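# Shared NixOS module for every host in this flake: management/hardware SSH
# keys (exposed as options.myconf), sops secret wiring, system trust-store
# tweaks, a hardened kernel by default, and a baseline SSH client/server
# configuration.
{
  config,
  lib,
  options,
  pkgs,
  xinlib,
  isUnstable,
  ...
}: let
  # `todo` comes from the flake's own helper library; presumably it traces
  # the message and yields its second argument -- see xinlib before relying
  # on other behaviour.
  inherit (xinlib) todo;

  # SSH user-CA public key(s). Written to /etc/ssh/ca.pub below and handed to
  # sshd as TrustedUserCAKeys, so any user certificate signed by this CA is
  # accepted on every host importing this module. The CA private key is
  # therefore the root of trust for interactive access to the fleet.
  caPubKeys = builtins.concatStringsSep "\n" [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5xMSYMwu6rjjLe2UYs1YGCIBVs35E9db2qAjNltCVPG5UoctxCDXxIz0PMOJrBbfqZzP/6qPU1WAhdGNTZ5eXq/ftnhI+2xFfMg1uzpXZ9vjy8lUCfXIObtoEdZ9h/7OUCN/BnL0ySqsamkcUo8SAj6wXoNCdwk6oncfyTmhPnoW5tCWCS9p7Q/LuWpYGsvW5nFDSxteP7re6SUe10eftIkFAPNhKA2lsrvzMgjxhnXqwIr1qJeY0otcuYA4V5V09FmElbnOWVuy4Pt8SqV4N9ykkAUXZN1Pi7Q4JnCUifRJVWpKHLoJe0mqwMDJbGtt2Akn3EwiGhyaVjq2FFgBKAb7w8UAE8gob8n4+DOx4TQAXlmWviYij2Xh6CvepbamxlJMvVdWgqk53+u4e+/oOQQ9QTmQvAuecg9dSO3m7+hNHEf+0TXjuTNlk9KHRg4s7ZAI+2Stfo1tBrvEeE2fAF//Mw7zaLPKmEbMiXdbDs816gvYtG6Y36fTGyzhowDQAMNm+zbg8YPz7xFukLdSCPt7RcpPnP1iJs/hGBnog5UaG/Cm4ftkm9zKvOaQKIoA/GQ3yQSyltczA+2h5fur6VQQGrQeVhAcXm9a6GaLPWxgvJX/og76CHps0rYzFM3QBlsiJ+Z0sstk5TtBex9nTjwRZ1U9+4DQes2TB4/uxnQ== SUAH CA"
  ];

  # Emergency-access key. It is part of the managementPubKeys default, so it
  # is authorised wherever that option is consumed; keep its private half
  # offline.
  breakGlassKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6CO4aa8ymIgPgHRMwVLPnkUXwFQRKJa66R3wGXrAS0 BreakGlass";

  # Day-to-day deployment/management key.
  managementKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDM2k2C6Ufx5RNf4qWA9BdQHJfAkskOaqEWf8yjpySwH Nix Manager";

  # Key used only to run xin-status: forced command, no forwarding, no pty.
  # OpenSSH's single `restrict` option would express the same set plus
  # no-user-rc and any restriction added in future releases.
  statusKey = ''
    command="/run/current-system/sw/bin/xin-status",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9PIhQ+yWfBM2tEG+W8W8HXJXqISXif8BcPZHakKvLM xin-status
  '';

  # Local package overrides built from this repository.
  gosignify = pkgs.callPackage ./pkgs/gosignify.nix {inherit isUnstable;};
  myOpenSSH = pkgs.callPackage ./pkgs/openssh {};
in {
  imports = [
    ./configs
    ./dbuild
    ./gui
    ./modules
    ./overlays
    ./pkgs
    ./services
    ./system/nix-config.nix
    ./system/nix-lockdown.nix
    ./system/update.nix
    ./users

    ./monitoring

    ./bins
  ];

  # Key material other modules (e.g. ./users) can consume. Both options are
  # plain string lists so hosts can extend or override them.
  options.myconf = {
    managementPubKeys = lib.mkOption rec {
      type = lib.types.listOf lib.types.str;
      default = [managementKey statusKey breakGlassKey];
      example = default;
      description = "List of management public keys to use";
    };

    # FIDO (sk-*) and ECDSA keys belonging to hardware tokens.
    hwPubKeys = lib.mkOption rec {
      type = lib.types.listOf lib.types.str;
      default = [
        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1cBO17AFcS2NtIT+rIxR2Fhdu3HD4de4+IsFyKKuGQAAAACnNzaDpsZXNzZXI="
        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDEKElNAm/BhLnk4Tlo00eHN5bO131daqt2DIeikw0b2AAAABHNzaDo="
        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0="
        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHrYWbbgBkGcOntDqdMaWVZ9xn+dHM+Ap6s1HSAalL28AAAACHNzaDptYWlu"
        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOyQpDBHjHb3tWnPO6QAjh6KzWYqpabzfjpuwfEUzmUiHpPiU+f4ejNgRFDf9p84SQDz3EXxUMsW/kJ1crAkwOg= surf"
      ];
      example = default;
      description = "List of hardware public keys to use";
    };
  };

  config = {
    # sops-nix derives its age identity from the host's ed25519 host key, so
    # whoever holds that key can decrypt every secret below.
    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];

    sops.secrets = {
      xin_secrets_deploy_key = {
        sopsFile = config.xin-secrets.deploy;
        owner = "root";
        group = "wheel";
        # Owner-read only; the wheel group ownership does not grant read.
        mode = "400";
      };
    };

    # Distrusted public CAs removed from the system bundle.
    security.pki.caCertificateBlacklist = ["TrustCor ECA-1" "TrustCor RootCert CA-1" "TrustCor RootCert CA-2"];

    # Private CA added to the system trust store; every TLS client on the
    # host will accept certificates it issues, so treat its key like any
    # other root of trust.
    security.pki.certificates = [
      ''
        -----BEGIN CERTIFICATE-----
        MIIBrjCCAVOgAwIBAgIIKUKZ6zcNut8wCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMM
        Qm9sZDo6RGFlbW9uMCAXDTIyMDEyOTAxMDMxOVoYDzIxMjIwMTI5MDEwMzE5WjAX
        MRUwEwYDVQQDEwxCb2xkOjpEYWVtb24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
        AARYgIn1RWf059Hb964JEaiU3G248k2ZpBHtrACMmLRRO9reKr/prEJ2ltKrjCaX
        +98ButRNIn78U8pL+H+aeE0Zo4GGMIGDMA4GA1UdDwEB/wQEAwIChDAdBgNVHSUE
        FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
        HQ4EFgQUiUdCcaNy3E2bFzO9I76TPlMJ4w4wHwYDVR0jBBgwFoAUiUdCcaNy3E2b
        FzO9I76TPlMJ4w4wCgYIKoZIzj0EAwIDSQAwRgIhAOd6ejqevrYAH5JtDdy2Mh9M
        OTIx9nDZd+AOAg0wzlzfAiEAvG5taCm14H+qdWbEZVn+vqj6ChtxjH7fqOHv3Xla
        HWw=
        -----END CERTIFICATE-----
      ''
    ];

    i18n.defaultLocale = "en_US.utf8";

    # Login banner. NOTE(review): the artwork's leading whitespace did not
    # survive the rendering this was reviewed from; check the alignment
    # against the upstream file.
    users.motd = ''

      .-
      : := .
      :: .= -- + -: --
      +. =. =- -- := =: .=:
      := -=-: =. -: =: .=: -=. :-.
      .: -: +.=--: -.:-. :-: :-: :=:
      :=: :. .-: -- ==-.:-- ==-::: ::. :=- .
      =-.-- -+:----+=.-=::-==.---.:: :-: .--.
      .. : :-:-=::-:*=-:=-=-.:--:-.:=--=++*+- .:-:.
      .--. .=: :.=:-+=-:-+=:-=-=-.:--=--==++=====++:...:::.
      .-===:. --.-*++::----=+-:-=-:-----=+**++**++===+:::...
      .==-::=-:::. ==-=++-:-=-:::=--=-:===+##%*-...-***+==+:::..
      .==-:----++-:-::-=::=+--+=-:-==-:::::#@%@+ ***+-+#: ...
      ======----=**+::===:.-=-:==::::::::::*@%% =%**+==+*-..
      :-:::--=---:=+===-:--..-=-.:::::::::::=@%% =@#**+===
      :::--::----=-:::=+-::::=-::::::::::::::*@@+ :%%%%#***+..
      :::::------#=-:-=-===-::::::::::::::::::=*%*-..:+%%%%@%=. :
      :-----------:::==----=----:::::::::::::::::------:---=+**+=+.
      .=+========+==--::::::::::::::::::::::::::-=-:::::::::::==#:
      :-:--====*=::----::::::::::::::::::::::-:.=-::::::::::::+.
      :+=----:.:::---:::::::::::::::::::::::-::-------------=+
      .::::......:-=+=--::::----::::::::::::::::--::::::::::::::-::.
      .::. .+--===++=-::::::::::::::::::::::::::::::::. .-=.
      .::-=+**++=-----:::::=-::::::::::::::::::::::::::.
      .::--::. .---------=----=-:::::::::::::::::::::--.
      . -:-------------:::::::::::::::::::::--
      .=:::---------:::::::::::::::....:--.
      :=-:::::---===::::...........::::
      -========-:::::::::::::::::.
      .....

    '';

    boot = {
      # Keep boot entries bounded so /boot does not fill up.
      loader = {systemd-boot.configurationLimit = 15;};

      # Hardened kernel by default; hosts may override (mkDefault).
      kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;

      kernel.sysctl = {
        # Start TCP keepalive probes after 60s idle. This key lives under
        # net.ipv4 and governs IPv6 TCP sockets as well; there is no
        # net.ipv6.tcp_keepalive_time (the former entry could never apply).
        "net.ipv4.tcp_keepalive_time" = 60;
      };

      tmp.cleanOnBoot = true;
    };

    nix = {
      # CI hosts build everything themselves; all other hosts use the private
      # tailnet binary cache, which is trusted only via its signing key below.
      settings =
        if config.xinCI.enable
        then {}
        else {
          substituters = ["https://nix-binary-cache.humpback-trout.ts.net/"];
          trusted-public-keys = [
            "nix-binary-cache.humpback-trout.ts.net:e9fJhcRtNVp6miW2pffFyK/gZ2et4y6IDigBNrEsAa0="
          ];
        };
    };

    environment.systemPackages = with pkgs;
      [
        age
        apg
        bind
        btop
        direnv
        git-bug
        git-sync
        gosignify
        got
        jq
        lz4
        minisign
        mosh
        nb
        nix-diff
        nix-index
        nix-top
        pass
        ripgrep
        taskwarrior
        tmux
      ]
      # The nil language server is only packaged for unstable channels.
      ++ (
        if isUnstable
        then [nil]
        else []
      );

    environment.interactiveShellInit = ''
      alias vi=nvim
    '';

    time.timeZone = "US/Mountain";

    documentation.man.enable = true;

    # Pin the upstream NixOS default pool explicitly.
    networking.timeServers = options.networking.timeServers.default;

    programs = {
      zsh.enable = true;

      gnupg.agent.enable = true;

      ssh = {
        # Client/server binaries come from the repository's own OpenSSH
        # package rather than nixpkgs.
        package = myOpenSSH.openssh;

        # Only the opensc PKCS#11 provider may be loaded into ssh-agent.
        agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";

        # Pinned host keys for non-standard-port services; these never
        # prompt on first connection.
        knownHosts = {
          "[namish.humpback-trout.ts.net]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
          "[git.tapenet.org]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkbSJWeWJyJjak/boaMTqzPVq91wfJz1P+I4rnBUsPW";
        };
        knownHostsFiles = [./configs/ssh_known_hosts];

        startAgent = true;
        agentTimeout = "100m";

        extraConfig = ''
          Host *
            controlmaster auto
            controlpath /tmp/ssh-%r@%h:%p

            VerifyHostKeyDNS yes
            AddKeysToAgent confirm 90m
            CanonicalizeHostname always
        '';
        # controlpath: ssh_config(5) recommends a directory not writable by
        # other users and a %C hash in the name; /tmp is world-writable, so
        # another local user can pre-create the predictable socket path and
        # at minimum deny multiplexing. `~/.ssh/control-%C` is the usual fix.
        # VerifyHostKeyDNS: SSHFP records are only trusted implicitly when
        # the resolver validates DNSSEC; otherwise ssh falls back to asking.
        # AddKeysToAgent confirm 90m: each agent use requires confirmation and
        # keys expire after 90 minutes.
      };
    };

    # Publish the user CA so sshd (TrustedUserCAKeys below) can read it.
    environment.etc."ssh/ca.pub" = {text = caPubKeys;};

    services.logrotate.checkConfig =
      todo "logrotate disabled: https://github.com/NixOS/nix/issues/8502" false;

    services = {
      openssh = {
        enable = true;

        # Certificates signed by the CA are accepted for any user named in the
        # certificate's principals (no AuthorizedPrincipalsFile is set), which
        # includes root under the PermitRootLogin policy below.
        extraConfig = ''
          TrustedUserCAKeys = /etc/ssh/ca.pub
        '';

        settings = {
          PermitRootLogin = "prohibit-password";
          PasswordAuthentication = false;
          # Both names are aliases for the same curve25519 exchange. Adding
          # sntrup761x25519-sha512@openssh.com (OpenSSH 9.0+) would enable the
          # post-quantum hybrid if myOpenSSH is recent enough -- confirm.
          KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org"];
          # Encrypt-then-MAC only.
          Macs = [
            "hmac-sha2-512-etm@openssh.com"
            "hmac-sha2-256-etm@openssh.com"
            "umac-128-etm@openssh.com"
          ];
        };
      };
    };
  };
}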