author | tv <tv@shackspace.de> | 2015-06-19 22:06:24 +0200 |
---|---|---|
committer | tv <tv@shackspace.de> | 2015-06-19 22:06:24 +0200 |
commit | 1538630782ac8c56d549af4fcac4c9abcba8c9c5 (patch) | |
tree | 35279433e44979ad8c240d3b5bba625702659044 /modules | |
parent | e5b14a9ed69a75f57a2184f85f5b4f24cb50da51 (diff) |
host rmdir: initial commit
Diffstat (limited to 'modules')
-rw-r--r-- | modules/rmdir/default.nix | 76 | ||||
-rw-r--r-- | modules/rmdir/iptables.nix | 76 | ||||
-rw-r--r-- | modules/rmdir/networking.nix | 14 | ||||
-rw-r--r-- | modules/rmdir/users.nix | 19 |
4 files changed, 185 insertions, 0 deletions
diff --git a/modules/rmdir/default.nix b/modules/rmdir/default.nix
new file mode 100644
index 000000000..e514e5dad
--- /dev/null
+++ b/modules/rmdir/default.nix
@@ -0,0 +1,76 @@
+{ pkgs, ... }:
+
+let
+ inherit (builtins) readFile;
+in
+
+{
+ imports =
+ [
+ <secrets/hashedPasswords.nix>
+ ./iptables.nix
+ ./networking.nix
+ ./users.nix
+ ../common/nixpkgs.nix
+ ../tv/base.nix
+ ../tv/base-cac-CentOS-7-64bit.nix
+ ../tv/exim-smarthost.nix
+ ../tv/git/public.nix
+ ../tv/retiolum.nix
+ ../tv/sanitize.nix
+ ];
+
+ nix.maxJobs = 1;
+
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs";
+ rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+ };
+
+ environment.systemPackages = with pkgs; [
+ git # required for ./deploy, clone_or_update
+ htop
+ iftop
+ iotop
+ iptables
+ mutt # for mv
+ nethogs
+ rxvt_unicode.terminfo
+ tcpdump
+ ];
+
+ security.rtkit.enable = false;
+
+ services.cron.enable = false;
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+
+ services.ntp.enable = false;
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ # XXX bits here make no science
+ { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ permitRootLogin = "yes";
+ };
+
+ services.retiolum = {
+ enable = true;
+ hosts = <retiolum-hosts>;
+ privateKeyFile = "/etc/tinc/retiolum/rsa_key.priv";
+ connectTo = [
+ "cd"
+ "rmdir"
+ "fastpoke"
+ "pigstarter"
+ "ire"
+ ];
+ };
+
+ sound.enable = false;
+}
diff --git a/modules/rmdir/iptables.nix b/modules/rmdir/iptables.nix
new file mode 100644
index 000000000..950aa8472
--- /dev/null
+++ b/modules/rmdir/iptables.nix
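Review bot: `permitRootLogin = "yes";` in the services.openssh block lets root authenticate with a password, and `services.openssh.passwordAuthentication` is not set in this hunk, so unless one of the imported modules disables it the root account on the SSH port accepts password logins. users.nix in this commit gives root authorized keys only, so `permitRootLogin = "without-password";` together with `passwordAuthentication = false;` would restrict root to key-based login without losing access. The `inherit (builtins) readFile;` in the `let` block is unused in this file and can be dropped. `services.ntp.enable = false;` also leaves the host without time synchronisation, which affects journald timestamps and certificate validity checks; a one-line comment stating why it is disabled would help the next reader.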
@@ -0,0 +1,76 @@
+{ config, pkgs, ... }:
+
+{
+ #
+ # iptables
+ #
+ networking.firewall.enable = false;
+ system.activationScripts.iptables =
+ let
+ log = false;
+ when = c: f: if c then f else "";
+ in
+ ''
+ ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; }
+ ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; }
+ ipXtables() { ip4tables "$@" && ip6tables "$@"; }
+
+ # XXX This fails with the original CAC CentOS 7 kernel.
+ if ipXtables -vL >/dev/null; then
+
+ #
+ # nat
+ #
+
+ # reset tables
+ ipXtables -t nat -F
+ ipXtables -t nat -X
+
+ #
+ ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0
+ ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh
+
+ #
+ # filter
+ #
+
+ # reset tables
+ ipXtables -P INPUT DROP
+ ipXtables -P FORWARD DROP
+ ipXtables -F
+ ipXtables -X
+
+ # create custom chains
+ ipXtables -N Retiolum
+
+ # INPUT
+ ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ ipXtables -A INPUT -j ACCEPT -i lo
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW
+ #ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-client -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-server -m conntrack --ctstate NEW
+
+ ipXtables -A INPUT -j Retiolum -i retiolum
+ ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"}
+
+ # FORWARD
+ ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"}
+
+ # Retiolum
+ ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request
+ ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request
+
+ ipXtables -A Retiolum -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
+
+ ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"}
+ ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
+ ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
+ ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
+ ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable
+ ip6tables -A Retiolum -j REJECT
+ fi
+ '';
+}
diff --git a/modules/rmdir/networking.nix b/modules/rmdir/networking.nix
new file mode 100644
index 000000000..45dae3dcb
--- /dev/null
+++ b/modules/rmdir/networking.nix
@@ -0,0 +1,14 @@
+{...}:
+{
+ networking.hostName = "rmdir";
+ networking.interfaces.enp2s1.ip4 = [
+ {
+ address = "162.219.6.2";
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "162.219.6.1";
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+}
diff --git a/modules/rmdir/users.nix b/modules/rmdir/users.nix
new file mode 100644
index 000000000..82f078b4e
--- /dev/null
+++ b/modules/rmdir/users.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+let
+ inherit (builtins) readFile;
+in
+
+{
+ users.extraUsers =
+ {
+ root = {
+ openssh.authorizedKeys.keys = [
+ (readFile <pubkeys/deploy_wu.ssh.pub>)
+ (readFile <pubkeys/tv_wu.ssh.pub>)
+ ];
+ };
+ };
+
+ users.mutableUsers = false;
+}
|
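Review bot: If the `ipXtables -vL` probe fails, as the XXX comment says it does on the original CAC CentOS 7 kernel, the script falls through to `fi` with no rules loaded, and since `networking.firewall.enable = false;` the host then runs with no packet filter at all while activation still reports success. An `else` branch such as `else echo 'iptables: kernel lacks iptables support, host is unfiltered' >&2` would at least make that state visible in the activation log. Separately, ip6tables gets `-P INPUT DROP` but the only ICMPv6 accept is the echo-request rule inside the Retiolum chain, so neighbour discovery on a non-retiolum interface would be dropped; networking.nix in this commit configures only IPv4, so this may be intentional, but it deserves a comment or an `ip6tables -A INPUT -j ACCEPT -p ipv6-icmp` rule before IPv6 is ever enabled on this host. With `log = false` the DROP and REJECT verdicts leave no trace, so blocked traffic cannot be reviewed from journald; keeping the LOG rules enabled with `-m limit --limit 5/min` keeps that observability at bounded volume.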
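Review bot: The deploy key `deploy_wu.ssh.pub` and the interactive key `tv_wu.ssh.pub` both land in root's authorized_keys, so the two roles share one account and can only be told apart in the sshd journal by key fingerprint. Since `openssh.authorizedKeys.keys` entries are written verbatim, the deploy key can be constrained with authorized_keys options such as `command=` and `no-pty` if it needs no interactive shell, which bounds what a leaked deploy key can do. If both keys are meant to have unrestricted root, a one-line comment above the list recording that decision would help the next reader.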