WIP: next step on image build

2024-11-11 23:02:38 +01:00 · 2024-11-11 23:02:38 +01:00 · cca2a0ed75
commit cca2a0ed75
parent da5bdb3d47
38 changed files with 1095 additions and 3272 deletions
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@ -0,0 +1,82 @@
+{ config, lib, pkgs, modulesPath, ... }: {
+
+  # Start out with a minimal system
+  imports = [
+    (modulesPath + "/profiles/image-based-appliance.nix")
+    (modulesPath + "/profiles/perlless.nix")
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  # system.forbiddenDependenciesRegexes = lib.mkForce [ ];
+
+  nixpkgs.flake.setNixPath = false;
+  nixpkgs.flake.setFlakeRegistry = false;
+
+  networking.hostName = "patos";
+
+  boot.kernelModules = [
+    "zram"
+    "usb_storage"
+    "uas"
+    "sd_mod"
+    "r8169"
+    "ehci-hcd"
+    "ehci-pci"
+    "xhci-hcd"
+    "xhci-pci"
+    "xhci-pci-renesas"
+    "nvme"
+    "virtio_net"
+  ];
+
+  system.etc.overlay.mutable = lib.mkDefault false;
+  users.mutableUsers = lib.mkDefault false;
+
+  users.allowNoPasswordLogin = true;
+
+  programs.nano.enable = false;
+
+  boot.tmp.useTmpfs = true;
+
+  # Replace sudo with doas
+  security.sudo.enable = lib.mkDefault false;
+  security.doas.enable = lib.mkDefault true;
+
+  environment.systemPackages = with pkgs; [
+    (lib.mkIf config.security.doas.enable doas-sudo-shim)
+    iotop
+  ];
+
+  services.openssh.settings.PasswordAuthentication = lib.mkDefault false;
+
+  systemd.watchdog = lib.mkDefault {
+    runtimeTime = "10s";
+    rebootTime = "30s";
+  };
+
+  zramSwap.enable = true;
+
+  i18n.supportedLocales = [
+    "en_US.UTF-8/UTF-8"
+  ];
+
+  boot.consoleLogLevel = lib.mkDefault 1;
+
+  systemd.services."getty@tty1".enable = lib.mkDefault false;
+  systemd.services."autovt@".enable = lib.mkDefault false;
+
+  systemd.enableEmergencyMode = false;
+
+  boot.kernelParams = [ "panic=1" "boot.panic_on_fail" "nomodeset" ];
+
+  programs.vim.enable = true;
+  programs.vim.defaultEditor = lib.mkDefault true;
+
+  services.journald.storage = "volatile";
+
+  console.enable = false;
+
+  networking.useNetworkd = true;
+  systemd.network.wait-online.enable = lib.mkDefault false;
+
+}
--- a/modules/profiles/network.nix
+++ b/modules/profiles/network.nix
@ -0,0 +1,52 @@
+{ lib, ... }: {
+
+  # Use TCP BBR
+  boot.kernel.sysctl = {
+    "net.core.default_qdisc" = "fq";
+    "net.ipv4.tcp_congestion_control" = "bbr";
+  };
+
+  # Use nftables
+  networking.nftables.enable = lib.mkDefault true;
+
+  # Use systemd-networkd
+  networking.useNetworkd = true;
+  systemd.network.wait-online.enable = true;
+
+  # Explicitly load networking modules
+  boot.kernelModules = [
+    "ip_tables"
+    "x_tables"
+    "nf_tables"
+    "nft_ct"
+    "nft_log"
+    "nf_log_syslog"
+    "nft_fib"
+    "nft_fib_inet"
+    "nft_compat"
+    "nft_nat"
+    "nft_chain_nat"
+    "nft_masq"
+    "nfnetlink"
+    "xt_conntrack"
+    "nf_conntrack"
+    "nf_log_syslog"
+    "nf_nat"
+    "af_packet"
+    "bridge"
+    "veth"
+    "tcp_bbr"
+    "sch_fq_codel"
+    "ipt_rpfilter"
+    "ip6t_rpfilter"
+    "sch_fq"
+    "tun"
+    "tap"
+    "xt_MASQUERADE"
+    "xt_mark"
+    "xt_comment"
+    "xt_multiport"
+    "xt_addrtype"
+  ];
+
+}
--- a/modules/profiles/server.nix
+++ b/modules/profiles/server.nix
@ -0,0 +1,56 @@
+{ config, lib, pkgs, modulesPath, ... }: {
+
+  imports = [
+    (modulesPath + "/profiles/minimal.nix")
+    ./network.nix
+  ];
+
+  boot.kernel.minimalModules = true;
+
+  # system.etc.overlay.mutable = true;
+  # users.mutableUsers = true;
+
+  users.users."admin" = {
+    isNormalUser = true;
+    linger = true;
+    extraGroups = [ "wheel" ];
+  };
+
+  # perlless activation doesn't seem to support subuid / subgid yet
+  environment.etc."subuid" = {
+    text = ''
+      admin:100000:65536
+    '';
+    mode = "0644";
+  };
+
+  environment.etc."subgid" = {
+    text = ''
+      admin:100000:65536
+    '';
+    mode = "0644";
+  };
+
+  security.doas.wheelNeedsPassword = false;
+
+  services.openssh.enable = true;
+  system.image.sshKeys.enable = true;
+  system.image.sshKeys.keys = [
+    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIHMAEZx02kbHrEygyPQYStiXlrIe6EIqBCv7anIkL0pAAAABHNzaDo= dln1"
+    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJNOBFoU7Cdsgi4KpYRcv7EhR/8kD4DYjEZnwk6urRx7AAAABHNzaDo= dln2"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDx+7ZEJi7lUCAtoHRRIduJzH3hrpx4YS1f0ZxrJ+uW dln3"
+  ];
+
+  virtualisation.podman.enable = true;
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_unprivileged_port_start" = 0;
+  };
+
+  networking.firewall.enable = false;
+
+  services.resolved.extraConfig = ''
+    DNSStubListener=no
+  '';
+
+}