commit 0ab4ba65c664fd0c583f9579d9cd3668cd35d34e
Author: Pim Kunis
Date: Sun Nov 5 18:43:32 2023 +0100
init
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..4b7a003
--- /dev/null
+++ b/README.md
@@ -0,0 +1,9 @@
+# nixos-servers
+
+Nix definitions to configure our physical servers.
+Currently, only one physical server (named jefke) is implemented.
+
+To deploy:
+```
+nixos-rebuild switch -j auto --target-host root@jefke.hyp --flake ".#jefke"
+```
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..e99ad9d
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,141 @@
+{pkgs, ...}: {
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ boot.loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+
+ time.timeZone = "Europe/Amsterdam";
+
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+
+ extraLocaleSettings = {
+ LC_ADDRESS = "nl_NL.UTF-8";
+ LC_IDENTIFICATION = "nl_NL.UTF-8";
+ LC_MEASUREMENT = "nl_NL.UTF-8";
+ LC_MONETARY = "nl_NL.UTF-8";
+ LC_NAME = "nl_NL.UTF-8";
+ LC_NUMERIC = "nl_NL.UTF-8";
+ LC_PAPER = "nl_NL.UTF-8";
+ LC_TELEPHONE = "nl_NL.UTF-8";
+ LC_TIME = "nl_NL.UTF-8";
+ };
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ extraConfig = ''
+ HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+ '';
+ };
+
+ xserver = {
+ layout = "us";
+ xkbVariant = "";
+ };
+ };
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
+ ];
+
+ programs.ssh = {
+ knownHosts = {
+ dmz = {
+ hostNames = ["*.dmz"];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x";
+ certAuthority = true;
+ };
+
+ hypervisors = {
+ hostNames = ["*.hyp"];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb";
+ certAuthority = true;
+ };
+ };
+
+ extraConfig = ''
+ CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub
+ HostKey /etc/ssh/ssh_user_ed25519_key
+ '';
+ };
+
+ nixpkgs.config.allowUnfree = true;
+
+ environment.systemPackages = with pkgs; [
+ vim
+ neofetch
+ cowsay
+ python3
+ ];
+
+ # TODO: firewalling
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ system.stateVersion = "23.05";
+
+ systemd.network = {
+ enable = true;
+
+ netdevs = {
+ "20-vlandmz" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "vlandmz";
+ };
+ vlanConfig.Id = 30;
+ };
+ "20-bridgedmz" = {
+ netdevConfig = {
+ Kind = "bridge";
+ Name = "bridgedmz";
+ };
+ };
+ };
+
+ networks = {
+ "30-main-nic" = {
+ matchConfig.Name = "en*";
+ networkConfig = {
+ DHCP = "yes";
+ };
+ vlan = [
+ "vlandmz"
+ ];
+ };
+ "40-vlandmz" = {
+ matchConfig.Name = "vlandmz";
+ networkConfig = {
+ IPv6AcceptRA = false;
+ LinkLocalAddressing = "no";
+ Bridge = "bridgedmz";
+ };
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+ "40-bridgedmz" = {
+ matchConfig.Name = "bridgedmz";
+ networkConfig = {
+ IPv6AcceptRA = false;
+ LinkLocalAddressing = "no";
+ };
+ linkConfig.RequiredForOnline = "carrier";
+ };
+ };
+ };
+
+ virtualisation.libvirtd.enable = true;
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..83c429e
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1699169573,
+ "narHash": "sha256-cvUb1xZkvOp3W2SzylStrTirhVd9zCeo5utJl9nSIhw=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "aeefe2054617cae501809b82b44a8e8f7be7cc4b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-23.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..86c591c
--- /dev/null
+++ b/flake.nix
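Review bot: `HostKey /etc/ssh/ssh_user_ed25519_key` inside `programs.ssh.extraConfig` is an sshd_config directive written into the client-side /etc/ssh/ssh_config; the keyword that selects the client's private key there is `IdentityFile`, and ssh normally treats an unknown keyword in its config as a fatal "Bad configuration option", which would likely break every outgoing ssh from this host, including the certificate-based trust for `*.hyp` and `*.dmz` that the same block configures. The two lines should read `CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub` and `IdentityFile /etc/ssh/ssh_user_ed25519_key`. The `HostCertificate` line under `services.openssh.extraConfig` is the server-side counterpart and is in the right place.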
@@ -0,0 +1,22 @@ +{ + description = "NixOS definitions for our physical servers"; + + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + }; + + outputs = { + self, + nixpkgs, + ... + } @ attrs: { + formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra; + nixosConfigurations.jefke = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = attrs; + modules = [ + ./configuration.nix + ]; + }; + }; +} diff --git a/hardware-configuration.nix b/hardware-configuration.nix new file mode 100644 index 0000000..92d49b2 --- /dev/null +++ b/hardware-configuration.nix @@ -0,0 +1,34 @@ +{ + config, + lib, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/b78f591c-c9b6-4dae-9837-56716d38990b"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/6936-84C2"; + fsType = "vfat"; + }; + + swapDevices = [ + {device = "/dev/disk/by-uuid/79fbd322-e58d-4e45-8969-06ef494cefea";} + ]; + + networking.useDHCP = false; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/secrets/.envrc b/secrets/.envrc new file mode 100644 index 0000000..3550a30 --- /dev/null +++ b/secrets/.envrc @@ -0,0 +1 @@ +use flake diff --git a/secrets/.gitignore b/secrets/.gitignore new file mode 100644 index 0000000..92b2793 --- /dev/null +++ b/secrets/.gitignore @@ -0,0 +1 @@ +.direnv diff --git a/secrets/README.md b/secrets/README.md new file mode 100644 index 0000000..f51972c --- /dev/null +++ b/secrets/README.md 
@@ -0,0 +1,7 @@
+We can for now keep using Ansible vault to deploy secrets.
+The steps for setting up a hypervisor will thus become:
+1. Manually install NixOS
+2. Configure SSH and install authorized keys
+3. Ensure python3 is present on the system
+4. Run Ansible script to copy secrets
+5. Run Nix to configure everything else
diff --git a/secrets/ansible.cfg b/secrets/ansible.cfg
new file mode 100644
index 0000000..816bbb8
--- /dev/null
+++ b/secrets/ansible.cfg
@@ -0,0 +1,8 @@
+[defaults]
+inventory=inventory
+vault_password_file=$HOME/.config/home/ansible-vault-secret
+host_key_checking = False
+remote_user = root
+
+[diff]
+always = True
diff --git a/secrets/deploy.yml b/secrets/deploy.yml
new file mode 100644
index 0000000..4d2f64d
--- /dev/null
+++ b/secrets/deploy.yml
@@ -0,0 +1,32 @@
+- name: Deploy secrets
+ hosts: jefke
+ tasks:
+ - name: Place user certificate
+ copy:
+ src: files/jefke_user_ed25519.crt
+ dest: /etc/ssh/ssh_user_ed25519_key-cert.pub
+
+ - name: Place user public key
+ copy:
+ src: files/jefke_user_ed25519.pub
+ dest: /etc/ssh/ssh_user_ed25519_key.pub
+
+ - name: Place user private key
+ copy:
+ src: files/jefke_user_ed25519
+ dest: /etc/ssh/ssh_user_ed25519_key
+
+ - name: Place host certificate
+ copy:
+ src: files/jefke_host_ed25519.crt
+ dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
+
+ - name: Place host public key
+ copy:
+ src: files/jefke_host_ed25519.pub
+ dest: /etc/ssh/ssh_host_ed25519_key.pub
+
+ - name: Place host private key
+ copy:
+ src: files/jefke_host_ed25519
+ dest: /etc/ssh/ssh_host_ed25519_key
diff --git a/secrets/files/jefke_host_ed25519 b/secrets/files/jefke_host_ed25519
new file mode 100644
index 0000000..1b2f8fa
--- /dev/null
+++ b/secrets/files/jefke_host_ed25519
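Review bot: `host_key_checking = False` in secrets/ansible.cfg switches off SSH host-key verification for every run of this playbook, so the play that ships the host's private keys would connect to whatever answers as jefke.hyp. The host certificate being deployed is signed by the `*.hyp` CA that configuration.nix in this same commit already pins, so the controller's known_hosts can carry `@cert-authority *.hyp ssh-ed25519 <CA public key from configuration.nix>` and the line can become `host_key_checking = True`. The first-install case described in secrets/README.md can be covered with a one-off `ANSIBLE_HOST_KEY_CHECKING=False` on that single command rather than a permanent config setting.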
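Review bot: The "Place user private key" and "Place host private key" tasks set no `mode:`, so the key files land with the remote default (umask-derived, commonly 0644), leaving the private keys readable by every local user, and the ssh client declines to use an identity file whose permissions allow group or other access. Add `mode: "0600"` to those two `copy:` tasks, and `mode: "0644"` to the public-key and certificate tasks so the intent is explicit. Because secrets/ansible.cfg in this commit sets `[diff] always = True`, a change to these files prints their contents as a diff on the console; `no_log: true` on the two private-key tasks keeps the decrypted key material out of the terminal and any captured log.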
@@ -0,0 +1,25 @@ +$ANSIBLE_VAULT;1.1;AES256 +37613631656435623262663132613734663862346638313566623466663838333634663934663539 +3035363062373461313937383365383233643861346562660a666235323134663361366635343037 +35316364633964333963363866333364333834646636326632313261633863616661373763346539 +3266346433356362620a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diff --git a/secrets/files/jefke_host_ed25519.crt b/secrets/files/jefke_host_ed25519.crt new file mode 100644 index 0000000..5243924 --- /dev/null +++ b/secrets/files/jefke_host_ed25519.crt @@ -0,0 +1 @@ +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIHzQMMRr2vNtTW3joxPzQYjFFu3iI/WyIRVD18YKY61CAAAAIKTzrsjwRmKg3JbRLY/RrWnIBfCupfFdMWZ/8AQAXg9uAAAAAAAAAAAAAAACAAAACWplZmtlLmh5cAAAAA0AAAAJamVma2UuaHlwAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgXNGQfd38pUlCi6zBj8Myl6dZsMVU6cjdW63TFHR7W1sAAABTAAAAC3NzaC1lZDI1NTE5AAAAQPNDgNAOmp5Gl//mjEHF2H5Yi8GIFfyiRm8nJ2UkGXzpNr3+bQvQhPigziuXO0+8910yY9QzXTfvc4mgAT1gpgU= root@jefke diff --git a/secrets/files/jefke_host_ed25519.pub b/secrets/files/jefke_host_ed25519.pub new file mode 100644 index 0000000..f20ed71 --- /dev/null +++ b/secrets/files/jefke_host_ed25519.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTzrsjwRmKg3JbRLY/RrWnIBfCupfFdMWZ/8AQAXg9u root@jefke diff --git a/secrets/files/jefke_user_ed25519 b/secrets/files/jefke_user_ed25519 new file mode 100644 index 0000000..68f9b78 --- /dev/null +++ b/secrets/files/jefke_user_ed25519 
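Review bot: The certificate in secrets/files/jefke_host_ed25519.crt, as far as its base64 fields can be read here, carries serial 0 and a validity window from 0 to 2^64-1, i.e. a host certificate that never expires; secrets/files/jefke_user_ed25519.crt later in this commit appears to have the same serial and window. Without an expiry, trust in the `*.hyp` CA pinned in configuration.nix only ends with a CA rotation, and with every certificate at serial 0 a KRL cannot revoke one certificate by serial. Re-issuing with a bounded `-V` interval and a distinct `-z` serial in ssh-keygen, and recording the renewal date next to the vault files, would keep the CA setup revocable.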
@@ -0,0 +1,25 @@ +$ANSIBLE_VAULT;1.1;AES256 +61393933316139623835666133666433393235376532643538363733656439356465393062636265 +3236373661386566326631636333346430316264616537320a386336376239613865363032666239 +63616166363837393562643836333765393536363564636365616638333939323436383735616262 +3331363766353038620a626662666331613734313564636564633238653762336364666237353635 +36353837666366346565626162666466353661646630376261643133393966336236656234626139 +38326164366565646539396139343538636234646330623965623430303535316131636261336133 +61373763326566666565366432353535653430326466316130376337656431363038666334653332 +63646439323635303432653536643464666266303533633330663137376432353563366133663661 +31393430356235323535303562323662313936393132383162316238666162373232313736646630 +34343131393963313839393330356539636532613936383932393537346134356337306336633434 +32653961616161656136306234313335653336336230366237303336346631623735646564323962 +31316165333264613433313761393936643433323762363161393730363161613839333038363032 +63393038346365353362366639386334666134613961383033306566333361373630353539366635 +32363732353262313436376462616437363337623933363964333763396233656438346638633432 +66383338336237313266666161656633656264623532633764333565663331666665623031353265 +31646233383238313734633234653666313734343263653936333636323463653636333535656565 +30646133366265363938363561623335653239643637656339393236313535326366643238396562 +30623631656530353362613536633935343131353961353735333561626463353632623465613063 +37373661333339353030626437653863653736353939643966373834663262383035336337656335 +34333836373535373164623436666465346564356539313032316130616439323161653134646364 +32363938356235343736396431333639656366663130366439363062643137326162366563346266 +30343834386135616663613964353262333462613465646362353437373362326363326136333131 +66356466656162393038316361323335363261653036316533646563376262353039623939306663 +35333430633836373064 
diff --git a/secrets/files/jefke_user_ed25519.crt b/secrets/files/jefke_user_ed25519.crt new file mode 100644 index 0000000..522a1de --- /dev/null +++ b/secrets/files/jefke_user_ed25519.crt @@ -0,0 +1 @@ +ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIKdTRygvLfapNY6umK+TdoqWDIq4ZzXLZlUJ/lVvkuqtAAAAINZ3aw6gjrOt561j1Mh7kINqlavorKeujN1Q8mn/Fy69AAAAAAAAAAAAAAABAAAACWplZmtlLmh5cAAAABsAAAAJamVma2UuaHlwAAAACmh5cGVydmlzb3IAAAAAAAAAAP//////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgdmt4SFL+swd8kHsh6cQR+TfzMKObJx75fYBbHNT83zUAAABTAAAAC3NzaC1lZDI1NTE5AAAAQI36zBw4Epr1ijXBk7T5JENgisn4SbVTLkhYBWCquHcAv3nFFJOEZ1kdC/SfYaDwmXb/rNybpr3942wF0xD3/ws= root@jefke diff --git a/secrets/files/jefke_user_ed25519.pub b/secrets/files/jefke_user_ed25519.pub new file mode 100644 index 0000000..2ff4efc --- /dev/null +++ b/secrets/files/jefke_user_ed25519.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZ3aw6gjrOt561j1Mh7kINqlavorKeujN1Q8mn/Fy69 root@jefke diff --git a/secrets/flake.lock b/secrets/flake.lock new file mode 100644 index 0000000..342453d --- /dev/null +++ b/secrets/flake.lock @@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1698434055, + "narHash": "sha256-Phxi5mUKSoL7A0IYUiYtkI9e8NcGaaV5PJEaJApU1Ko=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "1a3c95e3b23b3cdb26750621c08cc2f1560cb883", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/secrets/flake.nix b/secrets/flake.nix new file mode 100644 index 0000000..f39a364 --- /dev/null +++ b/secrets/flake.nix 
@@ -0,0 +1,26 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+ };
+
+ outputs = {
+ self,
+ nixpkgs,
+ ...
+ }: let
+ supportedSystems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"];
+ forEachSupportedSystem = f:
+ nixpkgs.lib.genAttrs supportedSystems (system:
+ f {
+ pkgs = import nixpkgs {inherit system;};
+ });
+ in {
+ devShells = forEachSupportedSystem ({pkgs}: {
+ default = pkgs.mkShell {
+ packages = with pkgs; [
+ ansible
+ ];
+ };
+ });
+ };
+}
diff --git a/secrets/inventory/hosts.yml b/secrets/inventory/hosts.yml
new file mode 100644
index 0000000..3b608e7
--- /dev/null
+++ b/secrets/inventory/hosts.yml
@@ -0,0 +1,5 @@
+all:
+ hosts:
+ jefke:
+ ansible_user: root
+ ansible_host: jefke.hyp