From c4ca9690a5f3a7e5dae8752548b4bb9aced954f1 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 11 Mar 2018 23:17:55 +0100
Subject: [PATCH] add key deployment, fix pennyworth

---
 deploy/keys.nix | 19 ++++++
 keys/ssh.jarvis.key | Bin 0 -> 909 bytes
 logical/pennyworth.nix | 3 +-
 modules/tor-hidden-service.nix | 3 +-
 physical/kassala.nix | 2 +
 roles/common.nix | 117 +++++++++++++++++++++++++++++++++
 roles/default.nix | 4 +-
 roles/server.nix | 1 +
 secrets.nix | Bin 1567 -> 1612 bytes
 services/default.nix | 2 +-
 10 files changed, 147 insertions(+), 4 deletions(-)
 create mode 100644 deploy/keys.nix
 create mode 100644 keys/ssh.jarvis.key
 create mode 100644 roles/common.nix
diff --git a/deploy/keys.nix b/deploy/keys.nix
new file mode 100644
index 0000000..55febbe
--- /dev/null
+++ b/deploy/keys.nix
@@ -0,0 +1,19 @@
+{ pkgs, lib, config, ... }:
+with lib;
+let cfg = config.deployment.keyys; in
+{
+ options.deployment.keyys = mkOption { type = types.listOf types.path; default = []; };
+ options.deployment.keys-copy = mkOption { type = types.package; };
+ config = {
+ deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys" (if cfg != [] then ''
+ set -e
+ ssh root@$1 "mkdir -p /root/keys"
+ scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys
+ echo "uploaded keys"
+ '' else ''
+ echo "no keys to upload"
+ '');
+
+ };
+
+}
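Review bot: The copy-keys script takes the target host from an unquoted `$1` with no usage check, so running it without an argument tries `ssh root@` and a host string containing spaces is split into several words; quote it and fail early. scp also preserves the source files' modes and /root/keys is created with root's default umask, so a hidden-service private key can arrive group- or world-readable on the target — pin the permissions after the upload, as in the excerpt below. The key sources listed in `keyys` (keys/ssh.jarvis.key in this patch) are committed as opaque binaries, presumably git-crypt like secrets.nix; worth confirming the filter covers keys/ so a locked checkout cannot upload ciphertext. The option name `keyys` reads as a typo unless it is deliberately distinct from nixops' `deployment.keys`; a one-line comment would settle that.
```nix
    deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys" (if cfg != [] then ''
      set -e
      [ -n "$1" ] || { echo "usage: copy-keys HOST" >&2; exit 1; }
      ssh root@"$1" "mkdir -p /root/keys && chmod 700 /root/keys"
      scp ${concatMapStringsSep " " toString cfg} root@"$1":/root/keys
      ssh root@"$1" "chmod 600 /root/keys/*"
      echo "uploaded keys"
    '' else ''
      # … unchanged: no-keys branch …
```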
diff --git a/keys/ssh.jarvis.key b/keys/ssh.jarvis.key new file mode 100644 index 0000000000000000000000000000000000000000..32c7090a31701f310f74c2a475cd81a1287663c7 GIT binary patch literal 909 zcmV;819JQTM@dveQdv+`0MRYM#_|Rr3xLe42&VSRMyj{o#{fKdlZEsmIr))`Laonm zn7UWwk3Z2f!_=j{h-q7C`c@=IYrKXNw(Fxx+ryFrWhFlzrj|!EB^(jj|@_DC; z1H6lNGOn5ge1pmio$Gl_5m^xyk*f(qaBQafd76RhJa%yJs#fMs(d8lzVepiBgELxj z5ja*lxQlWu&zaGTqIDpzK$Z>+qT$}AHf3@G*+{Qv`h&)Veid%p4NQOD9332T1H4Kz zXm=K`&_aQCf{d&@*2U}*?N454?}D2TMmkEstlm7PRrH(LF8zewy(jil>f^T_LY=8@ z^D&-G>*IkFEONWJ!fJ3JCD^tn>>9y*F|rzzz*|`XU7)ygZCA>ZFD?2Zd~9WqYHcaR z>a<=mlIyieEeNmIq7V~k z+*p(T@tIqTXc2g5C#Y)U9BilqE^G;lI!+Q~G~;N(NnJa=YWHx;d-MdJ$*8}()ka2H zk@?yoD2e%umceAr$LJfEO@s-#DxsdozH^G)%%^tN%!C?&K3CNpZxU8>L*h zZuyjw{VHfYOlkvFE;g$=b9$OUzFe5u0n#>Y@EsVX0}FmtcZmK$1g8G4<*N1{2ss13 z{~ZqPdL7SK@srJ@P;+f?;`1-n2rJK`;3`E7?78|q_y8MhpQ4OJrtI<^pUb1~*k2iQ zQHz0449y>r1%K!nz5KL&lH-6#Wa3*#ZC@KCAh|-T#JW-%ebpgRp|xrL;$0p&v#k`4 zcg0<$p3DSf@I1*xHIrVQ)l}j~Z$x2n?1bhw{-}C_^(P2Xs6NIO}~ z+Ydo#bbv{eXm90BUUW>D}0&wvD8E2=nuEz?Qrx^{pLIaz@~el`m)6&Qij?3&A0 jIOh%TbB!w*uT ]; } diff --git a/modules/tor-hidden-service.nix b/modules/tor-hidden-service.nix index 5fd411b..0774338 100644 --- a/modules/tor-hidden-service.nix +++ b/modules/tor-hidden-service.nix @@ -15,7 +15,7 @@ in { systemd.services."install-tor-hidden-service-keys" = { wantedBy = ["tor.service"]; serviceConfig.Type = "oneshot"; - serviceConfig.User = "tor"; + serviceConfig.User = "root"; serviceConfig.Group = "keys"; # TODO: update on change? # TODO: better ways to get the keys on the server @@ -24,6 +24,7 @@ in { mkdir -p ${torDir}/onion/${name}/ cp ${keypath} ${torDir}/onion/${name}/private_key chmod -R 700 ${torDir}/onion/${name} + chown -R tor ${torDir}/onion/${name} fi '') service-keys); }; diff --git a/physical/kassala.nix b/physical/kassala.nix index 0558288..b37e8c6 100644 --- a/physical/kassala.nix +++ b/physical/kassala.nix 
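Review bot: Switching install-tor-hidden-service-keys to `serviceConfig.User = "root"` (first hunk) gives the whole oneshot root just so it can read /root/keys, and nothing in the hunk records that; add `# runs as root: keys are uploaded to /root/keys (deploy/keys.nix) and handed to tor by the chown below` next to the existing TODOs. The remaining `serviceConfig.Group = "keys"` looks like a leftover of the /run/keys layout and is presumably irrelevant now that the unit runs as root. In the second hunk `chown -R tor ${torDir}/onion/${name}` changes only the owner; because `chmod -R 700` runs first the group no longer matters, but `chown -R tor:tor ${torDir}/onion/${name}` would make that explicit if the tor group is what the daemon runs under. The cp/chmod/chown lines sit inside an if whose condition is outside the hunk, so whether a replaced key is ever re-installed cannot be judged here.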
@@ -13,6 +13,8 @@ in
 # before: /nixos/nix/* /boot/grub/menu.lst
 # after: /nix/* /old-root/boot/grub/menu.lst
 boot = {
+ kernelPackages = pkgs.linuxPackages_latest;
+ blacklistedKernelModules = ["coretemp"];
 # use grub 1, don't install
 loader.grub = {
 version = 1;
diff --git a/roles/common.nix b/roles/common.nix
new file mode 100644
index 0000000..ca1dd58
--- /dev/null
+++ b/roles/common.nix
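Review bot: `blacklistedKernelModules = ["coretemp"]` carries no explanation, and neither does the move to `pkgs.linuxPackages_latest`; a reader later cannot tell whether coretemp is blacklisted because it misbehaves on this hardware or merely for noise, so a comment such as `# coretemp: <reason> on this box` would help. linuxPackages_latest also means a channel bump can change the kernel major version on this host, which is worth stating as intentional next to the line.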
@@ -0,0 +1,117 @@
+let secrets = import ;
+in
+{ config, pkgs, lib, ...}:
+let
+ machine = with lib; head (splitString "." config.networking.hostName);
+in
+{
+ imports = [
+ ../modules/tor-hidden-service.nix
+ ../modules/nginx.nix
+ ../roles/pub.nix
+ ../roles/quassel.nix
+ ../roles/gogs.nix
+ ../roles/mail.nix
+ ../roles/website.nix
+ ../roles/xmpp.nix
+ ];
+ time.timeZone = "Europe/Amsterdam";
+ users.mutableUsers = false;
+ users.extraUsers.root = {
+ openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys;
+ # root password is useful from console, ssh has password logins disabled
+ hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
+
+ };
+ services.timesyncd.enable = true;
+ services.fail2ban.enable = true;
+ users.extraUsers.yorick = {
+ isNormalUser = true;
+ uid = 1000;
+ extraGroups = ["wheel"];
+ group = "users";
+ openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [yorick];
+ };
+
+ # Nix
+ nixpkgs.config.allowUnfree = true;
+ nix.package = pkgs.nixUnstable;
+
+ nix.buildCores = config.nix.maxJobs;
+
+ nix.extraOptions = ''
+ allow-unsafe-native-code-during-evaluation = true
+ '';
+
+ # Networking
+ networking.enableIPv6 = false;
+
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ challengeResponseAuthentication = false;
+ };
+
+ services.tor = {
+ enable = true;
+ client.enable = true;
+ # ssh hidden service
+ hiddenServices.ssh.map = [{ port = 22; }];
+ service-keys.ssh = "/root/keys/ssh.${machine}.key";
+ };
+
+ programs.ssh.extraConfig = ''
+ Host *.onion
+ ProxyCommand nc -xlocalhost:9050 -X5 %h %p
+ ''
+ + (with lib; (flip concatMapStrings) (filter (hasPrefix "ssh.") (attrNames secrets.tor_hostnames)) (name: ''
+ Host ${removePrefix "ssh." name}.onion
+ hostname ${secrets.tor_hostnames.${name}}
+ ''
+ ));
+
+ environment.systemPackages = with pkgs; [
+ # v important.
+ cowsay ponysay
+ ed # ed, man!
+ sl + rlwrap + + vim + + # system stuff + ethtool inetutils + pciutils usbutils + iotop powertop htop + psmisc lsof + smartmontools hdparm + lm_sensors + ncdu + + # utils + file which + reptyr + tmux + bc + mkpasswd + shadow + + # archiving + xdelta + atool + unrar p7zip + unzip zip + + # network + nmap mtr bind + socat netcat-openbsd + lftp wget rsync + + git + nix-repl + rxvt_unicode.terminfo + ]; + nix.gc.automatic = true; + +} + diff --git a/roles/default.nix b/roles/default.nix index 234a15f..3214df8 100644 --- a/roles/default.nix +++ b/roles/default.nix @@ -8,6 +8,7 @@ in imports = [ ../modules/tor-hidden-service.nix ../modules/nginx.nix + ]; networking.hostName = secrets.hostnames.${machine}; @@ -61,8 +62,9 @@ in client.enable = true; # ssh hidden service hiddenServices.ssh.map = [{ port = 22; }]; - service-keys.ssh = "/run/keys/torkeys/ssh.${machine}.key"; + service-keys.ssh = "/root/keys/ssh.${machine}.key"; }; + deployment.keyys = [ ( + "/ssh.${machine}.key") ]; programs.ssh.extraConfig = '' Host *.onion diff --git a/roles/server.nix b/roles/server.nix index ea430a2..07c8ef4 100644 --- a/roles/server.nix +++ b/roles/server.nix @@ -4,5 +4,6 @@ services.nixosManual.enable = false; environment.noXlibs = true; + networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers } 
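Review bot: `allow-unsafe-native-code-during-evaluation = true` in nix.extraOptions lets any expression evaluated on these machines run native code during evaluation, and nothing in the file says which expression needs it; add `# needed for: <expression that uses it>` beside it, or drop it from the common role if only one host needs it. The root account reuses `secrets.pennyworth_hashedPassword` — the TODO already says so, but now that this file is shared by every host that imports it, one leaked hash unlocks every console, so the TODO deserves a per-host lookup keyed on `${machine}`, the way `secrets.hostnames.${machine}` is resolved in roles/default.nix. Giving root the same `openssh.authorizedKeys.keys` as yorick allows direct root login over SSH; that is consistent with `passwordAuthentication = false` but is worth a comment stating it is intended. Most of the tor, openssh and `programs.ssh.extraConfig` blocks here repeat what the roles/default.nix hunks show, which suggests default.nix was meant to import this file.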
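Review bot: The first roles/default.nix hunk adds only an empty line inside `imports = [ ... ]`, which looks like the place `../roles/common.nix` was meant to go — as it stands, roles/default.nix and the new roles/common.nix each carry their own copy of the tor and openssh configuration. In the second hunk the key source (`deployment.keyys = [ ( + "/ssh.${machine}.key") ]`) appears to have lost its first operand in this rendering, so which directory the key is taken from cannot be checked here. The target `/root/keys/ssh.${machine}.key` is hard-coded both in `service-keys.ssh` here and in roles/common.nix; deriving one from the other, or from the deploy/keys.nix option, would keep them from drifting.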
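Review bot: `networking.firewall.logRefusedConnections = false` removes the only host-side record of port scans and refused connection attempts on every server; fail2ban (enabled in roles/common.nix) reads sshd's log rather than the firewall's, so nothing breaks, but an incident investigation loses that trail. If log volume is the concern, the comment should say what is given up, e.g. `# Silence logging of scanners and knockers; note this leaves no firewall record of scans`, so the trade-off is visible to whoever reads the journal later.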
diff --git a/secrets.nix b/secrets.nix index 32c7ebf08694b42cdd86c02fa3d044fee46be532..1e8c352579287b418507cd4f194eb47b3050f7d3 100644 GIT binary patch literal 1612 zcmV-S2DAA9M@dveQdv+`00bhZ7>tu)^;&?v^`3wc1lIZZ)#&O!Nvz?Nol=Hb?h7)1YSkitZgpV(KeYY6Lj(*HMzi@Cm`pOd6c{rPY)a4C&MOd_B+LSm|_@;DL9w+U_e4rUchI_$x|Yg zzNK758{LUS86dGzbdqZ}0&W#i(;*%^E%At7D{8(%n>Q{NM+Z-C;Vu{kqR$if{!ji+ zAh3#1e}uSCX>|S}wv}Q=llDzB6{ViYK4AWVN+}p?WCp0FW7Q2hLk>{;i^mH)xqhR7^F{{0tQvbjMuo-`DlO< zGLj>r3o#TSxANgU-gHk}eiL#xC{vDoL`=8F!yipk>N)BEvwxB31JB z)X#S0B3$fI6eRd8+EKy)$}!--yMO#K_7+nV=0i-FTc+cKYmPh5{N8sdX8On`EJ8WV zlS#d#!WN4%YldSi!wCa*39CJpO95HE%XQ$}>;F{9Zj}XY2%12IeX<(S zMr2Sw%Og#kL}ErgR;fA+ShFuC`Nf77x|QPPi8|79FAm+sm<8t9rtj_f;~`xU;8O&8 zFrLX4EUi05rsNUmi*#~9eB^}VrUuL_`n?IbS-xFvyd=z~1IgW2!U}5RF@IG;ImH*r z9zdYKWJ1UVSuck}%&8Sh+qs7sh|E}9+4H)3PYZW;yAMrJ;4H{@uWglCXI=kj%I0#E1>Ub3bW63r*2!!i%FEjTGj2Bqb%*I_D?v@GH7Uh^G&@7#` z_L1w;b-lp4>aFtXJ35i}C-z-PGxI|SQ?q8ekmfU$BX7Fz5s5C+cy;Ktb1F+{D?!y_ zNPj|d{MRO#lhB3igGn4_iES2uLV;r0b)cmhaJV}NY?WTz_Ye zFBGFytQeX=!JD*c>P{AAfe~}PVyJ%(O_{AT#W}iF_QhD(m);Q3Ch^w0W2jaS*b{U8oGan%y4`@!MdZUOx zg+ktL{t{($=#j>r=R53X0SxDz%c1{!}uVfg_7u){0J74D$x zLKlSq$2fyPT!n{aR%W5ZPqs~8L49}nHLA;Qn^tyBG_J_WggJ7rc{}k&f+jw$0atChN5GQh}*$Xu0s zPF3kCD03SAS>&6YX%-ZD--3TrV;yvxRS}g;rS=b?O^L78x+c?m0JZmU)*sKr0$<{` zB?ujTjR?Mm?4)zoPFx;7ffMRcBM!+ z`{e<3L>9*W`eG^Ue3@f?N4!fXmrFm^JtL^98bn>~Qa>;;-$h9I-a*n*>$NUGeDr>$ z7mz`>ygWL&?k4f76q?(4^5F;2I(fi|{pXX=2Q8SQ%_jk8J|y&NX^dv;c;Yhqst`}| z!Yo6S*C+4!L*yH^-FluXWC+YnXII*8&sHdPqpn5{CHged`v;PQ=4^=vt0RNq4eA)H zCRI2U=1mElA`|*z>Mmkf!+Uxf0;q-Z2Qr<%Wv6r^hVB00%kpaFQJ~u#e?;>+l1vZ_ zgS(>hE=$J2A%}`GshBs2pUQ@MmEO&jyV162g_(w?s;9W`jM#Jr@U=xXzj}KX3kWdZsK!vFc+T)i=9po> zbFB<3FAg1bGCGW$>gj7{-zSJ7lAeTt)ZeB3brD5A-yJ}K&9U_)PL#=R+*UQr Rvea1c?_R}Sf#G()q{?r_3w;0p diff --git a/services/default.nix b/services/default.nix index acf564b..eb5a420 100644 --- a/services/default.nix +++ b/services/default.nix @@ -6,5 +6,5 @@ ./quassel.nix ./website.nix ./xmpp.nix - ] + ]; }