summaryrefslogtreecommitdiffstats
path: root/mb
diff options
context:
space:
mode:
Diffstat (limited to 'mb')
-rw-r--r--mb/1systems/rofl/configuration.nix103
-rw-r--r--mb/2configs/google-compute-config.nix231
-rw-r--r--mb/2configs/headless.nix25
-rw-r--r--mb/2configs/qemu-guest.nix19
4 files changed, 378 insertions, 0 deletions
diff --git a/mb/1systems/rofl/configuration.nix b/mb/1systems/rofl/configuration.nix
new file mode 100644
index 000000000..3c5c56c84
--- /dev/null
+++ b/mb/1systems/rofl/configuration.nix
@@ -0,0 +1,103 @@
+{ config, pkgs, callPackage, ... }: let
+ unstable = import <nixpkgs-unstable> { config = { allowUnfree = true; }; };
+in {
+ imports =
+ [ # Include the results of the hardware scan.
+ <stockholm/mb/2configs/google-compute-config.nix>
+ <stockholm/mb>
+ ];
+
+ krebs.build.host = config.krebs.hosts.rofl;
+
+ i18n = {
+ consoleFont = "Lat2-Terminus16";
+ consoleKeyMap = "de";
+ defaultLocale = "en_US.UTF-8";
+ };
+
+ time.timeZone = "Europe/Berlin";
+
+ nixpkgs.config.allowUnfree = true;
+
+ environment.shellAliases = {
+ ll = "ls -alh";
+ ls = "ls --color=tty";
+ };
+
+ environment.systemPackages = with pkgs; [
+ curl
+ fish
+ git
+ htop
+ nmap
+ ranger
+ tcpdump
+ tmux
+ traceroute
+ tree
+ vim
+ xz
+ zbackup
+ ];
+
+ sound.enable = false;
+
+ services.openssh.enable = true;
+ services.openssh.passwordAuthentication = false;
+
+ networking.wireless.enable = false;
+ networking.networkmanager.enable = false;
+ krebs.iptables.enable = true;
+ networking.enableIPv6 = false;
+
+ programs.fish = {
+ enable = true;
+ shellInit = ''
+ function ssh_agent --description 'launch the ssh-agent and add the id_rsa identity'
+ if begin
+ set -q SSH_AGENT_PID
+ and kill -0 $SSH_AGENT_PID
+ and grep -q '^ssh-agent' /proc/$SSH_AGENT_PID/cmdline
+ end
+ echo "ssh-agent running on pid $SSH_AGENT_PID"
+ else
+ eval (command ssh-agent -c | sed 's/^setenv/set -Ux/')
+ end
+ set -l identity $HOME/.ssh/id_rsa
+ set -l fingerprint (ssh-keygen -lf $identity | awk '{print $2}')
+ ssh-add -l | grep -q $fingerprint
+ or ssh-add $identity
+ end
+ '';
+ promptInit = ''
+ function fish_prompt --description 'Write out the prompt'
+ set -l color_cwd
+ set -l suffix
+ set -l nix_shell_info (
+ if test "$IN_NIX_SHELL" != ""
+ echo -n " <nix-shell>"
+ end
+ )
+ switch "$USER"
+ case root toor
+ if set -q fish_color_cwd_root
+ set color_cwd $fish_color_cwd_root
+ else
+ set color_cwd $fish_color_cwd
+ end
+ set suffix '#'
+ case '*'
+ set color_cwd $fish_color_cwd
+ set suffix '>'
+ end
+
+ echo -n -s "$USER" @ (set_color green) (prompt_hostname) (set_color normal) "$nix_shell_info" ' ' (set_color $color_cwd) (prompt_pwd) (set_color normal) "$suffix "
+ end
+ '';
+ };
+
+ system.autoUpgrade.enable = false;
+ system.autoUpgrade.channel = "https://nixos.org/channels/nixos-19.03";
+ system.stateVersion = "19.03";
+
+}
diff --git a/mb/2configs/google-compute-config.nix b/mb/2configs/google-compute-config.nix
new file mode 100644
index 000000000..b201bd4b8
--- /dev/null
+++ b/mb/2configs/google-compute-config.nix
@@ -0,0 +1,231 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+ gce = pkgs.google-compute-engine;
+in
+{
+ imports = [
+ ./headless.nix
+ ./qemu-guest.nix
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ autoResize = true;
+ };
+
+ boot.growPartition = true;
+ boot.kernelParams = [ "console=ttyS0" "panic=1" "boot.panic_on_fail" ];
+ boot.initrd.kernelModules = [ "virtio_scsi" ];
+ boot.kernelModules = [ "virtio_pci" "virtio_net" ];
+
+ # Generate a GRUB menu. Amazon's pv-grub uses this to boot our kernel/initrd.
+ boot.loader.grub.device = "/dev/sda";
+ boot.loader.timeout = 0;
+
+ # Don't put old configurations in the GRUB menu. The user has no
+ # way to select them anyway.
+ boot.loader.grub.configurationLimit = 0;
+
+ # Allow root logins only using the SSH key that the user specified
+ # at instance creation time.
+ #services.openssh.enable = true;
+ #services.openssh.permitRootLogin = "prohibit-password";
+ #services.openssh.passwordAuthentication = mkDefault false;
+
+ # Use GCE udev rules for dynamic disk volumes
+ services.udev.packages = [ gce ];
+
+ # Force getting the hostname from Google Compute.
+ networking.hostName = mkDefault "";
+
+ # Always include cryptsetup so that NixOps can use it.
+ environment.systemPackages = [ pkgs.cryptsetup ];
+
+ # Make sure GCE image does not replace host key that NixOps sets
+ environment.etc."default/instance_configs.cfg".text = lib.mkDefault ''
+ [InstanceSetup]
+ set_host_keys = false
+ '';
+
+ # Rely on GCP's firewall instead
+ networking.firewall.enable = mkDefault false;
+
+ # Configure default metadata hostnames
+ networking.extraHosts = ''
+ 169.254.169.254 metadata.google.internal metadata
+ '';
+
+ networking.timeServers = [ "metadata.google.internal" ];
+
+ networking.usePredictableInterfaceNames = false;
+
+ # GC has 1460 MTU
+ networking.interfaces.eth0.mtu = 1460;
+
+ security.googleOsLogin.enable = true;
+
+ systemd.services.google-clock-skew-daemon = {
+ description = "Google Compute Engine Clock Skew Daemon";
+ after = [
+ "network.target"
+ "google-instance-setup.service"
+ "google-network-setup.service"
+ ];
+ requires = ["network.target"];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${gce}/bin/google_clock_skew_daemon --debug";
+ };
+ };
+
+ systemd.services.google-instance-setup = {
+ description = "Google Compute Engine Instance Setup";
+ after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service"];
+ before = ["sshd.service"];
+ wants = ["local-fs.target" "network-online.target" "network.target"];
+ wantedBy = [ "sshd.service" "multi-user.target" ];
+ path = with pkgs; [ ethtool openssh ];
+ serviceConfig = {
+ ExecStart = "${gce}/bin/google_instance_setup --debug";
+ Type = "oneshot";
+ };
+ };
+
+ systemd.services.google-network-daemon = {
+ description = "Google Compute Engine Network Daemon";
+ after = ["local-fs.target" "network-online.target" "network.target" "rsyslog.service" "google-instance-setup.service"];
+ wants = ["local-fs.target" "network-online.target" "network.target"];
+ requires = ["network.target"];
+ partOf = ["network.target"];
+ wantedBy = [ "multi-user.target" ];
+ path = with pkgs; [ iproute ];
+ serviceConfig = {
+ ExecStart = "${gce}/bin/google_network_daemon --debug";
+ };
+ };
+
+ systemd.services.google-shutdown-scripts = {
+ description = "Google Compute Engine Shutdown Scripts";
+ after = [
+ "local-fs.target"
+ "network-online.target"
+ "network.target"
+ "rsyslog.service"
+ "systemd-resolved.service"
+ "google-instance-setup.service"
+ "google-network-daemon.service"
+ ];
+ wants = [ "local-fs.target" "network-online.target" "network.target"];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.coreutils}/bin/true";
+ ExecStop = "${gce}/bin/google_metadata_script_runner --debug --script-type shutdown";
+ Type = "oneshot";
+ RemainAfterExit = true;
+ TimeoutStopSec = "infinity";
+ };
+ };
+
+ systemd.services.google-startup-scripts = {
+ description = "Google Compute Engine Startup Scripts";
+ after = [
+ "local-fs.target"
+ "network-online.target"
+ "network.target"
+ "rsyslog.service"
+ "google-instance-setup.service"
+ "google-network-daemon.service"
+ ];
+ wants = ["local-fs.target" "network-online.target" "network.target"];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${gce}/bin/google_metadata_script_runner --debug --script-type startup";
+ KillMode = "process";
+ Type = "oneshot";
+ };
+ };
+
+
+ # Settings taken from https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf
+ boot.kernel.sysctl = {
+ # Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
+ # of TCP functionality/features under normal conditions. When flood
+ # protections kick in under high unanswered-SYN load, the system
+ # should remain more stable, with a trade off of some loss of TCP
+ # functionality/features (e.g. TCP Window scaling).
+ "net.ipv4.tcp_syncookies" = mkDefault "1";
+
+ # ignores source-routed packets
+ "net.ipv4.conf.all.accept_source_route" = mkDefault "0";
+
+ # ignores source-routed packets
+ "net.ipv4.conf.default.accept_source_route" = mkDefault "0";
+
+ # ignores ICMP redirects
+ "net.ipv4.conf.all.accept_redirects" = mkDefault "0";
+
+ # ignores ICMP redirects
+ "net.ipv4.conf.default.accept_redirects" = mkDefault "0";
+
+ # ignores ICMP redirects from non-GW hosts
+ "net.ipv4.conf.all.secure_redirects" = mkDefault "1";
+
+ # ignores ICMP redirects from non-GW hosts
+ "net.ipv4.conf.default.secure_redirects" = mkDefault "1";
+
+ # don't allow traffic between networks or act as a router
+ "net.ipv4.ip_forward" = mkDefault "0";
+
+ # don't allow traffic between networks or act as a router
+ "net.ipv4.conf.all.send_redirects" = mkDefault "0";
+
+ # don't allow traffic between networks or act as a router
+ "net.ipv4.conf.default.send_redirects" = mkDefault "0";
+
+ # reverse path filtering - IP spoofing protection
+ "net.ipv4.conf.all.rp_filter" = mkDefault "1";
+
+ # reverse path filtering - IP spoofing protection
+ "net.ipv4.conf.default.rp_filter" = mkDefault "1";
+
+ # ignores ICMP broadcasts to avoid participating in Smurf attacks
+ "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault "1";
+
+ # ignores bad ICMP errors
+ "net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault "1";
+
+ # logs spoofed, source-routed, and redirect packets
+ "net.ipv4.conf.all.log_martians" = mkDefault "1";
+
+ # log spoofed, source-routed, and redirect packets
+ "net.ipv4.conf.default.log_martians" = mkDefault "1";
+
+ # implements RFC 1337 fix
+ "net.ipv4.tcp_rfc1337" = mkDefault "1";
+
+ # randomizes addresses of mmap base, heap, stack and VDSO page
+ "kernel.randomize_va_space" = mkDefault "2";
+
+ # Reboot the machine soon after a kernel panic.
+ "kernel.panic" = mkDefault "10";
+
+ ## Not part of the original config
+
+ # provides protection from ToCToU races
+ "fs.protected_hardlinks" = mkDefault "1";
+
+ # provides protection from ToCToU races
+ "fs.protected_symlinks" = mkDefault "1";
+
+ # makes locating kernel addresses more difficult
+ "kernel.kptr_restrict" = mkDefault "1";
+
+ # set ptrace protections
+ "kernel.yama.ptrace_scope" = mkOverride 500 "1";
+
+ # set perf only available to root
+ "kernel.perf_event_paranoid" = mkDefault "2";
+ };
+}
diff --git a/mb/2configs/headless.nix b/mb/2configs/headless.nix
new file mode 100644
index 000000000..46a9b6a7d
--- /dev/null
+++ b/mb/2configs/headless.nix
@@ -0,0 +1,25 @@
+# Common configuration for headless machines (e.g., Amazon EC2
+# instances).
+
+{ lib, ... }:
+
+with lib;
+
+{
+ boot.vesa = false;
+
+ # Don't start a tty on the serial consoles.
+ systemd.services."serial-getty@ttyS0".enable = false;
+ systemd.services."serial-getty@hvc0".enable = false;
+ systemd.services."getty@tty1".enable = false;
+ systemd.services."autovt@".enable = false;
+
+ # Since we can't manually respond to a panic, just reboot.
+ boot.kernelParams = [ "panic=1" "boot.panic_on_fail" ];
+
+ # Don't allow emergency mode, because we don't have a console.
+ systemd.enableEmergencyMode = false;
+
+ # Being headless, we don't need a GRUB splash image.
+ boot.loader.grub.splashImage = null;
+}
diff --git a/mb/2configs/qemu-guest.nix b/mb/2configs/qemu-guest.nix
new file mode 100644
index 000000000..315d04093
--- /dev/null
+++ b/mb/2configs/qemu-guest.nix
@@ -0,0 +1,19 @@
+# Common configuration for virtual machines running under QEMU (using
+# virtio).
+
+{ ... }:
+
+{
+ boot.initrd.availableKernelModules = [ "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" ];
+ boot.initrd.kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ];
+
+ boot.initrd.postDeviceCommands =
+ ''
+ # Set the system time from the hardware clock to work around a
+ # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised
+ # to the *boot time* of the host).
+ hwclock -s
+ '';
+
+ security.rngd.enable = false;
+}