From 7f3c409d56f296628e91fde9386f5ce1d2c03dd6 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 12 Apr 2021 13:38:56 -0700
Subject: [PATCH 01/10] Force hosts to contain proper localhost
---
 config/profile-config/common.nix | 2 +-
 lib/fudo/hosts.nix | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/config/profile-config/common.nix b/config/profile-config/common.nix
index f27b7c4..e95e398 100644
--- a/config/profile-config/common.nix
+++ b/config/profile-config/common.nix
@@ -31,7 +31,7 @@ in {
 };
 libdefaults = {
- allow_weak_crypto = false;
+ allow_weak_crypto = true;
 dns_lookup_kdc = true;
 dns_lookup_realm = true;
 forwardable = true;
diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix
index b0993c8..6c12067 100644
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@@ -143,7 +143,22 @@ in {
 # Necessary to ensure that Kerberos and Avahi both work. Kerberos needs
 # the fqdn of the host, whereas Avahi wants just the simple hostname.`
- hosts = { "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ]; };
+ hosts = {
+ "127.0.0.2" = [ "${hostname}.${domain-name}" "${hostname}" ];
+ "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ];
+ "::1" = [ "${hostname}.${domain-name}" "${hostname}" ];
+ };
+ };
+
+ environment.etc.hosts = mkForce {
+ text = ''
+ 127.0.0.1 ${hostname}.${domain-name} ${hostname} localhost
+ 127.0.0.2 ${hostname} localhost
+ ::1 ${hostname}.${domain-name} ${hostname} localhost
+ '';
+ user = "root";
+ group = "root";
+ mode = "0444";
 };
 nix = mkIf
From 6ee8509d990bd0672ec06074d6ccfbfacb2897f3 Mon Sep 17 00:00:00 2001
From: Root
Date: Mon, 12 Apr 2021 13:41:00 -0700
Subject: [PATCH 02/10] Don't use tmpfs for small-mem hosts
---
 config/hosts/limina.nix | 1 +
 config/hosts/plato.nix | 1 +
 config/profile-config/server.nix | 12 ++----------
 lib/fudo/hosts.nix | 9 +++++++++
 4 files changed, 13 insertions(+), 10 deletions(-)
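Review bot: `allow_weak_crypto = true;` lifts MIT krb5's filter on the single-DES enctypes for every host that imports this profile, and the hunk gives no reason or scope for it. If a particular KDC or service principal still has DES keys, record that and a removal condition next to the line, e.g. `allow_weak_crypto = true; # TODO(review): needed for <principal/KDC placeholder>; drop once it is rekeyed`, and treat rekeying that principal as the actual fix rather than loosening every client. Without such a note the flag will outlive the problem it was added for.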
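Review bot: `environment.etc.hosts = mkForce { ... }` replaces the `/etc/hosts` that NixOS generates from `networking.hosts`, so the `hosts = { ... }` attrset added just above it in this hunk never reaches the file, and entries other modules contribute through `networking.hosts` or `networking.extraHosts` are silently dropped too. The two also disagree on 127.0.0.2 (fqdn plus short name in `networking.hosts`, `${hostname} localhost` in the forced text), which is the kind of drift that is hard to spot later. Keep one source of truth: either drop the forced text and let the generated file carry these entries, or drop the `hosts = { ... }` block and add a comment above the `mkForce` saying why the generated file is bypassed. The enclosing `networking = {` block opens before this hunk and `nix = mkIf` continues past it.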
diff --git a/config/hosts/limina.nix b/config/hosts/limina.nix
index 04fb8f6..a85eb41 100644
--- a/config/hosts/limina.nix
+++ b/config/hosts/limina.nix
@@ -13,4 +13,5 @@
 profile = "server";
 ssh-pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI";
+ tmp-on-tmpfs = false;
 }
diff --git a/config/hosts/plato.nix b/config/hosts/plato.nix
index 8fa9a6c..16187c2 100644
--- a/config/hosts/plato.nix
+++ b/config/hosts/plato.nix
@@ -16,4 +16,5 @@
 build-pubkeys = [ "ssh-rsa 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" ];
+ tmp-on-tmpfs = false;
 }
diff --git a/config/profile-config/server.nix b/config/profile-config/server.nix
index 1b0b130..9cc8bf0 100644
--- a/config/profile-config/server.nix
+++ b/config/profile-config/server.nix
@@ -2,11 +2,7 @@
 with lib;
 let
- serverPackages = with pkgs; [
- emacs-nox
- reboot-if-necessary
- test-config
- ];
+ serverPackages = with pkgs; [ emacs-nox reboot-if-necessary test-config ];
 reboot-if-necessary = pkgs.writeShellScriptBin "reboot-if-necessary" ''
 if [ $# -ne 1 ]; then
@@ -50,9 +46,7 @@ in {
 imports = [ ./common.nix ];
 config = {
- environment = {
- systemPackages = serverPackages;
- };
+ environment = { systemPackages = serverPackages; };
 system.autoUpgrade.enable = false;
@@ -60,8 +54,6 @@ in {
 networking.networkmanager.enable = mkForce false;
- boot.tmpOnTmpfs = true;
-
 services = {
 xserver.enable = false;
diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix
index b0993c8..b772b68 100644
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@@ -89,6 +89,13 @@ let
 default = null;
 };
+ tmp-on-tmpfs = mkOption {
+ type = bool;
+ description =
+ "Use tmpfs for /tmp. Great if you've got enough (>16G) RAM.";
+ default = true;
+ };
+
 enable-gui = mkEnableOption "Install desktop GUI software.";
 docker-server = mkEnableOption "Enable Docker on the current host.";
@@ -172,6 +179,8 @@ in {
 autoPrune.enable = true;
 };
+ boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
+
 programs.ssh.knownHosts = let
 keyed-hosts = filterAttrs (host: opts: opts.ssh-pubkey != null) config.fudo.hosts;
From 6f070a9963b4494bd0e71c3f8f28c840c867893a Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 12 Apr 2021 14:41:08 -0700
Subject: [PATCH 03/10] Set the host domain name
---
 lib/fudo/hosts.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix
index 6c12067..9592bc9 100644
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@@ -136,6 +136,7 @@ in {
 networking = {
 hostName = config.instance.hostname;
+ domain = domain-name;
 nameservers = site.nameservers;
 # This will cause a loop on the gateway itself
 #defaultGateway = site.gateway-v4;
From 4a7c4a9469bc0a1428dbe1cd1f3de099645921e9 Mon Sep 17 00:00:00 2001
From: Root
Date: Mon, 12 Apr 2021 14:53:55 -0700
Subject: [PATCH 04/10] Only enable the firewall if there's an external interface specified
---
 lib/fudo/hosts.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix
index 10acca6..cbaf9a0 100644
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@@ -119,6 +119,12 @@ let
 description = "SSH public keys used to access the build server.";
 default = [ ];
 };
+
+ external-interfaces = mkOption {
+ type = listOf str;
+ description = "A list of interfaces on which to enable the firewall.";
+ default = [ ];
+ };
 };
 };
@@ -155,6 +161,11 @@ in {
 "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ];
 "::1" = [ "${hostname}.${domain-name}" "${hostname}" ];
 };
+
+ firewall = {
+ enable = (length host-cfg.external-interfaces) > 0;
+ allowedTCPPorts = [ 22 ];
+ };
 };
 environment.etc.hosts = mkForce {
From 358a4b85514914319c95cb96211050c35bd60546 Mon Sep 17 00:00:00 2001
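Review bot: `boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;` together with the option's `default = true` (the `tmp-on-tmpfs = mkOption` hunk earlier in this patch) turns tmpfs `/tmp` on for every host defined under `fudo.hosts`, whereas before this patch only `server.nix` set it; desktops and laptops now get it unless they opt out with `tmp-on-tmpfs = false`. If that widening is intended, say so in the option description; if not, `default = false;` plus `tmp-on-tmpfs = true;` in the server host definitions keeps the old behaviour. The attrset this line sits in continues on both sides of the hunk.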
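Review bot: `enable = (length host-cfg.external-interfaces) > 0;` fails open: a host whose definition never sets `external-interfaces` (default `[ ]`) ends up with `networking.firewall.enable = false`, which is weaker than the NixOS default of an enabled firewall, and once PATCH 07 ties fail2ban to the same value such hosts lose both while sshd keeps listening. The option description promises interfaces "on which to enable the firewall", but only the list's length is consulted, so the firewall filters every interface once it is on and the names themselves go unused. Prefer `enable = mkDefault true;` so a host has to opt out explicitly, and either use the list for what the description says or reword it to "the firewall is enabled when this list is non-empty". The unconditional `allowedTCPPorts = [ 22 ];` deserves a one-line comment stating that SSH is meant to be exposed on every host.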
From: Root
Date: Mon, 12 Apr 2021 15:27:42 -0700
Subject: [PATCH 05/10] Switch back to intif0 for lambda
---
 config/host-config/lambda.nix | 6 ++----
 config/networks/sea.fudo.org.nix | 2 +-
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/config/host-config/lambda.nix b/config/host-config/lambda.nix
index d630aa7..8feb358 100644
--- a/config/host-config/lambda.nix
+++ b/config/host-config/lambda.nix
@@ -5,7 +5,7 @@
 nixpkgs.config.permittedInsecurePackages = [
 "openssh-with-gssapi-8.4p1" # CVE-2021-28041
 ];
-
+
 fudo.slynk.enable = true;
 networking = {
@@ -15,9 +15,7 @@
 enp4s0f0.useDHCP = false;
 enp4s0f1.useDHCP = false;
- intif0 = {
- useDHCP = true;
- };
+ intif0 = { useDHCP = true; };
 };
 };
diff --git a/config/networks/sea.fudo.org.nix b/config/networks/sea.fudo.org.nix
index f93f390..94032da 100644
--- a/config/networks/sea.fudo.org.nix
+++ b/config/networks/sea.fudo.org.nix
@@ -80,7 +80,7 @@ in {
 };
 lambda = {
 ipv4-address = "10.0.0.11";
- mac-address = "e8:39:35:2c:38:08";
+ mac-address = "02:f5:fe:8c:22:fe";
 };
 plato = { ipv4-address = "10.0.0.21"; };
 cam-entrance = {
From 71d7fcd7a49af7f7fd96de7677e023bad18ecfd2 Mon Sep 17 00:00:00 2001
From: Root
Date: Mon, 12 Apr 2021 15:30:11 -0700
Subject: [PATCH 06/10] Fuck...didn't I push this?
---
 config/host-config/clunk.nix | 12 +++---------
 config/host-config/limina.nix | 8 ++------
 2 files changed, 5 insertions(+), 15 deletions(-)
diff --git a/config/host-config/clunk.nix b/config/host-config/clunk.nix
index 5cd326f..386622a 100644
--- a/config/host-config/clunk.nix
+++ b/config/host-config/clunk.nix
@@ -6,9 +6,7 @@ let
 dns-proxy-port = 5335;
- host-packages = with pkgs; [
- nixops
- ];
+ host-packages = with pkgs; [ nixops ];
 site-name = config.fudo.hosts.${config.instance.hostname}.site;
 site = config.fudo.site.${site-name};
@@ -53,13 +51,9 @@ in {
 network-definition = config.fudo.networks."rus.selby.ca";
 };
- networking = {
- firewall = {
- enable = true;
- trustedInterfaces = [ "intif0" "docker0" ];
- allowedTCPPorts = [ 22 ];
- };
+ fudo.hosts.clunk.external-interfaces = [ "enp1s0" ];
+ networking = {
 interfaces = {
 enp1s0.useDHCP = true;
diff --git a/config/host-config/limina.nix b/config/host-config/limina.nix
index 9c12b98..3c9eb6e 100644
--- a/config/host-config/limina.nix
+++ b/config/host-config/limina.nix
@@ -20,13 +20,9 @@ in {
 "openssh-with-gssapi-8.4p1" # CVE-2021-28041
 ];
- networking = {
- firewall = {
- enable = true;
- trustedInterfaces = [ "intif0" "intif1" "intif2" "lo" ];
- allowedTCPPorts = [ 22 ];
- };
+ fudo.hosts.limina.external-interfaces = [ "enp1s0" ];
+ networking = {
 interfaces = {
 enp1s0 = { useDHCP = true; };
From d9aa06e6750d0795ca8d375b80faa96cef4828f0 Mon Sep 17 00:00:00 2001
From: Root
Date: Mon, 12 Apr 2021 15:31:55 -0700
Subject: [PATCH 07/10] Ugh...too many configs
---
 config/host-config/limina.nix | 21 ++++++++++++++-------
 config/profile-config/common.nix | 2 +-
 lib/fudo/hosts/local-network.nix | 1 +
 3 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/config/host-config/limina.nix b/config/host-config/limina.nix
index 9c12b98..c691733 100644
--- a/config/host-config/limina.nix
+++ b/config/host-config/limina.nix
@@ -20,13 +20,9 @@ in {
 "openssh-with-gssapi-8.4p1" # CVE-2021-28041
 ];
- networking = {
- firewall = {
- enable = true;
- trustedInterfaces = [ "intif0" "intif1" "intif2" "lo" ];
- allowedTCPPorts = [ 22 ];
- };
+
+ networking = {
 interfaces = {
 enp1s0 = { useDHCP = true; };
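Review bot: Replacing the `networking.firewall` block with `fudo.hosts.clunk.external-interfaces = [ "enp1s0" ];` also drops `trustedInterfaces = [ "intif0" "docker0" ];`, and nothing later in this series restores it for clunk (limina loses its list the same way in the next hunk and again in PATCH 07, where it is put back under a FIXME). With the module's firewall only `allowedTCPPorts = [ 22 ]` is reachable on clunk's internal and docker interfaces, so any service LAN or container clients used on other ports (for instance if the `dns-proxy-port = 5335` from the first hunk is such a listener) is now filtered. If that tightening is intended, a comment in this hunk saying so would save the next reader the search; if not, carry `networking.firewall.trustedInterfaces = [ "intif0" "docker0" ];` across.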
@@ -41,14 +37,25 @@ in {
 intif2 = { useDHCP = false; };
 };
+ # FIXME: this should be automatic
+ firewall.trustedInterfaces = [
+ "intif0"
+ "intif1"
+ "intif2"
+ "lo"
+ "docker0"
+ ];
+
 nat = {
 enable = true;
 externalInterface = "enp1s0";
- internalInterfaces = [ "intif0" ];
+ internalInterfaces = [ "intif0" "intif1" "intif2" ];
 };
 };
 fudo = {
+ hosts.limina.external-interfaces = [ "enp1s0" ];
+
 local-network = {
 enable = true;
 domain = domain-name;
diff --git a/config/profile-config/common.nix b/config/profile-config/common.nix
index e95e398..cd771b7 100644
--- a/config/profile-config/common.nix
+++ b/config/profile-config/common.nix
@@ -56,7 +56,7 @@ in {
 };
 fail2ban = {
- enable = true;
+ enable = config.networking.firewall.enable;
 bantime-increment.enable = true;
 };
diff --git a/lib/fudo/hosts/local-network.nix b/lib/fudo/hosts/local-network.nix
index f4d2c70..f2de116 100644
--- a/lib/fudo/hosts/local-network.nix
+++ b/lib/fudo/hosts/local-network.nix
@@ -6,6 +6,7 @@ with lib;
 let
 cfg = config.fudo.hosts.local-network;
+ # FIXME: this isn't used, is it?
 gatewayServerOpts = { ... }: {
 options = {
 enable = mkEnableOption "Turn this host into a network gateway.";
From 7da8090eebabef80e60164fd20d116f9571dfa4e Mon Sep 17 00:00:00 2001
From: Niten
Date: Mon, 12 Apr 2021 15:33:44 -0700
Subject: [PATCH 08/10] Aha, here it is
---
 config/hosts/pselby-work.nix | 3 +++
 config/hosts/upstairs-desktop.nix | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/config/hosts/pselby-work.nix b/config/hosts/pselby-work.nix
index 9797c0e..c41cec0 100644
--- a/config/hosts/pselby-work.nix
+++ b/config/hosts/pselby-work.nix
@@ -1,3 +1,6 @@
 {
 description = "Google Lenovo work laptop.";
+ site = "seattle";
+ profile = "laptop";
+ domain = "sea.fudo.org";
 }
diff --git a/config/hosts/upstairs-desktop.nix b/config/hosts/upstairs-desktop.nix
index dcf14e8..313b1ce 100644
--- a/config/hosts/upstairs-desktop.nix
+++ b/config/hosts/upstairs-desktop.nix
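Review bot: The restored `firewall.trustedInterfaces` list adds `"docker0"`, which the list deleted in the previous hunk (`[ "intif0" "intif1" "intif2" "lo" ]`) did not contain, so every container on this gateway can now reach every port the host listens on, and neither the hunk nor the commit message says what needs that. If a specific service does, name it in the `# FIXME: this should be automatic` comment; otherwise drop `"docker0"`. For the FIXME itself, deriving the list from what the same `networking` block already declares, e.g. `firewall.trustedInterfaces = config.networking.nat.internalInterfaces ++ [ "lo" ];`, keeps the two from drifting as `internalInterfaces` grows (it grows in this very hunk).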
@@ -10,4 +10,7 @@
 ];
 rp = "niten";
 admin-email = "niten@fudo.org";
+ site = "russell";
+ domain = "rus.selby.ca";
+ profile = "desktop";
 }
From 3d0fda0d1cf3e53df6f6db840ce789d62f3d503c Mon Sep 17 00:00:00 2001
From: Root
Date: Mon, 12 Apr 2021 15:43:45 -0700
Subject: [PATCH 09/10] Try using DNS now that Kerberos is working again
---
 config/profile-config/common.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/profile-config/common.nix b/config/profile-config/common.nix
index e95e398..b7e2a82 100644
--- a/config/profile-config/common.nix
+++ b/config/profile-config/common.nix
@@ -45,7 +45,7 @@ in {
 openssh = {
 enable = true;
 startWhenNeeded = true;
- # useDns = true;
+ useDns = true;
 permitRootLogin = "prohibit-password";
 extraConfig = ''
 GSSAPIAuthentication yes
From f99759d5cb6ee8c6000da07d4e1ac4ffed4cb297 Mon Sep 17 00:00:00 2001
From: Niten
Date: Mon, 12 Apr 2021 22:15:13 -0700
Subject: [PATCH 10/10] Local changes
---
 config/host-config/limina.nix | 11 +++--------
 config/profile-config/common.nix | 11 +++++++----
 config/sites.nix | 1 +
 lib/fudo/hosts.nix | 2 +-
 lib/fudo/sites.nix | 6 ++++++
 5 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/config/host-config/limina.nix b/config/host-config/limina.nix
index b2d2421..5fec051 100644
--- a/config/host-config/limina.nix
+++ b/config/host-config/limina.nix
@@ -36,13 +36,8 @@ in {
 };
 # FIXME: this should be automatic
- firewall.trustedInterfaces = [
- "intif0"
- "intif1"
- "intif2"
- "lo"
- "docker0"
- ];
+ firewall.trustedInterfaces =
+ [ "intif0" "intif1" "intif2" "lo" "docker0" ];
 nat = {
 enable = true;
@@ -53,7 +48,7 @@ in {
 fudo = {
 hosts.limina.external-interfaces = [ "enp1s0" ];
-
+
 local-network = {
 enable = true;
 domain = domain-name;
diff --git a/config/profile-config/common.nix b/config/profile-config/common.nix
index fb4a081..6d387d6 100644
--- a/config/profile-config/common.nix
+++ b/config/profile-config/common.nix
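Review bot: Uncommenting `useDns = true;` makes sshd reverse-resolve each client address and check that the name resolves back before the session proceeds; the result only feeds the hostname in sshd's logs and `from=` host patterns in authorized_keys, so as far as I can tell it is unrelated to the Kerberos fix the subject line credits, since the server's GSSAPI principal derives from its own hostname. The cost is that every login stalls while the resolvers in `site.nameservers` are unreachable. If no `from=` hostname patterns are in use, leave it commented out; if they are, add a comment above it naming that dependency so the next maintainer does not revert it as a latency fix. The `openssh` block continues past the hunk.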
@@ -55,10 +55,13 @@ in {
 '';
 };
- fail2ban = {
- enable = config.networking.firewall.enable;
- bantime-increment.enable = true;
- };
+ fail2ban =
+ let domain-name = config.fudo.hosts.${config.instance.hostname}.domain;
+ in {
+ enable = config.networking.firewall.enable;
+ bantime-increment.enable = true;
+ ignoreIP = config.fudo.domains.${domain-name}.local-networks;
+ };
 xserver = {
 layout = "us";
diff --git a/config/sites.nix b/config/sites.nix
index 86c3605..5810243 100644
--- a/config/sites.nix
+++ b/config/sites.nix
@@ -21,6 +21,7 @@
 speed-factor = 2;
 };
 };
+ enable-distributed-builds = true; # FIXME: good idea?
 # network-mounts = {
 # "/mnt/documents" = {
diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix
index 4554651..477957e 100644
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@@ -183,7 +183,7 @@ in {
 nix = mkIf
 (has-build-servers && has-build-keys && site.enable-distributed-builds) {
 buildMachines = mapAttrsToList (hostname: buildOpts: {
- hostName = "${hostname}.${domain}";
+ hostName = "${hostname}.${domain-name}";
 maxJobs = buildOpts.max-jobs;
 speedFactor = buildOpts.speed-factor;
 supportedFeatures = buildOpts.supported-features;
diff --git a/lib/fudo/sites.nix b/lib/fudo/sites.nix
index 9389b42..db12e10 100644
--- a/lib/fudo/sites.nix
+++ b/lib/fudo/sites.nix
@@ -133,6 +133,12 @@ let
 description = "User as which to run builds.";
 default = "nix-site-builder";
 };
+
+ local-networks = mkOption {
+ type = listOf str;
+ description = "List of networks to consider local at this site.";
+ default = [ ];
+ };
 };
 };
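Review bot: `ignoreIP = config.fudo.domains.${domain-name}.local-networks;` reads the new option from `fudo.domains`, keyed by the host's `domain`, but the `local-networks` option this patch declares lives in `lib/fudo/sites.nix` under the site definition (last hunk of this patch); unless `fudo.domains` already carries an option of that name outside this diff, every host will fail evaluation with an undefined attribute. The site-keyed form would be `ignoreIP = config.fudo.site.${site-name}.local-networks;` with `site-name = config.fudo.hosts.${config.instance.hostname}.site;` in the `let`, the way clunk.nix looks its site up in PATCH 06. Separately, exempting whole local networks means failed logins from inside them are never banned; a comment on the line saying that trade-off is deliberate would help.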