# Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, ... }: { imports = [ ../common-cli.nix ./hardware-configuration.nix ./users.nix ./services.nix ]; nix.settings.trusted-users = [ "root" "paul" ]; boot = { loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; }; supportedFilesystems = [ "zfs" ]; tmp.useTmpfs = true; kernel.sysctl."net.ipv6.conf.all.forwarding" = true; }; documentation.nixos.enable = false; services.zfs = { autoSnapshot.enable = true; autoScrub = { enable = true; interval = "monthly"; }; }; hardware.usb-modeswitch.enable = true; # eno1 -> VLAN100 -> Internet # eno2 -> LAN # eno3 -> Legacy client DHCP # eno4 -> Pas utilisé networking = { hostName = "loutreos"; # Define your hostname. hostId = "7e66e347"; hosts = { "127.0.0.1" = [ "gitea.nyanlout.re" ]; }; useNetworkd = true; useDHCP = false; vlans = { bouygues = { id = 100; interface = "eno1"; }; }; interfaces = { bouygues = { # Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303 macAddress = "E8:AD:A6:21:73:68"; useDHCP = true; }; eno2 = { ipv4.addresses = [ { address = "10.30.0.1"; prefixLength = 16; } ]; }; enp0s21u1.useDHCP = true; }; # NAT bouygues <-> eno2 nat = { enable = true; externalInterface = "bouygues"; # Permet d'utiliser le SNAT plus rapide au lieu de MASQUERADE # externalIP = "0.0.0.0"; internalIPs = [ "10.30.0.0/16" ]; internalInterfaces = [ "eno2" ]; forwardPorts = [ { destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;} { destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];} ]; }; firewall = { enable = true; allowedTCPPorts = [ 80 443 ]; allowedUDPPorts = [ ]; interfaces.eno2 = { allowedTCPPorts = [ 111 2049 4000 4001 4002 # NFS 3483 9000 9090 # Slimserver 1935 # RTMP ]; allowedUDPPorts = [ 111 2049 4000 4001 4002 # NFS 3483 # Slimserver 67 # DHCP ]; }; extraCommands = '' ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true ip6tables -w -F loutreos-forward 2>/dev/null || true ip6tables -w -X loutreos-forward 2>/dev/null || true ip6tables -w -N loutreos-forward ip6tables -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT ip6tables -A loutreos-forward -j ACCEPT -i eno2 ip6tables -A loutreos-forward -j nixos-fw-log-refuse ip6tables -w -A FORWARD -j loutreos-forward # Redirect local network request from server external IP to internal IP # Make the server available even without internet access iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 || true iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 ''; # remove refs to nixos-fw-log-refuse before restarting firewall # prevents "ressource busy" errors extraStopCommands = '' ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true ''; }; }; systemd.network.networks = { "40-bouygues" = { dhcpV4Config.RouteMetric = 1; dhcpV6Config = { DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68"; WithoutRA = "solicit"; }; ipv6AcceptRAConfig.DHCPv6Client = true; networkConfig = { KeepConfiguration = "dhcp-on-stop"; IPv6AcceptRA = true; DHCPPrefixDelegation = true; }; dhcpPrefixDelegationConfig.SubnetId = "0"; }; "40-eno1".linkConfig.RequiredForOnline = "no"; "40-eno2" = { networkConfig = { IPv6SendRA = true; DHCPPrefixDelegation = true; DHCPServer = true; }; dhcpServerConfig = { # MIN = 10.30.100.0 #PoolOffset = 25500; # MAX = 10.30.200.0 #PoolSize = 25500; EmitRouter = true; EmitDNS = true; DNS = [ "1.1.1.1" "1.0.0.1" ]; }; dhcpServerStaticLeases = [ # IPMI { dhcpServerStaticLeaseConfig = { Address = "10.30.1.1"; MACAddress = "ac:1f:6b:4b:01:15"; }; } # paul-fixe { dhcpServerStaticLeaseConfig = { Address = "10.30.50.1"; MACAddress = "b4:2e:99:ed:24:26"; }; } # salonled { dhcpServerStaticLeaseConfig = { Address = "10.30.40.1"; MACAddress = "e0:98:06:85:e9:ce"; }; } # miroir-bleu { dhcpServerStaticLeaseConfig = { Address = "10.30.40.2"; MACAddress = "e0:98:06:86:38:fc"; }; } # miroir-orange { dhcpServerStaticLeaseConfig = { Address = "10.30.40.3"; MACAddress = "50:02:91:78:be:be"; }; } ]; ipv6SendRAConfig = { EmitDNS = true; DNS = [ "2606:4700:4700::1111" "2606:4700:4700::1001" ]; }; }; "40-enp0s21u1".dhcpV4Config.RouteMetric = 1024; }; nixpkgs.overlays = [ (import ../../overlays/transmission.nix) ]; services.openssh = { enable = true; settings = { PermitRootLogin = "no"; PasswordAuthentication = false; X11Forwarding = true; }; }; users = { groups.autossh = { }; users.autossh = { home = "/home/autossh"; createHome = true; group = "autossh"; isSystemUser = true; }; }; # Options explanations # -N disable shell # -R 0.0.0.0:2222:127.0.0.1:22 redirect SSH port on VPS server on port 2222 # -R 127.0.0.1:2525:127.0.0.1:25 redirect SMTP port on VPS port 2525 services.autossh.sessions = [ { extraArguments = "-N -R 0.0.0.0:2222:127.0.0.1:22 loutre@vps772619.ovh.net"; monitoringPort = 20000; name = "backup-ssh-reverse"; user = "autossh"; } ]; virtualisation.podman.enable = true; security.sudo.wheelNeedsPassword = false; system.stateVersion = "18.03"; }