add key deployment, fix pennyworth
parent
7d51eaa7d8
commit
c4ca9690a5
|
@ -0,0 +1,19 @@
|
|||
{ pkgs, lib, config, ... }:
|
||||
with lib;
|
||||
let cfg = config.deployment.keyys; in
|
||||
{
|
||||
options.deployment.keyys = mkOption { type = types.listOf types.path; default = []; };
|
||||
options.deployment.keys-copy = mkOption { type = types.package; };
|
||||
config = {
|
||||
deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys" (if cfg != [] then ''
|
||||
set -e
|
||||
ssh root@$1 "mkdir -p /root/keys"
|
||||
scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys
|
||||
echo "uploaded keys"
|
||||
'' else ''
|
||||
echo "no keys to upload"
|
||||
'');
|
||||
|
||||
};
|
||||
|
||||
}
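Review bot: The `copy-keys` script never verifies that a host argument was given, so with an empty `$1` the `ssh root@$1 "mkdir -p /root/keys"` and `scp ... root@$1:/root/keys` lines run against a bare `root@`, and `set -e` does not catch that; add `set -u` beside `set -e`, or guard with `[ $# -eq 1 ] || { echo "usage: copy-keys HOST" >&2; exit 1; }`. The remote directory is created with a plain `mkdir -p /root/keys` and `scp` writes the private keys with whatever umask the remote shell has, so their protection relies on `/root` itself being closed to other users; `mkdir -p -m 700 /root/keys` followed by a `chmod 600 /root/keys/*` after the copy makes the key permissions explicit rather than inherited. Using `toString` on the `types.path` entries keeps the key files out of the world-readable Nix store, which is the right call and deserves a one-line comment such as `# toString: do not import key files into /nix/store`.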
|
Binary file not shown.
|
@ -48,7 +48,8 @@
|
|||
};
|
||||
hidden-service = {
|
||||
hostname = "muflax65ngodyewp.onion";
|
||||
private_key = "/run/keys/torkeys/http.muflax.key";
|
||||
private_key = "/root/keys/http.muflax.key";
|
||||
};
|
||||
};
|
||||
deployment.keyys = [ <yori-nix/keys/http.muflax.key> ];
|
||||
}
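Review bot: The onion private key now lives at a persistent on-disk path, `/root/keys/http.muflax.key`, instead of `/run/keys/torkeys/http.muflax.key`, which appears to be a runtime-only key directory, and nothing in the hunk records that change in exposure; if it is intended, a comment such as `# /root/keys is populated by copy-keys (deploy/keys.nix) and persists on disk` would capture the new assumption, and the same move happens to `service-keys.ssh` in the `-61,8 +62,9` hunk below. The file name `http.muflax.key` is now written twice, once in `private_key` and once in `deployment.keyys`, with nothing tying them together, so a rename of the key file silently leaves the service pointing at a missing key; binding it once, e.g. `let keyFile = <yori-nix/keys/http.muflax.key>; in` with `private_key = "/root/keys/${baseNameOf keyFile}";` and `deployment.keyys = [ keyFile ];`, keeps them in step. The enclosing attribute set starts outside the hunk.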
|
||||
|
|
|
@ -15,7 +15,7 @@ in {
|
|||
systemd.services."install-tor-hidden-service-keys" = {
|
||||
wantedBy = ["tor.service"];
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.User = "tor";
|
||||
serviceConfig.User = "root";
|
||||
serviceConfig.Group = "keys";
|
||||
# TODO: update on change?
|
||||
# TODO: better ways to get the keys on the server
|
||||
|
@ -24,6 +24,7 @@ in {
|
|||
mkdir -p ${torDir}/onion/${name}/
|
||||
cp ${keypath} ${torDir}/onion/${name}/private_key
|
||||
chmod -R 700 ${torDir}/onion/${name}
|
||||
chown -R tor ${torDir}/onion/${name}
|
||||
fi
|
||||
'') service-keys);
|
||||
};
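Review bot: The install unit now runs as root (`serviceConfig.User = "root"`) and the script copies with `cp ${keypath} ${torDir}/onion/${name}/private_key` before the `chmod -R 700` and `chown -R tor` lines, so between `mkdir -p` and the `chmod` the new directory and key file carry root's default umask and the private key can briefly be readable by other local users; a `umask 077` as the first line of the script removes that window without changing the rest of the sequence. With the unit running as root, `serviceConfig.Group = "keys"` looks like a leftover from the `/run/keys` setup and is worth removing or annotating (`# Group=keys is no longer needed: the unit runs as root and reads /root/keys`). The `fi` shows the copy sits inside a condition whose `if` is outside the hunk, and the script body continues above it.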
|
||||
|
|
|
@ -13,6 +13,8 @@ in
|
|||
# before: /nixos/nix/* /boot/grub/menu.lst
|
||||
# after: /nix/* /old-root/boot/grub/menu.lst
|
||||
boot = {
|
||||
kernelPackages = pkgs.linuxPackages_latest;
|
||||
blacklistedKernelModules = ["coretemp"];
|
||||
# use grub 1, don't install
|
||||
loader.grub = {
|
||||
version = 1;
|
||||
|
|
|
@ -0,0 +1,117 @@
|
|||
let secrets = import <secrets>;
|
||||
in
|
||||
{ config, pkgs, lib, ...}:
|
||||
let
|
||||
machine = with lib; head (splitString "." config.networking.hostName);
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../modules/tor-hidden-service.nix
|
||||
../modules/nginx.nix
|
||||
../roles/pub.nix
|
||||
../roles/quassel.nix
|
||||
../roles/gogs.nix
|
||||
../roles/mail.nix
|
||||
../roles/website.nix
|
||||
../roles/xmpp.nix
|
||||
];
|
||||
time.timeZone = "Europe/Amsterdam";
|
||||
users.mutableUsers = false;
|
||||
users.extraUsers.root = {
|
||||
openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys;
|
||||
# root password is useful from console, ssh has password logins disabled
|
||||
hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
|
||||
|
||||
};
|
||||
services.timesyncd.enable = true;
|
||||
services.fail2ban.enable = true;
|
||||
users.extraUsers.yorick = {
|
||||
isNormalUser = true;
|
||||
uid = 1000;
|
||||
extraGroups = ["wheel"];
|
||||
group = "users";
|
||||
openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [yorick];
|
||||
};
|
||||
|
||||
# Nix
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
nix.package = pkgs.nixUnstable;
|
||||
|
||||
nix.buildCores = config.nix.maxJobs;
|
||||
|
||||
nix.extraOptions = ''
|
||||
allow-unsafe-native-code-during-evaluation = true
|
||||
'';
|
||||
|
||||
# Networking
|
||||
networking.enableIPv6 = false;
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
passwordAuthentication = false;
|
||||
challengeResponseAuthentication = false;
|
||||
};
|
||||
|
||||
services.tor = {
|
||||
enable = true;
|
||||
client.enable = true;
|
||||
# ssh hidden service
|
||||
hiddenServices.ssh.map = [{ port = 22; }];
|
||||
service-keys.ssh = "/root/keys/ssh.${machine}.key";
|
||||
};
|
||||
|
||||
programs.ssh.extraConfig = ''
|
||||
Host *.onion
|
||||
ProxyCommand nc -xlocalhost:9050 -X5 %h %p
|
||||
'' +
|
||||
(with lib; (flip concatMapStrings) (filter (hasPrefix "ssh.") (attrNames secrets.tor_hostnames)) (name: ''
|
||||
Host ${removePrefix "ssh." name}.onion
|
||||
hostname ${secrets.tor_hostnames.${name}}
|
||||
''
|
||||
));
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
# v important.
|
||||
cowsay ponysay
|
||||
ed # ed, man!
|
||||
sl
|
||||
rlwrap
|
||||
|
||||
vim
|
||||
|
||||
# system stuff
|
||||
ethtool inetutils
|
||||
pciutils usbutils
|
||||
iotop powertop htop
|
||||
psmisc lsof
|
||||
smartmontools hdparm
|
||||
lm_sensors
|
||||
ncdu
|
||||
|
||||
# utils
|
||||
file which
|
||||
reptyr
|
||||
tmux
|
||||
bc
|
||||
mkpasswd
|
||||
shadow
|
||||
|
||||
# archiving
|
||||
xdelta
|
||||
atool
|
||||
unrar p7zip
|
||||
unzip zip
|
||||
|
||||
# network
|
||||
nmap mtr bind
|
||||
socat netcat-openbsd
|
||||
lftp wget rsync
|
||||
|
||||
git
|
||||
nix-repl
|
||||
rxvt_unicode.terminfo
|
||||
];
|
||||
nix.gc.automatic = true;
|
||||
|
||||
}
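Review bot: `service-keys.ssh = "/root/keys/ssh.${machine}.key"` expects the ssh onion key to have been placed in `/root/keys`, but unlike the other machine file in this commit this one neither imports `<yori-nix/deploy/keys.nix>` nor sets `deployment.keyys = [ (<yori-nix/keys> + "/ssh.${machine}.key") ]`, so unless one of the `../roles` or `../modules` imports does that, `copy-keys` will never upload this host's key. Separately, `allow-unsafe-native-code-during-evaluation = true` in `nix.extraOptions` lets any expression evaluated on this host load and run native code during evaluation, removing the evaluator's main safety boundary; if a specific expression needs it, a comment naming that consumer (`# needed by: <which expression>`) makes the setting reviewable, otherwise it should be dropped. The `# TODO: generate own` on `hashedPassword = secrets.pennyworth_hashedPassword;` suggests the root hash is not specific to this host; a per-host hash made with the `mkpasswd` already listed in `environment.systemPackages` would close that TODO.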
|
||||
|
|
@ -8,6 +8,7 @@ in
|
|||
imports = [
|
||||
../modules/tor-hidden-service.nix
|
||||
../modules/nginx.nix
|
||||
<yori-nix/deploy/keys.nix>
|
||||
<yori-nix/services>
|
||||
];
|
||||
networking.hostName = secrets.hostnames.${machine};
|
||||
|
@ -61,8 +62,9 @@ in
|
|||
client.enable = true;
|
||||
# ssh hidden service
|
||||
hiddenServices.ssh.map = [{ port = 22; }];
|
||||
service-keys.ssh = "/run/keys/torkeys/ssh.${machine}.key";
|
||||
service-keys.ssh = "/root/keys/ssh.${machine}.key";
|
||||
};
|
||||
deployment.keyys = [ (<yori-nix/keys> + "/ssh.${machine}.key") ];
|
||||
|
||||
programs.ssh.extraConfig = ''
|
||||
Host *.onion
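Review bot: The key file name `ssh.${machine}.key` is spelled out twice in this section, in `service-keys.ssh = "/root/keys/ssh.${machine}.key"` and in `deployment.keyys = [ (<yori-nix/keys> + "/ssh.${machine}.key") ]`, so changing one silently breaks the other and the hidden service ends up pointing at a key that was never uploaded; binding it once, e.g. `sshKey = <yori-nix/keys> + "/ssh.${machine}.key";` in the `let` that defines `machine` and then `service-keys.ssh = "/root/keys/${baseNameOf sshKey}";` with `deployment.keyys = [ sshKey ];`, keeps them in step. The move from `/run/keys/torkeys/` to the persistent `/root/keys/` is the same change raised on the `hidden-service` hunk above. The `let` block that defines `machine` is outside the hunk.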
|
||||
|
|
|
@ -4,5 +4,6 @@
|
|||
services.nixosManual.enable = false;
|
||||
|
||||
environment.noXlibs = true;
|
||||
networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers
|
||||
|
||||
}
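Review bot: `networking.firewall.logRefusedConnections = false` silences the firewall's record of rejected inbound connections on every host importing this file, which is the signal that would show a port scan or a brute-force attempt against a port no service watches; fail2ban, enabled elsewhere in this commit, works from service logs rather than firewall logs by default, so nothing replaces that record. If log volume is the concern, keeping the option at its default and filtering or rate-limiting the kernel log at the journal level keeps the evidence available for incident review; at minimum the comment should state the trade-off, e.g. `# Silence logging of scanners and knockers; note: no firewall-level record of scans remains`.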
|
||||
|
|
BIN
secrets.nix
BIN
secrets.nix
Binary file not shown.
|
@ -6,5 +6,5 @@
|
|||
./quassel.nix
|
||||
./website.nix
|
||||
./xmpp.nix
|
||||
]
|
||||
];
|
||||
}
|
||||
|
|