Initial commit. Add configuration for NixOS Proxmox image
4193e65a04
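--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+result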
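--- a/config/common/default-host-platform.nix
+++ b/config/common/default-host-platform.nix
@@ -0,0 +1,10 @@
+# Set a default host platform.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, lib, ... }:
+
+{
+# Set a default host platform for good measure.
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}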
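--- a/config/common/default-state-version.nix
+++ b/config/common/default-state-version.nix
@@ -0,0 +1,17 @@
+# Set a default state version.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, lib, ... }:
+
+{
+# Set a default state version for good measure.
+# NixOS 23.05 configuration comment:
+# This value determines the NixOS release from which the default
+# settings for stateful data, like file locations and database versions
+# on your system were taken. It‘s perfectly fine and recommended to leave
+# this value at the release version of the first install of this system.
+# Before changing this value read the documentation for this option
+# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+system.stateVersion = lib.mkDefault "23.05";
+}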
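--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+imports = [
+./default-host-platform.nix
+./default-state-version.nix
+./localization.nix
+./ssh.nix
+./users.nix
+];
+}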
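--- a/config/common/localization.nix
+++ b/config/common/localization.nix
@@ -0,0 +1,24 @@
+# Some common localization settings.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, ... }:
+
+{
+time.timeZone = "Europe/Berlin";
+
+i18n = {
+defaultLocale = "en_US.UTF-8";
+extraLocaleSettings = {
+LC_ADDRESS = "de_DE.UTF-8";
+LC_IDENTIFICATION = "de_DE.UTF-8";
+LC_MEASUREMENT = "de_DE.UTF-8";
+LC_MONETARY = "de_DE.UTF-8";
+LC_NAME = "de_DE.UTF-8";
+LC_NUMERIC = "de_DE.UTF-8";
+LC_PAPER = "de_DE.UTF-8";
+LC_TELEPHONE = "de_DE.UTF-8";
+LC_TIME = "de_DE.UTF-8";
+};
+};
+}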
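--- a/config/common/ssh.nix
+++ b/config/common/ssh.nix
@@ -0,0 +1,52 @@
+# Common SSH configuration.
+# Sources for this configuration:
+# - https://nixos.org/manual/nixos/stable/#sec-ssh
+# - https://infosec.mozilla.org/guidelines/openssh
+# - Julians deploy_ssh_server_config Ansible role
+
+{ config, pkgs, ... }:
+
+{
+services.openssh = {
+enable = true;
+
+openFirewall = true;
+
+settings = {
+# Set KexAlgorithms to match Mozilla Modern guideline as of 2023-09-09.
+KexAlgorithms = [
+"curve25519-sha256@libssh.org"
+"ecdh-sha2-nistp521"
+"ecdh-sha2-nistp384"
+"ecdh-sha2-nistp256"
+"diffie-hellman-group-exchange-sha256"
+];
+# Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09.
+# Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09.
+
+# X11 Forwarding shouldn't be needed.
+X11Forwarding = false;
+
+# Don't allow root login.
+PermitRootLogin = "no";
+
+PasswordAuthentication = false;
+KbdInteractiveAuthentication = false;
+
+# Set this according to Mozilla Modern guideline as of 2023-09-09.
+# The guidelines description:
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
+# clear audit track of which key was using to log in.
+LogLevel = "VERBOSE";
+};
+
+# Set those according to Mozilla Modern guideline as of 2023-09-09.
+# The guidelines description:
+# Log sftp level file access (read/write/etc.) that would not be easily
+# logged otherwise.
+sftpFlags = [
+"-f AUTHPRIV"
+"-l INFO"
+];
+};
+}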
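--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -0,0 +1,27 @@
+# Common users.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+# - https://nixos.org/manual/nixos/stable/#sec-user-management
+
+{ config, pkgs, lib, ... }:
+
+let
+authorizedKeysRepo = builtins.fetchGit {
+url = "ssh://git@gitlab.hamburg.ccc.de:4242/ccchh/infrastructure-authorized-keys.git";
+ref = "trunk";
+rev = "1b625d752fe5f19fd110871b9e3dfc6c93d3495a";
+};
+in
+{
+users.mutableUsers = false;
+
+users.users.chaos = {
+isNormalUser = true;
+description = "Chaos";
+extraGroups = [ "wheel" ];
+openssh.authorizedKeys.keys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
+};
+
+# Since our user doesn't have a password, allow passwordless sudo for wheel.
+security.sudo.wheelNeedsPassword = false;
+}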
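--- a/config/nixos-generators/proxmox.nix
+++ b/config/nixos-generators/proxmox.nix
@@ -0,0 +1,22 @@
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L6
+# - https://git.grzb.de/yuri/nix-infra/-/blob/aa38daeea59f2ca12b7e591de6f8b61565780c48/configuration/nixos-generators/default.nix#L13
+# - https://git.grzb.de/yuri/nix-infra/-/blob/aa38daeea59f2ca12b7e591de6f8b61565780c48/flake.nix#L39
+
+{ config, pkgs, ... }:
+
+{
+proxmox = {
+qemuConf = {
+boot = "order=virtio0";
+cores = 2;
+memory = 512;
+bios = "seabios";
+net0 = "virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1,tag=999";
+};
+qemuExtraConf = {
+cpu = "cputype=host,flags=+aes";
+template = 1;
+};
+};
+}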
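--- a/config/proxmox-vm/boot.nix
+++ b/config/proxmox-vm/boot.nix
@@ -0,0 +1,30 @@
+# A Proxmox VM BIOS boot configuration.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L241
+
+{ config, pkgs, ... }:
+
+{
+boot = {
+initrd.availableKernelModules = [ "uas" "virtio_blk" "virtio_pci" ];
+initrd.kernelModules = [ ];
+# Not specified here:
+# - boot.kernelModules
+# - boot.extraModulePackages
+# Please specify as needed.
+
+# Grow the root partition on boot.
+growPartition = true;
+
+kernelParams = [ "console=ttyS0" ];
+
+loader.grub = {
+enable = true;
+# TODO: Can we use "/dev/disk/by-label/nixos" here?
+device = "/dev/vda";
+};
+
+loader.timeout = 0;
+};
+}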
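--- a/config/proxmox-vm/default.nix
+++ b/config/proxmox-vm/default.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+imports = [
+./boot.nix
+./qemu-guest-agent.nix
+./storage.nix
+];
+}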
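--- a/config/proxmox-vm/qemu-guest-agent.nix
+++ b/config/proxmox-vm/qemu-guest-agent.nix
@@ -0,0 +1,9 @@
+# A Proxmox VM qemu-guest-agent configuration.
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L270
+
+{ config, pkgs, ... }:
+
+{
+services.qemuGuest.enable = true;
+}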
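--- a/config/proxmox-vm/storage.nix
+++ b/config/proxmox-vm/storage.nix
@@ -0,0 +1,18 @@
+# A Proxmox VM storage configuration.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L260
+
+{ config, pkgs, ... }:
+
+{
+fileSystems."/" = {
+device = "/dev/disk/by-label/nixos";
+autoResize = true;
+fsType = "ext4";
+};
+
+# Not specified here:
+# - swapDevices
+# If needed, manually specify it elsewhere.
+}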
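--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,64 @@
+{
+"nodes": {
+"nixlib": {
+"locked": {
+"lastModified": 1693701915,
+"narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
+"owner": "nix-community",
+"repo": "nixpkgs.lib",
+"rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"repo": "nixpkgs.lib",
+"type": "github"
+}
+},
+"nixos-generators": {
+"inputs": {
+"nixlib": "nixlib",
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1693791338,
+"narHash": "sha256-wHmtB5H8AJTUaeGHw+0hsQ6nU4VyvVrP2P4NeCocRzY=",
+"owner": "nix-community",
+"repo": "nixos-generators",
+"rev": "8ee78470029e641cddbd8721496da1316b47d3b4",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"repo": "nixos-generators",
+"type": "github"
+}
+},
+"nixpkgs": {
+"locked": {
+"lastModified": 1694304580,
+"narHash": "sha256-5tIpNodDpEKT8mM/F5zCzWEAnidOg8eb1/x3SRaaBLs=",
+"owner": "nixos",
+"repo": "nixpkgs",
+"rev": "4c8cf44c5b9481a4f093f1df3b8b7ba997a7c760",
+"type": "github"
+},
+"original": {
+"owner": "nixos",
+"ref": "nixos-23.05",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"nixos-generators": "nixos-generators",
+"nixpkgs": "nixpkgs"
+}
+}
+},
+"root": "root",
+"version": 7
+}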
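--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,27 @@
+{
+description = "CCCHH Nix Infrastructure";
+
+inputs = {
+nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+# Add nixos-generators as an input.
+# See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
+nixos-generators = {
+url = "github:nix-community/nixos-generators";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+};
+
+outputs = { nixpkgs, nixos-generators, ... }: {
+packages.x86_64-linux = {
+proxmox = nixos-generators.nixosGenerate {
+system = "x86_64-linux";
+modules = [
+./config/nixos-generators/proxmox.nix
+./config/common
+./config/proxmox-vm
+];
+format = "proxmox";
+};
+};
+};
+}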