ar
/
nibylandia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
nibylandia/nixos/scylla/configuration.nix

596 lines
15 KiB
Nix
Raw Blame History

{ config, pkgs, ... }:
{
imports = [ ./hardware-configuration.nix ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot = {
kernelPackages = pkgs.linuxPackages_latest;
kernelParams =
[ "arm-smmu.disable_bypass=0" "pci=pcie_bus_perf" "iommu.passthrough=1" ];
# Setup SFP+ network interfaces early so systemd can pick everything up.
initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.restool}/bin/restool
copy_bin_and_libs ${pkgs.restool}/bin/ls-main
copy_bin_and_libs ${pkgs.restool}/bin/ls-addni
# Patch paths
sed -i "1i #!$out/bin/sh" $out/bin/ls-main
'';
initrd.postDeviceCommands = ''
ls-addni dpmac.7
ls-addni dpmac.8
ls-addni dpmac.9
ls-addni dpmac.10
'';
kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.all.autoconf" = 0;
"net.ipv6.conf.all.use_tempaddr" = 0;
};
};
age.secrets = {
wgNibylandiaScylla.file = ../../secrets/wg/nibylandia_scylla.age;
wgDN42Scylla.file = ../../secrets/wg/dn42_w1kl4s_scylla.age;
ddnsKeyKea = {
file = ../../secrets/lan/nibylandia-ddns-kea.age;
mode = "444";
};
ddnsKeyBind = {
file = ../../secrets/lan/nibylandia-ddns-bind.age;
mode = "400";
owner = "named";
group = "named";
};
};
networking.hostName = "scylla";
networking.wireless.enable = false;
time.timeZone = "Europe/Warsaw";
systemd.network.enable = true;
networking.useNetworkd = true;
networking.useDHCP = false;
networking.interfaces = {
eth0 = {
useDHCP = true;
macAddress = "50:7b:9d:b5:fa:e8";
};
lan = {
ipv4.addresses = [{
address = "192.168.24.1";
prefixLength = 24;
}];
};
eth1 = {
ipv4.addresses = [{
address = "192.168.20.1";
prefixLength = 24;
}];
};
};
networking.nameservers = [ "192.168.20.1" ];
networking.vlans = {
lan = {
id = 10;
interface = "eth1";
};
};
networking.wireguard.interfaces = {
wg-nibylandia = {
ips = [ "10.255.255.2/24" ];
privateKeyFile = config.age.secrets.wgNibylandiaScylla.path;
listenPort = 51315;
allowedIPsAsRoutes = true;
peers = [{
publicKey = "xwTYtejNZCtOyPMNcZVlsBIGYae6aUQczh7UwujLxXg=";
allowedIPs = [ "10.255.255.0/24" ];
endpoint = "zorigami.is-a.cat:51315";
persistentKeepalive = 15;
}];
};
dn42_w1kl4s_1 = {
ips = [ "fd25:af2d:1f51:255::1/64" "fe80::255:acab/64" ];
privateKeyFile = config.age.secrets.wgDN42Scylla.path;
listenPort = 51516;
allowedIPsAsRoutes = false;
peers = [{
publicKey = "zNP632K1qrezFIl8NQK1tR3XEdYHat/YgzdCXnFIWDE=";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "193.31.26.15:53137";
}];
postSetup = ''
${pkgs.iproute}/bin/ip addr add dev dn42_w1kl4s_1 172.20.148.161/32 peer 172.23.193.2/32
'';
};
};
networking.firewall.enable = true;
networking.firewall.logRefusedConnections = false;
networking.nat = {
enable = true;
externalInterface = "eth0";
internalInterfaces = [ "lan" "eth1" "virbr1" "virbr2" ];
forwardPorts = [
{
loopbackIPs = [ "185.102.189.133" ];
destination = "192.168.101.2:22";
sourcePort = 11520;
proto = "tcp";
} # sdomi's vm
{
loopbackIPs = [ "185.102.189.133" ];
destination = "192.168.20.31:22";
sourcePort = 23;
proto = "tcp";
}
{
loopbackIPs = [ "185.102.189.133" ];
destination = "192.168.20.32:22";
sourcePort = 32;
proto = "tcp";
}
{
destination = "192.168.20.31";
sourcePort = 2582;
proto = "tcp";
}
{
destination = "192.168.20.31";
sourcePort = "51411:51423";
proto = "tcp";
}
{
loopbackIPs = [ "185.102.189.133" ];
destination = "192.168.20.31:80";
sourcePort = 80;
proto = "tcp";
}
{
loopbackIPs = [ "185.102.189.133" ];
destination = "192.168.20.31:443";
sourcePort = 443;
proto = "tcp";
}
{
loopbackIPs = [ "185.102.189.133" ];
destination = "192.168.20.31:2005";
sourcePort = 2005;
proto = "tcp";
}
{
destination = "192.168.20.31";
sourcePort = "51411:51423";
proto = "udp";
}
{
loopbackIPs = [ "185.102.189.133" ];
destination = "192.168.20.31:80";
sourcePort = 80;
proto = "udp";
}
{
loopbackIPs = [ "185.102.189.133" ];
destination = "192.168.20.31:443";
sourcePort = 443;
proto = "udp";
}
{
loopbackIPs = [ "185.102.189.133" ];
destination = "192.168.20.31:2005";
sourcePort = 2005;
proto = "udp";
}
];
};
networking.firewall.allowedTCPPorts = [
179 # bgp
53
5201
6443 # k3s
];
networking.firewall.allowedUDPPorts = [
179 # bgp
53
51315
51516 # dn42-w1kl4s
];
networking.firewall.interfaces."eth1".allowedTCPPorts = [ 8123 ];
networking.firewall.interfaces."lan".allowedTCPPorts = [ 8123 ];
systemd.network.wait-online.extraArgs = [ "--any" ];
services.k3s = {
enable = false;
role = "server";
};
services.kea = {
dhcp4 = {
enable = true;
settings = {
interfaces-config = {
interfaces = [ "lan/192.168.24.1" "eth1/192.168.20.1" ];
};
lease-database = {
name = "/var/lib/kea/dhcp4.leases";
persist = true;
type = "memfile";
};
rebind-timer = 2000;
renew-timer = 1000;
valid-lifetime = 4000;
dhcp-ddns = {
enable-updates = true;
ncr-protocol = "UDP";
ncr-format = "JSON";
server-ip = "127.0.0.1";
server-port = 53001;
};
ddns-send-updates = true;
ddns-replace-client-name = "when-not-present";
ddns-update-on-renew = true;
ddns-override-client-update = true;
ddns-override-no-update = true;
subnet4 = [
{
subnet = "192.168.24.0/24";
pools = [{ pool = "192.168.24.40 - 192.168.24.240"; }];
reservations-out-of-pool = true;
reservations-in-subnet = true;
ddns-qualifying-suffix = "nibylandia.lan.";
option-data = [
{
name = "routers";
data = "192.168.24.1";
}
{
name = "domain-name-servers";
data = "192.168.24.1";
}
];
reservations = [{
hw-address = "34:15:13:b6:2a:e7";
hostname = "yamaha";
ip-address = "192.168.24.11";
}];
}
{
subnet = "192.168.20.0/24";
pools = [{ pool = "192.168.20.40 - 192.168.20.240"; }];
reservations-out-of-pool = true;
reservations-in-subnet = true;
ddns-qualifying-suffix = "nibylandia.lan.";
option-data = [
{
name = "routers";
data = "192.168.20.1";
}
{
name = "domain-name-servers";
data = "192.168.20.1";
}
];
reservations = [
{
hw-address = "00:02:c9:53:9a:c2";
hostname = "stereolith";
ip-address = "192.168.20.31";
}
{
hw-address = "00:30:93:12:0f:bf";
hostname = "microlith";
ip-address = "192.168.20.32";
}
];
}
];
};
};
dhcp-ddns = {
enable = true;
settings = {
dns-server-timeout = 100;
ip-address = "127.0.0.1";
ncr-format = "JSON";
ncr-protocol = "UDP";
forward-ddns = {
ddns-domains = [{
key-name = "bind-key-2021-12-27";
dns-servers = [{ ip-address = "192.168.20.1"; }];
name = "nibylandia.lan.";
}];
};
reverse-ddns = {
ddns-domains = [
{
key-name = "bind-key-2021-12-27";
dns-servers = [{ ip-address = "192.168.20.1"; }];
name = "20.168.192.in-addr.arpa.";
}
{
key-name = "bind-key-2021-12-27";
dns-servers = [{ ip-address = "192.168.20.1"; }];
name = "24.168.192.in-addr.arpa.";
}
];
};
tsig-keys = [{
name = "bind-key-2021-12-27";
algorithm = "HMAC-SHA512";
secret = "__keaInclude ${config.age.secrets.ddnsKeyKea.path}";
}];
};
};
};
services.bind = {
enable = true;
listenOn = [ "192.168.20.1" "192.168.24.1" ];
forwarders = [ "8.8.8.8" "1.1.1.1" "8.8.4.4" "1.0.0.1" ];
cacheNetworks = [ "192.168.20.0/24" "192.168.24.0/24" ];
zones = {
"nibylandia.lan" = {
master = true;
file = "/var/lib/bind/nibylandia.lan.zone";
extraConfig = ''
allow-update { key "bind-key-2021-12-27"; };
'';
};
"20.168.192.in-addr.arpa" = {
master = true;
file = "/var/lib/bind/20.168.192.in-addr.arpa.zone";
extraConfig = ''
allow-update { key "bind-key-2021-12-27"; };
'';
};
"24.168.192.in-addr.arpa" = {
master = true;
file = "/var/lib/bind/24.168.192.in-addr.arpa.zone";
extraConfig = ''
allow-update { key "bind-key-2021-12-27"; };
'';
};
};
extraConfig = ''
key "bind-key-2021-12-27" {
algorithm hmac-sha512;
include "${config.age.secrets.ddnsKeyBind.path}";
};
'';
extraOptions = ''
dnssec-validation no;
'';
};
services.bird2 = {
enable = true;
checkConfig = false;
config = ''
define OWNAS = 4242423137;
define OWNIP = 172.20.148.161;
define OWNIPv6 = fd25:af2d:1f51:255::1;
define OWNNET = 172.20.148.160/27;
define OWNNETv6 = fdc0:b038:c31e::/48;
define OWNNETSET = [ 172.20.148.160/27+ ];
define OWNNETSETv6 = [ fdc0:b038:c31e::/48+ ];
router id OWNIP;
protocol device {
scan time 10;
}
/*
* Utility functions
*/
function is_self_net() {
return net ~ OWNNETSET;
}
function is_self_net_v6() {
return net ~ OWNNETSETv6;
}
function is_valid_network() {
return net ~ [
172.20.0.0/14{21,29}, # dn42
172.20.0.0/24{28,32}, # dn42 Anycast
172.21.0.0/24{28,32}, # dn42 Anycast
172.22.0.0/24{28,32}, # dn42 Anycast
172.23.0.0/24{28,32}, # dn42 Anycast
172.31.0.0/16+, # ChaosVPN
10.100.0.0/14+, # ChaosVPN
10.127.0.0/16{16,32}, # neonetwork
10.0.0.0/8{15,24} # Freifunk.net
];
}
roa4 table dn42_roa;
roa6 table dn42_roa_v6;
protocol static {
roa4 { table dn42_roa; };
include "/etc/bird/roa_dn42.conf";
};
protocol static {
roa6 { table dn42_roa_v6; };
include "/etc/bird/roa_dn42_v6.conf";
};
function is_valid_network_v6() {
return net ~ [
fd00::/8{44,64} # ULA address space as per RFC 4193
];
}
protocol kernel {
scan time 20;
ipv6 {
import none;
export filter {
if source = RTS_STATIC then reject;
krt_prefsrc = OWNIPv6;
accept;
};
};
};
protocol kernel {
scan time 20;
ipv4 {
import none;
export filter {
if source = RTS_STATIC then reject;
krt_prefsrc = OWNIP;
accept;
};
};
}
protocol static {
route OWNNET reject;
ipv4 {
import all;
export none;
};
}
protocol static {
route OWNNETv6 reject;
ipv6 {
import all;
export none;
};
}
template bgp dnpeers {
local as OWNAS;
path metric 1;
ipv4 {
import filter {
if is_valid_network() && !is_self_net() then {
if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
reject;
} else accept;
} else reject;
};
export filter { if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
import limit 1000 action block;
};
ipv6 {
import filter {
if is_valid_network_v6() && !is_self_net_v6() then {
if (roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID) then {
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
reject;
} else accept;
} else reject;
};
export filter { if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
import limit 1000 action block;
};
}
include "/etc/bird/peers/*";
'';
};
security.polkit.enable = true;
virtualisation.libvirtd.enable = true;
services.avahi = {
enable = true;
reflector = true;
allowInterfaces = [ "lan" "eth1" ];
};
nixpkgs.config.allowUnfree = true;
nixpkgs.overlays =
[ (self: super: { restool = self.callPackage ./pkgs/restool { }; }) ];
environment.systemPackages = with pkgs; [
pv
libarchive
lshw
zip
file
tcpdump
lsof
restool
ethtool
pciutils
usbutils
dig
dstat
wget
bind
nmap
iperf
config.boot.kernelPackages.perf
];
programs = {
mtr.enable = true;
mosh.enable = true;
neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
};
zsh = {
enable = true;
enableBashCompletion = true;
autosuggestions.enable = true;
syntaxHighlighting.enable = true;
};
command-not-found.enable = false;
};
nix = {
package = pkgs.nixUnstable;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfIRe1nH6vwjQTjqHNnkKAdr1VYqGEeQnqInmf3A6UN ar@khas"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6rEwERSm/Fj4KO4SxFIo0BUvi9YNyf8PSL1FteMcMt arachnist@monolith"
];
services.openssh.enable = true;
system.stateVersion = "22.05";
}
Reference in New Issue View Git Blame Copy Permalink