(use-modules (gnu)
((gnu packages ssh) #:select(endlessh))
(gnu image)
(gnu tests)
(gnu system image)
((gnu services web) #:select(httpd-service-type httpd-configuration httpd-config-file))
((gnu services ssh) #:select(openssh-service-type openssh-configuration))
((gnu services networking) #:select(static-networking-service-type ntp-service-type))
((gnu services messaging) #:select(prosody-service-type prosody-configuration virtualhost-configuration))
((gnu services shepherd) #:select(shepherd-service shepherd-root-service-type))
((guix records) #:select(define-record-type*))
(guix gexp))
(define-record-type* <endlessh-configuration>
  ;; Settings for the endlessh SSH tarpit; each field maps to one line of the
  ;; endlessh.conf written by endlessh-config->conf.
  endlessh-configuration make-endlessh-configuration
  endlessh-configuration?
  ;; List of symbols naming the address families to listen on; allowed
  ;; members are 'ipv4 and 'ipv6 and at least one must be present
  ;; (endlessh-config->conf throws 'endlessh-error otherwise).
  (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))
  ;; Integer, written as the endlessh "Delay" setting (upstream documents it
  ;; as milliseconds between banner lines -- confirm against the installed
  ;; version).  Presumably spelled delay_ to avoid clashing with Scheme's
  ;; `delay' form; the accessor is still endlessh-configuration-delay.
  (delay_ endlessh-configuration-delay (default 10000))
  ;; Integer, written as "MaxLineLength".  Must be in the range endlessh
  ;; accepts for that setting (upstream documents 3..255 -- confirm).
  (length endlessh-configuration-length (default 32))
  ;; Integer, written as "MaxClients".
  (max-clients endlessh-configuration-max-clients (default 4096))
  ;; Integer, written as "Port"; the tarpit's listening port.
  (port-number endlessh-configuration-port-number (default 2222))
  ;; Integer, written as "LogLevel".
  ;; Allowed values are 0, 1 and 2
  (log-level endlessh-configuration-log-level (default 0)))
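(define (endlessh-config->conf config)
  "Convert CONFIG, an <endlessh-configuration>, to an endlessh config file
(a file-like object) carrying the Port, Delay, MaxLineLength, MaxClients,
LogLevel and BindFamily settings.

BindFamily is 0 when bind-family contains both 'ipv4 and 'ipv6, 4 when it
contains only 'ipv4 and 6 when it contains only 'ipv6.  Throws
'endlessh-error when it contains neither."
  (let* ((family      (endlessh-configuration-bind-family config))
         ;; Plain booleans: `member' returns the matching tail, and the tails
         ;; for 'ipv4 and 'ipv6 are never equal? when both are present, which
         ;; is why the previous equal?-based test could not reach the "both"
         ;; case and emitted "BindFamily 4" for the default '(ipv4 ipv6).
         (ipv4?       (and (member 'ipv4 family) #t))
         (ipv6?       (and (member 'ipv6 family) #t))
         (port        (endlessh-configuration-port-number config))
         (delay_      (endlessh-configuration-delay config))
         ;; Bound as line-length so the local does not shadow the standard
         ;; `length' procedure.
         (line-length (endlessh-configuration-length config))
         (log-level   (endlessh-configuration-log-level config))
         (max-clients (endlessh-configuration-max-clients config))
         (bind        (cond ((and ipv4? ipv6?) 0)
                            (ipv4? 4)
                            (ipv6? 6)
                            (else
                             (throw 'endlessh-error
                                    "bind-family must contain at least one value")))))
    (mixed-text-file "endlessh.conf"
                     "# Generated by 'endlessh-config'.\n\n"
                     "Port " (number->string port) "\n"
                     "Delay " (number->string delay_) "\n"
                     "MaxLineLength " (number->string line-length) "\n"
                     "MaxClients " (number->string max-clients) "\n"
                     "LogLevel " (number->string log-level) "\n"
                     "BindFamily " (number->string bind) "\n")))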
(define (endlessh-shepherd-service config)
  "Return the Shepherd service that runs the endlessh daemon with the config
file generated from CONFIG, an <endlessh-configuration>."
  (let ((endlessh-binary (file-append endlessh "/bin/endlessh"))
        (config-file     (endlessh-config->conf config)))
    (shepherd-service
     (documentation "Run endlessh tarpit server.")
     (provision '(endlessh))
     ;; NOTE(review): no #:user/#:group is passed, so the daemon keeps the
     ;; Shepherd's own privileges (presumably root).  A privileged listening
     ;; port needs that unless capabilities are granted another way -- confirm
     ;; before moving it to a dedicated account.
     (start #~(make-forkexec-constructor
               (list #$endlessh-binary "-f" #$config-file)))
     (stop #~(make-kill-destructor)))))
(define endlessh-service-type
  ;; Service type for the endlessh SSH tarpit.  Its value is an
  ;; <endlessh-configuration> (the record's defaults when none is given) and
  ;; its only extension adds the endlessh daemon to the Shepherd root service.
  (let ((shepherd-services
         (lambda (config)
           (list (endlessh-shepherd-service config)))))
    (service-type
     (name 'endlessh)
     (description "Run endlessh tarpit server.")
     (extensions
      (list (service-extension shepherd-root-service-type shepherd-services)))
     (default-value (endlessh-configuration)))))
(define (add-deploy-signing-key config)
  "Return a copy of the guix-configuration CONFIG whose authorized-keys list
starts with the signing key below (presumably that of the host running
`guix deploy'), followed by the default authorized keys."
  (let ((deploy-key
         (plain-file "signing-key.pub" "(public-key
(ecc
(curve Ed25519)
(q #10C785BB820113894824360A063A72FF50BB03EB3947BD6C901E215EF8384AFC#)
)
)")))
    (guix-configuration
     (inherit config)
     (authorized-keys (cons deploy-key %default-authorized-guix-keys)))))
(define sandbox-os
  ;; Operating system for the sandbox VPS.  It is pushed with `guix deploy'
  ;; through the machine list at the end of this file, so the SSH and sudo
  ;; settings below must keep that deployment path working.
  (operating-system
    (host-name "McDJ_Solutions")
    (timezone "America/New_York")
    (locale "en_US.UTF-8")
    ;; GRUB installed on the /dev/vda disk.
    (bootloader (bootloader-configuration
                 (bootloader grub-bootloader)
                 (targets '("/dev/vda"))))
    (swap-devices (list (swap-space (target "/swapfile"))))
    ;; The root file system is located by label rather than device path.
    (file-systems (cons (file-system
                         (device (file-system-label "root-fs"))
                         (mount-point "/")
                         (type "ext4"))
                        %base-file-systems))
    ;; The single administrative account; it is also the user that
    ;; `guix deploy' logs in as (see the machine-ssh-configuration below).
    (users (cons (user-account
                  (name "tadhg")
                  (comment "Tadhg McDonald-Jensen")
                  (group "users")
                  (supplementary-groups '("wheel" "audio" "video")))
                 %base-user-accounts))
    ;; Default sudoers plus passwordless sudo for tadhg.  NOTE(review): with
    ;; key-only SSH below, whoever holds deploy_id effectively holds root on
    ;; this host, so that private key needs the same protection as a root
    ;; credential.
    (sudoers-file
     (plain-file "sudoers"
                 (string-append (plain-file-content %sudoers-specification)
                                (format #f "~a ALL = NOPASSWD: ALL~%"
                                        "tadhg"))))
    ;; No extra firmware; presumably none is needed on this VPS.
    (firmware '())
    ;; nss-certs provides the CA bundle so TLS verification works system-wide.
    (packages (cons*
               (specification->package "nss-certs")
               %base-packages))
    (services
     (cons*
      ;; sshd listens on 585 (historically the IMAPS port), chosen because it
      ;; is unlikely to collide with any other service here; this also keeps
      ;; the real SSH server off port 22, which the endlessh tarpit takes
      ;; below.  Root login and password authentication are off; only tadhg's
      ;; deploy key is accepted.
      (service openssh-service-type
               (openssh-configuration
                (port-number 585)
                (permit-root-login #f)
                (allow-empty-passwords? #f)
                (password-authentication? #f)
                (authorized-keys
                 `(("tadhg" ,(local-file "deploy_id.pub"))
                   ;;("root" ,(local-file "deploy_id.pub"))
                   ))
                ))
      ;; endlessh tarpit on the default SSH port to hold up scanners that try
      ;; 22; the record's other defaults (delay, line length, ...) apply.
      (service endlessh-service-type (endlessh-configuration
                                      (port-number 22)))
      ;;; Notes on the one-time manual setup for static networking.
      ;;; First flush the existing address info, since the 1984hosting VPS
      ;;; initially came up with completely wrong values:
      ; ip addr flush eth0
      ; ip route flush eth0
      ;;; Then add this host's own address XX.XX.XX.XX (prefix length YY,
      ;;; probably 24) and route through the gateway, whose last octet ZZ is
      ;;; probably 1:
      ; ip address add XX.XX.XX.XX/YY brd + dev eth0
      ; ip route add XX.XX.XX.ZZ dev eth0
      ; ip route add default via XX.XX.XX.ZZ dev eth0
      ;;; Then add a name server to resolv.conf so DNS lookups work; this can
      ;;; be run twice for both name servers but probably works fine with only
      ;;; one.  XXX is the name server address:
      ; echo nameserver XXX >> /etc/resolv.conf
      ;; Persistent form of the above, applied on every boot.
      (service static-networking-service-type
               (list (static-networking
                      (addresses
                       (list (network-address
                              (device "eth0")
                              (value "93.95.227.154/24"))))
                      (routes
                       (list (network-route
                              (destination "default")
                              (gateway "93.95.227.1"))))
                      (name-servers '("93.95.224.28" "93.95.224.29")))))
      (service ntp-service-type)
      ;; Web site for sandbox.mcdj.solutions served from a home directory.
      ;; NOTE(review): no TLS settings appear in this httpd-config-file --
      ;; confirm whether HTTPS is meant to be terminated elsewhere.
      (service httpd-service-type
               (httpd-configuration
                (config
                 (httpd-config-file
                  (server-name "sandbox.mcdj.solutions")
                  (document-root "/home/http/mcdj.solutions")))))
      ;; XMPP server for the mcdj.solutions domain; the multi-user-chat
      ;; component and extra modules are left commented out for now.
      (service prosody-service-type
               (prosody-configuration
                ;; (modules-enabled (cons* "groups" "mam" %default-modules-enabled))
                ;; (int-components
                ;; (list
                ;; (int-component-configuration
                ;; (hostname "conference.example.net")
                ;; (plugin "muc")
                ;; (mod-muc (mod-muc-configuration)))))
                (virtualhosts
                 (list
                  (virtualhost-configuration
                   (domain "mcdj.solutions"))))))
      ;; Base services, with guix-daemon additionally authorizing the deploy
      ;; signing key (presumably so `guix deploy' can copy store items here).
      (modify-services
          %base-services
        (guix-service-type config => (add-deploy-signing-key config))
        ) ;; (end modify-services
      )) ;; end (services (cons*
    ));; end (define sandbox-os (operating-system
;; Machine list consumed by `guix deploy': the sandbox host, reached over SSH
;; as the tadhg user on the relocated sshd port and authenticated with the
;; deploy_id key.  The pinned host-key is checked against the server's key on
;; connection, so a host whose SSH identity changed is not deployed to.
(let ((sandbox-ssh
       (machine-ssh-configuration
        (host-name "sandbox.mcdj.solutions")
        (system "x86_64-linux")
        (user "tadhg")
        (identity "./deploy_id")
        (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdYIrHAM2IoiW6LsipzaDj3PNEGO96dS5f/TJUlfKWi root@McDJ_Solutions")
        (port 585))))
  (list (machine
         (operating-system sandbox-os)
         (environment managed-host-environment-type)
         (configuration sandbox-ssh))))