From f300ea69b66427bd2a5a92a4c4f0db0aa99392b0 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 31 Oct 2022 15:15:00 +0100
Subject: ...
---
accounts/gkleen@eos.nix | 25 ++++++-
accounts/mherold@eos.nix | 19 ++++++
accounts/mherold@eos/default.nix | 1 -
deploy/eos.nix | 1 +
hosts/eos/default.nix | 101 +++++++++++++++++++++++++++++
hosts/eos/ruleset.nft | 101 +++++++++++++++++++++++++++++
hosts/vidhar/default.nix | 46 +++++++------
hosts/vidhar/network/dhcp/default.nix | 28 +++++++-
hosts/vidhar/samba.nix | 25 +++++--
hosts/vidhar/zfs.nix | 12 ++--
installer-profiles/nfsroot.nix | 118 ++--------------------------------
installer/default.nix | 2 +
system-profiles/nfsroot.nix | 114 ++++++++++++++++++++++++++++++++
13 files changed, 446 insertions(+), 147 deletions(-)
create mode 100644 accounts/mherold@eos.nix
delete mode 100644 accounts/mherold@eos/default.nix
create mode 100644 deploy/eos.nix
create mode 100644 hosts/eos/default.nix
create mode 100644 hosts/eos/ruleset.nft
create mode 100644 system-profiles/nfsroot.nix
diff --git a/accounts/gkleen@eos.nix b/accounts/gkleen@eos.nix
index c157af78..dbe48ead 100644
--- a/accounts/gkleen@eos.nix
+++ b/accounts/gkleen@eos.nix
@@ -1 +1,24 @@
-{ ... }: {}
+{ flake, userName, pkgs, ... }:
+{
+ imports = with flake.nixosModules.userProfiles.${userName}; [
+ zsh utils tmux
+ ];
+
+ config.home-manager.users.${userName} = {
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ home.packages = with pkgs; [
+ thunderbird libreoffice element-desktop keepassxc
+ ];
+
+ programs.firefox = {
+ enable = true;
+ profiles.default.settings = {
+ "dom.security.https_only_mode" = true;
+ "browser.cache.disk.enable" = false;
+ };
+ };
+ };
+}
diff --git a/accounts/mherold@eos.nix b/accounts/mherold@eos.nix
new file mode 100644
index 00000000..6d376835
--- /dev/null
+++ b/accounts/mherold@eos.nix
@@ -0,0 +1,19 @@
+{ userName, pkgs, ... }: {
+ config.home-manager.users.${userName} = {
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ home.packages = with pkgs; [
+ thunderbird libreoffice element-desktop keepassxc
+ ];
+
+ programs.firefox = {
+ enable = true;
+ profiles.default.settings = {
+ "dom.security.https_only_mode" = true;
+ "browser.cache.disk.enable" = false;
+ };
+ };
+ };
+}
diff --git a/accounts/mherold@eos/default.nix b/accounts/mherold@eos/default.nix
deleted file mode 100644
index c157af78..00000000
--- a/accounts/mherold@eos/default.nix
+++ /dev/null
@@ -1 +0,0 @@
-{ ... }: {}
diff --git a/deploy/eos.nix b/deploy/eos.nix
new file mode 100644
index 00000000..65a4c7ed
--- /dev/null
+++ b/deploy/eos.nix
@@ -0,0 +1 @@
+{ ... }: { enabled = false; }
diff --git a/hosts/eos/default.nix b/hosts/eos/default.nix
new file mode 100644
index 00000000..1c5347e7
--- /dev/null
+++ b/hosts/eos/default.nix
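Review bot: The `config.home-manager.users.${userName}` body in accounts/mherold@eos.nix is a verbatim copy of the one added to accounts/gkleen@eos.nix in the previous hunk (same `nixpkgs.config`, `home.packages` and `programs.firefox` settings), so the two will drift the first time one user gets a package or a Firefox setting the other does not. A shared profile under `flake.nixosModules.userProfiles` that both files import, the way gkleen@eos.nix already pulls in `zsh utils tmux`, would leave one source of truth. The Firefox settings also deserve a one-line comment on intent, e.g. `# eos boots from nfsroot with a tmpfs root: keep the Firefox disk cache off it` — that is my reading of `"browser.cache.disk.enable" = false` given the host config in this commit, so confirm it before writing it down.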
@@ -0,0 +1,101 @@
+{ flake, config, pkgs, lib, ... }:
+
+with lib;
+
+{
+ imports = with flake.nixosModules.systemProfiles; [
+ nfsroot
+ ];
+
+ config = {
+ nixpkgs = {
+ system = "x86_64-linux";
+ config = {
+ allowUnfree = true;
+ };
+ };
+
+ boot = {
+ initrd = {
+ availableKernelModules = [ "nvme" "ahci" "xhci_pci" "usbhid" "sd_mod" "sr_mod" ];
+ kernelModules = [ "igb" ];
+ };
+ kernelModules = [ "kvm-amd" ];
+ extraModulePackages = [ ];
+
+ plymouth.enable = true;
+
+ tmpOnTmpfs = true;
+ };
+
+ hardware = {
+ enableRedistributableFirmware = true;
+ cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware;
+
+ nvidia = {
+ modesetting.enable = true;
+ powerManagement.enable = true;
+ };
+
+ opengl.enable = true;
+ };
+
+ environment.etc."machine-id".text = "f457b21333f1491e916521151ff5d468";
+
+ networking = {
+ hostId = "f457b213";
+
+ domain = "asgard.yggdrasil";
+ search = [ "asgard.yggdrasil" "yggdrasil" ];
+
+ hosts = {
+ "127.0.0.1" = [ "eos.asgard.yggdrasil" "eos" ];
+ "::1" = [ "eos.asgard.yggdrasil" "eos" ];
+ };
+
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ rulesetFile = ./ruleset.nft;
+ };
+ };
+
+ services.resolved = {
+ llmnr = "false";
+ };
+
+ zramSwap.enable = true;
+
+ system.stateVersion = config.system.nixos.release; # No state
+
+
+ time.timeZone = "Europe/Berlin";
+ time.hardwareClockInLocalTime = true;
+ i18n.defaultLocale = "en_DK.UTF-8";
+
+
+ environment.systemPackages = with pkgs; [ cifs-utils ];
+
+ security.pam.mount = {
+ enable = true;
+ extraVolumes = [
+ ""
+ ""
+ ];
+ };
+
+
+ services.xserver = {
+ enable = true;
+ displayManager.sddm = {
+ enable = true;
+ settings = {
+ Users.HideUsers = "gkleen";
+ };
+ };
+ desktopManager.plasma5.enable = true;
+
+ videoDrivers = [ "nvidia" ];
+ };
+ };
+}
diff --git a/hosts/eos/ruleset.nft b/hosts/eos/ruleset.nft
new file mode 100644
index 00000000..7b38a059
--- /dev/null
+++ b/hosts/eos/ruleset.nft
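Review bot: The two entries of `security.pam.mount.extraVolumes` read as empty strings `""` in this hunk; if that is the real file content, pam_mount is enabled with nothing to mount and the block is dead config, and if they are XML `<volume …/>` elements that this rendering stripped, a comment naming what they mount (the samba hunk in this commit adds a `home-eos` share with `volume = "%u@eos"`, which looks like the counterpart) would make the cross-host dependency visible. The pinned `environment.etc."machine-id".text` and `networking.hostId` presumably exist because the `nfsroot` profile gives this host a tmpfs root, so a generated machine-id would change on every boot; a comment such as `# stateless nfsroot host: pin machine-id so journald/systemd identities survive reboots` would save the next reader the guess. `firewall.enable = false` next to `nftables.enable = true` is intentional (the NixOS firewall module and a custom ruleset conflict) and is worth one comment saying so.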
@@ -0,0 +1,101 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+ limit lim_arp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy accept
+
+ limit name lim_arp counter drop
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+ limit name lim_arp counter drop
+
+ counter
+ }
+}
+
+table inet filter {
+ limit lim_reject {
+ rate over 1000/second burst 1000 packets
+ }
+
+ limit lim_icmp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid forward: " counter drop
+
+
+ iifname lo counter accept
+
+
+ limit name lim_reject log level debug prefix "drop forward: " counter drop
+ log level debug prefix "reject forward: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid input: " counter drop
+
+
+ iifname lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter reject
+ iif != lo ip6 daddr ::1/128 counter reject
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+ tcp dport 22 counter accept
+ udp dport 60000-61000 counter accept
+
+
+ ct state {established, related} counter accept
+
+
+ limit name lim_reject log level debug prefix "drop input: " counter drop
+ log level debug prefix "reject input: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+
+ oifname lo counter accept
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+
+ counter
+ }
+}
\ No newline at end of file
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 3f5d17d5..fc77f03c 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
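Review bot: `tcp dport 22 counter accept` and `udp dport 60000-61000 counter accept` are the only inbound services the input chain admits and neither says what listens there; the UDP range looks like the conventional mosh-server range, but that is an inference the next editor has to repeat. A comment on each line, e.g. `# sshd` and `# mosh-server (assumed; confirm against the listening service)`, would settle it. Since this host imports the `nfsroot` profile, its store is an NFS mount made in stage 1, presumably before this ruleset is loaded, and the CIFS home mounts from pam_mount come later; `ct state {established, related} counter accept` is what keeps both working and deserves a comment saying so, because nothing in the file otherwise mentions them. With `networking.useDHCP = true` inherited from the profile and no explicit rule for the DHCP client, it is also worth confirming that lease renewals are matched by the conntrack rule rather than dropped by the `policy drop`.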
@@ -235,25 +235,30 @@ with lib; ]; }; }; - systemd.services.loki.preStart = let - rulesYaml = generators.toYAML {} { - groups = [ - { name = "power-failures"; - rules = [ - { record = "apcupsd_power_failures:per_day"; - expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1d])) * 86400"; - } - { record = "apcupsd_power_failures:per_week"; - expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1w])) * 604800"; - } - ]; - } - ]; - }; - in '' - ${pkgs.coreutils}/bin/install -m 0755 -o ${config.services.loki.user} -g ${config.services.loki.group} -d ${config.services.loki.configuration.ruler.storage.local.directory}/fake - ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "rules.yml" rulesYaml} ${config.services.loki.configuration.ruler.storage.local.directory}/fake/rules.yml - ''; + systemd.services.loki = { + preStart = let + rulesYaml = generators.toYAML {} { + groups = [ + { name = "power-failures"; + rules = [ + { record = "apcupsd_power_failures:per_day"; + expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1d])) * 86400"; + } + { record = "apcupsd_power_failures:per_week"; + expr = "sum by (nodename) (rate({job=\"systemd-journal\"} | json | MESSAGE = \"Power failure.\"[1w])) * 604800"; + } + ]; + } + ]; + }; + in '' + ${pkgs.coreutils}/bin/install -m 0755 -o ${config.services.loki.user} -g ${config.services.loki.group} -d ${config.services.loki.configuration.ruler.storage.local.directory}/fake + ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "rules.yml" rulesYaml} ${config.services.loki.configuration.ruler.storage.local.directory}/fake/rules.yml + ''; + serviceConfig.Environment = [ + "ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19" + ]; + }; services.promtail = { enable = true; configuration = { 
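Review bot: `ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19` in the new `serviceConfig.Environment` for loki, and again for promtail in the next hunk, disables a safety assertion without a word on which dependency needs it or when it can go; the variable's own name says what is being risked. The value is pinned to one Go release, so the next toolchain bump either silently stops matching and the unit fails at start, or keeps matching and nobody re-evaluates the assumption. A comment above each, e.g. `# silences a Go runtime assertion in a dependency (presumably go4.org/unsafe/assume-no-moving-gc); drop once loki/promtail build against a newer Go — see <upstream issue link>`, with the real reference filled in, makes the revisit findable, and defining the value once in a `let` shared by both units keeps them from diverging. The loki service definition continues outside this hunk.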
@@ -286,6 +291,9 @@ with lib; ]; }; }; + systemd.services.promtail.serviceConfig.Environment = [ + "ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19" + ]; services.apcupsd = { enable = true; diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix index dfaa4c9f..d3407f1d 100644 --- a/hosts/vidhar/network/dhcp/default.nix +++ b/hosts/vidhar/network/dhcp/default.nix @@ -23,6 +23,12 @@ with lib; }; client-classes = [ + { name = "eos-ipxe"; + test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE'"; + next-server = "10.141.0.1"; + boot-file-name = "http://nfsroot.vidhar.yggdrasil/eos/netboot.ipxe"; + only-if-required = true; + } { name = "ipxe"; test = "option[77].hex == 'iPXE'"; next-server = "10.141.0.1"; @@ -85,7 +91,7 @@ with lib; ddns-send-updates = true; ddns-qualifying-suffix = "lan.yggdrasil"; pools = [ { pool = "10.141.0.128 - 10.141.0.254"; } ]; - require-client-classes = ["ipxe" "uefi-64" "uefi-32" "legacy"]; + require-client-classes = map (cc: cc.name) config.services.kea.dhcp4.settings.client-classes; reservations = [ { hostname = "sif"; hw-address = "3c:e1:a1:52:24:35"; @@ -258,7 +264,25 @@ with lib; ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration '') ) ["x86_64-linux"] - ); + ) ++ [ + (let + eosBuild = (flake.nixosConfigurations.eos.extendModules { + modules = [ + ({ ... }: { + config.nfsroot.storeDevice = "10.141.0.1:nix-store"; + config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/eos/registration"; + }) + ]; + }).config.system.build; + in builtins.toPath (pkgs.runCommandLocal "eos" {} '' + mkdir -p $out/eos + install -m 0444 -t $out/eos \ + ${eosBuild.initialRamdisk}/initrd \ + ${eosBuild.kernel}/bzImage \ + ${eosBuild.netbootIpxeScript}/netboot.ipxe \ + ${pkgs.closureInfo { rootPaths = eosBuild.storeContents; }}/registration + '')) + ]; }; }; }; diff --git a/hosts/vidhar/samba.nix b/hosts/vidhar/samba.nix index 0ddf56a3..ffca9c6d 100644 
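Review bot: The new `eos-ipxe` class selects a whole boot chain on `hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40'` and `option[77].hex == 'iPXE'`, both values the client itself supplies, and then hands back a `boot-file-name` over plain `http://`; nothing in the hunk records that this relies on the LAN segment being trusted, which is the assumption anyone later widening this DHCP scope needs to see. A comment on the class, e.g. `# eos netboots kernel, initrd and store from vidhar over plain HTTP/NFS; the client is identified by MAC only, so this is acceptable only on the trusted lan segment`, would state it, and iPXE's https and image-verification support is the place to look if that assumption ever weakens. The enclosing `client-classes` list continues outside the hunk.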
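Review bot: `require-client-classes = map (cc: cc.name) config.services.kea.dhcp4.settings.client-classes;` makes the subnet require every class in definition order, so whether `eos-ipxe` or the generic `ipxe` class supplies `next-server`/`boot-file-name` for that MAC now depends on their position in `client-classes` rather than on anything stated here, and any class added later for an unrelated subnet is silently required too. Which class wins is a property of Kea's evaluation order that I cannot confirm from the hunk; a comment such as `# order matters: classes are required in definition order, keep the MAC-specific eos-ipxe ahead of ipxe` (after checking the Kea documentation) would pin the intent. The surrounding subnet definition continues outside the hunk.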
--- a/hosts/vidhar/samba.nix +++ b/hosts/vidhar/samba.nix @@ -14,28 +14,45 @@ guest account = nobody bind interfaces only = yes interfaces = lo lan + server signing = mandatory + server min protocol = SMB3 + server smb encrypt = required ''; shares = { homes = { - comment = "Home Directories"; + comment = "Home directory for %S"; path = "/home/%S"; - browseable = "no"; + browseable = false; "valid users" = "%S"; - "read only" = "no"; + "read only" = false; "create mask" = "0700"; "directory mask" = "0700"; "vfs objects" = "shadow_copy2"; "shadow:snapdir" = ".zfs/snapshot"; + "shadow:snapdirseverywhere" = true; "shadow:sort" = "desc"; "shadow:format" = "%Y-%m-%dT%H:%M:%SZ"; }; eos = { - comment = "Disk image of eos"; + comment = "Disk image of legacy eos"; browseable = true; "valid users" = "mherold"; writeable = "true"; path = "/srv/eos"; }; + home-eos = { + comment = "Home directoriy for %u on PXE booted EOS"; + path = "/srv/cifs/home-eos/%u"; + volume = "%u@eos"; + browseable = true; + "read only" = false; + "create mask" = "0700"; + "directory mask" = "0700"; + "vfs objects" = "shadow_copy2"; + "shadow:snapdir" = ".zfs/snapshot"; + "shadow:sort" = "desc"; + "shadow:format" = "%Y-%m-%dT%H:%M:%SZ"; + }; }; }; services.samba-wsdd = { diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix index 52b48aca..1de4b9b7 100644 --- a/hosts/vidhar/zfs.nix +++ b/hosts/vidhar/zfs.nix @@ -23,7 +23,7 @@ fsType = "zfs"; neededForBoot = true; }; - + "/var/lib/nixos" = { device = "ssd-raid1/local/var-lib-nixos"; fsType = "zfs"; @@ -34,22 +34,22 @@ { device = "ssd-raid1/local/var-lib-unbound"; fsType = "zfs"; }; - + # "/var/lib/dhcp" = # { device = "ssd-raid1/local/var-lib-dhcp"; # fsType = "zfs"; # }; - + "/var/lib/chrony" = { device = "ssd-raid1/local/var-lib-chrony"; fsType = "zfs"; }; - + "/var/lib/samba" = { device = "ssd-raid1/local/var-lib-samba"; fsType = "zfs"; }; - + # "/var/lib/prometheus2" = # { device = "ssd-raid1/local/var-lib-prometheus2"; # fsType = "zfs"; 
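Review bot: The new `home-eos` share has no `"valid users"` entry, unlike `homes` directly above it (`"valid users" = "%S"`) and the `eos` share (`"valid users" = "mherold"`), so every account that can authenticate to this server can open it and isolation rests solely on `%u` in `path = "/srv/cifs/home-eos/%u"` plus the permissions of those directories. Restricting it with `"valid users"` to the accounts that actually log in on eos, as the `eos` share already does, would match what the `comment` describes. The comment also has a typo: `Home directoriy for %u` → `Home directory for %u`. The `shares` attribute set continues outside the hunk.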
@@ -67,7 +67,7 @@ # fsType = "zfs"; # options = [ "zfsutil" ]; # }; - + # "/srv/tftp" = # { device = "ssd-raid1/local/srv-tftp"; # fsType = "zfs"; diff --git a/installer-profiles/nfsroot.nix b/installer-profiles/nfsroot.nix index 2688a8d0..6bd875b4 100644 --- a/installer-profiles/nfsroot.nix +++ b/installer-profiles/nfsroot.nix 
@@ -1,121 +1,11 @@ -{ config, pkgs, lib, flakeInputs, ... }: +{ flakeInputs, flake, ... }: -with lib; - -let - cfg = config.nfsroot; -in { - imports = [ +{ + imports = with flake.nixosModules.systemProfiles; [ + nfsroot "${flakeInputs.nixpkgs.outPath}/nixos/modules/profiles/minimal.nix" "${flakeInputs.nixpkgs.outPath}/nixos/modules/profiles/all-hardware.nix" "${flakeInputs.nixpkgs.outPath}/nixos/modules/profiles/base.nix" "${flakeInputs.nixpkgs.outPath}/nixos/modules/profiles/installation-device.nix" ]; - - options = { - nfsroot = { - storeDevice = mkOption { - type = types.str; - default = "nfsroot:nix-store"; - }; - - registrationUrl = mkOption { - type = types.str; - default = "http://nfsroot/nix-registration"; - }; - }; - - system.build = { - storeContents = mkOption {}; - }; - }; - - config = { - # Don't build the GRUB menu builder script, since we don't need it - # here and it causes a cyclic dependency. - boot.loader.grub.enable = false; - - # !!! Hack - attributes expected by other modules. - environment.systemPackages = [ pkgs.grub2_efi ] - ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux" - then [] - else [ pkgs.grub2 pkgs.syslinux ]); - - fileSystems."/" = mkImageMediaOverride - { fsType = "tmpfs"; - options = [ "mode=0755" ]; - }; - - # In stage 1, mount a tmpfs on top of /nix/store (the squashfs - # image) to make this a live CD. 
- fileSystems."/nix/.ro-store" = mkImageMediaOverride - { fsType = "nfs4"; - device = cfg.storeDevice; - options = [ "ro" ]; - neededForBoot = true; - }; - - fileSystems."/nix/.rw-store" = mkImageMediaOverride - { fsType = "tmpfs"; - options = [ "mode=0755" ]; - neededForBoot = true; - }; - - fileSystems."/nix/store" = mkImageMediaOverride - { fsType = "overlay"; - device = "overlay"; - options = [ - "lowerdir=/nix/.ro-store" - "upperdir=/nix/.rw-store/store" - "workdir=/nix/.rw-store/work" - ]; - - depends = [ - "/nix/.ro-store" - "/nix/.rw-store/store" - "/nix/.rw-store/work" - ]; - }; - - nix.extraOptions = '' - use-sqlite-wal = false - ''; - - boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ]; - boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ]; - services.rpcbind.enable = mkImageMediaOverride false; - - boot.initrd.network.enable = true; - boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work - boot.initrd.postMountCommands = '' - mkdir -p /mnt-root/etc/ - cp /etc/resolv.conf /mnt-root/etc/resolv.conf - ''; - networking.useDHCP = true; - networking.resolvconf.enable = false; - - - system.build.storeContents = [config.system.build.toplevel]; - - system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" '' - #!ipxe - # Use the cmdline variable to allow the user to specify custom kernel params - # when chainloading this script from other iPXE scripts like netboot.xyz - kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline} - initrd initrd - boot - ''; - - boot.postBootCommands = - '' - # After booting, register the contents of the Nix store on NFS - # in the Nix database in the tmpfs. - ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db - - # nixos-rebuild also requires a "system" profile and an - # /etc/NIXOS tag. 
- touch /etc/NIXOS - ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system - ''; - }; } diff --git a/installer/default.nix b/installer/default.nix index f882b22d..a0c84182 100644 --- a/installer/default.nix +++ b/installer/default.nix @@ -4,6 +4,8 @@ ]; config = { + hardware.cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware; + networking = { firewall.enable = false; nftables = { diff --git a/system-profiles/nfsroot.nix b/system-profiles/nfsroot.nix new file mode 100644 index 00000000..92cf98de --- /dev/null +++ b/system-profiles/nfsroot.nix 
@@ -0,0 +1,114 @@
+{ config, pkgs, lib, flakeInputs, ... }:
+
+with lib;
+
+let
+ cfg = config.nfsroot;
+in {
+ options = {
+ nfsroot = {
+ storeDevice = mkOption {
+ type = types.str;
+ default = "nfsroot:nix-store";
+ };
+
+ registrationUrl = mkOption {
+ type = types.str;
+ default = "http://nfsroot/nix-registration";
+ };
+ };
+
+ system.build = {
+ storeContents = mkOption {};
+ };
+ };
+
+ config = {
+ # Don't build the GRUB menu builder script, since we don't need it
+ # here and it causes a cyclic dependency.
+ boot.loader.grub.enable = false;
+
+ # !!! Hack - attributes expected by other modules.
+ environment.systemPackages = [ pkgs.grub2_efi ]
+ ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux"
+ then []
+ else [ pkgs.grub2 pkgs.syslinux ]);
+
+ fileSystems."/" = mkImageMediaOverride
+ { fsType = "tmpfs";
+ options = [ "mode=0755" ];
+ };
+
+ # In stage 1, mount a tmpfs on top of /nix/store (the squashfs
+ # image) to make this a live CD.
+ fileSystems."/nix/.ro-store" = mkImageMediaOverride
+ { fsType = "nfs4";
+ device = cfg.storeDevice;
+ options = [ "ro" ];
+ neededForBoot = true;
+ };
+
+ fileSystems."/nix/.rw-store" = mkImageMediaOverride
+ { fsType = "tmpfs";
+ options = [ "mode=0755" ];
+ neededForBoot = true;
+ };
+
+ fileSystems."/nix/store" = mkImageMediaOverride
+ { fsType = "overlay";
+ device = "overlay";
+ options = [
+ "lowerdir=/nix/.ro-store"
+ "upperdir=/nix/.rw-store/store"
+ "workdir=/nix/.rw-store/work"
+ ];
+
+ depends = [
+ "/nix/.ro-store"
+ "/nix/.rw-store/store"
+ "/nix/.rw-store/work"
+ ];
+ };
+
+ nix.extraOptions = ''
+ use-sqlite-wal = false
+ '';
+
+ boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ];
+ boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ];
+ services.rpcbind.enable = mkImageMediaOverride false;
+
+ boot.initrd.network.enable = true;
+ boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work
+ boot.initrd.postMountCommands = ''
+ mkdir -p /mnt-root/etc/
+ cp /etc/resolv.conf /mnt-root/etc/resolv.conf
+ '';
+ networking.useDHCP = true;
+ networking.resolvconf.enable = false;
+
+
+ system.build.storeContents = [config.system.build.toplevel];
+
+ system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" ''
+ #!ipxe
+ # Use the cmdline variable to allow the user to specify custom kernel params
+ # when chainloading this script from other iPXE scripts like netboot.xyz
+ kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline}
+ initrd initrd
+ boot
+ '';
+
+ boot.postBootCommands =
+ ''
+ # After booting, register the contents of the Nix store on NFS
+ # in the Nix database in the tmpfs.
+ ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db
+
+ # nixos-rebuild also requires a "system" profile and an
+ # /etc/NIXOS tag.
+ touch /etc/NIXOS
+ ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+ '';
+ };
+}
-- 
cgit v1.2.3
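Review bot: `${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db` in `boot.postBootCommands` runs curl without `--fail`, so an HTTP error body or a truncated download is piped into `nix-store --load-db` as if it were the registration and the pipeline's status is whatever `nix-store` returns; `curl --fail --silent --show-error` would at least make a bad fetch visible at boot. The registration is also fetched over the plain-HTTP default `http://nfsroot/nix-registration` and loaded into the Nix database with no integrity check, which is fine on a trusted segment but should be stated on the option itself, e.g. `description = "URL of the store registration loaded at boot; fetched unauthenticated, so the network path must be trusted.";` on `registrationUrl`, with a matching `description` on `storeDevice`, both of which currently have none. The code is moved from installer-profiles/nfsroot.nix rather than new, but this is the first time it is a reusable system profile that other hosts (eos in this commit) import, so the assumptions need to travel with it.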