l: (re)init echelon.r (with ssh tor unlocking)

This commit is contained in:
lassulus 2021-05-03 17:59:52 +02:00
parent 020154a859
commit 950a735472
5 changed files with 136 additions and 0 deletions

View file

@ -742,6 +742,46 @@ in {
syncthing.id = "W5BJ4TL-GAQ46WS-ZB72HFS-XOURLBA-RNBVMYC-POFH4UA-CBORQID-BMIHNQZ";
};
echelon = {
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.3";
ip6.addr = r6 "4";
aliases = [
"echelon.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArxTpl0YvJWiF9cAYeAdp
1gG18vrSeYDpmVCsZmxi2qyeWNM4JGSVPYoagyKHSDGH60xvktRh/1Zat+1hHR0A
MAjDIENn9hAICQ8lafnm2v3+xzLNoTMJTYG3eba2MlJpAH0rYP0E5xBhQj9DCSAe
UpEZWAwCKDCOmg/9h0gvs3kh0HopwjOE1IEzApgg05Yuhna96IATVdBAC7uF768V
rJZNkQRvhetGxB459C58uMdcRK3degU6HMpZIXjJk6bqkzKBMm7C3lsAfaWulfez
gavFSHC15NbHkz+fcVZNZReJhfTHP7k05xo5vYpDhszdUSjc3MtWBmk5v9zdS1pO
c+20a1eurr1EPoYBqjQL0tLBwuQc2tN5XqJKVY5LGAnojAI6ktPKPLR6qZHC4Kna
dgJ/S1BzHVxniYh3/rEzhXioneZ6oZgO+65WtsS42WAvh/53U/Q3chgI074Jssze
ev09+zU8Xj0vX/7KpRKy5Vln6RGkQbKAIt7TZL5cJALswQDzcCO4WTv1X5KoG3+D
KfTMfl9HzFsv59uHKlUqUguN5e8CLdmjgU1v2WvHBCw1PArIE8ZC0Tu2bMi5i9Vq
GHxVn9O4Et5yPocyQtE4zOfGfqwR/yNa//Zs1b6DxQ73tq7rbBQaAzq7lxW6Ndbr
43jjLL40ONdFxX7qW/DhT9MCAwEAAQ==
-----END PUBLIC KEY-----
'';
};
wiregrill = {
ip6.addr = w6 "3";
aliases = [
"echelon.w"
];
wireguard.pubkey = ''
SLdk0lph2rSFU+3dyrWDU1CT/oU+HPcOVYeGVIgDpEc=
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIn+o0uCBSot254kZKlNepVKFcwDPdr8s6+lQmYGM3Hd ";
};
};
users = rec {
lass = lass-yubikey;

View file

@ -0,0 +1,14 @@
{ config, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/tor-initrd.nix>
];
krebs.build.host = config.krebs.hosts.echelon;
boot.tmpOnTmpfs = true;
}

View file

@ -0,0 +1,33 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
./config.nix
(modulesPath + "/profiles/qemu-guest.nix")
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.efiSupport = true;
boot.loader.grub.efiInstallAsRemovable = true;
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.initrd.luks.devices.luksroot.device = "/dev/sda3";
networking.useDHCP = false;
networking.interfaces.ens18.useDHCP = true;
fileSystems."/" = {
device = "/dev/disk/by-uuid/5186edb1-9234-48ae-8679-61facb56b818";
fsType = "xfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/56D1-34A0";
fsType = "vfat";
};
}

View file

@ -0,0 +1,49 @@
{config, pkgs, ... }:
## unlock command:
# (pass admin/$host/root;echo) | torify ssh root@$(pass hosts/$host/initrd/hostname) 'cat > /crypt-ramfs/passphrase'
{
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
port = 22;
authorizedKeys = [
config.krebs.users.lass.pubkey
config.krebs.users.lass-mors.pubkey
config.krebs.users.lass-green.pubkey
];
hostKeys = [ <secrets/initrd/ssh.ed25519_key> ];
};
boot.initrd.availableKernelModules = [ "e1000e" ];
boot.initrd.secrets = {
"/etc/tor/onion/bootup" = <secrets/initrd>;
};
boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.tor}/bin/tor
'';
# start tor during boot process
boot.initrd.network.postCommands = let
torRc = (pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 22 127.0.0.1:22
'');
in ''
echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor
echo "make sure localhost is up"
ip a a 127.0.0.1/8 dev lo
ip link set lo up
echo "tor: starting tor"
tor -f ${torRc} --verify-config
tor -f ${torRc} &
'';
}