Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'prism/master'

Browse Source
This commit is contained in:
tv 2018-12-11 19:50:50 +01:00
commit 172a746c3a
14 changed files with 336 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
krebs/3modules/default.nix
View File

@ -122,6 +122,7 @@ let
shack = "hosts";
i = "hosts";
r = "hosts";
w = "hosts";
};
krebs.users = {

90
krebs/3modules/lass/default.nix
View File

@ -1,7 +1,11 @@
{ config, ... }:
with import <stockholm/lib>;
let
rip6 = krebs.genipv6 "retiolum" "lass";
wip6 = krebs.genipv6 "wirelum" "lass";
in
{
dns.providers = {
"lassul.us" = "zones";
@ -85,11 +89,22 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY-----
'';
};
wirelum = {
via = internet;
ip4.addr = "10.244.1.1";
ip6.addr = (wip6 "1").address;
aliases = [
"prism.w"
];
wireguard = {
pubkey = "oKJotppdEJqQBjrqrommEUPw+VFryvEvNJr/WikXohk=";
subnets = [ "10.244.1.0/24" (wip6 "1").subnetCIDR ];
};
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
};
archprism = {
cores = 1;
nets = rec {
@ -177,6 +192,13 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY-----
'';
};
wirelum = {
ip6.addr = (wip6 "dea7").address;
aliases = [
"mors.w"
];
wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za3J3SQ=";
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
@ -203,6 +225,13 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY-----
'';
};
wirelum = {
ip6.addr = (wip6 "50da").address;
aliases = [
"shodan.w"
];
wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za4J3SQ=";
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
@ -229,6 +258,13 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY-----
'';
};
wirelum = {
ip6.addr = (wip6 "1205").address;
aliases = [
"icarus.w"
];
wireguard.pubkey = "mVe3YdlWOlVF5+YD5vgNha3s03dv6elmNVsARtPLXQQ=";
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
@ -425,6 +461,13 @@ with import <stockholm/lib>;
-----END PUBLIC KEY-----
'';
};
wirelum = {
ip6.addr = (wip6 "e110").address;
aliases = [
"yellow.w"
];
wireguard.pubkey = "YeWbR3mW+nOVBE7bcNSzF5fjj9ppd8OGHBJqERAUVxU=";
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje ";
@ -459,6 +502,49 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv";
};
phone = {
nets = {
wirelum = {
ip6.addr = (wip6 "a").address;
ip4.addr = "10.244.1.2";
aliases = [
"phone.w"
];
wireguard.pubkey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
};
};
external = true;
ci = false;
};
morpheus = {
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.19";
ip6.addr = "42::19";
aliases = [
"morpheus.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAptrlSKQKsBH2QMQxllZR94S/fXneajpJifRjXR5bi+7ME2ThdQXY
T7yWiKaUuBJThWged9PdPltLUEMmv+ubQqpWHZq442VWSS36r1yMSGpUeKK+oYMN
/Sfu+1yC4m2uXno95wpJZIcDfbbn26jT6ldJ4Yd97zyrXKljvcdrz3wZzQq0tojh
S5Q59x/aQMJbnQpnlFnMIEVgULuFPW16+vPGsXIPdYNggaF1avcBaFl8i3M0EZVz
Swn4hArDynDJhR7M0QdlwOpOh7O+1iOnmXqqei3LxMVHb+YtzfHgxOPxggUsy7CR
bj9uBR9loGwgmZwaxXd1Vfbw8kn/feOb9FcW73u+SZyzwEA9HFRV0jGQe3P9mGfI
Bwe02DOTVXEB8jTAGCw5T3bXLIOX8kqdlCECuAWFfrt8H+GjZDuGUWRcMn32orMz
sMvkab95ZOHK6Q31mrhILOIOdyZWKPZIabL3HF6CZtu52h6MDHbmGS0w0OJYhj2+
VnT9ZBoaeooVg8QOE43rCXvmL5vzhLKrj4s/53wTGG5SpzLs9Q9rrJVgAnz4YQ7j
3Ov5q3Zxyr+vO6O7Pb5X49vCQw/jzK41S0/15GEmKcoxXemzeZCpX1mbeeTUtLvA
U7OJwldrElzictBJ1gT94L4BDvoGZVqAkXJCJPamfsWaiw6SsMqtTfECAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXS60mmNWMdMRvaPxGn91Cm/hm7zY8xn5rkI4n2KG/f ";
};
};
users = rec {
lass = lass-blue;

33
lass/1systems/morpheus/config.nix Normal file
View File

@ -0,0 +1,33 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/power-action.nix>
<stockholm/lass/2configs/baseX.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/steam.nix>
];
krebs.build.host = config.krebs.hosts.morpheus;
networking.wireless.enable = false;
networking.networkmanager.enable = true;
services.logind.extraConfig = ''
HandleLidSwitch=ignore
'';
nixpkgs.config.packageOverrides = super: {
steam = super.steam.override {
withPrimus = true;
extraPkgs = p: with p; [
glxinfo
nettools
bumblebee
];
};
};
}

32
lass/1systems/morpheus/physical.nix Normal file
View File

@ -0,0 +1,32 @@
{ lib, ... }:
{
imports = [
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
./config.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostId = "60ce7e88";
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.kernelParams = [ "acpi_osi=!" ''acpi_osi="Windows 2009"'' ];
hardware.bumblebee.enable = true;
hardware.bumblebee.group = "video";
fileSystems."/" =
{ device = "rpool/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/DF3B-4528";
fsType = "vfat";
};
nix.maxJobs = lib.mkDefault 8;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

26
lass/1systems/prism/config.nix
View File

@ -297,37 +297,25 @@ with import <stockholm/lib>;
};
}
{
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport 51820"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
imports = [
<stockholm/lass/2configs/wirelum.nix>
];
#krebs.iptables.tables.nat.PREROUTING.rules = [
# { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
#];
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24 -d 10.243.0.0/16"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.244.1.1/24" ];
listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wireguard.key";
allowedIPsAsRoutes = true;
peers = [
{
# lass-android
allowedIPs = [ "10.244.1.2/32" ];
publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
}
];
};
services.dnsmasq = {
enable = true;
resolveLocalQueries = false;
extraConfig= ''
listen-address=10.244.1.1
except-interface=lo
interface=wg0
'';

9
lass/1systems/yellow/config.nix
View File

@ -19,7 +19,11 @@ with import <stockholm/lib>;
users.groups.download.members = [ "transmission" ];
users.users.transmission.group = mkForce "download";
systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ];
systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];
systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];
systemd.services.transmission.postStart = ''
chmod 775 /var/download/finished
'';
services.transmission = {
enable = true;
settings = {
@ -52,6 +56,9 @@ with import <stockholm/lib>;
autoindex on;
'';
};
locations."/dl".extraConfig = ''
return 301 /;
'';
locations."/" = {
root = "/var/download/finished";
extraConfig = ''

4
lass/2configs/baseX.nix
View File

@ -97,9 +97,9 @@ in {
enable = true;
layout = "us";
display = mkForce 0;
xkbModel = "evdev";
xkbVariant = "altgr-intl";
xkbOptions = "caps:backspace";
xkbOptions = "caps:escape";
libinput.enable = true;
displayManager.lightdm.enable = true;
windowManager.default = "xmonad";
windowManager.session = [{

1
lass/2configs/default.nix
View File

@ -10,6 +10,7 @@ with import <stockholm/lib>;
./zsh.nix
./htop.nix
./security-workarounds.nix
./wirelum.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })

1
lass/2configs/exim-smarthost.nix
View File

@ -94,6 +94,7 @@ with import <stockholm/lib>;
{ from = "osmocom@lassul.us"; to = lass.mail; }
{ from = "lesswrong@lassul.us"; to = lass.mail; }
{ from = "nordvpn@lassul.us"; to = lass.mail; }
{ from = "csv-direct@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }

1
lass/2configs/games.nix
View File

@ -57,6 +57,7 @@ let
in {
environment.systemPackages = with pkgs; [
dolphinEmu
doom1
doom2
vdoom1

3
lass/2configs/mouse.nix
View File

@ -1,4 +1,4 @@
{ ... }:
{ lib, ... }:
{
hardware.trackpoint = {
enable = true;
@ -7,6 +7,7 @@
emulateWheel = true;
};
services.xserver.libinput.enable = lib.mkForce false;
services.xserver.synaptics = {
enable = true;
horizEdgeScroll = false;

44
lass/2configs/wirelum.nix Normal file
View File

@ -0,0 +1,44 @@
with import <stockholm/lib>;
{ config, pkgs, ... }: let
self = config.krebs.build.host.nets.wirelum;
isRouter = !isNull self.via;
in mkIf (hasAttr "wirelum" config.krebs.build.host.nets) {
#hack for modprobe inside containers
systemd.services."wireguard-wirelum".path = mkIf config.boot.isContainer (mkBefore [
(pkgs.writeDashBin "modprobe" ":")
]);
boot.kernel.sysctl = mkIf isRouter {
"net.ipv6.conf.all.forwarding" = 1;
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
];
krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
{ precedence = 1000; predicate = "-i wirelum -o wirelum"; target = "ACCEPT"; }
];
networking.wireguard.interfaces.wirelum = {
ips =
(optional (!isNull self.ip4) self.ip4.addr) ++
(optional (!isNull self.ip6) self.ip6.addr);
listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wirelum.key";
allowedIPsAsRoutes = true;
peers = mapAttrsToList
(_: host: {
allowedIPs = if isRouter then
(optional (!isNull host.nets.wirelum.ip4) host.nets.wirelum.ip4.addr) ++
(optional (!isNull host.nets.wirelum.ip6) host.nets.wirelum.ip6.addr)
else
host.nets.wirelum.wireguard.subnets
;
endpoint = mkIf (!isNull host.nets.wirelum.via) (host.nets.wirelum.via.ip4.addr + ":${toString host.nets.wirelum.wireguard.port}");
persistentKeepalive = mkIf (!isNull host.nets.wirelum.via) 61;
publicKey = host.nets.wirelum.wireguard.pubkey;
})
(filterAttrs (_: h: hasAttr "wirelum" h.nets) config.krebs.hosts);
};
}

92
lib/krebs/genipv6.nix Normal file
View File

@ -0,0 +1,92 @@
lib:
with lib;
let {
body = netname: subnetname: suffix: rec {
address = let
suffix' =
if hasEmptyGroup (parseAddress suffix)
then suffix
else joinAddress "::" suffix;
in
checkAddress addressLength (joinAddress subnetPrefix suffix');
addressCIDR = "${address}/${toString addressLength}";
addressLength = 128;
inherit netname;
netCIDR = "${netAddress}/${toString netPrefixLength}";
netAddress = joinAddress netPrefix "::";
netHash = toString {
retiolum = 0;
wirelum = 1;
}.${netname};
netPrefix = "42:${netHash}";
netPrefixLength = {
retiolum = 32;
wirelum = 32;
}.${netname};
inherit subnetname;
subnetCIDR = "${subnetAddress}/${toString subnetPrefixLength}";
subnetAddress = joinAddress subnetPrefix "::";
subnetHash = hash subnetname;
subnetPrefix = joinAddress netPrefix subnetHash;
subnetPrefixLength = netPrefixLength + 16;
inherit suffix;
suffixLength = addressLength - subnetPrefixLength;
};
hash = s: head (match "0*(.*)" (substring 0 4 (hashString "sha256" s)));
dropLast = n: xs: reverseList (drop n (reverseList xs));
takeLast = n: xs: reverseList (take n (reverseList xs));
hasEmptyPrefix = xs: take 2 xs == ["" ""];
hasEmptySuffix = xs: takeLast 2 xs == ["" ""];
hasEmptyInfix = xs: any (x: x == "") (trimEmpty 2 xs);
hasEmptyGroup = xs:
any (p: p xs) [hasEmptyPrefix hasEmptyInfix hasEmptySuffix];
ltrimEmpty = n: xs: if hasEmptyPrefix xs then drop n xs else xs;
rtrimEmpty = n: xs: if hasEmptySuffix xs then dropLast n xs else xs;
trimEmpty = n: xs: rtrimEmpty n (ltrimEmpty n xs);
parseAddress = splitString ":";
formatAddress = concatStringsSep ":";
check = s: c: if !c then throw "${s}" else true;
checkAddress = maxaddrlen: addr: let
parsedaddr = parseAddress addr;
normalizedaddr = trimEmpty 1 parsedaddr;
in
assert (check "address malformed; lone leading colon: ${addr}" (
head parsedaddr == "" -> tail (take 2 parsedaddr) == ""
));
assert (check "address malformed; lone trailing colon ${addr}" (
last parsedaddr == "" -> head (takeLast 2 parsedaddr) == ""
));
assert (check "address malformed; too many successive colons: ${addr}" (
length (filter (x: x == "") normalizedaddr) > 1 -> addr == [""]
));
assert (check "address malformed: ${addr}" (
all (test "[0-9a-f]{0,4}") parsedaddr
));
assert (check "address is too long: ${addr}" (
length normalizedaddr * 16 <= maxaddrlen
));
addr;
joinAddress = prefix: suffix: let
parsedPrefix = parseAddress prefix;
parsedSuffix = parseAddress suffix;
normalizePrefix = rtrimEmpty 2 parsedPrefix;
normalizeSuffix = ltrimEmpty 2 parsedSuffix;
delimiter =
optional (length (normalizePrefix ++ normalizeSuffix) < 8 &&
(hasEmptySuffix parsedPrefix || hasEmptyPrefix parsedSuffix))
"";
in
formatAddress (normalizePrefix ++ delimiter ++ normalizeSuffix);
}

24
lib/types.nix
View File

@ -192,6 +192,28 @@ rec {
}));
default = null;
};
wireguard = mkOption {
type = nullOr (submodule ({ config, ... }: {
options = {
port = mkOption {
type = int;
description = "tinc port to use to connect to host";
default = 51820;
};
pubkey = mkOption {
type = wireguard-pubkey;
};
subnets = mkOption {
type = listOf cidr;
description = ''
wireguard subnets,
this defines how routing behaves for hosts that can't reach each other.
'';
default = [];
};
};
}));
};
};
});
@ -548,4 +570,6 @@ rec {
check = filename.check;
merge = mergeOneOption;
};
wireguard-pubkey = str;
}