Modularise setup, add hardening config

2019-08-11 19:53:02 +01:00 · 2019-08-11 19:53:02 +01:00 · 1a6f73119f
commit 1a6f73119f
parent bbfa1000c8
6 changed files with 137 additions and 10 deletions
--- a/build01/configuration.nix
+++ b/build01/configuration.nix
@ -1,9 +1,14 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:

 {
  imports = [
    ./hardware-configuration.nix
    ./buildkite.nix
+
+    ../profiles/common.nix
+    ../profiles/docker.nix
+
+    ../users/adisbladis.nix
  ];

  # /boot is a mirror raid
@ -29,17 +34,9 @@
    '';
  };

-  services.openssh.enable = true;
-
-  users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtr+rcxCZBAAqt8ocvhEEdBWfnRBCljjQPtC6Np24Y3H/HMe3rugsu3OhPscRV1k5hT+UlA2bpN8clMFAfK085orYY7DMUrgKQzFB7GDnOvuS1CqE1PRw7/OHLcWxDwf3YLpa8+ZIwMHFxR2gxsldCLGZV/VukNwhEvWs50SbXwVrjNkwA9LHy3Or0i6sAzU711V3B2heB83BnbT8lr3CKytF3uyoTEJvDE7XMmRdbvZK+c48bj6wDaqSmBEDrdNncsqnReDjScdNzXgP1849kMfIUwzXdhEF8QRVfU8n2A2kB0WRXiGgiL4ba5M+N9v1zLdzSHcmB0veWGgRyX8tN cardno:000607203159" ];
  boot.kernelPackages = pkgs.linuxPackages_latest;
  boot.supportedFilesystems = [ "zfs" ];

-  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [
-    22
-  ];
-
-  system.stateVersion = "18.03"; # Did you read the comment?
+  system.stateVersion = "19.09";

 }
--- a/profiles/common.nix
+++ b/profiles/common.nix
@ -0,0 +1,52 @@
+{ pkgs, lib, config, ... }:
+
+{
+
+  imports = [ ./security.nix ];
+
+  # Nicer interactive shell
+  programs.fish.enable = true;
+  # And for the zsh peeps
+  programs.zsh.enable = true;
+
+  # Entropy gathering daemon
+  services.haveged.enable = true;
+
+  nix = let
+    asGB = size: toString (size * 1024 * 1024);
+  in {
+    extraOptions = ''
+      # auto-free the /nix/store
+      min-free = ${asGB 10}
+      max-free = ${asGB 200}
+    '';
+    # Hard-link duplicated files
+    autoOptimiseStore = true;
+  };
+
+  # No mutable users
+  users.mutableUsers = false;
+
+  services.openssh.enable = true;
+  networking.firewall.allowedTCPPorts = [
+    22
+  ];
+
+  # Make debugging failed units easier
+  systemd.extraConfig = ''
+    DefaultStandardOutput=journal
+    DefaultStandardError=journal
+  '';
+
+  # The nix-community is global :)
+  time.timeZone = "UTC";
+
+  # Assign keys from all users in wheel group
+  # This is only done because nixops cant be deployed from any other account
+  users.extraUsers.root.openssh.authorizedKeys.keys = lib.unique (lib.flatten (
+    builtins.map (u: u.openssh.authorizedKeys.keys)
+      (lib.attrValues (lib.filterAttrs (_: u: lib.elem "wheel" u.extraGroups)
+        config.users.extraUsers))));
+
+
+}
--- a/profiles/docker.nix
+++ b/profiles/docker.nix
@ -0,0 +1,15 @@
+{...}:
+
+{
+
+  virtualisation.docker = {
+    enable = true;
+    # Clean docker images periodically
+    autoPrune = {
+      enable = true;
+      # Do not only remove "dangling" images (orphaned layers), also remove unused
+      flags = [ "--all" ];
+    };
+  };
+
+}
--- a/profiles/security.nix
+++ b/profiles/security.nix
@ -0,0 +1,24 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+  # Allow sudo from SSH authenticated users
+  # This requires users in the wheel group to log in
+  # over ssh with an agent and enable forwarding
+  security.pam.services.sudo.sshAgentAuth = true;
+  security.pam.enableSSHAgentAuth = true;
+
+  # Dont let users create their own authorized keys files
+  services.openssh.authorizedKeysFiles = lib.mkForce [
+    "/etc/ssh/authorized_keys.d/%u"
+  ];
+
+  networking.firewall.enable = true;
+
+  services.openssh.challengeResponseAuthentication = false;
+  services.openssh.passwordAuthentication = false;
+
+  # Ban brute force SSH
+  services.fail2ban.enable = true;
+
+}
--- a/users/adisbladis.nix
+++ b/users/adisbladis.nix
@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+
+let
+  userLib = import ./lib.nix { inherit lib; };
+  keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtr+rcxCZBAAqt8ocvhEEdBWfnRBCljjQPtC6Np24Y3H/HMe3rugsu3OhPscRV1k5hT+UlA2bpN8clMFAfK085orYY7DMUrgKQzFB7GDnOvuS1CqE1PRw7/OHLcWxDwf3YLpa8+ZIwMHFxR2gxsldCLGZV/VukNwhEvWs50SbXwVrjNkwA9LHy3Or0i6sAzU711V3B2heB83BnbT8lr3CKytF3uyoTEJvDE7XMmRdbvZK+c48bj6wDaqSmBEDrdNncsqnReDjScdNzXgP1849kMfIUwzXdhEF8QRVfU8n2A2kB0WRXiGgiL4ba5M+N9v1zLdzSHcmB0veWGgRyX8tN cardno:000607203159"
+  ];
+
+in {
+  users.users.adisbladis = {
+    openssh.authorizedKeys.keys = keys;
+    useDefaultShell = true;
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+    ];
+    uid = userLib.mkUid "adis";
+  };
+
+  nix.trustedUsers = [ "adisbladis" ];
+
+}
--- a/users/lib.nix
+++ b/users/lib.nix
@ -0,0 +1,17 @@
+{ lib }:
+
+let
+  chrs = lib.listToAttrs (lib.imap (i: v: {name=v; value=i + 96;}) lib.lowerChars);
+  ord = c: builtins.getAttr c chrs;
+
+in {
+  # Make a unique UID from a 4-char identifier
+  mkUid = id: let  # TODO: Assert length
+    chars = lib.stringToCharacters id;
+    n = builtins.map (c: lib.mod (ord c) 10) chars;
+    s = builtins.concatStringsSep "" (builtins.map (i: builtins.toString i) n);
+
+  in
+    assert lib.length chars == 4;
+    1000 + lib.toInt s;
+}