Simon Bruder
26d85e97aa
This avoids boilerplate code for displaying the imprint on the fqdn of the machine.
okarin
Hardware
Ionos Cloud VPS S (1 Xeon Gold 5120 vCPU, “512 MB” = 443 MiB RAM, 10 GB SSD).
Purpose
It will host services I want to have separated from the rest of my infrastructure.
Name
Okabe Rintaro is a mad scientist from Steins;Gate.
Setup
Much like the namesake, this server requires a “mad scientist” approach to set up.
Ionos does not offer any NixOS installation media. I could only choose between Debian installation media, Knoppix and GParted. Also, installing with a very low amount of memory is quite hard.
I therefore created a VM locally with a disk image exactly 10737418240 bytes in size.
On there, I installed NixOS.
Because encryption with `argon2id` as PBKDF is quite memory intensive, I had to tune the parameters some.
What I settled on was `cryptsetup luksFormat --pbkdf argon2id --iter-time 10000 --pbkdf-memory 250000 /dev/sda3`.
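The Argon2 memory cost stored in a LUKS2 keyslot has to be allocated again at every unlock, so a header formatted on a larger machine can be impossible to open on the 443 MiB target. The following check is an added example, not part of the original README: it reads `cryptsetup luksDump` text and compares the largest keyslot memory cost with the RAM of the target. The function names, the 128 MiB headroom and the sample dump excerpt are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: does every Argon2 keyslot of a LUKS2 header fit into the
# RAM of the machine that has to unlock it?

# Print the largest "Memory:" value (KiB) found in luksDump text on stdin.
max_pbkdf_memory() {
    awk '$1 == "Memory:" && $2 + 0 > max { max = $2 + 0 } END { print max + 0 }'
}

# pbkdf_fits RAM_KIB [RESERVE_KIB] < luksDump text
# 0: fits, 1: too large, 2: no Argon2 keyslot found (e.g. pbkdf2 only).
pbkdf_fits() {
    ram_kib=$1
    reserve_kib=${2:-131072}  # assumed 128 MiB headroom for kernel and initrd
    need=$(max_pbkdf_memory)
    [ "$need" -gt 0 ] || return 2
    [ "$need" -le $((ram_kib - reserve_kib)) ]
}

# Constructed excerpt of luksDump output; $1 is the memory cost in KiB.
sample_dump() {
    cat <<EOF
Keyslots:
  0: luks2
	Key:        512 bits
	PBKDF:      argon2id
	Time cost:  4
	Memory:     $1
	Threads:    1
EOF
}

TARGET_RAM_KIB=453632  # 443 MiB, the usable RAM stated under Hardware

# 250000 is the value from the luksFormat call above; 1048576 (1 GiB) is a
# constructed contrast value that cannot be unlocked on the target.
for mem in 250000 1048576; do
    if sample_dump "$mem" | pbkdf_fits "$TARGET_RAM_KIB"; then
        echo "Memory: $mem KiB fits into $TARGET_RAM_KIB KiB RAM"
    else
        echo "Memory: $mem KiB is too large for $TARGET_RAM_KIB KiB RAM"
    fi
done
```

On a real system the input would come from `cryptsetup luksDump /dev/sda3` and the RAM figure from the `MemTotal` line of `/proc/meminfo` on the target.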
To make btrfs use its SSD optimizations,
I had to force the kernel to see the device as non-rotational:
echo 0 > /sys/block/dm-0/queue/rotational
Another problem was the usage of VMware by Ionos. The VM I set this up with was obviously using KVM/QEMU, so it needed different kernel modules at boot. What worked was setting it up in the local VM with both libvirt and vmware modules, and then removing the libvirt modules once it was installed on the target.
Getting the disk image onto the server was done by first `rsync`ing the image to another server (to allow for incremental iterations), which then provided it via HTTP.
Using the Knoppix live image (booted with `knoppix 2` to avoid starting the GUI), it was possible to just `curl http://server/okarin.img > /dev/sda`.
Because of all the pitfalls of this, you probably need more than one try.