From 8610a59f35092b11c7d2351e8cebd7897e470e10 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sat, 31 Aug 2024 22:23:09 +0200
Subject: [PATCH] base.nix: split into multiple files
---
 base.nix | 190 --------------------
 base/default.nix | 50 ++++++
 base/networking.nix | 16 ++
 base/nix.nix | 17 ++
 base/services/acme.nix | 15 ++
 base/services/auto-upgrade.nix | 12 ++
 base/services/logrotate.nix | 42 +++++
 base/services/nginx.nix | 44 +++++
 base/services/openssh.nix | 13 ++
 base/services/thermald.nix | 8 +
 hosts/bekkalokk/configuration.nix | 2 +-
 hosts/bicep/configuration.nix | 2 +-
 hosts/bob/configuration.nix | 2 +-
 hosts/brzeczyszczykiewicz/configuration.nix | 2 +-
 hosts/buskerud/configuration.nix | 2 +-
 hosts/georg/configuration.nix | 2 +-
 hosts/ildkule/configuration.nix | 2 +-
 hosts/shark/configuration.nix | 2 +-
 18 files changed, 225 insertions(+), 198 deletions(-)
 delete mode 100644 base.nix
 create mode 100644 base/default.nix
 create mode 100644 base/networking.nix
 create mode 100644 base/nix.nix
 create mode 100644 base/services/acme.nix
 create mode 100644 base/services/auto-upgrade.nix
 create mode 100644 base/services/logrotate.nix
 create mode 100644 base/services/nginx.nix
 create mode 100644 base/services/openssh.nix
 create mode 100644 base/services/thermald.nix
diff --git a/base.nix b/base.nix
deleted file mode 100644
index 9733a7f..0000000
--- a/base.nix
+++ /dev/null
@@ -1,190 +0,0 @@
-{ config, lib, pkgs, inputs, values, ... }:
-
-{
- imports = [
- ./users
- ./modules/snakeoil-certs.nix
- ];
-
- networking.domain = "pvv.ntnu.no";
- networking.useDHCP = false;
- # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
- # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
- # networking.tempAddresses = lib.mkDefault "disabled";
- # networking.defaultGateway = values.hosts.gateway;
-
- systemd.network.enable = true;
-
- services.resolved = {
- enable = lib.mkDefault true;
- dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
- };
-
- time.timeZone = "Europe/Oslo";
-
- i18n.defaultLocale = "en_US.UTF-8";
- console = {
- font = "Lat2-Terminus16";
- keyMap = "no";
- };
-
- system.autoUpgrade = {
- enable = true;
- flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
- flags = [
- "--update-input" "nixpkgs"
- "--update-input" "nixpkgs-unstable"
- "--no-write-lock-file"
- ];
- };
- nix.gc.automatic = true;
- nix.gc.options = "--delete-older-than 2d";
-
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
- /* This makes commandline tools like
- ** nix run nixpkgs#hello
- ** and nix-shell -p hello
- ** use the same channel the system
- ** was built with
- */
- nix.registry = {
- nixpkgs.flake = inputs.nixpkgs;
- };
- nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
-
- environment.systemPackages = with pkgs; [
- file
- git
- gnupg
- htop
- nano
- ripgrep
- rsync
- screen
- tmux
- vim
- wget
-
- kitty.terminfo
- ];
-
- programs.zsh.enable = true;
-
- users.groups."drift".name = "drift";
-
- # Trusted users on the nix builder machines
- users.groups."nix-builder-users".name = "nix-builder-users";
-
- # Let's not thermal throttle
- services.thermald.enable = lib.mkIf (lib.all (x: x) [
- (config.nixpkgs.system == "x86_64-linux")
- (!config.boot.isContainer or false)
- ]) true;
-
- services.openssh = {
- enable = true;
- extraConfig = ''
- PubkeyAcceptedAlgorithms=+ssh-rsa
- Match Group wheel
- PasswordAuthentication no
- Match All
- '';
- settings.PermitRootLogin = "yes";
- };
-
- # nginx return 444 for all nonexistent virtualhosts
-
- systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
-
- environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
- "/etc/certs/nginx" = {
- owner = "nginx";
- group = "nginx";
- };
- };
-
- services.nginx = {
- recommendedTlsSettings = true;
- recommendedProxySettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
-
- appendConfig = ''
- pcre_jit on;
- worker_processes auto;
- worker_rlimit_nofile 100000;
- '';
- eventsConfig = ''
- worker_connections 2048;
- use epoll;
- multi_accept on;
- '';
- };
-
- systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
- LimitNOFILE = 65536;
- };
-
- services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
- sslCertificate = "/etc/certs/nginx.crt";
- sslCertificateKey = "/etc/certs/nginx.key";
- addSSL = true;
- extraConfig = "return 444;";
- };
-
- # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
- systemd.services.logrotate = {
- documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
- unitConfig.RequiresMountsFor = "/var/log";
- serviceConfig = {
- Nice = 19;
- IOSchedulingClass = "best-effort";
- IOSchedulingPriority = 7;
-
- ReadWritePaths = [ "/var/log" ];
-
- AmbientCapabilities = [ "" ];
- CapabilityBoundingSet = [ "" ];
- DeviceAllow = [ "" ];
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true; # disable for third party rotate scripts
- PrivateDevices = true;
- PrivateNetwork = true; # disable for mail delivery
- PrivateTmp = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true; # disable for userdir logs
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "full";
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true; # disable for creating setgid directories
- SocketBindDeny = [ "any" ];
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- ];
- };
- };
-
- networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
-
- security.acme = {
- acceptTerms = true;
- defaults.email = "drift@pvv.ntnu.no";
- };
- # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
- virtualisation.vmVariant = {
- security.acme.defaults.server = "https://127.0.0.1";
- security.acme.preliminarySelfsigned = true;
-
- users.users.root.initialPassword = "root";
- };
-
-}
diff --git a/base/default.nix b/base/default.nix
new file mode 100644
index 0000000..a26598b
--- /dev/null
+++ b/base/default.nix
@@ -0,0 +1,50 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ../users
+ ../modules/snakeoil-certs.nix
+
+ ./networking.nix
+ ./nix.nix
+
+ ./services/acme.nix
+ ./services/auto-upgrade.nix
+ ./services/logrotate.nix
+ ./services/nginx.nix
+ ./services/openssh.nix
+ ./services/thermald.nix
+ ];
+
+ time.timeZone = "Europe/Oslo";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "no";
+ };
+
+ environment.systemPackages = with pkgs; [
+ file
+ git
+ gnupg
+ htop
+ nano
+ ripgrep
+ rsync
+ screen
+ tmux
+ vim
+ wget
+
+ kitty.terminfo
+ ];
+
+ programs.zsh.enable = true;
+
+ users.groups."drift".name = "drift";
+
+ # Trusted users on the nix builder machines
+ users.groups."nix-builder-users".name = "nix-builder-users";
+}
+
diff --git a/base/networking.nix b/base/networking.nix
new file mode 100644
index 0000000..1272b1e
--- /dev/null
+++ b/base/networking.nix
@@ -0,0 +1,16 @@
+{ lib, values, ... }:
+{
+ networking.domain = "pvv.ntnu.no";
+ networking.useDHCP = false;
+ # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+ # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
+ # networking.tempAddresses = lib.mkDefault "disabled";
+ # networking.defaultGateway = values.hosts.gateway;
+
+ systemd.network.enable = true;
+
+ services.resolved = {
+ enable = lib.mkDefault true;
+ dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
+ };
+}
\ No newline at end of file
diff --git a/base/nix.nix b/base/nix.nix
new file mode 100644
index 0000000..7f2a701
--- /dev/null
+++ b/base/nix.nix
@@ -0,0 +1,17 @@
+{ inputs, ... }:
+{
+ nix.gc.automatic = true;
+ nix.gc.options = "--delete-older-than 2d";
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ /* This makes commandline tools like
+ ** nix run nixpkgs#hello
+ ** and nix-shell -p hello
+ ** use the same channel the system
+ ** was built with
+ */
+ nix.registry = {
+ nixpkgs.flake = inputs.nixpkgs;
+ };
+ nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
+}
\ No newline at end of file
diff --git a/base/services/acme.nix b/base/services/acme.nix
new file mode 100644
index 0000000..e12a501
--- /dev/null
+++ b/base/services/acme.nix
@@ -0,0 +1,15 @@
+{ ... }:
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "drift@pvv.ntnu.no";
+ };
+
+ # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
+ virtualisation.vmVariant = {
+ security.acme.defaults.server = "https://127.0.0.1";
+ security.acme.preliminarySelfsigned = true;
+
+ users.users.root.initialPassword = "root";
+ };
+}
\ No newline at end of file
diff --git a/base/services/auto-upgrade.nix b/base/services/auto-upgrade.nix
new file mode 100644
index 0000000..eb0de6e
--- /dev/null
+++ b/base/services/auto-upgrade.nix
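Review bot: In base/networking.nix the argument pattern `{ lib, values, ... }:` binds `values`, but the only reference to it is the commented-out `# networking.defaultGateway = values.hosts.gateway;` line, so the new file carries an unused input; either drop `values` from the pattern or revive the line it was kept for. The four commented-out `networking.*` lines say nothing about whether they are pending or abandoned, and a one-line note stating which would save the next reader from guessing. The `dnssec = "false"` comment should record the decision rather than a rumour, e.g. `# DNSSEC validation off: it has repeatedly broken resolution here, and resolved's default is allow-downgrade anyway` (this also fixes the "Supposdly" typo).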
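Review bot: `users.users.root.initialPassword = "root";` inside `virtualisation.vmVariant` is a credential setting with no relation to ACME, yet the split files it under base/services/acme.nix, which is the last place someone auditing root credentials will look; move that line (and arguably the whole `vmVariant` block) to base/default.nix or a dedicated base/vm.nix, leaving only the two `security.acme` overrides in this file. The setting applies to the build-vm variant only, so it is not an exposure on real hosts as far as these lines show, but a comment next to it such as `# build-vm only: throwaway root password for local testing` would spare reviewers the double take. The `acceptTerms`/`defaults.email` part is a straight move and fine as is.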
@@ -0,0 +1,12 @@
+{ ... }:
+{
+ system.autoUpgrade = {
+ enable = true;
+ flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
+ flags = [
+ "--update-input" "nixpkgs"
+ "--update-input" "nixpkgs-unstable"
+ "--no-write-lock-file"
+ ];
+ };
+}
\ No newline at end of file
diff --git a/base/services/logrotate.nix b/base/services/logrotate.nix
new file mode 100644
index 0000000..2db259e
--- /dev/null
+++ b/base/services/logrotate.nix
@@ -0,0 +1,42 @@
+{ ... }:
+{
+ # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
+ systemd.services.logrotate = {
+ documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
+ unitConfig.RequiresMountsFor = "/var/log";
+ serviceConfig = {
+ Nice = 19;
+ IOSchedulingClass = "best-effort";
+ IOSchedulingPriority = 7;
+
+ ReadWritePaths = [ "/var/log" ];
+
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true; # disable for third party rotate scripts
+ PrivateDevices = true;
+ PrivateNetwork = true; # disable for mail delivery
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true; # disable for userdir logs
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "full";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true; # disable for creating setgid directories
+ SocketBindDeny = [ "any" ];
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ ];
+ };
+ };
+}
\ No newline at end of file
diff --git a/base/services/nginx.nix b/base/services/nginx.nix
new file mode 100644
index 0000000..6406527
--- /dev/null
+++ b/base/services/nginx.nix
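Review bot: The `flags` list in base/services/auto-upgrade.nix passes `--update-input nixpkgs` and `--update-input nixpkgs-unstable` together with `--no-write-lock-file`, so every unattended upgrade resolves those inputs afresh at run time and discards the result; the committed flake.lock is not what ends up on the hosts, and two hosts upgrading an hour apart can land on different nixpkgs revisions. If that is deliberate, the file should say so, e.g. `# Intentionally bypasses flake.lock for the nixpkgs inputs: each upgrade run follows the inputs' current HEAD`; if the lock is meant to be authoritative, drop the two `--update-input` pairs and bump the lock in the repo instead. Nothing here sets a schedule or reboot policy, so presumably the module defaults apply; a comment stating that would make the intent explicit.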
@@ -0,0 +1,44 @@
+{ config, lib, ... }:
+{
+ # nginx return 444 for all nonexistent virtualhosts
+
+ systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
+
+ environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
+ "/etc/certs/nginx" = {
+ owner = "nginx";
+ group = "nginx";
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
+
+ services.nginx = {
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+
+ appendConfig = ''
+ pcre_jit on;
+ worker_processes auto;
+ worker_rlimit_nofile 100000;
+ '';
+ eventsConfig = ''
+ worker_connections 2048;
+ use epoll;
+ multi_accept on;
+ '';
+ };
+
+ systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
+ LimitNOFILE = 65536;
+ };
+
+ services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
+ sslCertificate = "/etc/certs/nginx.crt";
+ sslCertificateKey = "/etc/certs/nginx.key";
+ addSSL = true;
+ extraConfig = "return 444;";
+ };
+}
\ No newline at end of file
diff --git a/base/services/openssh.nix b/base/services/openssh.nix
new file mode 100644
index 0000000..ec34862
--- /dev/null
+++ b/base/services/openssh.nix
@@ -0,0 +1,13 @@
+{ ... }:
+{
+ services.openssh = {
+ enable = true;
+ extraConfig = ''
+ PubkeyAcceptedAlgorithms=+ssh-rsa
+ Match Group wheel
+ PasswordAuthentication no
+ Match All
+ '';
+ settings.PermitRootLogin = "yes";
+ };
+}
\ No newline at end of file
diff --git a/base/services/thermald.nix b/base/services/thermald.nix
new file mode 100644
index 0000000..ced2dad
--- /dev/null
+++ b/base/services/thermald.nix
@@ -0,0 +1,8 @@
+{ config, lib, ... }:
+{
+ # Let's not thermal throttle
+ services.thermald.enable = lib.mkIf (lib.all (x: x) [
+ (config.nixpkgs.system == "x86_64-linux")
+ (!config.boot.isContainer or false)
+ ]) true;
+}
\ No newline at end of file
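Review bot: `systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];` in base/services/nginx.nix is the one nginx definition not wrapped in `lib.mkIf config.services.nginx.enable`, and `after=` is ordering only: nothing in this file pulls the certificate generator into the transaction, so unless ../modules/snakeoil-certs.nix wants it itself, nginx can start with `/etc/certs/nginx.crt` absent and fail on the catch-all `_` vhost. Folding both systemd settings into one gated definition with a `wants` makes the dependency explicit: `systemd.services.nginx = lib.mkIf config.services.nginx.enable { after = [ "generate-snakeoil-certs.service" ]; wants = [ "generate-snakeoil-certs.service" ]; serviceConfig.LimitNOFILE = 65536; };`. The comment `# nginx return 444 for all nonexistent virtualhosts` now sits at the top of the file, forty lines away from the `virtualHosts."_"` block it describes; move it next to that block.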
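Review bot: In base/services/openssh.nix, `settings.PermitRootLogin = "yes";` together with a `PasswordAuthentication no` that is scoped only to `Match Group wheel` leaves password logins enabled for root (and any account outside wheel) on every host that imports this base, unless a host overrides it elsewhere; this file is the right place to fix that now that it stands alone. The conventional baseline is `settings.PermitRootLogin = "prohibit-password";` and `settings.PasswordAuthentication = false;`, with a narrower `Match` block re-enabling passwords only where they are genuinely needed. `PubkeyAcceptedAlgorithms=+ssh-rsa` re-enables SHA-1 RSA signatures; if it is kept for a specific legacy client, a comment naming it (e.g. `# ssh-rsa re-enabled for <client>; remove once it is gone`) lets it be retired later instead of living on by inertia.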
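Review bot: In base/services/thermald.nix the guard `(!config.boot.isContainer or false)` is harder to read than it needs to be: `or` binds to the attribute selection, so this is `!(config.boot.isContainer or false)`, and the `or false` only matters if `boot.isContainer` could be undeclared, which it presumably never is under NixOS; `(!config.boot.isContainer)` says the same thing. A comment explaining why thermald is tied to `x86_64-linux` and skipped in containers would help, e.g. `# thermald only makes sense on bare-metal/VM x86 hosts; containers share the host's thermal management`. Whether `config.nixpkgs.system` is still the preferred way to test the platform depends on the nixpkgs revision in use, which is not visible here; worth a check.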
diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix
index ff2f1af..4f443be 100644
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -3,7 +3,7 @@
 imports = [
 ./hardware-configuration.nix
- ../../base.nix
+ ../../base
 ../../misc/metrics-exporters.nix
 ./services/gitea/default.nix
diff --git a/hosts/bicep/configuration.nix b/hosts/bicep/configuration.nix
index 2350492..21dbab6 100644
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -3,7 +3,7 @@
 imports = [
 ./hardware-configuration.nix
- ../../base.nix
+ ../../base
 ../../misc/metrics-exporters.nix
 ./services/nginx
diff --git a/hosts/bob/configuration.nix b/hosts/bob/configuration.nix
index 674dac3..2c9ff70 100644
--- a/hosts/bob/configuration.nix
+++ b/hosts/bob/configuration.nix
@@ -3,7 +3,7 @@
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
- ../../base.nix
+ ../../base
 ../../misc/metrics-exporters.nix
 ./disks.nix
diff --git a/hosts/brzeczyszczykiewicz/configuration.nix b/hosts/brzeczyszczykiewicz/configuration.nix
index 77cce17..a0658b3 100644
--- a/hosts/brzeczyszczykiewicz/configuration.nix
+++ b/hosts/brzeczyszczykiewicz/configuration.nix
@@ -3,7 +3,7 @@
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
- ../../base.nix
+ ../../base
 ../../misc/metrics-exporters.nix
 ./services/grzegorz.nix
diff --git a/hosts/buskerud/configuration.nix b/hosts/buskerud/configuration.nix
index 1b4b461..43fc2c2 100644
--- a/hosts/buskerud/configuration.nix
+++ b/hosts/buskerud/configuration.nix
@@ -2,7 +2,7 @@
 {
 imports = [
 ./hardware-configuration.nix
- ../../base.nix
+ ../../base
 ../../misc/metrics-exporters.nix
 ./services/libvirt.nix
diff --git a/hosts/georg/configuration.nix b/hosts/georg/configuration.nix
index 9b41740..d7f6d9a 100644
--- a/hosts/georg/configuration.nix
+++ b/hosts/georg/configuration.nix
@@ -3,7 +3,7 @@
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
- ../../base.nix
+ ../../base
 ../../misc/metrics-exporters.nix
 ../../modules/grzegorz.nix
diff --git a/hosts/ildkule/configuration.nix b/hosts/ildkule/configuration.nix
index 276af5a..a154ce7 100644
--- a/hosts/ildkule/configuration.nix
+++ b/hosts/ildkule/configuration.nix
@@ -3,7 +3,7 @@
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
- ../../base.nix
+ ../../base
 ../../misc/metrics-exporters.nix
 ./services/monitoring
diff --git a/hosts/shark/configuration.nix b/hosts/shark/configuration.nix
index d22263c..dda8ccb 100644
--- a/hosts/shark/configuration.nix
+++ b/hosts/shark/configuration.nix
@@ -3,7 +3,7 @@
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
- ../../base.nix
+ ../../base
 ../../misc/metrics-exporters.nix
 ];