authorKjetil Ørbekk <kj@orbekk.com>2020-11-08 18:23:56 -0500
committerKjetil Ørbekk <kj@orbekk.com>2020-11-08 18:24:30 -0500
commit605a2005bb92dc47556ea6e540d4d2d1c515ffdc (patch)
treed59a12381014b59baf0e12588b8364db657c4db7 /config
parentd37a4f11e1ff414f2e9fccf4316a99d914934279 (diff)
dragon config
Diffstat (limited to 'config')
-rw-r--r--config/ap.nix186
-rw-r--r--config/dns.nix20
-rw-r--r--config/router.nix224
-rw-r--r--config/web-server.nix25
4 files changed, 258 insertions, 197 deletions
diff --git a/config/ap.nix b/config/ap.nix
deleted file mode 100644
index 4f3c634..0000000
--- a/config/ap.nix
+++ /dev/null
@@ -1,186 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- wan-dev = "enp37s0";
- lan-dev = "wlp39s0";
-in
-{
- networking.networkmanager.enable = lib.mkForce false;
-
- # networking.vlans.lan = {
- # id = 110;
- # interface = wan-dev;
- # };
- # networking.vlans.wan = {
- # id = 100;
- # interface = wan-dev;
- # };
-
- networking.firewall = {
- enable = lib.mkForce false;
- allowedTCPPorts = lib.mkForce [ ];
- allowedUDPPorts = lib.mkForce [ ];
- allowPing = true;
- logRefusedConnections = false;
- checkReversePath = false;
- trustedInterfaces = [ "${lan-dev}" ];
- };
-
- services.ferm = {
- enable = true;
- config = ''
- @def $DEV_LAN = ${lan-dev};
- @def $DEV_WAN = ${wan-dev};
- @def $NET_LAN = 10.64.30.0/24;
-
- domain ip6 table filter chain INPUT {
- proto ipv6-icmp ACCEPT;
- proto udp dport (dhcpv6-client dhcpv6-server) ACCEPT;
- }
-
- domain (ip ip6) table filter {
- chain INPUT {
- policy DROP;
-
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- interface lo ACCEPT;
- proto icmp icmp-type echo-request ACCEPT;
-
- interface $DEV_WAN {
- # RTMP
- # proto (tcp udp) dport 1935 ACCEPT;
-
- # Factorio
- proto udp dport 34197 ACCEPT;
- }
-
- interface $DEV_LAN @subchain "services" {
- # 1935 for rtmp testing
- proto (tcp udp) dport (ssh domain bootps 1935 4317 5353) ACCEPT;
-
- # Chromecast
- # proto udp dport 32768:61000 ACCEPT;
- # proto udp dport (5353 1900) ACCEPT;
- # proto tcp dport (8008 8009) ACCEPT;
-
- # chain logdrop {
- # LOG log-level warning log-prefix "dropped-lan ";
- # DROP;
- # }
- # jump logdrop;
- }
- }
-
- chain OUTPUT policy ACCEPT;
-
- chain FORWARD {
- policy DROP;
-
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- interface $DEV_LAN ACCEPT;
- }
- }
-
- domain ip6 table filter chain INPUT {
- chain logdrop {
- LOG log-level warning log-prefix "dropped-6 ";
- DROP;
- }
- jump logdrop;
- }
-
- domain ip table nat {
- chain POSTROUTING {
- saddr $NET_LAN outerface $DEV_WAN MASQUERADE;
- }
- }
- '';
- };
-
- services = {
- openssh.enable = lib.mkDefault true;
- openssh.passwordAuthentication = false;
- };
-
- boot.kernel.sysctl = {
- # Something wrong with Spectrum ipv6 :(
- "net.ipv6.conf.all.disable_ipv6" = true;
- "net.ipv4.conf.all.forwarding" = true;
- "net.ipv4.conf.default.forwarding" = true;
- "net.ipv6.conf.all.forwarding" = true;
- "net.ipv6.conf.default.forwarding" = true;
- };
-
- services.hostapd = {
- enable = true;
- ssid = "2c";
- wpaPassphrase = "mintchip";
- interface = "${lan-dev}";
- hwMode = "g";
- channel = 11;
- extraConfig = ''
- country_code=US
- wpa_key_mgmt=WPA-PSK
- rsn_pairwise=CCMP
- '';
- };
-
- networking.useDHCP = true;
- networking.dhcpcd = {
- enable = true;
- denyInterfaces = [ lan-dev ];
- extraConfig = ''
- # debug
- noipv6rs
- interface ${wan-dev}
- dhcp
- ipv6rs
- ia_na 1
- ia_pd 1/::/56 ${lan-dev}/0/64
- '';
- wait = "background";
- };
-
- services.dnsmasq = {
- enable = true;
- servers = [ "8.8.8.8" "8.8.4.4" ];
- extraConfig = ''
- dhcp-authoritative
- dhcp-range=10.64.30.100,10.64.30.255,255.255.255.0,24h
- dhcp-option=option:router,10.64.30.1
- dhcp-option=option:dns-server,10.64.30.1
- dhcp-option=option:netmask,255.255.255.0
-
- #dhcp-range=::,constructor:${lan-dev},slaac
- '';
- };
-
- networking.nat = {
- enable = true;
- externalInterface = "${wan-dev}";
- internalInterfaces = [ "${lan-dev}" ];
- # internalIPs = [ "10.0.0.0/24" ];
- };
-
- # Error matching on link that was already renamed.
- # systemd.network.links."40-enp37s0".matchConfig = {
- # # OriginalName = lib.mkForce null;
- # # MACAddress = "00:d8:61:c2:c6:6c";
- # };
- # systemd.services.dhcpcd.preStart = lib.mkAfter ''
- # ${pkgs.iproute}/bin/ip link set dev ${wan-dev} address ${config.networking.interfaces.${wan-dev}.macAddress};
- # '';
- # networking.interfaces.${wan-dev} = {
- # macAddress = "3c:97:0e:19:7e:5c";
- # };
-
- networking.interfaces."${lan-dev}" = {
- ipv4.addresses = [ {
- address = "10.64.30.1";
- prefixLength = 24;
- } ];
- };
-}
diff --git a/config/dns.nix b/config/dns.nix
index 32d54a5..b0e52f6 100644
--- a/config/dns.nix
+++ b/config/dns.nix
@@ -2,7 +2,7 @@
# dnssec-keygen -K /secret/keys/example.net example.net
{ config, lib, pkgs, ... }:
let
- masterZones = [ "orbekk.com" "orbekk.no" "kufieta.net" ];
+ masterZones = [ "tommvo.com" "orbekk.com" "orbekk.no" "kufieta.net" ];
zone-files = pkgs.callPackage ../pkgs/zone-files/default.nix { };
in
{
@@ -13,6 +13,11 @@ in
services.bind = {
enable = true;
+ cacheNetworks = [
+ "::1/128"
+ "127.0.0.0/24"
+ "10.0.0.0/8"
+ ];
extraOptions = ''
serial-update-method unixtime;
'';
@@ -39,6 +44,7 @@ in
2a00:1b60:1011::6def:e868; // ns1
2001:67c:29f4::61; // ns2
};
+ notify-source-v6 2001:470:8e2e:20::d;
notify explicit;
};
'') masterZones}
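Review bot: The literal `2001:470:8e2e:20::d` is added verbatim as `notify-source-v6` here and again in the next hunk, and the same address is assigned to he0 in router.nix in this commit, so a renumbering of the tunnel prefix means editing several files by hand. The file already has a `let` block for `masterZones` and `zone-files`; binding the address once there, e.g. `notify-source = "2001:470:8e2e:20::d";`, and writing `notify-source-v6 ${notify-source};` in both zone templates keeps the two copies from drifting. A short comment on that binding saying it is the tunnel-side source address the secondaries expect notifies from would explain why it is not simply omitted.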
@@ -62,6 +68,7 @@ in
2a00:1b60:1011::6def:e868; // ns1
2001:67c:29f4::61; // ns2
};
+ notify-source-v6 2001:470:8e2e:20::d;
notify explicit;
update-policy {
grant dynamic.orbekk.com.key zonesub any;
@@ -74,7 +81,16 @@ in
preStart = lib.mkAfter ''
#rm /var/run/named/*.jnl || true
#rm /var/run/named/*.jbk || true
- cp -f ${zone-files}/* /var/run/named/
+ echo "Copy zone files"
+ for z in ${zone-files}/*; do
+ if [[ $z =~ .*dynamic.* && -e "/var/run/named/$(basename $z)" ]]; then
+ echo "Skip dynamic zone $z"
+ continue
+ fi
+ echo "Copy zone $z"
+ cp -f $z /var/run/named/
+ done
+ echo "Done copying zone files"
'';
};
}
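Review bot: The loop body leaves `$z` unquoted in `cp -f $z /var/run/named/` and in `$(basename $z)`, and `[[ $z =~ .*dynamic.* ]]` is an unanchored regex that also sees the store-path prefix, so it behaves like a plain `*dynamic*` glob over the whole path. Every iterated path is a Nix store path, so word splitting is unlikely in practice, but quoting states the intent: `if [[ "$z" == *dynamic* && -e "/var/run/named/$(basename "$z")" ]]; then` and `cp -f "$z" /var/run/named/`. The skip appears to be what keeps a dynamically updated zone (see the `update-policy` grant in the previous hunk) from being clobbered by the packaged copy on restart; a one-line comment above the `for` saying so would spare the next reader from inferring it from the commented-out `.jnl` lines.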
diff --git a/config/router.nix b/config/router.nix
new file mode 100644
index 0000000..30cf32a
--- /dev/null
+++ b/config/router.nix
@@ -0,0 +1,224 @@
+{ config, lib, pkgs, ... }:
+let
+ wan-dev = "eno1";
+ lan-dev = "eno2";
+in
+{
+ networking.networkmanager.enable = lib.mkForce false;
+
+ networking.nameservers = [ "8.8.8.8" ];
+
+ networking.vlans = builtins.listToAttrs (map (id: { name = "${lan-dev}.${toString id}"; value = { inherit id; interface = lan-dev; }; } ) [30 100 255]);
+
+ systemd.services.update-dynamic-dns = {
+ description = "Update dynamic dns records";
+ path = with pkgs; [bash dnsutils nettools gawk iproute];
+ startLimitIntervalSec = 5;
+ script = toString ../tools/update-dns.sh;
+ };
+
+ networking.dhcpcd.runHook = ''
+ systemctl restart update-dynamic-dns.service
+ '';
+
+ networking.firewall = {
+ enable = lib.mkForce false;
+ allowedTCPPorts = lib.mkForce [ ];
+ allowedUDPPorts = lib.mkForce [ ];
+ allowPing = true;
+ logRefusedConnections = false;
+ checkReversePath = false;
+ };
+
+ services.ddclient = {
+ enable = true;
+ configFile = "/opt/secret/he-ddclient.conf";
+ };
+
+ services.ferm = {
+ enable = true;
+ config = ''
+ @def $DEV_LAN = (${lan-dev}.100 ${lan-dev}.255);
+ @def $DEV_WAN = (${wan-dev} he0);
+ @def $NET_LAN = 10.0.0.0/8;
+
+ domain (ip ip6) table filter {
+ chain INPUT {
+ policy DROP;
+
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ interface lo ACCEPT;
+ proto icmp ACCEPT;
+
+ proto (udp udp) dport dhcpv6-client ACCEPT;
+
+ proto 41 ACCEPT; # IPv6 sit tunnel
+
+ interface $DEV_WAN @subchain "wan_services" {
+ proto (tcp udp) dport (bootpc bootps) ACCEPT;
+ proto tcp dport ssh ACCEPT;
+ proto (tcp udp) dport domain ACCEPT;
+ proto tcp dport (http https) ACCEPT;
+ }
+
+ interface $DEV_LAN @subchain "lan_services" {
+ proto (tcp udp) dport (ssh domain bootpc bootps) ACCEPT;
+ proto tcp dport (http https) ACCEPT;
+
+ # Chromecast
+ # proto udp dport 32768:61000 ACCEPT;
+ # proto udp dport (5353 1900) ACCEPT;
+ # proto tcp dport (8008 8009) ACCEPT;
+
+ # chain logdrop {
+ # LOG log-level warning log-prefix "dropped-lan ";
+ # DROP;
+ # }
+ # jump logdrop;
+ }
+ }
+
+ chain OUTPUT policy ACCEPT;
+
+ chain FORWARD {
+ policy DROP;
+
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ interface $DEV_LAN ACCEPT;
+ }
+ }
+
+ domain ip6 table filter chain INPUT {
+ proto ipv6-icmp ACCEPT;
+ }
+
+ domain (ip ip6) table filter chain logdrop {
+ LOG log-level warning log-prefix "dropped ";
+ DROP;
+ }
+
+ domain (ip ip6) table filter chain INPUT {
+ jump logdrop;
+ }
+
+ domain ip table nat {
+ chain POSTROUTING {
+ saddr $NET_LAN outerface $DEV_WAN MASQUERADE;
+ }
+ }
+ '';
+ };
+
+ services = {
+ openssh.enable = lib.mkDefault true;
+ openssh.passwordAuthentication = false;
+ };
+
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv4.conf.default.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv6.conf.default.forwarding" = true;
+ };
+
+ #services.hostapd = {
+ # enable = true;
+ # # driver = "iwlwifi";
+ # ssid = "2c";
+ # wpaPassphrase = "mintchip";
+ # interface = "${lan-dev}";
+ # hwMode = "g";
+ # channel = 11;
+ # extraConfig = ''
+ # country_code=US
+ # wpa_key_mgmt=WPA-PSK
+ # rsn_pairwise=CCMP
+ # '';
+ #};
+
+ networking.dhcpcd = {
+ # Wain for v4 and v6 addresses.
+ # wait = "both";
+ extraConfig = ''
+ debug
+ noipv6rs
+ interface ${wan-dev}
+ dhcp
+ ipv6rs
+ ia_na 0
+ # ia_pd 1/::/64 ${lan-dev}.100/0/64
+ '';
+ };
+ systemd.services.dhcpcd.preStart = lib.mkAfter ''
+ ${pkgs.iproute}/bin/ip link set dev ${wan-dev} address ${config.networking.interfaces.${wan-dev}.macAddress};
+ '';
+
+ services.dnsmasq = {
+ enable = true;
+ servers = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ];
+ extraConfig = ''
+ port=0
+ dhcp-authoritative
+ dhcp-range=10.65.30.100,10.65.30.255,255.255.255.0,24h
+ dhcp-option=option:router,10.65.30.1
+ dhcp-option=option:dns-server,1.1.1.1,8.8.8.8,8.8.4.4
+ dhcp-option=option:netmask,255.255.255.0
+
+ dhcp-range=::,constructor:${lan-dev}.100,slaac,off-link
+ '';
+ };
+
+ networking.sits.he0 = {
+ dev = wan-dev;
+ local = "74.73.86.185";
+ remote = "209.51.161.14";
+ };
+
+ networking.iproute2.enable = true;
+ networking.iproute2.rttablesExtraConfig = ''
+ 200 he
+ '';
+
+ networking.localCommands = ''
+ ip -6 rule add from 2001:470:8e2e::/48 lookup he prio 0 || true
+ ip -6 route flush cache
+ ip -6 route replace default dev he0 src 2001:470:8e2e:20::d table he
+ ip -6 route flush cache
+ '';
+
+ # boot.kernel.sysctl."net.ipv6.conf.${wan-dev}.disable_ipv6" = true;
+
+ networking.interfaces.${wan-dev} = {
+ macAddress = "3c:97:0e:19:7e:5c";
+ useDHCP = true;
+ };
+
+ networking.interfaces.he0.ipv6 = {
+ addresses = [
+ { address = "2001:470:1f06:1195::2"; prefixLength = 64; }
+ { address = "2001:470:8e2e:20::d"; prefixLength = 64; }
+ ];
+ # routes = [{ address = "::"; prefixLength = 0; }];
+ };
+
+ networking.interfaces."${lan-dev}".useDHCP = false;
+ networking.interfaces."${lan-dev}.255".useDHCP = true;
+ networking.interfaces."${lan-dev}.100" = {
+ ipv4.addresses = [ {
+ address = "10.65.30.1";
+ prefixLength = 24;
+ } ];
+ useDHCP = false;
+ };
+ networking.interfaces."${lan-dev}.30" = {
+ ipv4.addresses = [ {
+ address = "10.64.30.1";
+ prefixLength = 24;
+ } ];
+ useDHCP = false;
+ };
+}
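Review bot: `proto (udp udp) dport dhcpv6-client ACCEPT;` in the INPUT chain repeats `udp` where the neighbouring rules use `(tcp udp)`, and like `proto 41 ACCEPT;` two lines below it carries no `interface` match, so both are open on the LAN VLANs as well as the WAN side. Protocol 41 is IPv4 carrying IPv6 and the tunnel peer is fixed later in the same file (`remote = "209.51.161.14"`), so the rule can leave the `(ip ip6)` block and be pinned: `domain ip table filter chain INPUT { interface ${wan-dev} saddr 209.51.161.14 proto 41 ACCEPT; }`, with the DHCPv6 line becoming `interface $DEV_WAN proto udp dport dhcpv6-client ACCEPT;`. The commented-out hostapd block still carries the literal `wpaPassphrase` value that the deleted ap.nix had; if the block is kept as a template, the value should be a placeholder and the real one read from outside the store, as `services.ddclient.configFile` already does. `$DEV_LAN` covers only the `.100` and `.255` VLANs while `${lan-dev}.30` is also given an address, which may be intended, but a comment saying why VLAN 30 gets no INPUT or FORWARD rules would help.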
diff --git a/config/web-server.nix b/config/web-server.nix
index 5f1ae53..fed0814 100644
--- a/config/web-server.nix
+++ b/config/web-server.nix
@@ -10,6 +10,10 @@
security.acme.email = "kj@orbekk.com";
networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ # I'm storing web files in /home.
+ systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
+
services.nginx = {
enable = true;
package = pkgs.nginxStable.override {
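Review bot: `ProtectHome = "read-only"` still mounts every user's home directory into nginx's namespace, which is wider than the comment "I'm storing web files in /home" needs. systemd documents `ProtectHome = "tmpfs"` for exactly this case, paired with `BindReadOnlyPaths = [ "/home/<user>/<webroot>" ];` (placeholder path, since the directory is not visible in this diff) so only the served tree is exposed. Either way the comment should name which directory under /home nginx reads, because the vhost roots visible elsewhere in the file are under /storage/srv; the enclosing `services.nginx` attribute set continues past the hunk.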
@@ -27,6 +31,9 @@
forceSSL = true;
};
in {
+ "tommvo.com" = template // {
+ root = "/storage/srv/tommvo.com";
+ };
"orbekk.no" = template // {
root = "/storage/srv/orbekk.com";
};
@@ -89,9 +96,9 @@
# auth_basic_user_file /opt/site/hledger-htpasswd;
# '';
# };
- locations."/_matrix" = {
- proxyPass = "http://10.0.20.15:11102";
- };
+ #locations."/_matrix" = {
+ # proxyPass = "http://10.0.20.15:11102";
+ #};
};
"ympd.orbekk.com" = template // {
locations."/" = {
@@ -99,13 +106,13 @@
};
};
"git.orbekk.com" = template // {
- locations."/".proxyPass = "http://10.0.20.2:11103";
- };
- "hydra.orbekk.com" = template // {
- locations."/" = {
- proxyPass = "http://10.0.20.2:11101";
- };
+ locations."/".proxyPass = "http://localhost:11103";
};
+ # "hydra.orbekk.com" = template // {
+ # locations."/" = {
+ # proxyPass = "http://10.0.20.2:11101";
+ # };
+ # };
"kufieta.net" = template // {
locations."/".proxyPass = "http://10.0.20.13:8080";
};