add key deployment, fix pennyworth
parent
7d51eaa7d8
commit
c4ca9690a5
|
@ -0,0 +1,19 @@
|
||||||
|
{ pkgs, lib, config, ... }:
|
||||||
|
with lib;
|
||||||
|
let cfg = config.deployment.keyys; in
|
||||||
|
{
|
||||||
|
options.deployment.keyys = mkOption { type = types.listOf types.path; default = []; };
|
||||||
|
options.deployment.keys-copy = mkOption { type = types.package; };
|
||||||
|
config = {
|
||||||
|
deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys" (if cfg != [] then ''
|
||||||
|
set -e
|
||||||
|
ssh root@$1 "mkdir -p /root/keys"
|
||||||
|
scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys
|
||||||
|
echo "uploaded keys"
|
||||||
|
'' else ''
|
||||||
|
echo "no keys to upload"
|
||||||
|
'');
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
}
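Review bot: The copy-keys script takes its only argument on trust and leaves the key files' permissions to the remote side: `$1` is unquoted and never checked, `mkdir -p /root/keys` creates the directory with the remote umask's default mode, and nothing sets the mode of the uploaded private keys after `scp`. I would change `set -e` to `set -eu`, make the first remote step `ssh root@"$1" "install -d -m 700 /root/keys"`, quote `"$1"` in the `scp` line as well, and follow the upload with `ssh root@"$1" "chmod 600 /root/keys/*"`; a one-line argument-count check before the first `ssh` gives a usable error instead of `ssh root@`. Both `deployment.keyys` and `deployment.keys-copy` lack a `description`; a sentence saying the name is deliberately distinct from nixops' own `deployment.keys` (if that is the reason) would stop the next reader from "fixing" the spelling.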
|
Binary file not shown.
|
@ -48,7 +48,8 @@
|
||||||
};
|
};
|
||||||
hidden-service = {
|
hidden-service = {
|
||||||
hostname = "muflax65ngodyewp.onion";
|
hostname = "muflax65ngodyewp.onion";
|
||||||
private_key = "/run/keys/torkeys/http.muflax.key";
|
private_key = "/root/keys/http.muflax.key";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
deployment.keyys = [ <yori-nix/keys/http.muflax.key> ];
|
||||||
}
|
}
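Review bot: Relocating the hidden-service key from `/run/keys/torkeys/http.muflax.key` to `/root/keys/http.muflax.key` changes where it rests: if `/run/keys` was a tmpfs key store (as with nixops-managed keys) the key never touched persistent disk before, whereas `/root/keys` is ordinary on-disk storage that survives reboots and ends up in any disk image or backup. The same relocation is made for `service-keys.ssh` in the machine config further down this commit, so the same consideration applies there. Independently, the file name `http.muflax.key` is now spelled twice in this file (`private_key` and `deployment.keyys`); binding it once, e.g. `let httpKey = <yori-nix/keys/http.muflax.key>; in` with `private_key = "/root/keys/${baseNameOf httpKey}";` and `deployment.keyys = [ httpKey ];`, keeps the upload and the consumer from drifting apart. The enclosing attribute set starts before this hunk.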
|
||||||
|
|
|
@ -15,7 +15,7 @@ in {
|
||||||
systemd.services."install-tor-hidden-service-keys" = {
|
systemd.services."install-tor-hidden-service-keys" = {
|
||||||
wantedBy = ["tor.service"];
|
wantedBy = ["tor.service"];
|
||||||
serviceConfig.Type = "oneshot";
|
serviceConfig.Type = "oneshot";
|
||||||
serviceConfig.User = "tor";
|
serviceConfig.User = "root";
|
||||||
serviceConfig.Group = "keys";
|
serviceConfig.Group = "keys";
|
||||||
# TODO: update on change?
|
# TODO: update on change?
|
||||||
# TODO: better ways to get the keys on the server
|
# TODO: better ways to get the keys on the server
|
||||||
|
@ -24,6 +24,7 @@ in {
|
||||||
mkdir -p ${torDir}/onion/${name}/
|
mkdir -p ${torDir}/onion/${name}/
|
||||||
cp ${keypath} ${torDir}/onion/${name}/private_key
|
cp ${keypath} ${torDir}/onion/${name}/private_key
|
||||||
chmod -R 700 ${torDir}/onion/${name}
|
chmod -R 700 ${torDir}/onion/${name}
|
||||||
|
chown -R tor ${torDir}/onion/${name}
|
||||||
fi
|
fi
|
||||||
'') service-keys);
|
'') service-keys);
|
||||||
};
|
};
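Review bot: Changing `serviceConfig.User` from `"tor"` to `"root"` so the oneshot can read `/root/keys` runs the whole copy script with root privileges, and the retained `serviceConfig.Group = "keys"` now has no effect because root is not subject to the group check. A narrower option is to keep `User = "tor"` and make the deployed keys readable by the `keys` group (owner root:keys, mode 640, set by the upload script), which also matches what the Group line was evidently meant to do. If root is kept, the `cp`/`chmod -R 700`/`chown -R tor` sequence in the second hunk can be collapsed to `install -m 600 -o tor ${keypath} ${torDir}/onion/${name}/private_key`, so the key is never momentarily root-owned with the umask's default mode, and the file ends up 600 rather than the executable 700 that `chmod -R` gives it (700 on the directory, 600 on the file is the conventional layout). The `if` that these lines sit under starts before the hunk.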
|
||||||
|
|
|
@ -13,6 +13,8 @@ in
|
||||||
# before: /nixos/nix/* /boot/grub/menu.lst
|
# before: /nixos/nix/* /boot/grub/menu.lst
|
||||||
# after: /nix/* /old-root/boot/grub/menu.lst
|
# after: /nix/* /old-root/boot/grub/menu.lst
|
||||||
boot = {
|
boot = {
|
||||||
|
kernelPackages = pkgs.linuxPackages_latest;
|
||||||
|
blacklistedKernelModules = ["coretemp"];
|
||||||
# use grub 1, don't install
|
# use grub 1, don't install
|
||||||
loader.grub = {
|
loader.grub = {
|
||||||
version = 1;
|
version = 1;
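Review bot: `blacklistedKernelModules = ["coretemp"];` carries no reason, and a reader cannot tell from the file whether the module is broken on this hardware, noisy, or blacklisted for some other cause; a short why-comment on the line, e.g. `# coretemp: <reason it is blacklisted on this host>`, would prevent it being removed as an oversight later. The enclosing `boot` set continues past the hunk.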
|
||||||
|
|
|
@ -0,0 +1,117 @@
|
||||||
|
let secrets = import <secrets>;
|
||||||
|
in
|
||||||
|
{ config, pkgs, lib, ...}:
|
||||||
|
let
|
||||||
|
machine = with lib; head (splitString "." config.networking.hostName);
|
||||||
|
in
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
../modules/tor-hidden-service.nix
|
||||||
|
../modules/nginx.nix
|
||||||
|
../roles/pub.nix
|
||||||
|
../roles/quassel.nix
|
||||||
|
../roles/gogs.nix
|
||||||
|
../roles/mail.nix
|
||||||
|
../roles/website.nix
|
||||||
|
../roles/xmpp.nix
|
||||||
|
];
|
||||||
|
time.timeZone = "Europe/Amsterdam";
|
||||||
|
users.mutableUsers = false;
|
||||||
|
users.extraUsers.root = {
|
||||||
|
openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys;
|
||||||
|
# root password is useful from console, ssh has password logins disabled
|
||||||
|
hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
|
||||||
|
|
||||||
|
};
|
||||||
|
services.timesyncd.enable = true;
|
||||||
|
services.fail2ban.enable = true;
|
||||||
|
users.extraUsers.yorick = {
|
||||||
|
isNormalUser = true;
|
||||||
|
uid = 1000;
|
||||||
|
extraGroups = ["wheel"];
|
||||||
|
group = "users";
|
||||||
|
openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [yorick];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Nix
|
||||||
|
nixpkgs.config.allowUnfree = true;
|
||||||
|
nix.package = pkgs.nixUnstable;
|
||||||
|
|
||||||
|
nix.buildCores = config.nix.maxJobs;
|
||||||
|
|
||||||
|
nix.extraOptions = ''
|
||||||
|
allow-unsafe-native-code-during-evaluation = true
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Networking
|
||||||
|
networking.enableIPv6 = false;
|
||||||
|
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
passwordAuthentication = false;
|
||||||
|
challengeResponseAuthentication = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.tor = {
|
||||||
|
enable = true;
|
||||||
|
client.enable = true;
|
||||||
|
# ssh hidden service
|
||||||
|
hiddenServices.ssh.map = [{ port = 22; }];
|
||||||
|
service-keys.ssh = "/root/keys/ssh.${machine}.key";
|
||||||
|
};
|
||||||
|
|
||||||
|
programs.ssh.extraConfig = ''
|
||||||
|
Host *.onion
|
||||||
|
ProxyCommand nc -xlocalhost:9050 -X5 %h %p
|
||||||
|
'' +
|
||||||
|
(with lib; (flip concatMapStrings) (filter (hasPrefix "ssh.") (attrNames secrets.tor_hostnames)) (name: ''
|
||||||
|
Host ${removePrefix "ssh." name}.onion
|
||||||
|
hostname ${secrets.tor_hostnames.${name}}
|
||||||
|
''
|
||||||
|
));
|
||||||
|
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
# v important.
|
||||||
|
cowsay ponysay
|
||||||
|
ed # ed, man!
|
||||||
|
sl
|
||||||
|
rlwrap
|
||||||
|
|
||||||
|
vim
|
||||||
|
|
||||||
|
# system stuff
|
||||||
|
ethtool inetutils
|
||||||
|
pciutils usbutils
|
||||||
|
iotop powertop htop
|
||||||
|
psmisc lsof
|
||||||
|
smartmontools hdparm
|
||||||
|
lm_sensors
|
||||||
|
ncdu
|
||||||
|
|
||||||
|
# utils
|
||||||
|
file which
|
||||||
|
reptyr
|
||||||
|
tmux
|
||||||
|
bc
|
||||||
|
mkpasswd
|
||||||
|
shadow
|
||||||
|
|
||||||
|
# archiving
|
||||||
|
xdelta
|
||||||
|
atool
|
||||||
|
unrar p7zip
|
||||||
|
unzip zip
|
||||||
|
|
||||||
|
# network
|
||||||
|
nmap mtr bind
|
||||||
|
socat netcat-openbsd
|
||||||
|
lftp wget rsync
|
||||||
|
|
||||||
|
git
|
||||||
|
nix-repl
|
||||||
|
rxvt_unicode.terminfo
|
||||||
|
];
|
||||||
|
nix.gc.automatic = true;
|
||||||
|
|
||||||
|
}
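Review bot: `service-keys.ssh = "/root/keys/ssh.${machine}.key";` points at the new `/root/keys` location, but unlike the other machine config in this commit this file neither imports `<yori-nix/deploy/keys.nix>` nor sets `deployment.keyys`, so nothing visible here uploads that key and the install oneshot will find the path missing unless the key is placed by other means. Adding `<yori-nix/deploy/keys.nix>` to `imports` and `deployment.keyys = [ (<yori-nix/keys> + "/ssh.${machine}.key") ];` would mirror the other host. Two smaller points: `users.extraUsers.root.openssh.authorizedKeys.keys` and the `ssh root@$1` deploy script both depend on root SSH logins, yet the `services.openssh` block sets no `permitRootLogin`, so this relies on the NixOS default or on another module — `permitRootLogin = "prohibit-password";` next to `passwordAuthentication = false;` makes the intent explicit. And `allow-unsafe-native-code-during-evaluation = true` in `nix.extraOptions` allows native code to run during evaluation; a comment naming the expression that needs it, or dropping the line if none does, would be worth it.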
|
||||||
|
|
|
@ -8,6 +8,7 @@ in
|
||||||
imports = [
|
imports = [
|
||||||
../modules/tor-hidden-service.nix
|
../modules/tor-hidden-service.nix
|
||||||
../modules/nginx.nix
|
../modules/nginx.nix
|
||||||
|
<yori-nix/deploy/keys.nix>
|
||||||
<yori-nix/services>
|
<yori-nix/services>
|
||||||
];
|
];
|
||||||
networking.hostName = secrets.hostnames.${machine};
|
networking.hostName = secrets.hostnames.${machine};
|
||||||
|
@ -61,8 +62,9 @@ in
|
||||||
client.enable = true;
|
client.enable = true;
|
||||||
# ssh hidden service
|
# ssh hidden service
|
||||||
hiddenServices.ssh.map = [{ port = 22; }];
|
hiddenServices.ssh.map = [{ port = 22; }];
|
||||||
service-keys.ssh = "/run/keys/torkeys/ssh.${machine}.key";
|
service-keys.ssh = "/root/keys/ssh.${machine}.key";
|
||||||
};
|
};
|
||||||
|
deployment.keyys = [ (<yori-nix/keys> + "/ssh.${machine}.key") ];
|
||||||
|
|
||||||
programs.ssh.extraConfig = ''
|
programs.ssh.extraConfig = ''
|
||||||
Host *.onion
|
Host *.onion
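Review bot: The key file name `ssh.${machine}.key` is now written twice, in `service-keys.ssh = "/root/keys/ssh.${machine}.key";` and in `deployment.keyys = [ (<yori-nix/keys> + "/ssh.${machine}.key") ];`, so a rename in one place silently breaks the other. A single binding in the file's existing `let`, `sshKey = <yori-nix/keys> + "/ssh.${machine}.key";`, used as `service-keys.ssh = "/root/keys/${baseNameOf sshKey}";` and `deployment.keyys = [ sshKey ];`, keeps the upload and the consumer in step. The `let ... in` and the `services.tor` block both begin outside the hunks shown.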
|
||||||
|
|
|
@ -4,5 +4,6 @@
|
||||||
services.nixosManual.enable = false;
|
services.nixosManual.enable = false;
|
||||||
|
|
||||||
environment.noXlibs = true;
|
environment.noXlibs = true;
|
||||||
|
networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers
|
||||||
|
|
||||||
}
|
}
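Review bot: `networking.firewall.logRefusedConnections = false;` removes the kernel log entries that are the only on-host record of port scans and knock attempts, so the change trades log volume for detection data rather than being purely cosmetic. fail2ban, enabled on pennyworth in this commit, bans from service logs as configured by default and is not affected, but if noise is the sole motivation, keeping the logging and filtering at the journal or collector preserves the signal for incident review. The inline comment already records the reason, which is the right place for it.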
|
||||||
|
|
BIN
secrets.nix
BIN
secrets.nix
Binary file not shown.
|
@ -6,5 +6,5 @@
|
||||||
./quassel.nix
|
./quassel.nix
|
||||||
./website.nix
|
./website.nix
|
||||||
./xmpp.nix
|
./xmpp.nix
|
||||||
]
|
];
|
||||||
}
|
}
|
||||||
|
|