host rmdir: initial commit
This commit is contained in:
parent
e5b14a9ed6
commit
1538630782
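--- a/modules/rmdir/default.nix
+++ b/modules/rmdir/default.nix
@@ -0,0 +1,76 @@
+{ pkgs, ... }:
+
+let
+inherit (builtins) readFile;
+in
+
+{
+imports =
+[
+<secrets/hashedPasswords.nix>
+./iptables.nix
+./networking.nix
+./users.nix
+../common/nixpkgs.nix
+../tv/base.nix
+../tv/base-cac-CentOS-7-64bit.nix
+../tv/exim-smarthost.nix
+../tv/git/public.nix
+../tv/retiolum.nix
+../tv/sanitize.nix
+];
+
+nix.maxJobs = 1;
+
+nixpkgs = {
+url = "https://github.com/NixOS/nixpkgs";
+rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+};
+
+environment.systemPackages = with pkgs; [
+git # required for ./deploy, clone_or_update
+htop
+iftop
+iotop
+iptables
+mutt # for mv
+nethogs
+rxvt_unicode.terminfo
+tcpdump
+];
+
+security.rtkit.enable = false;
+
+services.cron.enable = false;
+
+services.journald.extraConfig = ''
+SystemMaxUse=1G
+RuntimeMaxUse=128M
+'';
+
+services.ntp.enable = false;
+
+services.openssh = {
+enable = true;
+hostKeys = [
+# XXX bits here make no science
+{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+];
+permitRootLogin = "yes";
+};
+
+services.retiolum = {
+enable = true;
+hosts = <retiolum-hosts>;
+privateKeyFile = "/etc/tinc/retiolum/rsa_key.priv";
+connectTo = [
+"cd"
+"rmdir"
+"fastpoke"
+"pigstarter"
+"ire"
+];
+};
+
+sound.enable = false;
+}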
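Review bot: `permitRootLogin = "yes";` in the services.openssh block, combined with the root password hash pulled in through `<secrets/hashedPasswords.nix>` in the imports list, leaves a password login path for root on the public interface unless password authentication is disabled somewhere not visible here; users.nix only ever provisions root with authorized keys, so `permitRootLogin = "without-password";` (or `"prohibit-password"` with newer OpenSSH) keeps the key-based deploy working while closing that path. The `bits = 8192` in hostKeys has no effect on an ed25519 key, as the XXX comment above it already admits, and can simply be dropped. The `let inherit (builtins) readFile; in` binding at the top of this file is unused here; it is only needed in users.nix.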
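--- a/modules/rmdir/iptables.nix
+++ b/modules/rmdir/iptables.nix
@@ -0,0 +1,76 @@
+{ config, pkgs, ... }:
+
+{
+#
+# iptables
+#
+networking.firewall.enable = false;
+system.activationScripts.iptables =
+let
+log = false;
+when = c: f: if c then f else "";
+in
+''
+ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; }
+ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; }
+ipXtables() { ip4tables "$@" && ip6tables "$@"; }
+
+# XXX This fails with the original CAC CentOS 7 kernel.
+if ipXtables -vL >/dev/null; then
+
+#
+# nat
+#
+
+# reset tables
+ipXtables -t nat -F
+ipXtables -t nat -X
+
+#
+ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0
+ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh
+
+#
+# filter
+#
+
+# reset tables
+ipXtables -P INPUT DROP
+ipXtables -P FORWARD DROP
+ipXtables -F
+ipXtables -X
+
+# create custom chains
+ipXtables -N Retiolum
+
+# INPUT
+ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ipXtables -A INPUT -j ACCEPT -i lo
+ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW
+#ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
+ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW
+ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW
+ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-client -m conntrack --ctstate NEW
+ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-server -m conntrack --ctstate NEW
+
+ipXtables -A INPUT -j Retiolum -i retiolum
+${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"}
+
+# FORWARD
+${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"}
+
+# Retiolum
+ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request
+ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request
+
+ipXtables -A Retiolum -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
+
+${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"}
+ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
+ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
+ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
+ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable
+ip6tables -A Retiolum -j REJECT
+fi
+'';
+}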
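Review bot: When the `ipXtables -vL >/dev/null` probe fails — and the XXX comment right above it says it does on the stock CAC CentOS 7 kernel — the entire `if` body is skipped without any report, so the host ends up with `networking.firewall.enable = false`, no rules, and the default ACCEPT policy on INPUT, i.e. fully unfiltered, and nothing in the activation log says so. An `else` branch makes that state visible at the point where it is decided: `else` / `echo "iptables: ipXtables unusable, host is running WITHOUT packet filtering" >&2` / `fi`. Separately, `ipXtables() { ip4tables "$@" && ip6tables "$@"; }` short-circuits, so a single failing IPv4 rule silently leaves the IPv6 side without that rule (including the `-P INPUT DROP` policy line); running both commands and checking each exit status separately keeps the two rule sets from drifting apart.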
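--- a/modules/rmdir/networking.nix
+++ b/modules/rmdir/networking.nix
@@ -0,0 +1,14 @@
+{...}:
+{
+networking.hostName = "rmdir";
+networking.interfaces.enp2s1.ip4 = [
+{
+address = "162.219.6.2";
+prefixLength = 24;
+}
+];
+networking.defaultGateway = "162.219.6.1";
+networking.nameservers = [
+"8.8.8.8"
+];
+}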
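Review bot: `networking.nameservers` names a single external resolver, so any outage of or route filtering towards `8.8.8.8` leaves the host unable to resolve names at all, which also affects the exim and retiolum modules imported from default.nix. Listing a second resolver (e.g. Google's secondary `"8.8.4.4"`, or the hosting provider's own resolvers) avoids that single point of failure. A short comment noting that lookups to these addresses leave the host in plaintext over the public interface would also help whoever revisits this file decide whether that is acceptable.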
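--- a/modules/rmdir/users.nix
+++ b/modules/rmdir/users.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+let
+inherit (builtins) readFile;
+in
+
+{
+users.extraUsers =
+{
+root = {
+openssh.authorizedKeys.keys = [
+(readFile <pubkeys/deploy_wu.ssh.pub>)
+(readFile <pubkeys/tv_wu.ssh.pub>)
+];
+};
+};
+
+users.mutableUsers = false;
+}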
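Review bot: The root authorized keys are read with `readFile` from `<pubkeys/deploy_wu.ssh.pub>` and `<pubkeys/tv_wu.ssh.pub>`, which are NIX_PATH lookups resolved on whatever machine evaluates the configuration, so the keys that land on the host are not pinned by anything in this repository. A comment above the list, e.g. `# <pubkeys> is resolved through NIX_PATH on the deploying host, not from this repo`, would make that dependency explicit for the next person running a deploy. Because `users.mutableUsers = false` is set, these two keys are root's only key-based credentials after activation, so a missing or wrong `pubkeys` entry in NIX_PATH produces a host that can no longer be reached for a fix.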