xin/default.nix

240 lines
8.8 KiB
Nix
Raw Normal View History

2023-07-11 09:12:50 -06:00
{
config,
lib,
options,
pkgs,
xinlib,
isUnstable,
...
}: let
inherit (xinlib) todo;
2023-02-22 05:27:13 -07:00
caPubKeys = builtins.concatStringsSep "\n" [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5xMSYMwu6rjjLe2UYs1YGCIBVs35E9db2qAjNltCVPG5UoctxCDXxIz0PMOJrBbfqZzP/6qPU1WAhdGNTZ5eXq/ftnhI+2xFfMg1uzpXZ9vjy8lUCfXIObtoEdZ9h/7OUCN/BnL0ySqsamkcUo8SAj6wXoNCdwk6oncfyTmhPnoW5tCWCS9p7Q/LuWpYGsvW5nFDSxteP7re6SUe10eftIkFAPNhKA2lsrvzMgjxhnXqwIr1qJeY0otcuYA4V5V09FmElbnOWVuy4Pt8SqV4N9ykkAUXZN1Pi7Q4JnCUifRJVWpKHLoJe0mqwMDJbGtt2Akn3EwiGhyaVjq2FFgBKAb7w8UAE8gob8n4+DOx4TQAXlmWviYij2Xh6CvepbamxlJMvVdWgqk53+u4e+/oOQQ9QTmQvAuecg9dSO3m7+hNHEf+0TXjuTNlk9KHRg4s7ZAI+2Stfo1tBrvEeE2fAF//Mw7zaLPKmEbMiXdbDs816gvYtG6Y36fTGyzhowDQAMNm+zbg8YPz7xFukLdSCPt7RcpPnP1iJs/hGBnog5UaG/Cm4ftkm9zKvOaQKIoA/GQ3yQSyltczA+2h5fur6VQQGrQeVhAcXm9a6GaLPWxgvJX/og76CHps0rYzFM3QBlsiJ+Z0sstk5TtBex9nTjwRZ1U9+4DQes2TB4/uxnQ== SUAH CA"
];
2023-07-11 09:12:50 -06:00
breakGlassKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6CO4aa8ymIgPgHRMwVLPnkUXwFQRKJa66R3wGXrAS0 BreakGlass";
managementKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDM2k2C6Ufx5RNf4qWA9BdQHJfAkskOaqEWf8yjpySwH Nix Manager";
statusKey = ''
command="/run/current-system/sw/bin/xin-status",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9PIhQ+yWfBM2tEG+W8W8HXJXqISXif8BcPZHakKvLM xin-status
'';
2023-07-11 09:12:50 -06:00
gosignify = pkgs.callPackage ./pkgs/gosignify.nix {inherit isUnstable;};
myOpenSSH = pkgs.callPackage ./pkgs/openssh {};
2022-08-25 12:21:35 -06:00
in {
imports = [
./configs
2022-08-25 12:21:35 -06:00
./dbuild
./gui
2022-10-12 13:58:15 -06:00
./modules
./overlays
2022-10-12 13:58:15 -06:00
./pkgs
2022-08-25 12:21:35 -06:00
./services
./system/nix-config.nix
./system/nix-lockdown.nix
2022-08-25 21:23:58 -06:00
./system/update.nix
2022-08-25 12:21:35 -06:00
./users
2023-03-29 08:01:58 -06:00
./monitoring
2022-08-25 12:21:35 -06:00
./bins
];
options.myconf = {
managementPubKeys = lib.mkOption rec {
type = lib.types.listOf lib.types.str;
2023-07-11 09:12:50 -06:00
default = [managementKey statusKey breakGlassKey];
example = default;
description = "List of management public keys to use";
};
2022-08-25 12:21:35 -06:00
hwPubKeys = lib.mkOption rec {
type = lib.types.listOf lib.types.str;
default = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1cBO17AFcS2NtIT+rIxR2Fhdu3HD4de4+IsFyKKuGQAAAACnNzaDpsZXNzZXI="
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDEKElNAm/BhLnk4Tlo00eHN5bO131daqt2DIeikw0b2AAAABHNzaDo="
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0="
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHrYWbbgBkGcOntDqdMaWVZ9xn+dHM+Ap6s1HSAalL28AAAACHNzaDptYWlu"
2023-03-13 08:29:50 -06:00
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOyQpDBHjHb3tWnPO6QAjh6KzWYqpabzfjpuwfEUzmUiHpPiU+f4ejNgRFDf9p84SQDz3EXxUMsW/kJ1crAkwOg= surf"
2022-08-25 12:21:35 -06:00
];
example = default;
description = "List of hardware public keys to use";
2022-08-25 12:21:35 -06:00
};
};
config = {
2023-07-11 09:12:50 -06:00
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
2022-08-25 12:21:35 -06:00
2022-08-25 21:23:58 -06:00
sops.secrets = {
xin_secrets_deploy_key = {
sopsFile = config.xin-secrets.deploy;
owner = "root";
group = "wheel";
2022-08-31 06:39:38 -06:00
mode = "400";
2022-08-25 21:23:58 -06:00
};
};
2023-07-11 09:12:50 -06:00
security.pki.caCertificateBlacklist = ["TrustCor ECA-1" "TrustCor RootCert CA-1" "TrustCor RootCert CA-2"];
security.pki.certificates = [
''
-----BEGIN CERTIFICATE-----
MIIBrjCCAVOgAwIBAgIIKUKZ6zcNut8wCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMM
Qm9sZDo6RGFlbW9uMCAXDTIyMDEyOTAxMDMxOVoYDzIxMjIwMTI5MDEwMzE5WjAX
MRUwEwYDVQQDEwxCb2xkOjpEYWVtb24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
AARYgIn1RWf059Hb964JEaiU3G248k2ZpBHtrACMmLRRO9reKr/prEJ2ltKrjCaX
+98ButRNIn78U8pL+H+aeE0Zo4GGMIGDMA4GA1UdDwEB/wQEAwIChDAdBgNVHSUE
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
HQ4EFgQUiUdCcaNy3E2bFzO9I76TPlMJ4w4wHwYDVR0jBBgwFoAUiUdCcaNy3E2b
FzO9I76TPlMJ4w4wCgYIKoZIzj0EAwIDSQAwRgIhAOd6ejqevrYAH5JtDdy2Mh9M
OTIx9nDZd+AOAg0wzlzfAiEAvG5taCm14H+qdWbEZVn+vqj6ChtxjH7fqOHv3Xla
HWw=
-----END CERTIFICATE-----
''
];
2022-08-25 12:21:35 -06:00
2022-09-07 18:26:38 -06:00
i18n.defaultLocale = "en_US.utf8";
2022-08-25 12:21:35 -06:00
users.motd = ''
2023-04-18 13:59:18 -06:00
2023-04-18 13:56:33 -06:00
.-
: := .
:: .= -- + -: --
+. =. =- -- := =: .=:
:= -=-: =. -: =: .=: -=. :-.
.: -: +.=--: -.:-. :-: :-: :=:
:=: :. .-: -- ==-.:-- ==-::: ::. :=- .
=-.-- -+:----+=.-=::-==.---.:: :-: .--.
.. : :-:-=::-:*=-:=-=-.:--:-.:=--=++*+- .:-:.
.--. .=: :.=:-+=-:-+=:-=-=-.:--=--==++=====++:...:::.
.-===:. --.-*++::----=+-:-=-:-----=+**++**++===+:::...
.==-::=-:::. ==-=++-:-=-:::=--=-:===+##%*-...-***+==+:::..
.==-:----++-:-::-=::=+--+=-:-==-:::::#@%@+ ***+-+#: ...
======----=**+::===:.-=-:==::::::::::*@%% =%**+==+*-..
:-:::--=---:=+===-:--..-=-.:::::::::::=@%% =@#**+===
:::--::----=-:::=+-::::=-::::::::::::::*@@+ :%%%%#***+..
:::::------#=-:-=-===-::::::::::::::::::=*%*-..:+%%%%@%=. :
:-----------:::==----=----:::::::::::::::::------:---=+**+=+.
.=+========+==--::::::::::::::::::::::::::-=-:::::::::::==#:
:-:--====*=::----::::::::::::::::::::::-:.=-::::::::::::+.
:+=----:.:::---:::::::::::::::::::::::-::-------------=+
.::::......:-=+=--::::----::::::::::::::::--::::::::::::::-::.
.::. .+--===++=-::::::::::::::::::::::::::::::::. .-=.
.::-=+**++=-----:::::=-::::::::::::::::::::::::::.
.::--::. .---------=----=-:::::::::::::::::::::--.
. -:-------------:::::::::::::::::::::--
.=:::---------:::::::::::::::....:--.
:=-:::::---===::::...........::::
-========-:::::::::::::::::.
.....
2023-04-18 13:59:18 -06:00
2022-08-25 12:21:35 -06:00
'';
boot = {
2023-07-11 09:12:50 -06:00
loader = {systemd-boot.configurationLimit = 15;};
kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;
2022-11-09 09:52:52 -07:00
kernel.sysctl = {
"net.ipv4.tcp_keepalive_time" = 60;
"net.ipv6.tcp_keepalive_time" = 60;
};
2023-05-26 08:06:02 -06:00
tmp.cleanOnBoot = true;
};
2023-01-31 12:55:24 -07:00
nix = {
2023-07-11 09:12:50 -06:00
settings =
if config.xinCI.enable
then {}
else {
2023-07-11 09:12:50 -06:00
substituters = ["https://nix-binary-cache.humpback-trout.ts.net/"];
trusted-public-keys = [
"nix-binary-cache.humpback-trout.ts.net:e9fJhcRtNVp6miW2pffFyK/gZ2et4y6IDigBNrEsAa0="
];
};
2023-01-31 12:55:24 -07:00
};
environment.systemPackages = with pkgs;
[
age
apg
bind
btop
direnv
2023-03-01 18:56:36 -07:00
git-bug
git-sync
2022-12-18 05:37:03 -07:00
gosignify
2022-12-23 12:47:53 -07:00
got
jq
lz4
minisign
mosh
2023-08-25 10:19:26 -06:00
nb
nix-diff
nix-index
nix-top
pass
2022-12-23 12:47:53 -07:00
ripgrep
taskwarrior
tmux
2023-07-11 09:12:50 -06:00
]
++ (
if isUnstable
then [nil]
else []
);
2022-08-25 12:21:35 -06:00
environment.interactiveShellInit = ''
alias vi=nvim
'';
time.timeZone = "US/Mountain";
documentation.man.enable = true;
networking.timeServers = options.networking.timeServers.default;
programs = {
zsh.enable = true;
gnupg.agent.enable = true;
ssh = {
package = myOpenSSH.openssh;
agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
knownHosts = {
2023-07-11 09:12:50 -06:00
"[namish.humpback-trout.ts.net]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
"[git.tapenet.org]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkbSJWeWJyJjak/boaMTqzPVq91wfJz1P+I4rnBUsPW";
};
2023-07-11 09:12:50 -06:00
knownHostsFiles = [./configs/ssh_known_hosts];
2022-08-25 12:21:35 -06:00
startAgent = true;
2023-03-06 08:37:40 -07:00
agentTimeout = "100m";
2023-03-06 08:30:43 -07:00
extraConfig = ''
2023-03-06 08:37:40 -07:00
Host *
controlmaster auto
controlpath /tmp/ssh-%r@%h:%p
VerifyHostKeyDNS yes
AddKeysToAgent confirm 90m
CanonicalizeHostname always
2023-03-06 08:30:43 -07:00
'';
2022-08-25 12:21:35 -06:00
};
};
2023-07-11 09:12:50 -06:00
environment.etc."ssh/ca.pub" = {text = caPubKeys;};
2023-02-19 06:58:29 -07:00
services.logrotate.checkConfig =
todo "logrotate disabled: https://github.com/NixOS/nix/issues/8502" false;
2023-02-19 06:58:29 -07:00
services = {
openssh = {
enable = true;
extraConfig = ''
TrustedUserCAKeys = /etc/ssh/ca.pub
2023-02-19 06:58:29 -07:00
'';
2023-05-26 08:06:02 -06:00
settings = {
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
2023-07-11 09:12:50 -06:00
KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org"];
2023-05-26 08:06:02 -06:00
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
];
};
};
2023-02-19 06:58:29 -07:00
};
2022-08-25 12:21:35 -06:00
};
}