nixos-config/machines/okarin
2024-01-22 17:32:02 +01:00
services Relicense 2024-01-13 14:39:22 +01:00
configuration.nix Relicense 2024-01-13 14:39:22 +01:00
hardware-configuration.nix Relicense 2024-01-13 14:39:22 +01:00
README.md Relicense 2024-01-13 14:39:22 +01:00
secrets.yaml sops: Switch to new PGP key 2024-01-22 17:32:02 +01:00

okarin

Hardware

Ionos Cloud VPS S (1 Xeon Gold 5120 vCPU, “512MB” = 443MiB RAM, 10 GB SSD).

Purpose

It will host services I want to have separated from the rest of my infrastructure.

Name

Okabe Rintaro is a mad scientist from Steins;Gate.

Setup

Much like the namesake, this server requires a “mad scientist” approach to set up.

Ionos does not offer any NixOS installation media. I could only choose between Debian installation media, Knoppix and GParted. Also, installing with a very low amount of memory is quite hard.

I therefore created a VM locally with a disk image exactly 10737418240 bytes in size. On there, I installed NixOS. Because encryption with argon2id as PBKDF is quite memory intensive, I had to tune the parameters somewhat. What I settled on was: cryptsetup luksFormat --pbkdf argon2id --iter-time 10000 --pbkdf-memory 250000 /dev/sda3

To make btrfs use its SSD optimizations, I had to force the kernel to see the device as non-rotational: echo 0 > /sys/block/dm-0/queue/rotational

Another problem was the usage of VMware by Ionos. The VM I set this up with was obviously using KVM/QEMU, so it needed different kernel modules at boot. What worked was setting it up in the local VM with both libvirt and vmware modules, and then removing the libvirt modules once it was installed on the target.

Getting the disk image onto the server was done by first rsyncing the image to another server (to allow for incremental iterations), which then provided it via HTTP. Using the Knoppix live image (booted with knoppix 2 to avoid starting the GUI), it was possible to just curl http://server/okarin.img > /dev/sda.
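The transfer above runs over plain HTTP straight onto the disk, so nothing confirms that the bytes on /dev/sda are the bytes that were built. The following is an added example, not part of the original README: it checks the image size against the 10737418240 bytes stated above and compares a SHA-256 read back from the target with one recorded on the build machine. The function names are hypothetical, and it assumes sha256sum is available in the live system.

```shell
#!/bin/sh
# Added example, not from the original README. Function names are hypothetical.
EXPECTED_SIZE=10737418240   # bytes; exact disk size stated in the README

# hash_prefix PATH SIZE: SHA-256 of the first SIZE bytes of a file or block device.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# check_image_size IMAGE [SIZE]: succeed only if IMAGE is exactly SIZE bytes,
# so the image neither overruns the target disk nor leaves stale data behind.
check_image_size() {
    actual=$(wc -c < "$1") || return 2
    [ "$actual" -eq "${2:-$EXPECTED_SIZE}" ]
}

# verify_written TARGET EXPECTED_SHA256 [SIZE]: read back what was written and
# compare it with the hash recorded where the image was built.
verify_written() {
    target=$1
    want=$2
    size=${3:-$EXPECTED_SIZE}
    got=$(hash_prefix "$target" "$size") || return 2
    if [ "$got" = "$want" ]; then
        echo "OK: $target matches $want"
    else
        echo "MISMATCH: $target has $got, expected $want" >&2
        return 1
    fi
}
```

Record the hash with sha256sum okarin.img on the build machine, carry it over a channel other than the HTTP server, and run verify_written /dev/sda with that hash from the Knoppix shell after the curl finishes.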

Because of all the pitfalls of this, you probably need more than one try.