From 1538630782ac8c56d549af4fcac4c9abcba8c9c5 Mon Sep 17 00:00:00 2001
From: tv <tv@shackspace.de>
Date: Fri, 19 Jun 2015 22:06:24 +0200
Subject: [PATCH] host rmdir: initial commit

---
 modules/rmdir/default.nix    | 76 ++++++++++++++++++++++++++++++++++++
 modules/rmdir/iptables.nix   | 76 ++++++++++++++++++++++++++++++++++++
 modules/rmdir/networking.nix | 14 +++++++
 modules/rmdir/users.nix      | 19 +++++++++
 4 files changed, 185 insertions(+)
 create mode 100644 modules/rmdir/default.nix
 create mode 100644 modules/rmdir/iptables.nix
 create mode 100644 modules/rmdir/networking.nix
 create mode 100644 modules/rmdir/users.nix

diff --git a/modules/rmdir/default.nix b/modules/rmdir/default.nix
new file mode 100644
index 000000000..e514e5dad
--- /dev/null
+++ b/modules/rmdir/default.nix
@@ -0,0 +1,76 @@
+{ pkgs, ... }:
+
+let
+  inherit (builtins) readFile;
+in
+
+{
+  imports =
+    [
+      <secrets/hashedPasswords.nix>
+      ./iptables.nix
+      ./networking.nix
+      ./users.nix
+      ../common/nixpkgs.nix
+      ../tv/base.nix
+      ../tv/base-cac-CentOS-7-64bit.nix
+      ../tv/exim-smarthost.nix
+      ../tv/git/public.nix
+      ../tv/retiolum.nix
+      ../tv/sanitize.nix
+    ];
+
+  nix.maxJobs = 1;
+
+  nixpkgs = {
+    url = "https://github.com/NixOS/nixpkgs";
+    rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+  };
+
+  environment.systemPackages = with pkgs; [
+    git # required for ./deploy, clone_or_update
+    htop
+    iftop
+    iotop
+    iptables
+    mutt    # for mv
+    nethogs
+    rxvt_unicode.terminfo
+    tcpdump
+  ];
+
+  security.rtkit.enable = false;
+
+  services.cron.enable = false;
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+
+  services.ntp.enable = false;
+
+  services.openssh = {
+    enable = true;
+    hostKeys = [
+      # XXX bits here make no science
+      { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+    ];
+    permitRootLogin = "yes";
+  };
+
+  services.retiolum = {
+    enable = true;
+    hosts = <retiolum-hosts>;
+    privateKeyFile = "/etc/tinc/retiolum/rsa_key.priv";
+    connectTo = [
+      "cd"
+      "rmdir"
+      "fastpoke"
+      "pigstarter"
+      "ire"
+    ];
+  };
+
+  sound.enable = false;
+}
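Review bot: `permitRootLogin = "yes"` at the end of the services.openssh block allows root to authenticate over SSH with a password, even though users.nix only provisions authorized keys for root and `<secrets/hashedPasswords.nix>` is imported at the top of this file, so any root password hash that secrets file sets becomes a remotely guessable credential (iptables.nix keeps sshd reachable on 11423 from every source address). Since key-based root access is already the deployment path, `permitRootLogin = "without-password";` keeps deploys working while removing password login for root. The `bits = 8192` in hostKeys is ignored for ed25519, whose keys are fixed-size, so the `# XXX` comment could say that explicitly, `# bits is ignored for ed25519 (fixed-size keys)`, or the attribute be dropped if the option does not require it. `readFile` is inherited from builtins at the top of the file but never used in this module.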
diff --git a/modules/rmdir/iptables.nix b/modules/rmdir/iptables.nix
new file mode 100644
index 000000000..950aa8472
--- /dev/null
+++ b/modules/rmdir/iptables.nix
@@ -0,0 +1,76 @@
+{ config, pkgs, ... }:
+
+{
+  #
+  # iptables
+  #
+  networking.firewall.enable = false;
+  system.activationScripts.iptables =
+    let
+      log = false;
+      when = c: f: if c then f else "";
+    in
+      ''
+        ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; }
+        ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; }
+        ipXtables() { ip4tables "$@" && ip6tables "$@"; }
+
+        # XXX This fails with the original CAC CentOS 7 kernel.
+        if ipXtables -vL >/dev/null; then
+
+          #
+          # nat
+          #
+
+          # reset tables
+          ipXtables -t nat -F
+          ipXtables -t nat -X
+
+          #
+          ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0
+          ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh
+
+          #
+          # filter
+          #
+
+          # reset tables
+          ipXtables -P INPUT DROP
+          ipXtables -P FORWARD DROP
+          ipXtables -F
+          ipXtables -X
+
+          # create custom chains
+          ipXtables -N Retiolum
+
+          # INPUT
+          ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+          ipXtables -A INPUT -j ACCEPT -i lo
+          ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW
+          #ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
+          ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW
+          ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW
+          ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-client -m conntrack --ctstate NEW
+          ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-server -m conntrack --ctstate NEW
+
+          ipXtables -A INPUT -j Retiolum -i retiolum
+          ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"}
+
+          # FORWARD
+          ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"}
+
+          # Retiolum
+          ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request
+          ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request
+
+          ipXtables -A Retiolum -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
+
+          ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"}
+          ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
+          ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
+          ip4tables -A Retiolum -j REJECT        --reject-with icmp-proto-unreachable
+          ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable
+          ip6tables -A Retiolum -j REJECT
+        fi
+      '';
+}
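Review bot: The `if ipXtables -vL >/dev/null; then … fi` wrapper makes the whole ruleset conditional: on a kernel where the probe fails (the `# XXX` comment above it says the stock CAC CentOS 7 kernel is one), activation still succeeds and the host comes up with `networking.firewall.enable = false` and the kernel's default ACCEPT policies, i.e. no firewall at all and nothing in the log saying so. An `else` branch that at least reports it, `else echo "iptables: probe failed, NO firewall rules were applied" >&2`, or that fails the activation, would make that state visible. Separately, `ipXtables() { ip4tables "$@" && ip6tables "$@"; }` stops at the first failing family, so one rejected IPv4 rule leaves the IPv6 side short a rule while, as far as I can tell from the script, execution continues with the next line; adding `set -e` (or explicit result checks) at the top of the script would abort instead of leaving a half-applied policy, if the activation-script harness tolerates it. The nat rule redirecting external `--dport ssh` to `--to-ports 0` reads as a deliberate way to force the 11423 path, and deserves a one-line comment saying so, since a reader can mistake it for a typo.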
diff --git a/modules/rmdir/networking.nix b/modules/rmdir/networking.nix
new file mode 100644
index 000000000..45dae3dcb
--- /dev/null
+++ b/modules/rmdir/networking.nix
@@ -0,0 +1,14 @@
+{...}:
+{
+  networking.hostName = "rmdir";
+  networking.interfaces.enp2s1.ip4 = [
+    {
+      address = "162.219.6.2";
+      prefixLength = 24;
+    }
+  ];
+  networking.defaultGateway = "162.219.6.1";
+  networking.nameservers = [
+    "8.8.8.8"
+  ];
+}
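Review bot: `networking.nameservers` lists a single resolver, so name resolution on this host has no fallback when 8.8.8.8 is unreachable; a second entry (for example `"8.8.4.4"` or the hosting provider's resolver) costs one line. The interface gets only an IPv4 address although iptables.nix installs a full ip6tables ruleset; if the host has no IPv6 connectivity that is fine, otherwise the v6 address and gateway belong here as well so the two files agree.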
diff --git a/modules/rmdir/users.nix b/modules/rmdir/users.nix
new file mode 100644
index 000000000..82f078b4e
--- /dev/null
+++ b/modules/rmdir/users.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+let
+  inherit (builtins) readFile;
+in
+
+{
+  users.extraUsers =
+    {
+      root = {
+        openssh.authorizedKeys.keys = [
+          (readFile <pubkeys/deploy_wu.ssh.pub>)
+          (readFile <pubkeys/tv_wu.ssh.pub>)
+        ];
+      };
+    };
+
+  users.mutableUsers = false;
+}
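Review bot: Both keys under `openssh.authorizedKeys.keys` are attached to root with nothing recording who or what they belong to; since `users.mutableUsers = false` makes this file the single source of truth for remote access, a comment per key such as `# deploy_wu: key used by ./deploy (from host wu?)` and `# tv_wu: tv's interactive key (from host wu?)` would make later key rotation safe — the meanings are inferred from the file names, so confirm before committing them. The `<pubkeys/...>` lookups are resolved through NIX_PATH at evaluation time, so a mis-set search-path entry silently installs whatever key file that entry points at; stating in the module header which NIX_PATH entry is expected would help whoever deploys from a new machine.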