diff --git a/systems/LoutreOS/configuration.nix b/systems/LoutreOS/configuration.nix index 616c927..330a373 100644 --- a/systems/LoutreOS/configuration.nix +++ b/systems/LoutreOS/configuration.nix @@ -5,6 +5,7 @@ "${inputs.nixpkgs-unstable}/nixos/modules/services/misc/flaresolverr.nix" ../common-cli.nix ./hardware-configuration.nix + ./network.nix ./users.nix ./services.nix ]; @@ -21,8 +22,6 @@ tmp.useTmpfs = true; - kernel.sysctl."net.ipv6.conf.all.forwarding" = true; - # Enabling both boot.enableContainers & virtualisation.containers on system.stateVersion < 22.05 is unsupported enableContainers = false; }; 
@@ -37,258 +36,6 @@ }; }; - hardware.usb-modeswitch.enable = true; - - # eno1 -> VLAN100 -> Internet - # eno2 -> LAN - # eno3 -> Legacy client DHCP - # eno4 -> Pas utilisé - - networking = { - hostName = "loutreos"; # Define your hostname. - hostId = "7e66e347"; - - hosts = { - "127.0.0.1" = [ "gitea.nyanlout.re" ]; - }; - - useNetworkd = true; - useDHCP = false; - - nameservers = [ - "1.1.1.1" - "1.0.0.1" - ]; - - vlans = { - bouygues = { - id = 100; - interface = "eno1"; - }; - }; - - interfaces = { - bouygues = { - # Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303 - macAddress = "E8:AD:A6:21:73:68"; - useDHCP = true; - }; - eno2 = { - ipv4.addresses = [ - { address = "10.30.0.1"; prefixLength = 16; } - ]; - }; - enp0s21u1.useDHCP = true; - }; - - # NAT bouygues <-> eno2 - nat = { - enable = true; - externalInterface = "bouygues"; - # Permet d'utiliser le SNAT plus rapide au lieu de MASQUERADE - # externalIP = "0.0.0.0"; - internalIPs = [ "10.30.0.0/16" ]; - internalInterfaces = [ "eno2" ]; - forwardPorts = [ - { destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;} - { destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];} - ]; - }; - - firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ ]; - interfaces.eno2 = { - allowedTCPPorts = [ - 111 2049 4000 4001 4002 # NFS - 3483 9000 9090 # Slimserver - 1935 # RTMP - ]; - allowedUDPPorts = [ - 111 2049 4000 4001 4002 # NFS - 3483 # Slimserver - 67 # DHCP - ]; - }; - extraCommands = '' - ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true - ip6tables -w -F loutreos-forward 2>/dev/null || true - ip6tables -w -X loutreos-forward 2>/dev/null || true - ip6tables -w -N loutreos-forward - ip6tables -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT - ip6tables -A loutreos-forward -j ACCEPT -i eno2 - ip6tables -A loutreos-forward -j 
nixos-fw-log-refuse - ip6tables -w -A FORWARD -j loutreos-forward - - # Redirect local network request from server external IP to internal IP - # Make the server available even without internet access - iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 || true - iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 - ''; - # remove refs to nixos-fw-log-refuse before restarting firewall - # prevents "ressource busy" errors - extraStopCommands = '' - ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true - ''; - }; - }; - - systemd.network = { - enable = true; - - netdevs = { - "10-wg0" = { - netdevConfig = { - Kind = "wireguard"; - Name = "wg0"; - MTUBytes = "1450"; - }; - wireguardConfig = { - PrivateKeyFile = "/run/keys/wireguard-privkey"; - FirewallMark = 51820; - }; - wireguardPeers = [ - { - wireguardPeerConfig = { - Endpoint = "89.234.141.83:8095"; - PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g="; - PresharedKeyFile = "/run/keys/wireguard-psk.key"; - AllowedIPs = ["0.0.0.0/0" "::/0"]; - PersistentKeepalive = 15; - }; - } - ]; - }; - }; - - networks = { - "40-bouygues" = { - dhcpV4Config.RouteMetric = 1; - dhcpV6Config = { - DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68"; - WithoutRA = "solicit"; - }; - ipv6AcceptRAConfig.DHCPv6Client = true; - networkConfig = { - KeepConfiguration = "dhcp-on-stop"; - IPv6AcceptRA = true; - DHCPPrefixDelegation = true; - }; - dhcpPrefixDelegationConfig.SubnetId = "0"; - }; - "40-eno1".linkConfig.RequiredForOnline = "no"; - "10-wg0" = { - matchConfig.Name = "wg0"; - address = [ - "89.234.141.196/32" - "2a00:5881:8119:400::1/128" - ]; - # routingPolicyRules = [ - # { - # routingPolicyRuleConfig = { - # FirewallMark = "51820"; - # InvertRule = true; - # Table = "51820"; - # Priority = "10"; - # }; - # } - # { - # routingPolicyRuleConfig = { - # To = "10.0.0.0/8"; - # Priority = "9"; - # }; - # } - # { - # routingPolicyRuleConfig = 
{ - # To = "192.168.0.0/16"; - # Priority = "9"; - # }; - # } - # { - # routingPolicyRuleConfig = { - # To = "89.234.141.83/32"; - # Priority = "5"; - # }; - # } - # ]; - # routes = [ - # { - # routeConfig = { - # Destination = "0.0.0.0/0"; - # Table = 51820; - # }; - # } - # ]; - }; - "40-eno2" = { - networkConfig = { - IPv6SendRA = true; - DHCPPrefixDelegation = true; - DHCPServer = true; - }; - dhcpServerConfig = { - # MIN = 10.30.100.0 - #PoolOffset = 25500; - # MAX = 10.30.200.0 - #PoolSize = 25500; - EmitRouter = true; - EmitDNS = true; - DNS = [ - "1.1.1.1" - "1.0.0.1" - ]; - }; - dhcpServerStaticLeases = [ - # IPMI - { - dhcpServerStaticLeaseConfig = { - Address = "10.30.1.1"; - MACAddress = "ac:1f:6b:4b:01:15"; - }; - } - # paul-fixe - { - dhcpServerStaticLeaseConfig = { - Address = "10.30.50.1"; - MACAddress = "b4:2e:99:ed:24:26"; - }; - } - # salonled - { - dhcpServerStaticLeaseConfig = { - Address = "10.30.40.1"; - MACAddress = "e0:98:06:85:e9:ce"; - }; - } - # miroir-bleu - { - dhcpServerStaticLeaseConfig = { - Address = "10.30.40.2"; - MACAddress = "e0:98:06:86:38:fc"; - }; - } - # miroir-orange - { - dhcpServerStaticLeaseConfig = { - Address = "10.30.40.3"; - MACAddress = "50:02:91:78:be:be"; - }; - } - ]; - ipv6SendRAConfig = { - EmitDNS = true; - DNS = [ - "2606:4700:4700::1111" - "2606:4700:4700::1001" - ]; - }; - }; - # Set 4G connection as low routing priority - "40-enp0s21u1".dhcpV4Config.RouteMetric = 1024; - }; - }; - services.openssh = { enable = true; settings = { diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix new file mode 100644 index 0000000..0f83980 --- /dev/null +++ b/systems/LoutreOS/network.nix 
@@ -0,0 +1,309 @@ +{ config, pkgs, inputs, ... }: + +{ + boot = { + kernel.sysctl."net.ipv6.conf.all.forwarding" = true; + }; + + # Enable LTE drivers + hardware.usb-modeswitch.enable = true; + + ################## + # NETWORK CONFIG # + ################## + + # eno1 -> VLAN100 -> Internet + # eno2 -> LAN + # eno3 -> Pas utilisé + # eno4 -> Pas utilisé + # enp0s21u1 -> Clé 4G Bouygues + # wg0 -> Tunnel Wireguard ARN + + networking = { + hostName = "loutreos"; # Define your hostname. + hostId = "7e66e347"; + + useNetworkd = true; + useDHCP = false; + + nameservers = [ + "1.1.1.1" + "1.0.0.1" + ]; + + vlans = { + bouygues = { + id = 100; + interface = "eno1"; + }; + }; + + interfaces = { + bouygues = { + # Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303 + macAddress = "E8:AD:A6:21:73:68"; + useDHCP = true; + }; + eno2 = { + ipv4.addresses = [ + { address = "10.30.0.1"; prefixLength = 16; } + ]; + }; + enp0s21u1.useDHCP = true; + }; + + # NAT bouygues <-> eno2 + nat = { + enable = true; + externalInterface = "bouygues"; + internalIPs = [ "10.30.0.0/16" ]; + internalInterfaces = [ "eno2" ]; + forwardPorts = [ + { destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;} + { destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];} + ]; + }; + + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ ]; + + # Open ports on local netwok only + interfaces.eno2 = { + allowedTCPPorts = [ + 111 2049 4000 4001 4002 # NFS + 3483 9000 9090 # Slimserver + 1935 # RTMP + ]; + allowedUDPPorts = [ + 111 2049 4000 4001 4002 # NFS + 3483 # Slimserver + 67 # DHCP + ]; + }; + + extraCommands = '' + # Forward all IPv6 traffic from local network and reject incoming traffic + ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true + ip6tables -w -F loutreos-forward 2>/dev/null || true + ip6tables -w -X loutreos-forward 2>/dev/null || true + 
ip6tables -w -N loutreos-forward + ip6tables -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT + ip6tables -A loutreos-forward -j ACCEPT -i eno2 + ip6tables -A loutreos-forward -j nixos-fw-log-refuse + ip6tables -w -A FORWARD -j loutreos-forward + + # Redirect local network request from server external IP to internal IP + # Make the server available even without internet access + iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 || true + iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 + ''; + # remove refs to nixos-fw-log-refuse before restarting firewall + # prevents "ressource busy" errors + extraStopCommands = '' + ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true + ''; + }; + }; + + ################# + # ROUTING RULES # + ################# + + # 0: from all lookup local + # 50: from all ipproto tcp dport 25 lookup vpn + # 100: from all lookup fiber + # 200: from all lookup lte + # 32766: from all lookup main + # 32767: from all lookup default + + systemd.network = { + enable = true; + + config = { + routeTables = { + fiber = 1; + lte = 2; + vpn = 3; + }; + addRouteTablesToIPRoute2 = true; + }; + + # Wireguard ARN device configuation + netdevs = { + "10-wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + MTUBytes = "1450"; + }; + wireguardConfig = { + PrivateKeyFile = "/run/keys/wireguard-privkey"; + RouteTable = "vpn"; + }; + wireguardPeers = [ + { + wireguardPeerConfig = { + Endpoint = "89.234.141.83:8095"; + PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g="; + PresharedKeyFile = "/run/keys/wireguard-psk.key"; + AllowedIPs = ["0.0.0.0/0" "::/0"]; + PersistentKeepalive = 15; + }; + } + ]; + }; + }; + + networks = { + ######### + # FIBER # + ######### + + # Set DHCP client magic settings for Bouygues + # Put routes in fiber table + "40-bouygues" = { + dhcpV4Config.RouteTable = "fiber"; + dhcpV6Config = { + DUIDRawData = 
"00:03:00:01:E8:AD:A6:21:73:68"; + WithoutRA = "solicit"; + }; + ipv6AcceptRAConfig = { + DHCPv6Client = true; + RouteTable = "fiber"; + }; + networkConfig = { + KeepConfiguration = "dhcp-on-stop"; + IPv6AcceptRA = true; + DHCPPrefixDelegation = true; + }; + # Static attribution of first IPv6 subnet + dhcpPrefixDelegationConfig.SubnetId = "0"; + + # Route everything to fiber link with a priority of 100 + routingPolicyRules = [ + { + routingPolicyRuleConfig = { + Table = "fiber"; + Priority = "100"; + Family = "both"; + }; + } + ]; + }; + + # Don't check VLAN physical interface as it is not directly used + "40-eno1".linkConfig.RequiredForOnline = "no"; + + ####### + # LTE # + ####### + + # Put routes in lte table + "40-enp0s21u1" = { + dhcpV4Config.RouteTable = "lte"; + + # Route all to lte link with a priority of 200 + routingPolicyRules = [ + { + routingPolicyRuleConfig = { + Table = "lte"; + Priority = "200"; + Family = "both"; + }; + } + ]; + }; + + ####### + # VPN # + ####### + + # Wireguard ARN network configuation + "10-wg0" = { + matchConfig.Name = "wg0"; + address = [ + "89.234.141.196/32" + "2a00:5881:8119:400::1/128" + ]; + routingPolicyRules = [ + # Route outgoing emails to VPN table + { + routingPolicyRuleConfig = { + DestinationPort = "25"; + Table = "vpn"; + Priority = "50"; + Family = "both"; + }; + } + ]; + }; + + ####### + # LAN # + ####### + + # LAN DHCP server config + "40-eno2" = { + networkConfig = { + IPv6SendRA = true; + DHCPPrefixDelegation = true; + DHCPServer = true; + }; + dhcpServerConfig = { + EmitRouter = true; + EmitDNS = true; + DNS = [ + "1.1.1.1" + "1.0.0.1" + ]; + }; + dhcpServerStaticLeases = [ + # IPMI + { + dhcpServerStaticLeaseConfig = { + Address = "10.30.1.1"; + MACAddress = "ac:1f:6b:4b:01:15"; + }; + } + # paul-fixe + { + dhcpServerStaticLeaseConfig = { + Address = "10.30.50.1"; + MACAddress = "b4:2e:99:ed:24:26"; + }; + } + # salonled + { + dhcpServerStaticLeaseConfig = { + Address = "10.30.40.1"; + MACAddress = 
"e0:98:06:85:e9:ce"; + }; + } + # miroir-bleu + { + dhcpServerStaticLeaseConfig = { + Address = "10.30.40.2"; + MACAddress = "e0:98:06:86:38:fc"; + }; + } + # miroir-orange + { + dhcpServerStaticLeaseConfig = { + Address = "10.30.40.3"; + MACAddress = "50:02:91:78:be:be"; + }; + } + ]; + ipv6SendRAConfig = { + EmitDNS = true; + DNS = [ + "2606:4700:4700::1111" + "2606:4700:4700::1001" + ]; + }; + }; + }; + }; +}
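Review bot: The port-25 policy rule at priority 50 in `"10-wg0"` is a `from all` rule, so SMTP forwarded from LAN hosts is steered into the `vpn` table as well, while `networking.nat` only masquerades on `bouygues`; those packets would leave wg0 with 10.30.0.0/16 source addresses unless the peer NATs for you. If only the router's own mail is meant to use the tunnel, restrict the rule to locally generated packets with `IncomingInterface = "lo";`; otherwise add `iptables -t nat -A nixos-nat-post -s 10.30.0.0/16 -o wg0 -j MASQUERADE` to `extraCommands` (the same question applies to LAN traffic that falls through to the `lte` table on enp0s21u1). The 25565 forward targets 10.30.135.35, which is not in `dhcpServerStaticLeases`, so after a lease change the Internet-exposed port can land on whichever host next receives that address; a static lease for that MAC would pin it. The two hard-coded WAN addresses (176.180.172.105 in the DNAT redirect, 195.36.180.44 in `loopbackIPs`) disagree with each other and both belong to a DHCP-assigned interface, so a comment such as `# WAN address is DHCP-assigned; keep this in sync with loopbackIPs and the current lease` would help the next maintainer. In the ip6tables rules, `-m state --state` is the legacy match; `-m conntrack --ctstate RELATED,ESTABLISHED` is the current form.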