nixos-config/machines/okarin/README.md


# okarin

## Hardware

Ionos VPS Linux XS S (1 Xeon Skylake vCPU, 1GiB RAM, 10GB SSD).

## Purpose

It will host services I want to have separated from the rest of my infrastructure.

## Name

Okabe Rintaro is a mad scientist from Steins;Gate.

## Setup

Much like its namesake, this server requires a "mad scientist" approach to set up. However, it is much easier than setting up its predecessor, which had just above 400 MiB of usable memory.

Ionos does not offer any NixOS installation media. I could only choose between various installation media and rescue systems. Also, installing NixOS with a low amount of memory is problematic.

I therefore created a VM locally with a disk image of exactly 10737418240 bytes (10 GiB) and installed NixOS on it. Because encryption with argon2id as the PBKDF is quite memory intensive, I had to tune the parameters to ensure that decryption was still possible on the target. This can be done quite easily by interactively running the following command on the build VM:

```shell
cryptsetup luksChangeKey --pbkdf-memory 100747 --pbkdf-parallel 1 --pbkdf-force-iterations 29 /dev/vda3
```

The memory size was obtained from a successful run of `cryptsetup benchmark` inside the initrd on the target.

However, since those parameters are not ideal, the following should later be run on the target host itself:

```shell
cryptsetup luksChangeKey --pbkdf-parallel 1 -i 10000 /dev/vda3
```

This determines the memory cost automatically, uses one thread and sets the iteration count so that unlocking takes about 10 seconds (10000 ms). The memory cost will not be as high as it could be, but it will be better than the forced parameters above.
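Before rebooting the target it is worth checking that every keyslot actually fits its memory. The following Python script is an added example and not part of this repository: it parses the `Keyslots:` section of `cryptsetup luksDump` output (real LUKS2 layout; the real output indents fields with tabs, spaces are used in the sample) and flags any argon2i/argon2id keyslot whose `Memory:` field, which is in KiB like `--pbkdf-memory`, exceeds a memory budget such as the figure obtained from `cryptsetup benchmark` in the target's initrd. The dump text it runs on is constructed, not taken from this machine.

```python
"""Flag LUKS2 keyslots whose Argon2 memory cost will not fit a small target.

Added example; not part of the okarin nixos-config. Parses the "Keyslots:"
section of `cryptsetup luksDump` and compares each Argon2 slot's memory cost
(KiB) against a budget, e.g. the value `cryptsetup benchmark` reported inside
the target's initrd.
"""
import re
from dataclasses import dataclass

# Constructed sample of `cryptsetup luksDump` output (trimmed, not a real
# header): slot 0 keeps a build-VM default of 1 GiB, slot 1 was re-keyed with
# the README's parameters, slot 2 is a pbkdf2 slot shown for contrast.
SAMPLE_DUMP = """\
LUKS header information
Version:        2

Keyslots:
  0: luks2
    Key:        512 bits
    Cipher:     aes-xts-plain64
    PBKDF:      argon2id
    Time cost:  4
    Memory:     1048576
    Threads:    4
    Digest ID:  0
  1: luks2
    Key:        512 bits
    Cipher:     aes-xts-plain64
    PBKDF:      argon2id
    Time cost:  29
    Memory:     100747
    Threads:    1
    Digest ID:  0
  2: luks2
    Key:        512 bits
    Cipher:     aes-xts-plain64
    PBKDF:      pbkdf2
    Hash:       sha256
    Iterations: 1000
    Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 100000
"""


@dataclass
class KeySlot:
    slot: int
    pbkdf: str
    time_cost: int   # Argon2 "Time cost" or pbkdf2 "Iterations"
    memory_kib: int  # Argon2 memory cost in KiB; 0 for pbkdf2 slots
    threads: int


SLOT_RE = re.compile(r"^\s+(\d+): luks2\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_keyslots(dump: str) -> list:
    """Return the KeySlot entries found in the 'Keyslots:' section."""
    slots = []
    in_keyslots = False
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Top-level section header; only "Keyslots:" is of interest.
            in_keyslots = line.startswith("Keyslots:")
            continue
        if not in_keyslots:
            continue
        m = SLOT_RE.match(line)
        if m:
            slots.append(KeySlot(int(m.group(1)), "", 0, 0, 1))
            continue
        m = FIELD_RE.match(line)
        if not m or not slots:
            continue
        key, value = m.group(1), m.group(2)
        cur = slots[-1]
        if key == "PBKDF":
            cur.pbkdf = value
        elif key in ("Time cost", "Iterations"):
            cur.time_cost = int(value)
        elif key == "Memory":
            cur.memory_kib = int(value)
        elif key == "Threads":
            cur.threads = int(value)
    return slots


def unlockable_slots(dump: str, budget_kib: int) -> dict:
    """Map keyslot number -> True if its PBKDF can run within budget_kib.

    pbkdf2 slots use negligible memory and are always considered unlockable.
    """
    return {
        s.slot: not (s.pbkdf.startswith("argon2") and s.memory_kib > budget_kib)
        for s in parse_keyslots(dump)
    }


if __name__ == "__main__":
    budget = 100747  # KiB: the README's figure from cryptsetup benchmark
    verdict = unlockable_slots(SAMPLE_DUMP, budget)
    for s in parse_keyslots(SAMPLE_DUMP):
        state = "ok" if verdict[s.slot] else "TOO LARGE"
        print(f"slot {s.slot}: {s.pbkdf} mem={s.memory_kib} KiB "
              f"t={s.time_cost} p={s.threads} -> {state}")
```

On a real machine, feed it `cryptsetup luksDump /dev/vda3` output instead of `SAMPLE_DUMP`; any slot reported as too large is one the target will fail to open, which is exactly the situation the forced `--pbkdf-memory` value above avoids.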

Getting the disk image onto the server was done by first rsyncing the image to another server (to allow for incremental iterations), which then served it over HTTP. Using the Debian installation media in rescue mode (for some reason most other options tried to cache the file in memory and became very slow), it was possible to write the image to disk with `wget -O /dev/sda http://server/okarin.img`.
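A successful `wget` exit only shows that the download finished, not that every byte reached the disk. The following Python script is an added example, not part of this repository: it hashes the image and the first image-sized prefix of the target device in fixed-size chunks, so a 10 GiB image can be checked on a 1 GiB machine, and compares the digests. The device is normally larger than the image, and `stat` reports size 0 for block devices, so the length always comes from the image file. The `demo()` function builds constructed stand-in files; the `/dev/sda` and `okarin.img` paths in the usage comment are placeholders.

```python
"""Confirm a raw disk image landed intact on the target block device.

Added example; not part of the okarin nixos-config. Compares SHA-256 of the
image with SHA-256 of the first len(image) bytes of the device.
"""
import hashlib
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep memory use flat on a small VPS


def sha256_prefix(path: str, length: int) -> str:
    """SHA-256 of the first `length` bytes of `path`; EOFError if shorter."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:
                raise EOFError(
                    f"{path}: only {length - remaining} of {length} bytes readable")
            digest.update(chunk)
            remaining -= len(chunk)
    return digest.hexdigest()


def image_matches_device(image_path: str, device_path: str) -> bool:
    """True if the device starts with exactly the bytes of the image.

    The length is taken from the image file because a block device's st_size
    is 0 and the device is usually larger than the image anyway.
    """
    size = os.path.getsize(image_path)
    return sha256_prefix(image_path, size) == sha256_prefix(device_path, size)


def demo() -> dict:
    """Run the check against constructed files standing in for image and disk."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "okarin.img")
        good_disk = os.path.join(tmp, "sda-good")
        bad_disk = os.path.join(tmp, "sda-bad")
        short_disk = os.path.join(tmp, "sda-short")
        payload = os.urandom(3 * CHUNK + 12345)  # deliberately not chunk-aligned
        with open(image, "wb") as f:
            f.write(payload)
        with open(good_disk, "wb") as f:  # disk larger than image, as in practice
            f.write(payload + b"\0" * 4096)
        corrupted = bytearray(payload)
        corrupted[CHUNK + 7] ^= 0x01      # one flipped byte inside the second chunk
        with open(bad_disk, "wb") as f:
            f.write(bytes(corrupted) + b"\0" * 4096)
        with open(short_disk, "wb") as f:  # write that stopped one byte early
            f.write(payload[:-1])
        results = {
            "good": image_matches_device(image, good_disk),
            "corrupt": image_matches_device(image, bad_disk),
        }
        try:
            image_matches_device(image, short_disk)
            results["short"] = "no error"
        except EOFError:
            results["short"] = "EOFError"
    return results


if __name__ == "__main__":
    print(demo())
    # Real use after writing the image (placeholder paths, run as root):
    # print(image_matches_device("okarin.img", "/dev/sda"))
```

Running the check from the rescue system right after the `wget` saves a reboot into a half-written disk, which is the most time-consuming of the pitfalls described below.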

Because of all these pitfalls, you will probably need more than one try. To make debugging easier on the target, the following option can be set:

```nix
{ pkgs, ... }:

{
  boot.initrd.preLVMCommands = ''
    ${pkgs.bashInteractive}/bin/bash
  '';
}
```