authorBen Sima <ben@bsima.me>2019-11-06 22:21:48 -0800
committerBen Sima <ben@bsima.me>2019-11-06 22:21:48 -0800
commit376430ca3f4065b35e97f97ed4aaa4062db41440 (patch)
tree631d52ca097f2b859ace29e8c090138f2b81624e
parent7198d79be4d7d0040d768f395f11b19b05622a8d (diff)
add a common buildOS function with preliminary vpn
-rw-r--r--Com/Simatime/buildOS.nix52
-rw-r--r--Com/Simatime/dev/configuration.nix38
-rw-r--r--Com/Simatime/users.nix57
-rw-r--r--Com/Simatime/vpnHosts.nix37
-rw-r--r--default.nix32
5 files changed, 135 insertions, 81 deletions
diff --git a/Com/Simatime/buildOS.nix b/Com/Simatime/buildOS.nix
new file mode 100644
index 0000000..2da22a1
--- /dev/null
+++ b/Com/Simatime/buildOS.nix
@@ -0,0 +1,52 @@
+nixos:
+{ ipAddress ? null
+, enableVpn ? false
+, vpnConnectTo ? ""
+, vpnRsaPrivateKeyFile ? null
+, vpnEd25519PrivateKeyFile ? null
+, configuration # see: configuration.nix(5)
+}:
+assert enableVpn -> builtins.isString ipAddress;
+assert enableVpn -> builtins.isString vpnRsaPrivateKeyFile;
+assert enableVpn -> builtins.isString vpnEd25519PrivateKeyFile;
+let
+ vpnExtraConfig = ''
+ ConnectTo = ${vpnConnectTo}
+ Ed25519PrivateKeyFile = "${vpnEd25519PrivateKeyFile}"
+ PrivateKeyFile = "${vpnRsaPrivateKeyFile}"
+ '';
+ defaults = {
+ boot.cleanTmpDir = true;
+ #networking.interfaces.simatime-vpn = [{ ipv4.address = ipAddress; }];
+ nix.binaryCaches = [ "https://cache.nixos.org" ];
+ nix.gc.automatic = true;
+ nix.gc.dates = "Sunday 02:15";
+ nix.maxJobs = 1; # "auto";
+ nix.optimise.automatic = true;
+ nix.optimise.dates = [ "Sunday 02:30" ];
+ security.sudo.wheelNeedsPassword = false;
+ services.clamav.daemon.enable = true; # security
+ services.clamav.updater.enable = true; # security
+ services.fail2ban.enable = true; # security
+ services.openssh.enable = true;
+ services.openssh.forwardX11 = true;
+ services.openssh.passwordAuthentication = false;
+ services.tinc.networks.simatime-vpn.extraConfig = vpnExtraConfig;
+ services.tinc.networks.simatime-vpn.debugLevel = 3;
+ services.tinc.networks.simatime-vpn.interfaceType = "tap";
+ services.tinc.networks.simatime-vpn.hosts = import ./vpnHosts.nix;
+ system.autoUpgrade.channel = "https://nixos.org/channels/nixos-19.09";
+ system.autoUpgrade.dates = "03:00";
+ system.autoUpgrade.enable = true;
+ users.motd = "welcome to simatime.com";
+ users.users = import ./users.nix;
+
+ };
+ os = nixos {
+ system = "x86_64-linux";
+ configuration = (defaults // configuration);
+ };
+in {
+ system = os.system;
+ vm = os.vm;
+}
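Review bot: `configuration = (defaults // configuration)` is a shallow attribute-set merge, so any caller whose configuration defines a top-level `services`, `boot` or `nix` attribute replaces the whole corresponding default and silently drops the fail2ban, clamav, `openssh.passwordAuthentication = false` and tinc settings — the `services.openssh = { ... }` block and `boot.isContainer = true` in the default.nix hunks below look like they would do exactly that. Letting the module system merge instead, `configuration = { imports = [ defaults configuration ]; };`, keeps every default while still allowing per-host overrides. Separately, `security.sudo.wheelNeedsPassword = false` is weaker than the per-host `true` it replaces (and `wheel` includes the `deploy` bot), so keep `true` in the common defaults and relax it only on the host that needs it. The tinc attributes are also defined whether or not `enableVpn` is set, so for a caller such as `Com.InfluencedByBooks` the string `"${vpnEd25519PrivateKeyFile}"` is interpolated from `null`, which Nix rejects when the tinc config file is generated; guard them, e.g. `services.tinc.networks = if enableVpn then { simatime-vpn = { ... }; } else { };`.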
diff --git a/Com/Simatime/dev/configuration.nix b/Com/Simatime/dev/configuration.nix
index c096f85..ec3a5a4 100644
--- a/Com/Simatime/dev/configuration.nix
+++ b/Com/Simatime/dev/configuration.nix
@@ -113,11 +113,6 @@
configFile = "/home/ben/gitlab-runner.toml";
};
- openssh = {
- enable = true;
- forwardX11 = true;
- };
-
deluge = {
enable = true;
openFilesLimit = 10240;
@@ -164,7 +159,7 @@
};
};
- jellyfin = { # previously emby
+ emby = { # previously emby
enable = true;
user = "jellyfin";
group = "jellyfin";
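Review bot: The attribute is renamed to `emby`, but the comment on the same line still says `# previously emby` and the `user`/`group` remain `jellyfin`, so the line now reads as the reverse of what happened. If switching to the `services.emby` module is intended, make the comment say why, e.g. `emby = { # emby module used here; keeps the existing jellyfin user/group`; if the rename is accidental, restore `jellyfin`. The enclosing `services` block starts and ends outside the hunk.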
@@ -172,13 +167,6 @@
vnstat.enable = true;
- # security stuff
- fail2ban.enable = true;
- clamav = {
- daemon.enable = true;
- updater.enable = true;
- };
-
postgresql = {
enable = true;
package = pkgs.postgresql_10;
@@ -193,28 +181,16 @@
};
};
- nix = {
- gc = {
- automatic = true;
- dates = "03:15";
- };
- binaryCaches = [ "https://cache.nixos.org/" ];
- nixPath = [
- "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs"
- "nixos-config=/etc/nixos/configuration.nix"
- "/nix/var/nix/profiles/per-user/root/channels"
- ];
- extraOptions = ''
- gc-keep-outputs = true
- gc-keep-derivations = true
- '';
- };
+ # Since this is the dev machine, we can turn these on at the expense of extra
+ # disk space.
+ nix.extraOptions = ''
+ keep-outputs = true
+ keep-derivations = true
+ '';
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "17.09"; # Did you read the comment?
- system.autoUpgrade.enable = true;
-
}
diff --git a/Com/Simatime/users.nix b/Com/Simatime/users.nix
index daac9d6..c951c8e 100644
--- a/Com/Simatime/users.nix
+++ b/Com/Simatime/users.nix
@@ -1,33 +1,28 @@
-{ ... }:
-
-let
- key = f: builtins.readFile (./keys/. + ("/" + f));
-in
-{
- users = {
- users = {
- # bots
- deploy = {
- isNormalUser = true;
- home = "/home/deploy";
- openssh.authorizedKeys.keys = [ (key "deploy.pub") ];
- extraGroups = [ "wheel" ];
- };
-
- # humans
- root.openssh.authorizedKeys.keys = [ (key "ben.pub") ];
- ben = {
- isNormalUser = true;
- home = "/home/ben";
- openssh.authorizedKeys.keys = [ (key "ben.pub") ];
- extraGroups = [ "wheel" "networkmanager" "docker" ];
- };
- nick = {
- isNormalUser = true;
- home = "/home/nick";
- openssh.authorizedKeys.keys = [ (key "nick.pub") ];
- extraGroups = [ "docker" ];
- };
- };
+{ #
+ # bots
+ #
+ deploy = {
+ isNormalUser = true;
+ home = "/home/deploy";
+ openssh.authorizedKeys.keyFiles = [ ./keys/deploy.pub ];
+ extraGroups = [ "wheel" ];
+ };
+ #
+ # humans
+ #
+ root.openssh.authorizedKeys.keyFiles = [ ./keys/ben.pub ];
+ ben = {
+ description = "Ben Sima";
+ isNormalUser = true;
+ home = "/home/ben";
+ openssh.authorizedKeys.keyFiles = [ ./keys/ben.pub ];
+ extraGroups = [ "wheel" "networkmanager" "docker" ];
+ };
+ nick = {
+ description = "Nick Sima";
+ isNormalUser = true;
+ home = "/home/nick";
+ openssh.authorizedKeys.keyFiles = [ ./keys/nick.pub ];
+ extraGroups = [ "docker" ];
};
}
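Review bot: `deploy` keeps `extraGroups = [ "wheel" ]`, and with `security.sudo.wheelNeedsPassword = false` now in the common buildOS defaults, whoever holds the key in `keys/deploy.pub` gets unrestricted passwordless root on every host built with it. An automation account rarely needs more than the commands it runs, so consider dropping `wheel` and granting only what deployment requires through a `security.sudo.extraRules` entry scoped to specific commands, with a comment such as `# deploy: automation account; must not have interactive root`. `root.openssh.authorizedKeys.keyFiles` also still permits direct root SSH with ben's key even though `ben` already has `wheel`; if that is deliberate, a one-line comment saying so would stop a later reviewer from removing it.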
diff --git a/Com/Simatime/vpnHosts.nix b/Com/Simatime/vpnHosts.nix
new file mode 100644
index 0000000..1a66e92
--- /dev/null
+++ b/Com/Simatime/vpnHosts.nix
@@ -0,0 +1,37 @@
+let
+ mkVpnPeer = { address, subnet, ed25519PublicKey, rsaPublicKey }: ''
+ Address = ${address}
+ Subnet = ${subnet}
+ Ed25519PublicKey = ${ed25519PublicKey}
+ ${rsaPublicKey}
+ '';
+in {
+ "com.simatime" = mkVpnPeer {
+ address = "159.89.128.69";
+ subnet = "10.1.1.25";
+ ed25519PublicKey = "TODO";
+ rsaPublicKey = ''
+ TODO
+ '';
+ };
+ "com.simatime.dev" = mkVpnPeer {
+ address = "69.181.254.154";
+ subnet = "10.1.1.21";
+ ed25519PublicKey = "s5/rbuM7WaYqaZH0BP4/mYefrl3uWfaT+Ew4gmSsh8F";
+ rsaPublicKey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAydQHK4jUQnp4ZSqIB/fjfLxILqy/IHR6DPiUp/HustFDOaLKSVM8
+ 75fVtBybiEkUmXLU3Bg8WX9zR+llTf3za1B13w+uJpcR4FS/LhAN/wgHCdgHUb4W
+ D7YZzGUnLhPAu3Ivnu5QZ6vzigqtbPCIFfwGDW2RGjq3iJMag1sM/xBOZrSn+zsZ
+ azCEP/snY30UE5ggrxJSMpZXSpS9u266nTblo8gTwfjdzrC93gmNNIxdHpeYGb0O
+ VGdaMmExq5Ny4flG2qtWA0u8nDscg7bEVIYfPjZr1G2FT5A0Ma4kteu6TeYpQEd9
+ 0if3lRb48iMwh1VBfXBps9Heexz0HjG6EAku2B1mEL5orjmC3jJK0DpuXnwVN5pz
+ B+UrFnqbFykeHxZD5RdAB1tcuHZlJ/mQyZRQMJtkifFLdj4iBBK+si05GpodGhIz
+ iXkMYRIOja9/4EyukDdU2i2yEOmgif6DhIh4awss1b2Crtxs2bg6/xi2Hy63IQEy
+ u8LxuiPGA69NsaFZz49SXXJw11KQt5g7WE0jweYXmT3VO6yZlktGdJjzXyhaw7ma
+ G9VgHvxh+K/mDZ2SXwDcINzwYwZxxqcxcmA4o8glCKQyVHIT5hlo7QkSzK4P+GgN
+ Js+sRDreM6Rha2zcOaJWZ5IO2Xva6AZZ29oO5m4V/CYPCuMAzXwV2GMCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+}
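Review bot: The `com.simatime` peer has `TODO` in place of both public keys, while default.nix points the dev host at it with `vpnConnectTo = "com.simatime"`, so tincd on dev will attempt to authenticate against a host entry with no valid key material and the tunnel cannot come up (tinc may well refuse the host file outright). Either omit the entry until the keys are generated or mark it, e.g. `# placeholder: VPN is not functional until real public keys are added`. A short header comment stating that this file must contain only public keys would also help, since it is imported into the Nix store and ends up in the world-readable system closure.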
diff --git a/default.nix b/default.nix
index a6aa0de..939302a 100644
--- a/default.nix
+++ b/default.nix
@@ -4,24 +4,23 @@ let
nixos = import "${nixpkgs-tar}/nixos";
# TODO(bsima): buildNixOS should be split into multiple functions that each
# return one thing, instead of a single function that returns multiple things
- buildNixOS = opts: let full = (nixos opts); in {
- system = full.system;
- vm = full.vm;
- };
+ buildOS = import ./Com/Simatime/buildOS.nix nixos;
buildHaskellApp = import ./Com/Simatime/buildHaskellApp.nix nixpkgs;
nixos-mailserver = builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.1/nixos-mailserver-v2.2.1.tar.gz";
sha256 = "03d49v8qnid9g9rha0wg2z6vic06mhp0b049s3whccn1axvs2zzx";
};
in {
- Com.Simatime = buildNixOS {
- system = "x86_64-linux";
+ Com.Simatime = buildOS {
+ enableVpn = true;
+ ipAddress = "159.89.128.69";
+ vpnRsaPrivateKeyFile = "/etc/tinc/rsa_key.priv";
+ vpnEd25519PrivateKeyFile = "/etc/tinc/ed25519_key.priv";
configuration = {
imports = [
./Com/Simatime/hardware.nix
./Com/Simatime/networking.nix
# common infra
- ./Com/Simatime/users.nix
./Com/Simatime/packages.nix
# configured modules
./Com/Simatime/git.nix
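Review bot: The TODO comment directly above the new `buildOS` binding still refers to `buildNixOS`, which this hunk removes; reword it to `# TODO(bsima): buildOS should be split into multiple functions that each`. The `ipAddress` passed to `buildOS` here is the host's public address (it matches `Address` in vpnHosts.nix), whereas the only use sketched for it in buildOS.nix is the commented-out `networking.interfaces.simatime-vpn` line, where the `10.1.1.x` `Subnet` value would presumably be expected; since the `enableVpn` assertion requires the argument, a comment on what `ipAddress` is meant to hold would avoid the two being confused.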
@@ -31,8 +30,6 @@ in {
# third party
nixos-mailserver
];
- # TODO(bsima): move more stuff here to a common module
- nixpkgs.config.allowUnfree = true;
programs.mosh = {
enable = true;
withUtempter = true;
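Review bot: `nixpkgs.config.allowUnfree = true` is removed from the `Com.Simatime` configuration but not added to the buildOS defaults, while `Com.InfluencedByBooks` keeps its own copy. If any package in this host's closure is unfree, evaluation will now fail; either move the setting into `defaults` in buildOS.nix or leave it here. The enclosing `configuration` attribute set starts and ends outside the hunk.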
@@ -41,15 +38,16 @@ in {
enable = true;
passwordAuthentication = false;
};
- security.sudo.wheelNeedsPassword = true;
- boot.cleanTmpDir = true;
};
} // {
- dev = buildNixOS {
- system = "x86_64-linux";
+ dev = buildOS {
+ enableVpn = true;
+ ipAddress = "69.181.254.154";
+ vpnConnectTo = "com.simatime";
+ vpnRsaPrivateKeyFile = "/etc/tinc/rsa_key.priv";
+ vpnEd25519PrivateKeyFile = "/etc/tinc/ed25519_key.priv";
configuration = {
imports = [
- ./Com/Simatime/users.nix
./Com/Simatime/packages.nix
./Com/Simatime/dev/hardware.nix
./Com/Simatime/dev/configuration.nix
@@ -57,13 +55,11 @@ in {
};
};
};
- Com.InfluencedByBooks = buildNixOS {
- system = "x86_64-linux";
+ Com.InfluencedByBooks = buildOS {
configuration = {
imports = [
./Com/InfluencedByBooks/service.nix
# common infra
- ./Com/Simatime/users.nix
./Com/Simatime/packages.nix
];
nixpkgs.config.allowUnfree = true;
@@ -71,8 +67,6 @@ in {
enable = true;
passwordAuthentication = false;
};
- security.sudo.wheelNeedsPassword = true;
- boot.cleanTmpDir = true;
boot.isContainer = true;
networking.useDHCP = false;
};