nixos-config/machines/Hypervisor-VM/default.nix

{ modulesPath, inputs, lib, pkgs, config, options, ... }:
let
  zfs_arc_max = toString (1 * 1024 * 1024 * 1024);
in {
  imports = with inputs.self; [
    "${toString modulesPath}/profiles/hardened.nix"

    ./hardware-configuration.nix
    nixosRoles.hypervisor
    nixosProfiles.direnv
  ];

  # build hell
  environment.noXlibs = lib.mkForce false;
  # minimal profile
  documentation.nixos.enable = lib.mkForce false;
  programs.command-not-found.enable = lib.mkForce false;
  xdg.autostart.enable = lib.mkForce false;
  xdg.icons.enable = lib.mkForce false;
  xdg.mime.enable = lib.mkForce false;
  xdg.sounds.enable = lib.mkForce false;
  services.udisks2.enable = lib.mkForce false;

  # boot
  boot = {
    zfs.forceImportAll = lib.mkForce false;
    loader.efi.canTouchEfiVariables = false;
    loader.efi.efiSysMountPoint = "/boot/efi";
    loader.systemd-boot.enable = false;
    loader.generationsDir.copyKernels = true;
    loader.grub = {
      enable = true;
      device = "nodev";
      version = 2;
      efiSupport = true;
      enableCryptodisk = true;
      zfsSupport = true;
      efiInstallAsRemovable = true;
      copyKernels = true;
      # extraPrepareConfig = ''
      # '';
    };
    initrd = {
      supportedFilesystems = [ "zfs" ];
      luks.devices = {
        "cryptboot" = {
          preLVM = true;
          keyFile = "/keyfile0.bin";
          allowDiscards = true;
          bypassWorkqueues = config.deviceSpecific.isSSD;
          fallbackToPassword = true;
          # postOpenCommands = "";
          # preOpenCommands = "";
        };
        "cryptroot" = {
          preLVM = true;
          keyFile = "/keyfile0.bin";
          allowDiscards = true;
          bypassWorkqueues = config.deviceSpecific.isSSD;
          fallbackToPassword = true;
        };
      };
      secrets = {
        "keyfile0.bin" = "/etc/secrets/keyfile0.bin";
      };
    };
    kernelPackages = pkgs.linuxPackages_hardened;
    kernelModules = [ "tcp_bbr" ];
    kernelParams = [
      "zfs.zfs_arc_max=${zfs_arc_max}"
      "zswap.enabled=0"
      "quiet"
      "scsi_mod.use_blk_mq=1"
      "modeset"
      "nofb"
      "pti=off"
      "spectre_v2=off"
      "kvm.ignore_msrs=1"
      "rd.systemd.show_status=auto"
      "rd.udev.log_priority=3"
    ];
    kernel.sysctl = {
      "kernel.sysrq" = false;
      "net.core.default_qdisc" = "sch_fq_codel";
      "net.ipv4.conf.all.accept_source_route" = false;
      "net.ipv4.icmp_ignore_bogus_error_responses" = true;
      "net.ipv4.tcp_congestion_control" = "bbr";
      "net.ipv4.tcp_fastopen" = 3;
      "net.ipv4.tcp_rfc1337" = true;
      "net.ipv4.tcp_syncookies" = true;
      "net.ipv6.conf.all.accept_source_route" = false;
      # disable ipv6
      "net.ipv6.conf.all.disable_ipv6" = true;
      "net.ipv6.conf.default.disable_ipv6" = true;
    };
    kernel.sysctl = {
      "vm.swappiness" = 1;
    };
    cleanTmpDir = true;
  };

  # security.polkit.enable = true;
  # system.nssModules = lib.mkForce [ ];

  # services.nscd.enable = false;

  deviceSpecific.devInfo = {
    cpu = {
      vendor = "intel";
      clock = 2300;
      cores = 4;
    };
    drive = {
      type = "ssd";
      speed = 500;
      size = 500;
    };
    gpu = {
      vendor = "other";
    };
    bigScreen = false;
    ram = 12;
  };
  deviceSpecific.enableVirtualisation = true;
  deviceSpecific.wireguard.enable = false;
  deviceSpecific.isServer = true;

  services.zfs.autoScrub.enable = true;
  services.zfs.autoScrub.interval = "daily";

  # hardened
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [];
  networking.firewall.allowedUDPPorts = [];
  systemd.coredump.enable = false;
  programs.firejail.enable = true;
  # scudo memalloc is unstable
  # environment.memoryAllocator.provider = "libc";
  # environment.memoryAllocator.provider = "graphene-hardened";

  networking.wireless.enable = false;
  networking.networkmanager.enable = false;
  networking.hostName = config.device;

  services.timesyncd.enable = false;
  services.openntpd.enable = true;
  networking.timeServers = [
    "0.ru.pool.ntp.org"
    "1.ru.pool.ntp.org"
    "2.ru.pool.ntp.org"
    "3.ru.pool.ntp.org"
    "0.europe.pool.ntp.org"
    "1.europe.pool.ntp.org"
    "2.europe.pool.ntp.org"
    "3.europe.pool.ntp.org"
  ] ++ options.networking.timeServers.default;

  # virtualisation
  virtualisation.oci-containers.backend = lib.mkForce "podman";
  virtualisation.docker.enable = lib.mkForce false;
  virtualisation.podman = {
    enable = true;
    dockerCompat = true;
    dockerSocket.enable = true;
  };

  fonts.enableDefaultFonts = lib.mkForce false;
  fonts.fonts = [ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ];

  home-manager.users.alukard.home.packages = with pkgs; [ bat podman-compose ];

  home-manager.users.alukard.xdg.mime.enable = false;
  home-manager.users.alukard.home.stateVersion = "22.11";
  system.stateVersion = "22.11";
}
hypervisor-vm with zfs and encrypted boot 2022-12-08 23:11:08 +03:00			`{ modulesPath, inputs, lib, pkgs, config, options, ... }:`
			`let`
			`zfs_arc_max = toString (1 * 1024 * 1024 * 1024);`
			`in {`
setup hypervisor vm 2022-12-07 22:16:09 +03:00			`imports = with inputs.self; [`
			`"${toString modulesPath}/profiles/hardened.nix"`

			`./hardware-configuration.nix`
			`nixosRoles.hypervisor`
			`nixosProfiles.direnv`
			`];`

			`# build hell`
			`environment.noXlibs = lib.mkForce false;`
			`# minimal profile`
			`documentation.nixos.enable = lib.mkForce false;`
			`programs.command-not-found.enable = lib.mkForce false;`
			`xdg.autostart.enable = lib.mkForce false;`
			`xdg.icons.enable = lib.mkForce false;`
			`xdg.mime.enable = lib.mkForce false;`
			`xdg.sounds.enable = lib.mkForce false;`
			`services.udisks2.enable = lib.mkForce false;`

			`# boot`
			`boot = {`
			`zfs.forceImportAll = lib.mkForce false;`
hypervisor-vm with zfs and encrypted boot 2022-12-08 23:11:08 +03:00			`loader.efi.canTouchEfiVariables = false;`
			`loader.efi.efiSysMountPoint = "/boot/efi";`
			`loader.systemd-boot.enable = false;`
			`loader.generationsDir.copyKernels = true;`
			`loader.grub = {`
setup hypervisor vm 2022-12-07 22:16:09 +03:00			`enable = true;`
hypervisor-vm with zfs and encrypted boot 2022-12-08 23:11:08 +03:00			`device = "nodev";`
			`version = 2;`
			`efiSupport = true;`
			`enableCryptodisk = true;`
			`zfsSupport = true;`
			`efiInstallAsRemovable = true;`
			`copyKernels = true;`
			`# extraPrepareConfig = ''`
			`# '';`
			`};`
			`initrd = {`
			`supportedFilesystems = [ "zfs" ];`
			`luks.devices = {`
			`"cryptboot" = {`
			`preLVM = true;`
			`keyFile = "/keyfile0.bin";`
			`allowDiscards = true;`
			`bypassWorkqueues = config.deviceSpecific.isSSD;`
			`fallbackToPassword = true;`
			`# postOpenCommands = "";`
			`# preOpenCommands = "";`
			`};`
			`"cryptroot" = {`
			`preLVM = true;`
			`keyFile = "/keyfile0.bin";`
			`allowDiscards = true;`
			`bypassWorkqueues = config.deviceSpecific.isSSD;`
			`fallbackToPassword = true;`
			`};`
			`};`
			`secrets = {`
			`"keyfile0.bin" = "/etc/secrets/keyfile0.bin";`
			`};`
setup hypervisor vm 2022-12-07 22:16:09 +03:00			`};`
			`kernelPackages = pkgs.linuxPackages_hardened;`
			`kernelModules = [ "tcp_bbr" ];`
			`kernelParams = [`
hypervisor-vm with zfs and encrypted boot 2022-12-08 23:11:08 +03:00			`"zfs.zfs_arc_max=${zfs_arc_max}"`
setup hypervisor vm 2022-12-07 22:16:09 +03:00			`"zswap.enabled=0"`
			`"quiet"`
			`"scsi_mod.use_blk_mq=1"`
			`"modeset"`
			`"nofb"`
			`"pti=off"`
			`"spectre_v2=off"`
			`"kvm.ignore_msrs=1"`
			`"rd.systemd.show_status=auto"`
			`"rd.udev.log_priority=3"`
			`];`
			`kernel.sysctl = {`
			`"kernel.sysrq" = false;`
			`"net.core.default_qdisc" = "sch_fq_codel";`
			`"net.ipv4.conf.all.accept_source_route" = false;`
			`"net.ipv4.icmp_ignore_bogus_error_responses" = true;`
			`"net.ipv4.tcp_congestion_control" = "bbr";`
			`"net.ipv4.tcp_fastopen" = 3;`
			`"net.ipv4.tcp_rfc1337" = true;`
			`"net.ipv4.tcp_syncookies" = true;`
			`"net.ipv6.conf.all.accept_source_route" = false;`
			`# disable ipv6`
			`"net.ipv6.conf.all.disable_ipv6" = true;`
			`"net.ipv6.conf.default.disable_ipv6" = true;`
			`};`
			`kernel.sysctl = {`
			`"vm.swappiness" = 1;`
			`};`
			`cleanTmpDir = true;`
			`};`

			`# security.polkit.enable = true;`
			`# system.nssModules = lib.mkForce [ ];`

			`# services.nscd.enable = false;`

			`deviceSpecific.devInfo = {`
			`cpu = {`
			`vendor = "intel";`
			`clock = 2300;`
			`cores = 4;`
			`};`
			`drive = {`
hypervisor-vm with zfs and encrypted boot 2022-12-08 23:11:08 +03:00			`type = "ssd";`
setup hypervisor vm 2022-12-07 22:16:09 +03:00			`speed = 500;`
			`size = 500;`
			`};`
			`gpu = {`
			`vendor = "other";`
			`};`
			`bigScreen = false;`
			`ram = 12;`
			`};`
			`deviceSpecific.enableVirtualisation = true;`
			`deviceSpecific.wireguard.enable = false;`
			`deviceSpecific.isServer = true;`

			`services.zfs.autoScrub.enable = true;`
			`services.zfs.autoScrub.interval = "daily";`

			`# hardened`
			`networking.firewall.enable = true;`
			`networking.firewall.allowedTCPPorts = [];`
			`networking.firewall.allowedUDPPorts = [];`
			`systemd.coredump.enable = false;`
			`programs.firejail.enable = true;`
			`# scudo memalloc is unstable`
			`# environment.memoryAllocator.provider = "libc";`
			`# environment.memoryAllocator.provider = "graphene-hardened";`

			`networking.wireless.enable = false;`
			`networking.networkmanager.enable = false;`
			`networking.hostName = config.device;`

			`services.timesyncd.enable = false;`
			`services.openntpd.enable = true;`
			`networking.timeServers = [`
			`"0.ru.pool.ntp.org"`
			`"1.ru.pool.ntp.org"`
			`"2.ru.pool.ntp.org"`
			`"3.ru.pool.ntp.org"`
			`"0.europe.pool.ntp.org"`
			`"1.europe.pool.ntp.org"`
			`"2.europe.pool.ntp.org"`
			`"3.europe.pool.ntp.org"`
			`] ++ options.networking.timeServers.default;`

			`# virtualisation`
			`virtualisation.oci-containers.backend = lib.mkForce "podman";`
			`virtualisation.docker.enable = lib.mkForce false;`
			`virtualisation.podman = {`
			`enable = true;`
			`dockerCompat = true;`
			`dockerSocket.enable = true;`
			`};`

			`fonts.enableDefaultFonts = lib.mkForce false;`
			`fonts.fonts = [ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ];`

			`home-manager.users.alukard.home.packages = with pkgs; [ bat podman-compose ];`

			`home-manager.users.alukard.xdg.mime.enable = false;`
			`home-manager.users.alukard.home.stateVersion = "22.11";`
			`system.stateVersion = "22.11";`
			`}`