fixup! koyomi: Init

WIP: koyomi libvirt
koyomi: Init
2024-05-12 01:33:35 +02:00 · 2024-05-12 01:01:31 +02:00 · 2024-05-12 01:01:31 +02:00 · 2024-05-12 01:01:18 +02:00
11 changed files with 270 additions and 3 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -19,6 +19,7 @@ keys:
  - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
  - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
  - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
+  - &koyomi a53d4ca8d2cf54613822c81d660e69babee42643
 creation_rules:
  - path_regex: machines/nunotaba/secrets\.yaml$
    key_groups:
@ -97,6 +98,13 @@ creation_rules:
      - *simon-alpha
      - *simon-beta
      - *yuzuru
+  - path_regex: machines/koyomi/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *simon
+      - *simon-alpha
+      - *simon-beta
+      - *koyomi
  - path_regex: secrets\.yaml$
    key_groups:
    - pgp:
@ -109,3 +117,4 @@ creation_rules:
      - *fuuko
      - *mayushii
      - *renge
+      - *koyomi
--- a/flake.nix
+++ b/flake.nix
@ -156,12 +156,11 @@
                pkgs.writeShellScript "unlock-${hostname}" ''
                  set -exo pipefail
                  # opening luks fails if gpg-agent is not unlocked yet
-                  pass "devices/${hostname}/luks" >/dev/null
-                  ssh \
+                  pass "devices/${hostname}/luks" | ssh \
                      ${lib.optionalString unlockOverV4 "-4"} \
                      -p 2222 \
                      "root@${targetHost}" \
-                      "cat > /crypt-ramfs/passphrase" < <(pass "devices/${hostname}/luks")
+                      "cat > /crypt-ramfs/passphrase"
                '')
              self.nixosConfigurations);

--- a/keys/machines/koyomi.asc
+++ b/keys/machines/koyomi.asc
@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBAAAAAABEACxLvouloEvO6hjBfydEMJIEVzJLBqZJBmBvHmJKRbhWSldCWLi
+bdL7L3Ld1K4uQKSEPNRk6LcVVCAPaXuhyeza57U8PNMBJrDESZ+SdAjuNw5/mDTa
+VF4jgPzrPmQ1ufRiaOgxOj7OAwOqFEZBMeHXPrauY83dHgKJBcRuw5567YTJ0zoJ
+bi3mtetgAeVwgPgQBgihDQhvxgxiOQ0kLbRRDFm8sVsp8o/zJbVy3zop4sJppOSg
+JYzjFyt40wqPQ0TospxvwiYiJhg339hduZZ+J7+4XcdKnTVUNM8Ws7notVFRkWYG
+8jWTUuld815WZUA/2rkjx7GsZ9sLChaXVmXRfUGO3G01zaEZ84PA/XrpemWVMs+I
+y/1UznrSFy3bPh9/Jdpr4D5/gxsJaNs8ioSjb/3fXfZ4+kZySmQiWpagwsLXmPU3
+eno5YjvuU8qCh37zWF7uhsUsIDXw1FWqgy7HoU7HLYHDpRoerEABQpIf3378eZJ1
+VK/Em2NLyapgBGx+hv+qrUGKAv+/bdTt5XQtQypHI5ihI2H/Rr/ZfTzIWcJIomR
+KwCsjZDuiRWsQWa/WEqthPX/ckNKJuB25tkCFM4owMtgJEMSymRZ6Fd/zdI+WBS2
+1QSECOHFyr8ha0OfpZF6qy8YYqV82EHeTQdqvAY18po8/Y5WGvm4Q0QCQwARAQAB
+zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
+AQgAFgUCAAAAAAkQZg5pur7kJkMCGw8CGQEAANR9EABfKws/H9UX31pJbdWzSotN
+/1OkQxCNQvTmzxByP+JDBZQoplKbhjwVi/seshwxCMGuvBklmFSdpzGXip68QR4Q
+CYQsFg02URFKA8vggnIbpkNMB3/ckM6m6wQlMshTl1DPpZcZflppi/O68hIqtrSN
+/xXx5hIBFqe4NY6+ouHRy+4KPnWqndcHSRC2TaYYiiAo9dBj7VyQsL0zYYyTAl0U
+J6rolDz5VqWzkHklH/UMJ3u8ZwV2VHuyU5Drod8/1bDYtjGXxeUhcd25X4q0Gcqh
+gts0zoV/kYgnX3rGzqT4q6MGHWzlHtblMxtPpV8m/fd2KDvIKDdJPnYsbKDNlX7j
+QwVS8rE2T/FfU2KGoadNmSJACmCdShpCCd7CSHludcXLMDVuFijh4iCHkc3KvJJP
+MrWqBTWzYB73O5WGAWDxL7trw80a5Qi2+5PRCQY0smOR4jC3d36PGjtD8ykCHlqt
+HVZ2CtNl+6loGJ9TTgMwzNOY2PQPP2bhzdB16ht5CDsadFXrFD8mRVcwnQ6F0UU0
+DROW+C7FdYkZiEM9r6QMkRX4Xkc4YTV7EL0kEwJkWvxTbL2X/r1lSOKE27iMk2D/
+kkNzVXEH89ryyJc4Pgro5aTjzkAfTOUc+LV34b2CE0NGLjZvOvTic5SSdsAZ+PVL
+CxhNpGhTpzl96WA2WsNP9Q==
+=slmv
+-----END PGP PUBLIC KEY BLOCK-----
--- a/machines/default.nix
+++ b/machines/default.nix
@ -76,4 +76,13 @@ in

    targetHost = "yuzuru.sbruder.de";
  };
+  koyomi = {
+    system = "x86_64-linux";
+    extraModules = [
+      hardware.common-cpu-intel
+      hardware.common-pc-ssd
+    ];
+
+    targetHost = "koyomi.sbruder.de";
+  };
 }
--- a/machines/koyomi/README.md
+++ b/machines/koyomi/README.md
@ -0,0 +1,37 @@
+<!--
+SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+
+SPDX-License-Identifier: CC-BY-SA-4.0
+-->
+
+# koyomi
+
+## Hardware
+
+System from [Hetzner Online Serverbörse](https://www.hetzner.com/sb).
+
+- Motherboard: FUJITSU D3401-H1
+- CPU: Intel Core i7-6700
+- RAM: 4×16 GB Samsung [M378A2K43CB1-CRC](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43cb1-crc/)/[M378A2K43BB1-CPB](https://semiconductor.samsung.com/dram/module/udimm/m378a2k43bb1-cpb/) (DDR4 2400/2133 MHz)
+- SSD: 2×512 GB M.2 NVMe SAMSUNG MZVLB512HAJQ-00000
+
+## Setup
+
+As it is a physical server (not a VM) in a remote location,
+extra care must be taken when installing.
+Fortunately, Hetzner provides an automated way to reset the server (by sending Ctrl+Alt+Del or force resetting)
+and a rescue system that can be activated before a reboot.
+Additionally, there is also a *vKVM* rescue system,
+that boots a hypervisor from the network and runs a VM which boots from the physical disks.
+
+The rescue system can be used to start a kexec installer generated by [nixos-generators](https://github.com/nix-community/nixos-generators).
+Ideally, everything goes well and the next reboot works,
+but in the case it does not, the vKVM rescue system can be used for debugging.
+
+## Purpose
+
+Hypervisor. Exact scope is to be determined.
+
+## Name
+
+Araragi Koyomi is a student from the *Monogatari Series*.
--- a/machines/koyomi/configuration.nix
+++ b/machines/koyomi/configuration.nix
@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules
+  ];
+
+  sbruder = {
+    wireguard.home.enable = true;
+    infovhost.enable = true;
+  };
+
+  networking.hostName = "koyomi";
+
+  system.stateVersion = "23.11";
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  virtualisation.libvirtd = {
+    enable = true;
+    qemu.package = pkgs.qemu_kvm;
+  };
+}
--- a/machines/koyomi/hardware-configuration.nix
+++ b/machines/koyomi/hardware-configuration.nix
@ -0,0 +1,72 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ modulesPath, pkgs, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    swraid.enable = true;
+    kernelModules = [ "kvm-intel" ];
+    kernelParams = [ "ip=dhcp" ];
+    loader = {
+      grub = {
+        devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
+      };
+    };
+    initrd = {
+      availableKernelModules = [ "aesni_intel" "ahci" "e1000e" "nvme" ];
+      kernelModules = [ "dm-snapshot" ];
+      network.enable = true; # remote unlocking
+      luks.devices = {
+        koyomi-pv = {
+          name = "koyomi-pv";
+          device = "/dev/disk/by-uuid/9145417d-e8f5-4aa9-a526-419e507c47fd";
+          preLVM = true;
+          allowDiscards = true;
+        };
+      };
+
+      # FIXME XXX HACK
+      # This is required to have the md device available under /dev/disk/by-uuid.
+      # Both commands are run as part of the regular stage-1 init script,
+      # but for some reason, they need to be run twice.
+      preLVMCommands = ''
+        udevadm trigger
+        udevadm settle
+      '';
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/3b31163f-4fec-4e1c-b311-7c8aaca76cd4";
+      fsType = "btrfs";
+      options = [ "discard=async" "noatime" "compress=zstd" ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/12CE-A600";
+      fsType = "vfat";
+    };
+  };
+
+  networking.useDHCP = false;
+  networking.usePredictableInterfaceNames = false;
+  systemd.network = {
+    enable = true;
+    networks = {
+      eth0 = {
+        name = "eth0";
+        DHCP = "yes";
+        domains = [ "sbruder.de" ];
+        address = [ "2a01:4f8:151:712d::1/64" ];
+        gateway = [ "fe80::1" ];
+      };
+    };
+  };
+}
--- a/machines/koyomi/secrets.yaml
+++ b/machines/koyomi/secrets.yaml
@ -0,0 +1,72 @@
+wg-home-private-key: ENC[AES256_GCM,data:fFoXn5sLL06hNeXhQGKbheQV4ZNlYxJKWlHpPfyF6PyYbBcz4An9DPYnQKk=,iv:pY2dVEspIijtZkatUrSdg90D0ldxAoy5rUj1lw1cOF8=,tag:jz4q+Yum05S9c5OlciBZ1g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-05-11T21:49:03Z"
+    mac: ENC[AES256_GCM,data:yS/v+NWiLlFLTwnbhaYVg98H/ThqW5r+3eC1YsvJRRrF/yZBk6nUtK8CT4tvR9PUeks4a2H15/5aY2oDxnABhXhkbasZjnl3+YGF8SOIwo+YuWJ5A3rHJZQMJGRGg8dwh4xkJMDJKb2Or1uH3ZiSclVMQDiM3RGVifLhtv+gJEc=,iv:ygTcKqU5pzkOoGUx9xw9BzWJx15t28w3tJVH4eAdxS4=,tag:F5/8SSt/eON9zwWGGUyUEQ==,type:str]
+    pgp:
+        - created_at: "2024-05-11T21:48:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DLHeEFiC484ASAQdATNhq0wu5gLVG+7PHCtdQRxgC6GqQrvrttZnN3AvnZ0ww
+            qBdXl+6qkWHyjvclklzcNfpcMD7cmRwRDSDSQASmSTAyulBbgjDuou9Tjl/Rxorl
+            hF4Dub78fMESoMASAQdAIhgR5ZyuaP12Mav7NNapUcWrScnmjNPh46oX2W3jDDsw
+            in+hRRYC6apDKMcC3IFEzo6vy7OfhEeMR2IthtU0Y+bgdfjpwEOZ4J5CLg2ERZO+
+            hF4DM6AcvgVUx2MSAQdAKc70+YldBMdetkmcWWJYDSUbewIJOrDCJBS+TUTQ2hQw
+            dq03NJuiqwsrN1YBa1qHELTJj7CvrxTvVSQvDpSEwD3WVk8Qn5z1lMgBrivxCGa8
+            1GYBCQIQj3MkZci7qGULIHivbsOSwX6a3T9JQRkmHylyzZDxYRUz3TLhNvjuly58
+            TxBJcHkDmXDP5T+UACrryRIN2h/J/+gw6WkHnPJOcs5JFqB9uneVwpW1A3jNMhRD
+            iXDXWxIe5PY=
+            =zp+l
+            -----END PGP MESSAGE-----
+          fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
+        - created_at: "2024-05-11T21:48:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dub78fMESoMASAQdAs3PQ1mkR/MS3vg1qCTPiQihx7yZvQlqlhYRsRigJDiEw
+            WuZYC66MsLHi2YQEkFoxG0bgt3sHkVRlq72ae713UzfWiI0Dl59dxtGcOtvdo5LK
+            1GYBCQIQIupCIS36+zkecqWl1h55C0G/bC+SHdwgp5nFbva+3fidastsvakUDuTW
+            dGOLK1FC2xUrct/rLGBmWA48fSOA/VJiiEVzP0TsVCytTx/Y44jm0f5HC85LNnNy
+            8GoFUoOn6tE=
+            =A7C7
+            -----END PGP MESSAGE-----
+          fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
+        - created_at: "2024-05-11T21:48:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DLHeEFiC484ASAQdAK53bLfsn0k8SFw/88FliX2Yaev9oMGmKSR7f/6vJmH4w
+            pZxJqMwkpWt3We5DAkN+VFuawOzPNrV0vmmd8StlajZ5GIaz713QJQ8cpVrE/sPh
+            1GYBCQIQUuj0dgOWLtcB/w1vHj0qQW8LnMG5uVY7gk+hPmllQb8TJ1aRUkcPrKoE
+            rXUCl17BO59C4AUWLu/0RviAki6FMZC1S0g1z8eOck6CFSnW4i4uMB0g5Yi5kqpK
+            K0oWZqedIzU=
+            =Z8wz
+            -----END PGP MESSAGE-----
+          fp: 403215E0F99D2582C7055C512C77841620B8F380
+        - created_at: "2024-05-11T21:48:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA2YOabq+5CZDAQ//beLzskyTj+PN79rvrupVY5gwWxIhYuoRs2ZkJSlNyRYg
+            exNxwPAjssi3yKoUOy9TNbxzOKP5VwehnOPlJ4jyVgdZ9zksJH9k0WnfhlmabHeC
+            UnYsUSDB7VUFrpacdIKjmFM6OPlu7Xm98RwSabkmlHEE/voF/Ma5yWT0c3Sx2lzv
+            ucNSCqmjY0D6S5tJz+3nYsT54OjS+Jlr96CPOR9dz1jEGGQMfwyMxwMLhVpVBDKE
+            uusl5VD3jw50wYbkhvYscGGkdOkLwAFMIwYvw1seYFTb3kux8ChahYQ3QtPn3ZUD
+            OoPqYUtgpcnZTAcMGvzL7B0OwJLsCpin454yko56KV/cnIHwSv2cyfsQB0M4dz6l
+            OalAS5BpqhZ2ulDm34yFlRE7MD+H12tOzBJIFjGQksv9DiuRyezZnevBqlOdott8
+            cSDfO3RD3wGdUOIVwi3B92N5j1w39d2wKoXa19kM66mzsdbQrXwmxKa8gQMkjsG9
+            Ds2sUwQlKZ0HvvNkJTJ+NORWKKvwGXKqVPwOTUaZjzQGUtVWg5WSjmFoPQ049nqf
+            gLYhy0OeyEAIRe9HjNo5YANPNBF63qTT2++n6xs2ErXjHNNi85yUnhCBqRRI3Od6
+            HkLlLQN3i6RdV5C1wJwu3k1N6a+dl03gFgO3PSJZaLpIhHJuOJwYT3rCGi3ZgzXS
+            VgFycpleRMSCTjEIY/Ky4PJOlbUykf4CuFWnvJLSOcqjPbozzqjUaw4xzea2Lloj
+            +Io3l0AHWqKCmv4qbZxim37YuicyM02A56pk7SMKXOuqbb1m5hBr
+            =bvPZ
+            -----END PGP MESSAGE-----
+          fp: a53d4ca8d2cf54613822c81d660e69babee42643
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/machines/renge/services/prometheus.nix
+++ b/machines/renge/services/prometheus.nix
@ -75,6 +75,7 @@ in
          "shinobu.vpn.sbruder.de:9100"
          "nazuna.vpn.sbruder.de:9100"
          "yuzuru.vpn.sbruder.de:9100"
+          "koyomi.vpn.sbruder.de:9100"
        ];
        relabel_configs = lib.singleton {
          target_label = "instance";
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@ -87,5 +87,13 @@
      hostNames = [ "[yuzuru.sbruder.de]:2222" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcvbbHSK7x9t0Jpr4L55RTC4WRNJIgKZ1B+99PhpSX8";
    };
+    koyomi = {
+      hostNames = [ "koyomi" "koyomi.sbruder.de" "koyomi.vpn.sbruder.de" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZVoGK0JNltzqVWN9dejWMkedfzcipTv6iX52HTHaVz";
+    };
+    koyomi-initrd = {
+      hostNames = [ "[koyomi.sbruder.de]:2222" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPQuXX9EJXcz7wkG/yDxrZVODaitAQ1lfGzedNrYKhI";
+    };
  };
 }
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@ -48,6 +48,10 @@ let
      address = "10.80.0.16";
      publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
    };
+    koyomi = {
+      address = "10.80.0.17";
+      publicKey = "fvQDGqmkcFUvfUFmkSagJZy6pGIP6ewZrzTQfaz+mmE=";
+    };
  };

  cfg = config.sbruder.wireguard.home;
Author	SHA1	Message	Date
Simon Bruder	c3dd51b352	fixup! koyomi: Init	2024-05-12 01:33:35 +02:00
Simon Bruder	4c31b3be7f	WIP: koyomi libvirt	2024-05-12 01:01:31 +02:00
Simon Bruder	69c5948149	koyomi: Init	2024-05-12 01:01:31 +02:00
Simon Bruder	ada59a1fbd	unlock: Simplify	2024-05-12 01:01:18 +02:00