Refactor + Proxmox VE

This commit is contained in:
minish 2024-12-13 17:47:09 -05:00
parent f517d30525
commit 1e32c33d92
Signed by: min
SSH Key Fingerprint: SHA256:NFjjdbkd6u7aoMlcrDCVvz6o2UBtlAuPm8IQ2vhZ3Fg
15 changed files with 250 additions and 91 deletions


@ -37,6 +37,25 @@
"type": "github"
}
},
"crane_2": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1717383740,
"narHash": "sha256-559HbY4uhNeoYvK3H6AMZAtVfmR3y8plXZ1x6ON/cWU=",
"owner": "ipetkov",
"repo": "crane",
"rev": "b65673fce97d277934488a451724be94cc62499a",
"type": "github"
},
"original": {
"owner": "ipetkov",
"ref": "v0.17.3",
"repo": "crane",
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
@ -66,11 +85,11 @@
]
},
"locked": {
"lastModified": 1730751873,
"narHash": "sha256-sdY29RWz0S7VbaoTwSy6RummdHKf0wUTaBlqPxrtvmQ=",
"lastModified": 1734011192,
"narHash": "sha256-NghuiWXx6Q3gwLiudiNwDpYQ1CPEUK7J+f9dWREN8KA=",
"owner": "nix-community",
"repo": "disko",
"rev": "856a2902156ba304efebd4c1096dbf7465569454",
"rev": "0f31ad735e784315a22d9899d3ba24340ce64220",
"type": "github"
},
"original": {
@ -95,16 +114,31 @@
"type": "github"
}
},
"flake-compat_2": {
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"lastModified": 1733312601,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"type": "github"
},
"original": {
@ -133,11 +167,11 @@
},
"impermanence": {
"locked": {
"lastModified": 1730403150,
"narHash": "sha256-W1FH5aJ/GpRCOA7DXT/sJHFpa5r8sq2qAUncWwRZ3Gg=",
"lastModified": 1731242966,
"narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "0d09341beeaa2367bac5d718df1404bf2ce45e6f",
"rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
"type": "github"
},
"original": {
@ -149,11 +183,11 @@
"min-rip": {
"flake": false,
"locked": {
"lastModified": 1730603510,
"narHash": "sha256-+oUMM43mVaXpf0yv7niHf6Q/2Vv8iuIESxwYEDxYt3A=",
"lastModified": 1733968933,
"narHash": "sha256-sM4W6aZDgoyWkXjgE+UXRwGdfrMFDRPRliZs7CTc4rw=",
"ref": "refs/heads/main",
"rev": "2f2e6f840237ac0a3664b51958f5070d5945fce5",
"revCount": 30,
"rev": "8b5c3a8ef205e82a5414cac4d9fb6c17276b71ae",
"revCount": 36,
"type": "git",
"url": "ssh://git@git.min.rip/min/min.rip.git"
},
@ -164,11 +198,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1730602179,
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"lastModified": 1733730953,
"narHash": "sha256-dlK7n82FEyZlHH7BFHQAM5tua+lQO1Iv7aAtglc1O5s=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"rev": "7109b680d161993918b0a126f38bc39763e5a709",
"type": "github"
},
"original": {
@ -180,32 +214,84 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1730504152,
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
"lastModified": 1733096140,
"narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730602179,
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"lastModified": 1723556749,
"narHash": "sha256-+CHVZnTnIYRLYsARInHYoWkujzcRkLY/gXm3s5bE52o=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"rev": "4a92571f9207810b559c9eac203d1f4d79830073",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.05",
"type": "indirect"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1723637854,
"narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1714656196,
"narHash": "sha256-kjQkA98lMcsom6Gbhw8SYzmwrSo+2nruiTcTZp5jK7o=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "94035b482d181af0a0f8f77823a790b256b7c3cc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"proxmox-nixos": {
"inputs": {
"crane": "crane_2",
"flake-compat": "flake-compat_2",
"nixpkgs-stable": "nixpkgs-stable",
"nixpkgs-unstable": "nixpkgs-unstable",
"utils": "utils_2"
},
"locked": {
"lastModified": 1732473775,
"narHash": "sha256-WnckT473A+DcYYdzLFWgP4RSAvBNaSRw7fJuKySX+Og=",
"owner": "SaumonNet",
"repo": "proxmox-nixos",
"rev": "06fbc351ff461d26a8276f44088450c965195e10",
"type": "github"
},
"original": {
"owner": "SaumonNet",
"repo": "proxmox-nixos",
"type": "github"
}
},
"root": {
"inputs": {
"breeze": "breeze",
@ -215,6 +301,7 @@
"impermanence": "impermanence",
"min-rip": "min-rip",
"nixpkgs": "nixpkgs",
"proxmox-nixos": "proxmox-nixos",
"sops-nix": "sops-nix"
}
},
@ -222,15 +309,14 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
]
},
"locked": {
"lastModified": 1730746162,
"narHash": "sha256-ZGmI+3AbT8NkDdBQujF+HIxZ+sWXuyT6X8B49etWY2g=",
"lastModified": 1733965552,
"narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "59d6988329626132eaf107761643f55eb979eef1",
"rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
"type": "github"
},
"original": {
@ -269,6 +355,21 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_2"
@ -286,6 +387,24 @@
"repo": "flake-utils",
"type": "github"
}
},
"utils_2": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",


@ -17,6 +17,8 @@
impermanence.url = "github:nix-community/impermanence";
proxmox-nixos.url = "github:SaumonNet/proxmox-nixos";
min-rip.url = "git+ssh://git@git.min.rip/min/min.rip.git";
min-rip.flake = false;
@ -24,6 +26,15 @@
breeze.inputs.nixpkgs.follows = "nixpkgs";
};
nixConfig = {
extra-substituters = [
"https://cache.saumon.network/proxmox-nixos"
];
extra-trusted-public-keys = [
"proxmox-nixos:nveXDuVVhFDRFx8Dn19f1WDEaNRJjPrF2CPD2D+m1ys="
];
};
outputs = inputs @ {self, ...}:
inputs.flake-parts.lib.mkFlake {inherit inputs;} {
flake = let
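Review bot: The `extra-trusted-public-keys` entry `proxmox-nixos:nveXDuVVhFDRFx8Dn19f1WDEaNRJjPrF2CPD2D+m1ys=` is a new trust anchor: any store path carrying a signature from this key will be substituted from `https://cache.saumon.network/proxmox-nixos` instead of being built, so a compromise of that key or cache is arbitrary code on the hypervisor. Record where the key was checked so a later edit stands out in review, e.g. `# key verified against SaumonNet/proxmox-nixos README on <date>`. Note that flake `nixConfig` is only honored for trusted users or with `accept-flake-config`, so the cache is silently ignored otherwise — worth a comment rather than an assumption. Separately, `proxmox-nixos` brings its own `nixpkgs-stable`/`nixpkgs-unstable` (locked to August 2024 in the lockfile of this commit) instead of following the root `nixpkgs` the way `breeze.inputs.nixpkgs.follows` does; if the overlay builds against those, `proxmox-nixos.inputs.nixpkgs-stable.follows = "nixpkgs";` would keep its packages on the same patch level, provided the upstream flake evaluates with that.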


@ -1,5 +1,6 @@
{
config,
lib,
pkgs,
...
}: {
@ -9,7 +10,7 @@
./mounts.nix
./secrets.nix
./nebula.nix
./k3s.nix
# ./k3s.nix
];
networking.hostName = "eidola"; # Define your hostname.
@ -20,6 +21,8 @@
# Basic networking
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [5201 8081];
networking.firewall.allowedUDPPorts = [5201];
# Locales
i18n.defaultLocale = "en_US.UTF-8";
@ -64,13 +67,21 @@
};
# My modules
gen.system.hardening.disableSack = true;
gen.system.bootloader.luksSsh = {
gen.hardening.disableSack = true;
gen.bootloader.luksSsh = {
enable = true;
port = 48722;
hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
};
boot.initrd.network.udhcpc.enable = true;
# Proxmox
services.proxmox-ve = {
enable = true;
openFirewall = false;
};
# TODO: add a bridge
# TODO: make sure proxmox stuff is persisted
system.stateVersion = "24.05";
}
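Review bot: `networking.firewall.allowedTCPPorts = [5201 8081]` and `allowedUDPPorts = [5201]` open these ports on every interface, including the physical uplink this commit adds `ixgbe` for, while `nebula.nix` already lists the nebula interface in `trustedInterfaces`, so for overlay peers these entries add nothing and only expose the ports on the WAN side. That contradicts `openFirewall = false` on `services.proxmox-ve`, which suggests the intent is overlay-only access; scope the test port instead, e.g. `networking.firewall.interfaces."nebula.<net>".allowedTCPPorts = [5201];`, or remove it once the iperf3 measurement is done. Port 8081 has no comment saying what listens on it and whether it authenticates. The `# TODO: make sure proxmox stuff is persisted` also has a security angle: with impermanence enabled on this host, any state the PVE services generate and that is not persisted (presumably cluster and CA material) will be regenerated on each boot — verify the exact paths before relying on them.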


@ -17,7 +17,12 @@
inputs.sops-nix.nixosModules.sops
inputs.disko.nixosModules.disko
inputs.impermanence.nixosModules.impermanence
inputs.breeze.nixosModules.${system}.breeze
inputs.proxmox-nixos.nixosModules.proxmox-ve
({...}: {
nixpkgs.overlays = [
inputs.proxmox-nixos.overlays.${system}
];
})
./configuration.nix
];
}
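Review bot: `nixpkgs.overlays = [ inputs.proxmox-nixos.overlays.${system} ]` gives a third-party overlay authority over every attribute of this host's `pkgs`, not only the Proxmox packages, so anything it overrides (not visible here) replaces the system-wide package without further notice. Pair it with a comment naming the revision the overlay was reviewed at, e.g. `# third-party overlay: overrides reviewed at proxmox-nixos rev 06fbc35 — re-check on flake update`. If the upstream overlay turns out to touch more than the `proxmox`/`pve` attributes, an explicit overlay that picks only the attributes this host needs would limit the blast radius, but that depends on what the pinned overlay actually contains.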


@ -23,7 +23,7 @@
};
initrd = {
availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "r8169"];
availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "r8169" "ixgbe"];
kernelModules = [];
};
kernelModules = ["kvm-amd"];


@ -3,6 +3,7 @@
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
userGroup = "nebula-${netName}";
interface = "nebula.${netName}";
service = "nebula@${netName}.service";
lhs = {"10.13.0.1" = ["min.rip:4242"];}; # TODO: hardcoding
lhsInt = builtins.attrNames lhs;
in {
@ -14,6 +15,9 @@ in {
networking.firewall.trustedInterfaces = [interface];
# Make sure sshd starts after nebula
systemd.services.sshd.after = [service];
services.nebula.networks.${netName} = {
ca = ../../keys/ca.crt;
cert = ../../keys/n-srv-eidola.crt;
@ -58,6 +62,18 @@ in {
proto = "tcp";
host = "any";
}
# Allow Proxmox Web from anyone
{
port = 8006;
proto = "tcp";
host = "any";
}
# Allow iperf3 from anyone
{
port = 5201;
proto = "any";
host = "any";
}
];
};
}
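Review bot: The new inbound rule for `port = 8006` uses `host = "any"`, which exposes the Proxmox web UI and API — effectively root control of the hypervisor — to every certificate in the nebula network, including any client or service host that has no reason to reach it. Nebula rules accept `group`/`groups` selectors, so restricting to the admin hosts, e.g. `{ port = 8006; proto = "tcp"; groups = ["admin"]; }`, keeps the surface to those that need it (the group name is a placeholder — use whatever the CA issued). The iperf3 rule with `proto = "any"` reads as permanent; a comment stating when it is meant to be removed would help. `systemd.services.sshd.after = [service]` only orders sshd after nebula and adds no `wants`, so sshd still starts if nebula fails — likely what you want for recovery access, but the comment should say so.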


@ -79,6 +79,8 @@ in {
speedtest-cli
];
environment.variables.EDITOR = "vim";
networking.firewall.allowedTCPPorts = [5201];
networking.firewall.allowedUDPPorts = [5201];
# Enable ssh server
services.openssh = {
@ -94,8 +96,8 @@ in {
};
# My modules
gen.system.hardening.disableSack = true;
gen.system.bootloader.luksSsh = {
gen.hardening.disableSack = true;
gen.bootloader.luksSsh = {
enable = true;
port = 48722;
hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
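Review bot: `networking.firewall.allowedTCPPorts = [5201]` and `allowedUDPPorts = [5201]` open the port presumably used by iperf3 on every interface of this host, not just the nebula overlay; an unauthenticated benchmark daemon on a public interface is free bandwidth and CPU for anyone who finds it. If the measurements are between nebula peers, scope the rule to that interface, e.g. `networking.firewall.interfaces."nebula.<net>".allowedTCPPorts = [5201];` plus the UDP twin, or drop it when the test is over and mark it `# temporary: iperf3 testing` meanwhile. The module's attribute set starts before and ends after the visible hunks.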


@ -1,5 +0,0 @@
# NixOS Modules
This directory contains NixOS modules that are shared across hosts.
* `modules/system` - shared config & options for base system (`gen.system.*`)


@ -3,10 +3,10 @@
lib,
...
}: let
baseCfg = config.gen.system.bootloader;
baseCfg = config.gen.bootloader;
cfg = baseCfg.luksSsh;
in {
options.gen.system.bootloader.luksSsh = {
options.gen.bootloader.luksSsh = {
enable = lib.mkEnableOption "use boot process with luks unlock over ssh";
port = lib.mkOption {
type = lib.types.port;
@ -38,7 +38,7 @@ in {
ssh = {
enable = true;
authorizedKeys = import ../../../keys/ssh.nix;
authorizedKeys = import ../../keys/ssh.nix;
inherit (cfg) hostKeys port;
};


@ -1,5 +1,48 @@
{...}: {
{
inputs,
pkgs,
...
}: {
imports = [
./system
./boot
./hardening.nix
./limits.nix
./networking.nix
];
# Ensure root login is available on every machine (if ssh is enabled)
users.users.root.openssh.authorizedKeys.keys = import ../keys/ssh.nix;
# Speed up the build a little bit, these aren't really needed
documentation = {
enable = false;
info.enable = false;
man.enable = false;
doc.enable = false;
nixos.enable = false;
};
# Immutable users
users.mutableUsers = false;
### Nix settings ###
nix = {
# Make sure flakes are enabled
settings.experimental-features = ["nix-command" "flakes"];
extraOptions = ''
keep-outputs = true
keep-derivations = true
flake-registry = ${builtins.toFile "flake-registry" (builtins.toJSON {
version = 2;
flakes = [];
})}
'';
nixPath = ["nixpkgs=${pkgs.path}"];
registry = {
self.flake = inputs.self;
nixpkgs.flake = inputs.nixpkgs;
};
};
}
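Review bot: `imports = [ ./system ... ]` at the top of this new file points at `modules/system`, yet the only `modules/system`-shaped file in this commit is the 43-line `{inputs, pkgs, ...}` module that is deleted entirely at the end of the page; unless one of the changed files not shown here re-creates `modules/system/default.nix`, this import fails to evaluate. A one-line comment on what `./system` now holds would also replace the README describing the `modules/system` layout that this commit removes. `users.users.root.openssh.authorizedKeys.keys = import ../keys/ssh.nix` installs the same root keys on every host; the comment says that is intentional, but it silently relies on sshd's default `PermitRootLogin = "prohibit-password"`, so add e.g. `# relies on the services.openssh PermitRootLogin default (prohibit-password); do not set "yes"`.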


@ -3,9 +3,9 @@
lib,
...
}: let
cfg = config.gen.system.hardening;
cfg = config.gen.hardening;
in {
options.gen.system.hardening = {
options.gen.hardening = {
hardenBpf = lib.mkEnableOption "place heavier restrictions on BPF";
fullRpFilter = lib.mkEnableOption "enable full reverse path filtering. breaks dynamic routing, probably";
ignoreIcmpEcho = lib.mkEnableOption "ignore icmp echos. obviously, this makes pings unresponsive";


@ -1,43 +0,0 @@
{inputs, pkgs, ...}: {
imports = [
./hardening.nix
./limits.nix
./networking.nix
./boot
];
# Ensure root login is available on every machine (if ssh is enabled)
users.users.root.openssh.authorizedKeys.keys = import ../../keys/ssh.nix;
# Speed up the build a little bit, these aren't really needed
documentation = {
enable = false;
info.enable = false;
man.enable = false;
doc.enable = false;
nixos.enable = false;
};
# Immutable users
users.mutableUsers = false;
### Nix settings ###
nix = {
# Make sure flakes are enabled
settings.experimental-features = ["nix-command" "flakes"];
extraOptions = ''
keep-outputs = true
keep-derivations = true
flake-registry = ${builtins.toFile "flake-registry" (builtins.toJSON {
version = 2;
flakes = [];
})}
'';
nixPath = ["nixpkgs=${pkgs.path}"];
registry = {
self.flake = inputs.self;
nixpkgs.flake = inputs.nixpkgs;
};
};
}