diff --git a/systems/LoutreOS/configuration.nix b/systems/LoutreOS/configuration.nix index ccb68d8..330a373 100644 --- a/systems/LoutreOS/configuration.nix +++ b/systems/LoutreOS/configuration.nix @@ -1,7 +1,3 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - { config, pkgs, inputs, ... }: { @@ -9,6 +5,7 @@ "${inputs.nixpkgs-unstable}/nixos/modules/services/misc/flaresolverr.nix" ../common-cli.nix ./hardware-configuration.nix + ./network.nix ./users.nix ./services.nix ]; @@ -25,8 +22,6 @@ tmp.useTmpfs = true; - kernel.sysctl."net.ipv6.conf.all.forwarding" = true; - # Enabling both boot.enableContainers & virtualisation.containers on system.stateVersion < 22.05 is unsupported enableContainers = false; }; @@ -41,180 +36,6 @@ }; }; - hardware.usb-modeswitch.enable = true; - - # eno1 -> VLAN100 -> Internet - # eno2 -> LAN - # eno3 -> Legacy client DHCP - # eno4 -> Pas utilisé - - networking = { - hostName = "loutreos"; # Define your hostname. - hostId = "7e66e347"; - - hosts = { - "127.0.0.1" = [ "gitea.nyanlout.re" ]; - }; - - useNetworkd = true; - useDHCP = false; - - vlans = { - bouygues = { - id = 100; - interface = "eno1"; - }; - }; - - interfaces = { - bouygues = { - # Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303 - macAddress = "E8:AD:A6:21:73:68"; - useDHCP = true; - }; - eno2 = { - ipv4.addresses = [ - { address = "10.30.0.1"; prefixLength = 16; } - ]; - }; - enp0s21u1.useDHCP = true; - }; - - # NAT bouygues <-> eno2 - nat = { - enable = true; - externalInterface = "bouygues"; - # Permet d'utiliser le SNAT plus rapide au lieu de MASQUERADE - # externalIP = "0.0.0.0"; - internalIPs = [ "10.30.0.0/16" ]; - internalInterfaces = [ "eno2" ]; - forwardPorts = [ - { destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;} - { destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];} - ]; - }; - - firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ ]; - interfaces.eno2 = { - allowedTCPPorts = [ - 111 2049 4000 4001 4002 # NFS - 3483 9000 9090 # Slimserver - 1935 # RTMP - ]; - allowedUDPPorts = [ - 111 2049 4000 4001 4002 # NFS - 3483 # Slimserver - 67 # DHCP - ]; - }; - extraCommands = '' - ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true - ip6tables -w -F loutreos-forward 2>/dev/null || true - ip6tables -w -X loutreos-forward 2>/dev/null || true - ip6tables -w -N loutreos-forward - ip6tables -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT - ip6tables -A loutreos-forward -j ACCEPT -i eno2 - ip6tables -A loutreos-forward -j nixos-fw-log-refuse - ip6tables -w -A FORWARD -j loutreos-forward - - # Redirect local network request from server external IP to internal IP - # Make the server available even without internet access - iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 || true - iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 - ''; - # remove refs to nixos-fw-log-refuse before restarting firewall - # prevents "ressource busy" errors - extraStopCommands = '' - ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true - ''; - }; - }; - - systemd.network.networks = { - "40-bouygues" = { - dhcpV4Config.RouteMetric = 1; - dhcpV6Config = { - DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68"; - WithoutRA = "solicit"; - }; - ipv6AcceptRAConfig.DHCPv6Client = true; - networkConfig = { - KeepConfiguration = "dhcp-on-stop"; - IPv6AcceptRA = true; - DHCPPrefixDelegation = true; - }; - dhcpPrefixDelegationConfig.SubnetId = "0"; - }; - "40-eno1".linkConfig.RequiredForOnline = "no"; - "40-eno2" = { - networkConfig = { - IPv6SendRA = true; - DHCPPrefixDelegation = true; - DHCPServer = true; - }; - dhcpServerConfig = { - # MIN = 10.30.100.0 - #PoolOffset = 25500; - # MAX = 10.30.200.0 - #PoolSize = 25500; - EmitRouter = true; - EmitDNS = true; - DNS = [ - "1.1.1.1" - "1.0.0.1" - ]; - }; - dhcpServerStaticLeases = [ - # IPMI - { - dhcpServerStaticLeaseConfig = { - Address = "10.30.1.1"; - MACAddress = "ac:1f:6b:4b:01:15"; - }; - } - # paul-fixe - { - dhcpServerStaticLeaseConfig = { - Address = "10.30.50.1"; - MACAddress = "b4:2e:99:ed:24:26"; - }; - } - # salonled - { - dhcpServerStaticLeaseConfig = { - Address = "10.30.40.1"; - MACAddress = "e0:98:06:85:e9:ce"; - }; - } - # miroir-bleu - { - dhcpServerStaticLeaseConfig = { - Address = "10.30.40.2"; - MACAddress = "e0:98:06:86:38:fc"; - }; - } - # miroir-orange - { - dhcpServerStaticLeaseConfig = { - Address = "10.30.40.3"; - MACAddress = "50:02:91:78:be:be"; - }; - } - ]; - ipv6SendRAConfig = { - EmitDNS = true; - DNS = [ - "2606:4700:4700::1111" - "2606:4700:4700::1001" - ]; - }; - }; - "40-enp0s21u1".dhcpV4Config.RouteMetric = 1024; - }; - services.openssh = { enable = true; settings = { diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix new file mode 100644 index 0000000..141298b --- /dev/null +++ b/systems/LoutreOS/network.nix @@ -0,0 +1,306 @@ +{ config, pkgs, inputs, ... }: + +{ + boot = { + kernel.sysctl."net.ipv6.conf.all.forwarding" = true; + }; + + # Enable LTE drivers + hardware.usb-modeswitch.enable = true; + + ################## + # NETWORK CONFIG # + ################## + + # eno1 -> VLAN100 -> Internet + # eno2 -> LAN + # eno3 -> Pas utilisé + # eno4 -> Pas utilisé + # enp0s21u1 -> Clé 4G Bouygues + # wg0 -> Tunnel Wireguard ARN + + networking = { + hostName = "loutreos"; # Define your hostname. + hostId = "7e66e347"; + + useNetworkd = true; + useDHCP = false; + + nameservers = [ + "1.1.1.1" + "1.0.0.1" + ]; + + vlans = { + bouygues = { + id = 100; + interface = "eno1"; + }; + }; + + interfaces = { + bouygues = { + # Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303 + macAddress = "E8:AD:A6:21:73:68"; + useDHCP = true; + }; + eno2 = { + ipv4.addresses = [ + { address = "10.30.0.1"; prefixLength = 16; } + ]; + }; + enp0s21u1.useDHCP = true; + }; + + # NAT bouygues <-> eno2 + nat = { + enable = true; + externalInterface = "bouygues"; + internalIPs = [ "10.30.0.0/16" ]; + internalInterfaces = [ "eno2" ]; + forwardPorts = [ + { destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;} + { destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];} + ]; + }; + + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ ]; + + # Open ports on local netwok only + interfaces.eno2 = { + allowedTCPPorts = [ + 111 2049 4000 4001 4002 # NFS + 3483 9000 9090 # Slimserver + 1935 # RTMP + ]; + allowedUDPPorts = [ + 111 2049 4000 4001 4002 # NFS + 3483 # Slimserver + 67 # DHCP + ]; + }; + + extraCommands = '' + # Forward all IPv6 traffic from local network and reject incoming traffic + ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true + ip6tables -w -F loutreos-forward 2>/dev/null || true + ip6tables -w -X loutreos-forward 2>/dev/null || true + ip6tables -w -N loutreos-forward + ip6tables -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT + ip6tables -A loutreos-forward -j ACCEPT -i eno2 + ip6tables -A loutreos-forward -j nixos-fw-log-refuse + ip6tables -w -A FORWARD -j loutreos-forward + + # Redirect local network request from server external IP to internal IP + # Make the server available even without internet access + iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 || true + iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 + ''; + # remove refs to nixos-fw-log-refuse before restarting firewall + # prevents "ressource busy" errors + extraStopCommands = '' + ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true + ''; + }; + }; + + systemd.services.systemd-networkd.serviceConfig = { + LoadCredential = [ + "network.wireguard.private.wg0:/mnt/secrets/wireguard/wireguard.private" + "network.wireguard.preshared.wg0:/mnt/secrets/wireguard/wireguard.preshared" + ]; + }; + + systemd.network = let + routeTables = { + vpn = 3; + }; + in { + enable = true; + + config = { + inherit routeTables; + addRouteTablesToIPRoute2 = true; + }; + + # Wireguard ARN device configuation + netdevs = { + "10-wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + MTUBytes = "1450"; + }; + wireguardConfig = { + PrivateKeyFile = "/run/credentials/systemd-networkd.service/network.wireguard.private.wg0"; + # Wait for 24.11 + # PrivateKey = "@network.wireguard.private.wg0"; + RouteTable = routeTables.vpn; + }; + wireguardPeers = [ + { + wireguardPeerConfig = { + Endpoint = "89.234.141.83:8095"; + PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g="; + PresharedKeyFile = "/run/credentials/systemd-networkd.service/network.wireguard.preshared.wg0"; + # Wait for 24.11 + # PresharedKey = "@network.wireguard.preshared.wg0"; + AllowedIPs = ["0.0.0.0/0" "::/0"]; + PersistentKeepalive = 15; + }; + } + ]; + }; + }; + + networks = { + ######### + # FIBER # + ######### + + # Set route metric to highest priority + # Set DHCP client magic settings for Bouygues + "40-bouygues" = { + dhcpV4Config.RouteMetric = 1; + + dhcpV6Config = { + DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68"; + WithoutRA = "solicit"; + }; + + ipv6AcceptRAConfig.DHCPv6Client = true; + + networkConfig = { + KeepConfiguration = "dhcp-on-stop"; + IPv6AcceptRA = true; + DHCPPrefixDelegation = true; + }; + + # Static attribution of first IPv6 subnet + dhcpPrefixDelegationConfig.SubnetId = "0"; + }; + + # Don't check VLAN physical interface as it is not directly used + "40-eno1".linkConfig.RequiredForOnline = "no"; + + ####### + # LTE # + ####### + + # Set LTE route to lower priority + "40-enp0s21u1".dhcpV4Config.RouteMetric = 1024; + + ####### + # VPN # + ####### + + # Wireguard ARN network configuation + "10-wg0" = let + vpnIPv4 = "89.234.141.196/32"; + vpnIPv6 = "2a00:5881:8119:400::1/128"; + in { + matchConfig.Name = "wg0"; + address = [ + vpnIPv4 + vpnIPv6 + ]; + routingPolicyRules = [ + # Route outgoing emails to VPN table + { + routingPolicyRuleConfig = { + IncomingInterface = "lo"; + DestinationPort = "25"; + Table = routeTables.vpn; + Priority = 50; + Family = "both"; + }; + } + # Route packets originating from wg0 device to VPN table + # Allow server to respond on the wg0 interface requests + { + routingPolicyRuleConfig = { + From = vpnIPv4; + Table = routeTables.vpn; + Priority = 49; + }; + } + { + routingPolicyRuleConfig = { + From = vpnIPv6; + Table = routeTables.vpn; + Priority = 49; + }; + } + ]; + }; + + ####### + # LAN # + ####### + + # LAN DHCP server config + "40-eno2" = { + networkConfig = { + IPv6SendRA = true; + DHCPPrefixDelegation = true; + DHCPServer = true; + }; + dhcpServerConfig = { + EmitRouter = true; + EmitDNS = true; + DNS = [ + "1.1.1.1" + "1.0.0.1" + ]; + }; + dhcpServerStaticLeases = [ + # IPMI + { + dhcpServerStaticLeaseConfig = { + Address = "10.30.1.1"; + MACAddress = "ac:1f:6b:4b:01:15"; + }; + } + # paul-fixe + { + dhcpServerStaticLeaseConfig = { + Address = "10.30.50.1"; + MACAddress = "b4:2e:99:ed:24:26"; + }; + } + # salonled + { + dhcpServerStaticLeaseConfig = { + Address = "10.30.40.1"; + MACAddress = "e0:98:06:85:e9:ce"; + }; + } + # miroir-bleu + { + dhcpServerStaticLeaseConfig = { + Address = "10.30.40.2"; + MACAddress = "e0:98:06:86:38:fc"; + }; + } + # miroir-orange + { + dhcpServerStaticLeaseConfig = { + Address = "10.30.40.3"; + MACAddress = "50:02:91:78:be:be"; + }; + } + ]; + ipv6SendRAConfig = { + EmitDNS = true; + DNS = [ + "2606:4700:4700::1111" + "2606:4700:4700::1001" + ]; + }; + }; + }; + }; +} diff --git a/systems/LoutreOS/services.nix b/systems/LoutreOS/services.nix index e4f0e79..fac5b6c 100644 --- a/systems/LoutreOS/services.nix +++ b/systems/LoutreOS/services.nix @@ -77,14 +77,14 @@ in }; services = { - postfix = { - relayHost = "mailvps.nyanlout.re"; - relayPort = 587; - config = { - smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt"; - smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key"; - }; - }; + # postfix = { + # relayHost = "mailvps.nyanlout.re"; + # relayPort = 587; + # config = { + # smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt"; + # smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key"; + # }; + # }; rspamd.workers.controller.extraConfig = '' secure_ip = ["0.0.0.0/0", "::"];