xin/default.nix


{ config
, lib
, options
, pkgs
, isUnstable
, xinlib
, ...
}:
let
  # User CA public key(s). Installed as /etc/ssh/ca.pub and handed to sshd via
  # TrustedUserCAKeys below, so any user certificate signed by this CA is
  # accepted for login. No AuthorizedPrincipalsFile is set here, so presumably
  # the certificate principals have to match the login name — confirm.
  caPubKeys = builtins.concatStringsSep "\n" [
    "ssh-rsa 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 SUAH CA"
  ];

  # Emergency-access key. It is part of the default of myconf.managementPubKeys,
  # so it is authorised on every host that keeps that default.
  breakGlassKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6CO4aa8ymIgPgHRMwVLPnkUXwFQRKJa66R3wGXrAS0 BreakGlass";
  managementKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDM2k2C6Ufx5RNf4qWA9BdQHJfAkskOaqEWf8yjpySwH Nix Manager";
  # Pinned to a forced command with port/X11/agent forwarding and pty disabled,
  # so a holder of this key can only run xin-status. The `restrict` option
  # would additionally cover no-user-rc.
  statusKey = ''
    command="/run/current-system/sw/bin/xin-status",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9PIhQ+yWfBM2tEG+W8W8HXJXqISXif8BcPZHakKvLM xin-status
  '';

  # Keys that end up in every host's management key list unless overridden.
  defaultManagementKeys = [ managementKey statusKey breakGlassKey ];

  # Hardware-backed user keys (sk-* entries are FIDO keys; the ecdsa ones are
  # presumably from a token — confirm). Default of myconf.hwPubKeys.
  defaultHwKeys = [
    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1cBO17AFcS2NtIT+rIxR2Fhdu3HD4de4+IsFyKKuGQAAAACnNzaDpsZXNzZXI="
    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDEKElNAm/BhLnk4Tlo00eHN5bO131daqt2DIeikw0b2AAAABHNzaDo="
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0="
    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHrYWbbgBkGcOntDqdMaWVZ9xn+dHM+Ap6s1HSAalL28AAAACHNzaDptYWlu"
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOyQpDBHjHb3tWnPO6QAjh6KzWYqpabzfjpuwfEUzmUiHpPiU+f4ejNgRFDf9p84SQDz3EXxUMsW/kJ1crAkwOg= surf"
  ];

  # Locally packaged tools. gosignifyPkg is referenced by name below so it is
  # unambiguous that the local build, not anything from `with pkgs`, is used.
  gosignifyPkg = pkgs.callPackage ./pkgs/gosignify.nix { inherit isUnstable; };
  # musl-based OpenSSH build used as the client package (programs.ssh.package).
  opensshPkg = pkgs.pkgsMusl.callPackage ./pkgs/openssh.nix { inherit config xinlib; };
in
{
  imports = [
    ./configs
    ./dbuild
    ./gui
    ./modules
    ./overlays
    ./pkgs
    ./services
    ./users
    ./monitoring
    ./bins
  ];

  # The upstream gotosocial module is masked; a replacement presumably lives
  # under ./services (not visible from this file).
  disabledModules = [ "services/web-apps/gotosocial.nix" ];

  options.myconf = {
    managementPubKeys = lib.mkOption {
      type = with lib.types; listOf str;
      default = defaultManagementKeys;
      example = defaultManagementKeys;
      description = "List of management public keys to use";
    };

    hwPubKeys = lib.mkOption {
      type = with lib.types; listOf str;
      default = defaultHwKeys;
      example = defaultHwKeys;
      description = "List of hardware public keys to use";
    };
  };

  config = {
    # sops decrypts secrets with the host's own ed25519 host key (used as an
    # age identity).
    sops = {
      age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      # Deploy key: root-owned, mode 0400, so only root can read it.
      secrets.xin_secrets_deploy_key = {
        sopsFile = config.xin-secrets.deploy;
        owner = "root";
        group = "wheel";
        mode = "400";
      };
    };

    # Adds a private CA to the system-wide trust store: every TLS client on the
    # host will accept certificates it issues.
    security.pki.certificates = [
      ''
        -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
      ''
    ];

    i18n.defaultLocale = "en_US.utf8";

    users.motd = ''
      .-
      : := .
      :: .= -- + -: --
      +. =. =- -- := =: .=:
      := -=-: =. -: =: .=: -=. :-.
      .: -: +.=--: -.:-. :-: :-: :=:
      :=: :. .-: -- ==-.:-- ==-::: ::. :=- .
      =-.-- -+:----+=.-=::-==.---.:: :-: .--.
      .. : :-:-=::-:*=-:=-=-.:--:-.:=--=++*+- .:-:.
      .--. .=: :.=:-+=-:-+=:-=-=-.:--=--==++=====++:...:::.
      .-===:. --.-*++::----=+-:-=-:-----=+**++**++===+:::...
      .==-::=-:::. ==-=++-:-=-:::=--=-:===+##%*-...-***+==+:::..
      .==-:----++-:-::-=::=+--+=-:-==-:::::#@%@+ ***+-+#: ...
      ======----=**+::===:.-=-:==::::::::::*@%% =%**+==+*-..
      :-:::--=---:=+===-:--..-=-.:::::::::::=@%% =@#**+===
      :::--::----=-:::=+-::::=-::::::::::::::*@@+ :%%%%#***+..
      :::::------#=-:-=-===-::::::::::::::::::=*%*-..:+%%%%@%=. :
      :-----------:::==----=----:::::::::::::::::------:---=+**+=+.
      .=+========+==--::::::::::::::::::::::::::-=-:::::::::::==#:
      :-:--====*=::----::::::::::::::::::::::-:.=-::::::::::::+.
      :+=----:.:::---:::::::::::::::::::::::-::-------------=+
      .::::......:-=+=--::::----::::::::::::::::--::::::::::::::-::.
      .::. .+--===++=-::::::::::::::::::::::::::::::::. .-=.
      .::-=+**++=-----:::::=-::::::::::::::::::::::::::.
      .::--::. .---------=----=-:::::::::::::::::::::--.
      . -:-------------:::::::::::::::::::::--
      .=:::---------:::::::::::::::....:--.
      :=-:::::---===::::...........::::
      -========-:::::::::::::::::.
      .....
    '';

    boot = {
      # Keep at most 15 generations in the boot menu.
      loader.systemd-boot.configurationLimit = 15;
      # Hardened kernel unless a host overrides it (mkDefault).
      kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;
      kernel.sysctl = {
        "net.ipv4.tcp_keepalive_time" = 60;
        # NOTE(review): net.ipv6.tcp_keepalive_time does not look like a real
        # sysctl — the net.ipv4 knob covers both address families; confirm.
        "net.ipv6.tcp_keepalive_time" = 60;
      };
      tmp.cleanOnBoot = true;
    };

    # CI hosts keep the stock nix settings; every other host is pinned to the
    # listed substituters. mkForce discards the NixOS default list, which is
    # why cache.nixos.org is repeated here. trusted-public-keys is merged, not
    # forced, so the default cache.nixos.org signing key presumably remains
    # trusted alongside these — confirm.
    nix.settings = lib.optionalAttrs (!config.xinCI.enable) {
      substituters = lib.mkForce [
        "https://cache.nixos.org"
        "https://nix-binary-cache.otter-alligator.ts.net/"
      ];
      trusted-public-keys = [
        "nix-binary-cache.otter-alligator.ts.net:XzgdqR79WNOzcvSHlgh4FDeFNUYR8U2m9dZGI7whuco="
        "nix-binary-cache.humpback-trout.ts.net:e9fJhcRtNVp6miW2pffFyK/gZ2et4y6IDigBNrEsAa0="
      ];
    };

    environment = {
      # Published for sshd's TrustedUserCAKeys (see services.openssh below).
      etc."ssh/ca.pub".text = caPubKeys;
      systemPackages =
        (with pkgs; [
          age
          apg
          bind
          btop
          direnv
          git-bug
          git-sync
          gosignifyPkg
          got
          jq
          lz4
          minisign
          mosh
          nix-diff
          nix-index
          nix-output-monitor
          nix-top
          pass
          ripgrep
          sshfs
          tmux
        ])
        # nil only exists on the unstable channel.
        ++ lib.optional isUnstable pkgs.nil;
      interactiveShellInit = ''
        alias vi=nvim
      '';
    };

    time.timeZone = "US/Mountain";
    documentation.man.enable = true;
    networking.timeServers = options.networking.timeServers.default;

    programs = {
      zsh.enable = true;
      gnupg.agent.enable = true;
      ssh = {
        package = opensshPkg;
        # Only the OpenSC provider may be loaded into ssh-agent as a PKCS#11
        # module.
        agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
        # Pinned host keys for the two git/forge endpoints on port 2222.
        knownHosts = {
          "[namish.otter-alligator.ts.net]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
          "[git.tapenet.org]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkbSJWeWJyJjak/boaMTqzPVq91wfJz1P+I4rnBUsPW";
        };
        knownHostsFiles = [ ./configs/ssh_known_hosts ];
        startAgent = true;
        agentTimeout = "100m";
        # NOTE(review): the ControlPath socket is placed in world-writable /tmp
        # under a predictable name; ssh_config(5) recommends a directory that
        # other users cannot write to and %C (hash of %l%h%p%r) instead of the
        # plain %r@%h:%p. VerifyHostKeyDNS yes lets SSHFP records vouch for a
        # host key: only DNSSEC-validated answers are trusted implicitly,
        # unvalidated ones are treated as "ask".
        extraConfig = ''
          Host *
          controlmaster auto
          controlpath /tmp/ssh-%r@%h:%p
          VerifyHostKeyDNS yes
          AddKeysToAgent 90m
          CanonicalizeHostname always
        '';
      };
    };

    services = {
      logrotate.checkConfig =
        xinlib.todo "logrotate.checkConfig disabled: https://github.com/NixOS/nix/issues/8502" false;

      openssh = {
        enable = true;
        # Certificate-based user authentication against the CA in caPubKeys.
        extraConfig = ''
          TrustedUserCAKeys = /etc/ssh/ca.pub
        '';
        settings = {
          PermitRootLogin = "prohibit-password";
          PasswordAuthentication = false;
          # NOTE(review): KbdInteractiveAuthentication is not set here; unless a
          # module under ./configs disables it, keyboard-interactive (PAM) may
          # still accept passwords — confirm.
          KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
          # Encrypt-then-MAC only. Ciphers is left at the package default.
          Macs = [
            "hmac-sha2-512-etm@openssh.com"
            "hmac-sha2-256-etm@openssh.com"
            "umac-128-etm@openssh.com"
          ];
        };
      };
    };
  };
}