Initial commit. Add configuration for NixOS Proxmox image

2023-09-11 23:20:34 +02:00 · 2023-09-11 23:20:34 +02:00 · 4193e65a04
commit 4193e65a04
14 changed files with 321 additions and 0 deletions
--- a/config/common/default-host-platform.nix
+++ b/config/common/default-host-platform.nix
@ -0,0 +1,10 @@
+# Set a default host platform.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, lib, ... }:
+
+{
+  # Set a default host platform for good measure.
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/config/common/default-state-version.nix
+++ b/config/common/default-state-version.nix
@ -0,0 +1,17 @@
+# Set a default state version.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, lib, ... }:
+
+{
+  # Set a default state version for good measure.
+  # NixOS 23.05 configuration comment:
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = lib.mkDefault "23.05";
+}
--- a/config/common/default.nix
+++ b/config/common/default.nix
@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./default-host-platform.nix
+    ./default-state-version.nix
+    ./localization.nix
+    ./ssh.nix
+    ./users.nix
+  ];
+}
--- a/config/common/localization.nix
+++ b/config/common/localization.nix
@ -0,0 +1,24 @@
+# Some common localization settings.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, ... }:
+
+{
+  time.timeZone = "Europe/Berlin";
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    extraLocaleSettings = {
+      LC_ADDRESS = "de_DE.UTF-8";
+      LC_IDENTIFICATION = "de_DE.UTF-8";
+      LC_MEASUREMENT = "de_DE.UTF-8";
+      LC_MONETARY = "de_DE.UTF-8";
+      LC_NAME = "de_DE.UTF-8";
+      LC_NUMERIC = "de_DE.UTF-8";
+      LC_PAPER = "de_DE.UTF-8";
+      LC_TELEPHONE = "de_DE.UTF-8";
+      LC_TIME = "de_DE.UTF-8";
+    };
+  };
+}
--- a/config/common/ssh.nix
+++ b/config/common/ssh.nix
@ -0,0 +1,52 @@
+# Common SSH configuration.
+# Sources for this configuration:
+# - https://nixos.org/manual/nixos/stable/#sec-ssh
+# - https://infosec.mozilla.org/guidelines/openssh
+# - Julians deploy_ssh_server_config Ansible role
+
+{ config, pkgs, ... }:
+
+{
+  services.openssh = {
+    enable = true;
+
+    openFirewall = true;
+
+    settings = {
+      # Set KexAlgorithms to match Mozilla Modern guideline as of 2023-09-09.
+      KexAlgorithms = [
+        "curve25519-sha256@libssh.org"
+        "ecdh-sha2-nistp521"
+        "ecdh-sha2-nistp384"
+        "ecdh-sha2-nistp256"
+        "diffie-hellman-group-exchange-sha256"
+      ];
+      # Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09.
+      # Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09.
+
+      # X11 Forwarding shouldn't be needed.
+      X11Forwarding = false;
+
+      # Don't allow root login.
+      PermitRootLogin = "no";
+
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+
+      # Set this according to Mozilla Modern guideline as of 2023-09-09.
+      # The guidelines description:
+      # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
+      # clear audit track of which key was using to log in.
+      LogLevel = "VERBOSE";
+    };
+
+    # Set those according to Mozilla Modern guideline as of 2023-09-09.
+    # The guidelines description:
+    # Log sftp level file access (read/write/etc.) that would not be easily
+    # logged otherwise.
+    sftpFlags = [
+      "-f AUTHPRIV"
+      "-l INFO"
+    ];
+  };
+}
--- a/config/common/users.nix
+++ b/config/common/users.nix
@ -0,0 +1,27 @@
+# Common users.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+# - https://nixos.org/manual/nixos/stable/#sec-user-management
+
+{ config, pkgs, lib, ... }:
+
+let
+  authorizedKeysRepo = builtins.fetchGit {
+    url = "ssh://git@gitlab.hamburg.ccc.de:4242/ccchh/infrastructure-authorized-keys.git";
+    ref = "trunk";
+    rev = "1b625d752fe5f19fd110871b9e3dfc6c93d3495a";
+  };
+in
+  {
+    users.mutableUsers = false;
+
+    users.users.chaos = {
+      isNormalUser = true;
+      description = "Chaos";
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
+    };
+
+    # Since our user doesn't have a password, allow passwordless sudo for wheel.
+    security.sudo.wheelNeedsPassword = false;
+  }
--- a/config/nixos-generators/proxmox.nix
+++ b/config/nixos-generators/proxmox.nix
@ -0,0 +1,22 @@
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L6
+# - https://git.grzb.de/yuri/nix-infra/-/blob/aa38daeea59f2ca12b7e591de6f8b61565780c48/configuration/nixos-generators/default.nix#L13
+# - https://git.grzb.de/yuri/nix-infra/-/blob/aa38daeea59f2ca12b7e591de6f8b61565780c48/flake.nix#L39
+
+{ config, pkgs, ... }:
+
+{
+  proxmox = {
+    qemuConf = {
+      boot = "order=virtio0";
+      cores = 2;
+      memory = 512;
+      bios = "seabios";
+      net0 = "virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1,tag=999";
+    };
+    qemuExtraConf = {
+      cpu = "cputype=host,flags=+aes";
+      template = 1;
+    };
+  };
+}
--- a/config/proxmox-vm/boot.nix
+++ b/config/proxmox-vm/boot.nix
@ -0,0 +1,30 @@
+# A Proxmox VM BIOS boot configuration.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L241
+
+{ config, pkgs, ... }:
+
+{
+  boot = {
+    initrd.availableKernelModules = [ "uas" "virtio_blk" "virtio_pci" ];
+    initrd.kernelModules = [ ];
+    # Not specified here:
+    # - boot.kernelModules
+    # - boot.extraModulePackages
+    # Please specify as needed.
+    
+    # Grow the root partition on boot.
+    growPartition = true;
+
+    kernelParams = [ "console=ttyS0" ];
+
+    loader.grub = {
+      enable = true;
+      # TODO: Can we use "/dev/disk/by-label/nixos" here?
+      device = "/dev/vda";
+    };
+
+    loader.timeout = 0;
+  };
+}
--- a/config/proxmox-vm/default.nix
+++ b/config/proxmox-vm/default.nix
@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./boot.nix
+    ./qemu-guest-agent.nix
+    ./storage.nix
+  ];
+}
--- a/config/proxmox-vm/qemu-guest-agent.nix
+++ b/config/proxmox-vm/qemu-guest-agent.nix
@ -0,0 +1,9 @@
+# A Proxmox VM qemu-guest-agent configuration.
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L270
+
+{ config, pkgs, ... }:
+
+{
+  services.qemuGuest.enable = true;
+}
--- a/config/proxmox-vm/storage.nix
+++ b/config/proxmox-vm/storage.nix
@ -0,0 +1,18 @@
+# A Proxmox VM storage configuration.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L260
+
+{ config, pkgs, ... }:
+
+{
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    autoResize = true;
+    fsType = "ext4";
+  };
+
+  # Not specified here:
+  # - swapDevices
+  # If needed, manually specify it elsewhere.
+}