# NixOS configuration for "customs", the hackerspace edge router / firewall.
#
# What this file wires together (all of it is visible below):
#   - stable interface naming by MAC (systemd.network.links) for uplink / lan /
#     managment / lte, plus two tagged VLANs (laser, bms) and a dummy "loop"
#     interface carrying the router's stable IPv6 /128;
#   - nftables host firewall, anti-spoofing on forward, SNAT for the private
#     ranges, one DNAT, and nflog-based logging of outbound connections
#     (consumed by the ulogd2 module imported from ./ulogd2/service.nix);
#   - OSPFv3 via bird, configured through the hscloud.routing module;
#   - DNS: knot (authoritative, on the uplink addresses) and unbound
#     (recursive, for the LAN / VPN), dhcpd4 and radvd for the LAN;
#   - member OpenVPN (password-authenticated), nginx metrics front with ACME,
#     node exporter, local-only postfix, cron jobs and logrotate.
#
# The NixOS firewall module is disabled in favour of a hand-written nftables
# ruleset; review notes on individual rules sit right above that ruleset.
{ config, pkgs, ... }:

let
  # hscloud checkout, hscloud.routing used to set up dynamic routing (OSPFv6 via bird)
  # Pinned to a specific commit, so the imported routing module cannot change
  # underneath this host without editing this file.
  hscloud = fetchGit {
    url = "https://gerrit.hackerspace.pl/hscloud.git";
    name = "hscloud";
    rev = "e401735fdd241b25dac4cb82d828dcfa6f84b198";
  };

  # Per-machine data kept outside this file: hw.json supplies rootUUID (used for
  # the root filesystem below), fw-7535.nix supplies hw_addresses, a list of MACs
  # indexed by position in the networks set below.
  hw = builtins.fromJSON (builtins.readFile ./hw.json);
  fw = import ./fw-7535.nix;

  # SSH public keys granted root login (see users.users.root.openssh below).
  # Password authentication is disabled in services.openssh, so these keys are
  # the only interactive way in.
  vuko-pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhaCaC/CVYv6hphqmEdKaPrIn+Q946+myvL9SSnzFZk vuko@eagle";
  q3k-pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG599UildOrAq+LIOQjKqtGMwjgjIxozI1jtQQRKHtCP q3k@mimeomia";

  # Logical networks of this router. Where hw_addr is present the kernel
  # interface is renamed to the attribute name via a systemd .link file (see
  # systemd.network.links below); "vpn" has no hw_addr because the interface
  # is created by OpenVPN ("dev vpn").
  #
  # "managment" (sic): the misspelling is load-bearing — it is used as an
  # nftables iifname and as a networking.interfaces key below, so it must be
  # renamed everywhere at once or not at all.
  networks = {
    uplink = {
      description = "Hackerspace Internet Uplink";
      hw_addr = builtins.elemAt fw.hw_addresses 0;
      ipv4 = "185.236.240.5";
      ipv6 = "2a0d:eb00:2137:1::3";
    };
    lan = {
      description = "Hackerspace LAN";
      hw_addr = builtins.elemAt fw.hw_addresses 1;
      ipv4 = "10.8.1.2";
      ipv6 = "2a0d:eb00:4242::1";
    };
    managment = {
      description = "Management network (temporary routing)";
      hw_addr = builtins.elemAt fw.hw_addresses 2;
    };
    lte = {
      description = "temp LTE uplink";
      hw_addr = builtins.elemAt fw.hw_addresses 3;
    };
    vpn = {
      description = "Hackerspace members vpn";
      ipv4 = "10.9.1.1";
    };
  };

  hostname = "customs";
  # Helper derivation providing the OpenVPN auth-user-pass-verify script
  # (openvpn-auth-member); see ./openvpn-auth.
  openvpn-auth = import ./openvpn-auth { inherit pkgs; };

  # Secrets are referenced by string path, not by Nix path literal, so the
  # files are read at runtime and are NOT copied into the world-readable
  # /nix/store. Keep it that way when adding new secrets.
  # The trailing slash plus the "${secrets-path}/..." usages below yields a
  # doubled "//" in the resulting paths; harmless on Linux.
  secrets-path = "/etc/nixos/secrets/";

  # Wrapper around update_authorized_keys.py (run nightly by cron below and
  # installed into systemPackages). Presumably refreshes authorized_keys from
  # LDAP (ldap3) using the password file under secrets-path — see the script.
  update_authorized_keys = pkgs.writeShellScriptBin "update_authorized_keys" ''
    ${pkgs.python3.withPackages (pp: [ pp.ldap3 ])}/bin/python ${./update_authorized_keys.py} ${hostname} ${secrets-path}/ldap-password.txt
  '';

in {
  imports =
    [
      ./ulogd2/service.nix
      #./hardware-configuration.nix
      <nixpkgs/nixos/modules/profiles/minimal.nix>
      <nixpkgs/nixos/modules/profiles/all-hardware.nix>
      # Provides the hscloud.routing options configured further down.
      "${hscloud}/bgpwtf/machines/modules/routing.nix"
      ./checkinator-tracker.nix
      ./checkinator-web.nix
      ./mikrotik-exporter.nix
      ./netboot.nix
      ./laserproxy/service.nix
    ];

  # Headless box: GRUB and the kernel console live on the serial port
  # (ttyS0 @ 115200). "nodev" generates the GRUB config without (re)installing
  # the bootloader to any disk — presumably installed out-of-band; confirm.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "nodev";
  boot.loader.grub.extraConfig = ''
    serial --unit=0 --speed=115200
    terminal_input serial
    terminal_output serial
  '';
  boot.kernelParams = ["console=tty0" "console=ttyS0,115200"];

  time.timeZone = "Europe/Warsaw";

  fileSystems."/" = {
    device = "/dev/disk/by-partuuid/${hw.rootUUID}";
    fsType = "ext4";
  };

  # Local-only MTA (inet_interfaces = loopback-only), so cron's mailto below
  # can deliver. Its TLS material comes from the ACME directory that the
  # customs.hackerspace.pl nginx vhost (enableACME) populates.
  services.postfix = let acme_dir = "/var/lib/acme"; in {
    enable = true;
    domain = "customs.hackerspace.pl";
    hostname = "customs.hackerspace.pl";
    destination = [ "localhost" ];
    sslCert = "${acme_dir}/customs.hackerspace.pl/full.pem";
    sslKey = "${acme_dir}/customs.hackerspace.pl/key.pem";
    enableSmtp = true;
    enableSubmission = false;
    #relayHost = "hackerspace.pl";
    extraConfig = ''
      inet_interfaces = loopback-only
    '';
  };

  # RAM-backed staging area for secrets handed to services (nosuid/nodev/noexec
  # so nothing can be executed from it); populated by the "secrets" unit below.
  fileSystems."/mnt/secrets" = {
    fsType = "tmpfs";
    options = [ "rw" "mode=755" "size=200M" "nosuid" "nodev" "relatime" "noexec" ];
  };

  networking.hostName = hostname;
  networking.useDHCP = false;
  # Tagged VLANs on the LAN port; addressed in networking.interfaces below.
  networking.vlans = {
    laser = {
      id = 4001;
      interface = "lan";
    };
    bms = {
      id = 4002;
      interface = "lan";
    };
  };

  # Copies the at.hackerspace.pl TLS key/cert into the tmpfs as root-owned
  # mode 0400 files and grants only the nginx user read access via ACL, so the
  # key is never world-readable. The vhost in this file uses ACME instead;
  # presumably one of the imported modules (e.g. checkinator-web.nix) serves
  # at.hackerspace.pl — confirm.
  # NOTE(review): wantedBy/partOf pull this unit in with nginx.service but do
  # not order it; without `before = [ "nginx.service" ]` nginx may start before
  # the files exist on a cold boot — confirm the ordering is acceptable.
  systemd.services.secrets = {
    enable = true;
    description = "Copy secrets and fix permissions";
    script = ''
      ${pkgs.coreutils}/bin/install --owner=root --mode=700 --directory /mnt/secrets/nginx/
      ${pkgs.coreutils}/bin/install --owner=root --mode=400 -t /mnt/secrets/nginx/ \
        ${secrets-path}/nginx/at.hackerspace.pl.key \
        ${secrets-path}/nginx/at.hackerspace.pl.crt
      ${pkgs.acl}/bin/setfacl -m "u:nginx:rx" /mnt/secrets/nginx
      ${pkgs.acl}/bin/setfacl -m "u:nginx:r" /mnt/secrets/nginx/*
    '';
    wantedBy = [ "nginx.service" ];
    partOf = [ "nginx.service" ];
    serviceConfig.Type = "oneshot";
    serviceConfig.RemainAfterExit = "true";
    serviceConfig.User = "root";
  };

  # Node exporter bound to loopback only; exposed externally through the
  # nginx /metrics/node location, which carries its own allow/deny list.
  services.prometheus.exporters.node = {
    enable = true;
    listenAddress = "[::1]";
    port = 9100;
    enabledCollectors = [ "systemd" ];
  };

  # Stable interface names: every network that declares hw_addr gets a
  # 10-link-<name>.link file matching on that MAC and renaming the device to
  # the network's name, so the nftables iifname/oifname rules below are stable
  # across reboots and hardware enumeration order.
  systemd.network.links = builtins.listToAttrs (map (
    name: { name = "10-link-${name}"; value = {
      enable = true;
      matchConfig = {
        MACAddress = networks."${name}".hw_addr;
      };
      linkConfig = {
        Name = "${name}";
      };
    }; }
  ) (builtins.filter (name: builtins.hasAttr "hw_addr" networks."${name}") (builtins.attrNames networks)));

  #networking.interfaces.vpn = {
  #  virtual = true;
  #  name = "vpn";
  #  #ipv4.addresses = [ { address = 10.9.1.1; prefixlen = 16; } ];
  #};

  # This host routes between its networks; the forward chain below decides what
  # is actually allowed through.
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = true;
    "net.ipv6.conf.all.forwarding" = true;
  };

  # using nftables so firewall has to be disabled
  networking.firewall.enable = false;
  networking.nftables.enable = true;
  # Review notes on the ruleset (nftables syntax lives inside the string, so the
  # notes are kept here rather than next to the rules):
  #  - input: ends in "counter drop". SSH (22), DNS (53), HTTP/HTTPS (80/443),
  #    OpenVPN (20001) and laserproxy (40200/50200 UDP) are accepted on every
  #    interface, including uplink.
  #  - input, NOTE(review): the unrestricted "udp dport tftp accept" precedes
  #    "iifname managment udp dport tftp accept", so the interface-restricted
  #    rule never matches and TFTP is reachable from the uplink too. If netboot
  #    is only needed on lan/managment, the first rule should carry an iifname.
  #  - input, NOTE(review): OSPFv3 ("ip6 nexthdr 89") is accepted from any
  #    interface, while the bird config below runs OSPF only on uplink, lan
  #    and loop; restricting the rule with iifname would match that intent.
  #  - input: "tcp dport 20001" has no TCP listener in this file (OpenVPN is
  #    proto udp/udp6) — confirm it is still needed.
  #  - forward: policy drop; each jump to "accepted" ties a source prefix to its
  #    ingress interface (anti-spoofing). Nothing admits new connections from
  #    laser, bms, managment or lte, so those networks can only talk to the
  #    router itself (and reply to VPN clients) — presumably intentional.
  #  - accepted: connections leaving towards uplink that are not exempted are
  #    logged to nflog group 2 (ulogd2) before being accepted.
  #    NOTE(review): "225.225.225.225/32" looks like a typo for the limited
  #    broadcast address 255.255.255.255 — confirm; "fe80::/8" is wider than
  #    link-local (fe80::/10) and exempts all of fe00::/8 from logging — confirm.
  #  - prerouting, NOTE(review): the 8333 -> 10.8.1.49 DNAT has no matching
  #    forward rule in this file (new connections arriving on uplink never reach
  #    "accepted"), so it may be dropped by the forward policy unless an imported
  #    module appends rules to the ruleset — confirm it works as intended.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input {
        type filter hook input priority 0;

        # accept any localhost traffic
        iifname lo accept

        # accept traffic originated from us
        ct state {established, related} accept

        # ICMP
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, nd-router-solicit } accept
        ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept

        # allow "ping"
        ip6 nexthdr icmpv6 icmpv6 type echo-request accept
        ip protocol icmp icmp type echo-request accept

        # allow OSPFv3
        ip6 nexthdr 89 accept

        tcp dport 22 accept
        tcp dport 53 accept
        udp dport 53 accept
        tcp dport 80 accept
        tcp dport 443 accept
        udp dport tftp accept

        iifname managment udp dport tftp accept
        iifname lan tcp dport 8080 accept

        # openvpn-members
        udp dport 20001 accept
        tcp dport 20001 accept

        # laserproxy
        udp dport 40200 accept
        udp dport 50200 accept

        counter drop
      }

      # Allow all outgoing connections.
      chain output {
        type filter hook output priority 0; policy accept;
      }

      chain forward {
        type filter hook forward priority 0; policy drop;
        ct state {established, related} jump accepted
        oifname "loop" jump accepted
        ip saddr 10.8.0.0/16 iifname "lan" jump accepted
        ip saddr 10.9.0.0/16 iifname "vpn" jump accepted
        ip6 saddr 2a0d:eb00:4242::0/64 iifname "lan" jump accepted
        ip6 saddr 2a0d:eb00:4242:1::0/64 iifname "vpn" jump accepted
        ip6 saddr 2a0d:eb00:4242:1::1/128 iifname "loop" jump accepted
      }

      chain accepted {
        # IMPORTANT
        # Log all connections to the outside world from LAN interface, as we are
        # required to do so
        oifname != "uplink" accept
        iifname "uplink" accept
        ip daddr { 10.0.0.0/8, 225.225.225.225/32 } accept
        ip6 daddr { 2a0d:eb00::/29, fe80::/8 } accept
        log group 2 accept
      }
    }

    table inet net {
      chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr 10.8.0.0/16 oifname uplink snat ${networks.uplink.ipv4}
        ip saddr 10.9.0.0/16 oifname uplink snat ${networks.uplink.ipv4}
      }

      chain prerouting {
        type nat hook prerouting priority -100;

        # Access to staszkecoin from Internet
        ip version 4 iifname "uplink" tcp dport 8333 dnat 10.8.1.49
      }
    }
  '';

  # Dummy "loop" interface that carries the router's stable /128
  # (2a0d:eb00:4242:1::1, addressed below) and is announced over OSPF as a
  # ptp stub interface. Recreated from scratch on every start.
  systemd.services."loop-netdev" = let n = "loop"; in {
    description = "Dummy interface: loop";
    wantedBy = [ "network-setup.service" "sys-subsystem-net-devices-${n}.device" ];
    partOf = [ "network-setup.service" ];
    after = [ "network-pre.target" ];
    before = [ "network-setup.service" ];
    serviceConfig.Type = "oneshot";
    serviceConfig.RemainAfterExit = true;
    path = [ pkgs.iproute ];
    script = ''
      # Remove Dead Interfaces
      ip link show "${n}" >/dev/null 2>&1 && ip link delete "${n}"
      ip link add "${n}" type dummy
      ip link set "${n}" up
    '';
    postStop = ''
      ip link delete "${n}"
    '';
  };

  # Static addressing. uplink is a /31 point-to-point towards the gateway
  # 185.236.240.4 (see networking.defaultGateway); lan carries 10.8.0.0/16 and
  # the 2a0d:eb00:4242::/64 prefix that radvd advertises below.
  networking.interfaces = {
    uplink = {
      ipv4.addresses = [ { address = networks.uplink.ipv4; prefixLength = 31; } ];
      ipv6.addresses = [
        { address = networks.uplink.ipv6; prefixLength = 112; }
      ];
    };
    lan = {
      ipv4.addresses = [ { address = networks.lan.ipv4; prefixLength = 16; } ];
      ipv6.addresses = [ { address = networks.lan.ipv6; prefixLength = 64; } ];
    };
    loop = {
      ipv6.addresses = [ { address = "2a0d:eb00:4242:1::1"; prefixLength = 128; } ];
    };
    laser = {
      ipv4.addresses = [ { address = "10.11.0.1"; prefixLength = 24; } ];
    };
    bms = {
      ipv4.addresses = [ { address = "10.11.1.1"; prefixLength = 24; } ];
    };
    managment = {
      ipv4.addresses = [ { address = "10.10.1.1"; prefixLength = 24; } ];
    };
    lte = {
      ipv4.addresses = [ { address = "192.168.1.2"; prefixLength = 24; } ];
    };
  };

  networking.defaultGateway = {
    address = "185.236.240.4";
    interface = "uplink";
  };
  networking.defaultGateway6 = {
    address = "2a0d:eb00:2137:1::1";
    interface = "uplink";
  };

  # Resolvers for the host itself; VPN clients are pushed networks.lan.ipv4
  # (the local unbound) instead, see the OpenVPN config below.
  networking.nameservers = [ "1.0.0.1" "8.8.8.8" ];

  # Key-only root login for the two keys declared at the top; SSH is reachable
  # on every interface per the nftables input chain.
  services.openssh = {
    enable = true;
    passwordAuthentication = false;
    logLevel = "INFO";
  };
  users.users.root.openssh.authorizedKeys.keys = [ vuko-pubkey q3k-pubkey ];

  # DHCP for the LAN only; lease/option details live in ./dhcpd.conf.
  services.dhcpd4 = {
    enable = true;
    configFile = ./dhcpd.conf;
    interfaces = ["lan"];
  };

  # bird OSPFv3 through the hscloud module: OSPF-learned routes are piped from
  # the "aggregate" table into "master", which is programmed into the kernel.
  # OSPF runs on uplink (bcast), lan (bcast, stub) and loop (ptp, stub).
  hscloud.routing = {
    enable = true;
    # TODO(q3k): make this optional in upstream
    extra = "";
    routerID = "185.236.240.5";
    tables.master.program = true;
    pipe.v6.aggregate_to_kernel = {
      table = "master";
      peerTable = "aggregate";
      filterIn = ''
        if source = RTS_OSPF then accept;
        if source = RTS_OSPF_EXT2 then accept;
        reject;
      '';
    };
    ospf.v6.upstream = {
      table = "aggregate";
      area."0.0.0.0" = {
        interfaces.uplink = { type = "bcast"; };
        interfaces.lan = { type = "bcast"; stub = true; };
        interfaces.loop = { type = "ptp"; stub = true; };
      };
    };
  };

  # IPv6 router advertisements on lan and vpn; the vpn prefix also advertises
  # the router's own address (AdvRouterAddr on).
  services.radvd = {
    enable = true;
    config = ''
      interface lan {
        AdvSendAdvert on;
        prefix 2a0d:eb00:4242::/64 {
        };
        route 0::/0 { };
      };
      interface vpn {
        AdvSendAdvert on;
        prefix 2a0d:eb00:4242:1::/64 {
          AdvRouterAddr on;
        };
        route 0::/0 { };
      };
    '';
  };

  # Weekly rotation of the ulogd pcap (the nflog group 2 capture from the
  # "accepted" chain); ulogd is HUPed after rotation so it reopens the file.
  # keep = 55 rotations, roughly a year at weekly frequency.
  services.logrotate = {
    enable = true;
    paths = {
      ulogd = {
        enable = true;
        frequency = "weekly";
        path = "/var/log/ulogd.pcap";
        extraConfig = ''
          postrotate
            ${pkgs.killall}/bin/killall -HUP ulogd
          endscript
        '';
        keep = 55;
      };
    };
  };

  # log-neigh: every 5 minutes appends the neighbour table (ip neigh) plus a
  # timestamp to /var/log/arptables/arptables.log, and gzips/rotates the file
  # once it exceeds 10 MiB (-size +10485760c). The script relies on ip, gzip,
  # date and find being on cron's PATH — confirm; it does not set PATH itself.
  services.cron = let
    log-neigh = pkgs.writeShellScript "log-neigh" ''
      mkdir -p /var/log/arptables
      chmod 700 /var/log/arptables

      # Larger than 10MB? rotate.
      if [[ $(find /var/log/arptables/arptables.log -type f -size +10485760c 2>/dev/null) ]]; then
        f=/var/log/arptables/$(date "+%s").log
        cp /var/log/arptables/arptables.log $f
        gzip -9 $f
        rm /var/log/arptables/arptables.log
      fi

      ip neigh >> /var/log/arptables/arptables.log
      date --iso-8601=seconds >> /var/log/arptables/arptables.log
    '';
  in {
    # Delivered through the local-only postfix configured above.
    mailto = "vuko@hackerspace.pl";
    enable = true;
    systemCronJobs = [
      "*/5 * * * * root ${log-neigh}"
      "0 3 * * * root ${update_authorized_keys}/bin/update_authorized_keys"
    ];
  };

  # Authoritative DNS on the uplink addresses. Besides waw.hackerspace.pl and
  # "i", two third-party names (api.ustream.tv, api.eye.fi) are served from
  # local zone files, i.e. deliberately overridden for LAN/VPN clients: unbound
  # below stubs exactly these four zones to this server. Zone files come from
  # ./zones (copied into the nix store, so they must not contain secrets).
  services.knot = {
    enable = true;
    extraConfig = ''
      server:
        listen: ${networks.uplink.ipv4}@53
        listen: ${networks.uplink.ipv6}@53

      zone:
        - domain: waw.hackerspace.pl
          storage: ${./zones}
          file: waw.hackerspace.pl
        - domain: i
          storage: ${./zones}
          file: i
        - domain: api.ustream.tv
          storage: ${./zones}
          file: api.ustream.tv
        - domain: api.eye.fi
          storage: ${./zones}
          file: api.eye.fi
      log:
        - target: syslog
          any: info
    '';
  };

  services.nginx.enable = true;
  services.nginx.mapHashBucketSize = 64;
  services.nginx.appendHttpConfig = ''
    server_names_hash_bucket_size 64;
  '';

  security.acme = {
    email = "bofh@hackerspace.pl";
    acceptTerms = true;
  };

  # Default vhost: "/" redirects away, everything else is a metrics/stats
  # front proxying to LAN hosts. Ports 80 and 443 are open on all interfaces
  # in the nftables input chain.
  # NOTE(review): only /metrics/mikrotik and /metrics/node carry an
  # "allow 209.250.231.127; deny all;" block. The remaining /metrics/* and
  # /stats/* locations proxy 10.8.x.x hosts with no access control at all and
  # are therefore reachable from the Internet; unless they are meant to be
  # public, apply the same allow/deny block to them.
  # NOTE(review): the vhost sets enableACME but neither addSSL nor forceSSL,
  # so (unless another module adds them) it is served over plain HTTP on port
  # 80 only and the ACME certificate is consumed by postfix alone — confirm
  # whether HTTPS was intended, given 443 is opened in the firewall.
  services.nginx.virtualHosts."customs.hackerspace.pl" = {
    default = true;
    enableACME = true;

    locations."/" = {
      extraConfig = ''
        return 302 https://isztar.mf.gov.pl;
      '';
    };
    locations."/metrics/luftdaten" = {
      proxyPass = "http://10.8.0.146";
    };
    locations."/metrics/spejsiot" = {
      proxyPass = "http://spejsiot.waw.hackerspace.pl/metrics";
    };
    locations."/metrics/apm" = {
      proxyPass = "http://10.8.1.40:5000/metrics";
    };
    locations."/metrics/vending" = {
      proxyPass = "http://10.8.1.32:8000/";
    };
    locations."/metrics/sztancarka" = {
      proxyPass = "http://10.8.0.96:8888/";
    };
    locations."/metrics/mikrotik" = {
      proxyPass = "http://127.0.0.1:9436/metrics";
      extraConfig = ''
        allow 209.250.231.127;
        deny all;
      '';
    };
    locations."/metrics/node" = {
      proxyPass = "http://[::1]:9100/metrics";
      extraConfig = ''
        allow 209.250.231.127;
        deny all;
      '';
    };
    locations."/stats/sztancarka-ppm" = {
      proxyPass = "http://10.8.0.96:9090/api/v1/query?query=rate%28cut_count_total%5B15m%5D%29+*+60";
    };
    locations."/stats/sztancarka-last-24h" = {
      proxyPass = "http://10.8.0.96:9090/api/v1/query?query=round(increase(cut_count_total[24h]))";
    };
  };

  # Recursive resolver for LAN and VPN clients: listens on the lan IPv4 and
  # loopback, answers only 127/8 and 10/8, stubs the four knot-served zones to
  # the uplink address (where knot listens) and forwards everything else to
  # 185.236.240.1. The "TODO" on the IPv6 listener is the author's.
  services.unbound = {
    enable = true;
    interfaces = [
      networks.lan.ipv4
      "127.0.0.1"
      "::1"
      # networks.lan.ipv6 TODO
    ];
    allowedAccess = [
      "127.0.0.1/8"
      "10.0.0.0/8"
    ];
    extraConfig = builtins.concatStringsSep "\n" ((map (
      name: ''
        stub-zone:
          name: ${name}
          stub-addr: ${networks.uplink.ipv4}
      ''
    ) [ "waw.hackerspace.pl" "api.eye.fi" "api.ustream.tv" "i"]) ++ [''
      forward-zone:
        name: "."
        forward-addr: 185.236.240.1
    '']);
  };

  # Public VPN access for Hackerspace members
  #
  # Authentication is username/password only: client certificates are not
  # required (verify-client-cert none) and credentials are checked by the
  # openvpn-auth-member script, which receives the password through the
  # environment (via-env; this is why script-security 3 is needed).
  # NOTE(review): "comp-lzo" turns on tunnel compression, which OpenVPN
  # deprecates because compressing attacker-influenced plaintext alongside
  # secrets leaks information; disable it unless old clients require it.
  # NOTE(review): the "#user/#group _openvpn" lines are commented out, so the
  # daemon keeps root privileges for its whole lifetime; persist-key and
  # persist-tun are already set, which is what privilege dropping needs.
  # Two "proto" lines are given (udp, then udp6); presumably the later one
  # wins and multihome handles replies from the right local address — confirm
  # the server is reachable over both IPv4 and IPv6 as the firewall implies.
  # Routes to all four private ranges and the local unbound are pushed to
  # clients; client-to-client allows VPN peers to reach each other.
  services.openvpn.servers.members.config = ''
    script-security 3
    auth-user-pass-verify ${openvpn-auth}/bin/openvpn-auth-member via-env
    verify-client-cert none
    username-as-common-name

    #user _openvpn
    #group _openvpn
    multihome

    port 20001
    proto udp
    proto udp6
    dev vpn
    dev-type tun
    ca ${secrets-path}/openvpn-public/ca.crt
    cert ${secrets-path}/openvpn-public/server.crt
    key ${secrets-path}/openvpn-public/server.key
    dh ${secrets-path}/openvpn-public/dh.pem
    server 10.9.1.0 255.255.255.0

    push "route 10.8.0.0 255.255.0.0"
    push "route 10.9.0.0 255.255.0.0"
    push "route 10.10.0.0 255.255.0.0"
    push "route 10.11.0.0 255.255.0.0"
    push "dhcp-option DNS ${networks.lan.ipv4}"
    push "dhcp-option DOMAIN waw.hackerspace.pl"

    ifconfig-pool-persist /var/lib/openvpn-public/ipp.txt
    #client-config-dir /var/lib/openvpn-public/ccd
    client-to-client
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
  '';

  # Admin tooling for a router box (packet capture, scanning, serial terminfo)
  # plus the LDAP key-sync wrapper defined at the top.
  environment.systemPackages = with pkgs; [
    vim tcpdump htop nmon tmux git file procps parted dmidecode ack utillinux nmap mosh ncdu tree lz4 bind
    rxvt_unicode.terminfo update_authorized_keys
  ];
  programs.mtr.enable = true;

  environment.variables = {
    EDITOR = "vim";
  };

  system.stateVersion = "20.03";

  # Serial-console box: no VESA framebuffer, no GRUB splash.
  boot.vesa = false;
  boot.loader.grub.splashImage = null;
}