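# applicable to all service VMs running on a hypervisor (currently Proxmox/QEMU assumed)
#
# Exposes the option set x-banananetwork.vmCommon and, when enabled, merges two
# attribute sets: one holding the scheduling of upgrade/gc/optimise jobs, one
# holding everything else (boot, networking, nix, security, ssh, users).
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.x-banananetwork.vmCommon;
in
{
  options = {
    x-banananetwork.vmCommon = {
      enable = lib.mkEnableOption ''
        settings for all my VMs
      '';
      userName = lib.mkOption {
        description = ''
          username of administrative user.
        '';
        type = lib.types.str;
        example = "username";
      };
      hashedPassword = lib.mkOption {
        description = ''
          hash of password of administrative user.
          This can e.g. be generated using mkpasswd.
        '';
        type = with lib.types; nullOr str;
        # NOTE(review): users.mutableUsers is false below, so a null value
        # leaves the account without any password; interactive sudo (which
        # prompts by default) is then unusable and access is SSH-key only.
        # Confirm that is the intended state for hosts that keep the default.
        default = null;
      };
    };
  };
  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      {
        # timing-related options
        # - ordered by chronological order
        system.autoUpgrade = {
          rebootWindow.lower = "01:00";
          dates = "01:00";
          randomizedDelaySec = "45min";
          rebootWindow.upper = "04:00";
        };
        nix.gc = {
          # could take longer
          dates = "04:15";
          randomizedDelaySec = "30min";
        };
        nix.optimise = {
          # should not take long because of auto-optimise-store
          dates = lib.singleton "05:30";
        };
      }
      {
        # all other options
        boot = {
          loader = {
            efi.canTouchEfiVariables = true;
            grub.enable = false;
            systemd-boot = {
              enable = true;
              configurationLimit = 16;
              # The boot-time editor lets anyone at the console change the
              # kernel command line and thereby bypass login. It is kept on
              # for recovery purposes; this is only acceptable while access to
              # the VM console/KVM on the hypervisor is locked down.
              # mkDefault so individual hosts can turn it off without mkForce.
              editor = lib.mkDefault true;
            };
          };
        };
        networking = {
          firewall = {
            allowPing = lib.mkDefault true;
            logRefusedConnections = lib.mkDefault false;
            # TODO
          };
          useDHCP = lib.mkDefault true;
          useNetworkd = lib.mkDefault false;
          usePredictableInterfaceNames = lib.mkDefault true;
        };
        nix = {
          gc = {
            automatic = true;
            options = "--delete-older-than 30d";
          };
          optimise = {
            automatic = true;
          };
          settings = {
            max-free = lib.mkDefault (3 * 1024 * 1024 * 1024);
            min-free = lib.mkDefault (512 * 1024 * 1024);
          };
        };
        security = {
          apparmor.enable = true;
          lockKernelModules = true; # after boot loading not required on VMs
          sudo = {
            enable = true;
            execWheelOnly = lib.mkDefault true;
            extraConfig = ''
              Defaults lecture = never
            '';
          };
        };
        services = {
          openssh = {
            enable = true;
            authorizedKeysInHomedir = false;
            authorizedKeysOnly = true;
            openFirewall = true;
            settings = {
              # Keys are deployed through x-banananetwork.sshPublicKeys below;
              # hashedPassword is assumed to exist for console/sudo use only,
              # so password-based SSH logins are switched off. mkDefault lets a
              # host re-enable them deliberately if it really needs to.
              PasswordAuthentication = lib.mkDefault false;
              KbdInteractiveAuthentication = lib.mkDefault false;
            };
          };
        };
        system.autoUpgrade = {
          enable = true;
          allowReboot = true;
          fixedRandomDelay = true;
          flags = [
            "--no-allow-dirty"
            "--no-use-registries"
            "--no-update-lock-file"
          ];
          flake = lib.mkDefault "git+https://git.bananet.work/banananetwork/server#${config.networking.fqdnOrHostName}"; # ===SYNC:general/meta/repo/url===
          operation = "boot"; # change only on reboots
        };
        users = {
          mutableUsers = false;
          users.${cfg.userName} = {
            description = cfg.userName;
            extraGroups = [
              (lib.mkIf config.networking.networkmanager.enable "networkmanager")
              "wheel"
            ];
            inherit (cfg) hashedPassword;
            isNormalUser = true;
            openssh.authorizedKeys.keys = config.x-banananetwork.sshPublicKeys;
          };
          # root accepts the same keys as the administrative user. With the
          # NixOS default PermitRootLogin ("prohibit-password") this is key-only,
          # but it still doubles the number of accounts those keys unlock;
          # consider dropping it once the wheel user proves sufficient.
          users.root.openssh.authorizedKeys.keys = config.x-banananetwork.sshPublicKeys;
        };
        x-banananetwork = {
          allCommon.enable = true;
          debugMinimal.enable = true;
          # TODO think about
          #privacy.enable = true;
        };
        # TODO wishlist items (in prio order):
        # - ntfy.sh as mailer
        #   own script
        #   or e.g. https://stetsed.xyz/posts/email-notifications-with-ntfy-and-mailrise/
        #   & connect to: journalwatch, smartd
        # - add support for automatic boot assessment (will be added to 24.11)
        # - programs.atop.enable = true
        # - think about zramSwap
        # - NixOS test: ssh-audit
        # - networking.useNetworkd
        # - networking.tcpcrypt
        # environment.loginShellInit = "${lib.getExe resize}"; (see https://github.com/nix-community/srvos/blob/main/nixos/common/serial.nix)
      }
    ]
  );
}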