From 16fd1ff21f7d872600a698b96b70cb5d2defe274 Mon Sep 17 00:00:00 2001
From: Root
Date: Fri, 9 Apr 2021 14:24:50 -0700
Subject: [PATCH 1/3] Changes for plato
---
config/hardware/plato.nix | 1 +
config/host-config/plato.nix | 23 +++-
config/sites.nix | 1 +
lib/fudo/networks/rus.selby.ca.nix | 86 ------------
lib/fudo/networks/sea.fudo.org.nix | 214 -----------------------------
lib/fudo/sites.nix | 51 +++++--
6 files changed, 60 insertions(+), 316 deletions(-)
delete mode 100644 lib/fudo/networks/rus.selby.ca.nix
delete mode 100644 lib/fudo/networks/sea.fudo.org.nix
diff --git a/config/hardware/plato.nix b/config/hardware/plato.nix
index c068835..1fa1150 100644
--- a/config/hardware/plato.nix
+++ b/config/hardware/plato.nix
@@ -73,6 +73,7 @@ with lib;
 };
 interfaces = {
+ enp1s0.useDHCP = false;
 intif0 = {
 # output of: echo plato-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
 macAddress = "02:25:b7:67:c4:c2";
diff --git a/config/host-config/plato.nix b/config/host-config/plato.nix
index 6db97c7..ffc6d72 100644
--- a/config/host-config/plato.nix
+++ b/config/host-config/plato.nix
@@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:
-with lib; {
+with lib;
+let primary-ip = "10.0.0.21";
+in {
 config = {
 environment.etc = {
 nixos.source = "/state/nixos";
@@ -23,7 +25,7 @@ with lib; {
 systemd.tmpfiles.rules = [
 "L /root/.gnupg - - - - /state/root/gnupg"
- "L /root/.emacs.d - - - - /state/root/emacs.d"
+ # "L /root/.emacs.d - - - - /state/root/emacs.d"
 "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
 "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
 "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
@@ -31,6 +33,23 @@ with lib; {
 "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
 ];
+ networking = {
+ defaultGateway = {
+ address = "10.0.0.1";
+ interface = "intif0";
+ };
+
+ interfaces = {
+ intif0 = {
+ useDHCP = false;
+ ipv4.addresses = [{
+ address = primary-ip;
+ prefixLength = 22;
+ }];
+ };
+ };
+ };
+
 services = {
 openssh = {
 hostKeys = [
diff --git a/config/sites.nix b/config/sites.nix
index 16289ff..212d7e5 100644
--- a/config/sites.nix
+++ b/config/sites.nix
@@ -9,6 +9,7 @@
 dynamic-network = "10.0.1.0/24";
 timezone = "America/Los_Angeles";
 gateway-host = "nostromo";
+ deploy-pubkey = "ssh-rsa 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";
 # FIXME: good idea?
 # network-mounts = {
 # "/mnt/documents" = {
diff --git a/lib/fudo/networks/rus.selby.ca.nix b/lib/fudo/networks/rus.selby.ca.nix
deleted file mode 100644
index 3d5d744..0000000
--- a/lib/fudo/networks/rus.selby.ca.nix
+++ /dev/null
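Review bot: The new `deploy-pubkey` entry in config/sites.nix has no comment explaining what setting it does; the `# FIXME: good idea?` beneath it is a pre-existing context line that belongs to the commented-out network-mounts block. Per lib/fudo/sites.nix in this same series, a non-null `deploy-pubkey` is written to `/etc/dropbear/authorized_keys` as `root@deploy` and switches on the dropbear deploy socket plus its firewall rule on every host that uses this site, so this one line is effectively a site-wide root credential. I would put that in a comment above it, e.g. `# Enables the dropbear deploy listener (lib/fudo/sites.nix) with root access on every host of this site; rotate together with the deploy host's private key.`.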
@@ -1,86 +0,0 @@ -{ config, lib, ... }: - -{ - default-host = "10.0.0.1"; - - mx = [ "mail.fudo.org" ]; - - hosts = { - clunk = { - ipv4-address = "10.0.0.1"; - mac-address = "02:44:d1:eb:c3:6b"; - }; - - dns-proxy = { - ipv4-address = "10.0.0.2"; - # This is just a second IP on clunk, for the pihole - }; - - google-wifi = { - ipv4-address = "10.0.0.11"; - mac-address = "70:3a:cb:c0:3b:09"; - }; - - pselby-work = { - ipv4-address = "10.0.0.151"; - mac-address = "00:50:b6:aa:bd:b3"; - }; - - downstairs-desktop = { - ipv4-address = "10.0.0.100"; - mac-address = "90:b1:1c:8e:29:cf"; - }; - - upstairs-desktop = { - ipv4-address = "10.0.0.101"; - mac-address = "80:e8:2c:22:65:c2"; - }; - }; - - aliases = { - dns-hole = "clunk"; - gateway = "clunk"; - upstairs = "upstairs-desktop"; - downstairs = "downstairs-desktop"; - }; - - srv-records = { - tcp = { - domain = [{ - port = 53; - host = "clunk.${local-domain}"; - }]; - kerberos = [{ - port = 88; - host = "france.fudo.org"; - }]; - kerberos-adm = [{ - port = 88; - host = "france.fudo.org"; - }]; - ssh = [{ - port = 22; - host = "clunk.${local-domain}"; - }]; - }; - - udp = { - domain = [{ - port = 53; - host = "clunk.${local-domain}"; - }]; - kerberos = [{ - port = 88; - host = "france.fudo.org"; - }]; - kerboros-master = [{ - port = 88; - host = "france.fudo.org"; - }]; - kpasswd = [{ - port = 464; - host = "france.fudo.org"; - }]; - }; - }; -} diff --git a/lib/fudo/networks/sea.fudo.org.nix b/lib/fudo/networks/sea.fudo.org.nix deleted file mode 100644 index 68e017b..0000000 --- a/lib/fudo/networks/sea.fudo.org.nix +++ /dev/null 
@@ -1,214 +0,0 @@ -{ config, lib, ... }: - -{ - default-host = "10.0.0.1"; - - mx = [ "mail.fudo.org" ]; - - aliases = { - kadmin = "nostromo"; - kdc = "nostromo"; - photo = "doraemon"; - music = "doraemon"; - panopticon = "lambda"; - panopticon-od = "lambda"; - ipfs = "nostromo"; - hole = "nostromo"; - pihole = "nostromo"; - dns-hole = "nostromo"; - mon-1 = "srv-1"; - }; - - srv-records = { - tcp = { - domain = [{ - port = 53; - host = "nostromo.sea.fudo.org"; - }]; - kerberos = [{ - port = 88; - host = "france.fudo.org"; - }]; - kerberos-adm = [{ - port = 88; - host = "france.fudo.org"; - }]; - ssh = [{ - port = 22; - host = "nostromo.sea.fudo.org"; - }]; - ldap = [{ - port = 389; - host = "france.fudo.org"; - }]; - }; - - udp = { - domain = [{ - port = 53; - host = "nostromo.sea.fudo.org"; - }]; - kerberos = [{ - port = 88; - host = "france.fudo.org"; - }]; - kerboros-master = [{ - port = 88; - host = "france.fudo.org"; - }]; - kpasswd = [{ - port = 464; - host = "france.fudo.org"; - }]; - }; - }; - - hosts = { - nostromo = { - ip-address = "10.0.0.1"; - mac-address = "46:54:76:06:f1:10"; - }; - lm = { - ip-address = "10.0.0.2"; - mac-address = "00:23:7d:e6:d9:ea"; - }; - lambda = { - ip-address = "10.0.0.3"; - mac-address = "02:50:f6:52:9f:9d"; - }; - switch-master = { - ip-address = "10.0.0.5"; - mac-address = "00:14:1C:B6:BB:40"; - }; - google-wifi = { - ip-address = "10.0.0.7"; - mac-address = "7C:D9:5C:9F:6F:E9"; - }; - cam-entrance = { - ip-address = "10.0.0.31"; - mac-address = "9c:8e:cd:0e:99:7b"; - }; - cam-driveway = { - ip-address = "10.0.0.32"; - mac-address = "9c:8e:cd:0d:3b:09"; - }; - cam-deck = { - ip-address = "10.0.0.33"; - mac-address = "9c:8e:cd:0e:98:c8"; - }; - cargo = { - ip-address = "10.0.0.50"; - mac-address = "00:11:32:75:d8:b7"; - }; - whitedwarf = { - ip-address = "10.0.0.51"; - mac-address = "00:11:32:12:14:1d"; - }; - doraemon = { - ip-address = "10.0.0.52"; - mac-address = "00:11:32:0a:06:c5"; - }; - android = { - ip-address = 
"10.0.0.81"; - mac-address = "00:16:3e:43:39:fc"; - }; - retro-wired = { - ip-address = "10.0.0.82"; - mac-address = "dc:a6:32:6b:57:43"; - }; - retro = { - ip-address = "10.0.0.83"; - mac-address = "dc:a6:32:6b:57:45"; - }; - monolith = { - ip-address = "10.0.0.100"; - mac-address = "6c:62:6d:c8:b0:d8"; - }; - taipan = { - ip-address = "10.0.0.107"; - mac-address = "52:54:00:34:c4:78"; - }; - spark = { - ip-address = "10.0.0.108"; - mac-address = "78:24:af:04:f7:dd"; - }; - hyperion = { - ip-address = "10.0.0.109"; - mac-address = "52:54:00:33:46:de"; - }; - zbox = { - ip-address = "10.0.0.110"; - mac-address = "02:dd:80:52:83:9b"; - }; - ubiquiti-wifi = { - ip-address = "10.0.0.126"; - mac-address = "04:18:d6:20:48:fb"; - }; - generator-wireless = { - ip-address = "10.0.0.130"; - mac-address = "B8:27:EB:A6:32:26"; - }; - brother-wireless = { - ip-address = "10.0.0.160"; - mac-address = "c0:38:96:64:49:65"; - }; - nest = { - ip-address = "10.0.0.176"; - mac-address = "18:b4:30:16:7c:5a"; - }; - xixi-phone = { - ip-address = "10.0.0.193"; - mac-address = "48:43:7c:75:89:42"; - }; - ipad = { - ip-address = "10.0.0.202"; - mac-address = "9c:35:eb:48:6e:71"; - }; - cam-front = { - ip-address = "10.0.0.203"; - mac-address = "c4:d6:55:3e:b4:c3"; - }; - family-tv = { - ip-address = "10.0.0.205"; - mac-address = "84:a4:66:3a:b1:f8"; - }; - babycam = { - ip-address = "10.0.0.206"; - mac-address = "08:ea:40:59:5f:9e"; - }; - workphone = { - ip-address = "10.0.0.211"; - mac-address = "a8:8e:24:5c:12:67"; - }; - chromecast-2 = { - ip-address = "10.0.0.215"; - mac-address = "a4:77:33:59:a2:ba"; - }; - front-light = { - ip-address = "10.0.0.221"; - mac-address = "94:10:3e:48:94:ed"; - }; - - # Ceph network - srv-1 = { - ip-address = "10.0.10.1"; - mac-address = "02:65:d7:00:7d:1b"; - }; - node-1 = { - ip-address = "10.0.10.101"; - mac-address = "00:1e:06:36:81:cf"; - }; - node-2 = { - ip-address = "10.0.10.102"; - mac-address = "00:1e:06:36:ec:3e"; - }; - node-3 = { - 
ip-address = "10.0.10.103";
- mac-address = "00:1e:06:36:ec:4b";
- };
- node-4 = {
- ip-address = "10.0.10.104";
- mac-address = "00:1e:06:36:dd:8c";
- };
- };
-}
diff --git a/lib/fudo/sites.nix b/lib/fudo/sites.nix
index 03599be..f3dcbdc 100644
--- a/lib/fudo/sites.nix
+++ b/lib/fudo/sites.nix
@@ -95,6 +95,12 @@ let
 description = "Location of Dropbear ECDSA key.";
 default = "/etc/dropbear/host_ecdsa_key";
 };
+
+ dropbear-deploy-port = mkOption {
+ type = port;
+ description = "Port to be used for the deploy SSH server.";
+ default = 2112;
+ };
 };
 };
@@ -107,16 +113,30 @@ in {
 config = mkIf (site-cfg.deploy-pubkey != null) {
 environment.etc."dropbear/authorized_keys" = {
- text = "root@deploy ${site-cfg.deploy-pubkey}";
+ text = "${site-cfg.deploy-pubkey} root@deploy";
 mode = "0400";
 };
- systemd.services = let dropbear-port = 2112;
- in {
+ networking.firewall.allowedTCPPorts = [ site-cfg.dropbear-deploy-port ];
- dropbear-init = {
- wantedBy = [ "multi-user.target" ];
- script = ''
+ systemd = {
+ sockets = {
+ dropbear-deploy = {
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ ListenStream = "0.0.0.0:${toString site-cfg.dropbear-deploy-port}";
+ Accept = true;
+ };
+ unitConfig = {
+ restartIfChanged = true;
+ };
+ };
+ };
+
+ services = {
+ dropbear-deploy-init = {
+ wantedBy = [ "multi-user.target" ];
+ script = ''
 if [ ! -d /etc/dropbear ]; then
 mkdir /etc/dropbear
 chmod 700 /etc/dropbear
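Review bot: The deploy socket in lib/fudo/sites.nix listens on `0.0.0.0:${toString site-cfg.dropbear-deploy-port}` and `networking.firewall.allowedTCPPorts` opens that port on every interface, so a root-capable SSH entry point becomes reachable from any network the host is attached to rather than only the one the deploy host lives on. Because the authorized key is the only control (password logins are turned off with `-s` in the service hunk that follows), binding `ListenStream` to the host's internal address, or opening the port only via `networking.firewall.interfaces.<internal-if>.allowedTCPPorts`, would keep the listener off external-facing links. Separately, `restartIfChanged = true` under `unitConfig` is emitted into the socket unit's `[Unit]` section, which systemd does not recognise; in NixOS it is a unit-level option, so `systemd.sockets.dropbear-deploy.restartIfChanged = true;` is presumably what was meant — worth confirming against the generated unit.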
@@ -132,15 +152,18 @@ in {
 ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-ecdsa-key-path}
 fi
 '';
- };
+ };
- dropbear = {
- requires = [ "dropbear-init.service" ];
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
- serviceConfig = {
- type = "simple";
- ExecStart = "${pkgs.dropbear} -F -m -s -j -k -p ${dropbear-port}";
+ "dropbear-deploy@" = {
+ description = "Per-connection service for deployment, using dropbear.";
+ requires = [ "dropbear-deploy-init.service" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.dropbear}/bin/dropbear -F -i -m -s -j -k -r ${site-cfg.dropbear-rsa-key-path} -r ${site-cfg.dropbear-ecdsa-key-path}";
+ ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
+ StandardInput = "socket";
+ };
 };
 };
 };
From 986bd347bd15ea4a69c5b12d61d4b7ccf20e636b Mon Sep 17 00:00:00 2001
From: Root
Date: Fri, 9 Apr 2021 21:26:12 +0000
Subject: [PATCH 2/3] Changes for lambda
---
config/hardware/lambda.nix | 9 ++--
config/hosts/lambda.nix | 71 +++++++++++++++++++++++++++++++-
config/networks/sea.fudo.org.nix | 2 +-
config/profiles/server.nix | 4 +-
4 files changed, 76 insertions(+), 10 deletions(-)
diff --git a/config/hardware/lambda.nix b/config/hardware/lambda.nix
index 1624afd..0a4845f 100644
--- a/config/hardware/lambda.nix
+++ b/config/hardware/lambda.nix
@@ -19,7 +19,6 @@
 };
 kernelModules = [ "kvm-amd" ];
- externalModulePackages = [ ];
 kernelPackages = pkgs.linuxPackages_latest;
 loader.grub = {
@@ -49,16 +48,16 @@
 networking = {
 macvlans = {
- intif0 = {
+ extif0 = {
 interface = "enp3s0f1";
 mode = "bridge";
 };
 };
 interfaces = {
- intif0 = {
- # output of: echo lambda-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
- macAddress = "02:f5:fe:8c:22:fe";
+ extif0 = {
+ # output of: echo lambda-extif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+ macAddress = "02:27:fe:1c:3c:6e";
 };
 };
 };
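Review bot: `dropbear-deploy@` declares `requires = [ "dropbear-deploy-init.service" ]` but its `after` list names only `network.target`, and `Requires=` alone does not order units, so the per-connection instance is not held back behind the init service that creates `/etc/dropbear` and the host keys; on a first boot the first incoming connection can spawn dropbear before the `-r` key files exist and the session simply fails. `after = [ "network.target" "dropbear-deploy-init.service" ];` closes that gap. `ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID"` on a `-i` inetd-mode, one-connection instance presumably has nothing to reload and could be dropped. The enclosing `config` attribute set starts outside this hunk.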
diff --git a/config/hosts/lambda.nix b/config/hosts/lambda.nix
index 90349aa..fe32bcb 100644
--- a/config/hosts/lambda.nix
+++ b/config/hosts/lambda.nix
@@ -1,11 +1,22 @@
 { config, lib, pkgs, ... }:
-let primary-ip = "10.0.0.3";
+let
+ primary-ip = "10.0.0.3";
+ shinobi-port = "7080";
+ shinobi-od-port = "7082";
 in {
+
+ # TODO: remove?
+ nixpkgs.config.permittedInsecurePackages = [
+ "openssh-with-gssapi-8.4p1" # CVE-2021-28041
+ ];
+
 fudo.slynk.enable = true;
 networking = {
+ defaultGateway = "10.0.0.1";
+
 interfaces = {
 enp3s0f0.useDHCP = false;
 enp3s0f1.useDHCP = false;
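Review bot: `nixpkgs.config.permittedInsecurePackages = [ "openssh-with-gssapi-8.4p1" ]` overrides nixpkgs' refusal to build a package it has flagged for CVE-2021-28041, and the only rationale recorded is `# TODO: remove?`; the same allow-list is added again to config/host-config/lambda.nix in patch 3 of this series. The comment should name which consumer on lambda needs the GSSAPI build (nothing in this hunk shows one) and the condition that retires the exception, e.g. `# Needed by <consumer — fill in>; drop once nixpkgs ships a patched openssh-with-gssapi (CVE-2021-28041).`. If no service on the host actually depends on the GSSAPI variant, deleting the allow-list is the simpler and safer fix.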
@@ -28,5 +39,61 @@ in {
 api-address = "/ip4/${primary-ip}/tcp/5001";
 };
- # TODO: add camera
+ virtualisation.oci-containers.containers = {
+ shinobi = {
+ image = "shinobisystems/shinobi:latest";
+ ports = [ "${shinobi-port}:8080" ];
+ volumes = [
+ "/srv/shinobi/plugins:/home/Shinobi/plugins"
+ "/srv/shinobi/config:/home/Shinobi/config"
+ "/srv/shinobi/videos:/home/Shinobi/videos"
+ "/srv/shinobi/db-data:/var/lib/mysql"
+ "/etc/localtime:/etc/localtime:ro"
+ ];
+ };
+
+ # shinobi-od = {
+ # image = "shinobisystems/shinobi-tensorflow:latest";
+ # volumes =
+ # [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ];
+ # ports = [ "${shinobi-od-port}:8082" ];
+ # environment = {
+ # PLUGIN_HOST = "panopticon.sea.fudo.org";
+ # PLUGIN_PORT = shinobi-port;
+ # PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3";
+ # };
+ # };
+
+ # photoprism = { image = "photoprism/photoprism"; };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = {
+ "panopticon.sea.fudo.org" = {
+ locations."/" = {
+ proxyPass = "http://localhost:${shinobi-port}";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ '';
+ };
+ };
+ # "panopticon-od.sea.fudo.org" = {
+ # locations."/" = {
+ # proxyPass = "http://localhost:${shinobi-od-port}";
+ # extraConfig = ''
+ # proxy_http_version 1.1;
+ # proxy_set_header Upgrade $http_upgrade;
+ # proxy_set_header Connection "Upgrade";
+ # '';
+ # };
+ # };
+ };
+ };
 }
diff --git a/config/networks/sea.fudo.org.nix b/config/networks/sea.fudo.org.nix
index dd22863..6a66637 100644
--- a/config/networks/sea.fudo.org.nix
+++ b/config/networks/sea.fudo.org.nix
@@ -77,7 +77,7 @@ in {
 };
 lambda = {
 ip-address = "10.0.0.3";
- mac-address = "02:50:f6:52:9f:9d";
+ mac-address = "02:27:fe:1c:3c:6e";
 };
 switch-master = {
 ip-address = "10.0.0.5";
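Review bot: The `shinobi` container publishes `ports = [ "${shinobi-port}:8080" ]` without a bind address, so the runtime exposes the camera UI on all of lambda's addresses even though its only intended client is the nginx proxy on the same host; `ports = [ "127.0.0.1:${shinobi-port}:8080" ];` keeps it reachable solely through the `panopticon.sea.fudo.org` virtual host. That vhost is plain HTTP (no `forceSSL`/`enableACME` or equivalent), so the Shinobi login crosses the network in clear. The commented-out `shinobi-od` block carries a literal `PLUGIN_KEY` value: even disabled, a credential in a committed Nix file belongs in a secrets mechanism and should be rotated if it was ever live. `image = "shinobisystems/shinobi:latest"` is unpinned, so a later rebuild can silently pull a different image.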
diff --git a/config/profiles/server.nix b/config/profiles/server.nix
index a8cd609..b7d1879 100644
--- a/config/profiles/server.nix
+++ b/config/profiles/server.nix
@@ -6,7 +6,6 @@ let
 emacs-nox
 ldns
 ldns.examples
- jdk14_headless
 racket-minimal
 reboot-if-necessary
 test-config
@@ -24,7 +23,8 @@ let
 $WALL "$1 exists, rebooting system"
 ${pkgs.systemd}/bin/reboot
 else
- $WALL "$1 does not exist, aborting reboot."
+ $WALL "$1 does not exist, switching config."
+ nixos-rebuild switch
 fi
 exit 0
From d9b0132e456650ad54142316158b1d1ebd81b971 Mon Sep 17 00:00:00 2001
From: Root
Date: Fri, 9 Apr 2021 14:48:28 -0700
Subject: [PATCH 3/3] Corrected MAC for lambda, and changed extif0 -> intif0
---
config/hardware/lambda.nix | 8 ++++----
config/host-config/lambda.nix | 19 +++++++++----------
config/networks/sea.fudo.org.nix | 22 +++++++++------------
3 files changed, 22 insertions(+), 27 deletions(-)
diff --git a/config/hardware/lambda.nix b/config/hardware/lambda.nix
index 0a4845f..97a4d2a 100644
--- a/config/hardware/lambda.nix
+++ b/config/hardware/lambda.nix
@@ -48,16 +48,16 @@
 networking = {
 macvlans = {
- extif0 = {
+ intif0 = {
 interface = "enp3s0f1";
 mode = "bridge";
 };
 };
 interfaces = {
- extif0 = {
- # output of: echo lambda-extif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
- macAddress = "02:27:fe:1c:3c:6e";
+ intif0 = {
+ # output of: echo lambda-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+ macAddress = "02:f5:fe:8c:22:fe";
 };
 };
 };
diff --git a/config/host-config/lambda.nix b/config/host-config/lambda.nix
index 90349aa..d630aa7 100644
--- a/config/host-config/lambda.nix
+++ b/config/host-config/lambda.nix
@@ -1,8 +1,11 @@
 { config, lib, pkgs, ... }:
-let primary-ip = "10.0.0.3";
-
-in {
+{
+ # TODO: remove?
+ nixpkgs.config.permittedInsecurePackages = [
+ "openssh-with-gssapi-8.4p1" # CVE-2021-28041
+ ];
+
 fudo.slynk.enable = true;
 networking = {
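Review bot: The new `nixos-rebuild switch` line in the reboot-if-necessary script calls the tool by bare name while the neighbouring `reboot` uses the full `${pkgs.systemd}/bin/reboot` store path, so it depends on whatever PATH the caller provides, and its exit status is thrown away by the unconditional `exit 0` below, so a failed switch is reported as success. A script named for rebooting that now also rebuilds and activates the system configuration is a much larger side effect than its name suggests; at minimum spell out the binary and propagate failure, e.g. `${pkgs.nixos-rebuild}/bin/nixos-rebuild switch || exit 1`. The script body begins above this hunk, so who invokes it and whether it runs as root are not visible here.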
@@ -12,12 +15,8 @@ in {
 enp4s0f0.useDHCP = false;
 enp4s0f1.useDHCP = false;
- extif0 = {
- useDHCP = false;
- ipv4.addresses = [{
- address = primary-ip;
- prefixLength = 22;
- }];
+ intif0 = {
+ useDHCP = true;
 };
 };
 };
@@ -25,7 +24,7 @@ in {
 fudo.ipfs = {
 enable = true;
 users = [ "niten" ];
- api-address = "/ip4/${primary-ip}/tcp/5001";
+ api-address = "/ip4/0.0.0.0/tcp/5001";
 };
 # TODO: add camera
diff --git a/config/networks/sea.fudo.org.nix b/config/networks/sea.fudo.org.nix
index 3a3ec29..844804d 100644
--- a/config/networks/sea.fudo.org.nix
+++ b/config/networks/sea.fudo.org.nix
@@ -68,20 +68,8 @@ in {
 hosts = {
 limina = {
- ip-address = "10.0.0.6";
- mac-address = "02:fd:79:94:a2:a8";
- };
- nostromo = {
 ip-address = "10.0.0.1";
- mac-address = "46:54:76:06:f1:10";
- };
- lm = {
- ip-address = "10.0.0.2";
- mac-address = "00:23:7d:e6:d9:ea";
- };
- lambda = {
- ip-address = "10.0.0.3";
- mac-address = "02:27:fe:1c:3c:6e";
+ mac-address = "02:fd:79:94:a2:a8";
 };
 switch-master = {
 ip-address = "10.0.0.5";
@@ -90,6 +78,14 @@ in {
 google-wifi = {
 ip-address = "10.0.0.7";
 mac-address = "7C:D9:5C:9F:6F:E9";
+ };
+ nostromo = {
+ ip-address = "10.0.0.10";
+ mac-address = "46:54:76:06:f1:10";
+ };
+ lambda = {
+ ip-address = "10.0.0.11";
+ mac-address = "02:f5:fe:8c:22:fe";
 };
 cam-entrance = {
 ip-address = "10.0.0.31";
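Review bot: `api-address = "/ip4/0.0.0.0/tcp/5001"` binds the IPFS RPC API, which gives full control of the node, to every interface on lambda, where the old value limited it to the host's primary address; the change was presumably forced by `primary-ip` disappearing once `intif0` moves to `useDHCP = true` in the hunk above. Unless a remote client needs the API, `api-address = "/ip4/127.0.0.1/tcp/5001";` is the safer replacement, and if LAN access is genuinely required the firewall should restrict port 5001 to the internal interface rather than relying on the bind address. The `fudo.ipfs` block continues beyond the hunk, so any firewall setting it may carry is not visible here.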
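Review bot: After this hunk `limina` owns `10.0.0.1` and `nostromo` moves to `10.0.0.10` in the following hunk, yet config/sites.nix (patch 1) still records `gateway-host = "nostromo"`, plato's `defaultGateway.address` is `"10.0.0.1"` (patch 1) and lambda's `defaultGateway` is `"10.0.0.1"` (patch 2), so one side of this is presumably stale. If limina is the new gateway, `gateway-host` should follow; if nostromo still is, both `defaultGateway` values need to become `10.0.0.10`. A comment on the `limina` entry such as `# site gateway; keep in sync with gateway-host in config/sites.nix` would stop the next renumbering from silently breaking routing.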