nixos-config/machines/okarin/README.md
2023-05-06 11:39:31 +02:00

# okarin
## Hardware
[Ionos Cloud VPS](https://cloud.ionos.de/server/vps) S (1 Xeon Gold 5120 vCPU, “512MB” = 443MiB RAM, 10 GB SSD).
## Purpose
It will host services I want to have separated from the rest of my infrastructure.
## Name
Okabe Rintaro is a mad scientist from *Steins;Gate*.
## Setup
Much like the namesake,
this server requires a “mad scientist” approach to set up.
Ionos does not offer any NixOS installation media.
I could only choose between Debian installation media, Knoppix and GParted.
Also, installing with a very low amount of memory is quite hard.
I therefore created a VM locally with a disk image exactly 10737418240 bytes in size.
On there, I installed NixOS.
Because encryption with `argon2id` as PBKDF is quite memory intensive, I had to tune the parameters some.
What I settled on was
`cryptsetup luksFormat --pbkdf argon2id --iter-time 10000 --pbkdf-memory 250000 /dev/sda3`.
To make btrfs use its SSD optimizations,
I had to force the kernel to see the device as non-rotational:
`echo 0 > /sys/block/dm-0/queue/rotational`
Another problem was the usage of VMware by Ionos.
The VM I set this up with was obviously using KVM/QEMU,
so it needed different kernel modules at boot.
What worked was setting it up in the local VM with both libvirt and vmware modules,
and then removing the libvirt modules once it was installed on the target.
Getting the disk image onto the server was done
by first `rsync`ing the image to another server (to allow for incremental iterations),
which then provided it via HTTP.
Using the Knoppix live image (booted with `knoppix 2` to avoid starting the GUI),
it was possible to just `curl http://server/okarin.img > /dev/sda`.
Because of all the pitfalls of this,
you probably need more than one try.
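
The image travels over plain HTTP and is written straight to `/dev/sda`, so nothing in the steps above confirms that the disk holds what was built. A read-back check for that step, as an added example that is not part of the original README: the function names are hypothetical, and it assumes `sha256sum` is available on both machines and that the expected digest reaches the target separately from the HTTP download.

```shell
#!/bin/sh
# Added example, not part of the original README. Function names are hypothetical.
# Assumption: sha256sum exists on the build VM and in the live system, and the
# expected digest is carried to the target separately from the HTTP download.
#
# Build VM:     sha256sum okarin.img
# Live system:  verify_image /dev/sda 10737418240 <digest from the build VM>

# image_digest TARGET SIZE_BYTES
# Prints the SHA-256 of the first SIZE_BYTES of TARGET (block device or file).
# Hashing an exact byte count keeps the result comparable to the image file
# even when the device is larger than the image.
image_digest() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# verify_image TARGET SIZE_BYTES EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 if the expected digest is unusable.
# An interrupted download also ends in 1 unless the unwritten tail already
# held the image's bytes, because the tail keeps whatever was there before.
verify_image() {
    target=$1
    size=$2
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')

    # Refuse an empty or malformed digest so a lost value can never "match".
    case $expected in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected digest is not 64 hex characters" >&2
        return 2
    fi

    actual=$(image_digest "$target" "$size")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH on $target: got $actual" >&2
        return 1
    fi
    echo "OK: first $size bytes of $target match $expected"
}
```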