nix/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Arg, fucking port forwarding is shit

Browse Source
This commit is contained in:
Niten 2021-03-17 19:45:40 +00:00
parent 098b55d047
commit d3e395b71d
12 changed files with 163 additions and 127 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config/domains/rus.selby.ca.nix
View File

@ -2,4 +2,4 @@
{
}
}

10
config/hosts.nix
View File

@ -26,6 +26,8 @@
domain = "rus.selby.ca";
site = "russell";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5";
};
downstairs-desktop = {
@ -43,6 +45,8 @@
domain = "rus.selby.ca";
site = "russell";
profile = "desktop";
ssh-pubkey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqyDT/JqTxWZbpOXzy1Sxba2z2hNzt2BqjLspPvJLVc9zks1GMlnKAY5Nb7y7oi+CzeZMU+KAa069wZ/mYvpas=";
};
france = {
@ -59,6 +63,8 @@
domain = "fudo.org";
site = "portage";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn";
};
google-wifi = {
@ -96,6 +102,8 @@
domain = "sea.fudo.org";
site = "seattle";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb";
};
plato = {
@ -111,6 +119,8 @@
domain = "rus.selby.ca";
site = "russell";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b";
};
procul = {

2
config/hosts/plato.nix
View File

@ -27,6 +27,8 @@ with lib; {
"L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
"L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
"L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
];
services = {

5
config/profiles/common.nix
View File

@ -59,7 +59,10 @@ in {
};
};
fail2ban.enable = true;
fail2ban = {
enable = true;
bantime-increment.enable = true;
};
xserver = {
layout = "us";

1
initialize.nix
View File

@ -20,7 +20,6 @@
fudo.hosts."${hostname}" = {
domain = domain;
hostname = hostname;
site = site;
profile = profile;
};

1
lib/default.nix
View File

@ -16,6 +16,7 @@ with lib; {
./fudo/domains.nix
./fudo/garbage-collector.nix
./fudo/git.nix
./fudo/global.nix
./fudo/grafana.nix
./fudo/hosts.nix
./fudo/ipfs.nix

64
lib/fudo/common.nix
View File

@ -1,65 +1,5 @@
# General Fudo config, shared across packages
{ config, lib, pkgs, ... }:
with lib; {
options.fudo.common = {
hostname = mkOption {
type = types.str;
description = ''
Hostname of the local host (without domain).
'';
};
# domain = mkOption {
# type = types.str;
# description = ''
# Domain of the local network.
# '';
# };
# local-networks = mkOption {
# type = with types; listOf str;
# description = ''
# A list of networks to consider 'local'. Used by various services to
# limit access to the external world.
# '';
# default = [ ];
# };
# profile = mkOption {
# type = with types; nullOr str;
# example = "desktop";
# description = ''
# The profile to use for this host. This will do some profile-dependent
# configuration, for example removing X-libs from servers and adding UI
# packages to desktops.
# '';
# default = null;
# };
# site = mkOption {
# type = with types; nullOr str;
# example = "seattle";
# description = ''
# The site at which this host is located. This will do some site-dependent
# configuration.
# '';
# default = null;
# };
# www-root = mkOption {
# type = types.path;
# description = "Path at which to store www files for serving.";
# example = /var/www;
# };
# admin-email = mkOption {
# type = types.str;
# description = "Email for administrator of this system.";
# default = "admin@fudo.org";
# };
# enable-gui = mkEnableOption "Install desktop GUI software.";
};
}
with lib;
{ }

5
lib/fudo/global.nix Normal file
View File

@ -0,0 +1,5 @@
{ config, lib, pkgs, ... }:
with lib; {
config = { };
}

61
lib/fudo/hosts.nix
View File

@ -4,21 +4,28 @@ with lib;
let
hostOpts = { hostname, ... }: {
options = with types; {
hostname = mkOption {
type = types.str;
description = "Hostname (without domain name).";
default = hostname;
};
domain = mkOption {
type = types.str;
type = str;
description =
"Domain to which the host belongs, in the form of a domain name.";
"Primary domain to which the host belongs, in the form of a domain name.";
default = "fudo.org";
};
extra-domains = mkOption {
type = listOf str;
description = "Extra domain in which this host is reachable.";
default = [ ];
};
aliases = mkOption {
type = listOf str;
description =
"Host aliases used by the current host. Note this will be multiplied with extra-domains.";
default = [ ];
};
site = mkOption {
type = types.str;
type = str;
description = "Site at which the host is located.";
};
@ -50,7 +57,7 @@ let
};
description = mkOption {
type = types.str;
type = str;
description = "Description of this host.";
default = "Another Fudo Host.";
};
@ -92,6 +99,13 @@ let
"List of services which should exist for this host, if it belongs to a realm.";
default = [ "ssh" "host" ];
};
ssh-pubkey = mkOption {
type = nullOr str;
description =
"SSH key of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key.";
default = null;
};
};
};
@ -136,5 +150,32 @@ in {
enableOnBoot = true;
autoPrune.enable = true;
};
programs.ssh.knownHosts = let
keyed-hosts =
filterAttrs (host: opts: opts.ssh-pubkey != null) config.fudo.hosts;
traceOut = obj: builtins.trace obj obj;
crossProduct = f: list0: list1:
concatMap (el0: map (el1: f el0 el1) list1) list0;
getHostnames = hostOpts:
[ hostOpts.hostname ]
++ (crossProduct (host: domain: "${host}.${domain}")
([ hostOpts.hostname ] ++ hostOpts.aliases)
([ hostOpts.domain ] ++ hostOpts.extra-domains));
getHostEntryPairs = host:
map (hostname: nameValuePair hostname { publicKey = host.ssh-pubkey; })
(getHostnames host);
hostAttrsToList = hostAttrs:
mapAttrsToList (hostname: opts: { hostname = hostname; } // opts)
hostAttrs;
getKnownHosts = hosts:
concatMap getHostEntryPairs (hostAttrsToList hosts);
in listToAttrs (getKnownHosts keyed-hosts);
};
}

13
lib/fudo/kdc.nix
View File

@ -34,14 +34,13 @@ let
${pkgs.heimdalFull}/bin/kstash --key-file=${key-file} --random-key
${pkgs.heimdalFull}/bin/kadmin -l -c ${kdc-conf} -- init --realm-max-ticket-life="${max-lifetime}" --realm-max-renewable-life="${max-renewal}" RUS.SELBY.CA
${add-hosts-principals realm kdc-conf}
${pkgs.heimdalFull}/bin/kadmin -l -c ${kdc-conf} -- add --random-key --use-defaults kadmin/${local-hostname}@${realm}
${pkgs.heimdalFull}/bin/kadmin -l -c ${kdc-conf} -- ext_keytab --keytab=${primary-keytab} */${local-hostname}@${realm}
${pkgs.heimdalFull}/bin/kadmin -l -c ${kdc-conf} -- ext_keytab --keytab=${kadmin-keytab} kadmin/${local-hostname}@${realm}
${pkgs.coreutils}/bin/chown ${user}:${group} ${key-file}
${pkgs.coreutils}/bin/chown ${user}:${group} ${db-name}
${pkgs.coreutils}/bin/chown ${user}:${group} ${iprop-log}
${pkgs.coreutils}/bin/chown ${user}:${group} ${primary-keytab}
${pkgs.coreutils}/bin/chown ${user}:${group} ${kadmin-keytab}
${pkgs.heimdalFull}/bin/kadmin -l -c ${kdc-conf} -- ext_keytab --keytab=${kadmin-keytab} kadmin/admin@${realm}
#${pkgs.coreutils}/bin/chown ${user}:${group} ${key-file}
#${pkgs.coreutils}/bin/chown ${user}:${group} ${db-name}
#${pkgs.coreutils}/bin/chown ${user}:${group} ${iprop-log}
#${pkgs.coreutils}/bin/chown ${user}:${group} ${primary-keytab}
#${pkgs.coreutils}/bin/chown ${user}:${group} ${kadmin-keytab}
fi
'';

125
lib/fudo/system.nix
View File

@ -435,53 +435,88 @@ in {
};
config = {
# boot.kernel.sysctl = mkIf (cfg.internal-port-map != { }) {
# "net.ipv4.conf.all.route_localhost" = "1";
# };
# networking.firewall = let
# ip-forward-line = protocols: internal: external:
# concatStringsSep "\n" (map (protocol:
# "${pkgs.iptables}/bin/iptables -t nat -I PREROUTING -p ${protocol} --dport ${
# toString external
# } -j DNAT --to 127.0.0.1:${toString internal}") protocols);
# ip-unforward-line = protocols: internal: external:
# concatStringsSep "\n" (map (protocol:
# "${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -p ${protocol} --dport ${
# toString external
# } -j DNAT --to 127.0.0.1:${toString internal} || true") protocols);
# protocol-list = protocol:
# if (protocol == null) then [ "tcp" "udp" ] else [ protocol ];
# in {
# extraCommands = concatStringsSep "\n" (mapAttrsToList (name: opts:
# ip-forward-line (protocol-list opts.protocol) opts.internal-port
# opts.external-port) cfg.internal-port-map);
# extraStopCommands = concatStringsSep "\n" (mapAttrsToList (name: opts:
# ip-unforward-line (protocol-list opts.protocol) opts.internal-port
# opts.external-port) cfg.internal-port-map);
# };
services.xinetd = mkIf ((length (attrNames cfg.internal-port-map)) > 0) {
enable = true;
services = let
svcs = mapAttrsToList (name: opts: opts // { name = name; })
cfg.internal-port-map;
svcs-protocols = concatMap
(svc: map (protocol: svc // { protocol = protocol; }) svc.protocols)
svcs;
in map (opts: {
name = opts.name;
unlisted = true;
port = opts.external-port;
server = "${pkgs.coreutils}/bin/false";
extraConfig = "redirect = localhost ${toString opts.internal-port}";
protocol = opts.protocol;
}) svcs-protocols;
boot.kernel.sysctl = mkIf (cfg.internal-port-map != { }) {
"net.ipv4.conf.all.route_localnet" = "1";
};
networking.firewall = let
iptables = "ip46tables";
ip-forward-line = protocols: internal: external:
concatStringsSep "\n" (map (protocol: ''
# ${iptables} -I PREROUTING -p ${protocol} --dport ${
toString external
} -j REDIRECT --to-ports ${toString internal}
# ${iptables} -I OUTPUT -p ${protocol} -i lo --dport ${
toString external
} -j REDIRECT --to-ports ${toString internal}
# ${iptables} -I OUTPUT -p ${protocol} -o lo --dport ${
toString external
} -j REDIRECT --to-ports ${toString internal}
# ${iptables} -t nat -I PREROUTING -p ${protocol} --dport ${
toString external
} -j REDIRECT --to-ports ${toString internal}
# ${iptables} -t nat -I OUTPUT -p ${protocol} -i lo --dport ${
toString external
} -j REDIRECT --to-ports 127.0.0.1:${toString internal}
# ${iptables} -t nat -I OUTPUT -p ${protocol} -o lo --dport ${
toString external
} -j REDIRECT --to-ports ${toString internal}
'') protocols);
ip-unforward-line = protocols: internal: external:
concatStringsSep "\n" (map (protocol: ''
# ${iptables} -D PREROUTING -p ${protocol} --dport ${
toString external
} -j REDIRECT --to-ports ${toString internal}
# ${iptables} -D OUTPUT -p ${protocol} -i lo --dport ${
toString external
} -j REDIRECT --to-ports ${toString internal}
# ${iptables} -D OUTPUT -p ${protocol} -o lo --dport ${
toString external
} -j REDIRECT --to-ports ${toString internal}
# ${iptables} -t nat -D PREROUTING -p ${protocol} --dport ${
toString external
} -j REDIRECT --to-ports ${toString internal}
# ${iptables} -t nat -D OUTPUT -p ${protocol} -i lo --dport ${
toString external
} -j REDIRECT --to-ports 127.0.0.1:${toString internal}
# ${iptables} -t nat -D OUTPUT -p ${protocol} -o lo --dport ${
toString external
} -j REDIRECT --to-ports ${toString internal}
'') protocols);
in {
enable = true;
extraCommands = concatStringsSep "\n" (mapAttrsToList (name: opts:
ip-forward-line opts.protocols opts.internal-port opts.external-port)
cfg.internal-port-map);
extraStopCommands = concatStringsSep "\n" (mapAttrsToList (name: opts:
ip-unforward-line opts.protocols opts.internal-port opts.external-port)
cfg.internal-port-map);
};
# Services.xinetd = mkIf ((length (attrNames cfg.internal-port-map)) > 0) {
# enable = true;
# services = let
# svcs = mapAttrsToList (name: opts: opts // { name = name; })
# cfg.internal-port-map;
# svcs-protocols = concatMap
# (svc: map (protocol: svc // { protocol = protocol; }) svc.protocols)
# svcs;
# in map (opts: {
# name = opts.name;
# unlisted = true;
# port = opts.external-port;
# server = "${pkgs.coreutils}/bin/false";
# extraConfig = "redirect = localhost ${toString opts.internal-port}";
# protocol = opts.protocol;
# }) svcs-protocols;
# };
systemd.timers = mapAttrs (name: opts: {
enable = true;
description = opts.description;

1
nixops/lib/hosts.nix
View File

@ -13,6 +13,7 @@ let
initialize = import ../../initialize.nix;
# This is a problem...it creates a second source of truth.
host-config = ip: config:
{ ... }: {
imports = [