From 16fd1ff21f7d872600a698b96b70cb5d2defe274 Mon Sep 17 00:00:00 2001
From: Root
Date: Fri, 9 Apr 2021 14:24:50 -0700
Subject: [PATCH] Changes for plato

---
 config/hardware/plato.nix | 1 +
 config/host-config/plato.nix | 23 +++-
 config/sites.nix | 1 +
 lib/fudo/networks/rus.selby.ca.nix | 86 ------------
 lib/fudo/networks/sea.fudo.org.nix | 214 -----------------------------
 lib/fudo/sites.nix | 51 +++++--
 6 files changed, 60 insertions(+), 316 deletions(-)
 delete mode 100644 lib/fudo/networks/rus.selby.ca.nix
 delete mode 100644 lib/fudo/networks/sea.fudo.org.nix

diff --git a/config/hardware/plato.nix b/config/hardware/plato.nix
index c068835..1fa1150 100644
--- a/config/hardware/plato.nix
+++ b/config/hardware/plato.nix
@@ -73,6 +73,7 @@ with lib;
 };
 interfaces = {
+ enp1s0.useDHCP = false;
 intif0 = {
 # output of: echo plato-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
 macAddress = "02:25:b7:67:c4:c2";
diff --git a/config/host-config/plato.nix b/config/host-config/plato.nix
index 6db97c7..ffc6d72 100644
--- a/config/host-config/plato.nix
+++ b/config/host-config/plato.nix
@@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:
-with lib; {
+with lib;
+let primary-ip = "10.0.0.21";
+in {
 config = {
 environment.etc = {
 nixos.source = "/state/nixos";
@@ -23,7 +25,7 @@ with lib; {
 systemd.tmpfiles.rules = [
 "L /root/.gnupg - - - - /state/root/gnupg"
- "L /root/.emacs.d - - - - /state/root/emacs.d"
+ # "L /root/.emacs.d - - - - /state/root/emacs.d"
 "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
 "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
 "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
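Review bot: In the `@@ -23,7 +25,7` hunk the `/root/.emacs.d` tmpfiles rule is commented out instead of deleted; git already keeps the old line, and a commented-out entry in the middle of the rules list is easy to mistake for an active one. If it is meant to come back, say why with something like `# disabled: <reason>, re-enable when <condition>`, otherwise just drop the line. Note also that removing an `L` rule does not undo a symlink tmpfiles already created on hosts that ran the old rule, so `/root/.emacs.d` will stay in place there until removed by hand (inferred from tmpfiles semantics, not from anything visible in the hunk).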
@@ -31,6 +33,23 @@ with lib; {
 "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
 ];
+ networking = {
+ defaultGateway = {
+ address = "10.0.0.1";
+ interface = "intif0";
+ };
+
+ interfaces = {
+ intif0 = {
+ useDHCP = false;
+ ipv4.addresses = [{
+ address = primary-ip;
+ prefixLength = 22;
+ }];
+ };
+ };
+ };
+
 services = {
 openssh = {
 hostKeys = [
diff --git a/config/sites.nix b/config/sites.nix
index 16289ff..212d7e5 100644
--- a/config/sites.nix
+++ b/config/sites.nix
@@ -9,6 +9,7 @@
 dynamic-network = "10.0.1.0/24";
 timezone = "America/Los_Angeles";
 gateway-host = "nostromo";
+ deploy-pubkey = "ssh-rsa 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"; # FIXME: good idea?
 # network-mounts = {
 # "/mnt/documents" = {
diff --git a/lib/fudo/networks/rus.selby.ca.nix b/lib/fudo/networks/rus.selby.ca.nix
deleted file mode 100644
index 3d5d744..0000000
--- a/lib/fudo/networks/rus.selby.ca.nix
+++ /dev/null
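Review bot: The `# FIXME: good idea?` on the new `deploy-pubkey` line in config/sites.nix is the right question and should be settled rather than committed: lib/fudo/sites.nix writes this value as root's `/etc/dropbear/authorized_keys` on every host that picks up the site, so whoever holds the matching private key has unrestricted root on all of them. The public half living in the repo is fine in itself; what is missing is scoping — prefix the key with Dropbear authorized_keys options where it is written (`no-pty,no-agent-forwarding,no-port-forwarding` and, if the deploy path is fixed, `command="…"`), and prefer one key per site or per host over a single shared value. I would also replace the FIXME with a note that says what the key is for and where the private half is kept, e.g. `# Public half of the deploy key: grants root on every host of this site via the dropbear deploy service`.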
@@ -1,86 +0,0 @@ -{ config, lib, ... }: - -{ - default-host = "10.0.0.1"; - - mx = [ "mail.fudo.org" ]; - - hosts = { - clunk = { - ipv4-address = "10.0.0.1"; - mac-address = "02:44:d1:eb:c3:6b"; - }; - - dns-proxy = { - ipv4-address = "10.0.0.2"; - # This is just a second IP on clunk, for the pihole - }; - - google-wifi = { - ipv4-address = "10.0.0.11"; - mac-address = "70:3a:cb:c0:3b:09"; - }; - - pselby-work = { - ipv4-address = "10.0.0.151"; - mac-address = "00:50:b6:aa:bd:b3"; - }; - - downstairs-desktop = { - ipv4-address = "10.0.0.100"; - mac-address = "90:b1:1c:8e:29:cf"; - }; - - upstairs-desktop = { - ipv4-address = "10.0.0.101"; - mac-address = "80:e8:2c:22:65:c2"; - }; - }; - - aliases = { - dns-hole = "clunk"; - gateway = "clunk"; - upstairs = "upstairs-desktop"; - downstairs = "downstairs-desktop"; - }; - - srv-records = { - tcp = { - domain = [{ - port = 53; - host = "clunk.${local-domain}"; - }]; - kerberos = [{ - port = 88; - host = "france.fudo.org"; - }]; - kerberos-adm = [{ - port = 88; - host = "france.fudo.org"; - }]; - ssh = [{ - port = 22; - host = "clunk.${local-domain}"; - }]; - }; - - udp = { - domain = [{ - port = 53; - host = "clunk.${local-domain}"; - }]; - kerberos = [{ - port = 88; - host = "france.fudo.org"; - }]; - kerboros-master = [{ - port = 88; - host = "france.fudo.org"; - }]; - kpasswd = [{ - port = 464; - host = "france.fudo.org"; - }]; - }; - }; -} diff --git a/lib/fudo/networks/sea.fudo.org.nix b/lib/fudo/networks/sea.fudo.org.nix deleted file mode 100644 index 68e017b..0000000 --- a/lib/fudo/networks/sea.fudo.org.nix +++ /dev/null 
@@ -1,214 +0,0 @@ -{ config, lib, ... }: - -{ - default-host = "10.0.0.1"; - - mx = [ "mail.fudo.org" ]; - - aliases = { - kadmin = "nostromo"; - kdc = "nostromo"; - photo = "doraemon"; - music = "doraemon"; - panopticon = "lambda"; - panopticon-od = "lambda"; - ipfs = "nostromo"; - hole = "nostromo"; - pihole = "nostromo"; - dns-hole = "nostromo"; - mon-1 = "srv-1"; - }; - - srv-records = { - tcp = { - domain = [{ - port = 53; - host = "nostromo.sea.fudo.org"; - }]; - kerberos = [{ - port = 88; - host = "france.fudo.org"; - }]; - kerberos-adm = [{ - port = 88; - host = "france.fudo.org"; - }]; - ssh = [{ - port = 22; - host = "nostromo.sea.fudo.org"; - }]; - ldap = [{ - port = 389; - host = "france.fudo.org"; - }]; - }; - - udp = { - domain = [{ - port = 53; - host = "nostromo.sea.fudo.org"; - }]; - kerberos = [{ - port = 88; - host = "france.fudo.org"; - }]; - kerboros-master = [{ - port = 88; - host = "france.fudo.org"; - }]; - kpasswd = [{ - port = 464; - host = "france.fudo.org"; - }]; - }; - }; - - hosts = { - nostromo = { - ip-address = "10.0.0.1"; - mac-address = "46:54:76:06:f1:10"; - }; - lm = { - ip-address = "10.0.0.2"; - mac-address = "00:23:7d:e6:d9:ea"; - }; - lambda = { - ip-address = "10.0.0.3"; - mac-address = "02:50:f6:52:9f:9d"; - }; - switch-master = { - ip-address = "10.0.0.5"; - mac-address = "00:14:1C:B6:BB:40"; - }; - google-wifi = { - ip-address = "10.0.0.7"; - mac-address = "7C:D9:5C:9F:6F:E9"; - }; - cam-entrance = { - ip-address = "10.0.0.31"; - mac-address = "9c:8e:cd:0e:99:7b"; - }; - cam-driveway = { - ip-address = "10.0.0.32"; - mac-address = "9c:8e:cd:0d:3b:09"; - }; - cam-deck = { - ip-address = "10.0.0.33"; - mac-address = "9c:8e:cd:0e:98:c8"; - }; - cargo = { - ip-address = "10.0.0.50"; - mac-address = "00:11:32:75:d8:b7"; - }; - whitedwarf = { - ip-address = "10.0.0.51"; - mac-address = "00:11:32:12:14:1d"; - }; - doraemon = { - ip-address = "10.0.0.52"; - mac-address = "00:11:32:0a:06:c5"; - }; - android = { - ip-address = 
"10.0.0.81"; - mac-address = "00:16:3e:43:39:fc"; - }; - retro-wired = { - ip-address = "10.0.0.82"; - mac-address = "dc:a6:32:6b:57:43"; - }; - retro = { - ip-address = "10.0.0.83"; - mac-address = "dc:a6:32:6b:57:45"; - }; - monolith = { - ip-address = "10.0.0.100"; - mac-address = "6c:62:6d:c8:b0:d8"; - }; - taipan = { - ip-address = "10.0.0.107"; - mac-address = "52:54:00:34:c4:78"; - }; - spark = { - ip-address = "10.0.0.108"; - mac-address = "78:24:af:04:f7:dd"; - }; - hyperion = { - ip-address = "10.0.0.109"; - mac-address = "52:54:00:33:46:de"; - }; - zbox = { - ip-address = "10.0.0.110"; - mac-address = "02:dd:80:52:83:9b"; - }; - ubiquiti-wifi = { - ip-address = "10.0.0.126"; - mac-address = "04:18:d6:20:48:fb"; - }; - generator-wireless = { - ip-address = "10.0.0.130"; - mac-address = "B8:27:EB:A6:32:26"; - }; - brother-wireless = { - ip-address = "10.0.0.160"; - mac-address = "c0:38:96:64:49:65"; - }; - nest = { - ip-address = "10.0.0.176"; - mac-address = "18:b4:30:16:7c:5a"; - }; - xixi-phone = { - ip-address = "10.0.0.193"; - mac-address = "48:43:7c:75:89:42"; - }; - ipad = { - ip-address = "10.0.0.202"; - mac-address = "9c:35:eb:48:6e:71"; - }; - cam-front = { - ip-address = "10.0.0.203"; - mac-address = "c4:d6:55:3e:b4:c3"; - }; - family-tv = { - ip-address = "10.0.0.205"; - mac-address = "84:a4:66:3a:b1:f8"; - }; - babycam = { - ip-address = "10.0.0.206"; - mac-address = "08:ea:40:59:5f:9e"; - }; - workphone = { - ip-address = "10.0.0.211"; - mac-address = "a8:8e:24:5c:12:67"; - }; - chromecast-2 = { - ip-address = "10.0.0.215"; - mac-address = "a4:77:33:59:a2:ba"; - }; - front-light = { - ip-address = "10.0.0.221"; - mac-address = "94:10:3e:48:94:ed"; - }; - - # Ceph network - srv-1 = { - ip-address = "10.0.10.1"; - mac-address = "02:65:d7:00:7d:1b"; - }; - node-1 = { - ip-address = "10.0.10.101"; - mac-address = "00:1e:06:36:81:cf"; - }; - node-2 = { - ip-address = "10.0.10.102"; - mac-address = "00:1e:06:36:ec:3e"; - }; - node-3 = { - 
ip-address = "10.0.10.103";
- mac-address = "00:1e:06:36:ec:4b";
- };
- node-4 = {
- ip-address = "10.0.10.104";
- mac-address = "00:1e:06:36:dd:8c";
- };
- };
-}
diff --git a/lib/fudo/sites.nix b/lib/fudo/sites.nix
index 03599be..f3dcbdc 100644
--- a/lib/fudo/sites.nix
+++ b/lib/fudo/sites.nix
@@ -95,6 +95,12 @@ let
 description = "Location of Dropbear ECDSA key.";
 default = "/etc/dropbear/host_ecdsa_key";
 };
+
+ dropbear-deploy-port = mkOption {
+ type = port;
+ description = "Port to be used for the deploy SSH server.";
+ default = 2112;
+ };
 };
 };
@@ -107,16 +113,30 @@ in {
 config = mkIf (site-cfg.deploy-pubkey != null) {
 environment.etc."dropbear/authorized_keys" = {
- text = "root@deploy ${site-cfg.deploy-pubkey}";
+ text = "${site-cfg.deploy-pubkey} root@deploy";
 mode = "0400";
 };
- systemd.services = let dropbear-port = 2112;
- in {
+ networking.firewall.allowedTCPPorts = [ site-cfg.dropbear-deploy-port ];
- dropbear-init = {
- wantedBy = [ "multi-user.target" ];
- script = ''
+ systemd = {
+ sockets = {
+ dropbear-deploy = {
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ ListenStream = "0.0.0.0:${toString site-cfg.dropbear-deploy-port}";
+ Accept = true;
+ };
+ unitConfig = {
+ restartIfChanged = true;
+ };
+ };
+ };
+
+ services = {
+ dropbear-deploy-init = {
+ wantedBy = [ "multi-user.target" ];
+ script = ''
 if [ ! -d /etc/dropbear ]; then
 mkdir /etc/dropbear
 chmod 700 /etc/dropbear
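Review bot: `ListenStream = "0.0.0.0:…"` together with `networking.firewall.allowedTCPPorts = [ site-cfg.dropbear-deploy-port ]` exposes a root-only SSH service on every IPv4 address of every host in the site and opens the port through the firewall on all interfaces, which on the site's gateway host means the upstream side as well. Since the authorized key is then the only thing between the outside and root, scope it: bind the socket to the host's internal address if the site module can supply one, or at least replace the global rule with `networking.firewall.interfaces.<internal-iface>.allowedTCPPorts = [ site-cfg.dropbear-deploy-port ];` (the interface name is per host, so this probably needs an option next to `dropbear-deploy-port`). Separately, `unitConfig.restartIfChanged = true` does not look like a systemd `[Unit]` key — `restartIfChanged` is a NixOS service-level option, and written this way it lands verbatim in the socket's `[Unit]` section where systemd will warn and ignore it; as far as I know changed sockets are restarted on switch by default, so the stanza can likely be dropped. The body of `dropbear-deploy-init` continues past this hunk.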
@@ -132,15 +152,18 @@ in {
 ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-ecdsa-key-path}
 fi
 '';
- };
+ };
- dropbear = {
- requires = [ "dropbear-init.service" ];
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
- serviceConfig = {
- type = "simple";
- ExecStart = "${pkgs.dropbear} -F -m -s -j -k -p ${dropbear-port}";
+ "dropbear-deploy@" = {
+ description = "Per-connection service for deployment, using dropbear.";
+ requires = [ "dropbear-deploy-init.service" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.dropbear}/bin/dropbear -F -i -m -s -j -k -r ${site-cfg.dropbear-rsa-key-path} -r ${site-cfg.dropbear-ecdsa-key-path}";
+ ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
+ StandardInput = "socket";
+ };
 };
 };
 };
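Review bot: `requires = [ "dropbear-deploy-init.service" ]` on the new `dropbear-deploy@` template only pulls the init unit in; it does not order against it, so a connection accepted shortly after boot can spawn dropbear before the init script has finished creating the host keys that `-r ${site-cfg.dropbear-rsa-key-path}` and `-r ${site-cfg.dropbear-ecdsa-key-path}` point at, and that session fails. Make the ordering explicit with `after = [ "network.target" "dropbear-deploy-init.service" ];`, and for "after" to mean "after it finished" rather than "after it was forked", `dropbear-deploy-init` should carry `serviceConfig.Type = "oneshot";` (its serviceConfig sits outside this hunk, so I cannot see whether it already does). Separately, `ExecReload = kill -HUP $MAINPID` does little on a per-connection inetd-mode (`-i`) unit — there is one dropbear per session and nothing to reload — so it can go, and `-F` is most likely redundant alongside `-i`.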