nixos-config/systems/LoutreOS/configuration.nix

255 lines
6.6 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports = [
../common-cli.nix
./hardware-configuration.nix
./users.nix
./services.nix
];
nix.settings.trusted-users = [ "root" "paul" ];
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
supportedFilesystems = [ "zfs" ];
tmp.useTmpfs = true;
kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
# Enabling both boot.enableContainers & virtualisation.containers on system.stateVersion < 22.05 is unsupported
enableContainers = false;
};
documentation.nixos.enable = false;
services.zfs = {
autoSnapshot.enable = true;
autoScrub = {
enable = true;
interval = "monthly";
};
};
hardware.usb-modeswitch.enable = true;
# eno1 -> VLAN100 -> Internet
# eno2 -> LAN
# eno3 -> Legacy client DHCP
# eno4 -> Pas utilisé
networking = {
hostName = "loutreos"; # Define your hostname.
hostId = "7e66e347";
hosts = {
"127.0.0.1" = [ "gitea.nyanlout.re" ];
};
useNetworkd = true;
useDHCP = false;
vlans = {
bouygues = {
id = 100;
interface = "eno1";
};
};
interfaces = {
bouygues = {
# Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303
macAddress = "E8:AD:A6:21:73:68";
useDHCP = true;
};
eno2 = {
ipv4.addresses = [
{ address = "10.30.0.1"; prefixLength = 16; }
];
};
enp0s21u1.useDHCP = true;
};
# NAT bouygues <-> eno2
nat = {
enable = true;
externalInterface = "bouygues";
# Permet d'utiliser le SNAT plus rapide au lieu de MASQUERADE
# externalIP = "0.0.0.0";
internalIPs = [ "10.30.0.0/16" ];
internalInterfaces = [ "eno2" ];
forwardPorts = [
{ destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;}
{ destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];}
];
};
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ ];
interfaces.eno2 = {
allowedTCPPorts = [
111 2049 4000 4001 4002 # NFS
3483 9000 9090 # Slimserver
1935 # RTMP
];
allowedUDPPorts = [
111 2049 4000 4001 4002 # NFS
3483 # Slimserver
67 # DHCP
];
};
extraCommands = ''
ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true
ip6tables -w -F loutreos-forward 2>/dev/null || true
ip6tables -w -X loutreos-forward 2>/dev/null || true
ip6tables -w -N loutreos-forward
ip6tables -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A loutreos-forward -j ACCEPT -i eno2
ip6tables -A loutreos-forward -j nixos-fw-log-refuse
ip6tables -w -A FORWARD -j loutreos-forward
# Redirect local network request from server external IP to internal IP
# Make the server available even without internet access
iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 || true
iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1
'';
# remove refs to nixos-fw-log-refuse before restarting firewall
# prevents "ressource busy" errors
extraStopCommands = ''
ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true
'';
};
};
systemd.network.networks = {
"40-bouygues" = {
dhcpV4Config.RouteMetric = 1;
dhcpV6Config = {
DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
WithoutRA = "solicit";
};
ipv6AcceptRAConfig.DHCPv6Client = true;
networkConfig = {
KeepConfiguration = "dhcp-on-stop";
IPv6AcceptRA = true;
DHCPPrefixDelegation = true;
};
dhcpPrefixDelegationConfig.SubnetId = "0";
};
"40-eno1".linkConfig.RequiredForOnline = "no";
"40-eno2" = {
networkConfig = {
IPv6SendRA = true;
DHCPPrefixDelegation = true;
DHCPServer = true;
};
dhcpServerConfig = {
# MIN = 10.30.100.0
#PoolOffset = 25500;
# MAX = 10.30.200.0
#PoolSize = 25500;
EmitRouter = true;
EmitDNS = true;
DNS = [
"1.1.1.1"
"1.0.0.1"
];
};
dhcpServerStaticLeases = [
# IPMI
{
dhcpServerStaticLeaseConfig = {
Address = "10.30.1.1";
MACAddress = "ac:1f:6b:4b:01:15";
};
}
# paul-fixe
{
dhcpServerStaticLeaseConfig = {
Address = "10.30.50.1";
MACAddress = "b4:2e:99:ed:24:26";
};
}
# salonled
{
dhcpServerStaticLeaseConfig = {
Address = "10.30.40.1";
MACAddress = "e0:98:06:85:e9:ce";
};
}
# miroir-bleu
{
dhcpServerStaticLeaseConfig = {
Address = "10.30.40.2";
MACAddress = "e0:98:06:86:38:fc";
};
}
# miroir-orange
{
dhcpServerStaticLeaseConfig = {
Address = "10.30.40.3";
MACAddress = "50:02:91:78:be:be";
};
}
];
ipv6SendRAConfig = {
EmitDNS = true;
DNS = [
"2606:4700:4700::1111"
"2606:4700:4700::1001"
];
};
};
"40-enp0s21u1".dhcpV4Config.RouteMetric = 1024;
};
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
X11Forwarding = true;
};
};
users = {
groups.autossh = { };
users.autossh = {
home = "/home/autossh";
createHome = true;
group = "autossh";
isSystemUser = true;
};
};
# Options explanations
# -N disable shell
# -R 0.0.0.0:2222:127.0.0.1:22 redirect SSH port on VPS server on port 2222
# -R 127.0.0.1:2525:127.0.0.1:25 redirect SMTP port on VPS port 2525
services.autossh.sessions = [
{
extraArguments = "-N -R 0.0.0.0:2222:127.0.0.1:22 loutre@vps772619.ovh.net";
monitoringPort = 20000;
name = "backup-ssh-reverse";
user = "autossh";
}
];
virtualisation.podman.enable = true;
security.sudo.wheelNeedsPassword = false;
system.stateVersion = "18.03";
}