From 376430ca3f4065b35e97f97ed4aaa4062db41440 Mon Sep 17 00:00:00 2001
From: Ben Sima
Date: Wed, 6 Nov 2019 22:21:48 -0800
Subject: add a common buildOS function with preliminary vpn

---
 Com/Simatime/buildOS.nix | 52 ++++++++++++++++++++++++++++++++++
 Com/Simatime/dev/configuration.nix | 38 +++++--------------------
 Com/Simatime/users.nix | 57 +++++++++++++++++---------------------
 Com/Simatime/vpnHosts.nix | 37 +++++++++++++++++++++++++
 default.nix | 32 +++++++++------------
 5 files changed, 135 insertions(+), 81 deletions(-)
 create mode 100644 Com/Simatime/buildOS.nix
 create mode 100644 Com/Simatime/vpnHosts.nix

diff --git a/Com/Simatime/buildOS.nix b/Com/Simatime/buildOS.nix
new file mode 100644
index 0000000..2da22a1
--- /dev/null
+++ b/Com/Simatime/buildOS.nix
@@ -0,0 +1,52 @@
+nixos:
+{ ipAddress ? null
+, enableVpn ? false
+, vpnConnectTo ? ""
+, vpnRsaPrivateKeyFile ? null
+, vpnEd25519PrivateKeyFile ? null
+, configuration # see: configuration.nix(5)
+}:
+assert enableVpn -> builtins.isString ipAddress;
+assert enableVpn -> builtins.isString vpnRsaPrivateKeyFile;
+assert enableVpn -> builtins.isString vpnEd25519PrivateKeyFile;
+let
+vpnExtraConfig = ''
+ConnectTo = ${vpnConnectTo}
+Ed25519PrivateKeyFile = "${vpnEd25519PrivateKeyFile}"
+PrivateKeyFile = "${vpnRsaPrivateKeyFile}"
+'';
+defaults = {
+boot.cleanTmpDir = true;
+#networking.interfaces.simatime-vpn = [{ ipv4.address = ipAddress; }];
+nix.binaryCaches = [ "https://cache.nixos.org" ];
+nix.gc.automatic = true;
+nix.gc.dates = "Sunday 02:15";
+nix.maxJobs = 1; # "auto";
+nix.optimise.automatic = true;
+nix.optimise.dates = [ "Sunday 02:30" ];
+security.sudo.wheelNeedsPassword = false;
+services.clamav.daemon.enable = true; # security
+services.clamav.updater.enable = true; # security
+services.fail2ban.enable = true; # security
+services.openssh.enable = true;
+services.openssh.forwardX11 = true;
+services.openssh.passwordAuthentication = false;
+services.tinc.networks.simatime-vpn.extraConfig = vpnExtraConfig;
+services.tinc.networks.simatime-vpn.debugLevel = 3;
+services.tinc.networks.simatime-vpn.interfaceType = "tap";
+services.tinc.networks.simatime-vpn.hosts = import ./vpnHosts.nix;
+system.autoUpgrade.channel = "https://nixos.org/channels/nixos-19.09";
+system.autoUpgrade.dates = "03:00";
+system.autoUpgrade.enable = true;
+users.motd = "welcome to simatime.com";
+users.users = import ./users.nix;
+
+};
+os = nixos {
+system = "x86_64-linux";
+configuration = (defaults // configuration);
+};
+in {
+system = os.system;
+vm = os.vm;
+}
diff --git a/Com/Simatime/dev/configuration.nix b/Com/Simatime/dev/configuration.nix
index c096f85..ec3a5a4 100644
--- a/Com/Simatime/dev/configuration.nix
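Review bot: `configuration = (defaults // configuration);` is a shallow attrset merge, so a host configuration that sets any top-level key also present in `defaults` (`boot`, `services`, `nix`, `security`, `users`) replaces that whole subtree instead of extending it — InfluencedByBooks's `boot.isContainer = true` in default.nix drops `boot.cleanTmpDir`, and a host-level `services.openssh` block (both default.nix hosts appear to carry one) silently drops the fail2ban, clamav, tinc and `passwordAuthentication = false` defaults with no evaluation error. Merging through the module system keeps every option: `configuration = { imports = [ defaults configuration ]; };`. `security.sudo.wheelNeedsPassword = false;` reverses the `true` that the per-host configs set until this commit, and because `deploy` is in `wheel`, whoever holds the deploy key now gets root without a password; `true` is the safer shared default. `enableVpn` is consulted only by the asserts, so the `services.tinc.networks.simatime-vpn.*` attributes are emitted for every host, and on a host that passes no key-file arguments the `${vpnRsaPrivateKeyFile}` interpolation would hit the `null` default; making `defaults` a module (`{ lib, ... }: { … }`) and writing `services.tinc.networks.simatime-vpn = lib.mkIf enableVpn { … };` keeps the defaults evaluable without the VPN. `services.openssh.forwardX11 = true` was a dev-machine setting before this commit and now applies to the servers as well; it belongs back in dev/configuration.nix rather than in the shared defaults.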
+++ b/Com/Simatime/dev/configuration.nix
@@ -113,11 +113,6 @@
 configFile = "/home/ben/gitlab-runner.toml";
 };
-openssh = {
-enable = true;
-forwardX11 = true;
-};
-
 deluge = {
 enable = true;
 openFilesLimit = 10240;
@@ -164,7 +159,7 @@
 };
 };
-jellyfin = { # previously emby
+emby = { # previously emby
 enable = true;
 user = "jellyfin";
 group = "jellyfin";
@@ -172,13 +167,6 @@
 vnstat.enable = true;
-# security stuff
-fail2ban.enable = true;
-clamav = {
-daemon.enable = true;
-updater.enable = true;
-};
-
 postgresql = {
 enable = true;
 package = pkgs.postgresql_10;
@@ -193,28 +181,16 @@
 };
 };
-nix = {
-gc = {
-automatic = true;
-dates = "03:15";
-};
-binaryCaches = [ "https://cache.nixos.org/" ];
-nixPath = [
-"nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs"
-"nixos-config=/etc/nixos/configuration.nix"
-"/nix/var/nix/profiles/per-user/root/channels"
-];
-extraOptions = ''
-gc-keep-outputs = true
-gc-keep-derivations = true
-'';
-};
+# Since this is the dev machine, we can turn these on at the expense of extra
+# disk space.
+nix.extraOptions = ''
+keep-outputs = true
+keep-derivations = true
+'';
 # This value determines the NixOS release with which your system is to be
 # compatible, in order to avoid breaking some software such as database
 # servers. You should change this only after NixOS release notes say you
 # should.
 system.stateVersion = "17.09"; # Did you read the comment?
-system.autoUpgrade.enable = true;
-
 }
diff --git a/Com/Simatime/users.nix b/Com/Simatime/users.nix
index daac9d6..c951c8e 100644
--- a/Com/Simatime/users.nix
+++ b/Com/Simatime/users.nix
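Review bot: In the `@@ -164,7 +159,7 @@` hunk the renamed block reads `emby = { # previously emby`, so the comment now contradicts the attribute it annotates while `user` and `group` stay `"jellyfin"`; it looks like a partial revert of the jellyfin migration rather than a deliberate move. If the pinned nixpkgs does not provide `services.jellyfin`, say so where the next reader will look, e.g. `emby = { # services.jellyfin is not in the pinned nixpkgs yet; keeps the jellyfin user/group`; if it does, the rename should probably be dropped. The enclosing attrset (presumably `services`) starts and ends outside this hunk.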
@@ -1,33 +1,28 @@
-{ ... }:
-
-let
-key = f: builtins.readFile (./keys/. + ("/" + f));
-in
-{
-users = {
-users = {
-# bots
-deploy = {
-isNormalUser = true;
-home = "/home/deploy";
-openssh.authorizedKeys.keys = [ (key "deploy.pub") ];
-extraGroups = [ "wheel" ];
-};
-
-# humans
-root.openssh.authorizedKeys.keys = [ (key "ben.pub") ];
-ben = {
-isNormalUser = true;
-home = "/home/ben";
-openssh.authorizedKeys.keys = [ (key "ben.pub") ];
-extraGroups = [ "wheel" "networkmanager" "docker" ];
-};
-nick = {
-isNormalUser = true;
-home = "/home/nick";
-openssh.authorizedKeys.keys = [ (key "nick.pub") ];
-extraGroups = [ "docker" ];
-};
-};
+{ #
+# bots
+#
+deploy = {
+isNormalUser = true;
+home = "/home/deploy";
+openssh.authorizedKeys.keyFiles = [ ./keys/deploy.pub ];
+extraGroups = [ "wheel" ];
+};
+#
+# humans
+#
+root.openssh.authorizedKeys.keyFiles = [ ./keys/ben.pub ];
+ben = {
+description = "Ben Sima";
+isNormalUser = true;
+home = "/home/ben";
+openssh.authorizedKeys.keyFiles = [ ./keys/ben.pub ];
+extraGroups = [ "wheel" "networkmanager" "docker" ];
+};
+nick = {
+description = "Nick Sima";
+isNormalUser = true;
+home = "/home/nick";
+openssh.authorizedKeys.keyFiles = [ ./keys/nick.pub ];
+extraGroups = [ "docker" ];
 };
 }
diff --git a/Com/Simatime/vpnHosts.nix b/Com/Simatime/vpnHosts.nix
new file mode 100644
index 0000000..1a66e92
--- /dev/null
+++ b/Com/Simatime/vpnHosts.nix
@@ -0,0 +1,37 @@
+let
+mkVpnPeer = { address, subnet, ed25519PublicKey, rsaPublicKey }: ''
+Address = ${address}
+Subnet = ${subnet}
+Ed25519PublicKey = ${ed25519PublicKey}
+${rsaPublicKey}
+'';
+in {
+"com.simatime" = mkVpnPeer {
+address = "159.89.128.69";
+subnet = "10.1.1.25";
+ed25519PublicKey = "TODO";
+rsaPublicKey = ''
+TODO
+'';
+};
+"com.simatime.dev" = mkVpnPeer {
+address = "69.181.254.154";
+subnet = "10.1.1.21";
+ed25519PublicKey = "s5/rbuM7WaYqaZH0BP4/mYefrl3uWfaT+Ew4gmSsh8F";
+rsaPublicKey = ''
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEAydQHK4jUQnp4ZSqIB/fjfLxILqy/IHR6DPiUp/HustFDOaLKSVM8
+75fVtBybiEkUmXLU3Bg8WX9zR+llTf3za1B13w+uJpcR4FS/LhAN/wgHCdgHUb4W
+D7YZzGUnLhPAu3Ivnu5QZ6vzigqtbPCIFfwGDW2RGjq3iJMag1sM/xBOZrSn+zsZ
+azCEP/snY30UE5ggrxJSMpZXSpS9u266nTblo8gTwfjdzrC93gmNNIxdHpeYGb0O
+VGdaMmExq5Ny4flG2qtWA0u8nDscg7bEVIYfPjZr1G2FT5A0Ma4kteu6TeYpQEd9
+0if3lRb48iMwh1VBfXBps9Heexz0HjG6EAku2B1mEL5orjmC3jJK0DpuXnwVN5pz
+B+UrFnqbFykeHxZD5RdAB1tcuHZlJ/mQyZRQMJtkifFLdj4iBBK+si05GpodGhIz
+iXkMYRIOja9/4EyukDdU2i2yEOmgif6DhIh4awss1b2Crtxs2bg6/xi2Hy63IQEy
+u8LxuiPGA69NsaFZz49SXXJw11KQt5g7WE0jweYXmT3VO6yZlktGdJjzXyhaw7ma
+G9VgHvxh+K/mDZ2SXwDcINzwYwZxxqcxcmA4o8glCKQyVHIT5hlo7QkSzK4P+GgN
+Js+sRDreM6Rha2zcOaJWZ5IO2Xva6AZZ29oO5m4V/CYPCuMAzXwV2GMCAwEAAQ==
+-----END RSA PUBLIC KEY-----
+'';
+};
+}
diff --git a/default.nix b/default.nix
index a6aa0de..939302a 100644
--- a/default.nix
+++ b/default.nix
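Review bot: The `"com.simatime"` peer ships `ed25519PublicKey = "TODO"` and an RSA key body of `TODO`, while default.nix in the same commit sets `enableVpn = true` on both hosts and points dev at `vpnConnectTo = "com.simatime"`; tinc has nothing to authenticate that peer against from a placeholder host file, so the dev→com.simatime link cannot come up (and should not, since the placeholder vouches for nobody). Either fill in the server's real public keys before enabling the VPN, or leave `enableVpn = false` for both hosts until they exist. A header comment would also help the next reader, e.g. `# tinc host files keyed by tinc Name; only public keys belong here, since this file ends up in the world-readable Nix store`.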
@@ -4,24 +4,23 @@ let
 nixos = import "${nixpkgs-tar}/nixos";
 # TODO(bsima): buildNixOS should be split into multiple functions that each
 # return one thing, instead of a single function that returns multiple things
-buildNixOS = opts: let full = (nixos opts); in {
-system = full.system;
-vm = full.vm;
-};
+buildOS = import ./Com/Simatime/buildOS.nix nixos;
 buildHaskellApp = import ./Com/Simatime/buildHaskellApp.nix nixpkgs;
 nixos-mailserver = builtins.fetchTarball {
 url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.1/nixos-mailserver-v2.2.1.tar.gz";
 sha256 = "03d49v8qnid9g9rha0wg2z6vic06mhp0b049s3whccn1axvs2zzx";
 };
 in {
-Com.Simatime = buildNixOS {
-system = "x86_64-linux";
+Com.Simatime = buildOS {
+enableVpn = true;
+ipAddress = "159.89.128.69";
+vpnRsaPrivateKeyFile = "/etc/tinc/rsa_key.priv";
+vpnEd25519PrivateKeyFile = "/etc/tinc/ed25519_key.priv";
 configuration = {
 imports = [
 ./Com/Simatime/hardware.nix
 ./Com/Simatime/networking.nix
 # common infra
-./Com/Simatime/users.nix
 ./Com/Simatime/packages.nix
 # configured modules
 ./Com/Simatime/git.nix
@@ -31,8 +30,6 @@ in {
 # third party
 nixos-mailserver
 ];
-# TODO(bsima): move more stuff here to a common module
-nixpkgs.config.allowUnfree = true;
 programs.mosh = {
 enable = true;
 withUtempter = true;
@@ -41,15 +38,16 @@ in {
 enable = true;
 passwordAuthentication = false;
 };
-security.sudo.wheelNeedsPassword = true;
-boot.cleanTmpDir = true;
 };
 } // {
-dev = buildNixOS {
-system = "x86_64-linux";
+dev = buildOS {
+enableVpn = true;
+ipAddress = "69.181.254.154";
+vpnConnectTo = "com.simatime";
+vpnRsaPrivateKeyFile = "/etc/tinc/rsa_key.priv";
+vpnEd25519PrivateKeyFile = "/etc/tinc/ed25519_key.priv";
 configuration = {
 imports = [
-./Com/Simatime/users.nix
 ./Com/Simatime/packages.nix
 ./Com/Simatime/dev/hardware.nix
 ./Com/Simatime/dev/configuration.nix
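Review bot: `Com.Simatime` sets `enableVpn = true` but no `vpnConnectTo`, so with the `""` default buildOS.nix renders a bare `ConnectTo = ` line into tinc's config; for the hub host that is not supposed to dial out the line should be omitted rather than left empty, e.g. in the extraConfig string `${if vpnConnectTo != "" then "ConnectTo = ${vpnConnectTo}" else ""}`. In that same string the neighbouring `Ed25519PrivateKeyFile = "${…}"` and `PrivateKeyFile = "${…}"` values are quoted while `ConnectTo` is not; check that tinc's parser does not take the quotes literally before relying on the key paths. Passing the private-key locations as strings rather than path literals is the right choice — a `./`-style path would copy the key into the world-readable Nix store — and a one-line comment on `vpnRsaPrivateKeyFile` would keep it that way, e.g. `# absolute path on the target, as a string: never a Nix path literal, which would copy the key into the store`. By the line counts of the `@@ -31,8 +30,6 @@` hunk, `nixpkgs.config.allowUnfree = true;` is removed from Com.Simatime (the InfluencedByBooks section keeps it) while buildOS.nix sets no replacement; confirm that is intended.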
@@ -57,13 +55,11 @@ in {
 };
 };
 };
-Com.InfluencedByBooks = buildNixOS {
-system = "x86_64-linux";
+Com.InfluencedByBooks = buildOS {
 configuration = {
 imports = [
 ./Com/InfluencedByBooks/service.nix
 # common infra
-./Com/Simatime/users.nix
 ./Com/Simatime/packages.nix
 ];
 nixpkgs.config.allowUnfree = true;
@@ -71,8 +67,6 @@ in {
 enable = true;
 passwordAuthentication = false;
 };
-security.sudo.wheelNeedsPassword = true;
-boot.cleanTmpDir = true;
 boot.isContainer = true;
 networking.useDHCP = false;
 };
--
cgit v1.2.3