author | tv <tv@krebsco.de> | 2018-12-11 19:50:50 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2018-12-11 19:50:50 +0100 |
commit | 172a746c3a4735f1f7875f7169b53e8b3df82269 (patch) | |
tree | ee5e0d2e093f446d0f23d1abe599e85766928c12 | |
parent | 761ce9cefdb2c04132f44c2b41fac6d49a472752 (diff) | |
parent | 30772247c0e629d443fb62bc566f3651be1157c1 (diff) |
Merge remote-tracking branch 'prism/master'
-rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/lass/default.nix | 90 | ||||
-rw-r--r-- | lass/1systems/morpheus/config.nix | 33 | ||||
-rw-r--r-- | lass/1systems/morpheus/physical.nix | 32 | ||||
-rw-r--r-- | lass/1systems/prism/config.nix | 26 | ||||
-rw-r--r-- | lass/1systems/yellow/config.nix | 9 | ||||
-rw-r--r-- | lass/2configs/baseX.nix | 4 | ||||
-rw-r--r-- | lass/2configs/default.nix | 1 | ||||
-rw-r--r-- | lass/2configs/exim-smarthost.nix | 1 | ||||
-rw-r--r-- | lass/2configs/games.nix | 1 | ||||
-rw-r--r-- | lass/2configs/mouse.nix | 3 | ||||
-rw-r--r-- | lass/2configs/wirelum.nix | 44 | ||||
-rw-r--r-- | lib/krebs/genipv6.nix | 92 | ||||
-rw-r--r-- | lib/types.nix | 24 |
14 files changed, 336 insertions, 25 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index e8ed64654..2e7c61fb5 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -122,6 +122,7 @@ let shack = "hosts"; i = "hosts"; r = "hosts"; + w = "hosts"; }; krebs.users = { diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 86a36015b..f06d62586 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -1,7 +1,11 @@ { config, ... }: - with import <stockholm/lib>; +let + + rip6 = krebs.genipv6 "retiolum" "lass"; + wip6 = krebs.genipv6 "wirelum" "lass"; +in { dns.providers = { "lassul.us" = "zones"; @@ -85,11 +89,22 @@ with import <stockholm/lib>; -----END RSA PUBLIC KEY----- ''; }; + wirelum = { + via = internet; + ip4.addr = "10.244.1.1"; + ip6.addr = (wip6 "1").address; + aliases = [ + "prism.w" + ]; + wireguard = { + pubkey = "oKJotppdEJqQBjrqrommEUPw+VFryvEvNJr/WikXohk="; + subnets = [ "10.244.1.0/24" (wip6 "1").subnetCIDR ]; + }; + }; }; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; }; - archprism = { cores = 1; nets = rec { @@ -177,6 +192,13 @@ with import <stockholm/lib>; -----END RSA PUBLIC KEY----- ''; }; + wirelum = { + ip6.addr = (wip6 "dea7").address; + aliases = [ + "mors.w" + ]; + wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za3J3SQ="; + }; }; secure = true; ssh.privkey.path = <secrets/ssh.id_ed25519>; @@ -203,6 +225,13 @@ with import <stockholm/lib>; -----END RSA PUBLIC KEY----- ''; }; + wirelum = { + ip6.addr = (wip6 "50da").address; + aliases = [ + "shodan.w" + ]; + wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za4J3SQ="; + }; }; secure = true; ssh.privkey.path = <secrets/ssh.id_ed25519>; 
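Review bot: In the first hunk of krebs/3modules/lass/default.nix the new let block binds `rip6 = krebs.genipv6 "retiolum" "lass";`, but no hunk in this commit references `rip6`; only `wip6` is used. If the rest of the file does not use it either, drop the binding so readers do not assume retiolum addresses are now generated from genipv6 as well. I can only see the hunks, so this may be used further down.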
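Review bot: The wireguard.pubkey added for shodan in the -203 hunk, `FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za4J3SQ=`, differs from the one added for mors in the -177 hunk only in the `za3`/`za4` character, which looks like a hand-edited copy rather than an independently generated key. If it is not shodan's real public key the router side will never complete a handshake with shodan, and nothing at the type level flags it because the option type is a plain string. Please confirm the value against shodan's own `wg pubkey` output and that the two hosts do not share a private key.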
@@ -229,6 +258,13 @@ with import <stockholm/lib>; -----END RSA PUBLIC KEY----- ''; }; + wirelum = { + ip6.addr = (wip6 "1205").address; + aliases = [ + "icarus.w" + ]; + wireguard.pubkey = "mVe3YdlWOlVF5+YD5vgNha3s03dv6elmNVsARtPLXQQ="; + }; }; secure = true; ssh.privkey.path = <secrets/ssh.id_ed25519>; @@ -425,6 +461,13 @@ with import <stockholm/lib>; -----END PUBLIC KEY----- ''; }; + wirelum = { + ip6.addr = (wip6 "e110").address; + aliases = [ + "yellow.w" + ]; + wireguard.pubkey = "YeWbR3mW+nOVBE7bcNSzF5fjj9ppd8OGHBJqERAUVxU="; + }; }; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje "; 
@@ -459,6 +502,49 @@ with import <stockholm/lib>; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv"; }; + phone = { + nets = { + wirelum = { + ip6.addr = (wip6 "a").address; + ip4.addr = "10.244.1.2"; + aliases = [ + "phone.w" + ]; + wireguard.pubkey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw="; + }; + }; + external = true; + ci = false; + }; + morpheus = { + cores = 1; + nets = { + retiolum = { + ip4.addr = "10.243.0.19"; + ip6.addr = "42::19"; + aliases = [ + "morpheus.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAptrlSKQKsBH2QMQxllZR94S/fXneajpJifRjXR5bi+7ME2ThdQXY + T7yWiKaUuBJThWged9PdPltLUEMmv+ubQqpWHZq442VWSS36r1yMSGpUeKK+oYMN + /Sfu+1yC4m2uXno95wpJZIcDfbbn26jT6ldJ4Yd97zyrXKljvcdrz3wZzQq0tojh + S5Q59x/aQMJbnQpnlFnMIEVgULuFPW16+vPGsXIPdYNggaF1avcBaFl8i3M0EZVz + Swn4hArDynDJhR7M0QdlwOpOh7O+1iOnmXqqei3LxMVHb+YtzfHgxOPxggUsy7CR + bj9uBR9loGwgmZwaxXd1Vfbw8kn/feOb9FcW73u+SZyzwEA9HFRV0jGQe3P9mGfI + Bwe02DOTVXEB8jTAGCw5T3bXLIOX8kqdlCECuAWFfrt8H+GjZDuGUWRcMn32orMz + sMvkab95ZOHK6Q31mrhILOIOdyZWKPZIabL3HF6CZtu52h6MDHbmGS0w0OJYhj2+ + VnT9ZBoaeooVg8QOE43rCXvmL5vzhLKrj4s/53wTGG5SpzLs9Q9rrJVgAnz4YQ7j + 3Ov5q3Zxyr+vO6O7Pb5X49vCQw/jzK41S0/15GEmKcoxXemzeZCpX1mbeeTUtLvA + U7OJwldrElzictBJ1gT94L4BDvoGZVqAkXJCJPamfsWaiw6SsMqtTfECAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXS60mmNWMdMRvaPxGn91Cm/hm7zY8xn5rkI4n2KG/f "; + }; }; users = rec { lass = lass-blue; diff --git a/lass/1systems/morpheus/config.nix b/lass/1systems/morpheus/config.nix new file mode 100644 index 000000000..0d82ba611 --- /dev/null +++ b/lass/1systems/morpheus/config.nix 
@@ -0,0 +1,33 @@ +{ config, pkgs, ... }: +with import <stockholm/lib>; +{ + imports = [ + <stockholm/lass> + + <stockholm/lass/2configs/retiolum.nix> + <stockholm/lass/2configs/power-action.nix> + <stockholm/lass/2configs/baseX.nix> + <stockholm/lass/2configs/games.nix> + <stockholm/lass/2configs/steam.nix> + ]; + + krebs.build.host = config.krebs.hosts.morpheus; + + networking.wireless.enable = false; + networking.networkmanager.enable = true; + + services.logind.extraConfig = '' + HandleLidSwitch=ignore + ''; + + nixpkgs.config.packageOverrides = super: { + steam = super.steam.override { + withPrimus = true; + extraPkgs = p: with p; [ + glxinfo + nettools + bumblebee + ]; + }; + }; +} diff --git a/lass/1systems/morpheus/physical.nix b/lass/1systems/morpheus/physical.nix new file mode 100644 index 000000000..0f08acb2d --- /dev/null +++ b/lass/1systems/morpheus/physical.nix @@ -0,0 +1,32 @@ +{ lib, ... }: +{ + imports = [ + <nixpkgs/nixos/modules/installer/scan/not-detected.nix> + ./config.nix + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostId = "60ce7e88"; + + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.kernelParams = [ "acpi_osi=!" ''acpi_osi="Windows 2009"'' ]; + + hardware.bumblebee.enable = true; + hardware.bumblebee.group = "video"; + + fileSystems."/" = + { device = "rpool/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/DF3B-4528"; + fsType = "vfat"; + }; + + nix.maxJobs = lib.mkDefault 8; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; +} diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 83cc96771..ec3976519 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
@@ -297,37 +297,25 @@ with import <stockholm/lib>; }; } { - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 51820"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + imports = [ + <stockholm/lass/2configs/wirelum.nix> ]; + #krebs.iptables.tables.nat.PREROUTING.rules = [ + # { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + #]; krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24 -d 10.243.0.0/16"; target = "ACCEPT"; } { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } ]; - networking.wireguard.interfaces.wg0 = { - ips = [ "10.244.1.1/24" ]; - listenPort = 51820; - privateKeyFile = (toString <secrets>) + "/wireguard.key"; - allowedIPsAsRoutes = true; - peers = [ - { - # lass-android - allowedIPs = [ "10.244.1.2/32" ]; - publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw="; - } - ]; - }; services.dnsmasq = { enable = true; resolveLocalQueries = false; extraConfig= '' + listen-address=10.244.1.1 except-interface=lo interface=wg0 ''; diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index ff7b23687..58fa564a1 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix 
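Review bot: The dnsmasq block still carries `interface=wg0` (context line near the end of the hunk) while this hunk removes the `wg0` interface definition and the imported wirelum.nix names the interface `wirelum`; as far as I recall dnsmasq refuses to start on an interface it cannot find unless bind-dynamic is set, and the new `listen-address=10.244.1.1` line does not replace the interface binding. Change it to `interface=wirelum`. The commented-out PREROUTING rule left above it should either be deleted or carry a one-line comment saying why it is kept for reference.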
@@ -19,7 +19,11 @@ with import <stockholm/lib>; users.groups.download.members = [ "transmission" ]; users.users.transmission.group = mkForce "download"; - systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ]; + systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ]; + systemd.services.transmission.after = [ "openvpn-nordvpn.service" ]; + systemd.services.transmission.postStart = '' + chmod 775 /var/download/finished + ''; services.transmission = { enable = true; settings = { @@ -52,6 +56,9 @@ with import <stockholm/lib>; autoindex on; ''; }; + locations."/dl".extraConfig = '' + return 301 /; + ''; locations."/" = { root = "/var/download/finished"; extraConfig = '' diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index d781f8c71..53d90ed7d 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -97,9 +97,9 @@ in { enable = true; layout = "us"; display = mkForce 0; - xkbModel = "evdev"; xkbVariant = "altgr-intl"; - xkbOptions = "caps:backspace"; + xkbOptions = "caps:escape"; + libinput.enable = true; displayManager.lightdm.enable = true; windowManager.default = "xmonad"; windowManager.session = [{ diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index a43113177..dea32d4d4 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -10,6 +10,7 @@ with import <stockholm/lib>; ./zsh.nix ./htop.nix ./security-workarounds.nix + ./wirelum.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 1ee45bb41..1acfe5056 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix 
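Review bot: Moving `bindsTo` out of serviceConfig fixes the option placement, but `BindsTo=` plus `After=` only stops transmission when the VPN unit stops; after an openvpn-nordvpn restart transmission stays down, since nothing starts it again. If the intent is that transmission always follows the VPN, add `systemd.services.transmission.partOf = [ "openvpn-nordvpn.service" ];` so a restart of the VPN unit propagates. The `chmod 775` in postStart also deserves a short comment naming which group needs write access, since it widens the served download directory on every start.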
@@ -94,6 +94,7 @@ with import <stockholm/lib>; { from = "osmocom@lassul.us"; to = lass.mail; } { from = "lesswrong@lassul.us"; to = lass.mail; } { from = "nordvpn@lassul.us"; to = lass.mail; } + { from = "csv-direct@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 49602898e..62e3f6d52 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -57,6 +57,7 @@ let in { environment.systemPackages = with pkgs; [ + dolphinEmu doom1 doom2 vdoom1 diff --git a/lass/2configs/mouse.nix b/lass/2configs/mouse.nix index 098809d62..f5f9319ed 100644 --- a/lass/2configs/mouse.nix +++ b/lass/2configs/mouse.nix @@ -1,4 +1,4 @@ -{ ... }: +{ lib, ... }: { hardware.trackpoint = { enable = true; @@ -7,6 +7,7 @@ emulateWheel = true; }; + services.xserver.libinput.enable = lib.mkForce false; services.xserver.synaptics = { enable = true; horizEdgeScroll = false; diff --git a/lass/2configs/wirelum.nix b/lass/2configs/wirelum.nix new file mode 100644 index 000000000..cd8a20c6b --- /dev/null +++ b/lass/2configs/wirelum.nix 
@@ -0,0 +1,44 @@ +with import <stockholm/lib>; +{ config, pkgs, ... }: let + + self = config.krebs.build.host.nets.wirelum; + isRouter = !isNull self.via; + +in mkIf (hasAttr "wirelum" config.krebs.build.host.nets) { + #hack for modprobe inside containers + systemd.services."wireguard-wirelum".path = mkIf config.boot.isContainer (mkBefore [ + (pkgs.writeDashBin "modprobe" ":") + ]); + + boot.kernel.sysctl = mkIf isRouter { + "net.ipv6.conf.all.forwarding" = 1; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [ + { precedence = 1000; predicate = "-i wirelum -o wirelum"; target = "ACCEPT"; } + ]; + + networking.wireguard.interfaces.wirelum = { + ips = + (optional (!isNull self.ip4) self.ip4.addr) ++ + (optional (!isNull self.ip6) self.ip6.addr); + listenPort = 51820; + privateKeyFile = (toString <secrets>) + "/wirelum.key"; + allowedIPsAsRoutes = true; + peers = mapAttrsToList + (_: host: { + allowedIPs = if isRouter then + (optional (!isNull host.nets.wirelum.ip4) host.nets.wirelum.ip4.addr) ++ + (optional (!isNull host.nets.wirelum.ip6) host.nets.wirelum.ip6.addr) + else + host.nets.wirelum.wireguard.subnets + ; + endpoint = mkIf (!isNull host.nets.wirelum.via) (host.nets.wirelum.via.ip4.addr + ":${toString host.nets.wirelum.wireguard.port}"); + persistentKeepalive = mkIf (!isNull host.nets.wirelum.via) 61; + publicKey = host.nets.wirelum.wireguard.pubkey; + }) + (filterAttrs (_: h: hasAttr "wirelum" h.nets) config.krebs.hosts); + }; +} diff --git a/lib/krebs/genipv6.nix b/lib/krebs/genipv6.nix new file mode 100644 index 000000000..8d5ca1667 --- /dev/null +++ b/lib/krebs/genipv6.nix 
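Review bot: `listenPort = 51820;` is hard-coded while the INPUT rule a few lines above opens `${toString self.wireguard.port}`; a host that sets `wireguard.port` to anything else ends up with the firewall open on one port and WireGuard listening on another. Use `listenPort = self.wireguard.port;` so the two cannot drift apart. Separately, `ips` are passed as bare addresses whereas the removed prism config used `10.244.1.1/24`; I believe the module expects CIDR notation and a bare address becomes a /32 (/128), which only works here because `allowedIPsAsRoutes = true` installs the peer routes — a comment stating that this is intended would save the next reader the same question.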
@@ -0,0 +1,92 @@ +lib: +with lib; +let { + body = netname: subnetname: suffix: rec { + address = let + suffix' = + if hasEmptyGroup (parseAddress suffix) + then suffix + else joinAddress "::" suffix; + in + checkAddress addressLength (joinAddress subnetPrefix suffix'); + addressCIDR = "${address}/${toString addressLength}"; + addressLength = 128; + + inherit netname; + netCIDR = "${netAddress}/${toString netPrefixLength}"; + netAddress = joinAddress netPrefix "::"; + netHash = toString { + retiolum = 0; + wirelum = 1; + }.${netname}; + netPrefix = "42:${netHash}"; + netPrefixLength = { + retiolum = 32; + wirelum = 32; + }.${netname}; + + inherit subnetname; + subnetCIDR = "${subnetAddress}/${toString subnetPrefixLength}"; + subnetAddress = joinAddress subnetPrefix "::"; + subnetHash = hash subnetname; + subnetPrefix = joinAddress netPrefix subnetHash; + subnetPrefixLength = netPrefixLength + 16; + + inherit suffix; + suffixLength = addressLength - subnetPrefixLength; + }; + + hash = s: head (match "0*(.*)" (substring 0 4 (hashString "sha256" s))); + + dropLast = n: xs: reverseList (drop n (reverseList xs)); + takeLast = n: xs: reverseList (take n (reverseList xs)); + + hasEmptyPrefix = xs: take 2 xs == ["" ""]; + hasEmptySuffix = xs: takeLast 2 xs == ["" ""]; + hasEmptyInfix = xs: any (x: x == "") (trimEmpty 2 xs); + + hasEmptyGroup = xs: + any (p: p xs) [hasEmptyPrefix hasEmptyInfix hasEmptySuffix]; + + ltrimEmpty = n: xs: if hasEmptyPrefix xs then drop n xs else xs; + rtrimEmpty = n: xs: if hasEmptySuffix xs then dropLast n xs else xs; + trimEmpty = n: xs: rtrimEmpty n (ltrimEmpty n xs); + + parseAddress = splitString ":"; + formatAddress = concatStringsSep ":"; + + check = s: c: if !c then throw "${s}" else true; + + checkAddress = maxaddrlen: addr: let + parsedaddr = parseAddress addr; + normalizedaddr = trimEmpty 1 parsedaddr; + in + assert (check "address malformed; lone leading colon: ${addr}" ( + head parsedaddr == "" -> tail (take 2 parsedaddr) == "" + )); 
+ assert (check "address malformed; lone trailing colon ${addr}" ( + last parsedaddr == "" -> head (takeLast 2 parsedaddr) == "" + )); + assert (check "address malformed; too many successive colons: ${addr}" ( + length (filter (x: x == "") normalizedaddr) > 1 -> addr == [""] + )); + assert (check "address malformed: ${addr}" ( + all (test "[0-9a-f]{0,4}") parsedaddr + )); + assert (check "address is too long: ${addr}" ( + length normalizedaddr * 16 <= maxaddrlen + )); + addr; + + joinAddress = prefix: suffix: let + parsedPrefix = parseAddress prefix; + parsedSuffix = parseAddress suffix; + normalizePrefix = rtrimEmpty 2 parsedPrefix; + normalizeSuffix = ltrimEmpty 2 parsedSuffix; + delimiter = + optional (length (normalizePrefix ++ normalizeSuffix) < 8 && + (hasEmptySuffix parsedPrefix || hasEmptyPrefix parsedSuffix)) + ""; + in + formatAddress (normalizePrefix ++ delimiter ++ normalizeSuffix); +} diff --git a/lib/types.nix b/lib/types.nix index 41e75154e..17c1688fa 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -192,6 +192,28 @@ rec { })); default = null; }; + wireguard = mkOption { + type = nullOr (submodule ({ config, ... }: { + options = { + port = mkOption { + type = int; + description = "tinc port to use to connect to host"; + default = 51820; + }; + pubkey = mkOption { + type = wireguard-pubkey; + }; + subnets = mkOption { + type = listOf cidr; + description = '' + wireguard subnets, + this defines how routing behaves for hosts that can't reach each other. + ''; + default = []; + }; + }; + })); + }; }; }); @@ -548,4 +570,6 @@ rec { check = filename.check; merge = mergeOneOption; }; + + wireguard-pubkey = str; } |
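Review bot: In checkAddress, the "too many successive colons" assert compares the string `addr` with the list `[""]`, which is never true in Nix, so the implication collapses to "at most one empty group after trimEmpty". That happens to be the intended rule (`::` normalises to a single empty group), but the dead comparison reads like a typo for `normalizedaddr == [""]` and should be written as `length (filter (x: x == "") normalizedaddr) <= 1` so the intent is visible. Separately, `hash` keeps only the first four hex digits of the sha256, so two subnet names can map to the same /48 under a net and nothing detects it; a comment on `subnetHash` stating that 16-bit limit would help anyone adding subnets.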
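Review bot: In the wireguard submodule of lib/types.nix the `port` option's description reads `tinc port to use to connect to host`, evidently copied from the tinc submodule, and `pubkey` has no description at all. Suggest `description = "wireguard port to use to connect to host";` for port and `description = "wireguard public key of this host (base64)";` for pubkey, since these strings are what `nixos-option` shows.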
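Review bot: `wireguard-pubkey = str;` accepts any string, so a truncated or hand-edited key is only discovered when the tunnel fails to handshake rather than at evaluation time. A WireGuard public key is 32 bytes of base64, i.e. 43 characters from `[A-Za-z0-9+/]` followed by one `=`; if `addCheck` and `match` are in scope here as they are elsewhere in this lib, `wireguard-pubkey = addCheck str (s: match "[A-Za-z0-9+/]{43}=" s != null);` rejects malformed values the same way the other typed fields in this file do.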