diff --git a/deploy/keys.nix b/deploy/keys.nix
new file mode 100644
index 0000000..55febbe
--- /dev/null
+++ b/deploy/keys.nix
@@ -0,0 +1,19 @@
+{ pkgs, lib, config, ... }:
+with lib;
+let cfg = config.deployment.keyys; in
+{
+ options.deployment.keyys = mkOption { type = types.listOf types.path; default = []; };
+ options.deployment.keys-copy = mkOption { type = types.package; };
+ config = {
+ deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys" (if cfg != [] then ''
+ set -e
+ ssh root@$1 "mkdir -p /root/keys"
+ scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys
+ echo "uploaded keys"
+ '' else ''
+ echo "no keys to upload"
+ '');
+
+ };
+
+}
diff --git a/keys/ssh.jarvis.key b/keys/ssh.jarvis.key
new file mode 100644
index 0000000..32c7090
Binary files /dev/null and b/keys/ssh.jarvis.key differ
diff --git a/logical/pennyworth.nix b/logical/pennyworth.nix
index 67b5416..26a5996 100644
--- a/logical/pennyworth.nix
+++ b/logical/pennyworth.nix
@@ -48,7 +48,8 @@
 };
 hidden-service = {
 hostname = "muflax65ngodyewp.onion";
- private_key = "/run/keys/torkeys/http.muflax.key";
+ private_key = "/root/keys/http.muflax.key";
 };
 };
+ deployment.keyys = [ ];
 }
diff --git a/modules/tor-hidden-service.nix b/modules/tor-hidden-service.nix
index 5fd411b..0774338 100644
--- a/modules/tor-hidden-service.nix
+++ b/modules/tor-hidden-service.nix
@@ -15,7 +15,7 @@ in {
 systemd.services."install-tor-hidden-service-keys" = {
 wantedBy = ["tor.service"];
 serviceConfig.Type = "oneshot";
- serviceConfig.User = "tor";
+ serviceConfig.User = "root";
 serviceConfig.Group = "keys";
 # TODO: update on change?
 # TODO: better ways to get the keys on the server
@@ -24,6 +24,7 @@ in {
 mkdir -p ${torDir}/onion/${name}/
 cp ${keypath} ${torDir}/onion/${name}/private_key
 chmod -R 700 ${torDir}/onion/${name}
+ chown -R tor ${torDir}/onion/${name}
 fi
 '') service-keys);
 };
diff --git a/physical/kassala.nix b/physical/kassala.nix
index 0558288..b37e8c6 100644
--- a/physical/kassala.nix
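Review bot: The copy-keys script in the deploy/keys.nix hunk uses `$1` unquoted in both `ssh root@$1` and `scp ... root@$1:/root/keys` and never checks that a host was given, so a missing argument produces `root@:` instead of an error; a guard such as `host=''${1:?usage: copy-keys HOST}` (the `''$` is the escape `${` needs inside a Nix `''` string) followed by `"root@$host"` fails closed. The same script creates /root/keys with `mkdir -p` but never tightens its mode, and the key files arrive with whatever mode scp gives them; `mkdir -p /root/keys && chmod 700 /root/keys` on the ssh line, plus a `chmod 600` of the uploaded files afterwards, keeps the Tor keys readable by root only without relying on the mode of /root itself. The paths in deployment.keyys are read from the deployer's checkout, and this commit adds keys/ssh.jarvis.key to the repository as a binary blob; if that file is not encrypted at rest (git-crypt or similar, as the binary secrets.nix suggests the repo may use), the key should be treated as exposed and regenerated.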
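Review bot: `deployment.keyys = [ ];` in the logical/pennyworth.nix hunk is empty, yet the `private_key` line directly above it now points at /root/keys/http.muflax.key, a directory only copy-keys populates; as printed, nothing uploads that key to this host and the install unit in modules/tor-hidden-service.nix (its `if` guard begins outside that hunk) would skip the key without an error. If the brackets held a `<...>` path that the page rendering stripped, as the `( + "/ssh.${machine}.key")` element in roles/default.nix suggests, this is only a display artifact; otherwise the list needs the http.muflax.key entry. Either way a comment next to private_key such as `# uploaded by deploy/keys.nix (copy-keys); the install unit is a no-op if the file is missing` would spare the next reader the search.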
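Review bot: Running install-tor-hidden-service-keys as root (`serviceConfig.User = "root"`) widens a oneshot that only needs to read /root/keys and write under ${torDir}, and the `serviceConfig.Group = "keys"` line just below, which made sense while the unit ran as tor against /run/keys, is left without a purpose; if root is required, a comment such as `# runs as root: keys are uploaded to /root/keys by copy-keys` and dropping the stale Group line would record that. The `chown -R tor` added in this file's second hunk runs after `chmod -R 700`, so the directory ends up tor-owned and closed, but the copied private_key keeps whatever mode the source file in /root/keys had; an explicit `chmod 600 ${torDir}/onion/${name}/private_key` after the cp would not depend on how the upload left it. The `if` enclosing that shell snippet opens outside the hunk.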
+++ b/physical/kassala.nix
@@ -13,6 +13,8 @@ in
 # before: /nixos/nix/* /boot/grub/menu.lst
 # after: /nix/* /old-root/boot/grub/menu.lst
 boot = {
+ kernelPackages = pkgs.linuxPackages_latest;
+ blacklistedKernelModules = ["coretemp"];
 # use grub 1, don't install
 loader.grub = {
 version = 1;
diff --git a/roles/common.nix b/roles/common.nix
new file mode 100644
index 0000000..ca1dd58
--- /dev/null
+++ b/roles/common.nix
@@ -0,0 +1,117 @@ +let secrets = import ; +in +{ config, pkgs, lib, ...}: +let + machine = with lib; head (splitString "." config.networking.hostName); +in +{ + imports = [ + ../modules/tor-hidden-service.nix + ../modules/nginx.nix + ../roles/pub.nix + ../roles/quassel.nix + ../roles/gogs.nix + ../roles/mail.nix + ../roles/website.nix + ../roles/xmpp.nix + ]; + time.timeZone = "Europe/Amsterdam"; + users.mutableUsers = false; + users.extraUsers.root = { + openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys; + # root password is useful from console, ssh has password logins disabled + hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own + + }; + services.timesyncd.enable = true; + services.fail2ban.enable = true; + users.extraUsers.yorick = { + isNormalUser = true; + uid = 1000; + extraGroups = ["wheel"]; + group = "users"; + openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [yorick]; + }; + + # Nix + nixpkgs.config.allowUnfree = true; + nix.package = pkgs.nixUnstable; + + nix.buildCores = config.nix.maxJobs; + + nix.extraOptions = '' + allow-unsafe-native-code-during-evaluation = true + ''; + + # Networking + networking.enableIPv6 = false; + + services.openssh = { + enable = true; + passwordAuthentication = false; + challengeResponseAuthentication = false; + }; + + services.tor = { + enable = true; + client.enable = true; + # ssh hidden service + hiddenServices.ssh.map = [{ port = 22; }]; + service-keys.ssh = "/root/keys/ssh.${machine}.key"; + }; + + programs.ssh.extraConfig = '' + Host *.onion + ProxyCommand nc -xlocalhost:9050 -X5 %h %p + '' + + (with lib; (flip concatMapStrings) (filter (hasPrefix "ssh.") (attrNames secrets.tor_hostnames)) (name: '' + Host ${removePrefix "ssh." name}.onion + hostname ${secrets.tor_hostnames.${name}} + '' + )); + + environment.systemPackages = with pkgs; [ + # v important. + cowsay ponysay + ed # ed, man! 
+ sl
+ rlwrap
+
+ vim
+
+ # system stuff
+ ethtool inetutils
+ pciutils usbutils
+ iotop powertop htop
+ psmisc lsof
+ smartmontools hdparm
+ lm_sensors
+ ncdu
+
+ # utils
+ file which
+ reptyr
+ tmux
+ bc
+ mkpasswd
+ shadow
+
+ # archiving
+ xdelta
+ atool
+ unrar p7zip
+ unzip zip
+
+ # network
+ nmap mtr bind
+ socat netcat-openbsd
+ lftp wget rsync
+
+ git
+ nix-repl
+ rxvt_unicode.terminfo
+ ];
+ nix.gc.automatic = true;
+
+}
+
diff --git a/roles/default.nix b/roles/default.nix
index 234a15f..3214df8 100644
--- a/roles/default.nix
+++ b/roles/default.nix
@@ -8,6 +8,7 @@ in
 imports = [
 ../modules/tor-hidden-service.nix
 ../modules/nginx.nix
+
 ];
 networking.hostName = secrets.hostnames.${machine};
@@ -61,8 +62,9 @@ in
 client.enable = true;
 # ssh hidden service
 hiddenServices.ssh.map = [{ port = 22; }];
- service-keys.ssh = "/run/keys/torkeys/ssh.${machine}.key";
+ service-keys.ssh = "/root/keys/ssh.${machine}.key";
 };
+ deployment.keyys = [ ( + "/ssh.${machine}.key") ];
 programs.ssh.extraConfig = ''
 Host *.onion
diff --git a/roles/server.nix b/roles/server.nix
index ea430a2..07c8ef4 100644
--- a/roles/server.nix
+++ b/roles/server.nix
@@ -4,5 +4,6 @@
 services.nixosManual.enable = false;
 environment.noXlibs = true;
+ networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers
 }
diff --git a/secrets.nix b/secrets.nix
index 32c7ebf..1e8c352 100644
Binary files a/secrets.nix and b/secrets.nix differ
diff --git a/services/default.nix b/services/default.nix
index acf564b..eb5a420 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -6,5 +6,5 @@
 ./quassel.nix
 ./website.nix
 ./xmpp.nix
- ]
+ ];
 }
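Review bot: `nix.extraOptions` in the new roles/common.nix sets `allow-unsafe-native-code-during-evaluation = true` on every host that imports this role, which lets any Nix expression evaluated on those machines run native code at evaluation time (the setting exists to unlock builtins.exec and builtins.importNative); nothing in this file uses that and the commit does not say what needs it, so either drop the line or add a comment naming the consumer, e.g. `# needed by <consumer>: enables builtins.exec/importNative during eval`. The root account reuses `secrets.pennyworth_hashedPassword` under a `# TODO: generate own` marker, so every machine built from this role shares one root password hash until that TODO is done; a per-machine attribute looked up the way `secrets.hostnames.${machine}` is in roles/default.nix would remove the sharing. `let secrets = import ;` at the top of the hunk looks like a `<...>` search-path token lost to page rendering rather than a real syntax error, and is mentioned only so nobody reconstructs the file from this page.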
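Review bot: The `/root/keys` location is now spelled out independently in four places — the `service-keys.ssh` string in this roles/default.nix hunk, the same line in roles/common.nix, `private_key` in logical/pennyworth.nix and the `mkdir`/`scp` targets in deploy/keys.nix — so moving the directory later means editing every file, and a missed one fails only at runtime when the install unit finds no key. Since deploy/keys.nix already declares the `deployment.keyys` option, a sibling option for the target directory, read by both the script and the modules, would let `service-keys.ssh = "${config.deployment.keys-dir}/ssh.${machine}.key"` (option name constructed) replace the literal. The added `deployment.keyys = [ ( + "/ssh.${machine}.key") ];` has no left operand as printed, most likely a `<...>` search path stripped by the page rendering, but it deserves a glance before anyone copies it; the `services.tor` attribute set this hunk closes opens outside the hunk.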