ -0,0 +1,72 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ modulesPath, pkgs, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
swraid.enable = true;
kernelModules = [ "kvm-intel" ];
kernelParams = [ "ip=dhcp" ];
loader = {
grub = {
devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
};
};
initrd = {
availableKernelModules = [ "aesni_intel" "ahci" "e1000e" "nvme" ];
kernelModules = [ "dm-snapshot" ];
network.enable = true; # remote unlocking
luks.devices = {
koyomi-pv = {
name = "koyomi-pv";
device = "/dev/disk/by-uuid/9145417d-e8f5-4aa9-a526-419e507c47fd";
preLVM = true;
allowDiscards = true;
};
};
# FIXME XXX HACK
# This is required to have the md device available under /dev/disk/by-uuid.
# Both commands are run as part of the regular stage-1 init script,
# but for some reason, they need to be run twice.
preLVMCommands = ''
udevadm trigger
udevadm settle
'';
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/3b31163f-4fec-4e1c-b311-7c8aaca76cd4";
fsType = "btrfs";
options = [ "discard=async" "noatime" "compress=zstd" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
};
};
networking.useDHCP = false;
networking.usePredictableInterfaceNames = false;
systemd.network = {
enable = true;
networks = {
eth0 = {
name = "eth0";
DHCP = "yes";
domains = [ "sbruder.de" ];
address = [ "2a01:4f8:151:712d::1/64" ];
gateway = [ "fe80::1" ];
};
};
};
}

View file

@ -0,0 +1,72 @@
wg-home-private-key: ENC[AES256_GCM,data:fFoXn5sLL06hNeXhQGKbheQV4ZNlYxJKWlHpPfyF6PyYbBcz4An9DPYnQKk=,iv:pY2dVEspIijtZkatUrSdg90D0ldxAoy5rUj1lw1cOF8=,tag:jz4q+Yum05S9c5OlciBZ1g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-05-11T21:49:03Z"
mac: ENC[AES256_GCM,data:yS/v+NWiLlFLTwnbhaYVg98H/ThqW5r+3eC1YsvJRRrF/yZBk6nUtK8CT4tvR9PUeks4a2H15/5aY2oDxnABhXhkbasZjnl3+YGF8SOIwo+YuWJ5A3rHJZQMJGRGg8dwh4xkJMDJKb2Or1uH3ZiSclVMQDiM3RGVifLhtv+gJEc=,iv:ygTcKqU5pzkOoGUx9xw9BzWJx15t28w3tJVH4eAdxS4=,tag:F5/8SSt/eON9zwWGGUyUEQ==,type:str]
pgp:
- created_at: "2024-05-11T21:48:51Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdATNhq0wu5gLVG+7PHCtdQRxgC6GqQrvrttZnN3AvnZ0ww
qBdXl+6qkWHyjvclklzcNfpcMD7cmRwRDSDSQASmSTAyulBbgjDuou9Tjl/Rxorl
hF4Dub78fMESoMASAQdAIhgR5ZyuaP12Mav7NNapUcWrScnmjNPh46oX2W3jDDsw
in+hRRYC6apDKMcC3IFEzo6vy7OfhEeMR2IthtU0Y+bgdfjpwEOZ4J5CLg2ERZO+
hF4DM6AcvgVUx2MSAQdAKc70+YldBMdetkmcWWJYDSUbewIJOrDCJBS+TUTQ2hQw
dq03NJuiqwsrN1YBa1qHELTJj7CvrxTvVSQvDpSEwD3WVk8Qn5z1lMgBrivxCGa8
1GYBCQIQj3MkZci7qGULIHivbsOSwX6a3T9JQRkmHylyzZDxYRUz3TLhNvjuly58
TxBJcHkDmXDP5T+UACrryRIN2h/J/+gw6WkHnPJOcs5JFqB9uneVwpW1A3jNMhRD
iXDXWxIe5PY=
=zp+l
-----END PGP MESSAGE-----
fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
- created_at: "2024-05-11T21:48:51Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4Dub78fMESoMASAQdAs3PQ1mkR/MS3vg1qCTPiQihx7yZvQlqlhYRsRigJDiEw
WuZYC66MsLHi2YQEkFoxG0bgt3sHkVRlq72ae713UzfWiI0Dl59dxtGcOtvdo5LK
1GYBCQIQIupCIS36+zkecqWl1h55C0G/bC+SHdwgp5nFbva+3fidastsvakUDuTW
dGOLK1FC2xUrct/rLGBmWA48fSOA/VJiiEVzP0TsVCytTx/Y44jm0f5HC85LNnNy
8GoFUoOn6tE=
=A7C7
-----END PGP MESSAGE-----
fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
- created_at: "2024-05-11T21:48:51Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdAK53bLfsn0k8SFw/88FliX2Yaev9oMGmKSR7f/6vJmH4w
pZxJqMwkpWt3We5DAkN+VFuawOzPNrV0vmmd8StlajZ5GIaz713QJQ8cpVrE/sPh
1GYBCQIQUuj0dgOWLtcB/w1vHj0qQW8LnMG5uVY7gk+hPmllQb8TJ1aRUkcPrKoE
rXUCl17BO59C4AUWLu/0RviAki6FMZC1S0g1z8eOck6CFSnW4i4uMB0g5Yi5kqpK
K0oWZqedIzU=
=Z8wz
-----END PGP MESSAGE-----
fp: 403215E0F99D2582C7055C512C77841620B8F380
- created_at: "2024-05-11T21:48:51Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA2YOabq+5CZDAQ//beLzskyTj+PN79rvrupVY5gwWxIhYuoRs2ZkJSlNyRYg
exNxwPAjssi3yKoUOy9TNbxzOKP5VwehnOPlJ4jyVgdZ9zksJH9k0WnfhlmabHeC
UnYsUSDB7VUFrpacdIKjmFM6OPlu7Xm98RwSabkmlHEE/voF/Ma5yWT0c3Sx2lzv
ucNSCqmjY0D6S5tJz+3nYsT54OjS+Jlr96CPOR9dz1jEGGQMfwyMxwMLhVpVBDKE
uusl5VD3jw50wYbkhvYscGGkdOkLwAFMIwYvw1seYFTb3kux8ChahYQ3QtPn3ZUD
OoPqYUtgpcnZTAcMGvzL7B0OwJLsCpin454yko56KV/cnIHwSv2cyfsQB0M4dz6l
OalAS5BpqhZ2ulDm34yFlRE7MD+H12tOzBJIFjGQksv9DiuRyezZnevBqlOdott8
cSDfO3RD3wGdUOIVwi3B92N5j1w39d2wKoXa19kM66mzsdbQrXwmxKa8gQMkjsG9
Ds2sUwQlKZ0HvvNkJTJ+NORWKKvwGXKqVPwOTUaZjzQGUtVWg5WSjmFoPQ049nqf
gLYhy0OeyEAIRe9HjNo5YANPNBF63qTT2++n6xs2ErXjHNNi85yUnhCBqRRI3Od6
HkLlLQN3i6RdV5C1wJwu3k1N6a+dl03gFgO3PSJZaLpIhHJuOJwYT3rCGi3ZgzXS
VgFycpleRMSCTjEIY/Ky4PJOlbUykf4CuFWnvJLSOcqjPbozzqjUaw4xzea2Lloj
+Io3l0AHWqKCmv4qbZxim37YuicyM02A56pk7SMKXOuqbb1m5hBr
=bvPZ
-----END PGP MESSAGE-----
fp: a53d4ca8d2cf54613822c81d660e69babee42643
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -0,0 +1,127 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, pkgs, ... }:
let
guests = { };
# port forwarding for IPv4
portForwards = {
tcp = { };
udp = { };
};
in
{
virtualisation.libvirtd = {
enable = true;
qemu.package = pkgs.qemu_kvm;
};
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
systemd.network = {
enable = true;
netdevs = {
br-virt = {
netdevConfig = {
Name = "br-virt";
Kind = "bridge";
};
};
};
networks = {
br-virt = {
name = "br-virt";
address = [ "10.80.32.1/24" "2a01:4f8:151:712d:1::1/80" ];
};
};
};
services.resolved.enable = false;
services.dnsmasq = {
enable = true;
settings = {
interface = [ "br-virt" ];
bind-interfaces = true; # do not bind to the wildcard interface
bogus-priv = true; # do not forward revese lookups of internal addresses
dhcp-fqdn = true; # only insert qualified names of DHCP clients into DNS
domain-needed = true; # do not forward names without domain
no-hosts = true; # do not resolve hosts from /etc/hosts
no-resolv = true; # only use explicitly configured resolvers
domain = [ "sbruder.de" ];
enable-ra = true; # required to tell clients to use DHCPv6
# Force static configuration
dhcp-range = [
"10.80.32.0,static,255.255.255.0"
"2a01:4f8:151:712d:1::,static,80"
];
dhcp-host = lib.flatten (lib.mapAttrsToList
(name: { mac, v4, v6 }: [
"${mac},${v4},${name}"
"${mac},[${v6}],${name}"
])
guests);
# Hetzner recursive name servers
# https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/
server = [
"185.12.64.1"
"185.12.64.2"
"2a01:4ff:ff00::add:1"
"2a01:4ff:ff00::add:2"
];
};
};
networking.firewall = {
allowedTCPPorts = map lib.toInt (lib.attrNames portForwards.tcp);
allowedUDPPorts = map lib.toInt (lib.attrNames portForwards.udp);
interfaces.br-virt = {
allowedTCPPorts = [ 53 ]; # EDNS
allowedUDPPorts = [ 53 67 547 ]; # DNS / DHCP / DHCPv6
};
};
networking.nftables = {
enable = true;
ruleset = ''
# only IPv4
table ip hypervisor-nat {
chain postrouting {
type nat hook postrouting priority filter; policy accept
oifname eth0 masquerade
}
chain prerouting {
type nat hook prerouting priority dstnat; policy accept
${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
iifname eth0 tcp dport ${port} dnat to ${guests.${guest}.v4}
'') portForwards.tcp)}
${lib.concatStrings (lib.mapAttrsToList (port: guest: ''
iifname eth0 udp dport ${port} dnat to ${guests.${guest}.v4}
'') portForwards.udp)}
}
}
table inet hypervisor-filter {
chain forward {
type filter hook forward priority filter; policy drop
iifname br-virt oifname eth0 counter accept
iifname eth0 oifname br-virt counter accept
}
}
'';
};
}

View file

@ -75,6 +75,7 @@ in
"shinobu.vpn.sbruder.de:9100" "shinobu.vpn.sbruder.de:9100"
"nazuna.vpn.sbruder.de:9100" "nazuna.vpn.sbruder.de:9100"
"yuzuru.vpn.sbruder.de:9100" "yuzuru.vpn.sbruder.de:9100"
"koyomi.vpn.sbruder.de:9100"
]; ];
relabel_configs = lib.singleton { relabel_configs = lib.singleton {
target_label = "instance"; target_label = "instance";

View file

@ -87,5 +87,13 @@
hostNames = [ "[yuzuru.sbruder.de]:2222" ]; hostNames = [ "[yuzuru.sbruder.de]:2222" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
}; };
koyomi = {
hostNames = [ "koyomi" "koyomi.sbruder.de" "koyomi.vpn.sbruder.de" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZVoGK0JNltzqVWN9dejWMkedfzcipTv6iX52HTHaVz";
};
koyomi-initrd = {
hostNames = [ "[koyomi.sbruder.de]:2222" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPQuXX9EJXcz7wkG/yDxrZVODaitAQ1lfGzedNrYKhI";
};
}; };
} }

View file

@ -48,6 +48,10 @@ let
address = "10.80.0.16"; address = "10.80.0.16";
publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU="; publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
}; };
koyomi = {
address = "10.80.0.17";
publicKey = "fvQDGqmkcFUvfUFmkSagJZy6pGIP6ewZrzTQfaz+mmE=";
};
}; };
cfg = config.sbruder.wireguard.home; cfg = config.sbruder.wireguard.home;