From 7ba862f21dbcd23a567565aa703609838909888d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Fri, 8 Mar 2024 20:10:50 +0100
Subject: [PATCH] Add template host
---
 flake.nix | 9 ++++
 hosts/ns3/configuration.nix | 24 +++++----
 hosts/template/configuration.nix | 53 +++++++++++++++++++
 hosts/template/default.nix | 7 +++
 hosts/template/hardware-configuration.nix | 32 +++++++++++
 hosts/template/scripts.nix | 32 +++++++++++
 services/ns/master-authorative.nix | 8 +--
 ...jus-net.conf => zones-test-2rjus-net.conf} | 0
 system/default.nix | 2 +-
 system/root-user.nix | 2 +-
 system/sops.nix | 2 +-
 system/sshd.nix | 10 ++--
 12 files changed, 161 insertions(+), 20 deletions(-)
 create mode 100644 hosts/template/configuration.nix
 create mode 100644 hosts/template/default.nix
 create mode 100644 hosts/template/hardware-configuration.nix
 create mode 100644 hosts/template/scripts.nix
 rename services/ns/{test-2rjus-net.conf => zones-test-2rjus-net.conf} (100%)
diff --git a/flake.nix b/flake.nix
index 8fa62d8..60f6351 100644
--- a/flake.nix
+++ b/flake.nix
@@ -28,6 +28,15 @@
 sops-nix.nixosModules.sops
 ];
 };
+ template1 = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = { inherit inputs self sops-nix; };
+ modules = [
+ ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+ ./hosts/template
+ sops-nix.nixosModules.sops
+ ];
+ };
 };
 };
 }
diff --git a/hosts/ns3/configuration.nix b/hosts/ns3/configuration.nix
index 13df38b..75341e8 100644
--- a/hosts/ns3/configuration.nix
+++ b/hosts/ns3/configuration.nix 
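Review bot: The new `template1` entry appears to repeat the `nixosSystem` call of the entry closed just above it line for line, including an inline overlay module whose `config, pkgs` arguments are unused; a helper such as `mkHost = path: nixpkgs.lib.nixosSystem { inherit system; specialArgs = { inherit inputs self sops-nix; }; modules = [ ({ ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) path sops-nix.nixosModules.sops ]; };` would let this read `template1 = mkHost ./hosts/template;`. The hostname set in hosts/template/configuration.nix is `nixos-template`, which does not match the attribute name `template1` that `nixos-rebuild --flake` keys on, so aligning the two would avoid confusion. The enclosing attribute set starts before this hunk.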
@@ -3,19 +3,27 @@
 {
 imports =
 [
- ./hardware-configuration.nix
+ ../template/hardware-configuration.nix
- ../system
- ../services/ns/master-authorative.nix
+ ../../system
+ ../../services/ns/master-authorative.nix
 ];
 nixpkgs.config.allowUnfree = true;
 # Use the systemd-boot EFI boot loader.
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/sda";
- networking.hostName = "ns3.home.2rjus.net"; # Define your hostname.
+ networking.hostname = "ns3";
+ networking.domain = "home.2rjus.net";
 networking.useNetworkd = true;
+ networking.useDHCP = false;
+ services.resolved.enable = true;
+ networking.nameservers = [
+ "10.69.13.5"
+ "10.69.13.6"
+ ];
+ systemd.network.enable = true;
 systemd.network.networks."ens18" = {
 matchConfig.Name = "ens18";
@@ -36,10 +44,6 @@
 git
 ];
- # Enable the OpenSSH daemon.
- services.openssh.enable = true;
- services.openssh.settings.PermitRootLogin = "yes";
-
 # Open ports in the firewall.
 # networking.firewall.allowedTCPPorts = [ ... ];
 # networking.firewall.allowedUDPPorts = [ ... ];
diff --git a/hosts/template/configuration.nix b/hosts/template/configuration.nix
new file mode 100644
index 0000000..2a03ae3
--- /dev/null
+++ b/hosts/template/configuration.nix 
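Review bot: `networking.hostname = "ns3";` uses a lowercase option name that NixOS does not declare; the removed line and hosts/template/configuration.nix both use `networking.hostName`, so evaluating the ns3 configuration should fail on this line until it reads `networking.hostName = "ns3";`. Switching the import to `../template/hardware-configuration.nix` also ties ns3 to the root and swap `/dev/disk/by-uuid/...` entries of the template image (see the hosts/template/hardware-configuration.nix hunk), which is only correct if ns3 is a clone of that exact image; otherwise it should keep its own generated file. The nameserver, resolved and useDHCP lines are now duplicated verbatim between ns3 and the template and could live in the shared ../../system module instead. The enclosing attribute set continues past the hunk.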
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+
+ ../../system
+ ];
+
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/sda";
+ networking.hostName = "nixos-template";
+ networking.domain = "home.2rjus.net";
+ networking.useNetworkd = true;
+ networking.useDHCP = false;
+ services.resolved.enable = true;
+ networking.nameservers = [
+ "10.69.13.5"
+ "10.69.13.6"
+ ];
+
+ systemd.network.enable = true;
+ systemd.network.networks."ens18" = {
+ matchConfig.Name = "ens18";
+ address = [
+ "10.69.8.250/24"
+ ];
+ routes = [
+ { routeConfig.Gateway = "10.69.8.1"; }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ time.timeZone = "Europe/Oslo";
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ environment.systemPackages = with pkgs; [
+ age
+ vim
+ wget
+ git
+ ];
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ networking.firewall.enable = false;
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
+
diff --git a/hosts/template/default.nix b/hosts/template/default.nix
new file mode 100644
index 0000000..81db6c0
--- /dev/null
+++ b/hosts/template/default.nix
@@ -0,0 +1,7 @@
+{ ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ./configuration.nix
+ ./scripts.nix
+ ];
+}
diff --git a/hosts/template/hardware-configuration.nix b/hosts/template/hardware-configuration.nix
new file mode 100644
index 0000000..555f0b4
--- /dev/null
+++ b/hosts/template/hardware-configuration.nix 
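Review bot: `networking.firewall.enable = false;` near the end of the file switches the firewall off on the template and therefore on every host cloned from it, while the commented lines directly above show the intended pattern of opening individual ports. The OpenSSH module pulled in through ../../system opens its own port by default (`services.openssh.openFirewall`), so the line can simply be dropped (the option defaults to true) and further service ports listed in `networking.firewall.allowedTCPPorts`. The fixed `"10.69.8.250/24"` address and the `nixos-template` hostname are likewise inherited by clones unless overridden, which deserves a comment on the `systemd.network.networks."ens18"` block stating that each clone must replace them.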
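Review bot: `./hardware-configuration.nix` is imported here and again by `./configuration.nix` in the same directory; the module system deduplicates imports by path, so this is harmless, but one of the two should go to keep the import graph readable — dropping it here leaves `imports = [ ./configuration.nix ./scripts.nix ];`.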
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ {
+ device = "/dev/disk/by-uuid/68e895de-b547-4ba2-bfc6-57ec5eeea19f";
+ fsType = "xfs";
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/bfbe964e-89d8-48f0-b4e2-9723ee1081ac"; }];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
+
diff --git a/hosts/template/scripts.nix b/hosts/template/scripts.nix
new file mode 100644
index 0000000..f174a5c
--- /dev/null
+++ b/hosts/template/scripts.nix 
@@ -0,0 +1,32 @@
+{ pkgs, ... }:
+let
+ prepare-host-script = pkgs.writeShellScriptBin "prepare-host.sh"
+ ''
+ echo "Removing machine-id"
+ rm -f /etc/machine-id || true
+
+ echo "Removing SSH host keys"
+ rm -f /etc/ssh/ssh_host_* || true
+
+ echo "Removing temporary files"
+ rm -rf /tmp/* || true
+
+ echo "Removing logs"
+ rm -rf /var/log/* || true
+
+ echo "Removing cache"
+ rm -rf /var/cache/* || true
+
+ echo "Generate age key"
+ rm -rf /var/lib/sops-nix || true
+ mkdir -p /var/lib/sops-nix
+ ${pkgs.age}/bin/age-keygen -o /var/lib/sops-nix/key.txt
+
+ echo "Runing garbage collector"
+ ${pkgs.nix}/bin/nix-collect-garbage -d
+ '';
+in
+{
+ environment.systemPackages = [ prepare-host-script ];
+ users.motd = "Prepare host by running 'systemctl start prepare-host'.";
+}
diff --git a/services/ns/master-authorative.nix b/services/ns/master-authorative.nix
index 9f7e862..64ff986 100644
--- a/services/ns/master-authorative.nix
+++ b/services/ns/master-authorative.nix
@@ -3,9 +3,11 @@
 enable = true;
 port = 8053;
- "test.2rjus.net." = {
- provideXFR = [ "10.69.0.0/16 NOKEY" ];
+ zones = {
+ "test.2rjus.net." = {
+ provideXFR = [ "10.69.0.0/16 NOKEY" ];
+ data = builtins.readFile ./zones-test-2rjus-net.conf;
+ };
 };
- data = builtins.readFile ./zones-test-2rjus-net.conf;
 };
 }
diff --git a/services/ns/test-2rjus-net.conf b/services/ns/zones-test-2rjus-net.conf
similarity index 100%
rename from services/ns/test-2rjus-net.conf
rename to services/ns/zones-test-2rjus-net.conf
diff --git a/system/default.nix b/system/default.nix
index 74827e0..06aee46 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -1,5 +1,5 @@
 { ... }: {
- import = [
+ imports = [
 ./sops.nix
 ./root-user.nix
 ./sshd.nix
diff --git a/system/root-user.nix b/system/root-user.nix
index eba1925..2fda84d 100644
--- a/system/root-user.nix
+++ b/system/root-user.nix 
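Review bot: The motd on the last line tells the operator to run `systemctl start prepare-host`, but the hunk only installs `prepare-host.sh` into environment.systemPackages and nothing in this patch declares a `systemd.services.prepare-host` unit, so the instruction cannot be followed as written; either add the unit or change the message to `users.motd = "Prepare host by running 'prepare-host.sh'.";`. The script also wipes `/var/lib/sops-nix` and generates a fresh age key, yet system/sops.nix sets `age.generateKey = true`, so the explicit age-keygen call looks redundant, and either way the new public key must be registered as a recipient before secrets.yaml can be decrypted on the cloned host — worth a comment above the `echo "Generate age key"` line. Minor: "Runing" in the last echo.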
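Review bot: `provideXFR = [ "10.69.0.0/16 NOKEY" ];`, now carried over inside the new `zones` attribute, still allows unauthenticated zone transfers from every address in the /16; if the data is not meant to be readable by any host on that network, replace `NOKEY` with a TSIG key name declared under `services.nsd.keys`, or narrow the prefix to the secondary's address. The enclosing `services.nsd` block starts before this hunk.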
@@ -6,7 +6,7 @@
 users.users.root = {
 shell = pkgs.zsh;
 hashedPasswordFile = config.sops.secrets.root_password_hash.path;
- opennsh.authorizedKeys.keys = [
+ openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwfb2jpKrBnCw28aevnH8HbE5YbcMXpdaVv2KmueDu6 torjus@gunter"
 ];
 };
diff --git a/system/sops.nix b/system/sops.nix
index 9ee9e2a..0918117 100644
--- a/system/sops.nix
+++ b/system/sops.nix
@@ -1,6 +1,6 @@
 { ... }: {
 sops = {
- defaultSopsFile = ./secrets/secrets.yaml;
+ defaultSopsFile = ../secrets/secrets.yaml;
 age.keyFile = "/var/lib/sops-nix/key.txt";
 age.generateKey = true;
 };
diff --git a/system/sshd.nix b/system/sshd.nix
index 1754436..85f8033 100644
--- a/system/sshd.nix
+++ b/system/sshd.nix
@@ -1,9 +1,11 @@
 { ... }: {
 services.openssh = {
 enable = true;
- permitRootLogin = "no";
- # TODO: Allow root login from certain hosts.
- # Then dissallow rest.
- passwordAuthentication = true;
+ settings = {
+ PermitRootLogin = "yes";
+ # TODO: Allow root login from certain hosts.
+ # Then dissallow rest.
+ PasswordAuthentication = true;
+ };
 };
 }
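Review bot: `PermitRootLogin = "yes";` together with `PasswordAuthentication = true;` in the shared system/sshd.nix now permits password logins as root on every host that imports ../../system (ns3 and the template), where the removed line said "no" and the per-host override deleted from hosts/ns3/configuration.nix suggests root access was meant to be the exception; the carried-over TODO says the same. Since system/root-user.nix now applies an authorized key to root, `PermitRootLogin = "prohibit-password";` keeps key-based root login working while `PasswordAuthentication = false;` closes the password path. If password login must remain for bootstrapping, scope it to the intended source addresses with a `Match Address` block in `services.openssh.extraConfig` rather than the global setting.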