summaryrefslogtreecommitdiffstats
path: root/modules/lass/base.nix
blob: 29010dd91241820a7fce914a5fa31257edf9893b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
{ config, pkgs, ... }:

{
  imports = [
    ./sshkeys.nix
  ];

  nix.useChroot = true;

  users.mutableUsers = false;

  boot.tmpOnTmpfs = true;
  # see tmpfiles.d(5)
  systemd.tmpfiles.rules = [
    "d /tmp 1777 root root - -"
  ];

  # multiple-definition-problem when defining environment.variables.EDITOR
  environment.extraInit = ''
    EDITOR=vim
    PAGER=most
  '';

  environment.systemPackages = with pkgs; [
    git
    most

  #network
    iptables
  ];

  programs.bash = {
    enableCompletion = true;
    interactiveShellInit = ''
      HISTCONTROL='erasedups:ignorespace'
      HISTSIZE=65536
      HISTFILESIZE=$HISTSIZE

      shopt -s checkhash
      shopt -s histappend histreedit histverify
      shopt -s no_empty_cmd_completion
      complete -d cd

      #fancy colors
      if [ -e ~/LS_COLORS ]; then
        eval $(dircolors ~/LS_COLORS)
      fi

      if [ -e /etc/nixos/dotfiles/link ]; then
        /etc/nixos/dotfiles/link
      fi
    '';
    promptInit = ''
      if test $UID = 0; then
        PS1='\[\033[1;31m\]\w\[\033[0m\] '
      elif test $UID = 1337; then
        PS1='\[\033[1;32m\]\w\[\033[0m\] '
      else
        PS1='\[\033[1;33m\]\u@\w\[\033[0m\] '
      fi
      if test -n "$SSH_CLIENT"; then
        PS1='\[\033[35m\]\h'" $PS1"
      fi
    '';
  };

  services.gitolite = {
    enable = true;
    dataDir = "/home/gitolite";
    adminPubkey = config.sshKeys.lass.pub;
  };

  services.openssh = {
    enable = true;
    hostKeys = [
      # XXX bits here make no science
      { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
    ];
  };

  services.journald.extraConfig = ''
    SystemMaxUse=1G
    RuntimeMaxUse=128M
  '';

  networking.firewall = {
    enable = true;

    allowedTCPPorts = [
      22
    ];

    extraCommands = ''
      iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
      iptables -A INPUT -j ACCEPT -i lo

      #iptables -N Retiolum
      iptables -A INPUT -j Retiolum -i retiolum
      iptables -A Retiolum -j ACCEPT -p icmp
      iptables -A Retiolum -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
      iptables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
      iptables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
      iptables -A Retiolum -j REJECT        --reject-with icmp-proto-unreachable
      iptables -A Retiolum -j REJECT
    '';

    extraStopCommands = "iptables -F";
  };
}