diff --git a/docs/setup.sh b/docs/setup.sh
index a7cf03b2..ffd0762d 100755
--- a/docs/setup.sh
+++ b/docs/setup.sh
@@ -39,13 +39,13 @@ sudo ssh-to-pgp \
 echo ">>> Setting up SSH Keys..... "
 ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
 echo "" >> ./keys/ssh/keys.txt
-echo "# `whoami`@`hostname`" >> ./keys/ssh/keys.txt
+echo "# (`date`) `whoami`@`hostname`" >> ./keys/ssh/keys.txt
 cat /home/albert/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt
 
 echo ">>> Setting up Distributed Build SSH Keys..... "
 sudo ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
 echo "" >> ./keys/ssh/builder-keys.txt
-echo "# root@`hostname`" >> ./keys/ssh/builder-keys.txt
+echo "# (`date`) root@`hostname`" >> ./keys/ssh/builder-keys.txt
 sudo cat /root/.ssh/id_ed25519.pub >> ./keys/ssh/builder-keys.txt
 
 # Add all changes to git and and push
diff --git a/nixos/common/services/forgejo-runner.nix b/nixos/common/services/forgejo-runner.nix
index badc74f1..ee1f913f 100644
--- a/nixos/common/services/forgejo-runner.nix
+++ b/nixos/common/services/forgejo-runner.nix
@@ -10,7 +10,7 @@
 services.gitea-actions-runner.instances."${hostname}" = {
 enable = true;
 name = "${hostname}";
- labels = [ "nixos" ];
+ labels = [ "host://-self-hosted" ];
 url = "https://git.sysctl.io";
 tokenFile = "/run/secrets/services/forgejo_token";
 };
diff --git a/nixos/hosts/framework-server/builder.nix b/nixos/hosts/framework-server/builder.nix
index cc368cd5..a03a4389 100644
--- a/nixos/hosts/framework-server/builder.nix
+++ b/nixos/hosts/framework-server/builder.nix
@@ -1,5 +1,6 @@
 { inputs, config, lib, pkgs, modulesPath, desktop, username, ... }: {
- # Testing remote builldings
+ # For remote builds
+ # see home-manager: bash.nix: nixos-rebuild-remote
 users.users.${username}.openssh.authorizedKeys.keyFiles = [ ../../../keys/ssh/builder-keys.txt ];
 
 # For cross-architecture builds
diff --git a/nixos/hosts/nixos-iso-console/default.nix b/nixos/hosts/nixos-iso-console/default.nix
index 192ced8c..8a653f56 100644
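Review bot: The timestamp added to both changed `echo` lines comes from a bare `date` call, whose output is locale- and timezone-dependent and contains spaces, and it nests legacy backticks inside the backticks already on the line; a fixed UTC stamp via `$(date -u +%Y-%m-%dT%H:%M:%SZ)` is sortable and stable, e.g. `echo "# ($(date -u +%Y-%m-%dT%H:%M:%SZ)) $(whoami)@$(hostname)" >> ./keys/ssh/keys.txt` and the matching `root@` line for builder-keys.txt. Both files are consumed as `authorizedKeys.keyFiles` (builder.nix in this same commit), so the `#` prefix keeps these lines inert as authorized_keys comments and the change itself is safe; pinning the format now avoids mixed styles accumulating in files that are appended to on every enrolment. In the surrounding context, the user key is generated at `~/.ssh/id_ed25519` but read back from `/home/albert/.ssh/id_ed25519.pub`, which only agree when the script runs as that user; `"$HOME/.ssh/id_ed25519.pub"` would remove that assumption. The `sudo ssh-to-pgp \` continuation in the hunk header shows this section starts before the hunk.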
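Review bot: The new label `"host://-self-hosted"` does not follow the `name[:schema[:args]]` form act_runner labels use (`<name>:host` for host execution, `<name>:docker://<image>` for containers); read that way the name is `host` and the schema `//-self-hosted`, which I would expect the runner to reject at start-up — worth confirming in the runner log after deploy. If the intent is a host-executed runner that workflows pick by label name, the line would be `labels = [ "self-hosted:host" ];`. Either way a short comment on that line would help, because a `host` schema runs jobs directly on this machine under the runner's account with no container boundary, so the label is the only thing deciding which workflows land here, and this instance block lives in shared common config that every importing host registers.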
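Review bot: The new comment names where the keys are used but not what builder-keys.txt grants: docs/setup.sh in this commit appends each enrolled host's `/root/.ssh/id_ed25519.pub` to it, so this `keyFiles` line lets root on every enrolled host log in here as `${username}`, which is the trust relationship a reader of builder.nix needs to see. Suggest extending the comment to something like `# Remote builds: builder-keys.txt holds the root keys of all enrolled hosts (see docs/setup.sh); each may log in here as ${username}`. The attribute set continues past the hunk, so other entries of this user may follow.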
--- a/nixos/hosts/nixos-iso-console/default.nix
+++ b/nixos/hosts/nixos-iso-console/default.nix
@@ -6,4 +6,13 @@
 
 networking.hostName = "nixos-iso-console";
 networking.firewall.allowedTCPPorts = [ 22 ];
+
+ # Allow passworded ssh
+ services.openssh = {
+ enable = true;
+ openFirewall = false;
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = mkForce true;
+ };
 }
diff --git a/nixos/hosts/nixos-iso-desktop/default.nix b/nixos/hosts/nixos-iso-desktop/default.nix
index 82911faf..61a0b8c1 100644
--- a/nixos/hosts/nixos-iso-desktop/default.nix
+++ b/nixos/hosts/nixos-iso-desktop/default.nix
@@ -6,4 +6,13 @@
 
 networking.hostName = "nixos-iso-desktop";
 networking.firewall.allowedTCPPorts = [ 22 ];
+
+ # Allow passworded ssh
+ services.openssh = {
+ enable = true;
+ openFirewall = false;
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = mkForce true;
+ };
 }
diff --git a/nixos/hosts/nixos-rpi4-img/default.nix b/nixos/hosts/nixos-rpi4-img/default.nix
index c0cbcfda..581421b8 100644
--- a/nixos/hosts/nixos-rpi4-img/default.nix
+++ b/nixos/hosts/nixos-rpi4-img/default.nix
@@ -6,4 +6,13 @@
 # nixpkgs.crossSystem.system = "armv7l-linux";
 networking.hostName = "nixos-rpi4-img";
 networking.firewall.allowedTCPPorts = [ 22 ];
+
+ # Allow passworded ssh
+ services.openssh = {
+ enable = true;
+ openFirewall = false;
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = mkForce true;
+ };
 }
\ No newline at end of file
diff --git a/nixos/hosts/osaka-linode-01/xinetd.nix b/nixos/hosts/osaka-linode-01/xinetd.nix
deleted file mode 100644
index 9333a82e..00000000
--- a/nixos/hosts/osaka-linode-01/xinetd.nix
+++ /dev/null
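Review bot: The added `services.openssh = {` block is never closed: after `+  };` (which closes `settings`) the only remaining line is the pre-existing ` }`, so the module now has three opening braces and two closing ones and will not parse unless a line was lost in rendering; add `+  };` before the final `}`, and the same applies to the identical hunks in nixos-iso-desktop/default.nix and nixos-rpi4-img/default.nix. `mkForce` is used unqualified and the module header is outside the hunk, so unless that header brings it into scope (`with lib;` or `inherit (lib) mkForce;`) it should be `lib.mkForce true`. Since the same nine lines go into all three image hosts, a shared module under nixos/common imported by each would keep them in step and fix the brace problem in one place. The comment `# Allow passworded ssh` should also say why password login is needed on these images when the repo already distributes key files, given that `mkForce` implies a common setting is being overridden and port 22 is opened via `allowedTCPPorts`; a one-line rationale there is worth more than the current label.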
@@ -1,136 +0,0 @@
-{ config, lib, pkgs, ... }: {
- networking.firewall.allowedUDPPorts = [
- 3478 # Headscale DERP UDP
- 10000 # Jitsi
- ];
- networking.firewall.allowedTCPPorts = [
- 80 # HTTP
- 443 # HTTPS
- 25 # SMTP (explicit TLS => STARTTLS)
- 465 # ESMTP (implicit TLS)
- 587 # ESMTP (explicit TLS => STARTTLS)
- 143 # IMAP4 (explicit TLS => STARTTLS)
- 993 # IMAP4 (implicit TLS)
- 4190 # Sieve support
- 42420 # Vintage Story
- 25565 # Minecraft
- 1443 # Headscale DERP
- 4443 # jitsi-jvb
- 5222 # Jitsi
- 5347 # Jitsi
- 5280 # Jitsi
- ];
- networking.firewall.extraCommands = ''
- iptables -t nat -A PREROUTING -d 172.234.84.222 -j DNAT --to-destination 10.100.0.2
- iptables -t nat -A POSTROUTING -s 10.100.0.2 -j SNAT --to-source 172.234.84.222
- iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-
- # PORT 10000
- iptables -t nat -A PREROUTING -p udp --dport 10000 -j DNAT --to-destination 10.100.0.2
- iptables -t nat -A POSTROUTING -p udp --dport 10000 -j MASQUERADE
-
- # PORT 3478
- iptables -t nat -A PREROUTING -p udp --dport 3478 -j DNAT --to-destination 10.100.0.2
- iptables -t nat -A POSTROUTING -p udp --dport 3478 -j MASQUERADE
-
- # PORT 4443
- iptables -t nat -A PREROUTING -p tcp --dport 4443 -j DNAT --to-destination 10.100.0.2
- iptables -t nat -A POSTROUTING -p tcp --dport 4443 -j MASQUERADE
-
- # PORT 5222
- iptables -t nat -A PREROUTING -p tcp --dport 5222 -j DNAT --to-destination 10.100.0.2
- iptables -t nat -A POSTROUTING -p tcp --dport 5222 -j MASQUERADE
-
- # PORT 5347
- iptables -t nat -A PREROUTING -p tcp --dport 5347 -j DNAT --to-destination 10.100.0.2
- iptables -t nat -A POSTROUTING -p tcp --dport 5347 -j MASQUERADE
-
- # PORT 5280
- iptables -t nat -A PREROUTING -p tcp --dport 5280 -j DNAT --to-destination 10.100.0.2
- iptables -t nat -A POSTROUTING -p tcp --dport 5280 -j MASQUERADE
- '';
-
- services.xinetd = {
- enable = true;
- services = [
- {
- name = "http";
- server = "/usr/bin/env"; # Placeholder.
- extraConfig = "redirect = 10.100.0.2 80";
- }
- {
- name = "https";
- server = "/usr/bin/env"; # Placeholder.
- extraConfig = "redirect = 10.100.0.2 443";
- }
- {
- name = "minecraft";
- port = 25565;
- protocol = "tcp";
- unlisted = true;
- server = "/usr/bin/env"; # Placeholder.
- extraConfig = "redirect = 10.100.0.2 25565";
- }
- {
- name = "vintage-story";
- port = 42420;
- protocol = "tcp";
- unlisted = true;
- server = "/usr/bin/env"; # Placeholder.
- extraConfig = "redirect = 10.100.0.2 42420";
- }
-
- ################################################ mail
- {
- name = "mail 25";
- port = 25;
- protocol = "tcp";
- unlisted = true;
- server = "/usr/bin/env"; # Placeholder.
- extraConfig = "redirect = 10.100.0.2 25";
- }
- {
- name = "mail 465";
- port = 465;
- protocol = "tcp";
- unlisted = true;
- server = "/usr/bin/env"; # Placeholder.
- extraConfig = "redirect = 10.100.0.2 465";
- }
- {
- name = "mail 587";
- port = 587;
- protocol = "tcp";
- unlisted = true;
- server = "/usr/bin/env"; # Placeholder.
- extraConfig = "redirect = 10.100.0.2 587";
- }
- {
- name = "mail 143";
- port = 143;
- protocol = "tcp";
- unlisted = true;
- server = "/usr/bin/env"; # Placeholder.
- extraConfig = "redirect = 10.100.0.2 143";
- }
- {
- name = "mail 993";
- port = 993;
- protocol = "tcp";
- unlisted = true;
- server = "/usr/bin/env"; # Placeholder.
- extraConfig = "redirect = 10.100.0.2 993";
- }
- {
- name = "mail 4190";
- port = 4190;
- protocol = "tcp";
- unlisted = true;
- server = "/usr/bin/env"; # Placeholder.
- extraConfig = "redirect = 10.100.0.2 4190";
- }
- ################################################ /mail
-
- ];
- };
-}
\ No newline at end of file
diff --git a/nixos/users/root/default.nix b/nixos/users/root/default.nix
deleted file mode 100644
index d0c10c04..00000000
--- a/nixos/users/root/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ config, desktop, lib, pkgs, ... }: {
- # Define a user account.
- users.users.root = {
- openssh.authorizedKeys.keyFiles = [ ../../../keys/ssh/keys.txt ];
- };
-}
\ No newline at end of file