l: (re)init echelon.r (with ssh tor unlocking)
parent
bbe60be64d
commit
c659504146
@ -742,6 +742,46 @@ in {
syncthing.id = "W5BJ4TL-GAQ46WS-ZB72HFS-XOURLBA-RNBVMYC-POFH4UA-CBORQID-BMIHNQZ";
};
echelon = {
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.3";
ip6.addr = r6 "4";
aliases = [
"echelon.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArxTpl0YvJWiF9cAYeAdp
1gG18vrSeYDpmVCsZmxi2qyeWNM4JGSVPYoagyKHSDGH60xvktRh/1Zat+1hHR0A
MAjDIENn9hAICQ8lafnm2v3+xzLNoTMJTYG3eba2MlJpAH0rYP0E5xBhQj9DCSAe
UpEZWAwCKDCOmg/9h0gvs3kh0HopwjOE1IEzApgg05Yuhna96IATVdBAC7uF768V
rJZNkQRvhetGxB459C58uMdcRK3degU6HMpZIXjJk6bqkzKBMm7C3lsAfaWulfez
gavFSHC15NbHkz+fcVZNZReJhfTHP7k05xo5vYpDhszdUSjc3MtWBmk5v9zdS1pO
c+20a1eurr1EPoYBqjQL0tLBwuQc2tN5XqJKVY5LGAnojAI6ktPKPLR6qZHC4Kna
dgJ/S1BzHVxniYh3/rEzhXioneZ6oZgO+65WtsS42WAvh/53U/Q3chgI074Jssze
ev09+zU8Xj0vX/7KpRKy5Vln6RGkQbKAIt7TZL5cJALswQDzcCO4WTv1X5KoG3+D
KfTMfl9HzFsv59uHKlUqUguN5e8CLdmjgU1v2WvHBCw1PArIE8ZC0Tu2bMi5i9Vq
GHxVn9O4Et5yPocyQtE4zOfGfqwR/yNa//Zs1b6DxQ73tq7rbBQaAzq7lxW6Ndbr
43jjLL40ONdFxX7qW/DhT9MCAwEAAQ==
-----END PUBLIC KEY-----
'';
};
wiregrill = {
ip6.addr = w6 "3";
aliases = [
"echelon.w"
];
wireguard.pubkey = ''
SLdk0lph2rSFU+3dyrWDU1CT/oU+HPcOVYeGVIgDpEc=
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIn+o0uCBSot254kZKlNepVKFcwDPdr8s6+lQmYGM3Hd ";
};
};
users = rec {
lass = lass-yubikey;
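--- /dev/null
+++ b/lass/1systems/echelon/config.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+{
+imports = [
+<stockholm/lass>
+
+<stockholm/lass/2configs/retiolum.nix>
+<stockholm/lass/2configs/tor-initrd.nix>
+];
+
+krebs.build.host = config.krebs.hosts.echelon;
+
+boot.tmpOnTmpfs = true;
+}
+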
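--- /dev/null
+++ b/lass/1systems/echelon/physical.nix
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+imports = [
+./config.nix
+(modulesPath + "/profiles/qemu-guest.nix")
+];
+
+# Use the GRUB 2 boot loader.
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.efiSupport = true;
+boot.loader.grub.efiInstallAsRemovable = true;
+# Define on which hard drive you want to install Grub.
+boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
+boot.initrd.kernelModules = [ "dm-snapshot" ];
+boot.initrd.luks.devices.luksroot.device = "/dev/sda3";
+
+networking.useDHCP = false;
+networking.interfaces.ens18.useDHCP = true;
+
+fileSystems."/" = {
+device = "/dev/disk/by-uuid/5186edb1-9234-48ae-8679-61facb56b818";
+fsType = "xfs";
+};
+
+fileSystems."/boot" = {
+device = "/dev/disk/by-uuid/56D1-34A0";
+fsType = "vfat";
+};
+
+}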
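Review bot: `boot.initrd.luks.devices.luksroot.device = "/dev/sda3"` pins the encrypted root to a kernel enumeration name while both `fileSystems` entries use `/dev/disk/by-uuid/...`; with `ata_piix`, `sr_mod` and `virtio_pci` all loaded in the initrd the disk order can shift, and the remote unlock would then feed the passphrase to a device that is not the LUKS volume. Prefer `device = "/dev/disk/by-uuid/<luks-container-uuid>";` (the UUID of the LUKS header, not of the xfs filesystem inside it). The initrd module list has `virtio_pci` but no `virtio_net`; if `ens18` is a virtio NIC on this qemu guest, the initrd network — and with it the tor/ssh unlock path this commit introduces — will not come up, since tor-initrd.nix only adds `e1000e`, so either confirm the NIC model or add `"virtio_net"` to `boot.initrd.availableKernelModules`. The `# or "nodev" for efi only` remark is leftover template text that no longer describes the chosen `efiInstallAsRemovable` setup and can be dropped.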
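--- /dev/null
+++ b/lass/2configs/tor-initrd.nix
@@ -0,0 +1,49 @@
+{config, pkgs, ... }:
+## unlock command:
+# (pass admin/$host/root;echo) | torify ssh root@$(pass hosts/$host/initrd/hostname) 'cat > /crypt-ramfs/passphrase'
+{
+boot.initrd.network.enable = true;
+boot.initrd.network.ssh = {
+enable = true;
+port = 22;
+authorizedKeys = [
+config.krebs.users.lass.pubkey
+config.krebs.users.lass-mors.pubkey
+config.krebs.users.lass-green.pubkey
+];
+hostKeys = [ <secrets/initrd/ssh.ed25519_key> ];
+};
+boot.initrd.availableKernelModules = [ "e1000e" ];
+
+boot.initrd.secrets = {
+"/etc/tor/onion/bootup" = <secrets/initrd>;
+};
+
+boot.initrd.extraUtilsCommands = ''
+copy_bin_and_libs ${pkgs.tor}/bin/tor
+'';
+
+# start tor during boot process
+boot.initrd.network.postCommands = let
+torRc = (pkgs.writeText "tor.rc" ''
+DataDirectory /etc/tor
+SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+SOCKSPort 127.0.0.1:9063
+HiddenServiceDir /etc/tor/onion/bootup
+HiddenServicePort 22 127.0.0.1:22
+'');
+in ''
+echo "tor: preparing onion folder"
+# have to do this otherwise tor does not want to start
+chmod -R 700 /etc/tor
+
+echo "make sure localhost is up"
+ip a a 127.0.0.1/8 dev lo
+ip link set lo up
+
+echo "tor: starting tor"
+tor -f ${torRc} --verify-config
+tor -f ${torRc} &
+'';
+}
+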
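Review bot: The initrd SSH host key (`hostKeys = [ <secrets/initrd/ssh.ed25519_key> ]`) and the onion service directory (`"/etc/tor/onion/bootup" = <secrets/initrd>`) both end up inside the initrd, which sits on the unencrypted vfat `/boot` partition defined in physical.nix, so anyone with offline disk access can lift them, bring up an identical onion SSH endpoint and capture the LUKS passphrase that the documented unlock command pipes into `cat > /crypt-ramfs/passphrase`. This is inherent to pre-boot remote unlocking, but the file should say so; I would add a header comment such as `# NOTE: the ssh host key and onion key referenced below live in the initrd on unencrypted /boot — disk access lets an attacker impersonate the unlock endpoint and learn the passphrase.` As far as the visible config shows, the initrd sshd (`port = 22`) also listens on every interface that DHCP brings up, not only through the onion, which is presumably more exposure than the commit title suggests; if tor-only is intended, consider `extraConfig = "ListenAddress 127.0.0.1";` (assuming the initrd ssh module exposes it) or document the clearnet exposure. The two `SOCKSPort` lines are not needed for an inbound-only onion service in an initrd that runs nothing else, so `SOCKSPort 0` would remove two listeners from the pre-boot environment. Since `<secrets/initrd>` is also the directory holding `ssh.ed25519_key`, the SSH host key is copied into the HiddenServiceDir as well — harmless to tor, but cleaner to keep the two secrets in separate directories.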