
bunch of changes plus switch to git-crypt

master
parent
commit
5907dc0bf6
16 changed files with 170 additions and 23 deletions
  1. +3
    -0
      .gitattributes
  2. +1
    -4
      .gitignore
  3. +3
    -1
      README.md
  4. +17
    -2
      common/default.nix
  5. +1
    -0
      common/graphical.nix
  6. +6
    -5
      common/headfull.nix
  7. +2
    -2
      common/mail.nix
  8. +123
    -7
      common/tor.nix
  9. +3
    -2
      common/xdg.nix
  10. BIN
      dotfiles/mail/mbsync/config
  11. BIN
      dotfiles/mail/msmtp/config
  12. +3
    -0
      dotfiles/mail/mutt/mailsync.sh
  13. +7
    -0
      machines/xanadu/default.nix
  14. +1
    -0
      pkgs/tmux.nix
  15. BIN
      secrets/deployment.nix
  16. BIN
      secrets/passwords.nix

+ 3
- 0
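--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,3 @@
+secrets/* filter=git-crypt diff=git-crypt
+dotfiles/mail/msmtp/* filter=git-crypt diff=git-crypt
+dotfiles/mail/mbsync/* filter=git-crypt diff=git-crypt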
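Review bot: `secrets/*` follows gitignore pattern rules, where `*` does not match a `/`, so a file later placed in a subdirectory (say `secrets/some-host/...`, constructed example) would be committed in cleartext with no warning; `secrets/** filter=git-crypt diff=git-crypt`, and likewise for the two mail directories, covers nested paths as well. Since the same paths are dropped from .gitignore in this commit, this pattern is now the only thing keeping those files out of the cleartext history, which is why the broader glob is worth the change. `git-crypt status -e` after the switch confirms which tracked files are actually encrypted.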

+ 1
- 4
.gitignore View File

@@ -1,5 +1,2 @@
secrets/*
dotfiles/mail/msmtp/*
dotfiles/mail/mbsync/*
dotfiles/weechat/*
configuration.nix
dotfiles/weechat/*

+ 3
- 1
README.md View File

@@ -9,7 +9,9 @@ Currently the machines populated by this configuration are:


Features in need of development are:
* weechat-matrix and vim-prosession !!!
* japanese keyboard support
* switch to pass in dotfiles
* security hardening through sandboxing
* set up eirin to have regular and automated backups
* reroute all internet traffic through tor
* make firefox sync to fujiwara and setup fujiwara

+ 17
- 2
common/default.nix View File

@@ -1,5 +1,17 @@
{ config, pkgs, ... }:
{
with pkgs;
let
my-python-packages = python-packages: with python-packages; [
pandas
requests
pillow
matrix-nio
Logbook
# other python packages you want
];
python-pkgs = python3.withPackages my-python-packages;
in
{
imports =
[
./security.nix
@@ -8,6 +20,7 @@
./xdg.nix
./sandboxing.nix
(import "${builtins.fetchTarball https://github.com/rycee/home-manager/archive/release-19.09.tar.gz}/nixos")
./../secrets/deployment.nix
./../pkgs/vim.nix
./../pkgs/zsh.nix
./../pkgs/tmux.nix
@@ -16,7 +29,7 @@

# basic set of tools & ssh
environment.systemPackages = with pkgs; [
wget neovim tmux git rsync
wget neovim tmux git git-crypt pinentry-curses rsync imagemagick python-pkgs
];

services.openssh = {
@@ -47,5 +60,7 @@
'';
console.earlySetup = true;
boot.loader.timeout = 1;
networking.domain = "govanify.com";
programs.gnupg.agent.enable = true;
}
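Review bot: `./../secrets/deployment.nix` is now pulled in through `imports` (second hunk) while being git-crypt encrypted per .gitattributes; git-crypt only protects the file at rest in the repository, and any option value taken from it that is rendered into a generated config file, systemd unit or /etc entry lands in the world-readable Nix store on the target, so if it carries credentials rather than host metadata they belong in a runtime secret mechanism instead. A clone without the git-crypt key also leaves the file as ciphertext, so evaluation fails with an opaque parse error; a comment next to the import such as `# git-crypt encrypted: run git-crypt unlock before nixos-rebuild` would spare the next person that confusion. The outer `with pkgs;` added at the top makes the existing `with pkgs;` on the `environment.systemPackages` line redundant; keeping both leaves it unclear which scope a name resolves in, so I would drop one.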


+ 1
- 0
common/graphical.nix View File

@@ -12,6 +12,7 @@
kanshi # autorandr
wofi grim wl-clipboard firefox-wayland
mpv imv slurp
tor-browser-bundle-bin
];
};



+ 6
- 5
common/headfull.nix View File

@@ -9,15 +9,16 @@
environment.systemPackages = with pkgs; [
weechat cmus # dev
cargo python clang meson ninja
asciinema #texlive
#python38Packages.matrix-nio
asciinema
texlive.combined.scheme-medium
];



home-manager.users.govanify = {
home.file.".config/weechat".source = ./../dotfiles/weechat;
};
# TODO: do that cleanly
#home-manager.users.govanify = {
#home.file.".config/weechat".source = ./../dotfiles/weechat;
#};

networking.networkmanager.enable = true;
# Enable CUPS to print documents.


+ 2
- 2
common/mail.nix View File

@@ -2,7 +2,7 @@

# basic set of tools & ssh
environment.systemPackages = with pkgs; [
neomutt msmtp isync notmuch abook
neomutt msmtp isync notmuch abook lynx
];

# XDG_CONFIG_HOME does not get parsed correctly so we do it manually
@@ -11,7 +11,7 @@
home.file.".config/mbsync/config".source = ./../dotfiles/mail/mbsync/config;
home.file.".config/mutt".source = ./../dotfiles/mail/mutt;
};
environment.shellAliases = { neomutt = "mutt"; };
#environment.shellAliases = { neomutt = "mutt"; };

# not sure why but here is let's encrypt cross signed X3 cert, needed for my
# mail server apparently


+ 123
- 7
common/tor.nix View File

@@ -1,9 +1,125 @@
{ config, pkgs, ... }:
{
services.tor= {
enable = true;
client.enable = true;
client.transparentProxy.enable = true;
{config, lib, ...}:
with lib;
let
cfg = config.modules.tor.transparentProxy;
transPort = "9040";
dnsPort = "5353";
torUid = toString config.ids.uids.tor;
ianaReserved = "0.0.0.0/8 100.64.0.0/10 169.254.0.0/16 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/3";
in {
options = {
modules.tor.transparentProxy = {
enable = mkEnableOption "Transparent tor proxy";
outputNic = mkOption {
type = types.str;
default = "enp0s2";
description = "Interface to use for internet access.";
};
inputNic = mkOption {
type = types.str;
default = "enp0s2";
description = "Interface to allow inbound traffic for firewall ports.";
};
virtualNetwork = mkOption {
type = types.str;
default = "10.192.0.0/10";
description = "Cidr that tor will use to map tor accessed hosts to.";
};
exceptionNetworks = mkOption {
type = types.listOf types.str;
default = [ "127.0.0.1/8" ];
description = "Cidr networks to access in the clear.";
};
honorFirewallPorts = mkOption {
type = types.bool;
default = true;
description = "If enabled firewall rules will be generated to for `networking.firewall.allowedTCPPorts`.";
};
};
};
config = mkIf cfg.enable {
services.tor = {
# makes ourselves reachable through ssh, keys and hostname in /var/lib/tor
hiddenServices.ssh = { map = [{port = 22;}]; };
enable = true;
extraConfig = ''
VirtualAddrNetworkIPv4 ${cfg.virtualNetwork}
AutomapHostsOnResolve 1
TransPort ${transPort}
DNSPort ${dnsPort}
'';
};
networking.nameservers = ["127.0.0.1"];
networking.firewall.enable = true;
networking.firewall.extraCommands = let
transExceptions = concatStringsSep " " cfg.exceptionNetworks;
in ''
### flush iptables
iptables -F
iptables -t nat -F

### set iptables *nat
#nat .onion addresses
iptables -t nat -A OUTPUT -d ${cfg.virtualNetwork} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${transPort}

#nat dns requests to Tor
iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports ${dnsPort}

#don't nat the Tor process, the loopback, or the local network
iptables -t nat -A OUTPUT -m owner --uid-owner ${torUid} -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN

for _except in ${transExceptions + " " + ianaReserved}; do
iptables -t nat -A OUTPUT -d $_except -j RETURN
done

#redirect whatever fell thru to Tor's TransPort
iptables -t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${transPort}

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

${optionalString cfg.honorFirewallPorts ''
${concatMapStringsSep "\n" (port: ''iptables -A INPUT -i ${cfg.inputNic} -p tcp --dport ${toString port} -m state --state NEW -j ACCEPT'')
(unique (config.networking.firewall.allowedTCPPorts ++ config.services.openssh.ports))}
''}

iptables -A INPUT -j DROP

#*filter FORWARD
iptables -A FORWARD -j DROP

#*filter OUTPUT
#possible leak fix. See warning.
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP

iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

#allow Tor process output
iptables -A OUTPUT -o ${cfg.outputNic} -m owner --uid-owner ${torUid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT

#allow loopback output
iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT

#tor transproxy magic
iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport ${transPort} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

#allow access to lan hosts in ${transExceptions}
for _except in ${transExceptions}; do
iptables -A OUTPUT -d $_except -j ACCEPT
done

#Log & Drop everything else.
iptables -A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
iptables -A OUTPUT -j DROP

#Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
'';
};
# TODO: actually relay connection through the proxy(iptables?)
}
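Review bot: The ruleset is IPv4-only — every command in `extraCommands` is `iptables` — so if the host has IPv6 connectivity, ip6tables keeps its default ACCEPT policy on OUTPUT and IPv6 traffic bypasses the TransPort/DNSPort redirection entirely; the closing policies should be mirrored with `ip6tables -P INPUT DROP`, `ip6tables -P FORWARD DROP`, `ip6tables -P OUTPUT DROP`, or IPv6 disabled on the host with `networking.enableIPv6 = false;`. The leading `iptables -F` / `iptables -t nat -F` also flush the chains the NixOS firewall module builds before `extraCommands` runs, which, if I read that module correctly, silently discards `allowedUDPPorts`, `trustedInterfaces` and the ping handling so that only the TCP ports re-added via `honorFirewallPorts` survive; a comment above the flush stating that this is deliberate would keep a future reader from "fixing" it. The `honorFirewallPorts` description reads `generated to for`; drop the `to`.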

+ 3
- 2
common/xdg.nix View File

@@ -20,8 +20,9 @@
ZDOTDIR = "$XDG_CONFIG_HOME/zsh";
CARGO_HOME = "$XDG_DATA_HOME/cargo";
WINEPREFIX = "$XDG_DATA_HOME/wineprefixes/default";
WEECHAT_HOME = "$XDG_CONFIG_HOME/weechat";
GNUPGHOME = "$XDG_DATA_HOME/gnupg";
# does not parse it correctly for some reason
WEECHAT_HOME = "~/.config/weechat";
GNUPGHOME = "~/.config/gnupg";
GRADLE_USER_HOME = "$XDG_DATA_HOME/gradle";
GEM_HOME = "$XDG_DATA_HOME/gem";
GEM_SPEC_CACHE = "$XDG_CACHE_HOME/gem";
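Review bot: `GNUPGHOME = "~/.config/gnupg"` and `WEECHAT_HOME = "~/.config/weechat"` put a literal tilde into an exported variable; tilde expansion is a shell feature applied to unquoted words, not to environment values, so each program must expand `~` itself or it ends up with a relative path — worth verifying for both before relying on it. If these are `environment.variables`, the likely reason `$XDG_CONFIG_HOME` "does not parse" is that, as far as I recall the module, values are exported in attribute-name order, so `XDG_*` is still unset when `GNUPGHOME` and `WEECHAT_HOME` are exported; `"$HOME/.config/gnupg"` avoids both problems since `$HOME` is set by login. Either way the comment `# does not parse it correctly for some reason` should name what is doing the parsing. The enclosing attribute set starts and ends outside the hunk.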


BIN
dotfiles/mail/mbsync/config View File


BIN
dotfiles/mail/msmtp/config View File


+ 3
- 0
dotfiles/mail/mutt/mailsync.sh View File

@@ -5,6 +5,9 @@ pgrep -u "${USER:=$LOGNAME}" >/dev/null || { echo "$USER not logged in; sync wil
# Run only if not already running in other instance
pgrep -x mbsync >/dev/null && { echo "mbsync is already running." ; exit ;}

# check if the mailserver is online || if we have internet connection
ping -q -c 1 govanify.com > /dev/null || { echo "No internet connection detected."; exit ;}

# Check account for new mail. Notify if there is new content.
syncandnotify() {
acc="$(echo "$account" | sed "s/.*\///")"
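Review bot: The new connectivity probe relies on ICMP echo, which, as far as I can tell from the OUTPUT rules in common/tor.nix in this same commit, is never accepted — only TCP SYNs from the tor user, loopback and the exception networks pass — so on xanadu, where the module is enabled here, `ping` will fail and the script will always stop with `No internet connection detected.`; a TCP reachability check against the mail server's IMAP port (for example, under bash, `timeout 5 bash -c 'exec 3<>/dev/tcp/govanify.com/PORT' 2>/dev/null` with PORT taken from the mbsync config) would traverse Tor the same way mbsync does. The probe also exits with status 0 on failure (bare `exit`), so a timer or cron job driving it cannot distinguish a skipped sync from a successful one; `exit 1` is the conventional choice if callers tolerate it.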


+ 7
- 0
machines/xanadu/default.nix View File

@@ -66,4 +66,11 @@
/ooooooooooooo
Welcome to Xanadu
'';

modules.tor.transparentProxy = {
enable = true;
outputNic = "wlp1s0";
inputNic = "wlp1s0";
};

}

+ 1
- 0
pkgs/tmux.nix View File

@@ -10,6 +10,7 @@
set -g @resurrect-processes ':all:'
set -g @continuum-restore 'on'
set -g @continuum-boot 'on'
set -sg escape-time 10
'';

};


BIN
secrets/deployment.nix View File


BIN
secrets/passwords.nix View File

