diff --git a/systems/LoutreOS/configuration.nix b/systems/LoutreOS/configuration.nix
index 330a373..ccb68d8 100644
--- a/systems/LoutreOS/configuration.nix
+++ b/systems/LoutreOS/configuration.nix
@@ -1,3 +1,7 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
 { config, pkgs, inputs, ... }:
 
 {
@@ -5,7 +9,6 @@
 "${inputs.nixpkgs-unstable}/nixos/modules/services/misc/flaresolverr.nix"
 ../common-cli.nix
 ./hardware-configuration.nix
- ./network.nix
 ./users.nix
 ./services.nix
 ];
@@ -22,6 +25,8 @@
 tmp.useTmpfs = true;
 
+ kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
+
 # Enabling both boot.enableContainers & virtualisation.containers on system.stateVersion < 22.05 is unsupported
 enableContainers = false;
 };
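Review bot: The added `kernel.sysctl."net.ipv6.conf.all.forwarding" = true;` carries no comment saying why forwarding is enabled host-wide or what filters the forwarded traffic; the FORWARD policy that pairs with it (the `loutreos-forward` chain) sits in `networking.firewall.extraCommands` much further down this same file, so a reader of this hunk cannot tell the two are meant to go together. Suggest `# IPv6 routing for the eno2 LAN; forwarded traffic is filtered by the loutreos-forward chain in networking.firewall.extraCommands below`. The enclosing `boot = { ... }` attrset opens before this hunk.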
@@ -36,6 +41,180 @@
 };
 };
 
+ hardware.usb-modeswitch.enable = true;
+
+ # eno1 -> VLAN100 -> Internet
+ # eno2 -> LAN
+ # eno3 -> Legacy client DHCP
+ # eno4 -> Pas utilisé
+
+ networking = {
+ hostName = "loutreos"; # Define your hostname.
+ hostId = "7e66e347";
+
+ hosts = {
+ "127.0.0.1" = [ "gitea.nyanlout.re" ];
+ };
+
+ useNetworkd = true;
+ useDHCP = false;
+
+ vlans = {
+ bouygues = {
+ id = 100;
+ interface = "eno1";
+ };
+ };
+
+ interfaces = {
+ bouygues = {
+ # Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303
+ macAddress = "E8:AD:A6:21:73:68";
+ useDHCP = true;
+ };
+ eno2 = {
+ ipv4.addresses = [
+ { address = "10.30.0.1"; prefixLength = 16; }
+ ];
+ };
+ enp0s21u1.useDHCP = true;
+ };
+
+ # NAT bouygues <-> eno2
+ nat = {
+ enable = true;
+ externalInterface = "bouygues";
+ # Permet d'utiliser le SNAT plus rapide au lieu de MASQUERADE
+ # externalIP = "0.0.0.0";
+ internalIPs = [ "10.30.0.0/16" ];
+ internalInterfaces = [ "eno2" ];
+ forwardPorts = [
+ { destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;}
+ { destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];}
+ ];
+ };
+
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPorts = [ ];
+ interfaces.eno2 = {
+ allowedTCPPorts = [
+ 111 2049 4000 4001 4002 # NFS
+ 3483 9000 9090 # Slimserver
+ 1935 # RTMP
+ ];
+ allowedUDPPorts = [
+ 111 2049 4000 4001 4002 # NFS
+ 3483 # Slimserver
+ 67 # DHCP
+ ];
+ };
+ extraCommands = ''
+ ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true
+ ip6tables -w -F loutreos-forward 2>/dev/null || true
+ ip6tables -w -X loutreos-forward 2>/dev/null || true
+ ip6tables -w -N loutreos-forward
+ ip6tables -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
+ ip6tables -A loutreos-forward -j ACCEPT -i eno2
+ ip6tables -A loutreos-forward -j nixos-fw-log-refuse
+ ip6tables -w -A FORWARD -j loutreos-forward
+
+ # Redirect local network request from server external IP to internal IP
+ # Make the server available even without internet access
+ iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 || true
+ iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1
+ '';
+ # remove refs to nixos-fw-log-refuse before restarting firewall
+ # prevents "ressource busy" errors
+ extraStopCommands = ''
+ ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true
+ '';
+ };
+ };
+
+ systemd.network.networks = {
+ "40-bouygues" = {
+ dhcpV4Config.RouteMetric = 1;
+ dhcpV6Config = {
+ DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
+ WithoutRA = "solicit";
+ };
+ ipv6AcceptRAConfig.DHCPv6Client = true;
+ networkConfig = {
+ KeepConfiguration = "dhcp-on-stop";
+ IPv6AcceptRA = true;
+ DHCPPrefixDelegation = true;
+ };
+ dhcpPrefixDelegationConfig.SubnetId = "0";
+ };
+ "40-eno1".linkConfig.RequiredForOnline = "no";
+ "40-eno2" = {
+ networkConfig = {
+ IPv6SendRA = true;
+ DHCPPrefixDelegation = true;
+ DHCPServer = true;
+ };
+ dhcpServerConfig = {
+ # MIN = 10.30.100.0
+ #PoolOffset = 25500;
+ # MAX = 10.30.200.0
+ #PoolSize = 25500;
+ EmitRouter = true;
+ EmitDNS = true;
+ DNS = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
+ };
+ dhcpServerStaticLeases = [
+ # IPMI
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.1.1";
+ MACAddress = "ac:1f:6b:4b:01:15";
+ };
+ }
+ # paul-fixe
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.50.1";
+ MACAddress = "b4:2e:99:ed:24:26";
+ };
+ }
+ # salonled
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.40.1";
+ MACAddress = "e0:98:06:85:e9:ce";
+ };
+ }
+ # miroir-bleu
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.40.2";
+ MACAddress = "e0:98:06:86:38:fc";
+ };
+ }
+ # miroir-orange
+ {
+ dhcpServerStaticLeaseConfig = {
+ Address = "10.30.40.3";
+ MACAddress = "50:02:91:78:be:be";
+ };
+ }
+ ];
+ ipv6SendRAConfig = {
+ EmitDNS = true;
+ DNS = [
+ "2606:4700:4700::1111"
+ "2606:4700:4700::1001"
+ ];
+ };
+ };
+ "40-enp0s21u1".dhcpV4Config.RouteMetric = 1024;
+ };
+
 services.openssh = {
 enable = true;
 settings = {
diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix
deleted file mode 100644
index 141298b..0000000
--- a/systems/LoutreOS/network.nix
+++ /dev/null
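Review bot: In the moved `extraCommands`, the three rule insertions `ip6tables -A loutreos-forward ...` run without `-w` while the surrounding `-D`/`-F`/`-X`/`-N` calls and the final `-A FORWARD` do; if another process holds the xtables lock at that moment those three calls fail instead of waiting, and they are exactly the rules that decide which forwarded IPv6 traffic is accepted or logged and refused, so all of them should read `ip6tables -w -A loutreos-forward ...`. The interface map above `networking` now lists `eno3 -> Legacy client DHCP` although no `eno3` configuration appears in this file, while `enp0s21u1`, still configured through `interfaces.enp0s21u1.useDHCP` and `"40-enp0s21u1"`, is no longer described; the comment should reflect what is actually configured. The WireGuard netdev and the routing-policy rules that steered outbound port 25 into the VPN table existed only in the deleted network.nix and nothing in this hunk recreates them, so SMTP now leaves via the default route — presumably intentional given the relay settings in services.nix, but a comment here saying so would keep the policy change from being silent. `176.180.172.105` in the DNAT hairpin and `195.36.180.44` in `loopbackIPs` are two different public addresses, so at least one of them is likely stale if the WAN address is dynamic. The enclosing module attrset opens before the hunk and `services.openssh` is left open at its end.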
@@ -1,306 +0,0 @@
-{ config, pkgs, inputs, ... }:
-
- {
- boot = {
- kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
- };
-
- # Enable LTE drivers
- hardware.usb-modeswitch.enable = true;
-
- ##################
- # NETWORK CONFIG #
- ##################
-
- # eno1 -> VLAN100 -> Internet
- # eno2 -> LAN
- # eno3 -> Pas utilisé
- # eno4 -> Pas utilisé
- # enp0s21u1 -> Clé 4G Bouygues
- # wg0 -> Tunnel Wireguard ARN
-
- networking = {
- hostName = "loutreos"; # Define your hostname.
- hostId = "7e66e347";
-
- useNetworkd = true;
- useDHCP = false;
-
- nameservers = [
- "1.1.1.1"
- "1.0.0.1"
- ];
-
- vlans = {
- bouygues = {
- id = 100;
- interface = "eno1";
- };
- };
-
- interfaces = {
- bouygues = {
- # Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303
- macAddress = "E8:AD:A6:21:73:68";
- useDHCP = true;
- };
- eno2 = {
- ipv4.addresses = [
- { address = "10.30.0.1"; prefixLength = 16; }
- ];
- };
- enp0s21u1.useDHCP = true;
- };
-
- # NAT bouygues <-> eno2
- nat = {
- enable = true;
- externalInterface = "bouygues";
- internalIPs = [ "10.30.0.0/16" ];
- internalInterfaces = [ "eno2" ];
- forwardPorts = [
- { destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;}
- { destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];}
- ];
- };
-
- firewall = {
- enable = true;
- allowedTCPPorts = [ 80 443 ];
- allowedUDPPorts = [ ];
-
- # Open ports on local netwok only
- interfaces.eno2 = {
- allowedTCPPorts = [
- 111 2049 4000 4001 4002 # NFS
- 3483 9000 9090 # Slimserver
- 1935 # RTMP
- ];
- allowedUDPPorts = [
- 111 2049 4000 4001 4002 # NFS
- 3483 # Slimserver
- 67 # DHCP
- ];
- };
-
- extraCommands = ''
- # Forward all IPv6 traffic from local network and reject incoming traffic
- ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true
- ip6tables -w -F loutreos-forward 2>/dev/null || true
- ip6tables -w -X loutreos-forward 2>/dev/null || true
- ip6tables -w -N loutreos-forward
- ip6tables -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
- ip6tables -A loutreos-forward -j ACCEPT -i eno2
- ip6tables -A loutreos-forward -j nixos-fw-log-refuse
- ip6tables -w -A FORWARD -j loutreos-forward
-
- # Redirect local network request from server external IP to internal IP
- # Make the server available even without internet access
- iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 || true
- iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1
- '';
- # remove refs to nixos-fw-log-refuse before restarting firewall
- # prevents "ressource busy" errors
- extraStopCommands = ''
- ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true
- '';
- };
- };
-
- systemd.services.systemd-networkd.serviceConfig = {
- LoadCredential = [
- "network.wireguard.private.wg0:/mnt/secrets/wireguard/wireguard.private"
- "network.wireguard.preshared.wg0:/mnt/secrets/wireguard/wireguard.preshared"
- ];
- };
-
- systemd.network = let
- routeTables = {
- vpn = 3;
- };
- in {
- enable = true;
-
- config = {
- inherit routeTables;
- addRouteTablesToIPRoute2 = true;
- };
-
- # Wireguard ARN device configuation
- netdevs = {
- "10-wg0" = {
- netdevConfig = {
- Kind = "wireguard";
- Name = "wg0";
- MTUBytes = "1450";
- };
- wireguardConfig = {
- PrivateKeyFile = "/run/credentials/systemd-networkd.service/network.wireguard.private.wg0";
- # Wait for 24.11
- # PrivateKey = "@network.wireguard.private.wg0";
- RouteTable = routeTables.vpn;
- };
- wireguardPeers = [
- {
- wireguardPeerConfig = {
- Endpoint = "89.234.141.83:8095";
- PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g=";
- PresharedKeyFile = "/run/credentials/systemd-networkd.service/network.wireguard.preshared.wg0";
- # Wait for 24.11
- # PresharedKey = "@network.wireguard.preshared.wg0";
- AllowedIPs = ["0.0.0.0/0" "::/0"];
- PersistentKeepalive = 15;
- };
- }
- ];
- };
- };
-
- networks = {
- #########
- # FIBER #
- #########
-
- # Set route metric to highest priority
- # Set DHCP client magic settings for Bouygues
- "40-bouygues" = {
- dhcpV4Config.RouteMetric = 1;
-
- dhcpV6Config = {
- DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
- WithoutRA = "solicit";
- };
-
- ipv6AcceptRAConfig.DHCPv6Client = true;
-
- networkConfig = {
- KeepConfiguration = "dhcp-on-stop";
- IPv6AcceptRA = true;
- DHCPPrefixDelegation = true;
- };
-
- # Static attribution of first IPv6 subnet
- dhcpPrefixDelegationConfig.SubnetId = "0";
- };
-
- # Don't check VLAN physical interface as it is not directly used
- "40-eno1".linkConfig.RequiredForOnline = "no";
-
- #######
- # LTE #
- #######
-
- # Set LTE route to lower priority
- "40-enp0s21u1".dhcpV4Config.RouteMetric = 1024;
-
- #######
- # VPN #
- #######
-
- # Wireguard ARN network configuation
- "10-wg0" = let
- vpnIPv4 = "89.234.141.196/32";
- vpnIPv6 = "2a00:5881:8119:400::1/128";
- in {
- matchConfig.Name = "wg0";
- address = [
- vpnIPv4
- vpnIPv6
- ];
- routingPolicyRules = [
- # Route outgoing emails to VPN table
- {
- routingPolicyRuleConfig = {
- IncomingInterface = "lo";
- DestinationPort = "25";
- Table = routeTables.vpn;
- Priority = 50;
- Family = "both";
- };
- }
- # Route packets originating from wg0 device to VPN table
- # Allow server to respond on the wg0 interface requests
- {
- routingPolicyRuleConfig = {
- From = vpnIPv4;
- Table = routeTables.vpn;
- Priority = 49;
- };
- }
- {
- routingPolicyRuleConfig = {
- From = vpnIPv6;
- Table = routeTables.vpn;
- Priority = 49;
- };
- }
- ];
- };
-
- #######
- # LAN #
- #######
-
- # LAN DHCP server config
- "40-eno2" = {
- networkConfig = {
- IPv6SendRA = true;
- DHCPPrefixDelegation = true;
- DHCPServer = true;
- };
- dhcpServerConfig = {
- EmitRouter = true;
- EmitDNS = true;
- DNS = [
- "1.1.1.1"
- "1.0.0.1"
- ];
- };
- dhcpServerStaticLeases = [
- # IPMI
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.1.1";
- MACAddress = "ac:1f:6b:4b:01:15";
- };
- }
- # paul-fixe
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.50.1";
- MACAddress = "b4:2e:99:ed:24:26";
- };
- }
- # salonled
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.40.1";
- MACAddress = "e0:98:06:85:e9:ce";
- };
- }
- # miroir-bleu
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.40.2";
- MACAddress = "e0:98:06:86:38:fc";
- };
- }
- # miroir-orange
- {
- dhcpServerStaticLeaseConfig = {
- Address = "10.30.40.3";
- MACAddress = "50:02:91:78:be:be";
- };
- }
- ];
- ipv6SendRAConfig = {
- EmitDNS = true;
- DNS = [
- "2606:4700:4700::1111"
- "2606:4700:4700::1001"
- ];
- };
- };
- };
- };
-}
diff --git a/systems/LoutreOS/services.nix b/systems/LoutreOS/services.nix
index fac5b6c..e4f0e79 100644
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@@ -77,14 +77,14 @@ in
 };
 services = {
- # postfix = {
- # relayHost = "mailvps.nyanlout.re";
- # relayPort = 587;
- # config = {
- # smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt";
- # smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key";
- # };
- # };
+ postfix = {
+ relayHost = "mailvps.nyanlout.re";
+ relayPort = 587;
+ config = {
+ smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt";
+ smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key";
+ };
+ };
 rspamd.workers.controller.extraConfig = ''
 secure_ip = ["0.0.0.0/0", "::"];