add key deployment, fix pennyworth

2018-03-11 23:17:55 +01:00 · 2018-03-11 23:17:55 +01:00 · c4ca9690a5
parent 7d51eaa7d8
commit c4ca9690a5
10 changed files with 147 additions and 4 deletions
--- a/deploy/keys.nix
+++ b/deploy/keys.nix
@ -0,0 +1,19 @@
+{ pkgs, lib, config, ... }:
+with lib;
+let cfg = config.deployment.keyys; in
+{
+  options.deployment.keyys = mkOption { type = types.listOf types.path; default = []; };
+  options.deployment.keys-copy = mkOption { type = types.package; };
+  config = {
+    deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys" (if cfg != [] then ''
+      set -e
+      ssh root@$1 "mkdir -p /root/keys"
+      scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys
+      echo "uploaded keys"
+    '' else ''
+      echo "no keys to upload"
+    '');
+    
+  };
+    
+}
--- a/keys/ssh.jarvis.key
+++ b/keys/ssh.jarvis.key
--- a/logical/pennyworth.nix
+++ b/logical/pennyworth.nix
@ -48,7 +48,8 @@
    };
    hidden-service = {
      hostname = "muflax65ngodyewp.onion";
-      private_key = "/run/keys/torkeys/http.muflax.key";
+      private_key = "/root/keys/http.muflax.key";
    };
  };
+  deployment.keyys = [ <yori-nix/keys/http.muflax.key> ];
 }
--- a/modules/tor-hidden-service.nix
+++ b/modules/tor-hidden-service.nix
@ -15,7 +15,7 @@ in {
    systemd.services."install-tor-hidden-service-keys" = {
      wantedBy = ["tor.service"];
      serviceConfig.Type = "oneshot";
-      serviceConfig.User = "tor";
+      serviceConfig.User = "root";
      serviceConfig.Group = "keys";
      # TODO: update on change?
      # TODO: better ways to get the keys on the server
@ -24,6 +24,7 @@ in {
          mkdir -p ${torDir}/onion/${name}/
          cp ${keypath} ${torDir}/onion/${name}/private_key
          chmod -R 700 ${torDir}/onion/${name}
+          chown -R tor ${torDir}/onion/${name}
        fi
      '') service-keys);
    };
--- a/physical/kassala.nix
+++ b/physical/kassala.nix
@ -13,6 +13,8 @@ in
  # before: /nixos/nix/* /boot/grub/menu.lst
  # after:  /nix/* /old-root/boot/grub/menu.lst
  boot = {
+    kernelPackages = pkgs.linuxPackages_latest;
+    blacklistedKernelModules = ["coretemp"];
    # use grub 1, don't install
    loader.grub = {
      version = 1;
--- a/roles/common.nix
+++ b/roles/common.nix
@ -0,0 +1,117 @@
+let secrets = import <secrets>;
+in
+{ config, pkgs, lib, ...}:
+let
+  machine = with lib; head (splitString "." config.networking.hostName);
+in
+{
+	imports = [
+    ../modules/tor-hidden-service.nix
+    ../modules/nginx.nix
+    ../roles/pub.nix
+    ../roles/quassel.nix
+    ../roles/gogs.nix
+    ../roles/mail.nix
+    ../roles/website.nix
+    ../roles/xmpp.nix
+  ];
+	time.timeZone = "Europe/Amsterdam";
+	users.mutableUsers = false;
+	users.extraUsers.root = {
+		openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys;
+    # root password is useful from console, ssh has password logins disabled
+    hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
+
+	};
+  services.timesyncd.enable = true;
+  services.fail2ban.enable = true;
+	users.extraUsers.yorick = {
+	  isNormalUser = true;
+	  uid = 1000;
+	  extraGroups = ["wheel"];
+	  group = "users";
+	  openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [yorick];
+	};
+
+  # Nix
+  nixpkgs.config.allowUnfree = true;
+  nix.package = pkgs.nixUnstable;
+
+  nix.buildCores = config.nix.maxJobs;
+
+  nix.extraOptions = ''
+    allow-unsafe-native-code-during-evaluation = true
+  '';
+
+  # Networking
+  networking.enableIPv6 = false;
+
+  services.openssh = {
+    enable = true;
+  	passwordAuthentication = false;
+  	challengeResponseAuthentication = false;
+  };
+
+  services.tor = {
+    enable = true;
+    client.enable = true;
+    # ssh hidden service
+    hiddenServices.ssh.map = [{ port = 22; }];
+    service-keys.ssh = "/root/keys/ssh.${machine}.key";
+  };
+
+  programs.ssh.extraConfig = ''
+    Host *.onion
+      ProxyCommand nc -xlocalhost:9050 -X5 %h %p
+  '' +
+  (with lib; (flip concatMapStrings) (filter (hasPrefix "ssh.") (attrNames secrets.tor_hostnames)) (name: ''
+    Host ${removePrefix "ssh." name}.onion
+        hostname ${secrets.tor_hostnames.${name}}
+    ''
+    ));
+
+  environment.systemPackages = with pkgs; [
+    # v important.
+    cowsay ponysay
+    ed # ed, man!
+    sl
+    rlwrap
+
+    vim
+
+    # system stuff
+    ethtool inetutils
+    pciutils usbutils
+    iotop powertop htop
+    psmisc lsof
+    smartmontools hdparm
+    lm_sensors
+    ncdu
+    
+    # utils
+    file which
+    reptyr
+    tmux
+    bc
+    mkpasswd
+    shadow
+    
+    # archiving
+    xdelta
+    atool
+    unrar p7zip
+    unzip zip
+
+    # network
+    nmap mtr bind
+    socat netcat-openbsd
+    lftp wget rsync
+
+    git
+    nix-repl
+    rxvt_unicode.terminfo
+  ];
+  nix.gc.automatic = true;
+
+}
+
--- a/roles/default.nix
+++ b/roles/default.nix
@ -8,6 +8,7 @@ in
 	imports = [
    ../modules/tor-hidden-service.nix
    ../modules/nginx.nix
+    <yori-nix/deploy/keys.nix>
    <yori-nix/services>
  ];
  networking.hostName = secrets.hostnames.${machine};
@ -61,8 +62,9 @@ in
    client.enable = true;
    # ssh hidden service
    hiddenServices.ssh.map = [{ port = 22; }];
-    service-keys.ssh = "/run/keys/torkeys/ssh.${machine}.key";
+    service-keys.ssh = "/root/keys/ssh.${machine}.key";
  };
+  deployment.keyys = [ (<yori-nix/keys> + "/ssh.${machine}.key") ];

  programs.ssh.extraConfig = ''
    Host *.onion
--- a/roles/server.nix
+++ b/roles/server.nix
@ -4,5 +4,6 @@
  services.nixosManual.enable = false;

  environment.noXlibs = true;
+  networking.firewall.logRefusedConnections = false;    # Silence logging of scanners and knockers

 }
--- a/secrets.nix
+++ b/secrets.nix
--- a/services/default.nix
+++ b/services/default.nix
@ -6,5 +6,5 @@
    ./quassel.nix
    ./website.nix
    ./xmpp.nix
-  ]
+  ];
 }