Diffstat (limited to '2configs/lass/base.nix')
-rw-r--r--2configs/lass/base.nix75
1 files changed, 41 insertions, 34 deletions
diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix
index 5e5b8a7b1..8d4a9c896 100644
--- a/2configs/lass/base.nix
+++ b/2configs/lass/base.nix
@@ -3,16 +3,44 @@
with lib;
{
imports = [
- ./sshkeys.nix
../../3modules/lass/iptables.nix
+ ../../2configs/lass/vim.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
(import /root/src/secrets/hashedPasswords.nix);
}
-
+ {
+ users.extraUsers = {
+ root = {
+ openssh.authorizedKeys.keys = map readFile [
+ ../../Zpubkeys/lass.ssh.pub
+ ];
+ };
+ mainUser = {
+ name = "lass";
+ uid = 1337;
+ home = "/home/lass";
+ group = "users";
+ createHome = true;
+ useDefaultShell = true;
+ extraGroups = [
+ "audio"
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = map readFile [
+ ../../Zpubkeys/lass.ssh.pub
+ ];
+ };
+ };
+ }
];
+ krebs = {
+ enable = true;
+ search-domain = "retiolum";
+ };
+
nix.useChroot = true;
users.mutableUsers = false;
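Review bot: The new block gives the root account its own SSH authorized key (the `root.openssh.authorizedKeys.keys` entry) using the same `lass.ssh.pub` key that the `wheel` member `mainUser` gets, so a compromise of that one key yields root directly with no sudo step and no per-user audit trail. If direct root login is not needed, drop the root entry and rely on `wheel`; if it is, confirm that the `services.openssh` block (only partly visible in the later hunk) restricts root to key-only auth via `permitRootLogin`. The identical `map readFile [ ../../Zpubkeys/lass.ssh.pub ]` list is also written twice; binding it once, e.g. `let lassKeys = map readFile [ ../../Zpubkeys/lass.ssh.pub ]; in` at the top of the attrset, keeps both users in sync when keys are rotated. Note that `readFile` is evaluated at build time, so the key file has to exist on the evaluating machine; the hunk itself does not show where `Zpubkeys` comes from.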
@@ -30,6 +58,8 @@ with lib;
'';
environment.systemPackages = with pkgs; [
+ nmap
+
git
most
rxvt_unicode.terminfo
@@ -77,11 +107,11 @@ with lib;
"sendmail"
];
- services.gitolite = {
- enable = true;
- dataDir = "/home/gitolite";
- adminPubkey = config.sshKeys.lass.pub;
- };
+ #services.gitolite = {
+ # enable = true;
+ # dataDir = "/home/gitolite";
+ # adminPubkey = config.sshKeys.lass.pub;
+ #};
services.openssh = {
enable = true;
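Review bot: The gitolite block is commented out rather than removed, and the commented text still references `config.sshKeys.lass.pub`, while the first hunk of this same commit drops the `./sshkeys.nix` import that presumably defined that option; re-enabling it by un-commenting would therefore fail to evaluate. Since git history already preserves the old configuration, the cleaner change is to delete the five `#` lines outright, or, if the service is meant to come back, replace the dead text with a one-line comment such as `# gitolite disabled; authorized key now comes from Zpubkeys/lass.ssh.pub` and adapt the `adminPubkey` source when it is restored. With `users.mutableUsers = false` the gitolite user presumably disappears on the next switch while `/home/gitolite` stays on disk; worth checking that the data directory is cleaned up or kept deliberately. The `services.openssh` attrset continues outside the hunk.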
@@ -102,35 +132,12 @@ with lib;
filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP";
filter.INPUT.rules = [
- { predicate = "-i lo"; target = "ACCEPT"; }
- { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- { predicate = "-p icmp"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport 22"; target = "ACCEPT"; }
+ { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
+ { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
+ { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
+ { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
];
};
};
- #Networking.firewall = {
- # enable = true;
-
- # allowedTCPPorts = [
- # 22
- # ];
-
- # extraCommands = ''
- # iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
- # iptables -A INPUT -j ACCEPT -i lo
- # #http://serverfault.com/questions/84963/why-not-block-icmp
- # iptables -A INPUT -j ACCEPT -p icmp
-
- # #TODO: fix Retiolum firewall
- # #iptables -N RETIOLUM
- # #iptables -A INPUT -j RETIOLUM -i retiolum
- # #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
- # #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset
- # #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable
- # #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable
- # #iptables -A RETIOLUM -j REJECT
- # '';
- #};
}
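Review bot: The four new `precedence` values (10001, 10000, 9999, 9998) are bare magic numbers, and nothing in this hunk says whether a higher value sorts earlier or later in the generated chain; that ordering is presumably defined in `3modules/lass/iptables.nix`, which is imported in the first hunk but not shown here. A short comment above the list, e.g. `# higher precedence = earlier in INPUT; keep conntrack first so established flows short-circuit the rest`, would make the intent checkable, and if higher does mean earlier, the `-i lo` rule would normally sit ahead of the icmp rule rather than behind it, which is only a small efficiency point since both are plain ACCEPTs. With `INPUT` policy `DROP` the remaining accepts are all-interface, so ssh on port 22 stays reachable from every interface including the retiolum one configured in the first hunk; that was already the case before the commit and is worth stating in a comment if it is intended. The removed commented-out block also carried the `TODO: fix Retiolum firewall` reminder, which this commit drops without a replacement note.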