From 5b8b8ae3ec197bd143bd04da47c9d4639315bb86 Mon Sep 17 00:00:00 2001 From: Adrian G L Date: Tue, 17 Oct 2023 19:42:00 +0200 Subject: [PATCH] fixed networking with new interface, removed nginx and acme to fix credentials. --- machines/celebrian/configuration.nix | 107 +++++++++++---------------- profiles/base.nix | 4 +- profiles/sops.nix | 16 ++-- secrets/secrets.yaml.dec | 0 services/nginx.nix | 2 +- services/ssh.nix | 15 ++-- 6 files changed, 64 insertions(+), 80 deletions(-) create mode 100644 secrets/secrets.yaml.dec diff --git a/machines/celebrian/configuration.nix b/machines/celebrian/configuration.nix index 4c15234..1f29b7a 100644 --- a/machines/celebrian/configuration.nix +++ b/machines/celebrian/configuration.nix @@ -6,16 +6,10 @@ { imports = [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ../profiles/base.nix - ../services/ssh.nix + ../../profiles/base.nix + ../../services/ssh.nix ]; - # Use the GRUB 2 boot loader. - boot.loader.grub.enable = true; - #boot.loader.grub.version = 2; #Depreciated - boot.loader.grub.efiSupport = true; - boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only # Define on which hard drive you want to install Grub. # Set your time zone. time.timeZone = "Europe/Oslo"; @@ -25,8 +19,8 @@ # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; - networking.interfaces.ens18.useDHCP = true; - networking.hostName = "addictedmaker"; # Define your hostname. + networking.interfaces.ens3.useDHCP = true; # lmao interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way. + networking.hostName = "celebrian"; # Define your hostname. networking.domain = "addictedmaker.eu"; # Define your domain. boot.kernel.sysctl = { 
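Review bot: Dropping `./hardware-configuration.nix` from `imports` together with every `boot.loader.grub.*` line leaves this module with no bootloader device and, unless a module outside this diff declares them, no `fileSystems."/"` either; NixOS enables grub by default on non-container hosts and asserts that `boot.loader.grub.device` (or `devices`/`mirroredBoots`) and a root filesystem are set, so `nixos-rebuild` for `celebrian` will fail at evaluation. The new `../../profiles/...` paths suggest the file moved into `machines/celebrian/`, where the hardware scan still resolves as `./hardware-configuration.nix`, so keep that import and keep the three grub lines with it: `boot.loader.grub.enable = true; boot.loader.grub.efiSupport = true; boot.loader.grub.device = "/dev/vda";`. The stale `# Define on which hard drive you want to install Grub.` comment now describes nothing and should go as well. The enclosing module attribute set starts and ends outside this hunk.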
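Review bot: Pinning DHCP to `ens3` is fragile for exactly the reason the new comment admits: the name has already changed once (`ens18` to `ens3`), and on a headless host whose only access path is sshd the next rename is a lockout. Since the comment says DHCP on everything is the real intent, replace the pair with `networking.useDHCP = true;` and drop the per-interface line, or match the interface by a stable identifier such as its MAC address rather than the kernel name. The `# lmao …` remark should become a statement of why, e.g. `# interface name differs between hypervisor hosts; use DHCP on all interfaces instead`.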
@@ -61,48 +55,48 @@ #add proxyserver to acme - users.users.kanidm.extraGroups = [ "acme" ]; + #users.users.kanidm.extraGroups = [ "acme" ]; #sequrity managment through kanidm - systemd.services.kanidm = let - certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost; - in { - requires = [ "acme-finished-${certName}.target" ]; - serviceConfig.LoadCredential = let - certDir = config.security.acme.certs.${certName}.directory; - in [ - "fullchain.pem:${certDir}/fullchain.pem" - "key.pem:${certDir}/key.pem" - ]; - }; - - services.kanidm = { - enableServer = true; - #enablePam = true; - serverSettings = let - credsDir = "/run/credentials/kanidm.service"; - #credsDir = "/var/lib/acme/${config.networking.domain}"; #the files are here but not readable - in { - origin = "https://${config.services.kanidm.serverSettings.domain}"; - domain = "auth.${config.networking.domain}"; - tls_chain = "${credsDir}/fullchain.pem"; - tls_key = "${credsDir}/key.pem"; - bindaddress = "localhost:8300"; - }; - - clientSettings = { - # This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool - uri = "${config.services.kanidm.serverSettings.bindaddress}"; - verify_ca = true; - verify_hostnames = true; - }; - }; - - #environment = { - # etc."kanidm/config".text = '' - # uri="https://auth.${config.networking.domain}" - # ''; - #}; +# systemd.services.kanidm = let +# certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost; +# in { +# requires = [ "acme-finished-${certName}.target" ]; +# serviceConfig.LoadCredential = let +# certDir = config.security.acme.certs.${certName}.directory; +# in [ +# "fullchain.pem:${certDir}/fullchain.pem" +# "key.pem:${certDir}/key.pem" +# ]; +# }; +# +# services.kanidm = { +# enableServer = true; +# #enablePam = true; +# serverSettings = let +# credsDir = "/run/credentials/kanidm.service"; +# #credsDir = 
"/var/lib/acme/${config.networking.domain}"; #the files are here but not readable +# in { +# origin = "https://${config.services.kanidm.serverSettings.domain}"; +# domain = "auth.${config.networking.domain}"; +# tls_chain = "${credsDir}/fullchain.pem"; +# tls_key = "${credsDir}/key.pem"; +# bindaddress = "localhost:8300"; +# }; +# +# clientSettings = { +# # This should be at /etc/kanidm/config or ~/.config/kanidm, and configures the kanidm command line tool +# uri = "${config.services.kanidm.serverSettings.bindaddress}"; +# verify_ca = true; +# verify_hostnames = true; +# }; + # }; +# +# #environment = { +# # etc."kanidm/config".text = '' +# # uri="https://auth.${config.networking.domain}" +# # ''; +# #}; #vpn stuff @@ -111,7 +105,7 @@ enable = true; user = "headscale"; address = "127.0.0.1"; - port = 8080; + port = 8080; settings = { logtail.enabled = false; metrics_listen_addr = "127.0.0.1:9090"; @@ -135,17 +129,6 @@ #tailscale services.tailscale.enable = true; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - services.openssh.settings.UseDns = true; - services.openssh.settings.PermitRootLogin = "prohibit-password"; - services.openssh.startWhenNeeded = true; - services.openssh.ports = [ 6969 ]; - services.endlessh.enable = true; #ssh honeypot - services.endlessh.port = 22; - services.endlessh.openFirewall = true; - services.sshguard.enable = true; #protection against brute force attacks like fail2ban - users.users."root".openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop" ]; diff --git a/profiles/base.nix b/profiles/base.nix index d6c203d..d66c8c6 100644 --- a/profiles/base.nix +++ b/profiles/base.nix @@ -3,11 +3,11 @@ imports = [ ../packages/vim.nix - ./sops.nix + #./sops.nix ]; #nix stuff nix.gc.automatic = true; system.autoUpgrade.enable = true; -} \ No newline at end of file +} diff --git a/profiles/sops.nix b/profiles/sops.nix index 70eedee..258856c 100644 --- a/profiles/sops.nix 
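Review bot: Roughly forty lines of kanidm configuration are commented out with `#` instead of deleted; git history already preserves the block and the commit message says the acme/nginx wiring was removed, so deleting it (or gating it behind an option with `lib.mkIf`) keeps the module readable and avoids the mismatched `# };` closing line drifting out of sync. If the block is meant to come back, leave a pointer to what was wrong with it: `clientSettings.uri` was set to `bindaddress` (`localhost:8300`, no scheme) rather than `origin`, so it would not be a valid https URL and `verify_hostnames = true` could never match the certificate for `auth.${config.networking.domain}`, and the `users.users.kanidm.extraGroups = [ "acme" ]` line appears unnecessary once `LoadCredential` hands the cert and key to the service as root, e.g. `# TODO: when re-enabling, point clientSettings.uri at origin, not bindaddress`. The enclosing module attribute set starts and ends outside this hunk.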
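Review bot: Commenting out `./sops.nix` removes the only import of the sops module that `services/nginx.nix` still depends on through `config.sops.secrets."acme/certs/domeneshop".path`, so any host that imports nginx.nix without its own sops import will now fail evaluation on an undefined `sops` attribute, and the `profiles/sops.nix` changes in this same commit are dead on `celebrian`. If the intent is to disable secrets on this host only, keep the import in the shared profile and disable it per host, or at least state why it is off, e.g. `#./sops.nix  # disabled until this host's age key is a recipient in .sops.yaml`.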
+++ b/profiles/sops.nix @@ -10,18 +10,20 @@ # This will add secrets.yml to the nix store # You can avoid this by adding a string to the full path instead, i.e. # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml"; - sops.defaultSopsFile = ./secrets.yaml; + sops.defaultSopsFile = ../secrets/secrets.yaml; # This will automatically import SSH keys as age keys - sops.age.sshKeyPaths = [ "/etc/ssh/nixos" "/$HOME/.ssh/nixos" "/home/gunalx/.ssh/nixos" ]; + sops.age.sshKeyPaths = [ + "/etc/ssh/nixos" + #"/$HOME/.ssh/nixos" + #"/home/gunalx/.ssh/nixos" + ]; # This is using an age key that is expected to already be in the filesystem - # sops.age.keyFile = "/var/lib/sops-nix/key.txt"; + sops.age.keyFile = "/var/lib/sops-nix/key.txt"; # This will generate a new key if the key specified above does not exist - sops.age.generateKey = true + sops.age.generateKey = true; # This is the actual specification of the secrets. #sops.secrets."myservice/my_subdir/my_secret" = {}; - sops.secrets."acme/creds/domeneshop" = { - - }; + sops.secrets."acme/certs/domeneshop" = { }; } diff --git a/secrets/secrets.yaml.dec b/secrets/secrets.yaml.dec new file mode 100644 index 0000000..e69de29 diff --git a/services/nginx.nix b/services/nginx.nix index 86b379e..754066f 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -15,7 +15,7 @@ in extraDomainNames = [ "*.${config.networking.domain}" "lauterer.it" "*.lauterer.it" "*.256.no" "*.256.no"]; dnsProvider = "domeneshop"; # from here according to privider https://go-acme.github.io/lego/dns/ dnsPropagationCheck = true; - credentialsFile = config.sops.secrets."acme/creds/domeneshop".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml + credentialsFile = config.sops.secrets."acme/certs/domeneshop".path; #need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml }; }; 
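Review bot: Enabling `sops.age.keyFile` together with `sops.age.generateKey = true` means a missing `/var/lib/sops-nix/key.txt` is replaced at activation by a freshly generated key that is not a recipient of `../secrets/secrets.yaml`, so unless `/etc/ssh/nixos` is an ed25519 key already listed in `.sops.yaml`, decrypting `acme/certs/domeneshop` will fail; record that next to the option, e.g. `# the generated key's public half must be added to .sops.yaml and the file re-keyed (sops updatekeys) before any secret decrypts`. The same commit creates an empty `secrets/secrets.yaml.dec` beside the encrypted file; a `.dec` path is where plaintext lands after `sops -d`, so it should not be tracked at all — delete it and add `*.dec` to `.gitignore` so a later decryption never reaches history. Note that `profiles/base.nix` stops importing this file in the same commit, so nothing in the `celebrian` configuration evaluates these options yet.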
diff --git a/services/ssh.nix b/services/ssh.nix index 7f8e30b..328b77b 100644 --- a/services/ssh.nix +++ b/services/ssh.nix @@ -11,23 +11,22 @@ settings.UseDns = true; settings.PermitRootLogin = "prohibit-password"; startWhenNeeded = true; - UseDns = true; - ports = [ 25264 ]; + ports = [ 6969 ]; openFirewall = true; - Ciphers = [ + settings.Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" # remove some weaker ciphers - ] - } - endlessh = { + ]; + }; + services.endlessh = { enable = true; port = 22; openFirewall = true; }; - sshguard.enable = true; #protection against brute force attacks like fail2ban + services.sshguard.enable = true; #protection against brute force attacks like fail2ban -} \ No newline at end of file +}
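Review bot: `settings.UseDns = true` (kept as context while the duplicate bare `UseDns = true;` is removed) makes sshd perform a reverse lookup and forward check on every connection before authentication; it only buys anything when `authorized_keys` uses hostname-based `from=` patterns, which nothing in this diff does, and with `startWhenNeeded = true` each socket-activated connection pays that lookup, so set `settings.UseDns = false;` unless such patterns exist. The `services.endlessh` and `services.sshguard` lines now sit after the `};` that closes the attribute set opened before line 11, which only evaluates if that set is `services.openssh = { … };` at the module's top level — the opening is outside the hunk and worth checking. The four ciphers listed are a subset of what current NixOS sets by default for `settings.Ciphers`, so the line is harmless but is not the hardening its comment implies; say what it actually does, e.g. `# subset of the NixOS default list: drops aes192-ctr and aes128-ctr`.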