diff options
| author | EuAndreh <eu@euandre.org> | 2020-11-16 22:10:25 -0300 |
|---|---|---|
| committer | EuAndreh <eu@euandre.org> | 2020-11-16 22:26:54 -0300 |
| commit | 1bf3861318f9cc362384722d4f312f3dd439c749 (patch) | |
| tree | 2f06c18b3ede05a935cdbc55787941ee6fe42179 /vps.scm | |
| parent | Fix tests.sh (diff) | |
| download | toph-1bf3861318f9cc362384722d4f312f3dd439c749.tar.gz toph-1bf3861318f9cc362384722d4f312f3dd439c749.tar.xz | |
Add base Guix configuration and start switching to it
- remove NixOS stateVersion from .envrc;
- add guix-reconfigure.sh;
- add vps.scm with initial Guix system configuration;
- update vps.tf to use the new "base-guix" snapshot.
The "base-guix" image doesn't need a password. The "andreh" users has one, but
it is configured for not requiring it when running commands as "sudo".
The expected minimal steps one has to go through for privilege scalation is via
the SSH private key, and accessing the VPS via SSH. Since password login is
disabled and root can't login via SSH either, only the private SSH key allows
access to the server. After that, the attacker will be able to run commands as
root.
Diffstat (limited to 'vps.scm')
| -rw-r--r-- | vps.scm | 53 |
1 files changed, 53 insertions, 0 deletions
@@ -0,0 +1,53 @@ +;; This is an operating system configuration generated +;; by the graphical installer. + +(use-modules (gnu)) +(use-service-modules networking ssh) +(use-package-modules ssh) + +(define ssh-public-key + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDF+uy407LKZAFnfFkJPRiOBzwV98qIEcKhITnLYhqfITfrJvcFVOY0/YDCrs6WHXyLdM29AoywVWsQ1qXiB7xQCwknPV8YZoCnJQcn0gvH8jbCk+C8Po0Rx846wbhL49qYolnmlhe+Uoy30j7XIJSDtPVO9d/hZqt2GPwGVJ98HLyY2ak+j4i1YkHr+mPFgnCaqCAzA374d1Bop18+YENYtMMU0k8hCsomwZny/7qNo4V8mjLxQAS8FvTuljxlthEpOM4Jsjl07yDLgE69kLvU7mmFi8EeC26e50N18Ouse82dZigtVhAMeLBhbJnQbDff4WfUBzSjpKjZPGcxoRaej3qSRbIkcMMqCOSlww6GcjRi+COvlpA4c1i4hKI15wHceoiKghDLA6jbaHfOqEMldflYl5gCVUIYzJ5XehZppH6L7PzO+L4suNs+aFjWPDZ0jqEtcyTmgTMea40p7wwz086ExnBDorbG79oDiJrWc+swJjXuVakS+fQjb3mPsCC/FgUhsxEtqiVfvLo2mphp47pOYvs64aUp3RV9muqQNuS4tEuP9V1urGTLtgPL26LEjF0oLu1ag0H+VZY5O/T9KRYvWre8IWbj/KkZYo1tJaGJyEVr0plmyzLBEy8b3Hu/6Wtq7yB0Eii60fxqFWC24nEkvs1V0cxDa+o6I2iA9w== eu@euandre.org") + +(operating-system + (locale "en_GB.utf8") + (timezone "America/Sao_Paulo") + (keyboard-layout (keyboard-layout "us")) + (host-name "guix-pet-server") + (users (cons* (user-account + (name "andreh") + (group "users") + (home-directory "/home/andreh") + (supplementary-groups '("wheel"))) + %base-user-accounts)) + (sudoers-file (plain-file "sudoers" "\ +root ALL=(ALL) ALL +%wheel ALL=NOPASSWD: ALL\n")) + (packages + (append + (list (specification->package "nss-certs")) + %base-packages)) + (services + (append + (list (service openssh-service-type + (openssh-configuration + (openssh openssh-sans-x) + (password-authentication? #false) + (authorized-keys + `(("andreh" ,(plain-file "id_rsa.pub" ssh-public-key)))))) + (service dhcp-client-service-type)) + %base-services)) + (bootloader + (bootloader-configuration + (bootloader grub-bootloader) + (target "/dev/vda") + (keyboard-layout keyboard-layout))) + (swap-devices + (list (uuid "79a91c82-f3e1-4ed7-8c4e-23569f1ae0ca"))) + (file-systems + (cons* (file-system + (mount-point "/") + (device + (uuid "fddb6a4c-8b8c-4f57-b274-5d6d33200f28" + 'ext4)) + (type "ext4")) + %base-file-systems))) |