Initial commit. Add configuration for NixOS Proxmox image

2023-09-11 23:20:34 +02:00 · 2023-09-11 23:20:34 +02:00 · 4193e65a04
commit 4193e65a04
14 changed files with 321 additions and 0 deletions
--- a/config/common/default-host-platform.nix
+++ b/config/common/default-host-platform.nix
@ -0,0 +1,10 @@
+# Set a default host platform.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, lib, ... }:
+
+{
+  # Set a default host platform for good measure.
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/config/common/default-state-version.nix
+++ b/config/common/default-state-version.nix
@ -0,0 +1,17 @@
+# Set a default state version.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, lib, ... }:
+
+{
+  # Set a default state version for good measure.
+  # NixOS 23.05 configuration comment:
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = lib.mkDefault "23.05";
+}
--- a/config/common/default.nix
+++ b/config/common/default.nix
@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./default-host-platform.nix
+    ./default-state-version.nix
+    ./localization.nix
+    ./ssh.nix
+    ./users.nix
+  ];
+}
--- a/config/common/localization.nix
+++ b/config/common/localization.nix
@ -0,0 +1,24 @@
+# Some common localization settings.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, ... }:
+
+{
+  time.timeZone = "Europe/Berlin";
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    extraLocaleSettings = {
+      LC_ADDRESS = "de_DE.UTF-8";
+      LC_IDENTIFICATION = "de_DE.UTF-8";
+      LC_MEASUREMENT = "de_DE.UTF-8";
+      LC_MONETARY = "de_DE.UTF-8";
+      LC_NAME = "de_DE.UTF-8";
+      LC_NUMERIC = "de_DE.UTF-8";
+      LC_PAPER = "de_DE.UTF-8";
+      LC_TELEPHONE = "de_DE.UTF-8";
+      LC_TIME = "de_DE.UTF-8";
+    };
+  };
+}
--- a/config/common/ssh.nix
+++ b/config/common/ssh.nix
@ -0,0 +1,52 @@
+# Common SSH configuration.
+# Sources for this configuration:
+# - https://nixos.org/manual/nixos/stable/#sec-ssh
+# - https://infosec.mozilla.org/guidelines/openssh
+# - Julians deploy_ssh_server_config Ansible role
+
+{ config, pkgs, ... }:
+
+{
+  services.openssh = {
+    enable = true;
+
+    openFirewall = true;
+
+    settings = {
+      # Set KexAlgorithms to match Mozilla Modern guideline as of 2023-09-09.
+      KexAlgorithms = [
+        "curve25519-sha256@libssh.org"
+        "ecdh-sha2-nistp521"
+        "ecdh-sha2-nistp384"
+        "ecdh-sha2-nistp256"
+        "diffie-hellman-group-exchange-sha256"
+      ];
+      # Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09.
+      # Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09.
+
+      # X11 Forwarding shouldn't be needed.
+      X11Forwarding = false;
+
+      # Don't allow root login.
+      PermitRootLogin = "no";
+
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+
+      # Set this according to Mozilla Modern guideline as of 2023-09-09.
+      # The guidelines description:
+      # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
+      # clear audit track of which key was using to log in.
+      LogLevel = "VERBOSE";
+    };
+
+    # Set those according to Mozilla Modern guideline as of 2023-09-09.
+    # The guidelines description:
+    # Log sftp level file access (read/write/etc.) that would not be easily
+    # logged otherwise.
+    sftpFlags = [
+      "-f AUTHPRIV"
+      "-l INFO"
+    ];
+  };
+}
--- a/config/common/users.nix
+++ b/config/common/users.nix
@ -0,0 +1,27 @@
+# Common users.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+# - https://nixos.org/manual/nixos/stable/#sec-user-management
+
+{ config, pkgs, lib, ... }:
+
+let
+  authorizedKeysRepo = builtins.fetchGit {
+    url = "ssh://git@gitlab.hamburg.ccc.de:4242/ccchh/infrastructure-authorized-keys.git";
+    ref = "trunk";
+    rev = "1b625d752fe5f19fd110871b9e3dfc6c93d3495a";
+  };
+in
+  {
+    users.mutableUsers = false;
+
+    users.users.chaos = {
+      isNormalUser = true;
+      description = "Chaos";
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
+    };
+
+    # Since our user doesn't have a password, allow passwordless sudo for wheel.
+    security.sudo.wheelNeedsPassword = false;
+  }