diff --git a/assets/tinc/sternchen_host_file b/assets/tinc/sternchen_host_file
new file mode 100644
index 0000000..ebb806b
--- /dev/null
+++ b/assets/tinc/sternchen_host_file
@@ -0,0 +1,14 @@
+Ed25519PublicKey = Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEA1vhCFsFK0QSYDlXSS6ngpZbilplYtaPBzbxWYGAxa5vNtwoaO2Tz
+BZ4ptvE26TR2+Jygvlk5xdoNYAL/yhNI9p86vs/pA+sJmBlsYAWOA5qAnXoIL2u4
+1CBB9t+uMnQKhyPoBoDq6QXmM1HlFhxtkKVlLyEHxARxu7g/inFtghPqYD/HyjVJ
+V6h9OdKEgY+wcn6GGLXGjrSMAsIZP2w8fPQfS45UAtjK+cFODFKElxGZrjqgJP1w
+/Jw6nB03yKMGsMHNkiwC2BJbK3+pT92JfyqXRg3REw0hVMZghcsoNtWfBoNYLvFY
+qwk+bvf5bVdLxLMEv33+B3F8SScXuwMUpBwCeMi58ltt+OuOVhh8PLA9ncA6tGa9
+tzyUo7i8qjGTremSilWIdRYqOexriPKCdnYcJcw/L9Vl2H3QbIj7uVxbszQbqDGS
+KM43U5cXgpMIYI9CwxnWB8np7n/IXZFG5E+9afd4kYTLShzaObzu2I1yom0O4Ks7
+HsdvlsBgv4iT6ctquHtU6IFsa/Wfm4ntDiAcczoQEXs0F2v839FH62TPTY70xzyd
+wQhAdCegb6MYVmVmQL9jv8QDfxwUxtsohbW3ncBDYrdy2rmeiZDGaRJVEbyf6MKI
+OfaobRGXY0NnOURX9/fkXSydDKd3rIhOMubfUq0+Smm3YrsHWeZVvNMCAwEAAQ==
+-----END RSA PUBLIC KEY-----
diff --git a/configs/porani/syncthing.nix b/configs/porani/syncthing.nix
index 8f6ca0f..3c5ad22 100644
--- a/configs/porani/syncthing.nix
+++ b/configs/porani/syncthing.nix
@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }: {
- networking.firewall.interfaces."tinc.insecure".allowedTCPPorts = [ 8384 ];
+ networking.firewall.interfaces."tinc.secure".allowedTCPPorts = [ 8384 ];
 custom.samba-share = {
 enable = true;
@@ -12,7 +12,7 @@
 };
 services.syncthing = {
- guiAddress = lib.mkForce "${config.networking.hostName}.insecure:8384";
+ guiAddress = lib.mkForce "${config.networking.hostName}.secret:8384";
 enable = true;
 openDefaultPorts = true;
 declarative = {
diff --git a/configs/porani/tinc.nix b/configs/porani/tinc.nix
index 5357629..d59624f 100644
--- a/configs/porani/tinc.nix
+++ b/configs/porani/tinc.nix
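Review bot: The interface name `"tinc.secure"` in the firewall rule does not match the network name the rest of this commit settles on. The second hunk of this same file binds the GUI to `${config.networking.hostName}.secret:8384`, configs/porani/tinc.nix (the next hunk, on the following line) renames porani's network to `"secure"`, and every other host plus system/all/tinc.nix, the known-hosts entries and shell.nix's hostPattern use `secret`. If the per-host keys select the network definition in system/all/tinc.nix, porani ends up in a network that is not defined there and `porani.secret` never resolves, while the firewall opens 8384 on an interface that never appears. Suggested: `networking.firewall.interfaces."tinc.secret".allowedTCPPorts = [ 8384 ];` here and `"secret" = {` in configs/porani/tinc.nix.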
@@ -6,7 +6,7 @@
 # openPort = true;
 # connectTo = [ "sputnik" ];
 #};
- "insecure" = {
+ "secure" = {
 enable = true;
 openPort = true;
 connectTo = [ "sputnik" ];
diff --git a/configs/sputnik/tinc.nix b/configs/sputnik/tinc.nix
index 408357d..38ae53b 100644
--- a/configs/sputnik/tinc.nix
+++ b/configs/sputnik/tinc.nix
@@ -4,7 +4,7 @@
 enable = true;
 openPort = true;
 };
- "insecure" = {
+ "secret" = {
 enable = true;
 openPort = true;
 };
diff --git a/configs/sternchen/configuration.nix b/configs/sternchen/configuration.nix
new file mode 100644
index 0000000..515d7b2
--- /dev/null
+++ b/configs/sternchen/configuration.nix
@@ -0,0 +1,81 @@
+{ config, pkgs, lib, ... }: {
+
+ imports = [
+
+
+ ./hardware-configuration.nix
+
+ ./packages.nix
+ #./syncthing.nix
+ ./tinc.nix
+
+ ];
+
+ networking.hostName = "sternchen";
+
+ system.custom.mainUser.userName = "tina";
+
+ system.custom.wifi.interfaces = [ "wlp3s0" ];
+
+ security.wrappers = {
+ pmount.source = "${pkgs.pmount}/bin/pmount";
+ pumount.source = "${pkgs.pmount}/bin/pumount";
+ };
+
+ # keybase
+ services.keybase.enable = false;
+ services.kbfs.enable = false;
+
+ programs.custom.steam.enable = false;
+ programs.custom.video.enable = false;
+
+ services.printing.enable = true;
+
+ # fonts
+ # -----
+ programs.custom.urxvt.fontSize = 12;
+ programs.custom.xterm.fontSize = 12;
+ system.custom.fonts.dpi = 100;
+
+ virtualisation = {
+ docker.enable = false;
+
+ virtualbox = {
+ host.enable = false;
+ guest.x11 = false;
+ guest.enable = false;
+ };
+ };
+
+ configuration.desktop = {
+ width = 1366;
+ height = 768;
+ };
+
+ custom.samba-share = {
+ enable = false;
+ folders = {
+ #public = "/home/palo/movies";
+ share = "/home/share";
+ #syncthing = "/mnt/syncthing";
+ #movies = "/mnt/syncthing/movies";
+ #series = "/mnt/syncthing/series";
+ };
+ };
+
+ # enable this to use sidequest
+ programs.adb.enable = false;
+ users.users.mainUser.extraGroups = [ "adbusers" "video" ];
+
+ # for congress and streaming
+ hardware.opengl = {
+ enable = true;
+ extraPackages = [ pkgs.vaapiIntel ];
+ driSupport32Bit = true;
+ };
+ nixpkgs.config.packageOverrides = pkgs: {
+ vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+ };
+
+}
+
diff --git a/configs/sternchen/hardware-configuration.nix b/configs/sternchen/hardware-configuration.nix
new file mode 100644
index 0000000..94143af
--- /dev/null
+++ b/configs/sternchen/hardware-configuration.nix
@@ -0,0 +1,79 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+
+ imports = [ ];
+
+ boot.initrd.availableKernelModules =
+ [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ # Use the systemd-boot EFI boot loader, not grub
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ zramSwap = {
+ enable = true;
+ numDevices = 2;
+ swapDevices = 1;
+ memoryPercent = 50;
+ };
+
+ #fileSystems."/share/" = {
+ # device = "/dev/ram1";
+ # fsType = "tmpfs";
+ #};
+
+ #fileSystems."/browsers/" = {
+ # #device = "/dev/ram2";
+ # #fsType = "tmpfs";
+ # options = [ "noatime" "nodiratime" "discard" ];
+ # device = "/dev/vg/browser";
+ # fsType = "ext4";
+ #};
+
+ nix.maxJobs = lib.mkDefault 4;
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+ # lvm volume group
+ # ----------------
+ boot.initrd.luks.devices = {
+ vg = {
+ device = "/dev/sda2";
+ preLVM = true;
+ };
+ };
+
+ # NTFS support
+ # ------------
+ environment.systemPackages = [ pkgs.ntfs3g ];
+
+ # root
+ # ----
+ fileSystems."/" = {
+ options = [ "noatime" "nodiratime" "discard" ];
+ device = "/dev/vg/root";
+ fsType = "ext4";
+ };
+
+ # home
+ # ----
+ fileSystems."/home" = {
+ options = [ "noatime" "nodiratime" "discard" ];
+ device = "/dev/vg/home";
+ fsType = "ext4";
+ };
+
+ # boot
+ # ----
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ fsType = "vfat";
+ };
+
+}
diff --git a/configs/sternchen/packages.nix b/configs/sternchen/packages.nix
new file mode 100644
index 0000000..5151b17
--- /dev/null
+++ b/configs/sternchen/packages.nix
@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+let unstable = import { };
+in {
+
+ # overlay included
+ #nixpkgs.overlays = [ (import ) ];
+
+ environment.systemPackages = with pkgs; [
+ darktable
+ keepass
+ ];
+
+}
diff --git a/configs/sternchen/syncthing.nix b/configs/sternchen/syncthing.nix
new file mode 100644
index 0000000..23cf351
--- /dev/null
+++ b/configs/sternchen/syncthing.nix
@@ -0,0 +1,77 @@
+{ config, pkgs, lib, ... }: {
+
+ services.syncthing = {
+ enable = true;
+ openDefaultPorts = false;
+ user = "palo";
+ dataDir = "/home/palo/.syncthing";
+ configDir = "/home/palo/.syncthing";
+ declarative = {
+ cert = toString ;
+ key = toString ;
+ overrideFolders = true;
+ folders = {
+
+ # on encrypted drive
+ # ------------------
+ private = {
+ enable = true;
+ path = "/home/palo/private";
+ };
+ desktop = {
+ enable = true;
+ path = "/home/palo/desktop";
+ };
+ finance = {
+ enable = true;
+ path = "/home/palo/finance";
+ };
+ fotos = {
+ enable = true;
+ path = "/home/palo/fotos";
+ };
+ samples = {
+ enable = true;
+ path = "/home/palo/samples";
+ };
+ zettlr = {
+ enable = true;
+ path = "/home/palo/zettlr";
+ };
+ programs = {
+ enable = true;
+ path = "/home/palo/programs";
+ };
+
+ # no need to be encrypted
+ # -----------------------
+ books = {
+ enable = true;
+ path = "/home/palo/books";
+ };
+ music-library = {
+ enable = true;
+ path = "/home/palo/music-library";
+ };
+ music-projects = {
+ enable = true;
+ path = "/home/palo/music-projects";
+ };
+ smartphone-folder = {
+ enable = true;
+ path = "/home/palo/smartphone-folder";
+ };
+ processing = {
+ enable = true;
+ path = "/home/palo/sketchbook";
+ };
+
+ };
+ };
+ };
+
+ system.permown."/home/palo/music-library" = {
+ owner = "palo";
+ group = "users";
+ };
+}
diff --git a/configs/sternchen/tinc.nix b/configs/sternchen/tinc.nix
new file mode 100644
index 0000000..d006f26
--- /dev/null
+++ b/configs/sternchen/tinc.nix
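Review bot: The `unstable` binding in the `let` of packages.nix is never referenced — `environment.systemPackages` draws from `pkgs` only — and as rendered here `import { }` carries no path argument (an angle-bracket lookup may have been lost in extraction), so the line is dead code either way. Either drop the `let … in` wrapper, leaving `{ config, lib, pkgs, ... }: {`, or use the binding for a package that actually needs the other channel.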
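Review bot: syncthing.nix hard-codes `user = "palo"` and puts `dataDir`, `configDir` and every folder under `/home/palo`, while configs/sternchen/configuration.nix sets `system.custom.mainUser.userName = "tina"` for this host. If that option names the account these folders belong to, enabling the currently commented-out `./syncthing.nix` import would run syncthing as an account that may not exist on sternchen, against paths it cannot own, and `system.permown."/home/palo/music-library"` would chown a directory outside the user's home. A header comment stating that the file is copied from another host and still needs adapting, or deriving the user and base path from the host's main-user option instead of a literal `palo`, would make the mismatch visible before the import is re-enabled.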
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+ module.cluster.services.tinc = {
+ #"private" = {
+ # enable = true;
+ # openPort = true;
+ # connectTo = [ "sputnik" ];
+ #};
+ #"retiolum" = {
+ # enable = true;
+ # openPort = true;
+ #};
+ "secret" = {
+ enable = true;
+ openPort = true;
+ connectTo = [ "sputnik" ];
+ };
+ };
+
+}
diff --git a/configs/sternchen/wifi-access-point.nix b/configs/sternchen/wifi-access-point.nix
new file mode 100644
index 0000000..db5f81f
--- /dev/null
+++ b/configs/sternchen/wifi-access-point.nix
@@ -0,0 +1,84 @@
+{ lib, pkgs, ... }:
+
+let
+ wifi = "wlp0s29u1u2";
+ ipAddress = "10.123.145.1";
+ prefixLength = 24;
+ servedAddressRange = "10.123.145.2,10.123.145.150,12h";
+ ssid = "bumbumbum";
+ wifiPassword = lib.fileContents ;
+
+in {
+ # todo only open needed ports
+ networking.firewall.trustedInterfaces = [ wifi ];
+
+ networking.networkmanager.unmanaged = [ wifi ];
+ networking.dhcpcd.denyInterfaces = [ wifi ];
+
+ networking.interfaces."${wifi}".ipv4.addresses = [{
+ address = ipAddress;
+ prefixLength = prefixLength;
+ }];
+
+ # forward traffic coming in trough the access point => provide internet and vpn network access
+ # todo : forward to own servers
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.${wifi}.forwarding" = true;
+ "net.ipv6.conf.${wifi}.forwarding" = true;
+ };
+
+ systemd.services.hostapd = {
+ description = "hostapd wireless AP";
+ path = [ pkgs.hostapd ];
+
+ # start manual
+ # wantedBy = [ "network.target" ];
+
+ after = [
+ "${wifi}-cfg.service"
+ "nat.service"
+ "bind.service"
+ "dhcpd.service"
+ "sys-subsystem-net-devices-${wifi}.device"
+ ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.hostapd}/bin/hostapd ${
+ pkgs.writeText "hostapd.conf" ''
+ interface=${wifi}
+ hw_mode=g
+ channel=10
+ ieee80211d=1
+ country_code=DE
+ ieee80211n=1
+ wmm_enabled=1
+
+ ssid=${ssid}
+ auth_algs=1
+ wpa=2
+ wpa_key_mgmt=WPA-PSK
+ rsn_pairwise=CCMP
+ wpa_passphrase=${wifiPassword}
+ ''
+ }";
+ Restart = "always";
+ };
+ };
+
+ services.dnsmasq = {
+ enable = true;
+ extraConfig = ''
+ # Only listen to routers' LAN NIC. Doing so opens up tcp/udp port 53 to
+ # localhost and udp port 67 to world:
+ interface=${wifi}
+
+ # Explicitly specify the address to listen on
+ listen-address=${ipAddress}
+
+ # Dynamic range of IPs to make available to LAN PC and the lease time.
+ # Ideally set the lease time to 5m only at first to test everything works okay before you set long-lasting records.
+ dhcp-range=${servedAddressRange}
+ '';
+ };
+
+}
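Review bot: `wpa_passphrase=${wifiPassword}` writes the Wi-Fi PSK into the `pkgs.writeText "hostapd.conf"` derivation, i.e. into the world-readable Nix store, and `wifiPassword = lib.fileContents …` on the `let` line reads the secret at evaluation time so it is embedded in the system closure as well; any local account can read it, and it travels with the closure if the system is built or copied from another machine. Keep the secret out of the store: hostapd accepts `wpa_psk_file=<path to a root-only file outside the store>` in place of `wpa_passphrase`, or generate the config at service start from a 0600 file in an `ExecStartPre` script and point `ExecStart` at that runtime path. The `wifiPassword` binding can then be dropped entirely.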
diff --git a/configs/sternchen/wireshark.nix b/configs/sternchen/wireshark.nix
new file mode 100644
index 0000000..f4c1b07
--- /dev/null
+++ b/configs/sternchen/wireshark.nix
@@ -0,0 +1,45 @@
+{ pkgs, config, ... }: {
+
+ users.users.mainUser.extraGroups = [ "wireshark" ];
+ programs.wireshark.enable = true;
+
+ environment.systemPackages = [
+
+ pkgs.wireshark
+
+ # alternative packet analyzer (only works with elasticsearch)
+ pkgs.packetbeat7
+ ];
+
+ # elastic search is good for analysing stuff
+ # https://www.elastic.co/blog/analyzing-network-packets-with-wireshark-elasticsearch-and-kibana
+ services.elasticsearch.enable = true;
+ services.elasticsearch.listenAddress =
+ "${config.networking.hostName}.private";
+ services.kibana.enable = true;
+ services.kibana.elasticsearch.hosts =
+ [ "http://${config.networking.hostName}.private:9200" ];
+ services.kibana.listenAddress = "${config.networking.hostName}.private";
+ services.kibana.port = 5601;
+
+ # using tshark with elastic search
+ # --------------------------------
+ # tshark -r file.pcap -T ek > packages.json
+ # curl -XPOST "sterni.private:9200/packets/doc/_bulk" -H 'Content-Type: application/json' --data-binary "@packets.json"
+
+ services.nginx = {
+ enable = true;
+ statusPage = true;
+ virtualHosts = {
+ "kibana.${config.networking.hostName}.private" = {
+ serverAliases = [ ];
+ locations."/" = {
+ proxyPass = "http://${config.networking.hostName}.private:${
+ toString config.services.kibana.port
+ }";
+ };
+ };
+ };
+ };
+
+}
diff --git a/configs/sterni/tinc.nix b/configs/sterni/tinc.nix
index 7774472..0b0c31f 100644
--- a/configs/sterni/tinc.nix
+++ b/configs/sterni/tinc.nix
@@ -14,7 +14,7 @@ with lib;
 enable = true;
 openPort = true;
 };
- "insecure" = {
+ "secret" = {
 enable = true;
 openPort = true;
 connectTo = [ "sputnik" ];
diff --git a/configs/workhorse/tinc.nix b/configs/workhorse/tinc.nix
index cc96007..ffe59c3 100644
--- a/configs/workhorse/tinc.nix
+++ b/configs/workhorse/tinc.nix
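Review bot: Elasticsearch and Kibana are bound to `${config.networking.hostName}.private` with no authentication configured, and the nginx vhost `kibana.<host>.private` proxies Kibana onto the same network, so every peer on the `private` tinc network can read, alter or delete whatever packet captures get indexed there — data that routinely contains credentials and session material. Bind both services to 127.0.0.1 and reach Kibana over an SSH tunnel, or at minimum put `basicAuthFile` on the vhost and an interface-scoped firewall rule in front of 9200 and 5601 instead of relying on the tinc membership alone. The curl example in the comment block still names `sterni.private:9200`; on this host it should read `sternchen.private:9200`, or be written host-agnostically.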
@@ -10,7 +10,7 @@
 enable = true;
 openPort = true;
 };
- "insecure" = {
+ "secret" = {
 enable = true;
 openPort = true;
 connectTo = [ "sputnik" ];
diff --git a/shell.nix b/shell.nix
index 7323ff3..7f8ff07 100644
--- a/shell.nix
+++ b/shell.nix
@@ -2,7 +2,7 @@ let
 # host used to install stuff. (can be an onion id if you use torify)
 #installHost = "localhost";
- installHost = "adsf.onion";
+ installHost = "mobi.private";
 #ops = import ../plops ;
 ops = import ((import { }).fetchgit {
@@ -132,7 +132,7 @@ let
 hostPattern = name:
 if name == "porani" then
- "${name}.insecure"
+ "${name}.secret"
 else if name == "dummy" then
 "95.217.223.75"
 else
@@ -233,7 +233,7 @@ in pkgs.mkShell {
 buildInputs = with pkgs;
 (servers [ "workhorse" "sputnik" "porani" "dummy" ])
- ++ (desktops [ "pepe" "workout" "sterni" "mobi" ]) ++ [
+ ++ (desktops [ "pepe" "workout" "sterni" "mobi" "sternchen" ]) ++ [
 (pkgs.writers.writeBashBin "reformat" ''
 find ${
 toString ./.
diff --git a/system/all/sshd-known-hosts-private.nix b/system/all/sshd-known-hosts-private.nix
index 2f400c0..86cffe6 100644
--- a/system/all/sshd-known-hosts-private.nix
+++ b/system/all/sshd-known-hosts-private.nix
@@ -5,9 +5,9 @@
 "sterni.private" = {
 hostNames = [
 "sterni.private"
- "sterni.insecure"
+ "sterni.secret"
 config.module.cluster.services.tinc.private.hosts.sterni.tincIp
- config.module.cluster.services.tinc.insecure.hosts.sterni.tincIp
+ config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
 ];
 publicKey =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyHmHJy2Va45p9mn+Hj3DyaY5yxnQIKvXeACHjzgSKt";
@@ -24,9 +24,9 @@
 "sputnik.private" = {
 hostNames = [
 "sputnik.private"
- "sputnik.insecure"
+ "sputnik.secret"
 config.module.cluster.services.tinc.private.hosts.sputnik.tincIp
- config.module.cluster.services.tinc.insecure.hosts.sputnik.tincIp
+ config.module.cluster.services.tinc.secret.hosts.sputnik.tincIp
 ];
 publicKey =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTLXDTqUtl0BQgzH1O7CRulGCRN1P4KU8imL/wjYFh8";
@@ -34,17 +34,17 @@
 "workhorse.private" = {
 hostNames = [
 "workhorse.private"
- "workhorse.insecure"
+ "workhorse.secret"
 config.module.cluster.services.tinc.private.hosts.workhorse.tincIp
- config.module.cluster.services.tinc.insecure.hosts.workhorse.tincIp
+ config.module.cluster.services.tinc.secret.hosts.workhorse.tincIp
 ];
 publicKey =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDaK0Vv33TuGQa/B5p54sGilgpYvfKkBaBGlEBpIk1QB";
 };
- "porani.insecure" = {
+ "porani.secret" = {
 hostNames = [
- "porani.insecure"
- config.module.cluster.services.tinc.insecure.hosts.porani.tincIp
+ "porani.secret"
+ config.module.cluster.services.tinc.secret.hosts.porani.tincIp
 ];
 publicKey =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKNtRWVrqADgAMtTSWgnpp8gRKUtn4QUMFzQ78fC+aK";
diff --git a/system/all/syncthing.nix b/system/all/syncthing.nix
index 737f002..0d3c78c 100644
--- a/system/all/syncthing.nix
+++ b/system/all/syncthing.nix
@@ -27,7 +27,7 @@ with lib; {
 id = "6YOIA4E-X52ZD5Z-FPNWPRS-77QIMMU-VDIXVZB-6BPQN7A-FFJDU4W-EXEGFAI";
 addresses =
- [ "tcp://porani.insecure:22000" "tcp://porani.insecure:21027" ];
+ [ "tcp://porani.secret:22000" "tcp://porani.secret:21027" ];
 };
 } // {
 smartphone = {
diff --git a/system/all/tinc.nix b/system/all/tinc.nix
index 63c9fa2..4079662 100644
--- a/system/all/tinc.nix
+++ b/system/all/tinc.nix
@@ -44,7 +44,7 @@ in {
 };
 };
 # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
- "insecure" = {
+ "secret" = {
 networkSubnet = "10.123.42.0/24";
 port = 721;
 extraConfig = ''
@@ -54,6 +54,11 @@ in {
 privateEd25519KeyFile = toString ;
 privateRsaKeyFile = toString ;
 hosts = {
+ sternchen = {
+ tincIp = "10.123.42.25";
+ # publicKey = lib.fileContents ;
+ publicKey = lib.fileContents ;
+ };
 sterni = {
 tincIp = "10.123.42.24";
 # publicKey = lib.fileContents ;
diff --git a/system/desktop/home-manager/ssh.nix b/system/desktop/home-manager/ssh.nix
index 089e208..46c8be8 100644
--- a/system/desktop/home-manager/ssh.nix
+++ b/system/desktop/home-manager/ssh.nix
@@ -15,7 +15,7 @@ with lib; {
 identitiesOnly = true;
 user = "root";
 };
- "*.insecure" = {
+ "*.secret" = {
 identityFile = "~/.ssh/card_rsa.pub";
 identitiesOnly = true;
 user = "root";
diff --git a/system/desktop/user.nix b/system/desktop/user.nix
index 4f35006..908ac1a 100644
--- a/system/desktop/user.nix
+++ b/system/desktop/user.nix
@@ -3,7 +3,7 @@
 system.custom.mainUser = {
 enable = true;
- userName = "palo";
+ userName = lib.mkDefault "palo";
 authorizedKeyFiles = config.users.users.root.openssh.authorizedKeys.keyFiles;
 };