From 6648abd0f57e7cd703cca46c303c39bdc27d657c Mon Sep 17 00:00:00 2001 From: Mark Nipper Date: Fri, 14 Jun 2024 01:14:12 -0700 Subject: Add SSH rules for nftables on ginaz --- hosts/ginaz/default.nix | 30 ++++++++++++++++++++++++++++++ hosts/secrets/ginaz.yaml | 31 +++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 hosts/secrets/ginaz.yaml (limited to 'hosts') diff --git a/hosts/ginaz/default.nix b/hosts/ginaz/default.nix index 625547d..3812f41 100644 --- a/hosts/ginaz/default.nix +++ b/hosts/ginaz/default.nix @@ -46,5 +46,35 @@ services.openssh.settings.X11Forwarding = true; services.xserver.videoDrivers = [ "amdgpu" ]; + sops = { + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = ../secrets/ginaz.yaml; + + secrets = { + "nftables/ssh" = {}; + }; + }; + system.stateVersion = "23.11"; + + systemd.services."nftables-extra" = { + description = "nftables extra firewall rules"; + script = '' + ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path} + ''; + serviceConfig = { + RemainAfterExit = true; + Type = "oneshot"; + }; + unitConfig = { + ConditionPathExists = config.sops.secrets."nftables/ssh".path; + }; + wantedBy = [ "multi-user.target" ]; + }; + systemd.paths."nftables-extra" = { + pathConfig = { + PathExists = config.sops.secrets."nftables/ssh".path; + }; + wantedBy = [ "multi-user.target" ]; + }; } diff --git a/hosts/secrets/ginaz.yaml b/hosts/secrets/ginaz.yaml new file mode 100644 index 0000000..298fff5 --- /dev/null +++ b/hosts/secrets/ginaz.yaml @@ -0,0 +1,31 @@ +nftables: + ssh: ENC[AES256_GCM,data:mGh0TM88dWZfymF7+Xt896POHOqoDrcsicncILYFRA5DBw3AjnaaG28Da+qcJ7/VrXGFVIRm4b8L+QeTJ9Uk/h1VEYUpmaPdqY4yaK9CPTDqKmLSLsTgrIvzbUjxJ062+KOx1ovGlLqpZnkiSgHyY2h7uYbxPnq+fvrboPRoxwZiIc8UQTs7KFsQolZPka5It5kXsa6mYdaCKYp36ypTCmD1dCnkneveiYxDg/58O9UJLSbMV7vbB2020B6ga8PsG/5UbFGMzOlktejgqgfr3ZQlU+A8E8Oh4S9uweDEBsg8W+XIDH3pV7qYflkUqCctunzUNdn94RtasAiBkLd5RIV23hiII4NbPnxke3jOtO/OElmU9WxXcIHX/obZ8pPnTZYNeeNxeubkph0KJJE0DKnEKFwetF0J4wnxj90R1hxAFYLXBOYEzVANuC8bVuVw0M0GB6yRzKbxA1uxeUAbq1njBurDfVAZwUh4y551YYTJJxRq+4VPDikkE7X35smRYgRzckxhWnNvg1mggcI+ZUuGkp9XYjHOwifumib1i95xeXAD5aIiS3GTTTFPLajOlbJhdU9RHA/6WY98PEJmU4sybWS1REMkI3LfxjibLACds9B3NQYpbwIrYu4WdLrio5eQp8ifAUv1nMQAfJDYX+Vd1TEAqcv01kWiad2FVrNSy1CVphGfTHHgOfk+P/UpLMnC/OmbvTrc74wgmBVdvnMkOca4JvT94d8VtiriJ8vr8l2xOqA8A0sjph8ucInZ7GXIV91fePwFH50kYHQE7a0sSTtGMvzKjRg2/7VtgubY8tNSUO/u5FNXKbPYBwhYKB8DXI5G1m9otPa9PeobeLsLcovRyqfVhqzAIw0htQYvHHC6RZwkHptAa3RcxeB0+dj4IxB7yzayWCcNVcQHdJ+bSB897hgo5c/k26+TnYhz97STlS+/pf4h0To4JnS/+67nFqHMoRUTlmL70JAxkkwvjg+5T76+pFQFB3cPRZF48fiBo2NhpF0PWiSUB9uEIKjfyq5mwQ9tEHDTjv25V8qxcpQitu4W8ydO7L+5ovln68oPaZC5vSe21m4p7msDtg27Y6GLHTVCdFFSi9CmXgb3JCawLWDXkVMpMch1bFYcsOOumYZjBsmosK0Yi4zCZAreSJ6O8pakyjfG/T81a8wPySEjin6NGLj5rEo04YqXqIEoG5hCNQz1WIIsqfeeVZYMhQ2e5jlxqATbvnq8y4dVfP9riuUA1YAYmmwrwTw3OEnhShxtyl49s5FctmPxCPEoskzpQ1rvv45xDyvKN1QrlInu1O/TXPddpbs1eFRiyPBV+rzAwW5ULlsxy5letfqkQZiKMZ0bVIdpgJaTeKeCrZeg5khsRpxf7CIWhCRftzrVaesZKM3YGYGmlOO4FALQbg0vXQlJQBCidNVgtG8v0n/b0TCiLl+pmaItlp8GGYUHrKWLg/iNXQ4EDiXwfxF2TdSRtqkOIQQxo8Odz7fxccGGQNOeD/xCAVZuZgwOtcGGtzBaBIz18pttLRLIfzPr4WnCqlycApux1g8UhyK9zPo9kjeFnwHAseMi7sZb5iQwzSPpT6osZF127g9rgi/ck+1AB8EEsB8AOYw4DmKFCHQ8S7OuWMpAgqtphsy2sW0QOBHdp62bqZBlFofYokw1c72+SoW4ZsTwqX5ECc2pcwdDsdse9jyTHSppap/NguvgLtgfv7uz9tVw6T/Mw5Sq5MlwxFY3J0PFIJU1KjxXGmoTowor+QJVds5PxnWFBX5u6jsHs9ifcub7ddaNXuQHPGcqbyNp/T6pH51/NyymnWRq8/RcHE3DFFFYDl2J9/WY9+y1Q35o8fMo7XWJ5FqArogtAyDE42EjxCvujUos3JJKqcSUueKBimO0oJ1TzgpTCrYi4OoP54dVNRFSGVq5dFAkJ9Dmpeh4a/v1Gxuk9ujvxbRZso8GfM7gnr2FIK3hinipT7F8RHVx07YnJehM93Ul9m237OwJl5hpBBsFRy+yIuBoxd5DEeN3nPuztEOovW5lR+Sj0RB6ipJc5kaHTVx0bZm2SwPVr9RaWeHBq4j2b3HP5+frgR/vnPo3q6RQJLKamLh30mAxtzTV4F77N6LEXp9JFhs9ytv5y9MYwotHIjO6sN6pop1vcIpm/b4tKeYyUDJ6JDVuy/oroS8uAtf378gTRlT/P/ekDLRymyySvwWQ/TVtm5iF0vjt3lUdpwNOoY3J5TJZejCLbDOcShE7PDfKtf0QKGNBmxNh3gqtqDQ5YWoQirTLUv9B2Q7JkRpYZ+gLnkXMe0eu7QFcrjUMGeJwe7F4EOjBd7Xy6Wh72BVi54sYuuWWIgCOAFCjMDqMiLGdu2itnMJN33epOnnj3Dn2liqTDubSRpRaYE5/thVeRXKs+myuiU70R8mKtxol5/0i1HGrolT1Sq5k4O3t4Ibj/rhjqpmQU036T/211YS3DH9MMsP2YlOOv4NXBfptwJ+hKY3R2IoXI/FVHF1q0/8b24+kVefCZ4tOlKViPVLnYlYuxw72ztzhheKsSLMJy/UzMJMV4p250IsPAO8locfPIw==,iv:zHwrBGfdoz2j/5Qko5QNDkh/kkJ/bD/aHvEL5DACmKI=,tag:9YELKHujgP4p5yO5vAwZog==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1900zc5caephklavvjxp0g4qqvyqlzg3sux69y9p092g3d3qck3kqz62reh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1b0xleWZJc1I0V2Zqelh5 + M2Z3Sk9LNXNFRFN5UUZ2ZTdNZWlmdnhTb1FZCno0ZlMxUVJTcWpvd25sUDlncjcw + dHlkWDVYVjZFeE5lOWEvWDhMZmNodWsKLS0tIElLeFlWL05ObGd1d2hFZWlqaklQ + UTVUK2xWOWZUbEtpS2tGSS85QytFNjgKUjRSciB365SpJodAQKx/eVJeCAbLynoh + +xLINlNopXvc902vJLoWWJotck8DwaV3NafjvL5HVmNDWW/nKtagQg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvd3RhelRvTjJRR2luMGoz + aXN5V1VtQUdNNGQxajJlQjdKWmlOZTR5QnhZClV6U1FNYkthWUVFd2ZnRTladHVM + T1U3R3ZORUk5OUh2eHkvd3BFdEtZTlkKLS0tIGl6R25RZWFpd2x3R0VibGhrZG9n + Nmp5TTVkNFNqd29PRVlRZ2lZWDhaQVEKQ5dnzV8gqd21v6AlUfpOrBTyzvpEC2kr + VF7UR0f3VOvnaJ5fDB4nrcHthYbQtxuzhV2wuvZFh+fBle5xRgGRIg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-14T08:07:02Z" + mac: ENC[AES256_GCM,data:6lS4XVKaz+nfr15WygUrbgLw7F9oxMzfEPPMPH+q6Qlf6RtgE5/MGsogiG9FPXiCNcpt0Pn3Fbbc65XcDw40LlrtCp4NV16Yqsh5owTwmpiMxo7Lq/sksWeanqd9+4bC1G2wbELdZyTZ8NhEIEdilnSDraCd1FiP6BeaPfWPsZ0=,iv:ZymgsABe8sHpgsaUOWuAfwZe6D+GTK/soRU1T4RKvn0=,tag:Z3XKuOzm4f7srdX7hiklrA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 -- cgit v1.2.3