summaryrefslogtreecommitdiffstats
path: root/modules/cd
diff options
context:
space:
mode:
Diffstat (limited to 'modules/cd')
-rw-r--r--modules/cd/default.nix118
-rw-r--r--modules/cd/iptables.nix75
-rw-r--r--modules/cd/networking.nix14
3 files changed, 207 insertions, 0 deletions
diff --git a/modules/cd/default.nix b/modules/cd/default.nix
new file mode 100644
index 000000000..a4e6bbc7d
--- /dev/null
+++ b/modules/cd/default.nix
@@ -0,0 +1,118 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [
+ <secrets/hashedPasswords.nix>
+ ./iptables.nix
+ ./networking.nix
+ ../tv/base-cac-CentOS-7-64bit.nix
+ ../tv/ejabberd.nix # XXX echtes modul
+ ../tv/exim-smarthost.nix
+ ../tv/retiolum.nix
+ ../tv/sanitize.nix
+ ];
+
+ # "Developer 2" plan has two vCPUs.
+ nix.maxJobs = 2;
+
+
+ environment.systemPackages = with pkgs; [
+ htop
+ iftop
+ iotop
+ iptables
+ mutt # for mv
+ nethogs
+ rxvt_unicode.terminfo
+ tcpdump
+ ];
+
+ security.rtkit.enable = false;
+
+ services.cron.enable = false;
+
+ services.ejabberd-cd = {
+ enable = true;
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+
+ services.ntp.enable = false;
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ # XXX bits here make no science
+ { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ permitRootLogin = "yes";
+ };
+
+ services.retiolum = {
+ enable = true;
+ hosts = /etc/nixos/hosts;
+ privateKeyFile = "/etc/nixos/secrets/cd.retiolum.rsa_key.priv";
+ connectTo = [
+ "fastpoke"
+ "pigstarter"
+ "ire"
+ ];
+ };
+
+ sound.enable = false;
+
+ # TODO base
+ time.timeZone = "UTC";
+
+ # TODO replace by ./modules/cd-users.nix
+ users.extraGroups = {
+
+ # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+ # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+ # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+ # Docs: man:tmpfiles.d(5)
+ # man:systemd-tmpfiles(8)
+ # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+ # Main PID: 19272 (code=exited, status=1/FAILURE)
+ #
+ # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+ # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+ # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+ # warning: error(s) occured while switching to the new configuration
+ lock.gid = 10001;
+
+ };
+ users.extraUsers =
+ {
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEieAihh+o208aeCA14fAtjzyZN/nrpOJt2vZ5VYZp69 deploy@wu"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDYv5OkVrnerkzJwgi7ol7HzcWJf4oWCJTX84trFX5vgJXu1zMvSe+koY8xpnMOd7WHF2wgsjjrFlMuixTrfMPc/OjvG2N1TlnvzlFD8ivTW/AJzDwNxT//niqAYAZ9kmb8e/zE/SyNHSKZcyEKGiiW2+YW9wWHPYRP/XiNEjLP3BeTGScMwWr001V/8m7ne4SGHrE1FbHbHqaBXgqUFgnvzMY3CsfDafODZlj5xSMNGHyLGNNKvu3YR1crcAjbQrBXBdwaArThFxp+e2uWrnffshlks6WtRyR1AFVjc/gxEG74Axq1AHY6EJm2Fw/JdFNiYQ7yyQZHS9bZJYjgnWF tv@nomic"
+ ];
+ };
+
+ mv = rec {
+ name = "mv";
+ uid = 1338;
+ group = "users";
+ home = "/home/${name}";
+ createHome = true;
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGer9e2+Lew7vnisgBbsFNECEIkpNJgEaqQqgb9inWkQ mv@vod"
+ ];
+ };
+
+ };
+
+ users.mutableUsers = false;
+
+}
diff --git a/modules/cd/iptables.nix b/modules/cd/iptables.nix
new file mode 100644
index 000000000..48425e8dc
--- /dev/null
+++ b/modules/cd/iptables.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, ... }:
+
+{
+ #
+ # iptables
+ #
+ networking.firewall.enable = false;
+ system.activationScripts.iptables =
+ let
+ log = false;
+ when = c: f: if c then f else "";
+ in
+ ''
+ ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; }
+ ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; }
+ ipXtables() { ip4tables "$@" && ip6tables "$@"; }
+
+ # XXX This fails with the original CAC CentOS 7 kernel.
+ if ipXtables -vL >/dev/null; then
+
+ #
+ # nat
+ #
+
+ # reset tables
+ ipXtables -t nat -F
+ ipXtables -t nat -X
+
+ #
+ ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0
+ ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh
+
+ #
+ # filter
+ #
+
+ # reset tables
+ ipXtables -P INPUT DROP
+ ipXtables -P FORWARD DROP
+ ipXtables -F
+ ipXtables -X
+
+ # create custom chains
+ ipXtables -N Retiolum
+
+ # INPUT
+ ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ ipXtables -A INPUT -j ACCEPT -i lo
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW
+ #ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-client -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-server -m conntrack --ctstate NEW
+
+ ipXtables -A INPUT -j Retiolum -i retiolum
+ ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"}
+
+ # FORWARD
+ ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"}
+
+ # Retiolum
+ ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request
+ ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request
+
+
+ ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"}
+ ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
+ ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
+ ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
+ ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable
+ ip6tables -A Retiolum -j REJECT
+ fi
+ '';
+}
diff --git a/modules/cd/networking.nix b/modules/cd/networking.nix
new file mode 100644
index 000000000..215e20829
--- /dev/null
+++ b/modules/cd/networking.nix
@@ -0,0 +1,14 @@
+{...}:
+{
+ networking.hostName = "cd";
+ networking.interfaces.enp2s1.ip4 = [
+ {
+ address = "162.219.7.216";
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "162.219.7.1";
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+}