mb: add rofl.r

5 files changed, 404 insertions, 0 deletions

diff --git a/krebs/3modules/mb/default.nix b/krebs/3modules/mb/default.nix
index e77811f0..31e01c4a 100644
--- a/krebs/3modules/mb/default.nix
+++ b/krebs/3modules/mb/default.nix
@@ -36,6 +36,32 @@ in {
         };
       };
     };
+    rofl = {
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.42.43";
+          aliases = [
+            "rofl.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN PUBLIC KEY-----
+            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnysdVVwxkmSroNUleYZm
+            xdaIB9EdZYCo2xj3WyhsD2lWMpj51FzSH6Y052Vy1V1TCuIXIwjidpmMohBvflG8
+            txKCaBGQOZbVqRgzyCDXsNisbr05ayYuHcRrXTpn5ask4HN0Vtx2uJOn8YmOxA0D
+            VhyEnf8xWu+vi8dwDqRVR17QnPBYqgenzIBmAuRngvNqg6WZg+E9X2e1Dco/PMzb
+            VW0AgC2+zFCl4+G7dEW7uhsI6IJLy4LsJuEN4TlvWAf7tfdFEnBzTfODW8quGdts
+            1Yzah4svPNNt9F1ZhOR/1bDsfVoOjI76BgB0G+ZZPQAGV1zxgn8DXSKi/tJTLNu1
+            vj/n9sUJfXMYQdTAOkABghCyEDFUspPKCffQqUXUcJbLKY9fNssGGBeanMsobUQC
+            Ch9z7kIJ52JDcP/D58z9Yf62P5ENqXzeVPCcodIOey1EizOu/FH3jVo52we1M5sp
+            1iM4hMc3ZINUBI9AA1nLWWlB3lBnErAXrhmMMHjcO4nO7/M0YU+EalkDB5eIhqiH
+            QJx7VnOE2UZYU9Y0vVNSWfYocU12aABK98T7lr5Tde4dI1J81sk2MUZcbNHger3f
+            NxpvNzOBpeC5xvq/ENCRR7MDf/59xWW5P5N7PbGprLQAi8cfdSoIEhSPz17Taq1f
+            3aAAePgBsZvRQozxXZfqp58CAwEAAQ==
+            -----END PUBLIC KEY-----
+          '';
+        };
+      };
+    };
     p1nk = {
       nets = {
         retiolum = {
diff --git a/mb/1systems/rofl/configuration.nix b/mb/1systems/rofl/configuration.nix
new file mode 100644
index 00000000..3c5c56c8
--- /dev/null
+++ b/mb/1systems/rofl/configuration.nix
@@ -0,0 +1,103 @@
+{ config, pkgs, callPackage, ... }: let
+  unstable = import <nixpkgs-unstable> { config = { allowUnfree = true; }; };
+in {
+  imports =
+    [ # Include the results of the hardware scan.
+      <stockholm/mb/2configs/google-compute-config.nix>
+      <stockholm/mb>
+    ];
+
+  krebs.build.host = config.krebs.hosts.rofl;
+
+  i18n = {
+    consoleFont = "Lat2-Terminus16";
+    consoleKeyMap = "de";
+    defaultLocale = "en_US.UTF-8";
+  };
+
+  time.timeZone = "Europe/Berlin";
+
+  nixpkgs.config.allowUnfree = true;
+
+  environment.shellAliases = {
+    ll = "ls -alh";
+    ls = "ls --color=tty";
+  };
+
+  environment.systemPackages = with pkgs; [
+     curl
+     fish
+     git
+     htop
+     nmap
+     ranger
+     tcpdump
+     tmux
+     traceroute
+     tree
+     vim
+     xz
+     zbackup
+  ];
+
+  sound.enable = false;
+
+  services.openssh.enable = true;
+  services.openssh.passwordAuthentication = false;
+
+  networking.wireless.enable = false;
+  networking.networkmanager.enable = false;
+  krebs.iptables.enable = true;
+  networking.enableIPv6 = false;
+
+   programs.fish = {
+    enable = true;
+    shellInit = ''
+      function ssh_agent --description 'launch the ssh-agent and add the id_rsa identity'
+          if begin
+              set -q SSH_AGENT_PID
+              and kill -0 $SSH_AGENT_PID
+              and grep -q '^ssh-agent' /proc/$SSH_AGENT_PID/cmdline
+          end
+              echo "ssh-agent running on pid $SSH_AGENT_PID"
+          else
+              eval (command ssh-agent -c | sed 's/^setenv/set -Ux/')
+          end
+          set -l identity $HOME/.ssh/id_rsa
+          set -l fingerprint (ssh-keygen -lf $identity | awk '{print $2}')
+          ssh-add -l | grep -q $fingerprint
+            or ssh-add $identity
+      end
+    '';
+    promptInit = ''
+      function fish_prompt --description 'Write out the prompt'
+          set -l color_cwd
+          set -l suffix
+          set -l nix_shell_info (
+              if test "$IN_NIX_SHELL" != ""
+                 echo -n " <nix-shell>"
+              end
+          )
+          switch "$USER"
+              case root toor
+                  if set -q fish_color_cwd_root
+                      set color_cwd $fish_color_cwd_root
+                  else
+                      set color_cwd $fish_color_cwd
+                  end
+                  set suffix '#'
+              case '*'
+                  set color_cwd $fish_color_cwd
+                  set suffix '>'
+          end
+
+          echo -n -s "$USER" @ (set_color green) (prompt_hostname) (set_color normal) "$nix_shell_info" ' ' (set_color $color_cwd) (prompt_pwd) (set_color normal) "$suffix "
+      end
+    '';
+  };
+
+  system.autoUpgrade.enable = false;
+  system.autoUpgrade.channel = "https://nixos.org/channels/nixos-19.03";
+  system.stateVersion = "19.03";
+
+}
diff --git a/mb/2configs/google-compute-config.nix b/mb/2configs/google-compute-config.nix
new file mode 100644
index 00000000..b201bd4b
--- /dev/null
+++ b/mb/2configs/google-compute-config.nix
@@ -0,0 +1,231 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  gce = pkgs.google-compute-engine;
+in
+{
+  imports = [
+    ./headless.nix
+    ./qemu-guest.nix
+  ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    autoResize = true;
+  };
+
+  boot.growPartition = true;
+  boot.kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
+  boot.initrd.kernelModules = [ "virtio_scsi" ];
+  boot.kernelModules = [ "virtio_pci" "virtio_net" ];
+
+  # Generate a GRUB menu.  Amazon's pv-grub uses this to boot our kernel/initrd.
+  boot.loader.grub.device = "/dev/sda";
+  boot.loader.timeout = 0;
+
+  # Don't put old configurations in the GRUB menu.  The user has no
+  # way to select them anyway.
+  boot.loader.grub.configurationLimit = 0;
+
+  # Allow root logins only using the SSH key that the user specified
+  # at instance creation time.
+  #services.openssh.enable = true;
+  #services.openssh.permitRootLogin = "prohibit-password";
+  #services.openssh.passwordAuthentication = mkDefault false;
+
+  # Use GCE udev rules for dynamic disk volumes
+  services.udev.packages = [ gce ];
+
+  # Force getting the hostname from Google Compute.
+  networking.hostName = mkDefault "";
+
+  # Always include cryptsetup so that NixOps can use it.
+  environment.systemPackages = [ pkgs.cryptsetup ];
+
+  # Make sure GCE image does not replace host key that NixOps sets
+  environment.etc."default/instance_configs.cfg".text = lib.mkDefault ''
+    [InstanceSetup]
+    set_host_keys = false
+  '';
+
+  # Rely on GCP's firewall instead
+  networking.firewall.enable = mkDefault false;
+
+  # Configure default metadata hostnames
+  networking.extraHosts = ''
+    169.254.169.254 metadata.google.internal metadata
+  '';
+
+  networking.timeServers = [ "metadata.google.internal" ];
+
+  networking.usePredictableInterfaceNames = false;
+
+  # GC has 1460 MTU
+  networking.interfaces.eth0.mtu = 1460;
+
+  security.googleOsLogin.enable = true;
+
+  systemd.services.google-clock-skew-daemon = {
+    description = "Google Compute Engine Clock Skew Daemon";
+    after = [
+      "network.target"
+      "google-instance-setup.service"
+      "google-network-setup.service"
+    ];
+    requires = ["network.target"];
+    wantedBy = ["multi-user.target"];
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${gce}/bin/google_clock_skew_daemon --debug";
+    };
+  };
+
+  systemd.services.google-instance-setup = {
+    description = "Google Compute Engine Instance Setup";
+    after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service"];
+    before = ["sshd.service"];
+    wants = ["local-fs.target" "network-online.target" "network.target"];
+    wantedBy = [ "sshd.service" "multi-user.target" ];
+    path = with pkgs; [ ethtool openssh ];
+    serviceConfig = {
+      ExecStart = "${gce}/bin/google_instance_setup --debug";
+      Type = "oneshot";
+    };
+  };
+
+  systemd.services.google-network-daemon = {
+    description = "Google Compute Engine Network Daemon";
+    after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service" "google-instance-setup.service"];
+    wants = ["local-fs.target" "network-online.target" "network.target"];
+    requires = ["network.target"];
+    partOf = ["network.target"];
+    wantedBy = [ "multi-user.target" ];
+    path = with pkgs; [ iproute ];
+    serviceConfig = {
+      ExecStart = "${gce}/bin/google_network_daemon --debug";
+    };
+  };
+
+  systemd.services.google-shutdown-scripts = {
+    description = "Google Compute Engine Shutdown Scripts";
+    after = [
+      "local-fs.target"
+      "network-online.target"
+      "network.target"
+      "rsyslog.service"
+      "systemd-resolved.service"
+      "google-instance-setup.service"
+      "google-network-daemon.service"
+    ];
+    wants = [ "local-fs.target" "network-online.target" "network.target"];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.coreutils}/bin/true";
+      ExecStop = "${gce}/bin/google_metadata_script_runner --debug --script-type shutdown";
+      Type = "oneshot";
+      RemainAfterExit = true;
+      TimeoutStopSec = "infinity";
+    };
+  };
+
+  systemd.services.google-startup-scripts = {
+    description = "Google Compute Engine Startup Scripts";
+    after = [
+      "local-fs.target"
+      "network-online.target"
+      "network.target"
+      "rsyslog.service"
+      "google-instance-setup.service"
+      "google-network-daemon.service"
+    ];
+    wants = ["local-fs.target" "network-online.target" "network.target"];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = "${gce}/bin/google_metadata_script_runner --debug --script-type startup";
+      KillMode = "process";
+      Type = "oneshot";
+    };
+  };
+
+
+  # Settings taken from https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf
+  boot.kernel.sysctl = {
+    # Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
+    # of TCP functionality/features under normal conditions.  When flood
+    # protections kick in under high unanswered-SYN load, the system
+    # should remain more stable, with a trade off of some loss of TCP
+    # functionality/features (e.g. TCP Window scaling).
+    "net.ipv4.tcp_syncookies" = mkDefault "1";
+
+    # ignores source-routed packets
+    "net.ipv4.conf.all.accept_source_route" = mkDefault "0";
+
+    # ignores source-routed packets
+    "net.ipv4.conf.default.accept_source_route" = mkDefault "0";
+
+    # ignores ICMP redirects
+    "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
+
+    # ignores ICMP redirects
+    "net.ipv4.conf.default.accept_redirects" = mkDefault "0";
+
+    # ignores ICMP redirects from non-GW hosts
+    "net.ipv4.conf.all.secure_redirects" = mkDefault "1";
+
+    # ignores ICMP redirects from non-GW hosts
+    "net.ipv4.conf.default.secure_redirects" = mkDefault "1";
+
+    # don't allow traffic between networks or act as a router
+    "net.ipv4.ip_forward" = mkDefault "0";
+
+    # don't allow traffic between networks or act as a router
+    "net.ipv4.conf.all.send_redirects" = mkDefault "0";
+
+    # don't allow traffic between networks or act as a router
+    "net.ipv4.conf.default.send_redirects" = mkDefault "0";
+
+    # reverse path filtering - IP spoofing protection
+    "net.ipv4.conf.all.rp_filter" = mkDefault "1";
+
+    # reverse path filtering - IP spoofing protection
+    "net.ipv4.conf.default.rp_filter" = mkDefault "1";
+
+    # ignores ICMP broadcasts to avoid participating in Smurf attacks
+    "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault "1";
+
+    # ignores bad ICMP errors
+    "net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault "1";
+
+    # logs spoofed, source-routed, and redirect packets
+    "net.ipv4.conf.all.log_martians" = mkDefault "1";
+
+    # log spoofed, source-routed, and redirect packets
+    "net.ipv4.conf.default.log_martians" = mkDefault "1";
+
+    # implements RFC 1337 fix
+    "net.ipv4.tcp_rfc1337" = mkDefault "1";
+
+    # randomizes addresses of mmap base, heap, stack and VDSO page
+    "kernel.randomize_va_space" = mkDefault "2";
+
+    # Reboot the machine soon after a kernel panic.
+    "kernel.panic" = mkDefault "10";
+
+    ## Not part of the original config
+
+    # provides protection from ToCToU races
+    "fs.protected_hardlinks" = mkDefault "1";
+
+    # provides protection from ToCToU races
+    "fs.protected_symlinks" = mkDefault "1";
+
+    # makes locating kernel addresses more difficult
+    "kernel.kptr_restrict" = mkDefault "1";
+
+    # set ptrace protections
+    "kernel.yama.ptrace_scope" = mkOverride 500 "1";
+
+    # set perf only available to root
+    "kernel.perf_event_paranoid" = mkDefault "2";
+  };
+}
diff --git a/mb/2configs/headless.nix b/mb/2configs/headless.nix
new file mode 100644
index 00000000..46a9b6a7
--- /dev/null
+++ b/mb/2configs/headless.nix
@@ -0,0 +1,25 @@
+# Common configuration for headless machines (e.g., Amazon EC2
+# instances).
+
+{ lib, ... }:
+
+with lib;
+
+{
+  boot.vesa = false;
+
+  # Don't start a tty on the serial consoles.
+  systemd.services."serial-getty@ttyS0".enable = false;
+  systemd.services."serial-getty@hvc0".enable = false;
+  systemd.services."getty@tty1".enable = false;
+  systemd.services."autovt@".enable = false;
+
+  # Since we can't manually respond to a panic, just reboot.
+  boot.kernelParams = [ "panic=1" "boot.panic_on_fail" ];
+
+  # Don't allow emergency mode, because we don't have a console.
+  systemd.enableEmergencyMode = false;
+
+  # Being headless, we don't need a GRUB splash image.
+  boot.loader.grub.splashImage = null;
+}
diff --git a/mb/2configs/qemu-guest.nix b/mb/2configs/qemu-guest.nix
new file mode 100644
index 00000000..315d0409
--- /dev/null
+++ b/mb/2configs/qemu-guest.nix
@@ -0,0 +1,19 @@
+# Common configuration for virtual machines running under QEMU (using
+# virtio).
+
+{ ... }:
+
+{
+  boot.initrd.availableKernelModules = [ "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" ];
+  boot.initrd.kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ];
+
+  boot.initrd.postDeviceCommands =
+    ''
+      # Set the system time from the hardware clock to work around a
+      # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised
+      # to the *boot time* of the host).
+      hwclock -s
+    '';
+
+  security.rngd.enable = false;
+}