From aa992fc5c60eb4003eef068d4ba335344f11712c Mon Sep 17 00:00:00 2001
From: Lin Yinfeng
Date: Thu, 5 Dec 2024 10:35:28 +0800
Subject: [PATCH] hosts/duo: remove
---
 flake/hosts.nix | 40 -----
 lib/data/data.json | 18 --
 nixago/sops-yaml.nix | 4 -
 nixos/hosts/duo/default.nix | 32 ----
 nixos/hosts/duo/kernel/configs/merge.nix | 13 --
 .../hosts/duo/kernel/configs/nftables.config | 159 ------------------
 .../duo/kernel/configs/nftables.config.nix | 147 ----------------
 nixos/hosts/duo/nixos-riscv-tweaks.nix | 38 -----
 secrets/terraform/hosts/duo.yaml | 42 -----
 terraform/hosts.tf | 7 -
 10 files changed, 500 deletions(-)
 delete mode 100644 nixos/hosts/duo/default.nix
 delete mode 100644 nixos/hosts/duo/kernel/configs/merge.nix
 delete mode 100644 nixos/hosts/duo/kernel/configs/nftables.config
 delete mode 100644 nixos/hosts/duo/kernel/configs/nftables.config.nix
 delete mode 100644 nixos/hosts/duo/nixos-riscv-tweaks.nix
 delete mode 100644 secrets/terraform/hosts/duo.yaml
diff --git a/flake/hosts.nix b/flake/hosts.nix
index 7204c4f10..50f0c65a0 100644
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@@ -451,45 +451,6 @@ in
 name = "hkg0";
 system = "x86_64-linux";
 })
-
- (mkHost {
- name = "duo";
- system = "riscv64-linux";
- extraModules = [
- (
- {
- config,
- lib,
- pkgs,
- modulesPath,
- ...
- }:
- let
- originalModule = import "${inputs.nixos-riscv}/duo-256.nix" {
- inherit
- config
- lib
- pkgs
- modulesPath
- ;
- };
- in
- lib.updateManyAttrsByPath [
- {
- path = [
- "system"
- "nssModules"
- ];
- update = _old: [ ];
- }
- {
- path = [ "nixpkgs" ];
- update = _old: { };
- }
- ] originalModule
- )
- ];
- })
 # PLACEHOLDER new host
 ];
 
@@ -498,7 +459,6 @@ in
 "android-boot-image/enchilada" = self.nixosConfigurations.enchilada.config.system.build.bootImage;
 "linux/enchilada" = self.nixosConfigurations.enchilada.config.boot.kernelPackages.kernel;
 };
- "riscv64-linux"."bootsd/duo" = self.nixosConfigurations.duo.config.system.build.bootsd;
 "x86_64-linux"."linux/owl" = self.nixosConfigurations.owl.config.boot.kernelPackages.kernel;
 };
 }
diff --git a/lib/data/data.json b/lib/data/data.json
index 48c8d8e32..773aa14fa 100644
--- a/lib/data/data.json
+++ b/lib/data/data.json
@@ -193,24 +193,6 @@
 }
 },
 "hosts": {
- "duo": {
- "b2_backup_key_id": "00462cd88e299860000000027",
- "dn42_addresses_v4": [],
- "dn42_addresses_v6": [],
- "dn42_v6_prefixes": [],
- "endpoints": [],
- "endpoints_v4": [],
- "endpoints_v6": [],
- "host_indices": [],
- "ike_cert_pem": "-----BEGIN CERTIFICATE-----\nMIIB6TCCAW6gAwIBAgIQHHHwxNLlY4yNHrGnd6FpHjAKBggqhkjOPQQDAzAlMRAw\nDgYDVQQKEwdZaW5mZW5nMREwDwYDVQQDEwhsaTdnLmNvbTAeFw0yNDExMTcxNjQ1\nMjhaFw0yNTAxMTcxMjQ1MjhaMCkxEDAOBgNVBAoTB1lpbmZlbmcxFTATBgNVBAMT\nDGR1by5saTdnLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABGf6wpZrxjibMPzR\nafoFel8b7dpKP4u9l0CkPEcjL2P49kZlbeyFhj/433ugzyE7Mm1BaZif4Papc4CZ\nNq42ChaQIJE68+J9zz59M15k/f2mvmUNaL6Ymc4mpc8JxvZvIqNfMF0wEwYDVR0l\nBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQXukUM/qqg\n7vLzRIIk1vA8DMqiHDAXBgNVHREEEDAOggxkdW8ubGk3Zy5jb20wCgYIKoZIzj0E\nAwMDaQAwZgIxAN3GfiddC2HVpUWMJzxJ0UQX3UztwohxPg6kXuZOpYMpswCVzQW8\nHIwCQ85h4Zl/1gIxALAwRUIXljaiYfRjEy2iJBbUQH4tZYpvVO+aNpwlPxSlvSfW\ni7CEtaEX8weu7S+KlA==\n-----END CERTIFICATE-----\n",
- "minio_backup_key_id": "backup-duo",
- "ssh_host_ed25519_key_pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHaMw6vzFKUifYm+DM1PvhSx2Vvb7aSuww+UnWxkO/nw",
- "ssh_host_rsa_key_pub": "ssh-rsa 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",
- "syncthing_device_id": "QWMORI2-FAXYA6R-WWZU733-7QEMNT2-KBUHQXC-RAKALYM-SNJEPPN-KUELOQC",
- "wireguard_public_key": "/6JlmeD9sA6VmQb8o9PTaDh6jrVFeVd1Omlh5GFwBGY=",
- "zerotier_id": "f283e39525",
- "zerotier_public_key": "f283e39525:0:2fc87ceedb5f11a4cf55d7e78bce1e4485ab23cabd2392d070a749f91301ca597ec43805dcd7803648fc6e5b9e616c30f34b6db0470e26a6f65b61d4d9ed7f70"
- },
 "enchilada": {
 "b2_backup_key_id": "00462cd88e299860000000023",
 "dn42_addresses_v4": [],
diff --git a/nixago/sops-yaml.nix b/nixago/sops-yaml.nix
index 8bc698450..36f24f643 100644
--- a/nixago/sops-yaml.nix
+++ b/nixago/sops-yaml.nix
@@ -44,10 +44,6 @@ let
 key = "age1wzm6xztn2m08qr74hg29nv2qlz8537apl4kcqakfyg3gc8l0mcgstrqjpf";
 owned = true;
 };
- duo = {
- key = "age1ll4vesj4g09t7954pd3v46nmthcv569xed9g9msadrlz8jhgkcdq6ks7s9";
- owned = true;
- };
 # PLACEHOLDER new host
 };
 ownedHostKeys = lib.mapAttrsToList (_: cfg: cfg.key) (lib.filterAttrs (_: cfg: cfg.owned) hosts);
diff --git a/nixos/hosts/duo/default.nix b/nixos/hosts/duo/default.nix
deleted file mode 100644
index fd3f49a8c..000000000
--- a/nixos/hosts/duo/default.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- suites,
- lib,
- pkgs,
- ...
-}:
-{
- imports = suites.embeddedServer ++ [ ./nixos-riscv-tweaks.nix ];
-
- config = lib.mkMerge [
- {
- environment.systemPackages = with pkgs; [
- dnsutils
- iperf3
- htop
- ];
-
- systemd.network.networks."50-end0" = {
- matchConfig = {
- Name = "end0";
- };
- DHCP = "yes";
- };
-
- system.nproc = 1;
- documentation.nixos.enable = false;
- }
-
- # stateVersion
- { system.stateVersion = "24.05"; }
- ];
-}
diff --git a/nixos/hosts/duo/kernel/configs/merge.nix b/nixos/hosts/duo/kernel/configs/merge.nix
deleted file mode 100644
index 508b313cb..000000000
--- a/nixos/hosts/duo/kernel/configs/merge.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ lib }:
-let
- inherit (lib.kernel) yes module;
-in
-{
- SECURITY = yes;
- LIBCRC32C = module;
- PROC_CHILDREN = yes;
- SYN_COOKIES = yes;
- BRIDGE = module;
- NET_IPVTI = module;
- NETWORK_SECMARK = yes;
-}
diff --git a/nixos/hosts/duo/kernel/configs/nftables.config b/nixos/hosts/duo/kernel/configs/nftables.config
deleted file mode 100644
index fcf7d7713..000000000
--- a/nixos/hosts/duo/kernel/configs/nftables.config
+++ /dev/null
@@ -1,159 +0,0 @@
-# generate nftables.config.nix
-# nix run github:linyinfeng/conf2nix#conf2nix-wrapper -- ./nixos/hosts/duo/kernel-configs/nftables.config --arg kernel 'let pkgs = import {}; f = (builtins.getFlake (toString ./.)); in f.nixosConfigurations.duo.config.boot.kernelPackages.kernel' --argstr preset partial | sponge ./nixos/hosts/duo/kernel-configs/nftables.config.nix
-
-CONFIG_NETFILTER=y
-CONFIG_NETLINK_DIAG=m
-
-CONFIG_NETFILTER_NETLINK=m
-CONFIG_NETFILTER_NETLINK_HOOK=m
-CONFIG_NETFILTER_NETLINK_ACCT=m
-CONFIG_NETFILTER_NETLINK_QUEUE=m
-CONFIG_NETFILTER_NETLINK_LOG=m
-CONFIG_NETFILTER_NETLINK_OSF=m
-CONFIG_NETFILTER_NETLINK_GLUE_CT=y
-
-CONFIG_NF_CONNTRACK=m
-CONFIG_NF_LOG_SYSLOG=m
-CONFIG_NF_CONNTRACK_MARK=y
-CONFIG_NF_CONNTRACK_SECMARK=y
-CONFIG_NF_CONNTRACK_ZONES=y
-CONFIG_NF_CONNTRACK_PROCFS=y
-CONFIG_NF_CONNTRACK_EVENTS=y
-CONFIG_NF_CONNTRACK_TIMEOUT=y
-CONFIG_NF_CONNTRACK_TIMESTAMP=y
-CONFIG_NF_CONNTRACK_LABELS=y
-CONFIG_NF_CONNTRACK_OVS=y
-CONFIG_NF_CT_PROTO_DCCP=y
-CONFIG_NF_CT_PROTO_GRE=y
-CONFIG_NF_CT_PROTO_SCTP=y
-CONFIG_NF_CT_PROTO_UDPLITE=y
-CONFIG_NF_CONNTRACK_AMANDA=m
-CONFIG_NF_CONNTRACK_FTP=m
-CONFIG_NF_CONNTRACK_H323=m
-CONFIG_NF_CONNTRACK_IRC=m
-CONFIG_NF_CONNTRACK_BROADCAST=m
-CONFIG_NF_CONNTRACK_NETBIOS_NS=m
-CONFIG_NF_CONNTRACK_SNMP=m
-CONFIG_NF_CONNTRACK_PPTP=m
-CONFIG_NF_CONNTRACK_SANE=m
-CONFIG_NF_CONNTRACK_SIP=m
-CONFIG_NF_CONNTRACK_TFTP=m
-CONFIG_NF_CT_NETLINK=m
-CONFIG_NF_CT_NETLINK_TIMEOUT=m
-CONFIG_NF_CT_NETLINK_HELPER=m
-CONFIG_NF_NAT=m
-CONFIG_NF_NAT_AMANDA=m
-CONFIG_NF_NAT_FTP=m
-CONFIG_NF_NAT_IRC=m
-CONFIG_NF_NAT_SIP=m
-CONFIG_NF_NAT_TFTP=m
-CONFIG_NF_NAT_REDIRECT=y
-CONFIG_NF_NAT_MASQUERADE=y
-CONFIG_NF_NAT_OVS=y
-CONFIG_NF_TABLES=m
-CONFIG_NF_TABLES_INET=y
-CONFIG_NF_TABLES_NETDEV=y
-CONFIG_NF_DUP_NETDEV=m
-CONFIG_NF_FLOW_TABLE_INET=m
-CONFIG_NF_FLOW_TABLE=m
-CONFIG_NF_FLOW_TABLE_PROCFS=y
-CONFIG_NF_DEFRAG_IPV4=m
-CONFIG_NF_SOCKET_IPV4=m
-CONFIG_NF_TPROXY_IPV4=m
-CONFIG_NF_TABLES_IPV4=y
-CONFIG_NF_TABLES_ARP=y
-CONFIG_NF_DUP_IPV4=m
-CONFIG_NF_LOG_ARP=m
-CONFIG_NF_LOG_IPV4=m
-CONFIG_NF_REJECT_IPV4=m
-CONFIG_NF_NAT_SNMP_BASIC=m
-CONFIG_NF_NAT_PPTP=m
-CONFIG_NF_NAT_H323=m
-CONFIG_NF_SOCKET_IPV6=m
-CONFIG_NF_TPROXY_IPV6=m
-CONFIG_NF_TABLES_IPV6=y
-CONFIG_NF_DUP_IPV6=m
-CONFIG_NF_REJECT_IPV6=m
-CONFIG_NF_LOG_IPV6=m
-CONFIG_NF_DEFRAG_IPV6=m
-CONFIG_NF_TABLES_BRIDGE=m
-CONFIG_NF_CONNTRACK_BRIDGE=m
-
-CONFIG_IP_NF_IPTABLES=m
-CONFIG_IP_NF_MATCH_AH=m
-CONFIG_IP_NF_MATCH_ECN=m
-CONFIG_IP_NF_MATCH_RPFILTER=m
-CONFIG_IP_NF_MATCH_TTL=m
-CONFIG_IP_NF_FILTER=m
-CONFIG_IP_NF_TARGET_REJECT=m
-CONFIG_IP_NF_TARGET_SYNPROXY=m
-CONFIG_IP_NF_NAT=m
-CONFIG_IP_NF_TARGET_MASQUERADE=m
-CONFIG_IP_NF_TARGET_NETMAP=m
-CONFIG_IP_NF_TARGET_REDIRECT=m
-CONFIG_IP_NF_MANGLE=m
-CONFIG_IP_NF_TARGET_ECN=m
-CONFIG_IP_NF_TARGET_TTL=m
-CONFIG_IP_NF_RAW=m
-CONFIG_IP_NF_SECURITY=m
-CONFIG_IP_NF_ARPTABLES=m
-CONFIG_IP_NF_ARPFILTER=m
-CONFIG_IP_NF_ARP_MANGLE=m
-
-CONFIG_IP6_NF_IPTABLES=m
-CONFIG_IP6_NF_MATCH_AH=m
-CONFIG_IP6_NF_MATCH_EUI64=m
-CONFIG_IP6_NF_MATCH_FRAG=m
-CONFIG_IP6_NF_MATCH_OPTS=m
-CONFIG_IP6_NF_MATCH_HL=m
-CONFIG_IP6_NF_MATCH_IPV6HEADER=m
-CONFIG_IP6_NF_MATCH_MH=m
-CONFIG_IP6_NF_MATCH_RPFILTER=m
-CONFIG_IP6_NF_MATCH_RT=m
-CONFIG_IP6_NF_MATCH_SRH=m
-CONFIG_IP6_NF_TARGET_HL=m
-CONFIG_IP6_NF_FILTER=m
-CONFIG_IP6_NF_TARGET_REJECT=m
-CONFIG_IP6_NF_TARGET_SYNPROXY=m
-CONFIG_IP6_NF_MANGLE=m
-CONFIG_IP6_NF_RAW=m
-CONFIG_IP6_NF_SECURITY=m
-CONFIG_IP6_NF_NAT=m
-CONFIG_IP6_NF_TARGET_MASQUERADE=m
-CONFIG_IP6_NF_TARGET_NPT=m
-
-CONFIG_NFT_NUMGEN=m
-CONFIG_NFT_CT=m
-CONFIG_NFT_FLOW_OFFLOAD=m
-CONFIG_NFT_CONNLIMIT=m
-CONFIG_NFT_LOG=m
-CONFIG_NFT_LIMIT=m
-CONFIG_NFT_MASQ=m
-CONFIG_NFT_REDIR=m
-CONFIG_NFT_NAT=m
-CONFIG_NFT_TUNNEL=m
-CONFIG_NFT_QUEUE=m
-CONFIG_NFT_QUOTA=m
-CONFIG_NFT_REJECT=m
-CONFIG_NFT_REJECT_INET=m
-CONFIG_NFT_COMPAT=m
-CONFIG_NFT_HASH=m
-CONFIG_NFT_FIB=m
-CONFIG_NFT_FIB_INET=m
-CONFIG_NFT_XFRM=m
-CONFIG_NFT_SOCKET=m
-CONFIG_NFT_OSF=m
-CONFIG_NFT_TPROXY=m
-CONFIG_NFT_SYNPROXY=m
-CONFIG_NFT_DUP_NETDEV=m
-CONFIG_NFT_FWD_NETDEV=m
-CONFIG_NFT_FIB_NETDEV=m
-CONFIG_NFT_REJECT_NETDEV=m
-CONFIG_NFT_REJECT_IPV4=m
-CONFIG_NFT_DUP_IPV4=m
-CONFIG_NFT_FIB_IPV4=m
-CONFIG_NFT_REJECT_IPV6=m
-CONFIG_NFT_DUP_IPV6=m
-CONFIG_NFT_FIB_IPV6=m
-CONFIG_NFT_BRIDGE_META=m
-CONFIG_NFT_BRIDGE_REJECT=m
diff --git a/nixos/hosts/duo/kernel/configs/nftables.config.nix b/nixos/hosts/duo/kernel/configs/nftables.config.nix
deleted file mode 100644
index 709e40e2c..000000000
--- a/nixos/hosts/duo/kernel/configs/nftables.config.nix
+++ /dev/null
@@ -1,147 +0,0 @@
-{ lib }:
-let
- inherit (lib.kernel) yes module;
-in
-{
- # Linux/riscv 5.10.4 Kernel Configuration
-
- ### Networking options
- "NETFILTER" = yes; # Network packet filtering framework (Netfilter)
-
- ##### Core Netfilter Configuration
- "NETFILTER_NETLINK_ACCT" = module; # Netfilter NFACCT over NFNETLINK interface
- "NETFILTER_NETLINK_QUEUE" = module; # Netfilter NFQUEUE over NFNETLINK interface
- "NETFILTER_NETLINK_LOG" = module; # Netfilter LOG over NFNETLINK interface
- "NETFILTER_NETLINK_OSF" = module; # Netfilter OSF over NFNETLINK interface
- "NF_CONNTRACK" = module; # Netfilter connection tracking support
- "NF_CONNTRACK_MARK" = yes; # Connection mark tracking support
- "NF_CONNTRACK_SECMARK" = yes; # Connection tracking security mark support
- "NF_CONNTRACK_ZONES" = yes; # Connection tracking zones
- "NF_CONNTRACK_PROCFS" = yes; # Supply CT list in procfs (OBSOLETE)
- "NF_CONNTRACK_EVENTS" = yes; # Connection tracking events
- "NF_CONNTRACK_TIMEOUT" = yes; # Connection tracking timeout
- "NF_CONNTRACK_TIMESTAMP" = yes; # Connection tracking timestamping
- "NF_CONNTRACK_LABELS" = yes; # Connection tracking labels
- "NF_CT_PROTO_DCCP" = yes; # DCCP protocol connection tracking support
- "NF_CT_PROTO_SCTP" = yes; # SCTP protocol connection tracking support
- "NF_CT_PROTO_UDPLITE" = yes; # UDP-Lite protocol connection tracking support
- "NF_CONNTRACK_AMANDA" = module; # Amanda backup protocol support
- "NF_CONNTRACK_FTP" = module; # FTP protocol support
- "NF_CONNTRACK_H323" = module; # H.323 protocol support
- "NF_CONNTRACK_IRC" = module; # IRC protocol support
- "NF_CONNTRACK_NETBIOS_NS" = module; # NetBIOS name service protocol support
- "NF_CONNTRACK_SNMP" = module; # SNMP service protocol support
- "NF_CONNTRACK_PPTP" = module; # PPtP protocol support
- "NF_CONNTRACK_SANE" = module; # SANE protocol support
- "NF_CONNTRACK_SIP" = module; # SIP protocol support
- "NF_CONNTRACK_TFTP" = module; # TFTP protocol support
- "NF_CT_NETLINK" = module; # Connection tracking netlink interface
- "NF_CT_NETLINK_TIMEOUT" = module; # Connection tracking timeout tuning via Netlink
- "NF_CT_NETLINK_HELPER" = module; # Connection tracking helpers in user-space via Netlink
- "NETFILTER_NETLINK_GLUE_CT" = yes; # NFQUEUE and NFLOG integration with Connection Tracking
- "NF_NAT" = module; # Network Address Translation support
- "NF_TABLES" = module; # Netfilter nf_tables support
- "NF_TABLES_INET" = yes; # Netfilter nf_tables mixed IPv4/IPv6 tables support
- "NF_TABLES_NETDEV" = yes; # Netfilter nf_tables netdev tables support
- "NFT_NUMGEN" = module; # Netfilter nf_tables number generator module
- "NFT_CT" = module; # Netfilter nf_tables conntrack module
- "NFT_FLOW_OFFLOAD" = module; # Netfilter nf_tables hardware flow offload module
- "NFT_CONNLIMIT" = module; # Netfilter nf_tables connlimit module
- "NFT_LOG" = module; # Netfilter nf_tables log module
- "NFT_LIMIT" = module; # Netfilter nf_tables limit module
- "NFT_MASQ" = module; # Netfilter nf_tables masquerade support
- "NFT_REDIR" = module; # Netfilter nf_tables redirect support
- "NFT_NAT" = module; # Netfilter nf_tables nat module
- "NFT_TUNNEL" = module; # Netfilter nf_tables tunnel module
- "NFT_QUEUE" = module; # Netfilter nf_tables queue module
- "NFT_QUOTA" = module; # Netfilter nf_tables quota module
- "NFT_REJECT" = module; # Netfilter nf_tables reject support
- "NFT_COMPAT" = module; # Netfilter x_tables over nf_tables module
- "NFT_HASH" = module; # Netfilter nf_tables hash module
- "NFT_FIB_INET" = module; # Netfilter nf_tables fib inet support
- "NFT_XFRM" = module; # Netfilter nf_tables xfrm/IPSec security association matching
- "NFT_SOCKET" = module; # Netfilter nf_tables socket match support
- "NFT_OSF" = module; # Netfilter nf_tables passive OS fingerprint support
- "NFT_TPROXY" = module; # Netfilter nf_tables tproxy support
- "NFT_SYNPROXY" = module; # Netfilter nf_tables SYNPROXY expression support
- "NF_DUP_NETDEV" = module; # Netfilter packet duplication support
- "NFT_DUP_NETDEV" = module; # Netfilter nf_tables netdev packet duplication support
- "NFT_FWD_NETDEV" = module; # Netfilter nf_tables netdev packet forwarding support
- "NFT_FIB_NETDEV" = module; # Netfilter nf_tables netdev fib lookups support
- "NF_FLOW_TABLE_INET" = module; # Netfilter flow table mixed IPv4/IPv6 module
- "NF_FLOW_TABLE" = module; # Netfilter flow table module
- ##### end of Core Netfilter Configuration
-
- ##### IP: Netfilter Configuration
- "NF_SOCKET_IPV4" = module; # IPv4 socket lookup support
- "NF_TPROXY_IPV4" = module; # IPv4 tproxy support
- "NF_TABLES_IPV4" = yes; # IPv4 nf_tables support
- "NFT_DUP_IPV4" = module; # IPv4 nf_tables packet duplication support
- "NFT_FIB_IPV4" = module; # nf_tables fib / ip route lookup support
- "NF_TABLES_ARP" = yes; # ARP nf_tables support
- "NF_DUP_IPV4" = module; # Netfilter IPv4 packet duplication to alternate destination
- "NF_LOG_ARP" = module; # ARP packet logging
- "NF_LOG_IPV4" = module; # IPv4 packet logging
- "NF_REJECT_IPV4" = module; # IPv4 packet rejection
- "NF_NAT_SNMP_BASIC" = module; # Basic SNMP-ALG support
- "IP_NF_IPTABLES" = module; # IP tables support (required for filtering/masq/NAT)
- "IP_NF_MATCH_AH" = module; # "ah" match support
- "IP_NF_MATCH_ECN" = module; # "ecn" match support
- "IP_NF_MATCH_RPFILTER" = module; # "rpfilter" reverse path filter match support
- "IP_NF_MATCH_TTL" = module; # "ttl" match support
- "IP_NF_FILTER" = module; # Packet filtering
- "IP_NF_TARGET_REJECT" = module; # REJECT target support
- "IP_NF_TARGET_SYNPROXY" = module; # SYNPROXY target support
- "IP_NF_NAT" = module; # iptables NAT support
- "IP_NF_TARGET_MASQUERADE" = module; # MASQUERADE target support
- "IP_NF_TARGET_NETMAP" = module; # NETMAP target support
- "IP_NF_TARGET_REDIRECT" = module; # REDIRECT target support
- "IP_NF_MANGLE" = module; # Packet mangling
- "IP_NF_TARGET_ECN" = module; # ECN target support
- "IP_NF_TARGET_TTL" = module; # "TTL" target support
- "IP_NF_RAW" = module; # raw table support (required for NOTRACK/TRACE)
- "IP_NF_SECURITY" = module; # Security table
- "IP_NF_ARPTABLES" = module; # ARP tables support
- "IP_NF_ARPFILTER" = module; # ARP packet filtering
- "IP_NF_ARP_MANGLE" = module; # ARP payload mangling
- ##### end of IP: Netfilter Configuration
-
- ##### IPv6: Netfilter Configuration
- "NF_SOCKET_IPV6" = module; # IPv6 socket lookup support
- "NF_TPROXY_IPV6" = module; # IPv6 tproxy support
- "NF_TABLES_IPV6" = yes; # IPv6 nf_tables support
- "NFT_DUP_IPV6" = module; # IPv6 nf_tables packet duplication support
- "NFT_FIB_IPV6" = module; # nf_tables fib / ipv6 route lookup support
- "NF_DUP_IPV6" = module; # Netfilter IPv6 packet duplication to alternate destination
- "NF_REJECT_IPV6" = module; # IPv6 packet rejection
- "NF_LOG_IPV6" = module; # IPv6 packet logging
- "IP6_NF_IPTABLES" = module; # IP6 tables support (required for filtering)
- "IP6_NF_MATCH_AH" = module; # "ah" match support
- "IP6_NF_MATCH_EUI64" = module; # "eui64" address check
- "IP6_NF_MATCH_FRAG" = module; # "frag" Fragmentation header match support
- "IP6_NF_MATCH_OPTS" = module; # "hbh" hop-by-hop and "dst" opts header match support
- "IP6_NF_MATCH_HL" = module; # "hl" hoplimit match support
- "IP6_NF_MATCH_IPV6HEADER" = module; # "ipv6header" IPv6 Extension Headers Match
- "IP6_NF_MATCH_MH" = module; # "mh" match support
- "IP6_NF_MATCH_RPFILTER" = module; # "rpfilter" reverse path filter match support
- "IP6_NF_MATCH_RT" = module; # "rt" Routing header match support
- "IP6_NF_MATCH_SRH" = module; # "srh" Segment Routing header match support
- "IP6_NF_TARGET_HL" = module; # "HL" hoplimit target support
- "IP6_NF_FILTER" = module; # Packet filtering
- "IP6_NF_TARGET_REJECT" = module; # REJECT target support
- "IP6_NF_TARGET_SYNPROXY" = module; # SYNPROXY target support
- "IP6_NF_MANGLE" = module; # Packet mangling
- "IP6_NF_RAW" = module; # raw table support (required for TRACE)
- "IP6_NF_SECURITY" = module; # Security table
- "IP6_NF_NAT" = module; # ip6tables NAT support
- "IP6_NF_TARGET_MASQUERADE" = module; # MASQUERADE target support
- "IP6_NF_TARGET_NPT" = module; # NPT (Network Prefix translation) target support
- ##### end of IPv6: Netfilter Configuration
- "NF_TABLES_BRIDGE" = module; # Ethernet Bridge nf_tables support
- "NFT_BRIDGE_META" = module; # Netfilter nf_table bridge meta support
- "NFT_BRIDGE_REJECT" = module; # Netfilter nf_tables bridge reject support
- "NF_CONNTRACK_BRIDGE" = module; # IPv4/IPV6 bridge connection tracking support
- "NETLINK_DIAG" = module; # NETLINK: socket monitoring interface
- ### end of Networking options
- # end of Linux/riscv 5.10.4 Kernel Configuration
-}
diff --git a/nixos/hosts/duo/nixos-riscv-tweaks.nix b/nixos/hosts/duo/nixos-riscv-tweaks.nix
deleted file mode 100644
index e8c5e080d..000000000
--- a/nixos/hosts/duo/nixos-riscv-tweaks.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{ lib, ... }:
-{
- networking.hostName = lib.mkForce "duo";
- networking.firewall.enable = lib.mkForce true;
- networking.defaultGateway = lib.mkForce null;
- networking.nameservers = lib.mkForce [ ];
- services.udev.enable = lib.mkForce true;
- services.nscd.enable = lib.mkForce true;
- services.dnsmasq.enable = lib.mkForce false;
- services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
- nix.enable = lib.mkForce true;
- users.users.root.initialPassword = lib.mkForce null;
-
- boot.initrd.systemd = {
- # enable = lib.mkForce false;
- tpm2.enable = false;
- };
-
- boot.kernelPatches = [
- {
- name = "nftables";
- patch = null;
- extraStructuredConfig = lib.mapAttrs (_: v: lib.mkForce (v // { optional = false; })) (
- import ./kernel/configs/nftables.config.nix { inherit lib; }
- // import ./kernel/configs/merge.nix { inherit lib; }
- );
- }
- ];
-
- fileSystems."/firmware" = {
- device = "/dev/disk/by-label/FIRMWARE";
- fsType = "vfat";
- options = [
- "dmask=077"
- "fmask=177"
- ];
- };
-}
diff --git a/secrets/terraform/hosts/duo.yaml b/secrets/terraform/hosts/duo.yaml
deleted file mode 100644
index a625a13ac..000000000
--- a/secrets/terraform/hosts/duo.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-ssh_host_ed25519_key: ENC[AES256_GCM,data:ViikQlGaTv/DZ30pqY3NB/ZP3C+8sT5QotmTm19l1DIxZainHZMRxx5TdcpZ0GN2qt4po7cNQLXWV+Sax4L0U1T5n0hrVn1eRuKIQfYXElf5ATQ5dZ/YcnkCpnyesCZqb7hTO7ASxrMe0ZXi/UCwKuEP0HlaXJbAFQgBbGbucUsEPVxfFIK/nunAfIwqNY0aw1Q836JD20J0TzH3wzILunXbEZRgrkDF8+ngWKHEL70PeR7zIQUYYAV2J1ed4OUTZNaSikz8a50d0z1dyyzf+9kKEh3/+ylUQKnZyp9zeA51Suo1gNual61S5XamCQ4bq4XzSwuC7TsA2Z/AVHPCBfbI41iY3TzrXsQLTY70MhCB37OKVI1z7ohnt3jSDtkzsEydZagFSy40ljoiOr27cok/u84+bnscE6CWUbrXRFqJl/7fJ21zFgwykuWellPfBHp3zHX7cf1FygZwJl+NE0SUNLyMahqAMnFucMAK3peIrtYmOfnQFzgQC51ofYVyci2U,iv:ksX0GdJEwuXpmWMvUCW7L2PjWGQJJec4Aa0dgpvZH+c=,tag:ujEe6U7mM49aSrq9O8W4BA==,type:str]
-ssh_host_rsa_key: ENC[AES256_GCM,data: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,iv:w7wN/4P+jDAXhcHU6KmzmWt96uNuLH4A3KOsPFHeqYg=,tag:f6yhvwy4IkNMdZAT1ds8Rg==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age143hpp7hqp4708z2dy868llsj8u9lc2jyq59ahnzusjvwg5g2u3cs3jaltg
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBacmJ1RlhFUXFpdkVjNGNW
- aHhldTdxQzc2WHRvT1d4Wld6UkFCMCtWUVJJCmxqUU9IdGVSb01NNnIwdURHdFBv
- UnZxdlNMZUsrOHljcFo4eDI5alNDUUkKLS0tIGh4UUF6bGs5MndpNW1GUGlaWjFG
- MUFVWWZIOVFFOVdIc2NlQzlDaGF4RmsKQ3CpBbxXbNElHc2+frySmeNUxtxr3l3Z
- gLTIENLoflBk5X9gAmb3WnqM8dnAPgaJrc1zOBHbOKhW5/4tHnewKw==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1ll4vesj4g09t7954pd3v46nmthcv569xed9g9msadrlz8jhgkcdq6ks7s9
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1WjVwS3FKYnBuQVVvOHlE
- S0gxYnpLQ2s5YVNZbGFwUncvQTk0QWFCeG1FCk83Ui9scHNFZjJuWWU5NkUwQVc0
- VGN2bUZ0ODZsbHZpSmFiWm5qSlE3MEkKLS0tIFA0NjFINFhrQkZkNjJ6T2EyTDR2
- SHV4YmpmclNtUTduanpJd0tvVU1lN2MKypHG7IlhIHKHhq+5JQkWFCDAwHZTJUBa
- uGBiRql3hgdE5oZPn1TO3IGDN9TubPOT55qRgzDr4Yzp4fSpmmqdrw==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-03-29T14:13:24Z"
- mac: ENC[AES256_GCM,data:D3ewRZIfgnTnsmG4o2FGtwiAsPscV3wUo1Nn14uHBMeJ+ZbQEIfgU6itmLJ491+fd5GWkMtt58kqSV5FHFtSSAFQzKB+e6vOjUxrnYuIwhhI/0hhilmtxPP33Cl5JtklW0udBVHQ4oFod2wsRDx376FY5pHYha5wdsIKFa22MDU=,iv:vetSO4+inAKPfsJlHfUl0vPIcA/bZLxWYehi9QeJwuo=,tag:WmlT4zQBqp4cvSYmX0dUnw==,type:str]
- pgp:
- - created_at: "2024-03-29T02:26:44Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hF4DHQ/8GQIwSu0SAQdASnR//Qw6S4qRp1iGAtMhknKzye9bzGG4x6/81KeffC0w
- 8uMZ3HTqXcQ4+6D1nZQInan4SzqrwC0xAfKZcuxC+9kmeikaMINnkBvA+1kx/rMB
- 0l4BqesChv0WK1uJVgkwLPM8sM9o9X4CF/Vto3w2bRl3J1O4BCkki49eUzE/myhj
- 2KjcrE+DUfVEe9uLDXhAyEuXbvUdln2j5MvktrsBBOoGNyz+qKn4nf59a29JXm31
- =wNTC
- -----END PGP MESSAGE-----
- fp: 7D2F4C6B9A8300CCDDB641FDDF14B55A7A29C30F
- unencrypted_suffix: _unencrypted
- version: 3.8.1
diff --git a/terraform/hosts.tf b/terraform/hosts.tf
index 547144435..fcdc2c88d 100644
--- a/terraform/hosts.tf
+++ b/terraform/hosts.tf
@@ -137,13 +137,6 @@ locals {
 endpoints_v4 = []
 endpoints_v6 = []
 }
- duo = {
- records = {}
- ddns_records = {}
- host_indices = []
- endpoints_v4 = []
- endpoints_v6 = []
- }
 # PLACEHOLDER new host
 }
 }