- (add-to-load-path (dirname (current-filename)))
- (use-modules (gnu)
- (gnu system)
- (guix modules)
- ;;(endlessh-service)
- (public-keys))
- (use-service-modules certbot dbus desktop docker networking
- ssh sysctl web)
- (use-package-modules admin
- certs
- package-management
- ssh
- tls)
- (define %nginx-deploy-hook
- (program-file
- "nginx-deploy-hook"
- #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
- (kill pid SIGHUP))))
- (define %my-base-services
- (modify-services %base-services
- (guix-service-type config =>
- (guix-configuration (inherit config)
- (discover? #t)
- (substitute-urls
- (append (list
- "https://bordeaux-us-east-mirror.cbaines.net/"
- "https://guix.tobias.gr")
- %default-substitute-urls))
- (authorized-keys
- (append (list
- ;; setting up guix deploy from dobby.
- (local-file "./dobby-guix-signing-key.pub")
- (plain-file
- "guix.tobias.gr"
- "(public-key
- (ecc
- (curve Ed25519)
- (q #E21911E159DB6D031A763509A255B054360A4A96F5668CBBAC48052E67D274D3#)
- )
- )
- ")
- (plain-file
- "bordeaux.guix.gnu.org.signing.key"
- "
- (public-key
- (ecc
- (curve Ed25519)
- (q #7D602902D3A2DBB83F8A0FB98602A754C5493B0B778C8D1DD4E0F41DE14DE34F#)
- )
- )")
- )))
- (extra-options '("--max-jobs=1"))))
- ;; security stuff.
- (sysctl-service-type config =>
- (sysctl-configuration
- (settings
- (append
- '(
- ;;disable ipv6
- ("net.ipv6.conf.all.disable_ipv6" . "1")
- ("net.ipv6.conf.all.disable_policy" . "1")
- ("net.ipv6.conf.default.disable_ipv6" . "1")
- ("net.ipv6.conf.default.disable_policy" . "1")
- ("net.ipv6.conf.enp0s10.disable_ipv6" . "1")
- ("net.ipv6.conf.enp0s10.disable_policy" . "1")
- ("net.ipv6.conf.lo.disable_ipv6" . "1")
- ("net.ipv6.conf.lo.disable_policy" . "1")
- ;; disable ebpf in kernel virtual machine for unprivledged users
- ("sysctl kernel.unprivileged_bpf_disabled" . "1")
- ("spec_store_bypass_disable" . "on")
- ("spectre_v2" . "on")
- ("lld_flush" . "on")
- ;; need to enable apparmor for this...
- ;;("lockdown" . "confidentiality")
- ("init_on_alloc" . "1")
- ("init_on_free" . "1")
- ("page_alloc.shuffle" . "1")
- ;;("slab_nomerge")
- ("vsyscall" . "1")
- ;; ("slub_debug" . "F")
- ("randomize_kstack_offset" . "1")
- ;; disable re-leading a running kernel
- ("kernel.kexec_load_disabled" . "1")
- ;; restrict kernel pointers
- ("kernel.kptr_restrict" . "2")
- ;; unprivledegd users cannot get perf events
- ("kernel.perf_event_paranoid" . "3")
- ;; only privledged users can use bpf
- ("net.core.bpf_jit_harden" . "2")
- ("kernel.unprivleged_bpf" . "1")
- ;; prevest some proofing attacks
- ("net.ipv4.conf.all.rp_filter" . "1")
- ("net.ipv4.conf.default.rp_filter" . "1")
- ;; disable icmp redirects and
- ;; RFC1620 shared media redirects
- ("net.ipv4.conf.all.accept_redirects" . "0")
- ("net.ipv4.conf.all.secure_redirects" . "0")
- ("net.ipv4.conf.all.send_redirects" . "0")
- ("net.ipv4.conf.all.shared_media" . "0")
- ("net.ipv4.conf.default.accept_redirects" . "0")
- ("net.ipv4.conf.default.secure_redirects" . "0")
- ("net.ipv4.conf.default.send_redirects" . "0")
- ("net.ipv4.conf.default.shared_media" . "0")
- ("net.ipv6.conf.all.accept_redirects" . "0")
- ("net.ipv6.conf.default.accept_redirects" . "0")
- ;; disallow source-routed packets
- ("net.ipv4.conf.all.accept_source_route" . "0")
- ("net.ipv4.conf.default.accept_source_route" . "0")
- ("net.ipv6.conf.all.accept_source_route" . "0")
- ("net.ipv6.conf.default.accept_source_route" . "0")
- ;; disable pings sent to a broadcast address
- ("net.ipv4.icmp_echo_ignore_broadcasts" . "1")
- ;; disable bogus icmp error responses
- ("net.ipv4.icmp_ignore_bogus_error_responses" . "1")
- ;; protect against time-wait assassination hazards in tcp
- ("net.ipv4.tcp_rfc1337" . "1")
- ("net.ipv4.tcp_sack" . "0")
- ("net.ipv4.tcp_dsack" . "0")
- ("net.ipv4.tcp_timestamps" . "0")
- ("vm.mmap_rnd_bits" . "32")
- ("vm.mmap_rnd_compat_bits" . "16")
- ("net.ipv4.icmp_echo_ignore_all" . "1")
- )
- %default-sysctl-settings))))))
- (define %system
- (operating-system
- (host-name "aquinas")
- (timezone "America/Chicago")
- (locale "en_US.UTF-8")
- ;; This goofy code will generate the grub.cfg
- ;; without installing the grub bootloader on disk.
- (bootloader (bootloader-configuration
- (bootloader
- (bootloader
- (inherit grub-bootloader)
- (installer #~(const #true))))))
- (file-systems (cons (file-system
- (device "/dev/sda")
- (mount-point "/")
- (type "ext4"))
- %base-file-systems))
- (swap-devices (list (swap-space
- (target "/dev/sdb"))))
- (initrd-modules (cons "virtio_scsi" ; Needed to find the disk
- %base-initrd-modules))
- (users (cons (user-account
- (name "joshua")
- (group "users")
- ;; Adding the account to the "wheel" group
- ;; makes it a sudoer.
- (supplementary-groups '("wheel"))
- (home-directory "/home/joshua"))
- %base-user-accounts))
- ;; let joshua execute a privledged command via "sudo joshua" w/o
- ;; prompting for a password.
- (sudoers-file
- (plain-file "sudoers"
- (string-append (plain-file-content %sudoers-specification)
- (format #f "~a ALL = NOPASSWD: ALL~%"
- "joshua"))))
- (packages (cons* nss-certs ;for HTTPS access
- openssh-sans-x
- %base-packages))
- (services (cons*
- (service certbot-service-type
- (certbot-configuration
- (email "mysubscriptions@member.fsf.org")
- (webroot "/srv/www/")
- (certificates
- (list
- (certificate-configuration
- (name "the-nx.com")
- (domains '("the-nx.com" "www.the-nx.com"))
- (deploy-hook %nginx-deploy-hook))))))
- (dbus-service)
- (service dhcp-client-service-type)
- (service docker-service-type)
- (elogind-service)
- (service openssh-service-type
- (openssh-configuration
- (openssh openssh-sans-x)
- (password-authentication? #false)
- ;;(port-number 63355)
- (authorized-keys
- `(("joshua" ,(plain-file "id_rsa.pub" %joshua-ssh-key))))
- ))
- ;; TODO my firewall is NOT working!
- ;;(service nftables-service-type)
- (service nginx-service-type
- (nginx-configuration
- (server-blocks
- (list
- (nginx-server-configuration
- (server-name '("the-nx.com"))
- (listen (list ;;"80"
- "443 ssl http2"
- ;;"[::]:80"
- ;;"[::80]:443 ssl http2"
- ))
- (root "/srv/www/html/the-nx.com")
- (ssl-certificate "/etc/letsencrypt/live/the-nx.com/fullchain.pem")
- (ssl-certificate-key "/etc/letsencrypt/live/the-nx.com/privkey.pem")
- (locations
- (list
- (nginx-location-configuration ;; for certbot
- (uri "/.well-known")
- (body (list "root /srv/www;")))
- (nginx-location-configuration
- (uri "/")
- (body
- (list
- ;; prevent nginx server detection.
- "server_tokens off;\n"
- "proxy_pass http://127.0.0.1:9000;\n"
- "proxy_set_header X-Real-IP $remote_addr;\n"
- "proxy_set_header Host $host;\n"
- "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n"
- "client_max_body_size 0;\n"
- "# Websocket\n"
- "proxy_http_version 1.1;\n"
- "proxy_set_header Upgrade $http_upgrade;\n"))))))))))
- %my-base-services))))
- (list (machine
- (operating-system %system)
- (environment managed-host-environment-type)
- (configuration (machine-ssh-configuration
- (host-name "198.58.111.31")
- (system "x86_64-linux")
- (user "joshua")
- (identity "~/.ssh/id_rsa")
- (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJNUfLuM02Mrxj8zQcBcFx7RwIcLTrtu9enCIEP/79tr root@(none)")
- (port 22)))))