Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add initial fw configs

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2023-11-10 18:40:26 +01:00
parent aaf92c8953
commit 3260eaf3a3
10 changed files with 301 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
fleet.nix
View File

@@ -40,6 +40,10 @@
username = "steamdeck.cloonar.com"; username = "steamdeck.cloonar.com";
key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDj14N3imYWbcLShJS0f1tv74cFuMblK1YmaEMhjVkj7WlNaIJYmE0BVXTR+An/XeBsOPGo4lr+E/gi4Io0mlNrD0xa4EqPyB/rXdmHpP3PVmIf2A1pIwnKqEVcgRrzp5ZdYxhYnHSPFe2kaF98J0wtLOTci85t8i9PwxVC1SyUM2J/AC3b/av9udGNyDdguGAXk/QaTlyPQz1QEk4VE+J/FblG5N5Hyq4xp20pcKtyEhNOMBFUQvoqAKdVIRH9Bhml8ksLivbIKkW6nJMEPfe03eG9FencR4SHltUXAk10KSLcwXyBKHp9opVPanMSy/lhoqyynJSfvITQs2xhp1W9wc5AEQHc6j/oOoGk/tUWlvUTSxZw/oG8pPvqeAYvtKtZWpS+UqvPzgx53fsdwSSy4tlTU1hjj35RM1dSchTJMs/9ohZN/ePoaCIDwRU2JThXrZqD50feP7+Tmaqhisk+I2WZokL4unfxz71PtRz2UK71jqiMMr8+R8e3LP32340= root@steamdeck"; key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDj14N3imYWbcLShJS0f1tv74cFuMblK1YmaEMhjVkj7WlNaIJYmE0BVXTR+An/XeBsOPGo4lr+E/gi4Io0mlNrD0xa4EqPyB/rXdmHpP3PVmIf2A1pIwnKqEVcgRrzp5ZdYxhYnHSPFe2kaF98J0wtLOTci85t8i9PwxVC1SyUM2J/AC3b/av9udGNyDdguGAXk/QaTlyPQz1QEk4VE+J/FblG5N5Hyq4xp20pcKtyEhNOMBFUQvoqAKdVIRH9Bhml8ksLivbIKkW6nJMEPfe03eG9FencR4SHltUXAk10KSLcwXyBKHp9opVPanMSy/lhoqyynJSfvITQs2xhp1W9wc5AEQHc6j/oOoGk/tUWlvUTSxZw/oG8pPvqeAYvtKtZWpS+UqvPzgx53fsdwSSy4tlTU1hjj35RM1dSchTJMs/9ohZN/ePoaCIDwRU2JThXrZqD50feP7+Tmaqhisk+I2WZokL4unfxz71PtRz2UK71jqiMMr8+R8e3LP32340= root@steamdeck";
} }
{
username = "fw.cloonar.com";
key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDj14N3imYWbcLShJS0f1tv74cFuMblK1YmaEMhjVkj7WlNaIJYmE0BVXTR+An/XeBsOPGo4lr+E/gi4Io0mlNrD0xa4EqPyB/rXdmHpP3PVmIf2A1pIwnKqEVcgRrzp5ZdYxhYnHSPFe2kaF98J0wtLOTci85t8i9PwxVC1SyUM2J/AC3b/av9udGNyDdguGAXk/QaTlyPQz1QEk4VE+J/FblG5N5Hyq4xp20pcKtyEhNOMBFUQvoqAKdVIRH9Bhml8ksLivbIKkW6nJMEPfe03eG9FencR4SHltUXAk10KSLcwXyBKHp9opVPanMSy/lhoqyynJSfvITQs2xhp1W9wc5AEQHc6j/oOoGk/tUWlvUTSxZw/oG8pPvqeAYvtKtZWpS+UqvPzgx53fsdwSSy4tlTU1hjj35RM1dSchTJMs/9ohZN/ePoaCIDwRU2JThXrZqD50feP7+Tmaqhisk+I2WZokL4unfxz71PtRz2UK71jqiMMr8+R8e3LP32340= root@steamdeck";
}
]; ];
in { in {
imports = builtins.map create_users users; imports = builtins.map create_users users;

60
hosts/fw.cloonar.com/configuration.nix Normal file
View File

@@ -0,0 +1,60 @@
{ ... }: {
imports = [
./utils/bento.nix
./utils/modules/sops.nix
./utils/modules/lego/lego.nix
./utils/modules/nginx.nix
./utils/modules/autoupgrade.nix
./utils/modules/promtail
./utils/modules/borgbackup.nix
./utils/modules/netdata.nix
./modules/networking.nix
./modules/firewall.nix
./modules/dhcp4.nix
./modules/avahi.nix
./modules/openconnect.nix
./hardware-configuration.nix
];
nixpkgs.config.permittedInsecurePackages = [
];
time.timeZone = "Europe/Vienna";
services.logind.extraConfig = "RuntimeDirectorySize=2G";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.defaultSopsFile = ./secrets.yaml;
environment.systemPackages = with pkgs; [
vim # my preferred editor
htop # to see the system load
ppp # for some manual debugging of pppd
ethtool # manage NIC settings (offload, NIC feeatures, ...)
tcpdump # view network traffic
conntrack-tools # view network connection states
];
nix.gc = {
automatic = true;
options = "--delete-older-than 60d";
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "fw";
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
# backups
borgbackup.repo = "u149513-sub5@u149513-sub5.your-backup.de:borg";
system.stateVersion = "22.05";
}

1
hosts/fw.cloonar.com/fleet.nix Symbolic link
View File

@@ -0,0 +1 @@
../../fleet.nix

9
hosts/fw.cloonar.com/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,9 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/sda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "vmw_pvscsi" "xen_blkfront" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
}

10
hosts/fw.cloonar.com/modules/avahi.nix Normal file
View File

@@ -0,0 +1,10 @@
{ ... }: {
services.avahi = {
enable = true;
reflector = true;
interfaces = [
"lan"
"multimedia"
];
};
}

45
hosts/fw.cloonar.com/modules/dhcp4.nix Normal file
View File

@@ -0,0 +1,45 @@
{ ... }: {
services.dhcpd4 = {
enable = true;
interfaces = [ "lan" "server" "smart" "multimedia" "guest" ];
extraConfig = ''
option domain-name-servers 10.42.97.1, 9.9.9.9;
option subnet-mask 255.255.255.0;
subnet 10.42.96.0 netmask 255.255.255.0 {
option broadcast-address 10.42.96.255;
option routers 10.42.97.1;
interface lan;
range 10.42.96.128 10.42.96.254;
}
subnet 10.42.97.0 netmask 255.255.255.0 {
option broadcast-address 10.42.97.255;
option routers 10.42.97.1;
interface server;
range 10.42.96.128 10.42.97.254;
}
subnet 10.42.99.0 netmask 255.255.255.0 {
option broadcast-address 10.42.99.255;
option routers 10.42.99.1;
interface multimedia;
range 10.42.99.128 10.42.99.254;
}
subnet 10.42.100.0 netmask 255.255.255.0 {
option broadcast-address 10.42.100.255;
option routers 10.42.100.1;
interface smart;
range 10.42.100.128 10.42.100.254;
}
subnet 10.42.254.0 netmask 255.255.255.0 {
option broadcast-address 10.42.254.255;
option routers 10.42.254.1;
interface guest;
range 10.42.100.128 10.42.254.254;
}
'';
};
}

87
hosts/fw.cloonar.com/modules/firewall.nix Normal file
View File

@@ -0,0 +1,87 @@
{ ... }: {
networking = {
nat.enable = false;
firewall.enable = false;
nftables = {
enable = true;
ruleset = ''
table inet filter {
# enable flow offloading for better throughput
flowtable f {
hook ingress priority 0;
devices = { lan, server, wg0, smart, multimedia, guest };
}
chain output {
type filter hook output priority 100; policy accept;
}
chain input {
type filter hook input priority filter; policy drop;
# Allow trusted networks to access the router
iifname {
"lan",
"wg0"
} counter accept
# Accept mDNS for avahi reflection
iifname "multimedia" ip saddr <chromecast IP> tcp dport { llmnr } counter accept
iifname "multimedia" ip saddr <chromecast IP> udp dport { mdns, llmnr } counter accept
# Allow returning traffic from wg0 and drop everthing else
iifname "wg0" ct state { established, related } counter accept
iifname "wg0" drop
}
chain forward {
type filter hook forward priority filter; policy drop;
# enable flow offloading for better throughput
ip protocol { tcp, udp } flow offload @f
# multimedia airplay
iifname "multimedia" oifname { "lan" } counter accept
# lan and vpn to any
iifname { "lan", "wg0" } oifname { "server", "multimedia", "smart", "wrwks" } counter accept
# Allow trusted network WAN access
iifname {
"lan",
"server",
"multimedia",
"smart",
"wg0",
} oifname {
"wan",
} counter accept comment "Allow trusted LAN to WAN"
# Allow established WAN to return
iifname {
"wan",
} oifname {
"lan",
"server",
"multimedia",
"smart",
"wg0",
} ct state established,related counter accept comment "Allow established back to LANs"
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority filter; policy accept;
}
# Setup NAT masquerading on the ppp0 interface
chain postrouting {
type nat hook postrouting priority filter; policy accept;
oifname { "wan", "wrwks" } masquerade
}
}
'';
};
};
}

74
hosts/fw.cloonar.com/modules/networking.nix Normal file
View File

@@ -0,0 +1,74 @@
{ ... }: {
networking = {
useDHCP = false;
nameserver = [ "9.9.9.9" "149.112.112.112" ];
# Define VLANS
vlans = {
wan = {
id = 10;
interface = "enp1s0";
};
lan = {
id = 1;
interface = "enp2s0";
};
server = {
id = 2;
interface = "enp3s0";
};
multimedia = {
id = 3;
interface = "enp4s0";
};
smart = {
id = 4094;
interface = "enp4s0";
};
guest = {
id = 100;
interface = "enp4s0";
};
};
interfaces = {
# Don't request DHCP on the physical interfaces
enp1s0.useDHCP = false;
enp2s0.useDHCP = false;
enp3s0.useDHCP = false;
enp4s0.useDHCP = false;
# Handle the VLANs
wan.useDHCP = true;
lan = {
ipv4.addresses = [{
address = "10.42.96.1";
prefixLength = 24;
}];
};
server = {
ipv4.addresses = [{
address = "10.42.97.1";
prefixLength = 24;
}];
};
multimedia = {
ipv4.addresses = [{
address = "10.42.99.1";
prefixLength = 24;
}];
};
smart = {
ipv4.addresses = [{
address = "10.42.100.1";
prefixLength = 24;
}];
};
guest = {
ipv4.addresses = [{
address = "10.42.254.1";
prefixLength = 24;
}];
};
};
};
}

10
hosts/fw.cloonar.com/modules/openconnect.nix Normal file
View File

@@ -0,0 +1,10 @@
{ ... }: {
networking.openconnect.interfaces = {
wrwks = {
gateway = "vpn.wrwks.at";
passwordFile = "/var/lib/secrets/openconnect-passwd";
protocol = "anyconnect";
user = "exdpolakovics@wrwks.local";
};
};
}

1
hosts/fw.cloonar.com/utils Symbolic link
View File

@@ -0,0 +1 @@
../../utils