add key deployment, fix pennyworth

yorickvP · Mar 11, 2018 · c4ca969 · c4ca969
1 parent 7d51eaa
commit c4ca969
Show file tree

Hide file tree

Showing 10 changed files with 147 additions and 4 deletions.
diff --git a/deploy/keys.nix b/deploy/keys.nix
@@ -0,0 +1,19 @@
+{ pkgs, lib, config, ... }:
+with lib;
+let cfg = config.deployment.keyys; in
+{
+  options.deployment.keyys = mkOption { type = types.listOf types.path; default = []; };
+  options.deployment.keys-copy = mkOption { type = types.package; };
+  config = {
+    deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys" (if cfg != [] then ''
+      set -e
+      ssh root@$1 "mkdir -p /root/keys"
+      scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys
+      echo "uploaded keys"
+    '' else ''
+      echo "no keys to upload"
+    '');
+
+  };
+
+}
diff --git a/keys/ssh.jarvis.key b/keys/ssh.jarvis.key
diff --git a/logical/pennyworth.nix b/logical/pennyworth.nix
@@ -48,7 +48,8 @@
     };
     hidden-service = {
       hostname = "muflax65ngodyewp.onion";
-      private_key = "/run/keys/torkeys/http.muflax.key";
+      private_key = "/root/keys/http.muflax.key";
     };
   };
+  deployment.keyys = [ <yori-nix/keys/http.muflax.key> ];
 }
diff --git a/modules/tor-hidden-service.nix b/modules/tor-hidden-service.nix
@@ -15,7 +15,7 @@ in {
     systemd.services."install-tor-hidden-service-keys" = {
       wantedBy = ["tor.service"];
       serviceConfig.Type = "oneshot";
-      serviceConfig.User = "tor";
+      serviceConfig.User = "root";
       serviceConfig.Group = "keys";
       # TODO: update on change?
       # TODO: better ways to get the keys on the server
@@ -24,6 +24,7 @@ in {
           mkdir -p ${torDir}/onion/${name}/
           cp ${keypath} ${torDir}/onion/${name}/private_key
           chmod -R 700 ${torDir}/onion/${name}
+          chown -R tor ${torDir}/onion/${name}
         fi
       '') service-keys);
     };

diff --git a/physical/kassala.nix b/physical/kassala.nix
@@ -13,6 +13,8 @@ in
   # before: /nixos/nix/* /boot/grub/menu.lst
   # after:  /nix/* /old-root/boot/grub/menu.lst
   boot = {
+    kernelPackages = pkgs.linuxPackages_latest;
+    blacklistedKernelModules = ["coretemp"];
     # use grub 1, don't install
     loader.grub = {
       version = 1;

diff --git a/roles/common.nix b/roles/common.nix
@@ -0,0 +1,117 @@
+let secrets = import <secrets>;
+in
+{ config, pkgs, lib, ...}:
+let
+  machine = with lib; head (splitString "." config.networking.hostName);
+in
+{
+	imports = [
+    ../modules/tor-hidden-service.nix
+    ../modules/nginx.nix
+    ../roles/pub.nix
+    ../roles/quassel.nix
+    ../roles/gogs.nix
+    ../roles/mail.nix
+    ../roles/website.nix
+    ../roles/xmpp.nix
+  ];
+	time.timeZone = "Europe/Amsterdam";
+	users.mutableUsers = false;
+	users.extraUsers.root = {
+		openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys;
+    # root password is useful from console, ssh has password logins disabled
+    hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
+
+	};
+  services.timesyncd.enable = true;
+  services.fail2ban.enable = true;
+	users.extraUsers.yorick = {
+	  isNormalUser = true;
+	  uid = 1000;
+	  extraGroups = ["wheel"];
+	  group = "users";
+	  openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [yorick];
+	};
+
+  # Nix
+  nixpkgs.config.allowUnfree = true;
+  nix.package = pkgs.nixUnstable;
+
+  nix.buildCores = config.nix.maxJobs;
+
+  nix.extraOptions = ''
+    allow-unsafe-native-code-during-evaluation = true
+  '';
+
+  # Networking
+  networking.enableIPv6 = false;
+
+  services.openssh = {
+    enable = true;
+  	passwordAuthentication = false;
+  	challengeResponseAuthentication = false;
+  };
+
+  services.tor = {
+    enable = true;
+    client.enable = true;
+    # ssh hidden service
+    hiddenServices.ssh.map = [{ port = 22; }];
+    service-keys.ssh = "/root/keys/ssh.${machine}.key";
+  };
+
+  programs.ssh.extraConfig = ''
+    Host *.onion
+      ProxyCommand nc -xlocalhost:9050 -X5 %h %p
+  '' +
+  (with lib; (flip concatMapStrings) (filter (hasPrefix "ssh.") (attrNames secrets.tor_hostnames)) (name: ''
+    Host ${removePrefix "ssh." name}.onion
+        hostname ${secrets.tor_hostnames.${name}}
+    ''
+    ));
+
+  environment.systemPackages = with pkgs; [
+    # v important.
+    cowsay ponysay
+    ed # ed, man!
+    sl
+    rlwrap
+
+    vim
+
+    # system stuff
+    ethtool inetutils
+    pciutils usbutils
+    iotop powertop htop
+    psmisc lsof
+    smartmontools hdparm
+    lm_sensors
+    ncdu
+
+    # utils
+    file which
+    reptyr
+    tmux
+    bc
+    mkpasswd
+    shadow
+
+    # archiving
+    xdelta
+    atool
+    unrar p7zip
+    unzip zip
+
+    # network
+    nmap mtr bind
+    socat netcat-openbsd
+    lftp wget rsync
+
+    git
+    nix-repl
+    rxvt_unicode.terminfo
+  ];
+  nix.gc.automatic = true;
+
+}
+
diff --git a/roles/default.nix b/roles/default.nix
@@ -8,6 +8,7 @@ in
 	imports = [
     ../modules/tor-hidden-service.nix
     ../modules/nginx.nix
+    <yori-nix/deploy/keys.nix>
     <yori-nix/services>
   ];
   networking.hostName = secrets.hostnames.${machine};
@@ -61,8 +62,9 @@ in
     client.enable = true;
     # ssh hidden service
     hiddenServices.ssh.map = [{ port = 22; }];
-    service-keys.ssh = "/run/keys/torkeys/ssh.${machine}.key";
+    service-keys.ssh = "/root/keys/ssh.${machine}.key";
   };
+  deployment.keyys = [ (<yori-nix/keys> + "/ssh.${machine}.key") ];
 
   programs.ssh.extraConfig = ''
     Host *.onion

diff --git a/roles/server.nix b/roles/server.nix
@@ -4,5 +4,6 @@
   services.nixosManual.enable = false;
 
   environment.noXlibs = true;
+  networking.firewall.logRefusedConnections = false;    # Silence logging of scanners and knockers
 
 }
diff --git a/secrets.nix b/secrets.nix
diff --git a/services/default.nix b/services/default.nix
@@ -6,5 +6,5 @@
     ./quassel.nix
     ./website.nix
     ./xmpp.nix
-  ]
+  ];
 }