From 4193e65a04ce6b78187e509847a3a658fff883ee Mon Sep 17 00:00:00 2001
From: julian
Date: Mon, 11 Sep 2023 23:20:34 +0200
Subject: [PATCH] Initial commit. Add configuration for NixOS Proxmox image

---
 .gitignore | 1 +
 config/common/default-host-platform.nix | 10 ++++
 config/common/default-state-version.nix | 17 +++++++
 config/common/default.nix | 11 +++++
 config/common/localization.nix | 24 ++++++++++
 config/common/ssh.nix | 52 ++++++++++++++++++++
 config/common/users.nix | 27 +++++++++++
 config/nixos-generators/proxmox.nix | 22 +++++++++
 config/proxmox-vm/boot.nix | 30 ++++++++++++
 config/proxmox-vm/default.nix | 9 ++++
 config/proxmox-vm/qemu-guest-agent.nix | 9 ++++
 config/proxmox-vm/storage.nix | 18 +++++++
 flake.lock | 64 +++++++++++++++++++++++++
 flake.nix | 27 +++++++++++
 14 files changed, 321 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 config/common/default-host-platform.nix
 create mode 100644 config/common/default-state-version.nix
 create mode 100644 config/common/default.nix
 create mode 100644 config/common/localization.nix
 create mode 100644 config/common/ssh.nix
 create mode 100644 config/common/users.nix
 create mode 100644 config/nixos-generators/proxmox.nix
 create mode 100644 config/proxmox-vm/boot.nix
 create mode 100644 config/proxmox-vm/default.nix
 create mode 100644 config/proxmox-vm/qemu-guest-agent.nix
 create mode 100644 config/proxmox-vm/storage.nix
 create mode 100644 flake.lock
 create mode 100644 flake.nix

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b2be92b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+result
diff --git a/config/common/default-host-platform.nix b/config/common/default-host-platform.nix
new file mode 100644
index 0000000..b587a76
--- /dev/null
+++ b/config/common/default-host-platform.nix
@@ -0,0 +1,10 @@
+# Set a default host platform.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, lib, ... }:
+
+{
+ # Set a default host platform for good measure.
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/config/common/default-state-version.nix b/config/common/default-state-version.nix
new file mode 100644
index 0000000..090e729
--- /dev/null
+++ b/config/common/default-state-version.nix
@@ -0,0 +1,17 @@
+# Set a default state version.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, lib, ... }:
+
+{
+ # Set a default state version for good measure.
+ # NixOS 23.05 configuration comment:
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = lib.mkDefault "23.05";
+}
diff --git a/config/common/default.nix b/config/common/default.nix
new file mode 100644
index 0000000..3e01ad4
--- /dev/null
+++ b/config/common/default.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./default-host-platform.nix
+ ./default-state-version.nix
+ ./localization.nix
+ ./ssh.nix
+ ./users.nix
+ ];
+}
diff --git a/config/common/localization.nix b/config/common/localization.nix
new file mode 100644
index 0000000..d163ef4
--- /dev/null
+++ b/config/common/localization.nix
@@ -0,0 +1,24 @@
+# Some common localization settings.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, ... }:
+
+{
+ time.timeZone = "Europe/Berlin";
+
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ extraLocaleSettings = {
+ LC_ADDRESS = "de_DE.UTF-8";
+ LC_IDENTIFICATION = "de_DE.UTF-8";
+ LC_MEASUREMENT = "de_DE.UTF-8";
+ LC_MONETARY = "de_DE.UTF-8";
+ LC_NAME = "de_DE.UTF-8";
+ LC_NUMERIC = "de_DE.UTF-8";
+ LC_PAPER = "de_DE.UTF-8";
+ LC_TELEPHONE = "de_DE.UTF-8";
+ LC_TIME = "de_DE.UTF-8";
+ };
+ };
+}
diff --git a/config/common/ssh.nix b/config/common/ssh.nix
new file mode 100644
index 0000000..9bc97b9
--- /dev/null
+++ b/config/common/ssh.nix
@@ -0,0 +1,52 @@
+# Common SSH configuration.
+# Sources for this configuration:
+# - https://nixos.org/manual/nixos/stable/#sec-ssh
+# - https://infosec.mozilla.org/guidelines/openssh
+# - Julians deploy_ssh_server_config Ansible role
+
+{ config, pkgs, ... }:
+
+{
+ services.openssh = {
+ enable = true;
+
+ openFirewall = true;
+
+ settings = {
+ # Set KexAlgorithms to match Mozilla Modern guideline as of 2023-09-09.
+ KexAlgorithms = [
+ "curve25519-sha256@libssh.org"
+ "ecdh-sha2-nistp521"
+ "ecdh-sha2-nistp384"
+ "ecdh-sha2-nistp256"
+ "diffie-hellman-group-exchange-sha256"
+ ];
+ # Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09.
+ # Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09.
+
+ # X11 Forwarding shouldn't be needed.
+ X11Forwarding = false;
+
+ # Don't allow root login.
+ PermitRootLogin = "no";
+
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+
+ # Set this according to Mozilla Modern guideline as of 2023-09-09.
+ # The guidelines description:
+ # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
+ # clear audit track of which key was using to log in.
+ LogLevel = "VERBOSE";
+ };
+
+ # Set those according to Mozilla Modern guideline as of 2023-09-09.
+ # The guidelines description:
+ # Log sftp level file access (read/write/etc.) that would not be easily
+ # logged otherwise.
+ sftpFlags = [
+ "-f AUTHPRIV"
+ "-l INFO"
+ ];
+ };
+}
diff --git a/config/common/users.nix b/config/common/users.nix
new file mode 100644
index 0000000..9b4a344
--- /dev/null
+++ b/config/common/users.nix
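Review bot: Setting `KexAlgorithms` explicitly replaces the NixOS default list rather than extending it, and the chosen set adds the NIST curves and DH group exchange while leaving out the IANA name `curve25519-sha256` (the same algorithm as the `@libssh.org` alias it does list) and, if the OpenSSH shipped in nixos-23.05 offers it, the hybrid `sntrup761x25519-sha512@openssh.com` that the nixpkgs default may already enable. Matching the Mozilla list verbatim is a defensible choice, but the comment above the list should then say that it overrides a default that is possibly stricter, or the list should gain `"curve25519-sha256"` next to the alias. The remaining settings — `PermitRootLogin = "no"`, password and keyboard-interactive authentication off, `LogLevel = "VERBOSE"`, sftp logging to AUTHPRIV — are consistent with the cited guideline and need no change.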
@@ -0,0 +1,27 @@
+# Common users.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+# - https://nixos.org/manual/nixos/stable/#sec-user-management
+
+{ config, pkgs, lib, ... }:
+
+let
+ authorizedKeysRepo = builtins.fetchGit {
+ url = "ssh://git@gitlab.hamburg.ccc.de:4242/ccchh/infrastructure-authorized-keys.git";
+ ref = "trunk";
+ rev = "1b625d752fe5f19fd110871b9e3dfc6c93d3495a";
+ };
+in
+ {
+ users.mutableUsers = false;
+
+ users.users.chaos = {
+ isNormalUser = true;
+ description = "Chaos";
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
+ };
+
+ # Since our user doesn't have a password, allow passwordless sudo for wheel.
+ security.sudo.wheelNeedsPassword = false;
+ }
diff --git a/config/nixos-generators/proxmox.nix b/config/nixos-generators/proxmox.nix
new file mode 100644
index 0000000..1c79fbd
--- /dev/null
+++ b/config/nixos-generators/proxmox.nix
@@ -0,0 +1,22 @@
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L6
+# - https://git.grzb.de/yuri/nix-infra/-/blob/aa38daeea59f2ca12b7e591de6f8b61565780c48/configuration/nixos-generators/default.nix#L13
+# - https://git.grzb.de/yuri/nix-infra/-/blob/aa38daeea59f2ca12b7e591de6f8b61565780c48/flake.nix#L39
+
+{ config, pkgs, ... }:
+
+{
+ proxmox = {
+ qemuConf = {
+ boot = "order=virtio0";
+ cores = 2;
+ memory = 512;
+ bios = "seabios";
+ net0 = "virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1,tag=999";
+ };
+ qemuExtraConf = {
+ cpu = "cputype=host,flags=+aes";
+ template = 1;
+ };
+ };
+}
diff --git a/config/proxmox-vm/boot.nix b/config/proxmox-vm/boot.nix
new file mode 100644
index 0000000..ccf6cb0
--- /dev/null
+++ b/config/proxmox-vm/boot.nix
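Review bot: The authorized key set is frozen at the commit named by `rev`, so removing or rotating a key in the upstream repository has no effect on deployed hosts until this file is bumped and the image is rebuilt and redeployed, and with `users.mutableUsers = false` there is no out-of-band way to change the keys on a running host either. Pinning is the right call for reproducibility and integrity, but the revocation latency should be stated next to the `rev` line, e.g. `# Pinned for reproducibility; upstream key revocations only take effect after bumping rev and redeploying.` Also note that the `builtins.filter` only drops empty lines, so any `#` comment lines in the upstream `authorized_keys` would be carried into the key list as-is; sshd treats such lines as comments, so this is presumably harmless, but a comment saying the upstream file is expected to hold one key per line would make the assumption explicit.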
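Review bot: The `net0` value carries an all-zero MAC and VLAN tag 999 with no explanation, while the neighbouring `template = 1` suggests these are meant as template placeholders that Proxmox replaces or that the clone inherits. If the zero MAC is intentional because Proxmox assigns a fresh MAC when cloning a template, say so in a comment so the next reader does not treat it as a typo, and name what VLAN 999 denotes, e.g. `# Placeholder MAC, regenerated by Proxmox on clone; tag=999 is the <VLAN-PURPOSE> VLAN.` (replace the bracketed placeholder). `firewall=1` keeping the Proxmox firewall enabled on the interface is a good default to keep.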
@@ -0,0 +1,30 @@
+# A Proxmox VM BIOS boot configuration.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L241
+
+{ config, pkgs, ... }:
+
+{
+ boot = {
+ initrd.availableKernelModules = [ "uas" "virtio_blk" "virtio_pci" ];
+ initrd.kernelModules = [ ];
+ # Not specified here:
+ # - boot.kernelModules
+ # - boot.extraModulePackages
+ # Please specify as needed.
+
+ # Grow the root partition on boot.
+ growPartition = true;
+
+ kernelParams = [ "console=ttyS0" ];
+
+ loader.grub = {
+ enable = true;
+ # TODO: Can we use "/dev/disk/by-label/nixos" here?
+ device = "/dev/vda";
+ };
+
+ loader.timeout = 0;
+ };
+}
diff --git a/config/proxmox-vm/default.nix b/config/proxmox-vm/default.nix
new file mode 100644
index 0000000..bb7d6b1
--- /dev/null
+++ b/config/proxmox-vm/default.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./boot.nix
+ ./qemu-guest-agent.nix
+ ./storage.nix
+ ];
+}
diff --git a/config/proxmox-vm/qemu-guest-agent.nix b/config/proxmox-vm/qemu-guest-agent.nix
new file mode 100644
index 0000000..c24fd43
--- /dev/null
+++ b/config/proxmox-vm/qemu-guest-agent.nix
@@ -0,0 +1,9 @@
+# A Proxmox VM qemu-guest-agent configuration.
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L270
+
+{ config, pkgs, ... }:
+
+{
+ services.qemuGuest.enable = true;
+}
diff --git a/config/proxmox-vm/storage.nix b/config/proxmox-vm/storage.nix
new file mode 100644
index 0000000..6748768
--- /dev/null
+++ b/config/proxmox-vm/storage.nix
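Review bot: The TODO above `device = "/dev/vda"` can be answered rather than left open: `boot.loader.grub.device` names the disk GRUB is installed to, whereas `/dev/disk/by-label/nixos` resolves to the partition carrying the root filesystem (the same label storage.nix mounts), so it is not a drop-in substitute. `/dev/vda` is consistent with `boot = "order=virtio0"` in proxmox.nix and presumably with the upstream proxmox-image module linked in the header, so keeping it seems right; replace the TODO with the reasoning, e.g. `# GRUB is installed to the whole disk, not the labelled root partition; virtio0 shows up as /dev/vda.` `loader.timeout = 0` also deserves a one-line note that it intentionally removes the interactive boot menu on this headless image.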
@@ -0,0 +1,18 @@
+# A Proxmox VM storage configuration.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L260
+
+{ config, pkgs, ... }:
+
+{
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ autoResize = true;
+ fsType = "ext4";
+ };
+
+ # Not specified here:
+ # - swapDevices
+ # If needed, manually specify it elsewhere.
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..f668a24
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,64 @@
+{
+ "nodes": {
+ "nixlib": {
+ "locked": {
+ "lastModified": 1693701915,
+ "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "type": "github"
+ }
+ },
+ "nixos-generators": {
+ "inputs": {
+ "nixlib": "nixlib",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1693791338,
+ "narHash": "sha256-wHmtB5H8AJTUaeGHw+0hsQ6nU4VyvVrP2P4NeCocRzY=",
+ "owner": "nix-community",
+ "repo": "nixos-generators",
+ "rev": "8ee78470029e641cddbd8721496da1316b47d3b4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixos-generators",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1694304580,
+ "narHash": "sha256-5tIpNodDpEKT8mM/F5zCzWEAnidOg8eb1/x3SRaaBLs=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "4c8cf44c5b9481a4f093f1df3b8b7ba997a7c760",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-23.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixos-generators": "nixos-generators",
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..de95e12
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,27 @@
+{
+ description = "CCCHH Nix Infrastructure";
+
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+ # Add nixos-generators as an input.
+ # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
+ nixos-generators = {
+ url = "github:nix-community/nixos-generators";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs = { nixpkgs, nixos-generators, ... }: {
+ packages.x86_64-linux = {
+ proxmox = nixos-generators.nixosGenerate {
+ system = "x86_64-linux";
+ modules = [
+ ./config/nixos-generators/proxmox.nix
+ ./config/common
+ ./config/proxmox-vm
+ ];
+ format = "proxmox";
+ };
+ };
+ };
+}
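Review bot: `nixpkgs` is bound in the `outputs` argument set but never referenced in the body, which only uses `nixos-generators`; either drop it, `outputs = { nixos-generators, ... }: {`, or keep it only once a later output needs it, since an unused binding invites the reader to look for a use that is not there. Separately, the `nixos-generators` input names no branch while the `nixpkgs` input directly above pins `nixos-23.05`; the dependency is still fixed by the `rev` in flake.lock, which is normal flake practice, but a word in the existing comment — `# Pinned via flake.lock; bump with nix flake update.` — would make the asymmetry deliberate rather than accidental.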