Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/sentinel-fwlogs.nix37
-rw-r--r--nixos/modules/sentinel-minipot.nix73
-rw-r--r--nixos/modules/sentinel.nix53
-rw-r--r--nixos/modules/turris-board.nix95
4 files changed, 258 insertions, 0 deletions
diff --git a/nixos/modules/sentinel-fwlogs.nix b/nixos/modules/sentinel-fwlogs.nix
new file mode 100644
index 0000000..b7b056a
--- /dev/null
+++ b/nixos/modules/sentinel-fwlogs.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+ imports = [ ./sentinel.nix ];
+
+
+ options = {
+
+ services.sentinel.fwlogs = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to enable the Turris Sentinel Firewall logs collector.
+ The services.sentinel.enable has to be enabled as well.
+ '';
+ };
+ };
+ };
+
+
+ config = mkIf config.services.sentinel.enable && config.services.sentinel.fwlogs.enable {
+ environment.systemPackages = [ pkgs.sentinel-fwlogs ];
+
+ systemd.services.sentinel-fwlogs = {
+ description = "Turris Sentinel Firewall Logs";
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.sentinel-fwlogs ];
+ serviceConfig.ExecStart = "${pkgs.sentinel-fwlogs}/bin/sentinel-fwlogs";
+ };
+
+ };
+
+}
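Review bot: The `mkIf` condition on the `config = mkIf config.services.sentinel.enable && config.services.sentinel.fwlogs.enable {` line needs parentheses, because in Nix function application binds tighter than `&&`, so this parses as `(mkIf config.services.sentinel.enable) && (config.services.sentinel.fwlogs.enable { … })` and fails at evaluation. Write it as `config = mkIf (config.services.sentinel.enable && config.services.sentinel.fwlogs.enable) {`. The same precedence problem is on the `config = mkIf config.services.sentinel.enable && cnf.enable {` line in sentinel-minipot.nix, which wants `mkIf (config.services.sentinel.enable && cnf.enable)`.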
diff --git a/nixos/modules/sentinel-minipot.nix b/nixos/modules/sentinel-minipot.nix
new file mode 100644
index 0000000..f0b022e
--- /dev/null
+++ b/nixos/modules/sentinel-minipot.nix
@@ -0,0 +1,73 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cnf = config.sentinel.minipot;
+ inherit (pkgs) sentinel-minipot;
+
+ minipotOpts = { name, port }: {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to enable the Turris Sentinel ${name} Minipot.
+ The services.sentinel.enable and service.sentinel.minipot.enable have to be enabled as well.
+ '';
+ };
+ port = mkOption {
+ type = types.port;
+ default = port;
+ description = "The port ${name} minipot should bind to.";
+ };
+ };
+
+in {
+
+ imports = [ ./sentinel.nix ];
+
+
+ options = {
+ services.sentinel.minipot = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to enable the Turris Sentinel Minipot system.
+ The services.sentinel.enable has to be enabled as well.
+ '';
+ };
+
+ http = minipotOpts { name = "HTTP"; port = 80805; };
+ ftp = minipotOpts { name = "FTP"; port = 80805; };
+ smtp = minipotOpts { name = "SMTP"; port = 80805; };
+ telnet = minipotOpts { name = "Telnet"; port = 80805; };
+ };
+ };
+
+
+ config = mkIf config.services.sentinel.enable && cnf.enable {
+ assertions = [
+ {
+ assertion = cnf.http.enable || cnf.ftp.enable || cnf.smtp.enable || cnf.telnet.enable;
+ message = "Sentinel minipot requires at least one of the protocols to be enabled";
+ }
+ ];
+
+ environment.systemPackages = [ sentinel-minipot ];
+
+ systemd.services.sentinel-minipot = {
+ description = "Turris Sentinel Minipot";
+ wantedBy = [ "multi-user.target" ];
+ path = [ sentinel-minipot ];
+ serviceConfig.ExecStart = "${sentinel-minipot}/bin/sentinel-minipot"
+ + optionalString cnf.http.enable " --http=${cnf.http.port}"
+ + optionalString cnf.ftp.enable " --ftp=${cnf.ftp.port}"
+ + optionalString cnf.smtp.enable " --smtp=${cnf.smtp.port}"
+ + optionalString cnf.telnet.enable " --telnet=${cnf.telnet.port}";
+ };
+
+ };
+
+}
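Review bot: `cnf = config.sentinel.minipot;` in the `let` block reads an attribute path that this module never declares; the options live under `services.sentinel.minipot`, so evaluation would fail the moment `cnf.enable` is referenced, and the line should be `cnf = config.services.sentinel.minipot;`. The ExecStart interpolations `" --http=${cnf.http.port}"` (and the ftp/smtp/telnet lines) splice an integer into a string, which Nix rejects; use `" --http=${toString cnf.http.port}"` on each of them. The four `port = 80805;` defaults exceed 65535, so `types.port` will reject them, and all four listeners would collide on one port anyway; each protocol needs its own valid 16-bit default, and a reader would expect the HTTP, FTP, SMTP and Telnet minipots to differ. The description text `service.sentinel.minipot.enable` is missing the `s` of `services`.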
diff --git a/nixos/modules/sentinel.nix b/nixos/modules/sentinel.nix
new file mode 100644
index 0000000..5362524
--- /dev/null
+++ b/nixos/modules/sentinel.nix
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+ options = {
+
+ services.sentinel = {
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable the Turris Sentinel attact prevention system.
+ '';
+ };
+ deviceToken = mkOption {
+ type = types.str;
+ description = ''
+ Turris Sentinel token. You can use `sentinel-device-token -c` to get new one.
+ '';
+ };
+
+ faillogs = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to enable the Turris Sentinel fail logs collector.
+ The services.sentinel.enable has to be enabled as well.
+ '';
+ };
+ };
+ };
+
+ };
+
+
+ config = mkIf config.services.sentinel.enable {
+ environment.systemPackages = [ pkgs.sentinel-proxy ];
+ #environment.etc.cups.source = "/var/lib/cups";
+
+ #systemd.services.sentinel-proxy = {
+ # description = "Turris Sentinel proxy";
+ # wantedBy = [ "multi-user.target" ];
+ # path = [ sentinel-proxy ];
+ # serviceConfig.ExecStart = "${sentinel-proxy}/bin/sentinel-proxy -f ";
+ #};
+
+ };
+
+}
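Review bot: `deviceToken` is declared as `types.str`, so whatever value a host sets ends up in the evaluated configuration and, once something consumes it, in the world-readable Nix store; for a credential the usual NixOS pattern is a file path read at service start, e.g. `deviceTokenFile = mkOption { type = types.path; description = "Path to a file containing the Turris Sentinel device token; kept out of the Nix store."; };`. As written neither `deviceToken` nor `faillogs.enable` is referenced in the `config` block, and the `sentinel-proxy` service that would presumably use the token is commented out, so enabling `services.sentinel` currently only installs `pkgs.sentinel-proxy`; a comment stating that the proxy unit is intentionally disabled for now would help the next reader. The leftover `#environment.etc.cups.source = "/var/lib/cups";` line looks unrelated to this module and could be dropped. In the enable description, `attact` should read `attack`.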
diff --git a/nixos/modules/turris-board.nix b/nixos/modules/turris-board.nix
new file mode 100644
index 0000000..4b8aa0d
--- /dev/null
+++ b/nixos/modules/turris-board.nix
@@ -0,0 +1,95 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+ options = {
+ turris.board = mkOption {
+ type = types.enum [ "omnia" "mox" ];
+ description = "The unique Turris board identifier.";
+ };
+
+ turris.device = mkOption {
+ type = types.str;
+ example = "/dev/mmcblk0";
+ description = "The device used to boot the Turris system.";
+ };
+ };
+
+ config = {
+ assertions = [{
+ assertion = config.turris.board != null;
+ message = "Turris board has to be specified";
+ }];
+
+ # We do not need Grub as U-Boot supports boot using extlinux like file
+ boot.loader.grub.enable = false;
+ boot.loader.generic-extlinux-compatible.enable = true;
+ # Use early print to the serial console
+ boot.kernelParams = [
+ "earlyprintk" "console=ttyMV0,115200" "earlycon=ar3700_uart,0xd0012000"
+ "boot.shell_on_fail"
+ ];
+
+ # Use the latest kernel
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ # The supported deployment is on BTRFS
+ boot.supportedFilesystems = [ "btrfs" ];
+
+ # Cover nix memory consumption peaks by compressing the RAM
+ zramSwap = {
+ enable = true;
+ memoryPercent = 100;
+ };
+ # Nix is really memory hungry so we have to sometimes also use swap device.
+ # We expect that to be the second partition on the root device.
+ swapDevices = [{
+ device = config.turris.device + "p2";
+ priority = 0;
+ }];
+
+ fileSystems = {
+ # Root filesystem is expected to be on:
+ # Mox: SD card
+ # Omnia: internam MMC storage
+ "/" = {
+ device = config.turris.device + "p1";
+ fsType = "btrfs";
+ };
+ };
+
+ # The default hostname
+ # TODO set this only if not already set
+ networking.hostName = "nixturris";
+
+ # Enable flakes for nix as we are using that instead of legacy setup
+ nix = {
+ package = pkgs.nixFlakes;
+ extraOptions = "experimental-features = nix-command flakes";
+ };
+
+ # Allow root access over SSH
+ # TODO allow disable as it is nice only for initial setup
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = true;
+ permitRootLogin = "yes";
+ };
+
+ # Set default editor
+ # TODO probably switch to nano later on
+ programs.vim.defaultEditor = true;
+
+ # The additional administration packages
+ environment.systemPackages = with pkgs; [
+ (pkgs.nixos-rebuild.override { nix = config.nix.package.out; })
+ git # This is required to access the repository
+ htop
+ ];
+
+ # No need for installer tools in standard system
+ system.disableInstallerTools = true;
+ };
+}
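Review bot: The assertion `assertion = config.turris.board != null;` cannot do its job, because `turris.board` has no default, and reading an unset option without one raises an evaluation error before assertions are checked; either give the option `default = null` with `type = types.nullOr (types.enum [ "omnia" "mox" ]);` so the assertion message is what the user sees, or drop the assertion and rely on the built-in missing-option error. The `services.openssh` block hard-sets `permitRootLogin = "yes";` and `passwordAuthentication = true;` for every board that imports this module, and the TODO acknowledges it is only meant for initial setup; at minimum make them `mkDefault "yes"` / `mkDefault true` so a host configuration can tighten them without `mkForce`, and consider turning the whole block into an opt-in option. The `boot.kernelParams` entries `console=ttyMV0,115200` and `earlycon=ar3700_uart,0xd0012000` are set unconditionally even though `turris.board` distinguishes two boards; if they apply to only one of them (this is inferred, not visible here), guarding them on `config.turris.board` would avoid an unusable serial console on the other. `internam` in the root-filesystem comment should be `internal`.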