customs/configuration.nix

576 lines
16 KiB
Nix
Raw Permalink Normal View History

2020-06-21 21:37:59 +00:00
{ config, pkgs, ... }:
let
2020-10-23 19:50:49 +00:00
# hscloud checkout, hscloud.routing used to set up dynamic routing (OSPFv6 via bird)
hscloud = fetchGit {
url = "https://gerrit.hackerspace.pl/hscloud.git";
name = "hscloud";
rev = "e401735fdd241b25dac4cb82d828dcfa6f84b198";
};
2020-07-25 11:49:33 +00:00
hw = builtins.fromJSON (builtins.readFile ./hw.json);
2020-07-25 11:48:33 +00:00
fw = import ./fw-7535.nix;
2020-06-21 21:37:59 +00:00
vuko-pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhaCaC/CVYv6hphqmEdKaPrIn+Q946+myvL9SSnzFZk vuko@eagle";
2020-10-23 19:50:49 +00:00
q3k-pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG599UildOrAq+LIOQjKqtGMwjgjIxozI1jtQQRKHtCP q3k@mimeomia";
2020-07-25 11:48:33 +00:00
networks = {
uplink = {
description = "Hackerspace Internet Uplink";
hw_addr = builtins.elemAt fw.hw_addresses 0;
ipv4 = "185.236.240.5";
ipv6 = "2a0d:eb00:2137:1::3";
2020-06-22 21:30:35 +00:00
};
2020-07-25 11:48:33 +00:00
lan = {
description = "Hackerspace LAN";
hw_addr = builtins.elemAt fw.hw_addresses 1;
ipv4 = "10.8.1.2";
2020-10-23 19:50:49 +00:00
ipv6 = "2a0d:eb00:4242::1";
2020-06-22 18:55:34 +00:00
};
2020-07-25 11:48:33 +00:00
managment = {
description = "Management network (temporary routing)";
hw_addr = builtins.elemAt fw.hw_addresses 2;
};
lte = {
description = "temp LTE uplink";
hw_addr = builtins.elemAt fw.hw_addresses 3;
};
vpn = {
description = "Hackerspace members vpn";
ipv4 = "10.9.1.1";
2020-06-26 21:23:47 +00:00
};
};
hostname = "customs";
2020-06-26 21:26:59 +00:00
openvpn-auth = import ./openvpn-auth { inherit pkgs; };
secrets-path = "/etc/nixos/secrets/";
update_authorized_keys = pkgs.writeShellScriptBin "update_authorized_keys" ''
${pkgs.python3.withPackages (pp: [ pp.ldap3 ])}/bin/python ${./update_authorized_keys.py} ${hostname} ${secrets-path}/ldap-password.txt
'';
2020-06-21 21:37:59 +00:00
in {
imports =
2020-06-22 21:47:36 +00:00
[
2020-06-21 21:37:59 +00:00
./ulogd2/service.nix
2020-07-25 12:02:23 +00:00
#./hardware-configuration.nix
2020-06-21 21:37:59 +00:00
<nixpkgs/nixos/modules/profiles/minimal.nix>
2020-07-25 11:49:33 +00:00
<nixpkgs/nixos/modules/profiles/all-hardware.nix>
2020-10-23 19:50:49 +00:00
"${hscloud}/bgpwtf/machines/modules/routing.nix"
2020-10-23 23:14:12 +00:00
./checkinator-tracker.nix
./checkinator-web.nix
2020-10-26 18:28:38 +00:00
./mikrotik-exporter.nix
2021-09-27 15:07:41 +00:00
./netboot.nix
2020-10-28 22:58:27 +00:00
./laserproxy/service.nix
2020-06-21 21:37:59 +00:00
];
2020-06-21 21:37:59 +00:00
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
2020-07-25 11:49:33 +00:00
boot.loader.grub.device = "nodev";
boot.loader.grub.extraConfig = ''
serial --unit=0 --speed=115200
terminal_input serial
terminal_output serial
'';
boot.kernelParams = ["console=tty0" "console=ttyS0,115200"];
2020-11-01 12:47:43 +00:00
time.timeZone = "Europe/Warsaw";
2020-07-25 11:49:33 +00:00
fileSystems."/" = {
device = "/dev/disk/by-partuuid/${hw.rootUUID}";
fsType = "ext4";
};
2020-06-21 21:37:59 +00:00
2020-11-08 18:32:04 +00:00
services.postfix = let acme_dir = "/var/lib/acme"; in {
enable = true;
domain = "customs.hackerspace.pl";
hostname = "customs.hackerspace.pl";
destination = [ "localhost" ];
sslCert = "${acme_dir}/customs.hackerspace.pl/full.pem";
sslKey = "${acme_dir}/customs.hackerspace.pl/key.pem";
enableSmtp = true;
enableSubmission = false;
#relayHost = "hackerspace.pl";
extraConfig = ''
inet_interfaces = loopback-only
'';
};
2020-10-23 22:36:17 +00:00
fileSystems."/mnt/secrets" = {
fsType = "tmpfs";
options = [ "rw" "mode=755" "size=200M" "nosuid" "nodev" "relatime" "noexec" ];
};
networking.hostName = hostname;
2020-10-28 22:58:27 +00:00
networking.useDHCP = false;
networking.vlans = {
laser = {
id = 4001;
interface = "lan";
};
2021-06-12 19:43:35 +00:00
bms = {
id = 4002;
interface = "lan";
};
2020-10-28 22:58:27 +00:00
};
2020-06-21 21:37:59 +00:00
2020-10-25 11:42:50 +00:00
systemd.services.secrets = {
enable = true;
description = "Copy secrets and fix permissions";
script = ''
${pkgs.coreutils}/bin/install --owner=root --mode=700 --directory /mnt/secrets/nginx/
${pkgs.coreutils}/bin/install --owner=root --mode=400 -t /mnt/secrets/nginx/ \
${secrets-path}/nginx/at.hackerspace.pl.key \
${secrets-path}/nginx/at.hackerspace.pl.crt
2020-10-26 16:01:43 +00:00
${pkgs.acl}/bin/setfacl -m "u:nginx:rx" /mnt/secrets/nginx
${pkgs.acl}/bin/setfacl -m "u:nginx:r" /mnt/secrets/nginx/*
2020-10-25 11:42:50 +00:00
'';
2020-10-26 16:01:43 +00:00
wantedBy = [ "nginx.service" ];
partOf = [ "nginx.service" ];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = "true";
serviceConfig.User = "root";
2020-10-25 11:42:50 +00:00
};
2020-10-28 17:34:04 +00:00
services.prometheus.exporters.node = {
enable = true;
listenAddress = "[::1]";
port = 9100;
2020-10-28 22:58:27 +00:00
enabledCollectors = [ "systemd" ];
2020-10-28 17:34:04 +00:00
};
2020-07-25 11:48:33 +00:00
systemd.network.links = builtins.listToAttrs (map (
name: { name = "10-link-${name}"; value = {
enable = true;
matchConfig = {
MACAddress = networks."${name}".hw_addr;
};
linkConfig = {
Name = "${name}";
};
}; }
) (builtins.filter (name: builtins.hasAttr "hw_addr" networks."${name}") (builtins.attrNames networks)));
2020-06-26 21:23:47 +00:00
2020-06-26 22:12:14 +00:00
#networking.interfaces.vpn = {
# virtual = true;
# name = "vpn";
# #ipv4.addresses = [ { address = 10.9.1.1; prefixlen = 16; } ];
#};
2020-06-26 21:23:47 +00:00
2020-07-25 11:48:33 +00:00
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv6.conf.all.forwarding" = true;
};
2020-06-22 18:55:34 +00:00
# using nftables so firewall has to be disabled
2020-06-21 21:40:02 +00:00
networking.firewall.enable = false;
2020-06-21 21:37:59 +00:00
networking.nftables.enable = true;
networking.nftables.ruleset = ''
table inet filter {
chain input {
type filter hook input priority 0;
# accept any localhost traffic
iifname lo accept
# accept traffic originated from us
ct state {established, related} accept
# ICMP
2020-06-22 18:55:34 +00:00
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, nd-router-solicit } accept
2020-06-21 21:37:59 +00:00
ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
# allow "ping"
2020-06-21 21:54:31 +00:00
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
2020-06-21 21:37:59 +00:00
ip protocol icmp icmp type echo-request accept
2020-10-23 19:50:49 +00:00
# allow OSPFv3
ip6 nexthdr 89 accept
2020-06-22 18:55:34 +00:00
tcp dport 22 accept
tcp dport 53 accept
2020-06-22 21:42:43 +00:00
udp dport 53 accept
2020-10-23 23:14:12 +00:00
tcp dport 80 accept
2020-10-26 16:01:43 +00:00
tcp dport 443 accept
2021-09-27 15:07:41 +00:00
udp dport tftp accept
2020-10-23 17:56:24 +00:00
2020-11-04 01:01:30 +00:00
iifname managment udp dport tftp accept
2020-10-24 00:06:51 +00:00
iifname lan tcp dport 8080 accept
2020-10-23 17:56:24 +00:00
# openvpn-members
udp dport 20001 accept
2020-10-24 01:09:55 +00:00
tcp dport 20001 accept
2020-11-12 21:30:21 +00:00
# laserproxy
udp dport 40200 accept
udp dport 50200 accept
2020-06-21 21:37:59 +00:00
counter drop
}
# Allow all outgoing connections.
chain output {
2020-10-28 10:30:41 +00:00
type filter hook output priority 0; policy accept;
2020-06-21 21:37:59 +00:00
}
chain forward {
2020-06-22 18:55:34 +00:00
type filter hook forward priority 0; policy drop;
ct state {established, related} jump accepted
oifname "loop" jump accepted
2020-06-22 18:55:34 +00:00
ip saddr 10.8.0.0/16 iifname "lan" jump accepted
ip saddr 10.9.0.0/16 iifname "vpn" jump accepted
2020-10-26 16:32:03 +00:00
ip6 saddr 2a0d:eb00:4242::0/64 iifname "lan" jump accepted
ip6 saddr 2a0d:eb00:4242:1::0/64 iifname "vpn" jump accepted
ip6 saddr 2a0d:eb00:4242:1::1/128 iifname "loop" jump accepted
2020-06-22 18:55:34 +00:00
}
chain accepted {
# IMPORTANT
# Log all connections to the outside world from LAN interface, as we are
# required to do so
oifname != "uplink" accept
iifname "uplink" accept
ip daddr { 10.0.0.0/8, 225.225.225.225/32 } accept
ip6 daddr { 2a0d:eb00::/29, fe80::/8 } accept
log group 2 accept
}
}
table inet net {
chain postrouting {
type nat hook postrouting priority 100;
2020-07-25 11:48:33 +00:00
ip saddr 10.8.0.0/16 oifname uplink snat ${networks.uplink.ipv4}
ip saddr 10.9.0.0/16 oifname uplink snat ${networks.uplink.ipv4}
2020-06-22 18:55:34 +00:00
}
chain prerouting {
type nat hook prerouting priority -100;
# Access to staszkecoin from Internet
ip version 4 iifname "uplink" tcp dport 8333 dnat 10.8.1.49
2020-06-21 21:37:59 +00:00
}
}
'';
systemd.services."loop-netdev" = let n = "loop"; in {
description = "Dummy interface: loop";
wantedBy = [ "network-setup.service" "sys-subsystem-net-devices-${n}.device" ];
partOf = [ "network-setup.service" ];
after = [ "network-pre.target" ];
before = [ "network-setup.service" ];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
path = [ pkgs.iproute ];
script = ''
# Remove Dead Interfaces
ip link show "${n}" >/dev/null 2>&1 && ip link delete "${n}"
ip link add "${n}" type dummy
ip link set "${n}" up
'';
postStop = ''
ip link delete "${n}"
'';
};
2020-07-25 11:48:33 +00:00
networking.interfaces = {
uplink = {
ipv4.addresses = [ { address = networks.uplink.ipv4; prefixLength = 31; } ];
ipv6.addresses = [
2020-10-26 16:32:03 +00:00
{ address = networks.uplink.ipv6; prefixLength = 112; }
2020-07-25 11:48:33 +00:00
];
};
lan = {
ipv4.addresses = [ { address = networks.lan.ipv4; prefixLength = 16; } ];
2020-10-23 19:50:49 +00:00
ipv6.addresses = [ { address = networks.lan.ipv6; prefixLength = 64; } ];
2020-07-25 11:48:33 +00:00
};
loop = {
2020-11-04 12:57:53 +00:00
ipv6.addresses = [ { address = "2a0d:eb00:4242:1::1"; prefixLength = 128; } ];
};
2020-10-28 22:58:27 +00:00
laser = {
ipv4.addresses = [ { address = "10.11.0.1"; prefixLength = 24; } ];
};
2021-06-12 19:43:35 +00:00
bms = {
ipv4.addresses = [ { address = "10.11.1.1"; prefixLength = 24; } ];
};
2020-07-25 11:48:33 +00:00
managment = {
ipv4.addresses = [ { address = "10.10.1.1"; prefixLength = 24; } ];
};
lte = {
ipv4.addresses = [ { address = "192.168.1.2"; prefixLength = 24; } ];
};
};
2020-06-22 19:23:46 +00:00
2020-07-25 11:48:33 +00:00
networking.defaultGateway = {
address = "185.236.240.4";
interface = "uplink";
};
networking.defaultGateway6 = {
2020-10-26 16:05:31 +00:00
address = "2a0d:eb00:2137:1::1";
2020-07-25 11:48:33 +00:00
interface = "uplink";
};
2020-06-21 21:37:59 +00:00
2020-10-26 18:28:38 +00:00
2020-07-25 11:48:33 +00:00
networking.nameservers = [ "1.0.0.1" "8.8.8.8" ];
2020-06-21 21:37:59 +00:00
2020-11-08 18:32:25 +00:00
services.openssh = {
enable = true;
passwordAuthentication = false;
logLevel = "INFO";
};
2020-10-23 19:50:49 +00:00
users.users.root.openssh.authorizedKeys.keys = [ vuko-pubkey q3k-pubkey ];
2020-06-21 21:37:59 +00:00
2020-06-26 21:25:58 +00:00
services.dhcpd4 = {
enable = true;
configFile = ./dhcpd.conf;
interfaces = ["lan"];
2020-06-26 21:28:19 +00:00
};
2020-06-26 21:25:58 +00:00
2020-10-23 19:50:49 +00:00
hscloud.routing = {
enable = true;
# TODO(q3k): make this optional in upstream
extra = "";
routerID = "185.236.240.5";
tables.master.program = true;
pipe.v6.aggregate_to_kernel = {
table = "master";
peerTable = "aggregate";
filterIn = ''
if source = RTS_OSPF then accept;
if source = RTS_OSPF_EXT2 then accept;
reject;
'';
};
ospf.v6.upstream = {
table = "aggregate";
area."0.0.0.0" = {
interfaces.uplink = { type = "bcast"; };
interfaces.lan = { type = "bcast"; stub = true; };
interfaces.loop = { type = "ptp"; stub = true; };
2020-10-23 19:50:49 +00:00
};
};
};
2020-10-23 20:14:05 +00:00
services.radvd = {
enable = true;
config = ''
2020-10-26 16:02:02 +00:00
interface lan {
2020-10-23 20:14:05 +00:00
AdvSendAdvert on;
2020-10-26 16:02:02 +00:00
prefix 2a0d:eb00:4242::/64 {
};
route 0::/0 { };
};
interface vpn {
AdvSendAdvert on;
prefix 2a0d:eb00:4242:1::/64 {
AdvRouterAddr on;
};
route 0::/0 { };
2020-10-23 20:14:05 +00:00
};
'';
};
2020-10-23 17:22:35 +00:00
2020-11-11 08:28:13 +00:00
services.logrotate = {
enable = true;
paths = {
ulogd = {
enable = true;
frequency = "weekly";
path = "/var/log/ulogd.pcap";
extraConfig = ''
postrotate
${pkgs.killall}/bin/killall -HUP ulogd
endscript
'';
keep = 55;
};
};
};
2020-10-26 20:48:27 +00:00
services.cron = let
log-neigh = pkgs.writeShellScript "log-neigh" ''
mkdir -p /var/log/arptables
chmod 700 /var/log/arptables
# Larger than 10MB? rotate.
if [[ $(find /var/log/arptables/arptables.log -type f -size +10485760c 2>/dev/null) ]]; then
f=/var/log/arptables/$(date "+%s").log
cp /var/log/arptables/arptables.log $f
gzip -9 $f
2020-10-28 10:30:41 +00:00
rm /var/log/arptables/arptables.log
2020-10-26 20:48:27 +00:00
fi
ip neigh >> /var/log/arptables/arptables.log
date --iso-8601=seconds >> /var/log/arptables/arptables.log
'';
in {
2020-11-08 18:32:04 +00:00
mailto = "vuko@hackerspace.pl";
2020-10-26 20:48:27 +00:00
enable = true;
systemCronJobs = [
2020-10-28 10:30:41 +00:00
"*/5 * * * * root ${log-neigh}"
2020-11-11 08:32:57 +00:00
"0 3 * * * root ${update_authorized_keys}/bin/update_authorized_keys"
2020-10-26 20:48:27 +00:00
];
};
2020-06-22 21:30:35 +00:00
services.knot = {
enable = true;
extraConfig = ''
server:
2020-07-25 11:48:33 +00:00
listen: ${networks.uplink.ipv4}@53
listen: ${networks.uplink.ipv6}@53
2020-06-22 21:30:35 +00:00
zone:
- domain: waw.hackerspace.pl
storage: ${./zones}
file: waw.hackerspace.pl
- domain: i
storage: ${./zones}
file: i
2020-06-22 21:40:35 +00:00
- domain: api.ustream.tv
2020-06-22 21:30:35 +00:00
storage: ${./zones}
2020-06-22 21:40:35 +00:00
file: api.ustream.tv
2020-06-22 21:30:35 +00:00
- domain: api.eye.fi
storage: ${./zones}
file: api.eye.fi
log:
- target: syslog
any: info
'';
};
2020-10-23 23:14:12 +00:00
services.nginx.enable = true;
2020-10-26 16:01:43 +00:00
services.nginx.mapHashBucketSize = 64;
services.nginx.appendHttpConfig = ''
server_names_hash_bucket_size 64;
'';
2020-10-25 09:37:25 +00:00
2020-11-08 18:33:05 +00:00
security.acme = {
2020-11-11 08:29:28 +00:00
email = "bofh@hackerspace.pl";
2020-11-08 18:33:05 +00:00
acceptTerms = true;
};
2020-10-25 09:37:25 +00:00
services.nginx.virtualHosts."customs.hackerspace.pl" = {
2020-11-01 12:47:43 +00:00
default = true;
2020-11-08 18:33:05 +00:00
enableACME = true;
2020-11-01 12:47:43 +00:00
2020-11-08 18:33:21 +00:00
locations."/" = {
extraConfig = ''
return 302 https://isztar.mf.gov.pl;
'';
};
2020-10-25 09:37:25 +00:00
locations."/metrics/luftdaten" = {
proxyPass = "http://10.8.0.146";
};
locations."/metrics/spejsiot" = {
proxyPass = "http://spejsiot.waw.hackerspace.pl/metrics";
};
locations."/metrics/apm" = {
proxyPass = "http://10.8.1.40:5000/metrics";
};
locations."/metrics/vending" = {
proxyPass = "http://10.8.1.32:8000/";
};
locations."/metrics/sztancarka" = {
proxyPass = "http://10.8.0.96:8888/";
};
locations."/metrics/mikrotik" = {
proxyPass = "http://127.0.0.1:9436/metrics";
extraConfig = ''
allow 209.250.231.127;
deny all;
'';
};
locations."/metrics/node" = {
2020-10-28 17:34:04 +00:00
proxyPass = "http://[::1]:9100/metrics";
2020-10-25 09:37:25 +00:00
extraConfig = ''
allow 209.250.231.127;
deny all;
'';
};
locations."/stats/sztancarka-ppm" = {
proxyPass = "http://10.8.0.96:9090/api/v1/query?query=rate%28cut_count_total%5B15m%5D%29+*+60";
};
locations."/stats/sztancarka-last-24h" = {
proxyPass = "http://10.8.0.96:9090/api/v1/query?query=round(increase(cut_count_total[24h]))";
};
};
2020-10-28 22:58:27 +00:00
2020-10-23 16:48:05 +00:00
services.unbound = {
enable = true;
interfaces = [
networks.lan.ipv4
"127.0.0.1"
"::1"
# networks.lan.ipv6 TODO
];
2020-10-23 18:14:06 +00:00
allowedAccess = [
"127.0.0.1/8"
"10.0.0.0/8"
];
2020-10-23 16:48:05 +00:00
extraConfig = builtins.concatStringsSep "\n" ((map (
name: ''
stub-zone:
name: ${name}
stub-addr: ${networks.uplink.ipv4}
''
) [ "waw.hackerspace.pl" "api.eye.fi" "api.ustream.tv" "i"]) ++ [''
2020-10-23 16:48:05 +00:00
forward-zone:
name: "."
forward-addr: 185.236.240.1
'']);
};
2020-06-22 21:30:35 +00:00
2020-06-26 21:26:59 +00:00
# Public VPN access for Hackerspace members
services.openvpn.servers.members.config = ''
script-security 3
auth-user-pass-verify ${openvpn-auth}/bin/openvpn-auth-member via-env
verify-client-cert none
username-as-common-name
#user _openvpn
#group _openvpn
2020-11-07 17:30:23 +00:00
multihome
2020-06-26 21:26:59 +00:00
port 20001
proto udp
2020-11-07 17:30:23 +00:00
proto udp6
2020-06-26 21:26:59 +00:00
dev vpn
2020-06-26 21:59:55 +00:00
dev-type tun
ca ${secrets-path}/openvpn-public/ca.crt
cert ${secrets-path}/openvpn-public/server.crt
key ${secrets-path}/openvpn-public/server.key
dh ${secrets-path}/openvpn-public/dh.pem
2020-06-26 21:26:59 +00:00
server 10.9.1.0 255.255.255.0
push "route 10.8.0.0 255.255.0.0"
push "route 10.9.0.0 255.255.0.0"
push "route 10.10.0.0 255.255.0.0"
push "route 10.11.0.0 255.255.0.0"
2020-07-25 11:48:33 +00:00
push "dhcp-option DNS ${networks.lan.ipv4}"
2020-06-26 21:26:59 +00:00
push "dhcp-option DOMAIN waw.hackerspace.pl"
ifconfig-pool-persist /var/lib/openvpn-public/ipp.txt
2020-06-26 22:10:42 +00:00
#client-config-dir /var/lib/openvpn-public/ccd
2020-06-26 21:26:59 +00:00
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
2020-06-26 21:28:19 +00:00
'';
2020-06-22 21:30:35 +00:00
2020-06-21 22:03:12 +00:00
environment.systemPackages = with pkgs; [
2020-10-23 19:50:49 +00:00
vim tcpdump htop nmon tmux git file procps parted dmidecode ack utillinux nmap mosh ncdu tree lz4 bind
rxvt_unicode.terminfo update_authorized_keys
2020-06-21 22:03:12 +00:00
];
programs.mtr.enable = true;
environment.variables = {
EDITOR = "vim";
};
2020-06-22 21:47:36 +00:00
system.stateVersion = "20.03";
boot.vesa = false;
boot.loader.grub.splashImage = null;
2020-06-21 21:37:59 +00:00
}