diff options
Diffstat (limited to 'lass')
34 files changed, 973 insertions, 387 deletions
diff --git a/lass/1systems/coaxmetal/config.nix b/lass/1systems/coaxmetal/config.nix index dd8308bbd..2c88b68cc 100644 --- a/lass/1systems/coaxmetal/config.nix +++ b/lass/1systems/coaxmetal/config.nix @@ -16,7 +16,7 @@ <stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/fetchWallpaper.nix> - <stockholm/lass/2configs/prism-mounts/samba.nix> + <stockholm/lass/2configs/yellow-mounts/samba.nix> <stockholm/lass/2configs/pass.nix> <stockholm/lass/2configs/mail.nix> <stockholm/lass/2configs/bitcoin.nix> diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index 4c98091f1..cd38c3585 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -57,7 +57,7 @@ with import <stockholm/lib>; ]; krebs.iptables.tables.nat.PREROUTING.rules = [ - { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } + { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; } ]; # workaround for ssh access from yubikey via android diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index dd479f267..6d0d177ec 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -41,6 +41,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/ppp/umts-stick.nix> # <stockholm/lass/2configs/remote-builder/morpheus.nix> # <stockholm/lass/2configs/remote-builder/prism.nix> + <stockholm/lass/2configs/autotether.nix> { krebs.iptables.tables.filter.INPUT.rules = [ #risk of rain diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix new file mode 100644 index 000000000..8e5a60c36 --- /dev/null +++ b/lass/1systems/neoprism/config.nix @@ -0,0 +1,18 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs/retiolum.nix> + + # sync-containers + <stockholm/lass/2configs/consul.nix> + <stockholm/lass/2configs/yellow-host.nix> + <stockholm/lass/2configs/radio/container-host.nix> + + # other containers + <stockholm/lass/2configs/riot.nix> + ]; + + krebs.build.host = config.krebs.hosts.neoprism; +} diff --git a/lass/1systems/neoprism/disk.nix b/lass/1systems/neoprism/disk.nix new file mode 100644 index 000000000..cf9a8cef4 --- /dev/null +++ b/lass/1systems/neoprism/disk.nix @@ -0,0 +1,116 @@ +{ lib, ... }: +{ + disk = (lib.genAttrs [ "/dev/nvme0n1" "/dev/nvme1n1" ] (disk: { + type = "disk"; + device = disk; + content = { + type = "table"; + format = "gpt"; + partitions = [ + { + name = "boot"; + type = "partition"; + start = "0"; + end = "1M"; + part-type = "primary"; + flags = ["bios_grub"]; + } + { + type = "partition"; + name = "ESP"; + start = "1M"; + end = "1GiB"; + fs-type = "fat32"; + bootable = true; + content = { + type = "mdraid"; + name = "boot"; + }; + } + { + type = "partition"; + name = "zfs"; + start = "1GiB"; + end = "100%"; + content = { + type = "zfs"; + pool = "zroot"; + }; + } + ]; + }; + })) // { + hdd1 = { + type = "disk"; + device = "/dev/sda"; + content = { + type = "zfs"; + pool = "tank"; + }; + }; + }; + mdadm = { + boot = { + type = "mdadm"; + level = 1; + metadata = "1.0"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + }; + zpool = { + zroot = { + type = "zpool"; + mode = "mirror"; + mountpoint = "/"; + rootFsOptions = { + }; + datasets.reserved = { + zfs_type = "filesystem"; + options.refreservation = "1G"; + }; + }; + tank = { + type = "zpool"; + datasets = { + reserved = { + zfs_type = "filesystem"; + options.refreservation = "1G"; + }; + containers = { + zfs_type = "filesystem"; + mountpoint = "/var/lib/containers"; + }; + home = { + zfs_type = "filesystem"; + mountpoint = "/home"; + }; + srv = { + zfs_type = "filesystem"; + mountpoint = "/srv"; + }; + libvirt = { + zfs_type = "filesystem"; + mountpoint = "/var/lib/libvirt"; + }; + # encrypted = { + # zfs_type = "filesystem"; + # options = { + # mountpoint = "none"; + # encryption = "aes-256-gcm"; + # keyformat = "passphrase"; + # keylocation = "prompt"; + # }; + # }; + + # "encrypted/download" = { + # zfs_type = "filesystem"; + # mountpoint = "/var/download"; + # }; + }; + }; + }; +} diff --git a/lass/1systems/neoprism/physical.nix b/lass/1systems/neoprism/physical.nix new file mode 100644 index 000000000..4ffb749f1 --- /dev/null +++ b/lass/1systems/neoprism/physical.nix @@ -0,0 +1,42 @@ +{ config, lib, pkgs, ... }: + +{ + + imports = [ + ./config.nix + <nixpkgs/nixos/modules/installer/scan/not-detected.nix> + ]; + + disko.devices = import ./disk.nix; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.efiSupport = true; + boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ]; + boot.kernelModules = [ "kvm-amd" ]; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + # networking config + boot.kernelParams = [ "net.ifnames=0" ]; + networking.bridges."ext-br".interfaces = [ "eth0" ]; + networking = { + hostId = "2283aaae"; + defaultGateway = "95.217.192.1"; + defaultGateway6 = { address = "fe80::1"; interface = "ext-br"; }; + # Use google's public DNS server + nameservers = [ "8.8.8.8" ]; + interfaces.ext-br.ipv4.addresses = [ + { + address = "95.217.192.59"; + prefixLength = 26; + } + ]; + interfaces.ext-br.ipv6.addresses = [ + { + address = "2a01:4f9:4a:4f1a::1"; + prefixLength = 64; + } + ]; + }; + +} diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 594a21c02..bcc8c1a08 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -33,9 +33,9 @@ with import <stockholm/lib>; "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" ]; }; - krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; } + krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ + { v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; } + { v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; } ]; } { @@ -97,9 +97,35 @@ with import <stockholm/lib>; localAddress = "10.233.2.2"; }; } + { + services.nginx.virtualHosts."radio.lassul.us" = { + enableACME = true; + addSSL = true; + locations."/" = { + # recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://radio.r"; + extraConfig = '' + proxy_set_header Host radio.r; + # get source ip for weather reports + proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr"; + ''; + }; + }; + krebs.htgen.radio-redirect = { + port = 8000; + scriptFile = pkgs.writers.writeDash "redir" '' + printf 'HTTP/1.1 301 Moved Permanently\r\n' + printf "Location: http://radio.lassul.us''${Request_URI}\r\n" + printf '\r\n' + ''; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; } + ]; + } <stockholm/lass/2configs/exim-smarthost.nix> <stockholm/lass/2configs/privoxy-retiolum.nix> - <stockholm/lass/2configs/radio> <stockholm/lass/2configs/binary-cache/server.nix> <stockholm/lass/2configs/iodined.nix> <stockholm/lass/2configs/paste.nix> @@ -227,13 +253,13 @@ with import <stockholm/lib>; imports = [ <stockholm/lass/2configs/wiregrill.nix> ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } - { v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; } + krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [ + { v6 = false; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; } ]; - krebs.iptables.tables.filter.FORWARD.rules = [ - { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } + krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ + { predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } + { predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; } @@ -252,7 +278,7 @@ with import <stockholm/lib>; } { krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} + { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; } ]; } <stockholm/lass/2configs/murmur.nix> diff --git a/lass/1systems/radio/config.nix b/lass/1systems/radio/config.nix new file mode 100644 index 000000000..2fd23a448 --- /dev/null +++ b/lass/1systems/radio/config.nix @@ -0,0 +1,24 @@ +with import <stockholm/lib>; +{ config, lib, pkgs, ... }: +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs> + <stockholm/lass/2configs/retiolum.nix> + + <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/radio> + ]; + + krebs.build.host = config.krebs.hosts.radio; + + security.acme = { + acceptTerms = true; + defaults.email = "acme@lassul.us"; + }; + + lass.sync-containers3.inContainer = { + enable = true; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvPKdbVwMEFCDMyNAzR8NdVjTbQL2G+03Xomxn6KKFt"; + }; +} diff --git a/lass/1systems/radio/physical.nix b/lass/1systems/radio/physical.nix new file mode 100644 index 000000000..8577daf34 --- /dev/null +++ b/lass/1systems/radio/physical.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = true; +} diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index ef538f339..5e48c216a 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -16,7 +16,7 @@ <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/green-host.nix> <stockholm/krebs/2configs/news-host.nix> - <stockholm/lass/2configs/prism-mounts/samba.nix> + <stockholm/lass/2configs/yellow-mounts/samba.nix> <stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/consul.nix> <stockholm/lass/2configs/red-host.nix> diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index c8077e5ea..06561e9cf 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -9,20 +9,23 @@ in { krebs.build.host = config.krebs.hosts.yellow; + lass.sync-containers3.inContainer = { + enable = true; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL"; + }; + users.groups.download.members = [ "transmission" ]; networking.useHostResolvConf = false; networking.useNetworkd = true; - systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ]; - systemd.services.transmission.after = [ "openvpn-nordvpn.service" ]; services.transmission = { enable = true; + home = "/var/state/transmission"; group = "download"; downloadDirPermissions = "775"; settings = { - download-dir = "/var/download/finished"; - incomplete-dir = "/var/download/incoming"; - incomplete-dir-enable = true; + download-dir = "/var/download/transmission"; + incomplete-dir-enabled = false; rpc-bind-address = "::"; message-level = 1; umask = 18; @@ -31,6 +34,12 @@ in { }; }; + security.acme.defaults.email = "spam@krebsco.de"; + security.acme.acceptTerms = true; + security.acme.certs."yellow.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL; services.nginx = { enable = true; package = pkgs.nginx.override { @@ -38,13 +47,12 @@ in { fancyindex ]; }; - virtualHosts.default = { + virtualHosts."yellow.r" = { default = true; - locations."/dl".extraConfig = '' - return 301 /; - ''; + enableACME = true; + addSSL = true; locations."/" = { - root = "/var/download/finished"; + root = "/var/download"; extraConfig = '' fancyindex on; fancyindex_footer "/fancy.html"; @@ -136,9 +144,87 @@ in { ''}; ''; }; + virtualHosts."jelly.r" = { + enableACME = true; + addSSL = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:8096/; + proxy_set_header Accept-Encoding ""; + ''; + }; + virtualHosts."radar.r" = { + enableACME = true; + addSSL = true; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://localhost:7878"; + }; + }; + virtualHosts."sonar.r" = { + enableACME = true; + addSSL = true; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://localhost:8989"; + }; + }; }; - systemd.services.bruellwuerfel = { + services.samba = { + enable = true; + enableNmbd = false; + extraConfig = '' + workgroup = WORKGROUP + server string = ${config.networking.hostName} + # only allow retiolum addresses + hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16 + + # Use sendfile() for performance gain + use sendfile = true + + # No NetBIOS is needed + disable netbios = true + + # Only mangle non-valid NTFS names, don't care about DOS support + mangled names = illegal + + # Performance optimizations + socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 + + # Disable all printing + load printers = false + disable spoolss = true + printcap name = /dev/null + + map to guest = Bad User + max log size = 50 + dns proxy = no + security = user + + [global] + syslog only = yes + ''; + shares.public = { + comment = "Warez"; + path = "/var/download"; + public = "yes"; + "only guest" = "yes"; + "create mask" = "0644"; + "directory mask" = "2777"; + writable = "no"; + printable = "no"; + }; + }; + + systemd.services.bruellwuerfel = + let + bruellwuerfelSrc = pkgs.fetchFromGitHub { + owner = "krebs"; + repo = "bruellwuerfel"; + rev = "dc73adf69249fb63a4b024f1f3fbc9e541b27015"; + sha256 = "078jp1gbavdp8lnwa09xa5m6bbbd05fi4x5ldkkgin5z04hwlhmd"; + }; + in { wantedBy = [ "multi-user.target" ]; environment = { IRC_CHANNEL = "#flix"; @@ -147,7 +233,7 @@ in { IRC_HISTORY_FILE = "/tmp/bruelli.history"; }; serviceConfig = { - ExecStart = "${pkgs.bruellwuerfel}/bin/bruellwuerfel"; + ExecStart = "${pkgs.deno}/bin/deno run -A ${bruellwuerfelSrc}/src/index.ts"; }; }; @@ -155,15 +241,36 @@ in { enable = true; tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir + { predicate = "-p tcp --dport 443"; target = "ACCEPT"; } # nginx web dir { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web - { predicate = "-p tcp --dport 9092"; target = "ACCEPT"; } # magnetico webinterface { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin + { predicate = "-p tcp --dport 9696"; target = "ACCEPT"; } # prowlarr + { predicate = "-p tcp --dport 8989"; target = "ACCEPT"; } # sonarr + { predicate = "-p tcp --dport 7878"; target = "ACCEPT"; } # radarr + { predicate = "-p tcp --dport 6767"; target = "ACCEPT"; } # bazarr + + # smbd + { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; } ]; tables.filter.OUTPUT = { policy = "DROP"; rules = [ + { predicate = "-o lo"; target = "ACCEPT"; } { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; } { predicate = "-o tun0"; target = "ACCEPT"; } { predicate = "-o retiolum"; target = "ACCEPT"; } @@ -271,7 +378,7 @@ in { ExecStart = pkgs.writers.writeDash "flix-index" '' set -efu - DIR=/var/download/finished + DIR=/var/download cd "$DIR" while inotifywait -rq -e create -e move -e delete "$DIR"; do find . -type f > "$DIR"/index.tmp @@ -286,9 +393,22 @@ in { group = "download"; }; - services.magnetico = { + services.radarr = { + enable = true; + group = "download"; + }; + + services.sonarr = { + enable = true; + group = "download"; + }; + + services.prowlarr = { enable = true; - web.address = "0.0.0.0"; - web.port = 9092; + }; + + services.bazarr = { + enable = true; + group = "download"; }; } diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix index dfffbfdf9..e38475381 100644 --- a/lass/2configs/AP.nix +++ b/lass/2configs/AP.nix @@ -68,8 +68,8 @@ in { { v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; } ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; } + krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [ + { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ #TODO find out what this is about? diff --git a/lass/2configs/autotether.nix b/lass/2configs/autotether.nix new file mode 100644 index 000000000..98712303e --- /dev/null +++ b/lass/2configs/autotether.nix @@ -0,0 +1,16 @@ +{ config, lib, pkgs, ... }: +{ + systemd.services.usb_tether = { + script = '' + ${pkgs.android-tools}/bin/adb -s QV770FAMEK wait-for-device + ${pkgs.android-tools}/bin/adb -s QV770FAMEK shell svc usb setFunctions rndis + ''; + }; + services.udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="usb", ENV{PRODUCT}=="fce/320d/510", TAG+="systemd", ENV{SYSTEMD_WANTS}="usb_tether.service" + ''; + systemd.network.networks.android = { + matchConfig.Name = "enp0s20u1"; + DHCP = "yes"; + }; +} diff --git a/lass/2configs/c-base.nix b/lass/2configs/c-base.nix index 3e533fb74..a8dd3dd1d 100644 --- a/lass/2configs/c-base.nix +++ b/lass/2configs/c-base.nix @@ -1,97 +1,115 @@ { config, lib, pkgs, ... }: let - inherit (import <stockholm/lib>) genid; - in { - users.extraUsers = { - cbasevpn = rec { - name = "cbasevpn"; - uid = genid "cbasevpn"; - description = "user for running c-base openvpn"; - home = "/home/${name}"; - }; - }; - - users.extraGroups.cbasevpn.gid = genid "cbasevpn"; - environment.systemPackages = [ pkgs.cifs-utils ]; - services.openvpn.servers = { - c-base = { - config = '' - client - dev tap - proto tcp - remote vpn.ext.c-base.org 1194 - resolv-retry infinite - nobind - user cbasevpn - group cbasevpn - persist-key - persist-tun - - auth-nocache - #auth-user-pass - auth-user-pass ${toString <secrets/cbase.txt>} - - comp-lzo - verb 3 - - #script-security 2 - #up /etc/openvpn/update-resolv-conf - #down /etc/openvpn/update-resolv-conf - - <ca> - -----BEGIN CERTIFICATE----- - MIIDUjCCArugAwIBAgIJAOOk8EXgjsf5MA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV - BAYTAkRFMQswCQYDVQQIEwJERTEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZj - LWJhc2UxGzAZBgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEfMB0GCSqGSIb3DQEJ - ARYQYWRtYXhAYy1iYXNlLm9yZzAeFw0wOTAyMTMwOTE1MzdaFw0xOTAyMTEwOTE1 - MzdaMHoxCzAJBgNVBAYTAkRFMQswCQYDVQQIEwJERTEPMA0GA1UEBxMGQmVybGlu - MQ8wDQYDVQQKEwZjLWJhc2UxGzAZBgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEf - MB0GCSqGSIb3DQEJARYQYWRtYXhAYy1iYXNlLm9yZzCBnzANBgkqhkiG9w0BAQEF - AAOBjQAwgYkCgYEAt3wEgXbqFKxs8z/E4rv13hkRi6J+QdshNzntm7rTOmUsXKE7 - IEwoJSglrmsDPv4UqE86A7bjW7YYSFjhzxFRkTEHJanyOCF48ZPItVl7Eq7T81co - uR+6lAhxnLDrwnPJCC83NzAa6lw8U1DsQRDkayKlrQrtZq6++pFFEvZvt1cCAwEA - AaOB3zCB3DAdBgNVHQ4EFgQUqkSbdXS90+HtqXDeAI+PcyTSSHEwgawGA1UdIwSB - pDCBoYAUqkSbdXS90+HtqXDeAI+PcyTSSHGhfqR8MHoxCzAJBgNVBAYTAkRFMQsw - CQYDVQQIEwJERTEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZjLWJhc2UxGzAZ - BgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEfMB0GCSqGSIb3DQEJARYQYWRtYXhA - Yy1iYXNlLm9yZ4IJAOOk8EXgjsf5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF - BQADgYEAOBANG1H4uEEWk3sbeQoSMeA3LFG1+6MgFGk2WAdeHYuV9GKYBq6/PLP5 - ffw+FNkiDjLSeSQO88vHYJr2V1v8n/ZoCIT+1VBcDWXTpGz0YxDI1iBauO3tUPzK - wGs46RA/S0YwiZw64MaUHd88ZVadjKy9kNoO3w6/vpAS6s/Mh+o= - -----END CERTIFICATE----- - </ca> - key-direction 1 - <tls-auth> - # - # 2048 bit OpenVPN static key - # - -----BEGIN OpenVPN Static key V1----- - 5d49aa8c9cec18de7ab6e0b5cd09a368 - d3f1b8b77e055e448804fa0e14f487cb - 491681742f96b54a23fb8639aa9ed14e - c40b86a5546b888c4f3873f23c956e87 - 169076ec869127ffc85353fd5928871c - da19776b79f723abb366fae6cdfe4ad6 - 7ef667b7d05a7b78dfd5ea1d2da276dc - 5f6c82313fe9c1178c7256b8d1d081b0 - 4c80bc8f21add61fbc52c158579edc1d - bbde230afb9d0e531624ce289a17098a - 3261f9144a9a2a6f0da4250c9eed4086 - 187ec6fa757a454de743a349e32af193 - e9f8b49b010014bdfb3240d992f2f234 - 581d0ce05d4e07a2b588ad9b0555b704 - 9d5edc28efde59226ec8942feed690a1 - 2acd0c8bc9424d6074d0d495391023b6 - -----END OpenVPN Static key V1----- - </tls-auth> - ''; + systemd.network.networks.c-base = { + matchConfig.Name = "c-base"; + networkConfig = { + IgnoreCarrierLoss = "3s"; + KeepConfiguration = "static"; + DNS = "10.0.1.254"; + Domains = "cbrp3.c-base.org"; }; + routes = [ + { routeConfig = { + Destination = "10.0.1.0/24"; + Gateway = "172.31.77.1"; + };} + { routeConfig = { + Destination = "91.102.9.99/32"; # vorstand.c-base.org + Gateway = "172.31.77.1"; + };} + ]; + }; + services.openvpn.servers.c-base = { + config = '' + remote vpn.ext.c-base.org 1194 + verify-x509-name vpn.ext.c-base.org name + client + proto udp + dev-type tun + dev c-base + resolv-retry infinite + nobind + # user openvpn + # group openvpn + persist-key + persist-tun + comp-lzo + # register-dns + # block-outside-dns + script-security 2 + auth-user-pass ${toString <secrets/cbase.txt>} + #auth-user-pass + key-direction 1 + <tls-auth> + # + # 2048 bit OpenVPN static key + # + -----BEGIN OpenVPN Static key V1----- + 54a66ed1048bed7508703347e89d68d6 + 5586e6a5d1218cf8675941031d540be6 + 993e07200a16ad3b770b659932ee71e5 + f8080b5c9fa2acb3893abd40fad2552c + fdaf17565e617ae450efcccf5652dca5 + a16419509024b075941098731eb25ac0 + a64f963ece3dca1d2a64a9c5e17839d7 + 5b5080165a9b2dc90ef111879d7d3173 + 2d1027ae42d869394aca08da4472a9d0 + 6b724b4ed43a957feef7d6dfc86da241 + 74828fa0e1240941586f0d937cac32fc + 13cc81e7bed58817353d6afaff7e6a26 + 4f9cc086af79c1cdca660d86e18cff96 + 69dd3d392caf09a468894a8504f4cc7c + 7ae0072e6d9ad90b166ad13a39c57b3c + 3a869e27a1d89deb161c255227551713 + -----END OpenVPN Static key V1----- + </tls-auth> + <ca> + -----BEGIN CERTIFICATE----- + MIIGsDCCBJigAwIBAgIJAPkM1l2zA306MA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD + VQQGEwJERTEPMA0GA1UEBxMGQmVybGluMRswGQYDVQQLExJ2cG4uZXh0LmMtYmFz + ZS5vcmcxGzAZBgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEbMBkGA1UEKRMSdnBu + LmV4dC5jLWJhc2Uub3JnMR8wHQYJKoZIhvcNAQkBFhBhZG1heEBjLWJhc2Uub3Jn + MB4XDTE2MDcwOTE4MjkyMFoXDTI2MDcxMDE4MjkyMFowgZYxCzAJBgNVBAYTAkRF + MQ8wDQYDVQQHEwZCZXJsaW4xGzAZBgNVBAsTEnZwbi5leHQuYy1iYXNlLm9yZzEb + MBkGA1UEAxMSdnBuLmV4dC5jLWJhc2Uub3JnMRswGQYDVQQpExJ2cG4uZXh0LmMt + YmFzZS5vcmcxHzAdBgkqhkiG9w0BCQEWEGFkbWF4QGMtYmFzZS5vcmcwggIiMA0G + CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXEs+uWCXLNmm+lgP9x7u3FqWa4pPI + h64c6EWIULMATrhEw+Ej4fpCXwU9otFaO04fAeJmZGkDcnAYdBDiCeI0luOSdj44 + Bg9KecSei/TskqjhDVnEBp65hiz0rZE6c1baPdLYmD5xrXWb3i0zrlBYFawuL6C2 + lwVCEm3cadvkDJ2DleMuu3NblV8ViIDN0HZqzJNP72g1I0MgohkpetACXlf7MzQV + PFHfzvb04Rj2lJ8BDhceQ0WmjtVV/Ag6nka5oi954OeHMujRuH+rZYiQZDZpJLHK + Kh1KWTVlWPRy+AvCi9lweDWSmLccq7Ug4xMtDF4I5qW3tjCd0xqpZ21Xmo2JyKtY + 4h8wEDPqiJvgwvkXsH17GLn5ZxiMcQuRJQYZqJephkzR9uccJeWSS76kwm/vLqG3 + +eORlYnyjiNXtiMIhmAEFjpWUrGH8v4CijpUNP6E63ynGrRVXK684YQXkqL+xPAt + t6dsMBUwf94a2S1o2kgvuRCim1wlHvf1QsHrO/Hwgpzc8no/daWL+Z9Rq9okTHNK + nc1G5dv8TkmxIDYnLm07QMzzBoOT36BcGtkEBA+0xhQlX5PyQdM5/jnZVhdSBmoP + MbZXPoU/gJAIuuBuwdTlgCzYf44/9/YU/AnW8eLrbhm9KtMtoMpatrWorKqk/GPv + /lGNRQuNffrbiQIDAQABo4H+MIH7MB0GA1UdDgQWBBTf5cYbK+KCF9u9aobFlLbu + ilwX4jCBywYDVR0jBIHDMIHAgBTf5cYbK+KCF9u9aobFlLbuilwX4qGBnKSBmTCB + ljELMAkGA1UEBhMCREUxDzANBgNVBAcTBkJlcmxpbjEbMBkGA1UECxMSdnBuLmV4 + dC5jLWJhc2Uub3JnMRswGQYDVQQDExJ2cG4uZXh0LmMtYmFzZS5vcmcxGzAZBgNV + BCkTEnZwbi5leHQuYy1iYXNlLm9yZzEfMB0GCSqGSIb3DQEJARYQYWRtYXhAYy1i + YXNlLm9yZ4IJAPkM1l2zA306MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD + ggIBAMs1moiS7UZ4neOivQjqwKrBbm1j3tgmPLhDfNMmXYarGhnBGAlLxLAQWtG+ + Fnbx8KcsJnrsWcGfZcst1z45S4a5oBdVNKOfgkMOG0glZorIDO8Odrb51rpyzU0v + 0wcNumMNWhkFuo2OTBHPnnJIWEAFwwCCSCL0I0hQxxoaV36kphjuIwzrMJhd+XAT + 24En58cNp6sPRDd+FzOH08uFINevyzKWYxkMgVj+e3fbuiyOB8RqvndKvtfBBcpB + cCO86lGnj/ETMDciTczUShxaMn9wV1zr1KH1xvT3ohUeOcQZGbGTcjG4mxlns8ZO + U5J3Yrcd1eMfJq9Bwd3zPsTLnT8LwIS8vfYRav9b34XdqcBG73dhrjsicMK0Qy0z + Qz7vKJzcvrEnKuaMyB3mCxz/UvbNc2Bupwm4FmzN5eFjDs+7paYFdfOzqMjoRP+8 + bcXSqDN5P2eUd7cdsZXaFNcsf1FkWlE3GudVBOmNJqz9zBab/T5J+l4Z90Pd6OUX + GNozEvLhcJkvPKA526TegHTGC8hMquxKc9tpOzNRqZJMFa+UG1mgMrMepRmM/B3s + QrKI1C11iCVYfb9J0tQUkfENHMx4J7mG2DZAhnKWQDU2awM41qU4A7aBYaJvDPnQ + RRcbaT0D794lKUQwH/mZuyKzF22oZNk1o1TV2SaFXqgX5tDt + -----END CERTIFICATE----- + </ca> + ''; }; } diff --git a/lass/2configs/container-networking.nix b/lass/2configs/container-networking.nix index f04e4342d..0cfe193d9 100644 --- a/lass/2configs/container-networking.nix +++ b/lass/2configs/container-networking.nix @@ -8,8 +8,8 @@ { v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; precedence = 1000; } + krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [ + { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; } diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 49a04e9c2..3d7188dc6 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -69,7 +69,6 @@ with import <stockholm/lib>; ]; networking.hostName = config.krebs.build.host.name; - nix.maxJobs = config.krebs.build.host.cores; krebs = { enable = true; @@ -190,28 +189,34 @@ with import <stockholm/lib>; enable = true; tables = { nat.PREROUTING.rules = [ - { predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } - { predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } - { predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } - { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } + { predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; } + { predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; } + { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; } ]; nat.OUTPUT.rules = [ - { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } + { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; } ]; filter.INPUT.policy = "DROP"; filter.FORWARD.policy = "DROP"; - filter.INPUT.rules = [ - { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";} - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } - { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } - { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; precedence = 10000; } - { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } - { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; } - { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; } - { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; } - { predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; } + filter.INPUT.rules = mkMerge [ + (mkBefore [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + { predicate = "-p icmp"; target = "ACCEPT"; } + { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; } + { predicate = "-i lo"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; } + ]) + (mkOrder 1000 [ + { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; } + ]) + (mkAfter [ + { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; } + { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; } + { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; } + ]) ]; }; }; diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix index 89ccae408..51db9a40a 100644 --- a/lass/2configs/gg23.nix +++ b/lass/2configs/gg23.nix @@ -2,37 +2,56 @@ with import <stockholm/lib>; { + systemd.network.networks."50-et0" = { + matchConfig.Name = "et0"; + DHCP = "yes"; + # dhcpV4Config.UseDNS = false; + # dhcpV6Config.UseDNS = false; + linkConfig = { + RequiredForOnline = "routable"; + }; + # networkConfig = { + # LinkLocalAddressing = "no"; + # }; + # dhcpV6Config = { + # PrefixDelegationHint = "::/60"; + # }; + # networkConfig = { + # IPv6AcceptRA = true; + # }; + # ipv6PrefixDelegationConfig = { + # Managed = true; + # }; + }; + systemd.network.networks."50-int0" = { + name = "int0"; + address = [ + "10.42.0.1/24" + ]; + networkConfig = { + IPForward = "yes"; + IPMasquerade = "both"; + ConfigureWithoutCarrier = true; + DHCPServer = "yes"; + # IPv6SendRA = "yes"; + # DHCPPrefixDelegation = "yes"; + }; + }; networking.networkmanager.unmanaged = [ "int0" ]; - networking.interfaces.int0.ipv4.addresses = [{ - address = "10.42.0.1"; - prefixLength = 24; - }]; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i int0"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { predicate = "-i int0"; target = "ACCEPT"; } + { predicate = "-o int0"; target = "ACCEPT"; } + { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [ + { v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; } + ]; networking.domain = "gg23"; - services.dhcpd4 = { - enable = true; - interfaces = [ "int0" ]; - extraConfig = '' - option subnet-mask 255.255.255.0; - option routers 10.42.0.1; - option domain-name-servers 10.42.0.1; - subnet 10.42.0.0 netmask 255.255.255.0 { - range 10.42.0.100 10.42.0.200; - } - ''; - machines = [ - { ethernetAddress = "a8:a6:48:65:ce:4c"; hostName = "tv"; ipAddress = "10.42.0.3"; } - { ethernetAddress = "3c:2a:f4:22:28:37"; hostName = "drucker"; ipAddress = "10.42.0.4"; } - { ethernetAddress = "80:7d:3a:67:b7:01"; hostName = "s20-tv"; ipAddress = "10.42.0.10"; } - { ethernetAddress = "80:7d:3a:68:04:f0"; hostName = "s20-drucker"; ipAddress = "10.42.0.11"; } - { ethernetAddress = "80:7d:3a:68:11:a5"; hostName = "s20-wasch"; ipAddress = "10.42.0.12"; } - { ethernetAddress = "80:7d:3a:67:bb:69"; hostName = "s20-stereo"; ipAddress = "10.42.0.13"; } - { ethernetAddress = "ec:b5:fa:07:78:16"; hostName = "hue-bridge"; ipAddress = "10.42.0.21"; } - { ethernetAddress = "80:8d:b7:c5:80:dc"; hostName = "arubaAP"; ipAddress = "10.42.0.99"; } - ]; - }; - services.dnsmasq = { enable = true; resolveLocalQueries = false; @@ -45,22 +64,4 @@ with import <stockholm/lib>; interface=int0 ''; }; - - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i int0 -p udp --dport 53"; target = "ACCEPT"; } # dns - ]; - krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; predicate = "-d 10.42.0.0/24 -o int0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - { v6 = false; predicate = "-s 10.42.0.0/24 -i int0"; target = "ACCEPT"; } - { v6 = false; predicate = "-o int0"; target = "REJECT --reject-with icmp-port-unreachable"; } - { v6 = false; predicate = "-i int0"; target = "REJECT --reject-with icmp-port-unreachable"; } - ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; precedence = 1000; } - ]; - krebs.iptables.tables.nat.POSTROUTING.rules = [ - { v6 = false; predicate = "-s 10.42.0.0/24 ! -d 10.42.0.0/24"; target = "MASQUERADE"; } - ]; } - diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix index f8dd2f0d2..9dafe086c 100644 --- a/lass/2configs/hfos.nix +++ b/lass/2configs/hfos.nix @@ -18,22 +18,22 @@ with import <stockholm/lib>; } ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; } - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; } - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; } - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } + krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [ + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; } + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; } + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; } + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } ]; - krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ + { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } ]; - krebs.iptables.tables.nat.OUTPUT.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } + krebs.iptables.tables.nat.OUTPUT.rules = mkBefore [ + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } ]; # TODO use bridge interfaces instead of this crap diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix index d391e0d7b..6d07c7a77 100644 --- a/lass/2configs/libvirt.nix +++ b/lass/2configs/libvirt.nix @@ -20,8 +20,8 @@ krebs.iptables.tables.filter.OUTPUT.rules = [ { v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; } ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; precedence = 1000; } + krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [ + { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; } diff --git a/lass/2configs/radio/container-host.nix b/lass/2configs/radio/container-host.nix new file mode 100644 index 000000000..e32095ffa --- /dev/null +++ b/lass/2configs/radio/container-host.nix @@ -0,0 +1,23 @@ +{ config, pkgs, ... }: +{ + lass.sync-containers3.containers.radio = { + sshKey = "${toString <secrets>}/radio.sync.key"; + }; + containers.radio = { + bindMounts."/var/music" = { + hostPath = "/var/music"; + isReadOnly = false; + }; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; } + ]; + krebs.htgen.radio-redirect = { + port = 8000; + scriptFile = pkgs.writers.writeDash "redir" '' + printf 'HTTP/1.1 301 Moved Permanently\r\n' + printf "Location: http://radio.lassul.us''${Request_URI}\r\n" + printf '\r\n' + ''; + }; +} diff --git a/lass/2configs/radio/default.nix b/lass/2configs/radio/default.nix index dfb3d7e0b..a511196fd 100644 --- a/lass/2configs/radio/default.nix +++ b/lass/2configs/radio/default.nix @@ -3,7 +3,7 @@ let name = "radio"; - music_dir = "/home/radio/music"; + music_dir = "/var/music"; skip_track = pkgs.writers.writeBashBin "skip_track" '' set -eu @@ -113,7 +113,7 @@ in { LIMIT=1000 #how many tracks to keep in the history HISTORY_FILE=/var/lib/radio/recent - listeners=$(${pkgs.curl}/bin/curl -fSs lassul.us:8000/status-json.xsl | + listeners=$(${pkgs.curl}/bin/curl -fSs http://localhost:8000/status-json.xsl | ${pkgs.jq}/bin/jq '[.icestats.source[].listeners] | add' || echo 0) echo "$(${pkgs.coreutils}/bin/date -Is)" "$filename" | ${pkgs.coreutils}/bin/tee -a "$HISTORY_FILE" echo "$(${pkgs.coreutils}/bin/tail -$LIMIT "$HISTORY_FILE")" > "$HISTORY_FILE" @@ -128,14 +128,33 @@ in { serviceConfig.User = lib.mkForce "radio"; }; + nixpkgs.config.packageOverrides = opkgs: { + icecast = opkgs.icecast.overrideAttrs (old: rec { + version = "2.5-beta3"; + + src = pkgs.fetchurl { + url = "http://downloads.xiph.org/releases/icecast/icecast-${version}.tar.gz"; + sha256 = "sha256-4FDokoA9zBDYj8RAO/kuTHaZ6jZYBLSJZiX/IYFaCW8="; + }; + + buildInputs = old.buildInputs ++ [ pkgs.pkg-config ]; + }); + }; services.icecast = { enable = true; hostname = "radio.lassul.us"; admin.password = "hackme"; extraConf = '' <authentication> - <source-password>hackme</source-password> + <source-password>hackme</source-password> + <admin-user>admin</admin-user> + <admin-password>hackme</admin-password> </authentication> + <logging> + <accesslog>-</accesslog> + <errorlog>-</errorlog> + <loglevel>3</loglevel> + </logging> ''; }; @@ -234,18 +253,38 @@ in { ''; }; + networking.firewall.allowedTCPPorts = [ 80 ]; services.nginx = { enable = true; - virtualHosts."radio.lassul.us" = { - forceSSL = true; - enableACME = true; + virtualHosts."radio.r" = { locations."/".extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Real-IP $remote_addr; + # https://github.com/aswild/icecast-notes#core-nginx-config proxy_pass http://localhost:8000; + # Disable request size limit, very important for uploading large files + client_max_body_size 0; + + # Enable support `Transfer-Encoding: chunked` + chunked_transfer_encoding on; + + # Disable request and response buffering, minimize latency to/from Icecast + proxy_buffering off; + proxy_request_buffering off; + + # Icecast needs HTTP/1.1, not 1.0 or 2 + proxy_http_version 1.1; + + # Forward all original request headers + proxy_pass_request_headers on; + + # Set some standard reverse proxy headers. Icecast server currently ignores these, + # but may support them in a future version so that access logs are more useful. + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # get source ip for weather reports + proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr"; ''; locations."= /recent".extraConfig = '' default_type "text/plain"; @@ -266,7 +305,7 @@ in { while sleep 1; do mpv \ --cache-secs=0 --demuxer-readahead-secs=0 --untimed --cache-pause=no \ - 'http://lassul.us:8000/radio.ogg' + 'http://radio.lassul.us/radio.ogg' done ''; locations."= /controls".extraConfig = '' @@ -278,35 +317,12 @@ in { add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; ''; }; - virtualHosts."lassul.us".locations."= /the_playlist".extraConfig = let - html = pkgs.writeText "index.html" '' - <!DOCTYPE html> - <html lang="en"> - <head> - <meta charset="utf-8"> - <title>lassulus playlist</title> - </head> - <body> - <div style="display:inline-block;margin:0px;padding:0px;overflow:hidden"> - <iframe src="https://kiwiirc.com/client/irc.hackint.org/?nick=kiwi_test|?&theme=cli#the_playlist" frameborder="0" style="overflow:hidden;overflow-x:hidden;overflow-y:hidden;height:95%;width:100%;position:absolute;top:0px;left:0px;right:0px;bottom:0px" height="95%" width="100%"></iframe> - </div> - <div style="position:absolute;bottom:1px;display:inline-block;background-color:red;"> - <audio controls autoplay="autoplay"><source src="http://lassul.us:8000/radio.ogg" type="audio/ogg">Your browser does not support the audio element.</audio> - </div> - <!-- page content --> - </body> - </html> - ''; - in '' - default_type "text/html"; - alias ${html}; - ''; }; services.syncthing.declarative.folders."the_playlist" = { - path = "/home/radio/music/the_playlist"; - devices = [ "mors" "phone" "prism" "omo" ]; + path = "/var/music/the_playlist"; + devices = [ "mors" "phone" "prism" "omo" "radio" ]; }; - krebs.acl."/home/radio/music/the_playlist"."u:syncthing:X".parents = true; - krebs.acl."/home/radio/music/the_playlist"."u:syncthing:rwX" = {}; - krebs.acl."/home/radio/music/the_playlist"."u:radio:rwX" = {}; + krebs.acl."/var/music/the_playlist"."u:syncthing:X".parents = true; + krebs.acl."/var/music/the_playlist"."u:syncthing:rwX" = {}; + krebs.acl."/var/music/the_playlist"."u:radio:rwX" = {}; } diff --git a/lass/2configs/radio/radio.liq b/lass/2configs/radio/radio.liq index 70d316043..1366287a7 100644 --- a/lass/2configs/radio/radio.liq +++ b/lass/2configs/radio/radio.liq @@ -10,7 +10,7 @@ def stringify_attrs(attrs) = out end -def filter_graveyard(req) = +def filter_music(req) = filename = request.filename(req) if string.match(pattern = '.*/\\.graveyard/.*', filename) then false @@ -27,7 +27,7 @@ end env = environment() port = string.to_int(env["RADIO_PORT"], default = 8000) -all_music = playlist(env["MUSIC"], check_next = filter_graveyard) +all_music = playlist(env["MUSIC"], check_next = filter_music) wishlist = request.queue() tracks = fallback(track_sensitive = true, [wishlist, all_music]) tracks = blank.eat(tracks) @@ -36,7 +36,7 @@ last_metadata = ref([]) def on_metadata(m) = last_metadata := m print("changing tracks") - out = process.read(env["HOOK_TRACK_CHANGE"], env = m) + out = process.read(env["HOOK_TRACK_CHANGE"], env = m, timeout = 5.0) print(out) end tracks.on_metadata(on_metadata) diff --git a/lass/2configs/radio/weather.nix b/lass/2configs/radio/weather.nix index 704bf7218..dca8a7843 100644 --- a/lass/2configs/radio/weather.nix +++ b/lass/2configs/radio/weather.nix @@ -10,20 +10,25 @@ let export PATH="${lib.makeBinPath [ pkgs.coreutils pkgs.curl - pkgs.iproute2 - pkgs.jc pkgs.jq ]}" curl -fSsz /tmp/GeoLite2-City.mmdb -o /tmp/GeoLite2-City.mmdb http://c.r/GeoLite2-City.mmdb MAXMIND_GEOIP_DB="/tmp/GeoLite2-City.mmdb"; export MAXMIND_GEOIP_DB OPENWEATHER_API_KEY=$(cat "$CREDENTIALS_DIRECTORY/openweather_api"); export OPENWEATHER_API_KEY - ss -no 'sport = :8000' | - jc --ss | jq -r '.[] | - select( - .local_address != "[::ffff:127.0.0.1]" - and .local_address != "[::1]" - ) | .peer_address | gsub("[\\[\\]]"; "") - ' | + ( + curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.ogg' + curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.mp3' + curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.opus' + ) | jq -rs ' + [ + .[][].source|values|to_entries[].value | + (.listener//[]) [] | + (.useragent | capture("client-ip=(?<ip>[a-f0-9.:]+)")).ip // .ip + ] | + unique[] | + select(. != "127.0.0.1") | + select(. != "::1") + ' | ${weather_for_ips}/bin/weather_for_ips ''; in { diff --git a/lass/2configs/radio/weather_for_ips.py b/lass/2configs/radio/weather_for_ips.py index 1f8489bd1..62206a985 100644 --- a/lass/2configs/radio/weather_for_ips.py +++ b/lass/2configs/radio/weather_for_ips.py @@ -3,32 +3,46 @@ import fileinput import json import requests import os +import random geoip = geoip2.database.Reader(os.environ['MAXMIND_GEOIP_DB']) seen = {} output = [] for ip in fileinput.input(): - location = geoip.city(ip.strip()) - if location.city.geoname_id not in seen: - seen[location.city.geoname_id] = True - weather_api_key = os.environ['OPENWEATHER_API_KEY'] - url = ( - f'https://api.openweathermap.org/data/2.5/onecall' - f'?lat={location.location.latitude}' - f'&lon={location.location.longitude}' - f'&appid={weather_api_key}' - f'&units=metric' - ) - resp = requests.get(url) - weather = json.loads(resp.text) + if "80.147.140.51" in ip: output.append( - f'Weather report for {location.city.name}, {location.country.name}. ' - f'It is {weather["current"]["weather"][0]["description"]} outside ' - f'with a temperature of {weather["current"]["temp"]:.1f} degrees, ' - f'a wind speed of {weather["current"]["wind_speed"]:.1f} meters per second ' - f'and a humidity of {weather["current"]["humidity"]} percent. ' - f'The probability of precipitation is {weather["hourly"][0]["pop"] * 100:.0f} percent. ' + 'Weather report for c-base, space.' + 'It is empty space outside ' + 'with a temperature of -270 degrees, ' + 'a lightspeed of 299792 kilometers per second ' + 'and a humidity of Not a Number percent. ' + f'The probability of reincarnation is {random.randrange(0, 100)} percent.' ) + else: + try: + location = geoip.city(ip.strip()) + if location.city.geoname_id not in seen: + seen[location.city.geoname_id] = True + weather_api_key = os.environ['OPENWEATHER_API_KEY'] + url = ( + f'https://api.openweathermap.org/data/2.5/onecall' + f'?lat={location.location.latitude}' + f'&lon={location.location.longitude}' + f'&appid={weather_api_key}' + f'&units=metric' + ) + resp = requests.get(url) + weather = json.loads(resp.text) + output.append( + f'Weather report for {location.city.name}, {location.country.name}. ' + f'It is {weather["current"]["weather"][0]["description"]} outside ' + f'with a temperature of {weather["current"]["temp"]:.1f} degrees, ' + f'a wind speed of {weather["current"]["wind_speed"]:.1f} meters per second ' + f'and a humidity of {weather["current"]["humidity"]} percent. ' + f'The probability of precipitation is {weather["hourly"][0]["pop"] * 100:.0f} percent. ' + ) + except: # noqa E722 + pass print('\n'.join(output)) diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix index b8c9d4f8d..746bc069d 100644 --- a/lass/2configs/retiolum.nix +++ b/lass/2configs/retiolum.nix @@ -27,6 +27,15 @@ LocalDiscovery = no ''} ''; + tincUp = lib.mkIf config.systemd.network.enable ""; + }; + + systemd.network.networks.retiolum = { + matchConfig.Name = "retiolum"; + address = [ + "${config.krebs.build.host.nets.retiolum.ip4.addr}/16" + "${config.krebs.build.host.nets.retiolum.ip6.addr}/16" + ]; }; nixpkgs.config.packageOverrides = pkgs: { diff --git a/lass/2configs/riot.nix b/lass/2configs/riot.nix new file mode 100644 index 000000000..559e7b20d --- /dev/null +++ b/lass/2configs/riot.nix @@ -0,0 +1,59 @@ +{ config, lib, pkgs, ... }: +{ + containers.riot = { + config = { + environment.systemPackages = [ + pkgs.dhcpcd + pkgs.git + pkgs.jq + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" + ]; + networking.defaultGateway = "10.233.1.1"; + systemd.services.autoswitch = { + environment = { + NIX_REMOTE = "daemon"; + }; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' + set -efu + if test -e /var/src/nixos-config; then + /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : + fi + ''; + unitConfig.X-StopOnRemoval = false; + }; + }; + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.1.1"; + localAddress = "10.233.1.2"; + forwardPorts = [ + { hostPort = 45622; containerPort = 22; } + ]; + }; + + systemd.network.networks."50-ve-riot" = { + matchConfig.Name = "ve-riot"; + + networkConfig = { + IPForward = "yes"; + # weirdly we have to use POSTROUTING MASQUERADE here + # IPMasquerade = "both"; + LinkLocalAddressing = "no"; + KeepConfiguration = "static"; + }; + }; + + # networking.nat can be used instead of this + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-s ${config.containers.riot.localAddress}"; target = "MASQUERADE"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { predicate = "-i ve-riot"; target = "ACCEPT"; } + { predicate = "-o ve-riot"; target = "ACCEPT"; } + ]; +} diff --git a/lass/2configs/sync/the_playlist.nix b/lass/2configs/sync/the_playlist.nix index c01a11cc3..233ca8fb7 100644 --- a/lass/2configs/sync/the_playlist.nix +++ b/lass/2configs/sync/the_playlist.nix @@ -1,7 +1,7 @@ { services.syncthing.folders.the_playlist = { path = "/home/lass/tmp/the_playlist"; - devices = [ "mors" "phone" "prism" "omo" ]; + devices = [ "mors" "phone" "prism" "omo" "radio" ]; }; krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true; krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {}; diff --git a/lass/2configs/wiregrill.nix b/lass/2configs/wiregrill.nix index 54257d2c4..a27e99ee2 100644 --- a/lass/2configs/wiregrill.nix +++ b/lass/2configs/wiregrill.nix @@ -16,13 +16,20 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; } ]; - krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [ - { precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - ]; + krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter (mkBefore [ + { predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; } + { predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } + { predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } + { predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; } + { predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + ]); + systemd.network.networks.wiregrill = { + matchConfig.Name = "wiregrill"; + address = + (optional (!isNull self.ip4) "${self.ip4.addr}/16") ++ + (optional (!isNull self.ip6) "${self.ip6.addr}/48") + ; + }; networking.wireguard.interfaces.wiregrill = { ips = diff --git a/lass/2configs/yellow-host.nix b/lass/2configs/yellow-host.nix new file mode 100644 index 000000000..d07c222c6 --- /dev/null +++ b/lass/2configs/yellow-host.nix @@ -0,0 +1,14 @@ +{ config, pkgs, ... }: +{ + lass.sync-containers3.containers.yellow = { + sshKey = "${toString <secrets>}/yellow.sync.key"; + }; + containers.yellow.bindMounts."/var/lib" = { + hostPath = "/var/lib/sync-containers3/yellow/state"; + isReadOnly = false; + }; + containers.yellow.bindMounts."/var/download" = { + hostPath = "/var/download"; + isReadOnly = false; + }; +} diff --git a/lass/2configs/prism-mounts/samba.nix b/lass/2configs/yellow-mounts/samba.nix index 4b1475ef3..e16f1cc47 100644 --- a/lass/2configs/prism-mounts/samba.nix +++ b/lass/2configs/yellow-mounts/samba.nix @@ -1,6 +1,6 @@ { - fileSystems."/mnt/prism" = { - device = "//prism.r/public"; + fileSystems."/mnt/yellow" = { + device = "//yellow.r/public"; fsType = "cifs"; options = [ "guest" diff --git a/lass/3modules/sync-containers3.nix b/lass/3modules/sync-containers3.nix index 1371d5233..86aa40f03 100644 --- a/lass/3modules/sync-containers3.nix +++ b/lass/3modules/sync-containers3.nix @@ -28,6 +28,10 @@ in { type = lib.types.bool; default = false; }; + runContainer = lib.mkOption { + type = lib.types.bool; + default = true; + }; }; })); }; @@ -50,7 +54,8 @@ in { wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' set -efu - ln -frs /var/state/var_src /var/src + mkdir -p /var/state/var_src + ln -Tfrs /var/state/var_src /var/src if test -e /var/src/nixos-config; then /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : fi @@ -64,7 +69,6 @@ in { privateNetwork = true; hostBridge = "ctr0"; bindMounts = { - "/etc/resolv.conf".hostPath = "/etc/resolv.conf"; "/var/lib/self/disk" = { hostPath = "/var/lib/sync-containers3/${ctr.name}/disk"; isReadOnly = false; @@ -74,7 +78,7 @@ in { isReadOnly = false; }; }; - }) cfg.containers; + }) (lib.filterAttrs (_: ctr: ctr.runContainer) cfg.containers); systemd.services = lib.foldr lib.recursiveUpdate {} (lib.flatten (map (ctr: [ { "${ctr.name}_syncer" = { @@ -101,14 +105,14 @@ in { set -efux if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then touch "$HOME"/incomplete - rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk + rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk rm "$HOME"/incomplete fi ''} ''; }; }; } - { "${ctr.name}_watcher" = { + { "${ctr.name}_watcher" = lib.mkIf ctr.runContainer { path = with pkgs; [ coreutils consul @@ -136,7 +140,8 @@ in { ;; 200) # echo 'got 200 from kv, will check payload' - export payload=$(consul kv get containers/${ctr.name}) + payload=$(consul kv get containers/${ctr.name}) || continue + export payload if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then # echo 'we are the host, trying to reach container' if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then @@ -163,7 +168,7 @@ in { ''; }; }; } - { "${ctr.name}_scheduler" = { + { "${ctr.name}_scheduler" = lib.mkIf ctr.runContainer { wantedBy = [ "multi-user.target" ]; path = with pkgs; [ coreutils @@ -246,7 +251,7 @@ in { users.groups = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" { }) cfg.containers; users.users = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" ({ - group = "container_${ctr.name}"; + group = "${ctr.name}_container"; isNormalUser = true; uid = slib.genid_uint31 "container_${ctr.name}"; home = "/var/lib/sync-containers3/${ctr.name}"; @@ -254,47 +259,51 @@ in { homeMode = "705"; })) cfg.containers; + environment.systemPackages = lib.mapAttrsToList (_: ctr: (pkgs.writers.writeDashBin "${ctr.name}_init" '' + set -efux + export PATH=${lib.makeBinPath [ + pkgs.coreutils + pkgs.cryptsetup + pkgs.libxfs.bin + ]}:$PATH + truncate -s 5G /var/lib/sync-containers3/${ctr.name}/disk + cryptsetup luksFormat /var/lib/sync-containers3/${ctr.name}/disk ${ctr.luksKey} + cryptsetup luksOpen --key-file ${ctr.luksKey} /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} + mkfs.xfs /dev/mapper/${ctr.name} + mkdir -p /var/lib/sync-containers3/${ctr.name}/state + mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state + /run/current-system/sw/bin/nixos-container start ${ctr.name} + /run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "init" '' + mkdir -p /var/state + ''} + '')) cfg.containers; }) (lib.mkIf (cfg.containers != {}) { # networking - networking.networkmanager.unmanaged = [ "ctr0" ]; - networking.interfaces.dummy0.virtual = true; - networking.bridges.ctr0.interfaces = [ "dummy0" ]; - networking.interfaces.ctr0.ipv4.addresses = [{ - address = "10.233.0.1"; - prefixLength = 24; - }]; - systemd.services."dhcpd-ctr0" = { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - Type = "forking"; - Restart = "always"; - DynamicUser = true; - StateDirectory = "dhcpd-ctr0"; - User = "dhcpd-ctr0"; - Group = "dhcpd-ctr0"; - AmbientCapabilities = [ - "CAP_NET_RAW" # to send ICMP messages - "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67) - ]; - ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases"; - ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" '' - default-lease-time 600; - max-lease-time 7200; - authoritative; - ddns-update-style interim; - log-facility local1; # see dhcpd.nix - - option subnet-mask 255.255.255.0; - option routers 10.233.0.1; - # option domain-name-servers 8.8.8.8; # TODO configure dns server - subnet 10.233.0.0 netmask 255.255.255.0 { - range 10.233.0.10 10.233.0.250; - } - ''} ctr0"; + systemd.network.networks.ctr0 = { + name = "ctr0"; + address = [ + "10.233.0.1/24" + ]; + networkConfig = { + IPForward = "yes"; + IPMasquerade = "both"; + ConfigureWithoutCarrier = true; + DHCPServer = "yes"; }; }; + systemd.network.netdevs.ctr0.netdevConfig = { + Kind = "bridge"; + Name = "ctr0"; + }; + networking.networkmanager.unmanaged = [ "ctr0" ]; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i ctr0"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { predicate = "-i ctr0"; target = "ACCEPT"; } + { predicate = "-o ctr0"; target = "ACCEPT"; } + ]; }) (lib.mkIf cfg.inContainer.enable { users.groups.container_sync = {}; @@ -308,6 +317,17 @@ in { cfg.inContainer.pubkey ]; }; + + networking.useHostResolvConf = false; + networking.useNetworkd = true; + systemd.network = { + enable = true; + networks.eth0 = { + matchConfig.Name = "eth0"; + DHCP = "yes"; + dhcpV4Config.UseDNS = true; + }; + }; }) ]; } diff --git a/lass/5pkgs/bruellwuerfel/default.nix b/lass/5pkgs/bruellwuerfel/default.nix deleted file mode 100644 index cb8f08fa8..000000000 --- a/lass/5pkgs/bruellwuerfel/default.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ yarn2nix-moretea, fetchFromGitHub, nodePackages, nodejs }: let - #src = ~/src/bruellwuerfel; - src = fetchFromGitHub { - owner = "krebs"; - repo = "bruellwuerfel"; - rev = "57e20e630f732ce4e15b495ec5f9bf72a121b959"; - sha256 = "08zwwl24sq21r497a03lqpy2x10az8frrsh6d38xm92snd1yf85b"; - }; - -in yarn2nix-moretea.mkYarnModules rec { - pname = "bruellwuerfel"; - version = "1.0"; - name = "${pname}-${version}"; - packageJSON = "${src}/package.json"; - yarnLock = "${src}/yarn.lock"; - postBuild = '' - cp -r ${src}/{src,tsconfig.json} $out/ - cd $out - ${nodePackages.typescript}/bin/tsc || : - mkdir -p $out/bin - echo '#!/bin/sh' > $out/bin/bruellwuerfel - echo "export NODE_PATH=$out/dist" >> $out/bin/bruellwuerfel - echo "${nodejs}/bin/node $out/dist/index.js" >> $out/bin/bruellwuerfel - chmod +x $out/bin/bruellwuerfel - ''; -} diff --git a/lass/5pkgs/install-system/default.nix b/lass/5pkgs/install-system/default.nix new file mode 100644 index 000000000..9a392e669 --- /dev/null +++ b/lass/5pkgs/install-system/default.nix @@ -0,0 +1,26 @@ +{ pkgs }: +pkgs.writers.writeDashBin "install-system" '' + set -efux + SYSTEM=$1 + TARGET=$2 + # format + if ! (sshn "$TARGET" -- mountpoint /mnt); then + nix run github:numtide/nixos-remote -- --stop-after-disko --store-paths "$(nix-build --no-out-link -I stockholm="$HOME"/sync/stockholm -I nixos-config="$HOME"/sync/stockholm/lass/1systems/"$SYSTEM"/physical.nix '<nixpkgs/nixos>' -A config.system.build.diskoNoDeps)" /dev/null "$TARGET" + fi + + # install dependencies + sshn "$TARGET" << SSH + nix-channel --update + nix-env -iA nixos.git + SSH + + # populate + $(nix-build --no-out-link "$HOME"/sync/stockholm/lass/krops.nix -A populate --argstr name "$SYSTEM" --argstr target "$TARGET"/mnt/var/src --arg force true) + + # install + sshn "$TARGET" << SSH + ln -s /mnt/var/src /var/src + NIXOS_CONFIG=/var/src/nixos-config nixos-install --no-root-password -I /var/src + zpool export -fa + SSH +'' diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix index d999a4334..27e59bb96 100644 --- a/lass/5pkgs/l-gen-secrets/default.nix +++ b/lass/5pkgs/l-gen-secrets/default.nix @@ -1,57 +1,82 @@ { pkgs }: -pkgs.writeDashBin "l-gen-secrets" '' - HOSTNAME="$1" +pkgs.writers.writeDashBin "l-gen-secrets" '' + set -efu + HOSTNAME=$1 TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) + if [ "''${DRYRUN-n}" = "n" ]; then + trap 'rm -rf $TMPDIR' EXIT + else + echo "$TMPDIR" + set -x + fi + mkdir -p $TMPDIR/out + PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null + # ssh ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null - ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null - ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null - ${pkgs.wireguard-tools}/bin/wg genkey > $TMPDIR/wiregrill.key - ${pkgs.coreutils}/bin/cat $TMPDIR/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub - cat <<EOF > $TMPDIR/hashedPasswords.nix + ${pkgs.coreutils}/bin/mv $TMPDIR/ssh.id_ed25519 $TMPDIR/out/ + + # tor + ${pkgs.coreutils}/bin/timeout 1 ${pkgs.tor}/bin/tor --HiddenServiceDir $TMPDIR/tor --HiddenServicePort 1 --SocksPort 0 >/dev/null || : + ${pkgs.coreutils}/bin/mv $TMPDIR/tor/hs_ed25519_secret_key $TMPDIR/out/ssh-tor.priv + + # tinc + ${pkgs.coreutils}/bin/mkdir -p $TMPDIR/tinc + ${pkgs.tinc_pre}/bin/tinc --config $TMPDIR/tinc generate-keys 4096 </dev/null + ${pkgs.coreutils}/bin/mv $TMPDIR/tinc/ed25519_key.priv $TMPDIR/out/retiolum.ed25519_key.priv + ${pkgs.coreutils}/bin/mv $TMPDIR/tinc/rsa_key.priv $TMPDIR/out/retiolum.rsa_key.priv + + # wireguard + ${pkgs.wireguard-tools}/bin/wg genkey > $TMPDIR/out/wiregrill.key + ${pkgs.coreutils}/bin/cat $TMPDIR/out/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub + + # system passwords + cat <<EOF > $TMPDIR/out/hashedPasswords.nix { root = "$HASHED_PASSWORD"; mainUser = "$HASHED_PASSWORD"; } EOF - cd $TMPDIR - for x in *; do - ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null - done - echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null + set +f + if [ "''${DRYRUN-n}" = "n" ]; then + cd $TMPDIR/out + for x in *; do + ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null + done + echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null + ${pkgs.coreutils}/bin/cat $TMPDIR/tor/hostname | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/torname > /dev/null + fi + set -f cat <<EOF - $HOSTNAME = { - cores = 1; - nets = { - retiolum = { - ip4.addr = "10.243.0.changeme"; - ip6.addr = r6 "changeme"; - aliases = [ - "$HOSTNAME.r" - ]; - tinc.pubkey = ${"''"} - $(cat $TMPDIR/retiolum.rsa_key.pub) - ${"''"}; - }; - wiregrill = { - ip6.addr = w6 "changeme"; - aliases = [ - "$HOSTNAME.w" - ]; - wireguard.pubkey = ${"''"} - $(cat $TMPDIR/wiregrill.pub) - ${"''"}; - }; + { r6, w6, ... }: + { + nets = { + retiolum = { + ip4.addr = "10.243.0.changeme"; + ip6.addr = r6 "changeme"; + aliases = [ + "$HOSTNAME.r" + ]; + tinc.pubkey = ${"''"} + $(cat $TMPDIR/tinc/rsa_key.pub | sed 's/^/ /') + ${"''"}; + tinc.pubkey_ed25519 = "$(cat $TMPDIR/tinc/ed25519_key.pub | ${pkgs.gnused}/bin/sed 's/.* = //')"; + }; + wiregrill = { + ip6.addr = w6 "changeme"; + aliases = [ + "$HOSTNAME.w" + ]; + wireguard.pubkey = ${"''"} + $(cat $TMPDIR/wiregrill.pub) + ${"''"}; }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; }; + ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; + } EOF - - rm -rf $TMPDIR '' - |