From 3c39c5aaa4b22ebdf280edfb972b99fd897803c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20BARNOUIN?= Date: Mon, 9 Sep 2024 10:48:56 +0200 Subject: [PATCH] First commit --- configuration.nix | 102 ++++++++++++++++++++++ flake.lock | 121 +++++++++++++++++++++++++++ flake.nix | 76 +++++++++++++++++ hardware-configuration.nix | 33 ++++++++ home.nix | 116 +++++++++++++++++++++++++ services/default.nix | 7 ++ services/minimalConfig/default.nix | 121 +++++++++++++++++++++++++++ services/nginx/default.nix | 130 +++++++++++++++++++++++++++++ systems/default.nix | 78 +++++++++++++++++ 9 files changed, 784 insertions(+) create mode 100644 configuration.nix create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 hardware-configuration.nix create mode 100644 home.nix create mode 100644 services/default.nix create mode 100644 services/minimalConfig/default.nix create mode 100644 services/nginx/default.nix create mode 100644 systems/default.nix diff --git a/configuration.nix b/configuration.nix new file mode 100644 index 0000000..25523a9 --- /dev/null +++ b/configuration.nix 
@@ -0,0 +1,102 @@ +{ config, lib, pkgs, ... }: + +{ imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + nix.settings = { + experimental-features = [ "nix-command" "flakes" ]; + trusted-users = [ "@wheel" ]; + }; + + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only + boot.kernel.sysctl."vm.swapiness" = 1; + + networking.useNetworkd = true; + + systemd.network.enable = true; + systemd.network.networks."10-lan" = { + matchConfig.Name = ["enp1s0" "vm-*"]; + networkConfig = { + Bridge = "br0"; + }; + }; + + systemd.network.netdevs."br0" = { + netdevConfig = { + Name = "br0"; + Kind = "bridge"; + }; + }; + + systemd.network.networks."10-lan-bridge" = { + matchConfig.Name = "br0"; + networkConfig = { + Address = ["192.168.122.31/24"]; + Gateway = "192.168.122.1"; + DNS = ["192.168.122.1"]; + IPv6AcceptRA = true; + }; + linkConfig.RequiredForOnline = "routable"; + }; + + time.timeZone = "Europe/Paris"; + i18n.defaultLocale = "fr_FR.UTF-8"; console = { + useXkbConfig = true; # use xkb.options in tty. + }; + + users.users = { + tbarnouin = { + isNormalUser = true; + description = "Théo Barnouin"; + extraGroups = [ + "networkmanager" + "wheel" + "libvirtd" + "docker" + "render" + "video" + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" + ]; + }; + root = { + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" + ]; + }; + }; + + environment.systemPackages = with pkgs; [ + vim + htop + wget + curl + git + neofetch + libvirt + qemu_kvm + nmap + ]; + + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + X11Forwarding = false; + PermitRootLogin = "prohibit-password"; + }; + }; + + # Open ports in the firewall. 
+ networking.firewall.allowedTCPPorts = [ 22 ]; + #networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. networking.firewall.enable = false; + + system.stateVersion = "24.05"; # Did you read the comment? + +} + diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..fa40179 --- /dev/null +++ b/flake.lock 
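Review bot: The sysctl key in `boot.kernel.sysctl."vm.swapiness" = 1;` is misspelled; the kernel knob is `vm.swappiness`, so systemd-sysctl will log a write error at activation and the setting has no effect — change it to `boot.kernel.sysctl."vm.swappiness" = 1;`. The line `# Or disable the firewall altogether. networking.firewall.enable = false;` appears to have lost a line break in this rendering; if the second statement is not actually commented out it disables the host firewall and makes `allowedTCPPorts = [ 22 ]` meaningless, so this is worth confirming in the file itself. Root also carries its own authorized key, and the user is in `docker` and `libvirtd`, both of which are effectively root-equivalent; if the intent is to always log in as the user and escalate through `wheel`, the root key can be dropped and `PermitRootLogin` set to `"no"` rather than `"prohibit-password"`.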
@@ -0,0 +1,121 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1725703823, + "narHash": "sha256-tDgM4d8mLK0Hd6YMB2w1BqMto1XBXADOzPEaLl10VI4=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "208df2e558b73b6a1f0faec98493cb59a25f62ba", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.05", + "repo": "home-manager", + "type": "github" + } + }, + "microvm": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "spectrum": "spectrum" + }, + "locked": { + "lastModified": 1725664757, + "narHash": "sha256-kUMgeF3hHJM8aBpdazNgtCeeOTrWext6lHfrYmC6otU=", + "owner": "astro", + "repo": "microvm.nix", + "rev": "caac7808d1e31f8a0fa408338cd3736947cb226d", + "type": "github" + }, + "original": { + "owner": "astro", + "repo": "microvm.nix", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1725693463, + "narHash": "sha256-ZPzhebbWBOr0zRWW10FfqfbJlan3G96/h3uqhiFqmwg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "68e7dce0a6532e876980764167ad158174402c6f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "microvm": "microvm", + "nixpkgs": "nixpkgs" + } + }, + "spectrum": { + "flake": false, + "locked": { + "lastModified": 1720264467, + "narHash": "sha256-xzM92n3Q9L90faJIJrkrTtTx+JqCGRHMkHWztkV4PuY=", + "ref": "refs/heads/main", + "rev": 
"fb59d42542049f586c84b0f8bb86ff3be338e9d3", + "revCount": 674, + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + }, + "original": { + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..6541d3b --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,76 @@
+{
+ description = "A simple system flake using some Aux defaults";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+ home-manager = {
+ url = "github:nix-community/home-manager/release-24.05";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ microvm.url = "github:astro/microvm.nix";
+ microvm.inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs = inputs@{ nixpkgs, home-manager, microvm, ... }:
+ let
+ system = "x86_64-linux";
+ username = "tbarnouin";
+ in
+ {
+ nixosConfigurations = {
+ nixos = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./configuration.nix
+ {
+ networking.hostName = "nixos";
+ }
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.${username} = import ./home.nix;
+ }
+ microvm.nixosModules.host
+ {
+ microvm = {
+ autostart = [
+ "nginx"
+ ];
+ vms = {
+ nginx = {
+ flake = self;
+ updateFlake = "git+file:///etc/nixos";
+ };
+ };
+ };
+ }
+ ];
+
+ specialArgs = {
+ inherit inputs;
+ inherit username;
+ };
+ };
+ nginx = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ microvm.nixosModules.microvm
+ "${inputs.self}/systems"
+ "${inputs.self}/services"
+ {
+ services.vm_nginx = {
+ enable = true;
+ };
+ services.vm = {
+ enable = true;
+ hostname = "nginx";
+ vm_ip = "192.168.122.40";
+ macAddr = "02:00:00:00:00:40";
+ };
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..4e3f911
--- /dev/null
+++ b/hardware-configuration.nix
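Review bot: `flake = self;` inside `microvm.vms.nginx` references an unbound variable — the outputs function binds its argument set as `inputs@{ nixpkgs, home-manager, microvm, ... }` and never destructures `self`, while the `nginx` configuration below correctly writes `inputs.self`; evaluating the `nixos` host will fail until this reads `flake = inputs.self;`. The `nginx` nixosSystem also passes no `specialArgs`, yet `services/default.nix` and `systems/default.nix` declare `inputs` (and `microvm`) as module arguments without defaults; unless the microvm module supplies those names, that evaluation fails too, so mirroring `specialArgs = { inherit inputs; };` there looks necessary. `updateFlake = "git+file:///etc/nixos"` presumes the host keeps this repository as a git checkout at that path; a one-line comment stating that requirement would save the next maintainer a puzzled rebuild.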
@@ -0,0 +1,33 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/cd191c1d-d2d7-44ae-8a9a-75ad7d8228a4"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/335e1191-f20f-4afc-bc2b-b156cf8dc2c2"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/home.nix b/home.nix new file mode 100644 index 0000000..9550c95 --- /dev/null +++ b/home.nix 
@@ -0,0 +1,116 @@ +{ config, pkgs, ... }: +{ + home = { + username = "tbarnouin"; + stateVersion = "24.05"; + sessionPath = [ + "$HOME/.local/bin" + ]; + file.".ssh/authorized_keys".text = '' + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos + ''; + }; + programs = { + git = { + enable = true; + }; + vim = { + enable = true; + plugins = with pkgs.vimPlugins; [ + vim-airline + vim-airline-themes + vim-bufferline + vim-markdown + markdown-preview-nvim + tabular + ]; + settings = { + expandtab = true; + ignorecase = true; + smartcase = true; + number = true; + shiftwidth = 2; + tabstop = 2; + }; + extraConfig = '' + set nocompatible + filetype on + filetype plugin on + filetype indent on + syntax on + set nobackup + set showcmd + set showmode + set showmatch + set hlsearch + set wrap + set linebreak + set textwidth=0 + set wrapmargin=0 + set scrolloff=15 + + highlight ExtraWhitespace ctermbg=red guibg=red + autocmd BufWritePre * :%s/\s\+$//e + + inoremap " "" + inoremap \' \'\' + inoremap ( () + inoremap [ [] + inoremap { {} + + let g:vim_markdown_folding_disabled = 1 + let g:mkdp_auto_start = 1 + let g:mkdp_auto_close = 1 + let g:airline_theme='molokai' + ''; + }; + zsh = { + enable = true; + shellAliases = { + ll = "ls -l"; + lla = "ls -lah"; + terraform = "tofu"; + # Nixos + update = "sudo nixos-rebuild switch"; + upgrade = "sudo nix-channel --update && sudo nixos-rebuild switch --upgrade"; + # Kitty + #ssh = "kitten ssh"; + icat = "kitten icat"; + }; + oh-my-zsh = { + enable = true; + plugins = + [ + "git" + "terraform" + "sudo" + "docker" + "pip" + "python" + "pyenv" + "pipenv" + ]; + theme = "bira"; + }; + initExtra = '' + export MAMBA_EXE="/etc/profiles/per-user/tbarnouin/bin/micromamba"; + export MAMBA_ROOT_PREFIX="/home/tbarnouin/micromamba"; + __mamba_setup="$("$MAMBA_EXE" shell hook --shell zsh --prefix "$MAMBA_ROOT_PREFIX" 2> /dev/null)" + if [ $? 
-eq 0 ]; then + eval "$__mamba_setup" + else + if [ -f "/home/tbarnouin/micromamba/etc/profile.d/micromamba.sh" ]; then + . "/home/tbarnouin/micromamba/etc/profile.d/micromamba.sh" + else + export PATH="/home/tbarnouin/micromamba/bin:$PATH" + fi + fi + unset __mamba_setup + ''; + }; + tmux = { + enable = true; + mouse = true; + }; + }; +} diff --git a/services/default.nix b/services/default.nix new file mode 100644 index 0000000..706b899 --- /dev/null +++ b/services/default.nix @@ -0,0 +1,7 @@ +{ inputs, ... }: +{ + imports = [ + ./nginx + ./minimalConfig + ]; +} diff --git a/services/minimalConfig/default.nix b/services/minimalConfig/default.nix new file mode 100644 index 0000000..d1f10f3 --- /dev/null +++ b/services/minimalConfig/default.nix 
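Review bot: `file.".ssh/authorized_keys".text` installs the same public key that configuration.nix already deploys through `users.users.tbarnouin.openssh.authorizedKeys.keys`, so the key now lives in two places that can drift; the NixOS option writes `/etc/ssh/authorized_keys.d/tbarnouin`, which sshd reads by default, so the home-manager file can be dropped. The `initExtra` block hard-codes `/home/tbarnouin` in four places; `${config.home.homeDirectory}` (or `$HOME` in the shell text) keeps it valid if the home path or username changes. Nothing in this commit installs a `tofu` or `micromamba` binary, so the `terraform = "tofu"` alias and the `MAMBA_EXE` hook only work if those are provisioned elsewhere — a comment naming where, or adding the packages to `home.packages`, would make that explicit.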
@@ -0,0 +1,121 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+ nix = {
+ settings.experimental-features = [ "nix-command" "flakes" ];
+ settings.trusted-users = [ "@wheel" ];
+ };
+
+ networking = {
+ hostName = "${config.services.vm.hostname}";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 9002 ];
+ };
+ };
+
+ time.timeZone = "Europe/Paris";
+ console.keyMap = "fr";
+ i18n.defaultLocale = "fr_FR.UTF-8";
+ environment.sessionVariables = rec {
+ TERM = "xterm-256color";
+ };
+
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+ users = {
+ users.tbarnouin = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILy03fJvfWQtzHgAdH0OPwwcGzdggyuPkveystyrm5+I tbarnouin@gitea-actions-runner"
+ ];
+ initialPassword = "test";
+ };
+ users.root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILy03fJvfWQtzHgAdH0OPwwcGzdggyuPkveystyrm5+I tbarnouin@gitea-actions-runner"
+ ];
+ };
+ };
+
+ programs = {
+ zsh = {
+ enable = true;
+ shellAliases = {
+ ll = "ls -l";
+ lla = "ls -lah";
+ };
+ ohMyZsh = {
+ enable = true;
+ plugins = [ "git" ];
+ theme = "bira";
+ };
+ };
+ tmux = {
+ enable = true;
+ };
+ };
+
+ nixpkgs.config.allowUnfree = true;
+ environment = {
+ localBinInPath = true;
+ systemPackages = with pkgs; [
+ vim
+ bash
+ wget
+ curl
+ git
+ htop
+ tree
+ dig
+ ncdu
+ nmap
+ iperf3
+ netcat-openbsd
+ ];
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ settings.PermitRootLogin = "prohibit-password";
+ hostKeys = [
+ {
+ path =
"/var/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+ fail2ban = {
+ enable = true;
+ ignoreIP = [ "192.168.122.0/24" ];
+ };
+ rsyslogd = {
+ enable = true;
+ };
+ prometheus = {
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ };
+ };
+ };
+ };
+
+ system = {
+ stateVersion = "24.05";
+ activationScripts.ensure-ssh-key-dir.text = "mkdir -p /var/ssh";
+ };
+}
diff --git a/services/nginx/default.nix b/services/nginx/default.nix
new file mode 100644
index 0000000..a7f19e6
--- /dev/null
+++ b/services/nginx/default.nix
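Review bot: `initialPassword = "test";` combined with `security.sudo.wheelNeedsPassword = false;` gives the only wheel user a well-known password and passwordless root escalation; SSH password login is off, but the guest console and any process running as that user still get it. Since access is key-based, drop `initialPassword` (or set `hashedPassword` with `users.mutableUsers = false;`) and consider leaving `wheelNeedsPassword` at its default. `environment.sessionVariables = rec { ... }` uses `rec` with no self-reference; plain `environment.sessionVariables = { TERM = "xterm-256color"; };` is clearer. Port 9002 is opened for the node exporter without authentication; judging by `vm_ip` it is only reachable on the bridge network, but a comment recording that assumption would help, since this same guest also publishes 80/443. The hunk's `hostKeys` entry starts at the end of the preceding line.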
@@ -0,0 +1,130 @@
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.services.vm_nginx;
+in
+{
+ options.services.vm_nginx = {
+ enable = lib.mkEnableOption "Enable minimal config";
+ };
+ config = lib.mkIf cfg.enable {
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "theo.barnouin@le43.eu";
+ };
+ services = {
+ fail2ban = {
+ jails = {
+ nginx-http-auth = ''
+ enabled = true
+ port = http,https
+ logpath = /var/log/nginx/*.log
+ backend = polling
+ journalmatch =
+ '';
+ nginx-botsearch = ''
+ enabled = true
+ port = http,https
+ logpath = /var/log/nginx/*.log
+ backend = polling
+ journalmatch =
+ '';
+ nginx-bad-request = ''
+ enabled = true
+ port = http,https
+ logpath = /var/log/nginx/*.log
+ backend = polling
+ journalmatch =
+ '';
+ };
+ };
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ clientMaxBodySize = "10000m";
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ appendHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+ client_body_buffer_size 400M;
+ '';
+ user = "tbarnouin";
+ logError = "syslog:server=unix:/dev/log";
+ commonHttpConfig = ''
+ access_log syslog:server=unix:/dev/log;
+ '';
+ virtualHosts."logs.le43.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://192.168.1.20:3000";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ };
+ virtualHosts."play.le43.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://192.168.1.42:8096";
+ recommendedProxySettings = true;
+ };
+ };
+ virtualHosts."cloud.le43.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://192.168.1.44";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ };
+ virtualHosts."collabora.le43.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://192.168.1.46:9980";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ };
+ virtualHosts."git.le43.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://192.168.1.14:3000";
+ recommendedProxySettings = true;
+ };
+ };
+ virtualHosts."authentik.le43.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://192.168.1.41";
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ };
+}
diff --git a/systems/default.nix b/systems/default.nix
new file mode 100644
index 0000000..0dd4d64
--- /dev/null
+++ b/systems/default.nix
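Review bot: `user = "tbarnouin";` runs the nginx worker processes as the interactive admin account, which `services/minimalConfig` places in `wheel` with `wheelNeedsPassword = false`, so a compromised worker would inherit passwordless sudo; the module's default `nginx` system user is the correct choice here, and the syslog `logError`/`access_log` targets do not need a specific user. The three fail2ban jails watch `logpath = /var/log/nginx/*.log`, but `commonHttpConfig` routes the access log to syslog and `logError` does the same for errors, so those files will most likely never be written and the jails match nothing — either switch them to `backend = systemd` with a `journalmatch` for the nginx unit, or keep a file log for fail2ban to read. `client_body_buffer_size 400M;` lets each request body hold up to 400 MB in memory before spooling, which together with `clientMaxBodySize = "10000m"` makes memory exhaustion from a handful of concurrent uploads cheap; a buffer in the low-megabyte range with the remainder spooled to disk is the usual setting. `add_header X-Frame-Options DENY;` at http level reaches every vhost including `collabora.le43.eu`, which is normally embedded in a frame by the cloud host — confirm that vhost still works, and note that http-level `add_header` directives are discarded for any server or location that sets its own.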
@@ -0,0 +1,78 @@
+{ inputs, lib, config, microvm, ... }:
+let
+ cfg = config.services.vm;
+in
+{
+ options.services.vm = {
+ enable = lib.mkEnableOption "Enable minimal config";
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ description = "The VM hostname";
+ };
+ vm_ip = lib.mkOption {
+ type = lib.types.str;
+ description = "The VM IP address";
+ };
+ macAddr = lib.mkOption {
+ type = lib.types.str;
+ description = "The VM MAC Address";
+ };
+ vm_mem = lib.mkOption {
+ type = lib.types.int;
+ description = "The VM memory count";
+ default = 0;
+ };
+ vm_cpu = lib.mkOption {
+ type = lib.types.int;
+ description = "The VM CPU count";
+ default = 1;
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ microvm = {
+ vcpu = cfg.vm_cpu;
+ balloonMem = cfg.vm_mem;
+ volumes = [
+ {
+ mountPoint = "/var";
+ image = "/var/lib/microvms/${cfg.hostname}/var.img";
+ size = 8192;
+ }
+ ];
+ shares = [
+ {
+ proto = "virtiofs";
+ tag = "ro-store";
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ }
+ {
+ proto = "virtiofs";
+ tag = "${cfg.hostname}-env";
+ source = "/var/lib/microvms/${cfg.hostname}/env";
+ mountPoint = "/run/secrets/${cfg.hostname}";
+ }
+ ];
+ interfaces = [ {
+ type = "tap";
+ id = "vm-${cfg.hostname}";
+ mac = "${cfg.macAddr}";
+ } ];
+
+ hypervisor = "qemu";
+ socket = "control.socket";
+ };
+ systemd.network.enable = true;
+
+ systemd.network.networks."20-lan" = {
+ matchConfig.Type = "ether";
+ networkConfig = {
+ Address = ["${cfg.vm_ip}/24"];
+ Gateway = "192.168.122.1";
+ DNS = ["192.168.122.1"];
+ IPv6AcceptRA = true;
+ DHCP = "no";
+ };
+ };
+ };
+}
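Review bot: `vm_ip` and `macAddr` are typed `lib.types.str`, so a malformed address is only discovered when networkd or the tap device fails inside the guest; `lib.types.strMatching` with an IPv4 pattern and a MAC pattern would reject it at evaluation time, and the `/24` appended in `Address = ["${cfg.vm_ip}/24"]` deserves a comment since the option description calls it an "IP address" with no prefix. `enable = lib.mkEnableOption "Enable minimal config";` renders as "Whether to enable Enable minimal config." and is copied verbatim into the nginx module; `lib.mkEnableOption "the microvm guest baseline"` reads correctly. `mac = "${cfg.macAddr}";` (and `hostName = "${config.services.vm.hostname}";` in minimalConfig) wrap a string in another string; `mac = cfg.macAddr;` is the idiom. The `/run/secrets/${cfg.hostname}` virtiofs share is the only channel for secrets into the guest, and nothing in this commit creates or documents `/var/lib/microvms/<hostname>/env` on the host — a comment stating who provisions that directory and what ownership it must have would help.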