From 5b5e76e21099213758a6b3872b24015f8e33d409 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 21 Jul 2015 18:57:58 +0200 Subject: 1&2 lass: move userconfig to base.nix --- 2configs/lass/base.nix | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) (limited to '2configs/lass/base.nix') diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index 5e5b8a7..26e6cae 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix @@ -3,14 +3,36 @@ with lib; { imports = [ - ./sshkeys.nix ../../3modules/lass/iptables.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) (import /root/src/secrets/hashedPasswords.nix); } - + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/lass.ssh.pub + ]; + }; + mainUser = { + name = "lass"; + uid = 1337; + home = "/home/lass"; + group = "users"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "audio" + "wheel" + ]; + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/lass.ssh.pub + ]; + }; + }; + } ]; nix.useChroot = true; -- cgit v1.2.3 From 188b97682a03e1c786b3404b0c5009e20294f22b Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 21 Jul 2015 19:02:31 +0200 Subject: 2 lass: remove gitolite from base.nix --- 2configs/lass/base.nix | 33 +++++---------------------------- 1 file changed, 5 insertions(+), 28 deletions(-) (limited to '2configs/lass/base.nix') diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index 26e6cae..a0d3c3a 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix @@ -99,11 +99,11 @@ with lib; "sendmail" ]; - services.gitolite = { - enable = true; - dataDir = "/home/gitolite"; - adminPubkey = config.sshKeys.lass.pub; - }; + #services.gitolite = { + # enable = true; + # dataDir = "/home/gitolite"; + # adminPubkey = config.sshKeys.lass.pub; + #}; services.openssh = { enable = true; @@ -132,27 +132,4 @@ with lib; }; }; - #Networking.firewall = { - # enable = true; - - # allowedTCPPorts = [ - # 22 - # ]; - - # extraCommands = '' - # iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # iptables -A INPUT -j ACCEPT -i lo - # #http://serverfault.com/questions/84963/why-not-block-icmp - # iptables -A INPUT -j ACCEPT -p icmp - - # #TODO: fix Retiolum firewall - # #iptables -N RETIOLUM - # #iptables -A INPUT -j RETIOLUM -i retiolum - # #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset - # #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable - # #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable - # #iptables -A RETIOLUM -j REJECT - # ''; - #}; } -- cgit v1.2.3 From fbea2ae05c574cd11f1aebaeb40cca8d4b536908 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 02:17:40 +0200 Subject: 1&2 lass: move vim.nix import to base.nix --- 2configs/lass/base.nix | 1 + 1 file changed, 1 insertion(+) (limited to '2configs/lass/base.nix') diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index a0d3c3a..35631ff 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix @@ -4,6 +4,7 @@ with lib; { imports = [ ../../3modules/lass/iptables.nix + ../../2configs/lass/vim.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) -- cgit v1.2.3 From 493184a2f4b7d0f0cf407731e11e6cb9565f5aa8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 02:19:24 +0200 Subject: 2 lass.base: use precedence in iptables config --- 2configs/lass/base.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to '2configs/lass/base.nix') diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index 35631ff..b24e6a9 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix @@ -125,10 +125,10 @@ with lib; filter.INPUT.policy = "DROP"; filter.FORWARD.policy = "DROP"; filter.INPUT.rules = [ - { predicate = "-i lo"; target = "ACCEPT"; } - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - { predicate = "-p icmp"; target = "ACCEPT"; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; } + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } + { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } + { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } ]; }; }; -- cgit v1.2.3 From 88d8137c63c0742028145b1fe39728a55879ed96 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 02:19:46 +0200 Subject: 2 lass.base: add nmap to defaultPackages --- 2configs/lass/base.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to '2configs/lass/base.nix') diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index b24e6a9..494cafa 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix @@ -53,6 +53,8 @@ with lib; ''; environment.systemPackages = with pkgs; [ + nmap + git most rxvt_unicode.terminfo -- cgit v1.2.3 From 36566b511d6cca0e17013bcbdfb05885117b375a Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 17:03:20 +0200 Subject: lass: move krebs config to base --- 2configs/lass/base.nix | 5 +++++ 1 file changed, 5 insertions(+) (limited to '2configs/lass/base.nix') diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index 494cafa..8d4a9c8 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix @@ -36,6 +36,11 @@ with lib; } ]; + krebs = { + enable = true; + search-domain = "retiolum"; + }; + nix.useChroot = true; users.mutableUsers = false; -- cgit v1.2.3 From aa3a158c25d436643144b24d47a10e2e6d0660eb Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 28 Jul 2015 20:28:21 +0200 Subject: lass: port everything to stockholm --- 2configs/lass/base.nix | 143 ------------------------------------------------- 1 file changed, 143 deletions(-) delete mode 100644 2configs/lass/base.nix (limited to '2configs/lass/base.nix') diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix deleted file mode 100644 index 8d4a9c8..0000000 --- a/2configs/lass/base.nix +++ /dev/null @@ -1,143 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -{ - imports = [ - ../../3modules/lass/iptables.nix - ../../2configs/lass/vim.nix - { - users.extraUsers = - mapAttrs (_: h: { hashedPassword = h; }) - (import /root/src/secrets/hashedPasswords.nix); - } - { - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = map readFile [ - ../../Zpubkeys/lass.ssh.pub - ]; - }; - mainUser = { - name = "lass"; - uid = 1337; - home = "/home/lass"; - group = "users"; - createHome = true; - useDefaultShell = true; - extraGroups = [ - "audio" - "wheel" - ]; - openssh.authorizedKeys.keys = map readFile [ - ../../Zpubkeys/lass.ssh.pub - ]; - }; - }; - } - ]; - - krebs = { - enable = true; - search-domain = "retiolum"; - }; - - nix.useChroot = true; - - users.mutableUsers = false; - - boot.tmpOnTmpfs = true; - # see tmpfiles.d(5) - systemd.tmpfiles.rules = [ - "d /tmp 1777 root root - -" - ]; - - # multiple-definition-problem when defining environment.variables.EDITOR - environment.extraInit = '' - EDITOR=vim - PAGER=most - ''; - - environment.systemPackages = with pkgs; [ - nmap - - git - most - rxvt_unicode.terminfo - - #network - iptables - ]; - - programs.bash = { - enableCompletion = true; - interactiveShellInit = '' - HISTCONTROL='erasedups:ignorespace' - HISTSIZE=65536 - HISTFILESIZE=$HISTSIZE - - shopt -s checkhash - shopt -s histappend histreedit histverify - shopt -s no_empty_cmd_completion - complete -d cd - - #fancy colors - if [ -e ~/LS_COLORS ]; then - eval $(dircolors ~/LS_COLORS) - fi - - if [ -e /etc/nixos/dotfiles/link ]; then - /etc/nixos/dotfiles/link - fi - ''; - promptInit = '' - if test $UID = 0; then - PS1='\[\033[1;31m\]\w\[\033[0m\] ' - elif test $UID = 1337; then - PS1='\[\033[1;32m\]\w\[\033[0m\] ' - else - PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' - fi - if test -n "$SSH_CLIENT"; then - PS1='\[\033[35m\]\h'" $PS1" - fi - ''; - }; - - security.setuidPrograms = [ - "sendmail" - ]; - - #services.gitolite = { - # enable = true; - # dataDir = "/home/gitolite"; - # adminPubkey = config.sshKeys.lass.pub; - #}; - - services.openssh = { - enable = true; - hostKeys = [ - # XXX bits here make no science - { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ]; - }; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; - - lass.iptables = { - enable = true; - tables = { - filter.INPUT.policy = "DROP"; - filter.FORWARD.policy = "DROP"; - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } - { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } - { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } - ]; - }; - }; - -} -- cgit v1.2.3