Initial commit. Add configuration for NixOS Proxmox image

.gitignore

@@ -0,0 +1 @@
+result

config/common/default-host-platform.nix

@@ -0,0 +1,10 @@
+# Set a default host platform.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, lib, ... }:
+
+{
+  # Set a default host platform for good measure.
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

config/common/default-state-version.nix

@@ -0,0 +1,17 @@
+# Set a default state version.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, lib, ... }:
+
+{
+  # Set a default state version for good measure.
+  # NixOS 23.05 configuration comment:
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = lib.mkDefault "23.05";
+}

config/common/default.nix

@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./default-host-platform.nix
+    ./default-state-version.nix
+    ./localization.nix
+    ./ssh.nix
+    ./users.nix
+  ];
+}

config/common/localization.nix

@@ -0,0 +1,24 @@
+# Some common localization settings.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+
+{ config, pkgs, ... }:
+
+{
+  time.timeZone = "Europe/Berlin";
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    extraLocaleSettings = {
+      LC_ADDRESS = "de_DE.UTF-8";
+      LC_IDENTIFICATION = "de_DE.UTF-8";
+      LC_MEASUREMENT = "de_DE.UTF-8";
+      LC_MONETARY = "de_DE.UTF-8";
+      LC_NAME = "de_DE.UTF-8";
+      LC_NUMERIC = "de_DE.UTF-8";
+      LC_PAPER = "de_DE.UTF-8";
+      LC_TELEPHONE = "de_DE.UTF-8";
+      LC_TIME = "de_DE.UTF-8";
+    };
+  };
+}

config/common/ssh.nix

@@ -0,0 +1,52 @@
+# Common SSH configuration.
+# Sources for this configuration:
+# - https://nixos.org/manual/nixos/stable/#sec-ssh
+# - https://infosec.mozilla.org/guidelines/openssh
+# - Julians deploy_ssh_server_config Ansible role
+
+{ config, pkgs, ... }:
+
+{
+  services.openssh = {
+    enable = true;
+
+    openFirewall = true;
+
+    settings = {
+      # Set KexAlgorithms to match Mozilla Modern guideline as of 2023-09-09.
+      KexAlgorithms = [
+        "curve25519-sha256@libssh.org"
+        "ecdh-sha2-nistp521"
+        "ecdh-sha2-nistp384"
+        "ecdh-sha2-nistp256"
+        "diffie-hellman-group-exchange-sha256"
+      ];
+      # Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09.
+      # Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09.
+
+      # X11 Forwarding shouldn't be needed.
+      X11Forwarding = false;
+
+      # Don't allow root login.
+      PermitRootLogin = "no";
+
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+
+      # Set this according to Mozilla Modern guideline as of 2023-09-09.
+      # The guidelines description:
+      # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
+      # clear audit track of which key was using to log in.
+      LogLevel = "VERBOSE";
+    };
+
+    # Set those according to Mozilla Modern guideline as of 2023-09-09.
+    # The guidelines description:
+    # Log sftp level file access (read/write/etc.) that would not be easily
+    # logged otherwise.
+    sftpFlags = [
+      "-f AUTHPRIV"
+      "-l INFO"
+    ];
+  };
+}

config/common/users.nix

@@ -0,0 +1,27 @@
+# Common users.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+# - https://nixos.org/manual/nixos/stable/#sec-user-management
+
+{ config, pkgs, lib, ... }:
+
+let
+  authorizedKeysRepo = builtins.fetchGit {
+    url = "ssh://git@gitlab.hamburg.ccc.de:4242/ccchh/infrastructure-authorized-keys.git";
+    ref = "trunk";
+    rev = "1b625d752fe5f19fd110871b9e3dfc6c93d3495a";
+  };
+in
+  {
+    users.mutableUsers = false;
+
+    users.users.chaos = {
+      isNormalUser = true;
+      description = "Chaos";
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
+    };
+
+    # Since our user doesn't have a password, allow passwordless sudo for wheel.
+    security.sudo.wheelNeedsPassword = false;
+  }

config/nixos-generators/proxmox.nix

@@ -0,0 +1,22 @@
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L6
+# - https://git.grzb.de/yuri/nix-infra/-/blob/aa38daeea59f2ca12b7e591de6f8b61565780c48/configuration/nixos-generators/default.nix#L13
+# - https://git.grzb.de/yuri/nix-infra/-/blob/aa38daeea59f2ca12b7e591de6f8b61565780c48/flake.nix#L39
+
+{ config, pkgs, ... }:
+
+{
+  proxmox = {
+    qemuConf = {
+      boot = "order=virtio0";
+      cores = 2;
+      memory = 512;
+      bios = "seabios";
+      net0 = "virtio=00:00:00:00:00:00,bridge=vmbr0,firewall=1,tag=999";
+    };
+    qemuExtraConf = {
+      cpu = "cputype=host,flags=+aes";
+      template = 1;
+    };
+  };
+}

config/proxmox-vm/boot.nix

@@ -0,0 +1,30 @@
+# A Proxmox VM BIOS boot configuration.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L241
+
+{ config, pkgs, ... }:
+
+{
+  boot = {
+    initrd.availableKernelModules = [ "uas" "virtio_blk" "virtio_pci" ];
+    initrd.kernelModules = [ ];
+    # Not specified here:
+    # - boot.kernelModules
+    # - boot.extraModulePackages
+    # Please specify as needed.
+    
+    # Grow the root partition on boot.
+    growPartition = true;
+
+    kernelParams = [ "console=ttyS0" ];
+
+    loader.grub = {
+      enable = true;
+      # TODO: Can we use "/dev/disk/by-label/nixos" here?
+      device = "/dev/vda";
+    };
+
+    loader.timeout = 0;
+  };
+}

config/proxmox-vm/default.nix

@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./boot.nix
+    ./qemu-guest-agent.nix
+    ./storage.nix
+  ];
+}

config/proxmox-vm/qemu-guest-agent.nix

@@ -0,0 +1,9 @@
+# A Proxmox VM qemu-guest-agent configuration.
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L270
+
+{ config, pkgs, ... }:
+
+{
+  services.qemuGuest.enable = true;
+}

config/proxmox-vm/storage.nix

@@ -0,0 +1,18 @@
+# A Proxmox VM storage configuration.
+# Sources for this configuration:
+# - a generated NixOS 23.05 configuration
+# - https://github.com/NixOS/nixpkgs/blob/069de7d3deafab651fd627c8f6d7e4c7b33087a2/nixos/modules/virtualisation/proxmox-image.nix#L260
+
+{ config, pkgs, ... }:
+
+{
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    autoResize = true;
+    fsType = "ext4";
+  };
+
+  # Not specified here:
+  # - swapDevices
+  # If needed, manually specify it elsewhere.
+}

flake.lock

@@ -0,0 +1,64 @@
+{
+  "nodes": {
+    "nixlib": {
+      "locked": {
+        "lastModified": 1693701915,
+        "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
+    "nixos-generators": {
+      "inputs": {
+        "nixlib": "nixlib",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1693791338,
+        "narHash": "sha256-wHmtB5H8AJTUaeGHw+0hsQ6nU4VyvVrP2P4NeCocRzY=",
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "rev": "8ee78470029e641cddbd8721496da1316b47d3b4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1694304580,
+        "narHash": "sha256-5tIpNodDpEKT8mM/F5zCzWEAnidOg8eb1/x3SRaaBLs=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "4c8cf44c5b9481a4f093f1df3b8b7ba997a7c760",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixos-generators": "nixos-generators",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,27 @@
+{
+  description = "CCCHH Nix Infrastructure";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+    # Add nixos-generators as an input.
+    # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
+    nixos-generators = {
+      url = "github:nix-community/nixos-generators";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = { nixpkgs, nixos-generators, ... }: {
+    packages.x86_64-linux = {
+      proxmox = nixos-generators.nixosGenerate {
+        system = "x86_64-linux";
+        modules = [
+          ./config/nixos-generators/proxmox.nix
+          ./config/common
+          ./config/proxmox-vm
+        ];
+        format = "proxmox";
+      };
+    };
+  };
+}