From 66c6d2c1dfd4b3ef222bb64d3ccef9be915e0895 Mon Sep 17 00:00:00 2001
From: pennae
Date: Fri, 22 Sep 2023 20:55:05 +0200
Subject: initial commit without warranty of any kind, express or impliend
---
example/default.nix | 7 ++++
example/example.key | 7 ++++
example/example.nix | 106 +++++++++++++++++++++++++++++++++++++++++++++++++++
example/secrets.yaml | 21 ++++++++++
4 files changed, 141 insertions(+)
create mode 100644 example/default.nix
create mode 100644 example/example.key
create mode 100644 example/example.nix
create mode 100644 example/secrets.yaml
(limited to 'example')
diff --git a/example/default.nix b/example/default.nix
new file mode 100644
index 0000000..bec7622
--- /dev/null
+++ b/example/default.nix
@@ -0,0 +1,7 @@
+{ pkgs ? import {}
+}:
+
+import ../. {
+ inherit pkgs;
+ configuration = ./example.nix;
+}
diff --git a/example/example.key b/example/example.key
new file mode 100644
index 0000000..b909ea7
--- /dev/null
+++ b/example/example.key
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBxkBCpST6VJEfjUBzm3dQlljOyLW5BS5PND8ivm/thDQAAAJj8yiBW/Mog
+VgAAAAtzc2gtZWQyNTUxOQAAACBxkBCpST6VJEfjUBzm3dQlljOyLW5BS5PND8ivm/thDQ
+AAAEBXKPGOexD2ynQZKK/w5WimXmtLHagt8JzotMGv1gKywHGQEKlJPpUkR+NQHObd1CWW
+M7ItbkFLk80PyK+b+2ENAAAAE2RoaXZhZWxAY2hjb3JkYWloa2gBAg==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/example/example.nix b/example/example.nix
new file mode 100644
index 0000000..ce399ee
--- /dev/null
+++ b/example/example.nix
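Review bot: The first line of example/default.nix reads `{ pkgs ? import {}`, which is not valid Nix — `import` needs a path before the `{}` argument — and it looks as if a `<nixpkgs>` search-path token was lost when this page was rendered, since angle-bracket text often disappears in HTML extraction. If the committed file really reads this way the example cannot be evaluated at all, so please check the repository copy; the intended line is presumably `{ pkgs ? import <nixpkgs> {}`. The remaining lines only forward `pkgs` and `./example.nix` to the parent directory and raise nothing.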
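Review bot: example/example.key checks in an unencrypted OpenSSH private key whose public half is the line example.nix writes into `dropbear/authorized_keys`, and the example.nix header likewise prints the age secret key (`SOPS_AGE_KEY=...`) that decrypts example/secrets.yaml. Both are acceptable for a throwaway qemu VM that is only reachable on localhost, but nothing next to the key says so, and an example is exactly what people copy. A comment at the top of example.nix such as `# example.key and the SOPS_AGE_KEY below are throwaway test material that is public in this repository; generate fresh keys for anything that is not this local VM` would make that boundary explicit. Separately, git records the key as mode 100644 and OpenSSH refuses a private key that is group- or world-readable, so a fresh checkout under a normal umask will likely fail on `IdentityFile = ./example.key` until the file is chmod'ed (and, if the deploy tooling copies the path into the Nix store, the 0444 store permissions have the same problem) — worth a sentence in the same comment.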
@@ -0,0 +1,106 @@
+# example config for a qemu image of openwrt that is accessible
+# via port 2222 on localhost. the root password is set to `a`
+# and a few utilities are installed, otherwise the configuration
+# is a subset of the default config.
+#
+# to use this example run a squashfs image of openwrt
+# (eg https://downloads.openwrt.org/releases/22.03.5/targets/x86/64/openwrt-22.03.5-x86-64-generic-squashfs-combined.img.gz)
+# with something like
+#
+# qemu-system-x86_64 -M q35,accel=kvm \
+# -drive file=openwrt-22.03.5-x86-64-generic-squashfs-combined.img,id=d0,if=none,bus=0,unit=0 \
+# -device ide-hd,drive=d0,bus=ide.0 \
+# -nic user,hostfwd=tcp::2222-:22,hostfwd=tcp::8080-:80
+#
+# and run `uci set network.lan.proto=dhcp; uci commit; reload_config`
+# from the serial console.
+#
+# age keys for sops are as follow:
+#
+# SOPS_AGE_KEY=AGE-SECRET-KEY-1292U9T04N6MJUK223038MD246X4G2K8GPDWHVHY09JVCLSRUS6TQ6988D9
+
+{
+  openwrt.example = {
+    deploy.host = "localhost";
+    deploy.sshConfig = {
+      Port = 2222;
+      NoHostAuthenticationForLocalhost = true;
+      IdentityFile = ./example.key;
+    };
+
+    packages = [ "losetup" "mount-utils" "coreutils-stat" "htop" ];
+    users.root.hashedPassword = "$6$n/dIMAV5QZyMp6UQ$fSvzsPZ8Vl1kzq9Mm3oQy81hxDkPqv04YPSlBOpqjMQKGu6xjcIuXrrfvf3Dcm8ea46oG8XtEPm6AViOFESF81";
+    etc."dropbear/authorized_keys".text = ''
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGQEKlJPpUkR+NQHObd1CWWM7ItbkFLk80PyK+b+2EN example@key
+    '';
+
+    uci.sopsSecrets = ./secrets.yaml;
+    # leave the ucitrack and firewall packages as they are, retaining defaults if
+    # freshly installed. the firewall rules are verbose and ucitrack is mostly not
+    # necessary, so we don't want to include either here. we also keep luci to not
+    # break the web interface, although configuration through the web ui is discouraged.
+    # rpcd is needed for luci.
+ uci.retain = [ "ucitrack" "firewall" "luci" "rpcd" ];
+    uci.settings = {
+      dropbear.dropbear = [{
+        PasswordAuth = "on";
+        RootPasswordAuth = "on";
+        Port = 22;
+      }];
+
+      network = {
+        device = [{
+          name = "br-lan";
+          ports = "eth0";
+          type = "bridge";
+        }];
+
+        globals = [{
+          ula_prefix = "fd10:155d:7ef5::/48";
+        }];
+
+        interface.lan = {
+          device = "br-lan";
+          proto = "dhcp";
+        };
+
+        interface.loopback = {
+          device = "lo";
+          ipaddr = "127.0.0.1";
+          netmask = "255.0.0.0";
+          proto = "static";
+        };
+      };
+
+      uhttpd.uhttpd.main = {
+        listen_http = [ "0.0.0.0:80" "[::]:80" ];
+        lua_prefix = [ "/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua" ];
+        home = "/www";
+        cgi_prefix = "/cgi-bin";
+        ubus_prefix = "/ubus";
+      };
+
+      system = {
+        system = [{
+          hostname = "OpenWrt";
+          timezone = "UTC";
+          ttylogin = 0;
+          log_size = 64;
+          urandom_seed = 0;
+          notes._secret = "notes";
+        }];
+
+        timeserver.ntp = {
+          enabled = true;
+          enable_server = false;
+          server = [
+            "0.openwrt.pool.ntp.org"
+            "1.openwrt.pool.ntp.org"
+            "2.openwrt.pool.ntp.org"
+            "3.openwrt.pool.ntp.org"
+          ];
+        };
+      };
+    };
+  };
+}
diff --git a/example/secrets.yaml b/example/secrets.yaml
new file mode 100644
index 0000000..c39d0a8
--- /dev/null
+++ b/example/secrets.yaml
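Review bot: The `dropbear.dropbear` stanza in example/example.nix turns on `PasswordAuth` and `RootPasswordAuth` even though the same file already installs the deploy key in `dropbear/authorized_keys` and points `deploy.sshConfig.IdentityFile` at `./example.key`, so the documented deploy path never needs a password and the root password published in the header (`a`) is left as the easiest way into the VM. Since this is an example that readers will copy, a comment on the stanza would make the trade-off visible: `# password logins are kept on only for interactive use of this throwaway VM; with the authorized key installed, "off" is the value to copy elsewhere`. The hunk begins on the previous line of the page; the remaining settings (network, uhttpd, system, ntp) look like stock OpenWrt values as far as I can tell and raise nothing.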
@@ -0,0 +1,21 @@
+notes: ENC[AES256_GCM,data:n0mIh8xH33lfehAl8hVtaT01Ge4dUOYI9r4=,iv:YtDWrrLWL0PHADc5mQi2XGjUh2XJLuESuv2Hz61JcmU=,tag:Y/1nhr3iBwFxUrNoeEIKow==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1megd5nhnhr03x5syey7ualp0sgk72j0gskjvc7jtj052pd28ndtsalql9m
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZVC82aTZJMGhBV0JTM3Rx
+        SkEreDYwTmFENWpkNThLK09DblNDS09HVVFvClQ2dkIrOUt6Zm5wSjZVbWdkeFdw
+        Sk9nRTFobTJ5LzZUYllIS3VmR1VMTE0KLS0tIExLZnAwaURkODN5VjE5TXNCNStT
+        dVdFSUdTTVIxa1ZCdEc4ZS9iYnJkZTQKFdpjkFFIXEV0/V6twZBwh5CszlvSQNVb
+        STPm1i2CMHanYSORzZMWfwahZII2D7hy8oRdM6TxULYvPqktgj8+Ew==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2023-09-22T18:51:22Z"
+  mac: ENC[AES256_GCM,data:SpQt2upVEbXNjguWcBcn907M0Y8autst7ptJZhE62m81AFv60ziZYdslRm7a5r2nqaG38PVTJSTvvfsi25zw/Gcfc0bTDl+PxU3Ew4Bt2Nq7M8HWOmhZZrCb4N1N0uePhjEIOsw0dY2BYc77BW+C2DDOIiF3vjGLLmfO2naWk98=,iv:uEY7MMzi+Ekfrmw5ygShypr7QFpNoh0/R987DhgmkvU=,tag:zdSH0CPmU1KolNHaIRRrWQ==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.7.3
--
cgit v1.2.3