

  1. (add-to-load-path (dirname (current-filename)))
  2. (use-modules (gnu)
  3. (gnu system)
  4. (guix modules)
  5. ;;(endlessh-service)
  6. (public-keys))
  7. (use-service-modules certbot dbus desktop docker networking
  8. ssh sysctl web)
  9. (use-package-modules admin
  10. certs
  11. package-management
  12. ssh
  13. tls)
  14. (define %nginx-deploy-hook
  15. (program-file
  16. "nginx-deploy-hook"
  17. #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
  18. (kill pid SIGHUP))))
  19. (define %my-base-services
  20. (modify-services %base-services
  21. (guix-service-type config =>
  22. (guix-configuration (inherit config)
  23. (discover? #t)
  24. (substitute-urls
  25. (append (list
  26. "https://bordeaux-us-east-mirror.cbaines.net/"
  27. "https://guix.tobias.gr")
  28. %default-substitute-urls))
  29. (authorized-keys
  30. (append (list
  31. ;; setting up guix deploy from dobby.
  32. (local-file "./dobby-guix-signing-key.pub")
  33. (plain-file
  34. "guix.tobias.gr"
  35. "(public-key
  36. (ecc
  37. (curve Ed25519)
  38. (q #E21911E159DB6D031A763509A255B054360A4A96F5668CBBAC48052E67D274D3#)
  39. )
  40. )
  41. ")
  42. (plain-file
  43. "bordeaux.guix.gnu.org.signing.key"
  44. "
  45. (public-key
  46. (ecc
  47. (curve Ed25519)
  48. (q #7D602902D3A2DBB83F8A0FB98602A754C5493B0B778C8D1DD4E0F41DE14DE34F#)
  49. )
  50. )")
  51. )))
  52. (extra-options '("--max-jobs=1"))))
  53. ;; security stuff.
  54. (sysctl-service-type config =>
  55. (sysctl-configuration
  56. (settings
  57. (append
  58. '(
  59. ;;disable ipv6
  60. ("net.ipv6.conf.all.disable_ipv6" . "1")
  61. ("net.ipv6.conf.all.disable_policy" . "1")
  62. ("net.ipv6.conf.default.disable_ipv6" . "1")
  63. ("net.ipv6.conf.default.disable_policy" . "1")
  64. ("net.ipv6.conf.enp0s10.disable_ipv6" . "1")
  65. ("net.ipv6.conf.enp0s10.disable_policy" . "1")
  66. ("net.ipv6.conf.lo.disable_ipv6" . "1")
  67. ("net.ipv6.conf.lo.disable_policy" . "1")
  68. ;; disable ebpf in kernel virtual machine for unprivledged users
  69. ("sysctl kernel.unprivileged_bpf_disabled" . "1")
  70. ("spec_store_bypass_disable" . "on")
  71. ("spectre_v2" . "on")
  72. ("lld_flush" . "on")
  73. ;; need to enable apparmor for this...
  74. ;;("lockdown" . "confidentiality")
  75. ("init_on_alloc" . "1")
  76. ("init_on_free" . "1")
  77. ("page_alloc.shuffle" . "1")
  78. ;;("slab_nomerge")
  79. ("vsyscall" . "1")
  80. ;; ("slub_debug" . "F")
  81. ("randomize_kstack_offset" . "1")
  82. ;; disable re-leading a running kernel
  83. ("kernel.kexec_load_disabled" . "1")
  84. ;; restrict kernel pointers
  85. ("kernel.kptr_restrict" . "2")
  86. ;; unprivledegd users cannot get perf events
  87. ("kernel.perf_event_paranoid" . "3")
  88. ;; only privledged users can use bpf
  89. ("net.core.bpf_jit_harden" . "2")
  90. ("kernel.unprivleged_bpf" . "1")
  91. ;; prevest some proofing attacks
  92. ("net.ipv4.conf.all.rp_filter" . "1")
  93. ("net.ipv4.conf.default.rp_filter" . "1")
  94. ;; disable icmp redirects and
  95. ;; RFC1620 shared media redirects
  96. ("net.ipv4.conf.all.accept_redirects" . "0")
  97. ("net.ipv4.conf.all.secure_redirects" . "0")
  98. ("net.ipv4.conf.all.send_redirects" . "0")
  99. ("net.ipv4.conf.all.shared_media" . "0")
  100. ("net.ipv4.conf.default.accept_redirects" . "0")
  101. ("net.ipv4.conf.default.secure_redirects" . "0")
  102. ("net.ipv4.conf.default.send_redirects" . "0")
  103. ("net.ipv4.conf.default.shared_media" . "0")
  104. ("net.ipv6.conf.all.accept_redirects" . "0")
  105. ("net.ipv6.conf.default.accept_redirects" . "0")
  106. ;; disallow source-routed packets
  107. ("net.ipv4.conf.all.accept_source_route" . "0")
  108. ("net.ipv4.conf.default.accept_source_route" . "0")
  109. ("net.ipv6.conf.all.accept_source_route" . "0")
  110. ("net.ipv6.conf.default.accept_source_route" . "0")
  111. ;; disable pings sent to a broadcast address
  112. ("net.ipv4.icmp_echo_ignore_broadcasts" . "1")
  113. ;; disable bogus icmp error responses
  114. ("net.ipv4.icmp_ignore_bogus_error_responses" . "1")
  115. ;; protect against time-wait assassination hazards in tcp
  116. ("net.ipv4.tcp_rfc1337" . "1")
  117. ("net.ipv4.tcp_sack" . "0")
  118. ("net.ipv4.tcp_dsack" . "0")
  119. ("net.ipv4.tcp_timestamps" . "0")
  120. ("vm.mmap_rnd_bits" . "32")
  121. ("vm.mmap_rnd_compat_bits" . "16")
  122. ("net.ipv4.icmp_echo_ignore_all" . "1")
  123. )
  124. %default-sysctl-settings))))))
  125. (define %system
  126. (operating-system
  127. (host-name "aquinas")
  128. (timezone "America/Chicago")
  129. (locale "en_US.UTF-8")
  130. ;; This goofy code will generate the grub.cfg
  131. ;; without installing the grub bootloader on disk.
  132. (bootloader (bootloader-configuration
  133. (bootloader
  134. (bootloader
  135. (inherit grub-bootloader)
  136. (installer #~(const #true))))))
  137. (file-systems (cons (file-system
  138. (device "/dev/sda")
  139. (mount-point "/")
  140. (type "ext4"))
  141. %base-file-systems))
  142. (swap-devices (list (swap-space
  143. (target "/dev/sdb"))))
  144. (initrd-modules (cons "virtio_scsi" ; Needed to find the disk
  145. %base-initrd-modules))
  146. (users (cons (user-account
  147. (name "joshua")
  148. (group "users")
  149. ;; Adding the account to the "wheel" group
  150. ;; makes it a sudoer.
  151. (supplementary-groups '("wheel"))
  152. (home-directory "/home/joshua"))
  153. %base-user-accounts))
  154. ;; let joshua execute a privledged command via "sudo joshua" w/o
  155. ;; prompting for a password.
  156. (sudoers-file
  157. (plain-file "sudoers"
  158. (string-append (plain-file-content %sudoers-specification)
  159. (format #f "~a ALL = NOPASSWD: ALL~%"
  160. "joshua"))))
  161. (packages (cons* nss-certs ;for HTTPS access
  162. openssh-sans-x
  163. %base-packages))
  164. (services (cons*
  165. (service certbot-service-type
  166. (certbot-configuration
  167. (email "mysubscriptions@member.fsf.org")
  168. (webroot "/srv/www/")
  169. (certificates
  170. (list
  171. (certificate-configuration
  172. (name "the-nx.com")
  173. (domains '("the-nx.com" "www.the-nx.com"))
  174. (deploy-hook %nginx-deploy-hook))))))
  175. (dbus-service)
  176. (service dhcp-client-service-type)
  177. (service docker-service-type)
  178. (elogind-service)
  179. (service openssh-service-type
  180. (openssh-configuration
  181. (openssh openssh-sans-x)
  182. (password-authentication? #false)
  183. ;;(port-number 63355)
  184. (authorized-keys
  185. `(("joshua" ,(plain-file "id_rsa.pub" %joshua-ssh-key))))
  186. ))
  187. ;; TODO my firewall is NOT working!
  188. ;;(service nftables-service-type)
  189. (service nginx-service-type
  190. (nginx-configuration
  191. (server-blocks
  192. (list
  193. (nginx-server-configuration
  194. (server-name '("the-nx.com"))
  195. (listen (list ;;"80"
  196. "443 ssl http2"
  197. ;;"[::]:80"
  198. ;;"[::80]:443 ssl http2"
  199. ))
  200. (root "/srv/www/html/the-nx.com")
  201. (ssl-certificate "/etc/letsencrypt/live/the-nx.com/fullchain.pem")
  202. (ssl-certificate-key "/etc/letsencrypt/live/the-nx.com/privkey.pem")
  203. (locations
  204. (list
  205. (nginx-location-configuration ;; for certbot
  206. (uri "/.well-known")
  207. (body (list "root /srv/www;")))
  208. (nginx-location-configuration
  209. (uri "/")
  210. (body
  211. (list
  212. ;; prevent nginx server detection.
  213. "server_tokens off;\n"
  214. "proxy_pass http://127.0.0.1:9000;\n"
  215. "proxy_set_header X-Real-IP $remote_addr;\n"
  216. "proxy_set_header Host $host;\n"
  217. "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n"
  218. "client_max_body_size 0;\n"
  219. "# Websocket\n"
  220. "proxy_http_version 1.1;\n"
  221. "proxy_set_header Upgrade $http_upgrade;\n"))))))))))
  222. %my-base-services))))
  223. (list (machine
  224. (operating-system %system)
  225. (environment managed-host-environment-type)
  226. (configuration (machine-ssh-configuration
  227. (host-name "198.58.111.31")
  228. (system "x86_64-linux")
  229. (user "joshua")
  230. (identity "~/.ssh/id_rsa")
  231. (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJNUfLuM02Mrxj8zQcBcFx7RwIcLTrtu9enCIEP/79tr root@(none)")
  232. (port 22)))))