feat: security - gnupg & openssh's KDF

modules/nixos/server/proxmox-hardware-configuration.nix

@@ -0,0 +1,56 @@
+{
+  config,
+  lib,
+  username,
+  ...
+}:
+##############################################################################
+#
+#  Template for Proxmox's VM, mainly based on:
+#    https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/virtualisation/proxmox-image.nix
+#
+#  the url above is used by `nixos-generator` to generate the Proxmox's VMA image file.
+#
+##############################################################################
+{
+  # DO NOT promote ryan to input password for sudo.
+  # this is a workaround for the issue of remote deploy:
+  #   https://github.com/NixOS/nixpkgs/issues/118655
+  security.sudo.extraRules = [
+    {
+      users = [username];
+      commands = [
+        {
+          command = "ALL";
+          options = ["NOPASSWD"];
+        }
+      ];
+    }
+  ];
+
+  boot = {
+    # after resize the disk, it will grow partition automatically.
+    growPartition = true;
+    kernelParams = ["console=ttyS0"];
+    loader.grub = {
+      device = "/dev/vda";
+
+      # we do not support EFI, so disable it.
+      efiSupport = false;
+      efiInstallAsRemovable = false;
+    };
+
+    loader.timeout = lib.mkForce 3; # wait for 3 seconds to select the boot entry
+    initrd.availableKernelModules = ["uas" "virtio_blk" "virtio_pci"];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    autoResize = true;
+    fsType = "ext4";
+  };
+  # we do not have a /boot partition, so do not mount it.
+
+  # it alse had qemu-guest-agent installed by default.
+  services.qemuGuest.enable = lib.mkDefault true;
+}

modules/nixos/server/security.nix

@@ -0,0 +1,7 @@
+{username, ...}: {
+  # Public Keys that can be used to login to all my servers.
+  users.users.${username}.openssh.authorizedKeys.keys = [
+    # TODO update keys here
+    "ssh-ed25519 xxx ryan@romantic"
+  ];
+}

modules/nixos/server/server-riscv64.nix

@@ -0,0 +1,65 @@
+{pkgs, ...}: {
+  # =========================================================================
+  #      Base NixOS Configuration
+  # =========================================================================
+
+  imports = [
+    ../base/i18n.nix
+    ../base/misc.nix
+    ../base/user-group.nix
+
+    ../../base.nix
+    
+    ./security.nix
+  ];
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  #
+  # TODO feel free to add or remove packages here.
+  environment.systemPackages = with pkgs; [
+    neovim
+
+    # networking
+    mtr # A network diagnostic tool
+    iperf3 # A tool for measuring TCP and UDP bandwidth performance
+    nmap # A utility for network discovery and security auditing
+    ldns # replacement of dig, it provide the command `drill`
+    socat # replacement of openbsd-netcat
+    tcpdump # A powerful command-line packet analyzer
+
+    # archives
+    zip
+    xz
+    unzip
+    p7zip
+    zstd
+    gnutar
+
+    # misc
+    file
+    which
+    tree
+    gnused
+    gawk
+    zellij
+    docker-compose
+  ];
+
+  virtualisation.docker = {
+    enable = true;
+    # start dockerd on boot.
+    # This is required for containers which are created with the `--restart=always` flag to work.
+    enableOnBoot = true;
+  };
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      X11Forwarding = true;
+      PermitRootLogin = "prohibit-password"; # disable root login with password
+      PasswordAuthentication = false; # disable password login
+    };
+    openFirewall = true;
+  };
+}

modules/nixos/server/server.nix

@@ -0,0 +1,8 @@
+{
+  imports = [
+    ../base
+    ../../base.nix
+
+    ./security.nix
+  ];
+}