From 740f8c8ccfca38d7fc164a8c99bb6df6249c0d22 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 30 Nov 2018 04:35:00 +0100 Subject: l: move download stuff to yellow.r --- lass/1systems/prism/config.nix | 58 ++++++++++++++++- lass/1systems/yellow/config.nix | 132 ++++++++++++++++++++++++++++++++++++++ lass/1systems/yellow/physical.nix | 8 +++ 3 files changed, 197 insertions(+), 1 deletion(-) create mode 100644 lass/1systems/yellow/config.nix create mode 100644 lass/1systems/yellow/physical.nix (limited to 'lass/1systems') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index a9fbae695..57298b1bd 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -207,7 +207,6 @@ with import ; RandomizedDelaySec = "2min"; }; } - { services.taskserver = { @@ -338,6 +337,63 @@ with import ; ]; } + { + systemd.services."container@yellow".reloadIfChanged = mkForce false; + containers.yellow = { + config = { ... }: { + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.13"; + localAddress = "10.233.2.14"; + }; + + services.nginx.virtualHosts."lassul.us".locations."^~ /transmission".extraConfig = '' + if ($scheme != "https") { + rewrite ^ https://$host$uri permanent; + } + auth_basic "Restricted Content"; + auth_basic_user_file ${pkgs.writeText "transmission-user-pass" '' + krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0 + ''}; + proxy_pass http://10.233.2.14:9091; + ''; + + users.groups.download = {}; + users.users = { + download = { + createHome = true; + group = "download"; + name = "download"; + home = "/var/download"; + useDefaultShell = true; + openssh.authorizedKeys.keys = with config.krebs.users; [ + lass.pubkey + lass-shodan.pubkey + lass-icarus.pubkey + lass-daedalus.pubkey + lass-helios.pubkey + makefu.pubkey + wine-mors.pubkey + ]; + }; + }; + + system.activationScripts.downloadFolder = '' + mkdir -p /var/download + chmod 775 /var/download + ln -fs /var/download/finished /var/lib/containers/yellow/var/download/finished || : + chown download: /var/download/finished + ln -fs /var/download/incoming /var/lib/containers/yellow/var/download/incoming || : + chown download: /var/download/incoming + ''; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix new file mode 100644 index 000000000..ee14986ac --- /dev/null +++ b/lass/1systems/yellow/config.nix @@ -0,0 +1,132 @@ +with import ; +{ config, lib, pkgs, ... }: +{ + imports = [ + + + + ]; + + krebs.build.host = config.krebs.hosts.yellow; + + system.activationScripts.downloadFolder = '' + mkdir -p /var/download + chown download:download /var/download + chmod 775 /var/download + ''; + + users.users.download = { uid = genid "download"; }; + users.groups.download.members = [ "transmission" ]; + users.users.transmission.group = mkForce "download"; + + systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ]; + services.transmission = { + enable = true; + settings = { + download-dir = "/var/download/finished"; + incomplete-dir = "/var/download/incoming"; + incomplete-dir-enable = true; + umask = "002"; + rpc-whitelist-enabled = false; + rpc-host-whitelist-enabled = false; + }; + }; + + krebs.iptables = { + enable = true; + tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } + { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } + ]; + }; + + services.nginx.enable = true; + services.openvpn.servers.nordvpn.config = '' + client + dev tun + proto udp + remote 82.102.16.229 1194 + resolv-retry infinite + remote-random + nobind + tun-mtu 1500 + tun-mtu-extra 32 + mssfix 1450 + persist-key + persist-tun + ping 15 + ping-restart 0 + ping-timer-rem + reneg-sec 0 + comp-lzo no + + explicit-exit-notify 3 + + remote-cert-tls server + + #mute 10000 + auth-user-pass ${toString } + + verb 3 + pull + fast-io + cipher AES-256-CBC + auth SHA512 + + + -----BEGIN CERTIFICATE----- + MIIEyjCCA7KgAwIBAgIJANIxRSmgmjW6MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD + VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH + Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRZGUyMjkubm9yZHZw + bi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEWEGNlcnRAbm9y + ZHZwbi5jb20wHhcNMTcxMTIyMTQ1MTQ2WhcNMjcxMTIwMTQ1MTQ2WjCBnjELMAkG + A1UEBhMCUEExCzAJBgNVBAgTAlBBMQ8wDQYDVQQHEwZQYW5hbWExEDAOBgNVBAoT + B05vcmRWUE4xEDAOBgNVBAsTB05vcmRWUE4xGjAYBgNVBAMTEWRlMjI5Lm5vcmR2 + cG4uY29tMRAwDgYDVQQpEwdOb3JkVlBOMR8wHQYJKoZIhvcNAQkBFhBjZXJ0QG5v + cmR2cG4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv++dfZlG + UeFF2sGdXjbreygfo78Ujti6X2OiMDFnwgqrhELstumXl7WrFf5EzCYbVriNuUny + mNCx3OxXxw49xvvg/KplX1CE3rKBNnzbeaxPmeyEeXe+NgA7rwOCbYPQJScFxK7X + +D16ZShY25GyIG7hqFGML0Qz6gpZRGaHSd0Lc3wSgoLzGtsIg8hunhfi00dNqMBT + ukCzgfIqbQUuqmOibsWnYvZoXoYKnbRL0Bj8IYvwvu4p2oBQpvM+JR4DC+rv52LI + 583Q6g3LebQ4JuQf8jgxvEEV4UL1CsUBqN3mcRpVUKJS3ijXmzEX9MfpBRcp1rBA + VsiE4Mrk7PXhkwIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFFIv1UuKN2NXaVjRNXDT + Rs/+LT/9MIHTBgNVHSMEgcswgciAFFIv1UuKN2NXaVjRNXDTRs/+LT/9oYGkpIGh + MIGeMQswCQYDVQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQ + MA4GA1UEChMHTm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRZGUy + Mjkubm9yZHZwbi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEW + EGNlcnRAbm9yZHZwbi5jb22CCQDSMUUpoJo1ujAMBgNVHRMEBTADAQH/MA0GCSqG + SIb3DQEBCwUAA4IBAQBf1vr93OIkIFehXOCXYFmAYai8/lK7OQH0SRMYdUPvADjQ + e5tSDK5At2Ew9YLz96pcDhzLqtbQsRqjuqWKWs7DBZ8ZiJg1nVIXxE+C3ezSyuVW + //DdqMeUD80/FZD5kPS2yJJOWfuBBMnaN8Nxb0BaJi9AKFHnfg6Zxqa/FSUPXFwB + wH+zeymL2Dib2+ngvCm9VP3LyfIdvodEJ372H7eG8os8allUnkUzpVyGxI4pN/IB + KROBRPKb+Aa5FWeWgEUHIr+hNrEMvcWfSvZAkSh680GScQeJh5Xb4RGMCW08tb4p + lrojzCvC7OcFeUNW7Ayiuukx8rx/F4+IZ1yJGff9 + -----END CERTIFICATE----- + + key-direction 1 + + # + # 2048 bit OpenVPN static key + # + -----BEGIN OpenVPN Static key V1----- + 49b2f54c6ee58d2d97331681bb577d55 + 054f56d92b743c31e80b684de0388702 + ad3bf51088cd88f3fac7eb0729f2263c + 51d82a6eb7e2ed4ae6dfa65b1ac764d0 + b9dedf1379c1b29b36396d64cb6fd6b2 + e61f869f9a13001dadc02db171f04c4d + c46d1132c1f31709e7b54a6eabae3ea8 + fbd2681363c185f4cb1be5aa42a27c31 + 21db7b2187fd11c1acf224a0d5a44466 + b4b5a3cc34ec0227fe40007e8b379654 + f1e8e2b63c6b46ee7ab6f1bd82f57837 + 92c209e8f25bc9ed493cb5c1d891ae72 + 7f54f4693c5b20f136ca23e639fd8ea0 + 865b4e22dd2af43e13e6b075f12427b2 + 08af9ffd09c56baa694165f57fe2697a + 3377fa34aebcba587c79941d83deaf45 + -----END OpenVPN Static key V1----- + + ''; +} diff --git a/lass/1systems/yellow/physical.nix b/lass/1systems/yellow/physical.nix new file mode 100644 index 000000000..7499ff723 --- /dev/null +++ b/lass/1systems/yellow/physical.nix @@ -0,0 +1,8 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = false; + environment.variables.NIX_REMOTE = "daemon"; +} -- cgit v1.2.3