Added oddjob VM

Reviewed-on: Jan/dotfiles#2

README.md

@@ -4,8 +4,39 @@ My NixOS configuration.
 
 ## Installation
 
-For disk configuration we use disko, this means that installing the system from the configuration is just a single command:
+For disk configuration we use disko, but for secrets management we use sops-nix and the particular setup makes the installation process a bit more involved. It is required that the computer from which the installation is being run has access to the `nixos-secrets` repository, otherwise you will need to manually add the required ssh keys to the installation image. 
+```bash
+# Load into the installer
+sudo passwd # Set a root password
 
+# From a machine with network access to the installer
+# and access to the nixos-secrets repo
+ssh -A root@(installer-ip)
+
+# Set up disks
+nix-shell -p disko
+disko --mode disko --flake git+https://git.bulthuis.dev/Jan/nixos-config#(system)
+exit
+
+# Install NixOS
+nixos-install --no-channel-copy --no-root-password --flake git+https://git.bulthuis.dev/Jan/nixos-config#(system)
+
+# Set up host credentials for access to the secrets
+cd /mnt/persist/system/etc/sops
+touch sops_ed25519_key 
+chmod 600 sops_ed25519_key
+nano sops_ed25519_key
 ```
-sudo nix --experimental-features "nix-command flakes" run "github:nix-community/disko/latest#disko-install" -- --flake git+https://git.bulthuis.dev/Jan/dotfiles#<hostname> --disk main /dev/sda
+If `nixos-install` is being stopped by the OOM-killer, you can try adding `-j 1` to limit the amount of jobs that will be executed at the same time to 1. It might require running nixos-install multiple times untill it has managed to download all requirements and slowly start building the rest of the system.
+
+## Updating
+
+To update the system configuration, it is a single command:
+```bash
+sudo system-update
 ```
+Or if this shell script has not been installed for some reason:
+```bash
+sudo nixos-rebuild switch --flake git+https://git.bulthuis.dev/Jan/nixos-config
+```
+Sometimes it may be necessary to reboot of course.

flake.lock

@@ -154,7 +154,44 @@
         "impermanence": "impermanence",
         "nix-minecraft": "nix-minecraft",
         "nix-modpack": "nix-modpack",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "secrets": "secrets",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "secrets": {
+      "locked": {
+        "lastModified": 1749133396,
+        "narHash": "sha256-St9GzTMi/Bx9Zs84LfNbcH7Qbs825UTg9hvzNg1ZI3A=",
+        "ref": "refs/heads/main",
+        "rev": "51679f68977cb3246a02791a59841fa31659136e",
+        "revCount": 8,
+        "type": "git",
+        "url": "ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets"
+      },
+      "original": {
+        "type": "git",
+        "url": "ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1747603214,
+        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     },
     "systems": {

flake.nix

@@ -6,6 +6,13 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
     home-manager.url = "github:nix-community/home-manager";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+    # Secrets
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+    secrets.url = "git+ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets";
+
+    # Disk setup
     disko.url = "github:nix-community/disko";
     disko.inputs.nixpkgs.follows = "nixpkgs";
     impermanence.url = "github:nix-community/impermanence";

hosts/20212060/configuration.nix

@@ -1,4 +1,4 @@
-{ flake, ... }:
+{ inputs, ... }:
 
 {
   # State version
@@ -13,6 +13,17 @@
     "wireshark"
   ];
 
+  # Set up kerberos
+  security.krb5 = {
+    enable = true;
+    settings = {
+      libdefaults = {
+        rdns = false;
+      };
+      realms = (inputs.secrets.gewis.krb5Realm);
+    };
+  };
+
   # Enable virtualisation for VMs
   virtualisation.libvirtd.enable = true;
 

hosts/vm-oddjob/configuration.nix

@@ -0,0 +1,22 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+
+{
+  # State version
+  system.stateVersion = "24.11";
+
+  # Machine hostname
+  networking.hostName = "vm-vpn";
+
+  # Enabled modules
+  modules = {
+    profiles.vm.enable = true;
+  };
+
+  # Setup NAS Backup Job
+
+}

hosts/vm-oddjob/users/local.nix

@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  home.stateVersion = "24.11";
+
+  modules.profiles.base.enable = true;
+}

modules/home/utilities/bitwarden.nix

@@ -0,0 +1,22 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+with lib;
+let
+  cfg = config.modules.bitwarden;
+in
+{
+  options.modules.bitwarden = {
+    enable = mkEnableOption "Bitwarden";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      bitwarden-desktop
+    ];
+  };
+}

modules/home/utilities/secrets.nix

@@ -0,0 +1,43 @@
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
+
+with lib;
+let
+  cfg = config.modules.secrets;
+  secrets = inputs.secrets;
+in
+{
+  options.modules.secrets = {
+    enable = mkEnableOption "secrets";
+    defaultFile = mkOption {
+      type = types.str;
+      default = "${secrets}/secrets/common.enc.yaml";
+      description = ''
+        The default file to use for SOPS.
+      '';
+    };
+    secrets = mkOption {
+      type = types.attrs;
+      default = { };
+      description = ''
+        All secrets that should be made available.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Set up SOPS
+    # TODO: Fix the key not being present in .config/sops before sops-nix runs
+    sops.defaultSopsFile = cfg.defaultFile;
+    sops.age.sshKeyPaths = [
+      "${config.home.homeDirectory}/.config/sops/sops_ed25519_key"
+      # "/persist/home/${config.home.username}/.config/sops/sops_ed25519_key"
+    ];
+    sops.secrets = cfg.secrets;
+    modules.impermanence.directories = [ ".config/sops" ];
+  };
+}

modules/nixos/secrets.nix

@@ -0,0 +1,43 @@
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
+
+with lib;
+let
+  cfg = config.modules.secrets;
+  secrets = inputs.secrets;
+in
+{
+  options.modules.secrets = {
+    enable = mkEnableOption "secrets";
+    defaultFile = mkOption {
+      type = types.str;
+      default = "${secrets}/secrets/common.enc.yaml";
+      description = ''
+        The default file to use for SOPS.
+      '';
+    };
+    secrets = mkOption {
+      type = types.attrs;
+      default = { };
+      description = ''
+        All secrets that should be made available.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Set up SOPS
+    # TODO: Fix the key not being present in /etc/sops before sops-nix runs
+    sops.defaultSopsFile = cfg.defaultFile;
+    sops.age.sshKeyPaths = [
+      "/etc/sops/sops_ed25519_key"
+      "/persist/system/etc/sops/sops_ed25519_key"
+    ];
+    sops.secrets = cfg.secrets;
+    modules.impermanence.directories = [ "/etc/sops" ];
+  };
+}

modules/nixos/ssh.nix

@@ -9,7 +9,24 @@ in
     enable = mkEnableOption "ssh";
   };
   config = mkIf cfg.enable {
-    services.openssh.enable = true;
-    # TODO: Is this default configuration secure?
+    services.openssh = {
+      enable = true;
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = "no";
+      };
+      hostKeys = mkIf (config.modules.impermanence.enable) [
+        {
+          type = "ed25519";
+          path = "/persist/system/etc/ssh/ssh_host_ed25519_key";
+        }
+        {
+          type = "rsa";
+          bits = 4096;
+          path = "/persist/system/etc/ssh/ssh_host_rsa_key";
+        }
+      ];
+    };
   };
 }

profiles/disko/vm.nix

@@ -3,6 +3,7 @@
     disk = {
       main = {
         type = "disk";
+        device = "/dev/sda";
         content = {
           type = "gpt";
           partitions = {
@@ -17,12 +18,19 @@
               };
             };
             zfs = {
-              size = "100%";
+              end = "-4G";
               content = {
                 type = "zfs";
                 pool = "tank";
               };
             };
+            swap = {
+              size = "100%";
+              content = {
+                type = "swap";
+                discardPolicy = "both";
+              };
+            };
           };
         };
       };

profiles/home/jan.nix

@@ -24,7 +24,6 @@ in
       freecad-wayland
       inkscape
       ente-auth
-      bitwarden
       carla
       winbox
       whatsapp-for-linux
@@ -39,6 +38,7 @@ in
       prismlauncher
       foliate
       wireshark
+      obsidian
     ];
 
     modules = {
@@ -61,6 +61,7 @@ in
           "flake.lock"
         ];
       };
+      bitwarden.enable = true;
       xpra = {
         enable = true;
         hosts = [

profiles/nixos/base.nix

@@ -1,5 +1,4 @@
 {
-  mkModule,
   pkgs,
   lib,
   config,
@@ -20,13 +19,19 @@ in
       bootloader.enable = mkDefault true;
       ssh.enable = mkDefault true;
 
-      # Setup sensible default persistent data
       impermanence.directories = [
         "/var/lib/nixos"
       ];
-      impermanence.files = [
-        "/etc/shadow"
-      ];
+
+      # TODO: Remove the secrets module and use sops directly?
+      secrets = {
+        enable = true;
+        secrets = {
+          "ssh-keys/deploy-priv" = {
+            path = "/root/.ssh/id_ed25519";
+          };
+        };
+      };
     };
 
     # Localization

profiles/nixos/vm.nix

@@ -1,5 +1,4 @@
 {
-  mkModule,
   pkgs,
   lib,
   config,
@@ -33,15 +32,26 @@ in
       ssh.enable = true;
     };
 
-    # Admin users
+    # Autologin to root for access from hypervisor
+    services.getty.autologinUser = "root";
+
+    # Local user
+    modules.secrets.secrets."passwords/local-hashed".neededForUsers = true;
+    users.mutableUsers = false;
     users.users.local = {
-      initialPassword = "local";
+      hashedPasswordFile = config.sops.secrets."passwords/local-hashed".path;
       extraGroups = [ "wheel" ];
       openssh.authorizedKeys.keys = [
-        "ssh-ed25519  jan@bulthuis.dev"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKxoQSxfYqf9ITN8Fhckk8WbY4dwtBAXOhC9jxihJvq Admin"
       ];
     };
 
+    # System packages
+    environment.systemPackages = with pkgs; [
+      # TODO: Make module for utilities/scripts
+      (writeShellScriptBin "system-update" "nixos-rebuild switch --flake git+https://git.bulthuis.dev/Jan/nixos-config")
+    ];
+
     # Enable qemu guest agent
     services.qemuGuest.enable = true;
 
@@ -61,17 +71,6 @@ in
       "sd_mod"
       "sr_mod"
     ];
-    boot.initrd.kernelModules = [ ];
     boot.kernelModules = [ "kvm-intel" ];
-    boot.extraModulePackages = [ ];
-    hardware.cpu.intel.updateMicrocode = true;
-
-    # Swapfile
-    swapDevices = [
-      {
-        device = "/var/lib/swapfile";
-        size = 6 * 1024;
-      }
-    ];
   };
 }