authortv <tv@krebsco.de>2018-12-11 19:50:50 +0100
committertv <tv@krebsco.de>2018-12-11 19:50:50 +0100
commit172a746c3a4735f1f7875f7169b53e8b3df82269 (patch)
treeee5e0d2e093f446d0f23d1abe599e85766928c12
parent761ce9cefdb2c04132f44c2b41fac6d49a472752 (diff)
parent30772247c0e629d443fb62bc566f3651be1157c1 (diff)
Merge remote-tracking branch 'prism/master'
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/lass/default.nix90
-rw-r--r--lass/1systems/morpheus/config.nix33
-rw-r--r--lass/1systems/morpheus/physical.nix32
-rw-r--r--lass/1systems/prism/config.nix26
-rw-r--r--lass/1systems/yellow/config.nix9
-rw-r--r--lass/2configs/baseX.nix4
-rw-r--r--lass/2configs/default.nix1
-rw-r--r--lass/2configs/exim-smarthost.nix1
-rw-r--r--lass/2configs/games.nix1
-rw-r--r--lass/2configs/mouse.nix3
-rw-r--r--lass/2configs/wirelum.nix44
-rw-r--r--lib/krebs/genipv6.nix92
-rw-r--r--lib/types.nix24
14 files changed, 336 insertions, 25 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index e8ed64654..2e7c61fb5 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -122,6 +122,7 @@ let
shack = "hosts";
i = "hosts";
r = "hosts";
+ w = "hosts";
};
krebs.users = {
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 86a36015b..f06d62586 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -1,7 +1,11 @@
{ config, ... }:
-
with import <stockholm/lib>;
+let
+
+ rip6 = krebs.genipv6 "retiolum" "lass";
+ wip6 = krebs.genipv6 "wirelum" "lass";
+in
{
dns.providers = {
"lassul.us" = "zones";
@@ -85,11 +89,22 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY-----
'';
};
+ wirelum = {
+ via = internet;
+ ip4.addr = "10.244.1.1";
+ ip6.addr = (wip6 "1").address;
+ aliases = [
+ "prism.w"
+ ];
+ wireguard = {
+ pubkey = "oKJotppdEJqQBjrqrommEUPw+VFryvEvNJr/WikXohk=";
+ subnets = [ "10.244.1.0/24" (wip6 "1").subnetCIDR ];
+ };
+ };
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
};
-
archprism = {
cores = 1;
nets = rec {
@@ -177,6 +192,13 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY-----
'';
};
+ wirelum = {
+ ip6.addr = (wip6 "dea7").address;
+ aliases = [
+ "mors.w"
+ ];
+ wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za3J3SQ=";
+ };
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
@@ -203,6 +225,13 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY-----
'';
};
+ wirelum = {
+ ip6.addr = (wip6 "50da").address;
+ aliases = [
+ "shodan.w"
+ ];
+ wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za4J3SQ=";
+ };
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
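Review bot: The `wireguard.pubkey` added for shodan (`...za4J3SQ=`) differs from the one added for mors in the previous hunk (`...za3J3SQ=`) by a single character, which is not what two independently generated WireGuard public keys look like. One of them is most likely a hand-edited copy of the other rather than the key the host actually holds; the affected peer would then never complete a handshake, and the router's `allowedIPs` entry for that host would be bound to a key nobody owns. Re-exporting both keys from the hosts (`wg show <iface> public-key`) before merging would settle which one is wrong. The icarus, yellow and phone entries below use keys that do not resemble each other, so this appears limited to the mors/shodan pair.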
@@ -229,6 +258,13 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY-----
'';
};
+ wirelum = {
+ ip6.addr = (wip6 "1205").address;
+ aliases = [
+ "icarus.w"
+ ];
+ wireguard.pubkey = "mVe3YdlWOlVF5+YD5vgNha3s03dv6elmNVsARtPLXQQ=";
+ };
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
@@ -425,6 +461,13 @@ with import <stockholm/lib>;
-----END PUBLIC KEY-----
'';
};
+ wirelum = {
+ ip6.addr = (wip6 "e110").address;
+ aliases = [
+ "yellow.w"
+ ];
+ wireguard.pubkey = "YeWbR3mW+nOVBE7bcNSzF5fjj9ppd8OGHBJqERAUVxU=";
+ };
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje ";
@@ -459,6 +502,49 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv";
};
+ phone = {
+ nets = {
+ wirelum = {
+ ip6.addr = (wip6 "a").address;
+ ip4.addr = "10.244.1.2";
+ aliases = [
+ "phone.w"
+ ];
+ wireguard.pubkey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
+ };
+ };
+ external = true;
+ ci = false;
+ };
+ morpheus = {
+ cores = 1;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.0.19";
+ ip6.addr = "42::19";
+ aliases = [
+ "morpheus.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAptrlSKQKsBH2QMQxllZR94S/fXneajpJifRjXR5bi+7ME2ThdQXY
+ T7yWiKaUuBJThWged9PdPltLUEMmv+ubQqpWHZq442VWSS36r1yMSGpUeKK+oYMN
+ /Sfu+1yC4m2uXno95wpJZIcDfbbn26jT6ldJ4Yd97zyrXKljvcdrz3wZzQq0tojh
+ S5Q59x/aQMJbnQpnlFnMIEVgULuFPW16+vPGsXIPdYNggaF1avcBaFl8i3M0EZVz
+ Swn4hArDynDJhR7M0QdlwOpOh7O+1iOnmXqqei3LxMVHb+YtzfHgxOPxggUsy7CR
+ bj9uBR9loGwgmZwaxXd1Vfbw8kn/feOb9FcW73u+SZyzwEA9HFRV0jGQe3P9mGfI
+ Bwe02DOTVXEB8jTAGCw5T3bXLIOX8kqdlCECuAWFfrt8H+GjZDuGUWRcMn32orMz
+ sMvkab95ZOHK6Q31mrhILOIOdyZWKPZIabL3HF6CZtu52h6MDHbmGS0w0OJYhj2+
+ VnT9ZBoaeooVg8QOE43rCXvmL5vzhLKrj4s/53wTGG5SpzLs9Q9rrJVgAnz4YQ7j
+ 3Ov5q3Zxyr+vO6O7Pb5X49vCQw/jzK41S0/15GEmKcoxXemzeZCpX1mbeeTUtLvA
+ U7OJwldrElzictBJ1gT94L4BDvoGZVqAkXJCJPamfsWaiw6SsMqtTfECAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXS60mmNWMdMRvaPxGn91Cm/hm7zY8xn5rkI4n2KG/f ";
+ };
};
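Review bot: The new `ssh.pubkey` for morpheus carries a trailing space inside the string literal (`...KG/f "`); the yellow entry in the context above has the same stray space, so it looks inherited by copying. Whether that matters depends on how the value is consumed (a `known_hosts` line tolerates it, a strict comparison against `ssh-keygen` output would not), so trimming it is cheap: `ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXS60mmNWMdMRvaPxGn91Cm/hm7zY8xn5rkI4n2KG/f";`. The `phone` entry declares no ssh key and sets `external = true; ci = false;`, which is presumably intentional for a mobile peer that is never built or logged into from here; a one-line comment saying so would spare the next reader the same question.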
users = rec {
lass = lass-blue;
diff --git a/lass/1systems/morpheus/config.nix b/lass/1systems/morpheus/config.nix
new file mode 100644
index 000000000..0d82ba611
--- /dev/null
+++ b/lass/1systems/morpheus/config.nix
@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+{
+ imports = [
+ <stockholm/lass>
+
+ <stockholm/lass/2configs/retiolum.nix>
+ <stockholm/lass/2configs/power-action.nix>
+ <stockholm/lass/2configs/baseX.nix>
+ <stockholm/lass/2configs/games.nix>
+ <stockholm/lass/2configs/steam.nix>
+ ];
+
+ krebs.build.host = config.krebs.hosts.morpheus;
+
+ networking.wireless.enable = false;
+ networking.networkmanager.enable = true;
+
+ services.logind.extraConfig = ''
+ HandleLidSwitch=ignore
+ '';
+
+ nixpkgs.config.packageOverrides = super: {
+ steam = super.steam.override {
+ withPrimus = true;
+ extraPkgs = p: with p; [
+ glxinfo
+ nettools
+ bumblebee
+ ];
+ };
+ };
+}
diff --git a/lass/1systems/morpheus/physical.nix b/lass/1systems/morpheus/physical.nix
new file mode 100644
index 000000000..0f08acb2d
--- /dev/null
+++ b/lass/1systems/morpheus/physical.nix
@@ -0,0 +1,32 @@
+{ lib, ... }:
+{
+ imports = [
+ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+ ./config.nix
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostId = "60ce7e88";
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.kernelParams = [ "acpi_osi=!" ''acpi_osi="Windows 2009"'' ];
+
+ hardware.bumblebee.enable = true;
+ hardware.bumblebee.group = "video";
+
+ fileSystems."/" =
+ { device = "rpool/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/DF3B-4528";
+ fsType = "vfat";
+ };
+
+ nix.maxJobs = lib.mkDefault 8;
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 83cc96771..ec3976519 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -297,37 +297,25 @@ with import <stockholm/lib>;
};
}
{
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p udp --dport 51820"; target = "ACCEPT"; }
- ];
- krebs.iptables.tables.nat.PREROUTING.rules = [
- { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+ imports = [
+ <stockholm/lass/2configs/wirelum.nix>
];
+ #krebs.iptables.tables.nat.PREROUTING.rules = [
+ # { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+ #];
krebs.iptables.tables.filter.FORWARD.rules = [
- { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+ { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24 -d 10.243.0.0/16"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
];
- networking.wireguard.interfaces.wg0 = {
- ips = [ "10.244.1.1/24" ];
- listenPort = 51820;
- privateKeyFile = (toString <secrets>) + "/wireguard.key";
- allowedIPsAsRoutes = true;
- peers = [
- {
- # lass-android
- allowedIPs = [ "10.244.1.2/32" ];
- publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
- }
- ];
- };
services.dnsmasq = {
enable = true;
resolveLocalQueries = false;
extraConfig= ''
+ listen-address=10.244.1.1
except-interface=lo
interface=wg0
'';
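Review bot: The dnsmasq `extraConfig` still says `interface=wg0` (the context line right after the added `listen-address`), but the WireGuard interface this commit moves into `lass/2configs/wirelum.nix` is named `wirelum`, so dnsmasq is being pointed at an interface that no longer exists on prism. The added `listen-address=10.244.1.1` may keep it reachable on that address regardless, but the stale name should become `interface=wirelum` so the two directives agree. The commented-out `nat.PREROUTING` rule left in place would be better deleted, or given a one-line comment stating why it was disabled; as it stands it reads as forgotten rather than decided.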
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
index ff7b23687..58fa564a1 100644
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@@ -19,7 +19,11 @@ with import <stockholm/lib>;
users.groups.download.members = [ "transmission" ];
users.users.transmission.group = mkForce "download";
- systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ];
+ systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];
+ systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];
+ systemd.services.transmission.postStart = ''
+ chmod 775 /var/download/finished
+ '';
services.transmission = {
enable = true;
settings = {
@@ -52,6 +56,9 @@ with import <stockholm/lib>;
autoindex on;
'';
};
+ locations."/dl".extraConfig = ''
+ return 301 /;
+ '';
locations."/" = {
root = "/var/download/finished";
extraConfig = ''
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index d781f8c71..53d90ed7d 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -97,9 +97,9 @@ in {
enable = true;
layout = "us";
display = mkForce 0;
- xkbModel = "evdev";
xkbVariant = "altgr-intl";
- xkbOptions = "caps:backspace";
+ xkbOptions = "caps:escape";
+ libinput.enable = true;
displayManager.lightdm.enable = true;
windowManager.default = "xmonad";
windowManager.session = [{
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index a43113177..dea32d4d4 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -10,6 +10,7 @@ with import <stockholm/lib>;
./zsh.nix
./htop.nix
./security-workarounds.nix
+ ./wirelum.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 1ee45bb41..1acfe5056 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -94,6 +94,7 @@ with import <stockholm/lib>;
{ from = "osmocom@lassul.us"; to = lass.mail; }
{ from = "lesswrong@lassul.us"; to = lass.mail; }
{ from = "nordvpn@lassul.us"; to = lass.mail; }
+ { from = "csv-direct@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index 49602898e..62e3f6d52 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -57,6 +57,7 @@ let
in {
environment.systemPackages = with pkgs; [
+ dolphinEmu
doom1
doom2
vdoom1
diff --git a/lass/2configs/mouse.nix b/lass/2configs/mouse.nix
index 098809d62..f5f9319ed 100644
--- a/lass/2configs/mouse.nix
+++ b/lass/2configs/mouse.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ lib, ... }:
{
hardware.trackpoint = {
enable = true;
@@ -7,6 +7,7 @@
emulateWheel = true;
};
+ services.xserver.libinput.enable = lib.mkForce false;
services.xserver.synaptics = {
enable = true;
horizEdgeScroll = false;
diff --git a/lass/2configs/wirelum.nix b/lass/2configs/wirelum.nix
new file mode 100644
index 000000000..cd8a20c6b
--- /dev/null
+++ b/lass/2configs/wirelum.nix
@@ -0,0 +1,44 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+
+ self = config.krebs.build.host.nets.wirelum;
+ isRouter = !isNull self.via;
+
+in mkIf (hasAttr "wirelum" config.krebs.build.host.nets) {
+ #hack for modprobe inside containers
+ systemd.services."wireguard-wirelum".path = mkIf config.boot.isContainer (mkBefore [
+ (pkgs.writeDashBin "modprobe" ":")
+ ]);
+
+ boot.kernel.sysctl = mkIf isRouter {
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
+ { precedence = 1000; predicate = "-i wirelum -o wirelum"; target = "ACCEPT"; }
+ ];
+
+ networking.wireguard.interfaces.wirelum = {
+ ips =
+ (optional (!isNull self.ip4) self.ip4.addr) ++
+ (optional (!isNull self.ip6) self.ip6.addr);
+ listenPort = 51820;
+ privateKeyFile = (toString <secrets>) + "/wirelum.key";
+ allowedIPsAsRoutes = true;
+ peers = mapAttrsToList
+ (_: host: {
+ allowedIPs = if isRouter then
+ (optional (!isNull host.nets.wirelum.ip4) host.nets.wirelum.ip4.addr) ++
+ (optional (!isNull host.nets.wirelum.ip6) host.nets.wirelum.ip6.addr)
+ else
+ host.nets.wirelum.wireguard.subnets
+ ;
+ endpoint = mkIf (!isNull host.nets.wirelum.via) (host.nets.wirelum.via.ip4.addr + ":${toString host.nets.wirelum.wireguard.port}");
+ persistentKeepalive = mkIf (!isNull host.nets.wirelum.via) 61;
+ publicKey = host.nets.wirelum.wireguard.pubkey;
+ })
+ (filterAttrs (_: h: hasAttr "wirelum" h.nets) config.krebs.hosts);
+ };
+}
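Review bot: `listenPort = 51820;` is hard-coded while the INPUT rule above opens `self.wireguard.port` and each peer `endpoint` dials `host.nets.wirelum.wireguard.port`; a host that overrides the port would then have the firewall open a port WireGuard is not listening on and peers dialing one it is. `listenPort = self.wireguard.port;` keeps all three in step. The `endpoint` expression also dereferences `host.nets.wirelum.via.ip4.addr` whenever `via` is set, which presumably assumes every router has an IPv4 address on its `via` net — true for prism as declared in this commit, but it would fail evaluation for a v6-only router, so a comment naming that assumption next to `isRouter` would help. Note also that the INPUT rule is applied on every host with a `wirelum` net, not just routers, which is presumably intended since every peer listens, but is worth a comment.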
diff --git a/lib/krebs/genipv6.nix b/lib/krebs/genipv6.nix
new file mode 100644
index 000000000..8d5ca1667
--- /dev/null
+++ b/lib/krebs/genipv6.nix
@@ -0,0 +1,92 @@
+lib:
+with lib;
+let {
+ body = netname: subnetname: suffix: rec {
+ address = let
+ suffix' =
+ if hasEmptyGroup (parseAddress suffix)
+ then suffix
+ else joinAddress "::" suffix;
+ in
+ checkAddress addressLength (joinAddress subnetPrefix suffix');
+ addressCIDR = "${address}/${toString addressLength}";
+ addressLength = 128;
+
+ inherit netname;
+ netCIDR = "${netAddress}/${toString netPrefixLength}";
+ netAddress = joinAddress netPrefix "::";
+ netHash = toString {
+ retiolum = 0;
+ wirelum = 1;
+ }.${netname};
+ netPrefix = "42:${netHash}";
+ netPrefixLength = {
+ retiolum = 32;
+ wirelum = 32;
+ }.${netname};
+
+ inherit subnetname;
+ subnetCIDR = "${subnetAddress}/${toString subnetPrefixLength}";
+ subnetAddress = joinAddress subnetPrefix "::";
+ subnetHash = hash subnetname;
+ subnetPrefix = joinAddress netPrefix subnetHash;
+ subnetPrefixLength = netPrefixLength + 16;
+
+ inherit suffix;
+ suffixLength = addressLength - subnetPrefixLength;
+ };
+
+ hash = s: head (match "0*(.*)" (substring 0 4 (hashString "sha256" s)));
+
+ dropLast = n: xs: reverseList (drop n (reverseList xs));
+ takeLast = n: xs: reverseList (take n (reverseList xs));
+
+ hasEmptyPrefix = xs: take 2 xs == ["" ""];
+ hasEmptySuffix = xs: takeLast 2 xs == ["" ""];
+ hasEmptyInfix = xs: any (x: x == "") (trimEmpty 2 xs);
+
+ hasEmptyGroup = xs:
+ any (p: p xs) [hasEmptyPrefix hasEmptyInfix hasEmptySuffix];
+
+ ltrimEmpty = n: xs: if hasEmptyPrefix xs then drop n xs else xs;
+ rtrimEmpty = n: xs: if hasEmptySuffix xs then dropLast n xs else xs;
+ trimEmpty = n: xs: rtrimEmpty n (ltrimEmpty n xs);
+
+ parseAddress = splitString ":";
+ formatAddress = concatStringsSep ":";
+
+ check = s: c: if !c then throw "${s}" else true;
+
+ checkAddress = maxaddrlen: addr: let
+ parsedaddr = parseAddress addr;
+ normalizedaddr = trimEmpty 1 parsedaddr;
+ in
+ assert (check "address malformed; lone leading colon: ${addr}" (
+ head parsedaddr == "" -> tail (take 2 parsedaddr) == ""
+ ));
+ assert (check "address malformed; lone trailing colon ${addr}" (
+ last parsedaddr == "" -> head (takeLast 2 parsedaddr) == ""
+ ));
+ assert (check "address malformed; too many successive colons: ${addr}" (
+ length (filter (x: x == "") normalizedaddr) > 1 -> addr == [""]
+ ));
+ assert (check "address malformed: ${addr}" (
+ all (test "[0-9a-f]{0,4}") parsedaddr
+ ));
+ assert (check "address is too long: ${addr}" (
+ length normalizedaddr * 16 <= maxaddrlen
+ ));
+ addr;
+
+ joinAddress = prefix: suffix: let
+ parsedPrefix = parseAddress prefix;
+ parsedSuffix = parseAddress suffix;
+ normalizePrefix = rtrimEmpty 2 parsedPrefix;
+ normalizeSuffix = ltrimEmpty 2 parsedSuffix;
+ delimiter =
+ optional (length (normalizePrefix ++ normalizeSuffix) < 8 &&
+ (hasEmptySuffix parsedPrefix || hasEmptyPrefix parsedSuffix))
+ "";
+ in
+ formatAddress (normalizePrefix ++ delimiter ++ normalizeSuffix);
+}
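Review bot: In `checkAddress` the third assertion ends in `-> addr == [""]`, where `addr` is the input string and `[""]` is a list, so that comparison is always false and the clause simply throws for any address with more than one empty group after trimming; if the intent was to permit the empty address, `parsedaddr == [""]` is probably what was meant. The format check `test "[0-9a-f]{0,4}"` rejects upper-case hex digits, which are valid in IPv6 literals, so either document that inputs must be lower-case or use `[0-9a-fA-F]{0,4}`. `subnetHash` keeps only the first 16 bits of a SHA-256 of the subnet name, with leading zeros stripped, so two subnet names can silently land in the same /48 and nothing here checks for it; a comment stating that prefix uniqueness across subnet names is the caller's responsibility would at least make that visible. The `let { body = …; }` form is the old-style let syntax, which I believe newer Nix releases treat as deprecated, so a plain `let … in` would be safer going forward.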
diff --git a/lib/types.nix b/lib/types.nix
index 41e75154e..17c1688fa 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -192,6 +192,28 @@ rec {
}));
default = null;
};
+ wireguard = mkOption {
+ type = nullOr (submodule ({ config, ... }: {
+ options = {
+ port = mkOption {
+ type = int;
+ description = "tinc port to use to connect to host";
+ default = 51820;
+ };
+ pubkey = mkOption {
+ type = wireguard-pubkey;
+ };
+ subnets = mkOption {
+ type = listOf cidr;
+ description = ''
+ wireguard subnets,
+ this defines how routing behaves for hosts that can't reach each other.
+ '';
+ default = [];
+ };
+ };
+ }));
+ };
};
});
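Review bot: The `description` of the new `wireguard.port` option reads `"tinc port to use to connect to host"`, which was copied from the tinc option and is misleading in generated documentation; `description = "wireguard port to use to connect to host";`. `subnets` is documented only in terms of routing, but `lass/2configs/wirelum.nix` in this same commit also feeds it directly into each non-router peer's `allowedIPs`, i.e. a subnet listed here is accepted as a source range from that peer on every host; a sentence saying so in the description would help whoever reviews future additions to it.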
@@ -548,4 +570,6 @@ rec {
check = filename.check;
merge = mergeOneOption;
};
+
+ wireguard-pubkey = str;
}
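Review bot: `wireguard-pubkey = str;` accepts any string, so a truncated or mistyped key (or one with a stray trailing space) is only discovered when the tunnel fails to handshake. A WireGuard public key is a 32-byte value in base64, i.e. 43 base64 characters followed by one `=`; a checked type in the style of the other types in this file would catch most slips at evaluation time: `wireguard-pubkey = mkOptionType { name = "wireguard-pubkey"; check = x: isString x && match "[A-Za-z0-9+/]{43}=" x != null; };`. It would not catch a valid-looking but wrong key, so it complements rather than replaces checking the key against the host.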