adjustments

This commit is contained in:
Ingolf Wagner 2023-05-28 21:24:20 +02:00
parent a267afe6ef
commit 9413ff053f
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
5 changed files with 160 additions and 164 deletions


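--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,6 +1,5 @@
 {
 networking.extraHosts = ''
-192.168.0.24 scanner
 144.76.13.147 robi
 '';
 }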


@ -1,11 +1,9 @@
{ pkgs, config, lib, ... }: { pkgs, config, lib, ... }:
with lib; with lib;
with types; with types;
let let
cfg = config.components.network.sshd;
defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ]; defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
cfg = config.components.network.sshd;
in in
{ {
@ -19,18 +17,12 @@ in
enable = mkOption { enable = mkOption {
type = bool; type = bool;
default = true; default = true;
description = "add ssh tools";
}; };
rootKeyFiles = mkOption { rootKeyFiles = mkOption {
type = with types; listOf path; type = with types; listOf path;
default = [ ]; default = [ ];
description = "keys to root login"; description = "keys to root login";
}; };
tools.enable = mkOption {
type = bool;
default = true;
description = "add ssh tools";
};
onlyTincAccess = mkOption { onlyTincAccess = mkOption {
type = bool; type = bool;
default = false; default = false;
@ -42,12 +34,10 @@ in
config = mkMerge [ config = mkMerge [
(mkIf cfg.tools.enable {
environment.systemPackages = [ pkgs.sshfs ];
})
(mkIf cfg.enable { (mkIf cfg.enable {
environment.systemPackages = [ pkgs.sshfs ];
services.openssh = { services.openssh = {
enable = true; enable = true;
forwardX11 = false; forwardX11 = false;
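Review bot: Removing the `tools.enable` option (the five-line `tools.enable = mkOption { … }` block and the `mkIf cfg.tools.enable` branch in the last hunk) turns any host configuration that still sets `components.network.sshd.tools.enable` into an evaluation error rather than a no-op, and the commit adds nothing to handle that. A line such as `imports = [ (mkRemovedOptionModule [ "components" "network" "sshd" "tools" "enable" ] "sshfs is now installed whenever sshd.enable is true") ];` would make old configs fail with a clear message instead of an unknown-option error. In the second hunk the `enable` option appears to lose its only `description` (the single-sided line `description = "add ssh tools";` is on the removed side by the hunk counts), leaving it undocumented; something like `description = "enable the OpenSSH daemon and install sshfs";` would restore that, if the rendering is read correctly. The module's `options` and `config` attribute sets both start and end outside these hunks.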


@ -18,50 +18,53 @@ let
in in
{ {
services.openssh.knownHosts = { config = mkIf (config.components.network.sshd.enable) {
"robi-init-ssh" = {
hostNames = [
"[robi]:2222"
"[144.76.13.147]:2222"
];
# SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKQ7XB6Cs9FJmHkuZ9ihbj76WsK0uJBh882ceyKaaKJ";
};
} // (mapAttrs'
(name:
{ onionId, publicKey, ... }: {
name = "${name}-init-ssh";
value = {
hostNames = [ "[${onionId}]:2222" ];
inherit publicKey;
};
})
computers);
environment.systemPackages = services.openssh.knownHosts = {
let "robi-init-ssh" = {
hostNames = [
"[robi]:2222"
"[144.76.13.147]:2222"
];
# SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKQ7XB6Cs9FJmHkuZ9ihbj76WsK0uJBh882ceyKaaKJ";
};
} // (mapAttrs'
(name:
{ onionId, publicKey, ... }: {
name = "${name}-init-ssh";
value = {
hostNames = [ "[${onionId}]:2222" ];
inherit publicKey;
};
})
computers);
sshTor = mapAttrsToList environment.systemPackages =
(name: let
{ onionId, ... }:
pkgs.writers.writeDashBin "ssh-boot-to-${name}-via-tor" ''
${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
'')
computers;
passwordTor = mapAttrsToList sshTor = mapAttrsToList
(name: (name:
{ onionId, ... }: { onionId, ... }:
pkgs.writers.writeDashBin "unlock-boot-${name}-via-tor" '' pkgs.writers.writeDashBin "ssh-boot-to-${name}-via-tor" ''
${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 ' ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
echo -n "enter password : " '')
read password computers;
echo "$password" > /crypt-ramfs/passphrase
'
'')
computers;
in passwordTor = mapAttrsToList
sshTor ++ passwordTor; (name:
{ onionId, ... }:
pkgs.writers.writeDashBin "unlock-boot-${name}-via-tor" ''
${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 '
echo -n "enter password : "
read password
echo "$password" > /crypt-ramfs/passphrase
'
'')
computers;
in
sshTor ++ passwordTor;
};
} }
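Review bot: Wrapping `services.openssh.knownHosts` in `mkIf (config.components.network.sshd.enable)` ties client-side host-key pins to whether the server is enabled, so a host with sshd disabled loses the pinned `robi-init-ssh` key and every onion entry and falls back to trust-on-first-use for exactly those hosts; the same gating is added to the two following file sections (the `robi` pin and the github/gitlab/c-base list). If the intent is only to skip the helper scripts, gate `environment.systemPackages` alone and leave `knownHosts` unconditional, or key the pins on a separate client-side option. Separately, the `unlock-boot-*-via-tor` helper (reindented here, logic unchanged) reads the boot-unlock passphrase with a bare `read password`, which echoes it to the terminal and scrollback; where the initrd shell provides `stty`, `stty -echo; read password; stty echo; echo` keeps it off screen. The enclosing `let` (line 18 per the hunk header) starts outside the hunk.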


@ -1,25 +1,29 @@
{ config, lib, ... }: { { config, lib, ... }:
with lib;
{
config = mkIf (config.components.network.sshd.enable) {
services.openssh.knownHosts = { services.openssh.knownHosts = {
#"robi_init" = { #"robi_init" = {
# hostNames = [ # hostNames = [
# "robi:2222" # "robi:2222"
# "144.76.13.147:2222" # "144.76.13.147:2222"
# ]; # ];
# fingerprints # fingerprints
# 256 SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g root@rescue (ED25519) # 256 SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g root@rescue (ED25519)
# 3072 SHA256:KBVMQLNWaDpzlCZERN9OeEDFAhUoADOZRfenXWHxswU root@rescue (RSA) # 3072 SHA256:KBVMQLNWaDpzlCZERN9OeEDFAhUoADOZRfenXWHxswU root@rescue (RSA)
# publicKey = ""; # publicKey = "";
#}; #};
"robi" = { "robi" = {
hostNames = [ hostNames = [
"robi.private" "robi.private"
"robi" "robi"
"144.76.13.147" "144.76.13.147"
"git.ingolf-wagner.de" "git.ingolf-wagner.de"
"taskd.ingolf-wagner.de" "taskd.ingolf-wagner.de"
]; ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
};
}; };
}; };
} }
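Review bot: The commented-out `robi_init` block kept at the top of `knownHosts` (with `publicKey = ""` and two fingerprints) duplicates the live `robi-init-ssh` entry in the previous file section, which pins the same `SHA256:rhvbJ84c…` ED25519 key on port 2222; now that the file is being restructured, dropping the dead block avoids two diverging records of that key. The added `with lib;` is used only for `mkIf`; writing `config = lib.mkIf (config.components.network.sshd.enable) {` avoids pulling all of `lib` into scope for one call, using the `lib` argument the file already takes.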


@ -1,94 +1,94 @@
{ config, pkgs, lib, ... }: { pkgs, config, lib, ... }:
with lib; with lib;
{ {
config = mkIf (config.components.network.sshd.enable) {
services.openssh.knownHosts = { services.openssh.knownHosts = {
github = { github = {
hostNames = [ hostNames = [
"*.github.com" "*.github.com"
# List generated with # List generated with
# curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob
"192.30.252.*" "192.30.252.*"
"192.30.253.*" "192.30.253.*"
"192.30.254.*" "192.30.254.*"
"192.30.255.*" "192.30.255.*"
"185.199.108.*" "185.199.108.*"
"185.199.109.*" "185.199.109.*"
"185.199.110.*" "185.199.110.*"
"185.199.111.*" "185.199.111.*"
"13.229.188.59" "13.229.188.59"
"13.250.177.223" "13.250.177.223"
"18.194.104.89" "18.194.104.89"
"18.195.85.27" "18.195.85.27"
"35.159.8.160" "35.159.8.160"
"52.74.223.119" "52.74.223.119"
]; ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
}; };
gitlab = { gitlab = {
hostNames = [ "gitlab.com" ]; hostNames = [ "gitlab.com" ];
publicKey = publicKey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY="; "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=";
}; };
gitlab-bk = { gitlab-bk = {
hostNames = [ "gitlab.bk-bund-berlin.de" "116.203.133.59" ]; hostNames = [ "gitlab.bk-bund-berlin.de" "116.203.133.59" ];
publicKey = publicKey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCG/sjnOlbrmpUliFtM5fmZTcm2wpUoP5OQEzFrrkkwhstCO9fMty9mp5qnKlezYA9+l78RTd218qFjSKYxTQNw="; "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCG/sjnOlbrmpUliFtM5fmZTcm2wpUoP5OQEzFrrkkwhstCO9fMty9mp5qnKlezYA9+l78RTd218qFjSKYxTQNw=";
}; };
# space-left # space-left
gitlabSpaceLeft = { gitlabSpaceLeft = {
hostNames = [ "git.space-left.org" ]; hostNames = [ "git.space-left.org" ];
publicKey = publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAapztj8I3xy6Ea8A1q7Mo5C6zdgsK1bguAXcKUDCRBO"; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAapztj8I3xy6Ea8A1q7Mo5C6zdgsK1bguAXcKUDCRBO";
}; };
# c-base # c-base
"bnd-cbase" = { "bnd-cbase" = {
hostNames = [ "bnd.cbrp3.c-base.org" ]; hostNames = [ "bnd.cbrp3.c-base.org" ];
publicKey = publicKey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKDknNl4M2WZChp1N/eRIpem2AEOceGIqvjo0ptBuwxUn0w0B8MGTVqoI+pnUVypORJRoNrLPOAkmEVr32BDN3E="; "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKDknNl4M2WZChp1N/eRIpem2AEOceGIqvjo0ptBuwxUn0w0B8MGTVqoI+pnUVypORJRoNrLPOAkmEVr32BDN3E=";
}; };
"shell.cbase" = { "shell.cbase" = {
hostNames = [ "shell.c-base.org" ]; hostNames = [ "shell.c-base.org" ];
publicKey = publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBKBn0mZtG3KWxpFqqcog8zvdIVrZmwj+ARujuNIAfo"; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBKBn0mZtG3KWxpFqqcog8zvdIVrZmwj+ARujuNIAfo";
}; };
"kgb.cbase" = { "kgb.cbase" = {
hostNames = [ "kgb.cbrp3.c-base.org" ]; hostNames = [ "kgb.cbrp3.c-base.org" ];
publicKey = publicKey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAdyl7fnnCqomghJ1TDbh5FWFQWFwoO1Y1U/FpmWd8a9RcQvN0Izhg/7A+7ptDxbmpVii8hqfghlqUwtvVy7jo8="; "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAdyl7fnnCqomghJ1TDbh5FWFQWFwoO1Y1U/FpmWd8a9RcQvN0Izhg/7A+7ptDxbmpVii8hqfghlqUwtvVy7jo8=";
}; };
"cns.cbase" = { "cns.cbase" = {
hostNames = [ "cns.c-base.org" ]; hostNames = [ "cns.c-base.org" ];
publicKey = publicKey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOtlyLA2nMK9Uqpv4EbWS+rZ9Mx4bAjURmH+zrXkuRGBcU1cKm+TZfWe9/rPX57KaMPBDyIygOJIsM2T5SqX90A="; "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOtlyLA2nMK9Uqpv4EbWS+rZ9Mx4bAjURmH+zrXkuRGBcU1cKm+TZfWe9/rPX57KaMPBDyIygOJIsM2T5SqX90A=";
}; };
"lassulus" = { "lassulus" = {
hostNames = [ "[lassul.us]:45621" ]; hostNames = [ "[lassul.us]:45621" ];
publicKey = publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
}; };
renoise = { renoise = {
hostNames = [ "*.renoise.com" "renoise.com" "94.130.128.97" ]; hostNames = [ "*.renoise.com" "renoise.com" "94.130.128.97" ];
publicKey = publicKey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLXxhBlYQJxgcLqKywpl1tI1N/+B5bkptAnR2a3tsRybq0IHZnIkSRGUYcu5zPwJT+bitVw8BvIaGzxI+Zm2ivE="; "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLXxhBlYQJxgcLqKywpl1tI1N/+B5bkptAnR2a3tsRybq0IHZnIkSRGUYcu5zPwJT+bitVw8BvIaGzxI+Zm2ivE=";
}; };
git-renoise = { git-renoise = {
hostNames = [ "[git.renoise.com]:2229" "[94.130.128.97]:2229" ]; hostNames = [ "[git.renoise.com]:2229" "[94.130.128.97]:2229" ];
publicKey = publicKey =
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmIOTjQsD1TaD9MiECcRqwfAXfRdbI+2pkuF+zhBUkrX41NA4LzifPY4Iw3PlklE0YGIOzYyNitzkdgxIWkeqa0Y9iL3gGZBuLFORj5YXWlDKB2RrPAsZRL8y69y4H6RWPpL6DHHsf9eT+HgRzWzzn5nUFLfkCsuM96BqjIKN1pinIBcE6gst1UUSwSTjK8XZA5d4BiSrLF4HiNXnDm+qniYGbGkzZcjn1ua+l0GdGbfg9TotFnSK/QXgN3MeHHDZKnIjOIkOXCY+L5URe0RHo6pBFdj+BLr211AJhB52MrDNudQcY6eSQiJ08LeE6SkcrsQO/VZ/JnOkHxHd2mOyH"; "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmIOTjQsD1TaD9MiECcRqwfAXfRdbI+2pkuF+zhBUkrX41NA4LzifPY4Iw3PlklE0YGIOzYyNitzkdgxIWkeqa0Y9iL3gGZBuLFORj5YXWlDKB2RrPAsZRL8y69y4H6RWPpL6DHHsf9eT+HgRzWzzn5nUFLfkCsuM96BqjIKN1pinIBcE6gst1UUSwSTjK8XZA5d4BiSrLF4HiNXnDm+qniYGbGkzZcjn1ua+l0GdGbfg9TotFnSK/QXgN3MeHHDZKnIjOIkOXCY+L5URe0RHo6pBFdj+BLr211AJhB52MrDNudQcY6eSQiJ08LeE6SkcrsQO/VZ/JnOkHxHd2mOyH";
}; };
"siteground" = { "siteground" = {
hostNames = [ "[es5.siteground.eu]:18765" "[37.60.224.6]:18765" ]; hostNames = [ "[es5.siteground.eu]:18765" "[37.60.224.6]:18765" ];
publicKey = publicKey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHZuvHooyHa69rU+SfOghM6yfc7bce5cMi9sh5JkoLPi+m8QEkX3oiG9rRpAhp0GYnB74M4l1+0XlxmG7/HVmq0="; "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHZuvHooyHa69rU+SfOghM6yfc7bce5cMi9sh5JkoLPi+m8QEkX3oiG9rRpAhp0GYnB74M4l1+0XlxmG7/HVmq0=";
}; };
"cracksucht.de" = { "cracksucht.de" = {
hostNames = [ "cracksucht.de" ]; hostNames = [ "cracksucht.de" ];
publicKey = publicKey =
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVqpWzX+C7veO/1MDSdh5ukFhpI4cfXevbl6DVb9gVt1wdYB0JsiMiWfl13MZJy9iEP/KfwRLYmu8i36tDR9uJfHQyLK8G7q2DhrleIPgM3dFCdDU1QtulE8hEq/ZsqzMn/QIHYIipIqzNfmC/xnpX2gIo09T7EY+n863ALlj+GqxMb4nr2XDLY+Lllo2yMzylJIz9q8U5hOmzrlCnBpf2MPMwanHXnZXj2CmO80VyBHnAMJ/h72AN1qzDaHFlhxh0Li/POc1bpDjiVjiUPgimHZWpi3VObxWLLn2zf+RH2lx0yXMccSEnkWvHp+Ll5apIUUS+vTlDo3niWpEfGZLl root@debian"; "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVqpWzX+C7veO/1MDSdh5ukFhpI4cfXevbl6DVb9gVt1wdYB0JsiMiWfl13MZJy9iEP/KfwRLYmu8i36tDR9uJfHQyLK8G7q2DhrleIPgM3dFCdDU1QtulE8hEq/ZsqzMn/QIHYIipIqzNfmC/xnpX2gIo09T7EY+n863ALlj+GqxMb4nr2XDLY+Lllo2yMzylJIz9q8U5hOmzrlCnBpf2MPMwanHXnZXj2CmO80VyBHnAMJ/h72AN1qzDaHFlhxh0Li/POc1bpDjiVjiUPgimHZWpi3VObxWLLn2zf+RH2lx0yXMccSEnkWvHp+Ll5apIUUS+vTlDo3niWpEfGZLl root@debian";
};
}; };
}; };
} }
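Review bot: The argument set is reordered to `{ pkgs, config, lib, ... }:` but `pkgs` appears unused anywhere in the visible lines of this file, so the reorder only keeps an unused binding; `{ config, lib, ... }:` would be enough unless a line outside the visible span needs it. The github entry's IP globs are described as generated from `api.github.com/meta`, but the comment carries no date and that list changes over time; `# List generated YYYY-MM-DD with` (with the real date) tells the next reader when to regenerate and re-verify the pinned key. `with lib;` is again used for a single `mkIf`; `lib.mkIf` would do.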