summaryrefslogtreecommitdiffstats
path: root/krebs
diff options
context:
space:
mode:
Diffstat (limited to 'krebs')
-rw-r--r--krebs/3modules/makefu/default.nix67
-rw-r--r--krebs/3modules/nginx.nix13
-rw-r--r--krebs/3modules/retiolum.nix40
3 files changed, 105 insertions, 15 deletions
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 52db3de85..a878f50ee 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -49,10 +49,22 @@ with config.krebs.lib;
'';
};
siem = {
- ip4.addr = "10.8.10.2";
+ ip4.addr = "10.8.10.2";
+ ip4.prefix = "10.8.10.0/24";
aliases = [
"darth.siem"
];
+ tinc.pubkey = ''
+ Ed25519PublicKey = 24t9ye4gRLg6UbVxBvuuDlvU/cnByxMjYjym4LO6GkK
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCQKCAQEApcUeTecVahqNIfLEkfgNiaW+eHQ9Y90DxHhy9vdPZh8dmLqoFBoW
+ TCPcZIRpyj7hxRkNIhh34Ewpul0oQ1tzrUGcT2xvMNwaCupRDmhZn9jR9aFFEYKb
+ fUOplCxb4y2UKbWAA6hie3PKH9wnPfbwSsexb2BSQAqSt4iNIVCV6j7LXpiopbGS
+ Exs3/Pz+IeMtGyuMYA3rUmJsVRKR1o7axLtlhYK7JSMbqdYhaQJ4NZrvIXw//w21
+ kM/TJTPZ4j47ME18jQInO62X5h+xVch6DtvwvjBMMMKbS0am9qw1P3qo7MP3PmQh
+ rvVQRth8L63q4NLOnT29XmnxPSVGL1PBQQICEAE=
+ -----END RSA PUBLIC KEY-----
+ '';
};
};
};
@@ -60,9 +72,20 @@ with config.krebs.lib;
nets = {
siem = {
ip4.addr = "10.8.10.6";
+ ip4.prefix = "10.8.10.0/24";
aliases = [
"ossim.siem"
];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAv5qv9R3E1AHJOhTnHJ2E5zWjItRdXSw/inpz/W+KcBeM/HSG0XEl
+ RyGAwty7VP4CiLp7CagWmtVsz/5ytnXJzLDeRLn5t+KzO6am0aOpvAt6ZggZXPhL
+ cQkn4IGi1TJE5tw+lzabBkUZm3zD1KEXpqJeZ6spA4e9lB/+T3Tx23g9WDEOKand
+ mAJrsdsvTCIiVJefidOAmgeZVVOV3ltBonNP1nqEy+5v4B3EBT/Uj7ImL2aRj/pd
+ dPs6dGV2LqSQvnrSbFZzuKVXKpD1M+wgT/5NQk/hVJJxBQC6rxvpg1XyQkepcLWL
+ WjvogOl4NjXStmKDX2+gPPFx6XTmwDenOwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
};
};
};
@@ -126,9 +149,21 @@ with config.krebs.lib;
};
siem = {
ip4.addr = "10.8.10.4";
+ ip4.prefix = "10.8.10.0/24";
aliases = [
- "arch.siem"
+ "makefu.siem"
];
+ tinc.pubkey = ''
+ Ed25519PublicKey = rFTglGxm563e/w82Q9Qqy/E+V/ipT4DOTyTuYrWrtmI
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCQKCAQEAx+OQXQj6rlXIByo48JZXSexRz5G5oJVZTHAJ0GF5f70U65C0x83p
+ XtNp4LGYti+cyyzmQjf/N7jr2CxUlOATN2nRO4CT+JaMM2MoqnPWqTZBPMDiHq2y
+ ce0zjLPPl0hVc5mg+6F0tgolbUvTIo2CgAIl5lNvJiVfmXRSehmMprf1NPkxJd/O
+ vAOD7mgnCjkEAWElf1cfxSGZqSLbNltRK340nE5x6A5tY7iEueP/r9chEmOnVjKm
+ t+GJAJIe1PClWJHJYAXF8I7R3g+XQIqgw+VTN3Ng5cS5W/mbTFIzLWMZpdZaAhWR
+ 56pthtZAE5FZ+4vxMpDQ4yeDu0b6gajWNQICEAE=
+ -----END RSA PUBLIC KEY-----
+ '';
};
};
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
@@ -167,6 +202,7 @@ with config.krebs.lib;
extraZones = {
"krebsco.de" = ''
euer IN MX 1 aspmx.l.google.com.
+ nixos.unstable IN CNAME krebscode.github.io.
pigstarter IN A ${nets.internet.ip4.addr}
gold IN A ${nets.internet.ip4.addr}
boot IN A ${nets.internet.ip4.addr}
@@ -324,7 +360,21 @@ with config.krebs.lib;
nets = {
siem = {
ip4.addr = "10.8.10.7";
+ ip4.prefix = "10.8.10.0/24";
aliases = [ "display.siem" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEA+/TpxsVIBL9J9QAe/+jB6sgu/O6J+KY4YrAzZ6dM4kbFv5JA64f5
+ 6znv8EFqn6loS9Aez3e08P5scyGjiwWytdKN5Yztlffc0xDD7MUU2RiCsQF1X74J
+ +1i8NhSq3PJ6UeUURxYYnAYzBlFvsxev4vpniFTsIR9tmcAYX9NT9420D6nV7xq7
+ FdkoBlYj4eUQqQzHH1T/Lmt+BGmf+BufIJas+Oo/Sg59vIk9OM08WyAjHVT2iNbg
+ LXDhzVaeGOOM3GOa0YGG0giM3Rd245YPaPiVbwrMy8HQRBpMzXOPjcC1nYZSjxrW
+ LQxtRS+dmfEMG7MJ8T2T2bseX6z6mONc1QIDAQAB
+ -----END RSA PUBLIC KEY-----
+ -----BEGIN ED25519 PUBLIC KEY-----
+ 3JGeGnADWR+hfb4TEoHDyopEYgkfGNJKwy71bqcsNrO
+ -----END ED25519 PUBLIC KEY-----
+ '';
};
retiolum = {
ip4.addr = "10.243.214.15";
@@ -394,10 +444,21 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
nets = {
siem = {
ip4.addr = "10.8.10.1";
+ ip4.prefix = "10.8.10.0/24";
aliases = [
- "sjump.siem"
+ "shoney.siem"
"graphs.siem"
];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEA0OK28PHsMGMxAqVRiRGv93zzEWJgV3hMFquWrpbYC3OZwHDYcNHu
+ 74skwRRwwnbcq0ZtWroEvUTmZczuPt2FewdtuEutT7uZJnAYnzSOrB9lmmdoXKQU
+ l4ho1LEf/J0sMBi7RU/OJosuruQTAl53ca5KQbRCXkcPlmq4KzUpvgPINpEpYQjB
+ CGC3ErOvw2jXESbDnWomYZgJl3uilJUEYlyQEwyWVG+fO8uxlz9qKLXMlkoJTbs4
+ fTIcxh7y6ZA7QfMN3Ruq1R66smfXQ4xu1hybvqL66RLiDQgH3BRyKIgobS1UxI4z
+ L+xhIsiMXQIo2hv8aOUnf/7Ac9DXNR83GwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
};
internet = {
ip4.addr = "64.137.234.215";
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index bc32da3b1..214f55018 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -71,6 +71,14 @@ let
type = bool;
default = true;
};
+ force_encryption = mkOption {
+ type = bool;
+ default = false;
+ description = ''
+ redirect all `http` traffic to the same domain but with ssl
+ protocol.
+ '';
+ };
protocols = mkOption {
type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
default = [ "TLSv1.1" "TLSv1.2" ];
@@ -120,6 +128,11 @@ let
server_name ${toString (unique server-names)};
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
${optionalString ssl.enable (indent ''
+ ${optionalString ssl.force_encryption ''
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }
+ ''}
listen 443 ssl;
ssl_certificate ${ssl.certificate};
ssl_certificate_key ${ssl.certificate_key};
diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix
index 0bd815211..18e0dd65a 100644
--- a/krebs/3modules/retiolum.nix
+++ b/krebs/3modules/retiolum.nix
@@ -12,9 +12,11 @@ let
define a tinc network
'';
type = with types; attrsOf (submodule (tinc: {
- options = {
+ options = let
+ netname = tinc.config._module.args.name;
+ in {
- enable = mkEnableOption "krebs.tinc.${tinc.config._module.args.name}" // { default = true; };
+ enable = mkEnableOption "krebs.tinc.${netname}" // { default = true; };
host = mkOption {
type = types.host;
@@ -23,7 +25,7 @@ let
netname = mkOption {
type = types.enum (attrNames tinc.config.host.nets);
- default = tinc.config._module.args.name;
+ default = netname;
description = ''
The tinc network name.
It is used to name the TUN device and to generate the default value for
@@ -38,6 +40,27 @@ let
Extra Configuration to be appended to tinc.conf
'';
};
+ tincUp = mkOption {
+ type = types.string;
+ default = let
+ net = tinc.config.host.nets.${netname};
+ iproute = tinc.config.iproutePackage;
+ in ''
+ ${optionalString (net.ip4 != null) /* sh */ ''
+ ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname}
+ ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname}
+ ''}
+ ${optionalString (net.ip6 != null) /* sh */ ''
+ ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname}
+ ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname}
+ ''}
+ '';
+ description = ''
+ tinc-up script to be used. Defaults to setting the
+ krebs.host.nets.<netname>.ip4 and ip6 for the new ips and
+ configures forwarding of the respecitive netmask as subnet.
+ '';
+ };
tincPackage = mkOption {
type = types.package;
@@ -131,6 +154,7 @@ let
krebs.secret.files = mapAttrs' (netname: cfg:
nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc;
+
users.users = mapAttrs' (netname: cfg:
nameValuePair "${netname}" {
inherit (cfg.user) home name uid;
@@ -140,7 +164,6 @@ let
systemd.services = mapAttrs (netname: cfg:
let
- net = cfg.host.nets.${netname};
tinc = cfg.tincPackage;
iproute = cfg.iproutePackage;
@@ -157,14 +180,7 @@ let
'';
"tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
${iproute}/sbin/ip link set ${netname} up
- ${optionalString (net.ip4 != null) /* sh */ ''
- ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname}
- ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname}
- ''}
- ${optionalString (net.ip6 != null) /* sh */ ''
- ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname}
- ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname}
- ''}
+ ${cfg.tincUp}
'';
}
);