host rmdir: initial commit

modules/rmdir/default.nix

@@ -0,0 +1,76 @@
+{ pkgs, ... }:
+
+let
+  inherit (builtins) readFile;
+in
+
+{
+  imports =
+    [
+      <secrets/hashedPasswords.nix>
+      ./iptables.nix
+      ./networking.nix
+      ./users.nix
+      ../common/nixpkgs.nix
+      ../tv/base.nix
+      ../tv/base-cac-CentOS-7-64bit.nix
+      ../tv/exim-smarthost.nix
+      ../tv/git/public.nix
+      ../tv/retiolum.nix
+      ../tv/sanitize.nix
+    ];
+
+  nix.maxJobs = 1;
+
+  nixpkgs = {
+    url = "https://github.com/NixOS/nixpkgs";
+    rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+  };
+
+  environment.systemPackages = with pkgs; [
+    git # required for ./deploy, clone_or_update
+    htop
+    iftop
+    iotop
+    iptables
+    mutt    # for mv
+    nethogs
+    rxvt_unicode.terminfo
+    tcpdump
+  ];
+
+  security.rtkit.enable = false;
+
+  services.cron.enable = false;
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+
+  services.ntp.enable = false;
+
+  services.openssh = {
+    enable = true;
+    hostKeys = [
+      # XXX bits here make no science
+      { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+    ];
+    permitRootLogin = "yes";
+  };
+
+  services.retiolum = {
+    enable = true;
+    hosts = <retiolum-hosts>;
+    privateKeyFile = "/etc/tinc/retiolum/rsa_key.priv";
+    connectTo = [
+      "cd"
+      "rmdir"
+      "fastpoke"
+      "pigstarter"
+      "ire"
+    ];
+  };
+
+  sound.enable = false;
+}

modules/rmdir/iptables.nix

@@ -0,0 +1,76 @@
+{ config, pkgs, ... }:
+
+{
+  #
+  # iptables
+  #
+  networking.firewall.enable = false;
+  system.activationScripts.iptables =
+    let
+      log = false;
+      when = c: f: if c then f else "";
+    in
+      ''
+        ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; }
+        ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; }
+        ipXtables() { ip4tables "$@" && ip6tables "$@"; }
+
+        # XXX This fails with the original CAC CentOS 7 kernel.
+        if ipXtables -vL >/dev/null; then
+
+          #
+          # nat
+          #
+
+          # reset tables
+          ipXtables -t nat -F
+          ipXtables -t nat -X
+
+          #
+          ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0
+          ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh
+
+          #
+          # filter
+          #
+
+          # reset tables
+          ipXtables -P INPUT DROP
+          ipXtables -P FORWARD DROP
+          ipXtables -F
+          ipXtables -X
+
+          # create custom chains
+          ipXtables -N Retiolum
+
+          # INPUT
+          ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+          ipXtables -A INPUT -j ACCEPT -i lo
+          ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW
+          #ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
+          ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW
+          ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW
+          ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-client -m conntrack --ctstate NEW
+          ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-server -m conntrack --ctstate NEW
+
+          ipXtables -A INPUT -j Retiolum -i retiolum
+          ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"}
+
+          # FORWARD
+          ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"}
+
+          # Retiolum
+          ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request
+          ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request
+
+          ipXtables -A Retiolum -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
+
+          ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"}
+          ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
+          ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
+          ip4tables -A Retiolum -j REJECT        --reject-with icmp-proto-unreachable
+          ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable
+          ip6tables -A Retiolum -j REJECT
+        fi
+      '';
+}

modules/rmdir/networking.nix

@@ -0,0 +1,14 @@
+{...}:
+{
+  networking.hostName = "rmdir";
+  networking.interfaces.enp2s1.ip4 = [
+    {
+      address = "162.219.6.2";
+      prefixLength = 24;
+    }
+  ];
+  networking.defaultGateway = "162.219.6.1";
+  networking.nameservers = [
+    "8.8.8.8"
+  ];
+}

modules/rmdir/users.nix

@@ -0,0 +1,19 @@
+{ ... }:
+
+let
+  inherit (builtins) readFile;
+in
+
+{
+  users.extraUsers =
+    {
+      root = {
+        openssh.authorizedKeys.keys = [
+          (readFile <pubkeys/deploy_wu.ssh.pub>)
+          (readFile <pubkeys/tv_wu.ssh.pub>)
+        ];
+      };
+    };
+
+  users.mutableUsers = false;
+}