From 1e32c33d925b5db73f52d8d6f3c8826daf724a12 Mon Sep 17 00:00:00 2001 From: min Date: Fri, 13 Dec 2024 17:47:09 -0500 Subject: [PATCH] Refactor + Proxmox VE --- flake.lock | 177 ++++++++++++++++--- flake.nix | 11 ++ nixos/hosts/eidola/configuration.nix | 17 +- nixos/hosts/eidola/default.nix | 7 +- nixos/hosts/eidola/hardware.nix | 2 +- nixos/hosts/eidola/nebula.nix | 16 ++ nixos/hosts/silver/configuration.nix | 6 +- nixos/modules/README.md | 5 - nixos/modules/{system => }/boot/default.nix | 0 nixos/modules/{system => }/boot/luks-ssh.nix | 6 +- nixos/modules/default.nix | 47 ++++- nixos/modules/{system => }/hardening.nix | 4 +- nixos/modules/{system => }/limits.nix | 0 nixos/modules/{system => }/networking.nix | 0 nixos/modules/system/default.nix | 43 ----- 15 files changed, 250 insertions(+), 91 deletions(-) delete mode 100644 nixos/modules/README.md rename nixos/modules/{system => }/boot/default.nix (100%) rename nixos/modules/{system => }/boot/luks-ssh.nix (88%) rename nixos/modules/{system => }/hardening.nix (96%) rename nixos/modules/{system => }/limits.nix (100%) rename nixos/modules/{system => }/networking.nix (100%) delete mode 100644 nixos/modules/system/default.nix diff --git a/flake.lock b/flake.lock index d77a1b1..b334229 100644 --- a/flake.lock +++ b/flake.lock @@ -37,6 +37,25 @@ "type": "github" } }, + "crane_2": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1717383740, + "narHash": "sha256-559HbY4uhNeoYvK3H6AMZAtVfmR3y8plXZ1x6ON/cWU=", + "owner": "ipetkov", + "repo": "crane", + "rev": "b65673fce97d277934488a451724be94cc62499a", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "ref": "v0.17.3", + "repo": "crane", + "type": "github" + } + }, "deploy-rs": { "inputs": { "flake-compat": "flake-compat", 
@@ -66,11 +85,11 @@ ] }, "locked": { - "lastModified": 1730751873, - "narHash": "sha256-sdY29RWz0S7VbaoTwSy6RummdHKf0wUTaBlqPxrtvmQ=", + "lastModified": 1734011192, + "narHash": "sha256-NghuiWXx6Q3gwLiudiNwDpYQ1CPEUK7J+f9dWREN8KA=", "owner": "nix-community", "repo": "disko", - "rev": "856a2902156ba304efebd4c1096dbf7465569454", + "rev": "0f31ad735e784315a22d9899d3ba24340ce64220", "type": "github" }, "original": { @@ -95,16 +114,31 @@ "type": "github" } }, + "flake-compat_2": { + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1730504689, - "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", "type": "github" }, "original": { @@ -133,11 +167,11 @@ }, "impermanence": { "locked": { - "lastModified": 1730403150, - "narHash": "sha256-W1FH5aJ/GpRCOA7DXT/sJHFpa5r8sq2qAUncWwRZ3Gg=", + "lastModified": 1731242966, + "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=", "owner": "nix-community", "repo": "impermanence", - "rev": "0d09341beeaa2367bac5d718df1404bf2ce45e6f", + "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a", "type": "github" }, "original": { 
@@ -149,11 +183,11 @@ "min-rip": { "flake": false, "locked": { - "lastModified": 1730603510, - "narHash": "sha256-+oUMM43mVaXpf0yv7niHf6Q/2Vv8iuIESxwYEDxYt3A=", + "lastModified": 1733968933, + "narHash": "sha256-sM4W6aZDgoyWkXjgE+UXRwGdfrMFDRPRliZs7CTc4rw=", "ref": "refs/heads/main", - "rev": "2f2e6f840237ac0a3664b51958f5070d5945fce5", - "revCount": 30, + "rev": "8b5c3a8ef205e82a5414cac4d9fb6c17276b71ae", + "revCount": 36, "type": "git", "url": "ssh://git@git.min.rip/min/min.rip.git" }, @@ -164,11 +198,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730602179, - "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=", + "lastModified": 1733730953, + "narHash": "sha256-dlK7n82FEyZlHH7BFHQAM5tua+lQO1Iv7aAtglc1O5s=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c", + "rev": "7109b680d161993918b0a126f38bc39763e5a709", "type": "github" }, "original": { 
@@ -180,32 +214,84 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1730504152, - "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", + "lastModified": 1733096140, + "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" } }, "nixpkgs-stable": { "locked": { - "lastModified": 1730602179, - "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=", + "lastModified": 1723556749, + "narHash": "sha256-+CHVZnTnIYRLYsARInHYoWkujzcRkLY/gXm3s5bE52o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c", + "rev": "4a92571f9207810b559c9eac203d1f4d79830073", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.05", + "type": "indirect" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1723637854, + "narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1714656196, + "narHash": "sha256-kjQkA98lMcsom6Gbhw8SYzmwrSo+2nruiTcTZp5jK7o=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "94035b482d181af0a0f8f77823a790b256b7c3cc", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-24.05", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, + "proxmox-nixos": { + "inputs": { + "crane": "crane_2", + "flake-compat": 
"flake-compat_2", + "nixpkgs-stable": "nixpkgs-stable", + "nixpkgs-unstable": "nixpkgs-unstable", + "utils": "utils_2" + }, + "locked": { + "lastModified": 1732473775, + "narHash": "sha256-WnckT473A+DcYYdzLFWgP4RSAvBNaSRw7fJuKySX+Og=", + "owner": "SaumonNet", + "repo": "proxmox-nixos", + "rev": "06fbc351ff461d26a8276f44088450c965195e10", + "type": "github" + }, + "original": { + "owner": "SaumonNet", + "repo": "proxmox-nixos", + "type": "github" + } + }, "root": { "inputs": { "breeze": "breeze", @@ -215,6 +301,7 @@ "impermanence": "impermanence", "min-rip": "min-rip", "nixpkgs": "nixpkgs", + "proxmox-nixos": "proxmox-nixos", "sops-nix": "sops-nix" } }, @@ -222,15 +309,14 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1730746162, - "narHash": "sha256-ZGmI+3AbT8NkDdBQujF+HIxZ+sWXuyT6X8B49etWY2g=", + "lastModified": 1733965552, + "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=", "owner": "Mic92", "repo": "sops-nix", - "rev": "59d6988329626132eaf107761643f55eb979eef1", + "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004", "type": "github" }, "original": { @@ -269,6 +355,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "inputs": { "systems": "systems_2" 
@@ -286,6 +387,24 @@ "repo": "flake-utils", "type": "github" } + }, + "utils_2": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index ec81ee9..828ebd4 100644 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,8 @@ impermanence.url = "github:nix-community/impermanence"; + proxmox-nixos.url = "github:SaumonNet/proxmox-nixos"; + min-rip.url = "git+ssh://git@git.min.rip/min/min.rip.git"; min-rip.flake = false; @@ -24,6 +26,15 @@ breeze.inputs.nixpkgs.follows = "nixpkgs"; }; + nixConfig = { + extra-substituters = [ + "https://cache.saumon.network/proxmox-nixos" + ]; + extra-trusted-public-keys = [ + "proxmox-nixos:nveXDuVVhFDRFx8Dn19f1WDEaNRJjPrF2CPD2D+m1ys=" + ]; + }; + outputs = inputs @ {self, ...}: inputs.flake-parts.lib.mkFlake {inherit inputs;} { flake = let diff --git a/nixos/hosts/eidola/configuration.nix b/nixos/hosts/eidola/configuration.nix index 2a49f57..d76e00b 100644 --- a/nixos/hosts/eidola/configuration.nix +++ b/nixos/hosts/eidola/configuration.nix @@ -1,5 +1,6 @@ { config, + lib, pkgs, ... }: { @@ -9,7 +10,7 @@ ./mounts.nix ./secrets.nix ./nebula.nix - ./k3s.nix + # ./k3s.nix ]; networking.hostName = "eidola"; # Define your hostname. @@ -20,6 +21,8 @@ # Basic networking networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [5201 8081]; + networking.firewall.allowedUDPPorts = [5201]; # Locales i18n.defaultLocale = "en_US.UTF-8"; 
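Review bot: The `extra-trusted-public-keys` entry in the new `nixConfig` block makes every store path signed by that key acceptable without a local build, yet nothing records where the key came from; a line such as `# cache key published by SaumonNet/proxmox-nixos; confirm against the upstream repo before accepting` above it would let the next reader re-verify it. A flake-level `nixConfig` is also only honoured when the evaluating user accepts it (`accept-flake-config` or the interactive prompt), so a short comment that the cache is optional and that builds otherwise compile Proxmox locally would avoid surprises on machines where it is declined.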
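Review bot: `lib` is added to the module arguments of eidola/configuration.nix, but none of this file's hunks use it; if the parts of the file outside the hunks do not either, the argument should be dropped. The `./k3s.nix` import is commented out rather than removed, which leaves dead configuration with no explanation — either delete the line or record the reason inline, e.g. `# ./k3s.nix  # disabled: <reason>`.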
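Review bot: `networking.firewall.allowedTCPPorts = [5201 8081]` and the matching UDP entry open these ports on every interface, while only 5201 is explained anywhere (the iperf3 rule in nebula.nix) and 8081 is not documented at all. If the listeners are meant for overlay peers only, the existing `networking.firewall.trustedInterfaces = [interface]` in nebula.nix already passes that traffic and the global entries can go; otherwise scope them with `networking.firewall.interfaces.<name>.allowedTCPPorts` and add a comment naming what listens on 8081. The same undocumented 5201 entries appear in the silver/configuration.nix hunk at `@@ -79,6 +79,8 @@`.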
@@ -64,13 +67,21 @@ }; # My modules - gen.system.hardening.disableSack = true; - gen.system.bootloader.luksSsh = { + gen.hardening.disableSack = true; + gen.bootloader.luksSsh = { enable = true; port = 48722; hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"]; }; boot.initrd.network.udhcpc.enable = true; + # Proxmox + services.proxmox-ve = { + enable = true; + openFirewall = false; + }; + # TODO: add a bridge + # TODO: make sure proxmox stuff is persisted + system.stateVersion = "24.05"; } diff --git a/nixos/hosts/eidola/default.nix b/nixos/hosts/eidola/default.nix index 5b7035e..acdbafa 100644 --- a/nixos/hosts/eidola/default.nix +++ b/nixos/hosts/eidola/default.nix @@ -17,7 +17,12 @@ inputs.sops-nix.nixosModules.sops inputs.disko.nixosModules.disko inputs.impermanence.nixosModules.impermanence - inputs.breeze.nixosModules.${system}.breeze + inputs.proxmox-nixos.nixosModules.proxmox-ve + ({...}: { + nixpkgs.overlays = [ + inputs.proxmox-nixos.overlays.${system} + ]; + }) ./configuration.nix ]; } diff --git a/nixos/hosts/eidola/hardware.nix b/nixos/hosts/eidola/hardware.nix index 950cb3c..686c5de 100644 --- a/nixos/hosts/eidola/hardware.nix +++ b/nixos/hosts/eidola/hardware.nix @@ -23,7 +23,7 @@ }; initrd = { - availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "r8169"]; + availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "r8169" "ixgbe"]; kernelModules = []; }; kernelModules = ["kvm-amd"]; diff --git a/nixos/hosts/eidola/nebula.nix b/nixos/hosts/eidola/nebula.nix index 697b874..40356f9 100644 --- a/nixos/hosts/eidola/nebula.nix +++ b/nixos/hosts/eidola/nebula.nix @@ -3,6 +3,7 @@ # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12 userGroup = "nebula-${netName}"; interface = "nebula.${netName}"; + service = "nebula@${netName}.service"; lhs = {"10.13.0.1" = ["min.rip:4242"];}; # TODO: hardcoding lhsInt = builtins.attrNames lhs; in { 
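Review bot: `services.proxmox-ve.enable = true` is switched on while the `# TODO: make sure proxmox stuff is persisted` directly below is still open; this host imports impermanence (see its default.nix), so whatever state the service writes outside the persisted paths is discarded on reboot and anything it generates on first start is regenerated every boot. Consider keeping `enable = false` until the persistence entries exist, or at least turn the TODO into a concrete list of the directories the proxmox-nixos module writes to. `openFirewall = false` is the right choice here; a comment such as `# web UI (8006) is reached over nebula only, see nebula.nix` would explain why no global port is opened for it.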
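Review bot: `inputs.breeze.nixosModules.${system}.breeze` is removed from eidola's module list although the subject only mentions the refactor and Proxmox VE, and the `breeze` input stays in flake.nix (its `follows` line is visible in that hunk) and in the lock; if breeze is no longer wanted on this host, say so in the description, and if it is unused everywhere the input can be dropped as well. As a point of style, the overlay wrapper `({...}: { nixpkgs.overlays = [ ... ]; })` takes no module arguments and can be a plain attribute set: `{ nixpkgs.overlays = [inputs.proxmox-nixos.overlays.${system}]; }`.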
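Review bot: `"ixgbe"` is appended to `initrd.availableKernelModules` in hardware.nix without a note of why an initrd driver is needed; since `gen.bootloader.luksSsh` is enabled for this host, it is presumably so the LUKS unlock over SSH works on a 10GbE port, and a trailing comment, `# ixgbe: 10GbE NIC, needed in the initrd for the luksSsh unlock`, would record that. If the unlock is expected on the r8169 port instead, the extra module may not be needed at all.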
@@ -14,6 +15,9 @@ in { networking.firewall.trustedInterfaces = [interface]; + # Make sure sshd starts after nebula + systemd.services.sshd.after = [service]; + services.nebula.networks.${netName} = { ca = ../../keys/ca.crt; cert = ../../keys/n-srv-eidola.crt; @@ -58,6 +62,18 @@ in { proto = "tcp"; host = "any"; } + # Allow Proxmox Web from anyone + { + port = 8006; + proto = "tcp"; + host = "any"; + } + # Allow iperf3 from anyone + { + port = 5201; + proto = "any"; + host = "any"; + } ]; }; } diff --git a/nixos/hosts/silver/configuration.nix b/nixos/hosts/silver/configuration.nix index ecbc349..40ee6d2 100644 --- a/nixos/hosts/silver/configuration.nix +++ b/nixos/hosts/silver/configuration.nix @@ -79,6 +79,8 @@ in { speedtest-cli ]; environment.variables.EDITOR = "vim"; + networking.firewall.allowedTCPPorts = [5201]; + networking.firewall.allowedUDPPorts = [5201]; # Enable ssh server services.openssh = { @@ -94,8 +96,8 @@ in { }; # My modules - gen.system.hardening.disableSack = true; - gen.system.bootloader.luksSsh = { + gen.hardening.disableSack = true; + gen.bootloader.luksSsh = { enable = true; port = 48722; hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"]; diff --git a/nixos/modules/README.md b/nixos/modules/README.md deleted file mode 100644 index b3e411e..0000000 --- a/nixos/modules/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# NixOS Modules - -This directory contains NixOS modules that are shared across hosts. - -* `modules/system` - shared config & options for base system (`gen.system.*`) diff --git a/nixos/modules/system/boot/default.nix b/nixos/modules/boot/default.nix similarity index 100% rename from nixos/modules/system/boot/default.nix rename to nixos/modules/boot/default.nix diff --git a/nixos/modules/system/boot/luks-ssh.nix b/nixos/modules/boot/luks-ssh.nix similarity index 88% rename from nixos/modules/system/boot/luks-ssh.nix rename to nixos/modules/boot/luks-ssh.nix index 23a0d58..670996d 100644 
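Review bot: `systemd.services.sshd.after = [service]` only orders sshd behind `nebula@${netName}.service` when both units are in the same transaction; `After=` creates no dependency, so sshd still starts whenever the nebula unit is not pulled in or has failed, and the comment "Make sure sshd starts after nebula" overstates what the line does. If sshd is meant to wait for the overlay, pair it with `systemd.services.sshd.wants = [service];`; if sshd should also come up without nebula, say so in the comment instead. The `service` binding used here is defined in the earlier hunk of this file.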
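Review bot: The new inbound rule for port 8006 uses `host = "any"`, so every peer holding a certificate from this CA can reach the Proxmox web UI, and `networking.firewall.trustedInterfaces = [interface]` in the earlier hunk means the host firewall will not filter it either. If the certificates carry groups, restricting the rule with `group = "<admin-group>";` in place of `host = "any"` keeps the management UI off ordinary peers; if they do not, a comment stating that the whole overlay is considered trusted for management would make that decision explicit. The 5201 rule with `proto = "any"` has the same shape, though what it exposes is an iperf3 listener rather than a management plane.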
--- a/nixos/modules/system/boot/luks-ssh.nix +++ b/nixos/modules/boot/luks-ssh.nix @@ -3,10 +3,10 @@ lib, ... }: let - baseCfg = config.gen.system.bootloader; + baseCfg = config.gen.bootloader; cfg = baseCfg.luksSsh; in { - options.gen.system.bootloader.luksSsh = { + options.gen.bootloader.luksSsh = { enable = lib.mkEnableOption "use boot process with luks unlock over ssh"; port = lib.mkOption { type = lib.types.port; @@ -38,7 +38,7 @@ in { ssh = { enable = true; - authorizedKeys = import ../../../keys/ssh.nix; + authorizedKeys = import ../../keys/ssh.nix; inherit (cfg) hostKeys port; }; diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix index fb8572c..a7d0324 100644 --- a/nixos/modules/default.nix +++ b/nixos/modules/default.nix @@ -1,5 +1,48 @@ -{...}: { +{ + inputs, + pkgs, + ... +}: { imports = [ - ./system + ./boot + + ./hardening.nix + ./limits.nix + ./networking.nix ]; + + # Ensure root login is available on every machine (if ssh is enabled) + users.users.root.openssh.authorizedKeys.keys = import ../keys/ssh.nix; + + # Speed up the build a little bit, these aren't really needed + documentation = { + enable = false; + info.enable = false; + man.enable = false; + doc.enable = false; + nixos.enable = false; + }; + + # Immutable users + users.mutableUsers = false; + + ### Nix settings ### + nix = { + # Make sure flakes are enabled + settings.experimental-features = ["nix-command" "flakes"]; + extraOptions = '' + keep-outputs = true + keep-derivations = true + + flake-registry = ${builtins.toFile "flake-registry" (builtins.toJSON { + version = 2; + flakes = []; + })} + ''; + nixPath = ["nixpkgs=${pkgs.path}"]; + registry = { + self.flake = inputs.self; + nixpkgs.flake = inputs.nixpkgs; + }; + }; } diff --git a/nixos/modules/system/hardening.nix b/nixos/modules/hardening.nix similarity index 96% rename from nixos/modules/system/hardening.nix rename to nixos/modules/hardening.nix index 379ba9f..657a1a2 100644 --- a/nixos/modules/system/hardening.nix 
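Review bot: `users.users.root.openssh.authorizedKeys.keys = import ../keys/ssh.nix` installs the shared key list for root on every host, but whether root can log in at all depends on `services.openssh.settings.PermitRootLogin`, which this module does not set; the comment "Ensure root login is available" should say that, e.g. `# Installs the shared keys for root; PermitRootLogin is still decided per host`. The new `inputs` and `pkgs` arguments are both used further down (`pkgs.path`, `inputs.self`, `inputs.nixpkgs`), so the signature change matches the body. The content is moved here from nixos/modules/system/default.nix, so the point about the comment predates this commit but lands in the file it now lives in.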
+++ b/nixos/modules/hardening.nix @@ -3,9 +3,9 @@ lib, ... }: let - cfg = config.gen.system.hardening; + cfg = config.gen.hardening; in { - options.gen.system.hardening = { + options.gen.hardening = { hardenBpf = lib.mkEnableOption "place heavier restrictions on BPF"; fullRpFilter = lib.mkEnableOption "enable full reverse path filtering. breaks dynamic routing, probably"; ignoreIcmpEcho = lib.mkEnableOption "ignore icmp echos. obviously, this makes pings unresponsive"; diff --git a/nixos/modules/system/limits.nix b/nixos/modules/limits.nix similarity index 100% rename from nixos/modules/system/limits.nix rename to nixos/modules/limits.nix diff --git a/nixos/modules/system/networking.nix b/nixos/modules/networking.nix similarity index 100% rename from nixos/modules/system/networking.nix rename to nixos/modules/networking.nix diff --git a/nixos/modules/system/default.nix b/nixos/modules/system/default.nix deleted file mode 100644 index 9bf5988..0000000 --- a/nixos/modules/system/default.nix +++ /dev/null @@ -1,43 +0,0 @@ -{inputs, pkgs, ...}: { - imports = [ - ./hardening.nix - ./limits.nix - ./networking.nix - ./boot - ]; - - # Ensure root login is available on every machine (if ssh is enabled) - users.users.root.openssh.authorizedKeys.keys = import ../../keys/ssh.nix; - - # Speed up the build a little bit, these aren't really needed - documentation = { - enable = false; - info.enable = false; - man.enable = false; - doc.enable = false; - nixos.enable = false; - }; - - # Immutable users - users.mutableUsers = false; - - ### Nix settings ### - nix = { - # Make sure flakes are enabled - settings.experimental-features = ["nix-command" "flakes"]; - extraOptions = '' - keep-outputs = true - keep-derivations = true - - flake-registry = ${builtins.toFile "flake-registry" (builtins.toJSON { - version = 2; - flakes = []; - })} - ''; - nixPath = ["nixpkgs=${pkgs.path}"]; - registry = { - self.flake = inputs.self; - nixpkgs.flake = inputs.nixpkgs; - }; - }; -}