From e15b25055b7064924371c2c64b19924be8538793 Mon Sep 17 00:00:00 2001 From: Sebastien Bourdeauducq Date: Sat, 17 Sep 2022 19:22:48 +0800 Subject: [PATCH] add aux router configuration --- aux-etc-nixos/configuration.nix | 151 ++++++++++++++++++++++++++++++++ 1 file changed, 151 insertions(+) create mode 100644 aux-etc-nixos/configuration.nix diff --git a/aux-etc-nixos/configuration.nix b/aux-etc-nixos/configuration.nix new file mode 100644 index 0000000..30a96a4 --- /dev/null +++ b/aux-etc-nixos/configuration.nix @@ -0,0 +1,151 @@ +{ config, pkgs, ... }: + +let + netifWan = "enp0s26f7u3"; + netifLan = "enp0s25"; + netifWifi = "wlp1s0"; +in +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; + + networking.hostName = "aux"; + + networking.interfaces."${netifWan}".useDHCP = true; + services.hostapd = { + enable = true; + interface = netifWifi; + hwMode = "g"; + ssid = "M-Labs"; + wpaPassphrase = (import /etc/nixos/secret/wifi_password.nix); + extraConfig = '' + ieee80211d=1 + country_code=HK + ieee80211n=1 + wmm_enabled=1 + auth_algs=1 + wpa_key_mgmt=WPA-PSK + rsn_pairwise=CCMP + ''; + }; + networking.interfaces."${netifLan}" = { + ipv4.addresses = [{ + address = "192.168.14.1"; + prefixLength = 24; + }]; + }; + networking.interfaces."${netifWifi}" = { + ipv4.addresses = [{ + address = "192.168.15.1"; + prefixLength = 24; + }]; + }; + networking.firewall = { + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 67 ]; + trustedInterfaces = [ netifLan ]; + }; + services.bind = { + enable = true; + listenOn = []; + listenOnIpv6 = []; + forwarders = []; + extraOptions = "listen-on-v6 port 5354 { ::1; };"; + cacheNetworks = [ "::1/128" ]; + }; + services.dnsmasq = { + enable = true; + servers = ["::1#5354"]; + extraConfig = '' + interface=${netifWifi} + interface=${netifLan} + bind-interfaces + dhcp-range=interface:${netifLan},192.168.14.81,192.168.14.254,24h + dhcp-range=interface:${netifWifi},192.168.15.10,192.168.15.254,24h + + no-resolv + + # Google can't do DNS geolocation correctly and slows down websites of everyone using + # their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you + # cannot reach. + address=/fonts.googleapis.com/142.250.207.74 + ''; + }; + networking.nat = { + enable = true; + externalInterface = netifWan; + internalInterfaces = [ netifLan netifWifi ]; + extraCommands = '' + iptables -w -N block-lan-from-wifi + iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP + iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP + iptables -w -A FORWARD -j block-lan-from-wifi + ''; + extraStopCommands = '' + iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true + iptables -w -F block-lan-from-wifi 2>/dev/null|| true + iptables -w -X block-lan-from-wifi 2>/dev/null|| true + ''; + }; + + time.timeZone = "Asia/Hong_Kong"; + + nixpkgs.config.allowUnfree = true; + services.printing.enable = true; + services.printing.drivers = [ pkgs.hplipWithPlugin ]; + services.printing.browsing = true; + services.printing.listenAddresses = [ "*:631" ]; + services.printing.defaultShared = true; + hardware.sane.enable = true; + hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ]; + + users.extraUsers.root = { + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1" + ]; + shell = pkgs.fish; + }; + # https://github.com/NixOS/nixpkgs/issues/155357 + security.sudo.enable = true; + users.users.sb = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1" + ]; + shell = pkgs.fish; + }; + users.users.backupdl = { + isNormalUser = true; + shell = pkgs.fish; + }; + + documentation.enable = false; + environment.systemPackages = with pkgs; [ + wget vim git usbutils pciutils file lm_sensors acpi + psmisc + iw + tmux + bind + ]; + + programs.mosh.enable = true; + programs.fish.enable = true; + + services.openssh.enable = true; + services.openssh.forwardX11 = true; + services.openssh.passwordAuthentication = false; + services.openssh.extraConfig = + '' + StreamLocalBindUnlink yes + ''; + + system.stateVersion = "22.05"; +}