From 8aab61936f29c579691696955fb44b6908e6fb75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Thu, 12 Dec 2024 17:19:28 +0100
Subject: [PATCH] Separate minimal configs
---
 systems/default.nix | 6 -
 systems/microvm.nix | 78 -------------
 systems/minimalLXCConfig.nix | 132 +++++++++++++++++++++
 systems/minimalMicrovmConfig.nix | 195 +++++++++++++++++++++++++++++++
 systems/minimalVMConfig.nix | 120 +++++++++++++++++++
 5 files changed, 447 insertions(+), 84 deletions(-)
 delete mode 100644 systems/default.nix
 delete mode 100644 systems/microvm.nix
 create mode 100644 systems/minimalLXCConfig.nix
 create mode 100644 systems/minimalMicrovmConfig.nix
 create mode 100644 systems/minimalVMConfig.nix
diff --git a/systems/default.nix b/systems/default.nix
deleted file mode 100644
index 1c27987..0000000
--- a/systems/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ inputs, ... }:
-{
- imports = [
- ./microvm.nix
- ];
-}
diff --git a/systems/microvm.nix b/systems/microvm.nix
deleted file mode 100644
index 5fd71c7..0000000
--- a/systems/microvm.nix
+++ /dev/null
@@ -1,78 +0,0 @@
-{ inputs, lib, config, microvm, ... }:
-let
- cfg = config.services.micro_vm;
-in
-{
- options.services.micro_vm = {
- enable = lib.mkEnableOption "Enable NixOS microvm config";
- hostname = lib.mkOption {
- type = lib.types.str;
- description = "The VM hostname";
- };
- vm_ip = lib.mkOption {
- type = lib.types.str;
- description = "The VM IP address";
- };
- macAddr = lib.mkOption {
- type = lib.types.str;
- description = "The VM MAC Address";
- };
- vm_mem = lib.mkOption {
- type = lib.types.int;
- description = "The VM memory count";
- default = 0;
- };
- vm_cpu = lib.mkOption {
- type = lib.types.int;
- description = "The VM CPU count";
- default = 1;
- };
- };
- config = lib.mkIf cfg.enable {
- microvm = {
- vcpu = cfg.vm_cpu;
- balloonMem = cfg.vm_mem;
- volumes = [
- {
- mountPoint = "/var";
- image = "/var/lib/microvms/${cfg.hostname}/var.img";
- size = 8192;
- }
- ];
- shares = [
- {
- proto = "virtiofs";
- tag = "ro-store";
- source = "/nix/store";
- mountPoint = "/nix/.ro-store";
- }
- {
- proto = "virtiofs";
- tag = "${cfg.hostname}-env";
- source = "/var/lib/microvms/${cfg.hostname}/env";
- mountPoint = "/run/secrets/${cfg.hostname}";
- }
- ];
- interfaces = [ {
- type = "tap";
- id = "vm-${cfg.hostname}";
- mac = "${cfg.macAddr}";
- } ];
-
- hypervisor = "qemu";
- socket = "control.socket";
- };
- systemd.network.enable = true;
-
- systemd.network.networks."20-lan" = {
- matchConfig.Type = "ether";
- networkConfig = {
- Address = ["${cfg.vm_ip}/24"];
- Gateway = "192.168.1.254";
- DNS = ["192.168.1.254"];
- IPv6AcceptRA = true;
- DHCP = "no";
- };
- };
- };
-}
diff --git a/systems/minimalLXCConfig.nix b/systems/minimalLXCConfig.nix
new file mode 100644
index 0000000..cc45864
--- /dev/null
+++ b/systems/minimalLXCConfig.nix
@@ -0,0 +1,132 @@
+{ config, pkgs, lib, inputs, modulesPath, ... }:
+{
+
+ nix = {
+ settings.experimental-features = [ "nix-command" "flakes" ];
+ settings.trusted-users = [ "root" "@wheel" ];
+ };
+
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 9002 ];
+ };
+ };
+
+ boot.isContainer = true;
+ proxmoxLXC = {
+ enable = true;
+ privileged = false;
+ manageNetwork = false;
+ manageHostName = false;
+ };
+ systemd.suppressedSystemUnits = [
+ "dev-mqueue.mount"
+ "sys-kernel-debug.mount"
+ "sys-fs-fuse-connections.mount"
+ ];
+
+ time.timeZone = "Europe/Paris";
+ console.keyMap = "fr";
+ i18n.defaultLocale = "fr_FR.UTF-8";
+ environment.sessionVariables = rec {
+ TERM = "xterm-256color";
+ };
+
+ nix.gc = {
+ automatic = true;
+ dates = "daily";
+ options = "--delete-old";
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+ users = {
+ users.tbarnouin = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr"
+ ];
+ };
+ users.root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
+ ];
+ };
+ };
+
+ programs = {
+ zsh = {
+ enable = true;
+ shellAliases = {
+ ll = "ls -l";
+ lla = "ls -lah";
+ };
+ ohMyZsh = {
+ enable = true;
+ plugins = [ "git" ];
+ theme = "bira";
+ };
+ };
+ tmux = {
+ enable = true;
+ };
+ };
+
+ nixpkgs.config.allowUnfree = true;
+ environment = {
+ localBinInPath = true;
+ systemPackages = with pkgs; [
+ vim
+ bash
+ wget
+ curl
+ git
+ htop
+ tree
+ dig
+ ncdu
+ nmap
+ iperf3
+ netcat-openbsd
+ ];
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ settings.PermitRootLogin = "prohibit-password";
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+ fail2ban = {
+ enable = true;
+ };
+ rsyslogd = {
+ enable = true;
+ extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";
+ };
+ prometheus = {
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ };
+ };
+ };
+ };
+
+ system = {
+ stateVersion = "24.05";
+ activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh";
+ };
+}
diff --git a/systems/minimalMicrovmConfig.nix b/systems/minimalMicrovmConfig.nix
new file mode 100644
index 0000000..ce0ab8a
--- /dev/null
+++ b/systems/minimalMicrovmConfig.nix
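Review bot: The firewall line `allowedTCPPorts = [ 22 9002 ];` opens the node exporter on every interface to any source, and the exporter itself has no authentication, so any host that can reach port 9002 can read the systemd and host metrics it collects. Only the Prometheus scraper needs that port, so bind it with `services.prometheus.exporters.node.listenAddress` set to the management address, or move 9002 from the global list into `networking.firewall.interfaces.<iface>.allowedTCPPorts` for the scraper-facing interface. The same exposure is repeated in minimalMicrovmConfig.nix and minimalVMConfig.nix. Separately, the two authorized keys, the package list and the rsyslog target are copied verbatim across all three new files; a shared module imported by each would keep key rotation and collector changes in one place instead of three.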
@@ -0,0 +1,195 @@
+{ config, pkgs, lib, inputs, modulesPath, microvm, ... }:
+let
+ cfg = config.services.micro_vm;
+in
+{
+ options.services.micro_vm = {
+ enable = lib.mkEnableOption "Enable NixOS microvm config";
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ description = "The VM hostname";
+ };
+ vm_ip = lib.mkOption {
+ type = lib.types.str;
+ description = "The VM IP address";
+ };
+ macAddr = lib.mkOption {
+ type = lib.types.str;
+ description = "The VM MAC Address";
+ };
+ vm_mem = lib.mkOption {
+ type = lib.types.int;
+ description = "The VM memory count";
+ default = 0;
+ };
+ vm_cpu = lib.mkOption {
+ type = lib.types.int;
+ description = "The VM CPU count";
+ default = 1;
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ microvm = {
+ vcpu = cfg.vm_cpu;
+ balloonMem = cfg.vm_mem;
+ volumes = [
+ {
+ mountPoint = "/var";
+ image = "/var/lib/microvms/${cfg.hostname}/var.img";
+ size = 8192;
+ }
+ ];
+ shares = [
+ {
+ proto = "virtiofs";
+ tag = "ro-store";
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ }
+ {
+ proto = "virtiofs";
+ tag = "${cfg.hostname}-env";
+ source = "/var/lib/microvms/${cfg.hostname}/env";
+ mountPoint = "/run/secrets/${cfg.hostname}";
+ }
+ ];
+ interfaces = [ {
+ type = "tap";
+ id = "vm-${cfg.hostname}";
+ mac = "${cfg.macAddr}";
+ } ];
+
+ hypervisor = "qemu";
+ socket = "control.socket";
+ };
+ systemd.network.enable = true;
+
+ systemd.network.networks."20-lan" = {
+ matchConfig.Type = "ether";
+ networkConfig = {
+ Address = ["${cfg.vm_ip}/24"];
+ Gateway = "192.168.1.254";
+ DNS = ["192.168.1.254"];
+ IPv6AcceptRA = true;
+ DHCP = "no";
+ };
+ };
+
+ nix = {
+ settings.experimental-features = [ "nix-command" "flakes" ];
+ settings.trusted-users = [ "root" "@wheel" ];
+ };
+
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 9002 ];
+ };
+ };
+
+ time.timeZone = "Europe/Paris";
+ console.keyMap = "fr";
+ i18n.defaultLocale = "fr_FR.UTF-8";
+ environment.sessionVariables = rec {
+ TERM = "xterm-256color";
+ };
+
+ nix.gc = {
+ automatic = true;
+ dates = "daily";
+ options = "--delete-old";
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+ users = {
+ users.tbarnouin = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr"
+ ];
+ };
+ users.root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
+ ];
+ };
+ };
+
+ programs = {
+ zsh = {
+ enable = true;
+ shellAliases = {
+ ll = "ls -l";
+ lla = "ls -lah";
+ };
+ ohMyZsh = {
+ enable = true;
+ plugins = [ "git" ];
+ theme = "bira";
+ };
+ };
+ tmux = {
+ enable = true;
+ };
+ };
+
+ nixpkgs.config.allowUnfree = true;
+ environment = {
+ localBinInPath = true;
+ systemPackages = with pkgs; [
+ vim
+ bash
+ wget
+ curl
+ git
+ htop
+ tree
+ dig
+ ncdu
+ nmap
+ iperf3
+ netcat-openbsd
+ ];
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ settings.PermitRootLogin = "prohibit-password";
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+ fail2ban = {
+ enable = true;
+ };
+ rsyslogd = {
+ enable = true;
+ extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";
+ };
+ prometheus = {
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ };
+ };
+ };
+ };
+
+ system = {
+ stateVersion = "24.05";
+ activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh";
+ };
+ };
+}
+
diff --git a/systems/minimalVMConfig.nix b/systems/minimalVMConfig.nix
new file mode 100644
index 0000000..bb06f68
--- /dev/null
+++ b/systems/minimalVMConfig.nix
@@ -0,0 +1,120 @@
+{ config, pkgs, lib, inputs, modulesPath, ... }:
+{
+
+ nix = {
+ settings.experimental-features = [ "nix-command" "flakes" ];
+ settings.trusted-users = [ "root" "@wheel" ];
+ };
+
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 9002 ];
+ };
+ };
+
+ time.timeZone = "Europe/Paris";
+ console.keyMap = "fr";
+ i18n.defaultLocale = "fr_FR.UTF-8";
+ environment.sessionVariables = rec {
+ TERM = "xterm-256color";
+ };
+
+ nix.gc = {
+ automatic = true;
+ dates = "daily";
+ options = "--delete-old";
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+ users = {
+ users.tbarnouin = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr"
+ ];
+ };
+ users.root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
+ ];
+ };
+ };
+
+ programs = {
+ zsh = {
+ enable = true;
+ shellAliases = {
+ ll = "ls -l";
+ lla = "ls -lah";
+ };
+ ohMyZsh = {
+ enable = true;
+ plugins = [ "git" ];
+ theme = "bira";
+ };
+ };
+ tmux = {
+ enable = true;
+ };
+ };
+
+ nixpkgs.config.allowUnfree = true;
+ environment = {
+ localBinInPath = true;
+ systemPackages = with pkgs; [
+ vim
+ bash
+ wget
+ curl
+ git
+ htop
+ tree
+ dig
+ ncdu
+ nmap
+ iperf3
+ netcat-openbsd
+ ];
+ };
+
+ services = {
+ cloud-init.network.enable = true;
+ openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ settings.PermitRootLogin = "prohibit-password";
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+ fail2ban = {
+ enable = true;
+ };
+ rsyslogd = {
+ enable = true;
+ extraConfig = "*.*@192.168.1.27:514;RSYSLOG_SyslogProtocol23Format";
+ };
+ prometheus = {
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ };
+ };
+ };
+ };
+
+ system = {
+ stateVersion = "24.05";
+ activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh";
+ };
+}
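Review bot: `settings.PermitRootLogin = "prohibit-password";` combined with an authorized key on `users.root` and `security.sudo.wheelNeedsPassword = false;` leaves two paths to root, and the direct one bypasses the per-user trail that sudo would otherwise leave in the logs; since tbarnouin already has passwordless sudo, dropping the root key and setting `settings.PermitRootLogin = "no";` costs nothing operationally. The rsyslog rule `*.*@192.168.1.27:514` uses a single `@`, which in rsyslog means plain UDP: the forwarded logs are unencrypted, can be dropped silently, and a collector that goes away is never noticed; `@@` (TCP) or the rsyslog TLS driver is the usual minimum when the collector supports it. Both points apply unchanged to minimalLXCConfig.nix and minimalMicrovmConfig.nix. `cloud-init.network.enable = true;` means this image takes its addressing from the cloud-init datasource, unlike the static systemd-networkd setup in the microvm file — a short comment on that line would spare the next reader the comparison.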