From cc1dcaede46f3bcd9b2f2e1479a43057c8848b21 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 7 Jul 2023 15:55:13 +0200
Subject: [PATCH] add barebones installer, not tested yet

---
 flake.lock | 86 +++++++++++++++++++++++++++++++++++++++++++++
 flake.nix | 38 ++++++++++++++++++++
 hidden-announce.nix | 49 ++++++++++++++++++++++++++
 installer.nix | 25 +++++++++++++
 4 files changed, 198 insertions(+)
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 hidden-announce.nix
 create mode 100644 installer.nix

diff --git a/flake.lock b/flake.lock
new file mode 100644
index 00000000..704046b8
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,86 @@ +{ + "nodes": { + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688466019, + "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "nixlib": { + "locked": { + "lastModified": 1688259758, + "narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688460648, + "narHash": "sha256-yax5BYOfpE0+95kyJmEcfKEdZBaFvCENDogBB4VQB3Q=", + "owner": "davhau", + "repo": "nixos-generators", + "rev": "34bbb3e12b75576f61770e995ea9a1cac0c36c25", + "type": "github" + }, + "original": { + "owner": "davhau", + "ref": "all-formats", + "repo": "nixos-generators", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1688590700, + "narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-parts": "flake-parts", + "nixos-generators": "nixos-generators", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 00000000..254dbace --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,38 @@
+{
+ description = "clan.lol base operating system";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ nixos-generators.url = "github:davhau/nixos-generators/all-formats";
+ nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
+ flake-parts.url = "github:hercules-ci/flake-parts";
+ flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
+ };
+
+ outputs = inputs@{ flake-parts, ... }:
+ flake-parts.lib.mkFlake { inherit inputs; } ({ lib, config, ... }: {
+ systems = lib.systems.flakeExposed;
+ flake = {
+ nixosConfigurations.installer = lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ config.flake.nixosModules.installer
+ inputs.nixos-generators.nixosModules.all-formats
+ ];
+ };
+ nixosModules = {
+ installer = {
+ imports = [
+ ./installer.nix
+ ./hidden-announce.nix
+ ];
+ };
+ hidden-announce = {
+ imports = [
+ ./hidden-announce.nix
+ ];
+ };
+ };
+ };
+ });
+}
diff --git a/hidden-announce.nix b/hidden-announce.nix
new file mode 100644
index 00000000..de33976c
--- /dev/null
+++ b/hidden-announce.nix
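Review bot: The `nixos-generators.url = "github:davhau/nixos-generators/all-formats";` line tracks a branch of a personal fork rather than the `nix-community` repository, so although flake.lock pins a revision today, every `nix flake update` will follow whatever that branch holds, and nothing in the file records why the fork is needed or when to move back. A one-line comment above it would capture that: `# temporary: all-formats module lives on this fork branch; switch back to nix-community/nixos-generators once merged upstream` (assuming that is the reason — confirm). Separately, `nixosConfigurations.installer` hard-codes `system = "x86_64-linux"` while `systems = lib.systems.flakeExposed` suggests a broader intent; acceptable for a first cut, but worth a `# TODO` so it is not forgotten.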
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+{
+ options.hidden-announce = {
+ enable = lib.mkEnableOption "hidden-announce";
+ script = lib.mkOption {
+ type = lib.types.package;
+ default = pkgs.writers.writeDash "test-output";
+ description = ''
+ script to run when the hidden tor service was started and they hostname is known.
+ takes the hostname as $1
+ '';
+ };
+ };
+
+ config = lib.mkIf config.hidden-announce.enable {
+ services.tor = {
+ enable = true;
+ relay.onionServices.hidden-ssh = {
+ version = 3;
+ map = [{
+ port = 22;
+ target.port = 22;
+ }];
+ };
+ client.enable = true;
+ };
+ systemd.services.hidden-ssh-announce = {
+ description = "irc announce hidden ssh";
+ after = [ "tor.service" "network-online.target" ];
+ wants = [ "tor.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ # ${pkgs.tor}/bin/torify
+ ExecStart = pkgs.writers.writeDash "announce-hidden-service" ''
+ set -efu
+ until test -e ${config.services.tor.settings.DataDirectory}/onion/hidden-ssh/hostname; do
+ echo "still waiting for ${config.services.tor.settings.DataDirectory}/onion/hidden-ssh/hostname"
+ sleep 1
+ done
+
+ ${config.hidden-announce.script} "$(cat ${config.services.tor.settings.DataDirectory}/onion/hidden-ssh/hostname)"
+ '';
+ PrivateTmp = "true";
+ User = "tor";
+ Type = "oneshot";
+ };
+ };
+ };
+}
diff --git a/installer.nix b/installer.nix
new file mode 100644
index 00000000..5fd0a90d
--- /dev/null
+++ b/installer.nix
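Review bot: The default on the `default = pkgs.writers.writeDash "test-output";` line gives `writeDash` a name but no script body, so — assuming the writers API in the pinned nixpkgs takes `name content` — the value is a partially applied function rather than a derivation and the `lib.types.package` check would reject it as soon as a consumer enables the module without overriding `script`. A harmless no-op default would be `default = pkgs.writers.writeDash "hidden-announce-noop" "exit 0";`. The option description also reads `they hostname`; `the hostname` is meant, and it should say that the script is executed by the unprivileged `tor` user (`User = "tor"` in `hidden-ssh-announce`), so it can only read and write what that account can. Finally, `network-online.target` appears in `after` but not in `wants`, so the ordering it promises only takes effect if something else pulls that target in.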
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+{
+ systemd.tmpfiles.rules = [
+ "d /var/shared 0777 root root - -"
+ ];
+ services.openssh.settings.PermitRootLogin = "yes";
+ system.activationScripts.root-password = ''
+ ${pkgs.pwgen}/bin/pwgen -s 16 1 > /var/shared/root-password
+ echo "root:$(cat /var/shared/root-password)" | chpasswd
+ '';
+ hidden-announce = {
+ enable = true;
+ script = pkgs.writers.writeDash "write-hostname" ''
+ echo "$1" > /var/shared/onion-hostname
+ '';
+ };
+ services.getty.autologinUser = lib.mkForce "root";
+ programs.bash.interactiveShellInit = ''
+ if [ "$(tty)" = "/dev/tty1" ]; then
+ echo "ssh://root:$(cat /var/shared/root-password)@$(cat /var/shared/onion-hostname)"
+ fi
+ '';
+ # TODO find a place to put this
+ # isoImage.squashfsCompression = "zstd -Xcompression-level 1";
+}
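Review bot: The root password written on the `${pkgs.pwgen}/bin/pwgen -s 16 1 > /var/shared/root-password` line lands in a directory declared `0777` by the `d /var/shared 0777 root root - -` rule, with whatever mode the activation umask yields, so the freshly generated password is readable by every local account — including the unprivileged `tor` user that `hidden-ssh-announce` runs as — and any local account can also replace `onion-hostname` or pre-create `root-password` before activation runs. Because `/var/shared` is created by tmpfiles while the password is written from an activation script, it is also not clear from this file that the directory exists when the redirect runs; creating it in the script removes that dependence. A sticky, owner-only layout keeps the design (the tor user still drops `onion-hostname` there, root still `cat`s the password on tty1) while closing the read path. Also, this file sets `PermitRootLogin = "yes"` but no `services.openssh.enable = true;` is visible here; unless the nixos-generators format profile enables sshd, the announced `ssh://root:...@....onion` URL will not connect.
```nix
  systemd.tmpfiles.rules = [
    "d /var/shared 1777 root root - -"
  ];
  # … unchanged: PermitRootLogin …
  system.activationScripts.root-password = ''
    mkdir -p /var/shared
    (umask 077; ${pkgs.pwgen}/bin/pwgen -s 16 1 > /var/shared/root-password)
    echo "root:$(cat /var/shared/root-password)" | chpasswd
  '';
```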