.. | ||
configuration.nix | ||
hardware-configuration.nix | ||
README.md | ||
secrets.yaml |
okarin
Hardware
Ionos VPS Linux XS S (1 Xeon Skylake vCPU, 1 GiB RAM, 10 GB SSD).
Purpose
It will host services I want to have separated from the rest of my infrastructure.
Name
Okabe Rintaro is a mad scientist from Steins;Gate
Setup
Much like the namesake, this server requires a “mad scientist” approach to set up. However, it is much easier than setting up its predecessor, which had just above 400 MiB usable memory.
Ionos does not offer any NixOS installation media. I could only choose between various installation media and rescue systems. Also, installing NixOS with a low amount of memory is problematic.
I therefore created a VM locally with a disk image exactly 10737418240 Bytes in size.
On there, I installed NixOS.
Because encryption with argon2id
as PBKDF is quite memory intensive,
I had to tune the parameters to ensure decryption was still possible on the target.
This can be done quite easily by interactively running the following command on the build VM:
cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3
The memory size was obtained by a successful run of cryptsetup benchmark
inside the initrd on the target.
However, since those parameters are not ideal, the following should later be run on the target host itself:
cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3
This will determine the memory usage automatically, use one thread and set the parameters so that decryption takes 10 seconds (10000 ms). The memory usage will not be as high as it could, but it will be better.
Getting the disk image onto the server was done
by first rsync
ing the image to another server (to allow for incremental iterations),
which then provided it via HTTP.
Using the Debian installation media in rescue mode
(as for some reason most other options tried to cache the file in memory and became very slow)
it was possible to write the image to disk with wget -O /dev/sda http://server/okarin.img
.
Because of all the pitfalls of this, you probably need more than one try. To make debugging easier on the target, the following option can be set:
{ pkgs, ... }:
{
boot.initrd.preLVMCommands = ''
${pkgs.bashInteractive}/bin/bash
'';
}