{ config, pkgs, ... }: let netifWan = "enp0s25"; netifLan = "enp3s0"; netifWifi = "wlp1s0"; netifSit = "henet0"; in { imports = [ ./hardware-configuration.nix ./backupdl-module.nix ]; boot.loader.grub.enable = true; boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/sda"; boot.blacklistedKernelModules = [ "r8169" ]; boot.extraModulePackages = [ (pkgs.callPackage ./r8169 { kernel = config.boot.kernelPackages.kernel; }) ]; networking.hostName = "aux"; networking.interfaces."${netifWan}".useDHCP = true; services.hostapd = { enable = true; interface = netifWifi; hwMode = "g"; ssid = "M-Labs"; wpaPassphrase = (import /etc/nixos/secret/wifi_password.nix); extraConfig = '' ieee80211d=1 country_code=HK ieee80211n=1 wmm_enabled=1 auth_algs=1 wpa_key_mgmt=WPA-PSK rsn_pairwise=CCMP ''; }; networking.interfaces."${netifLan}" = { ipv4.addresses = [{ address = "192.168.1.1"; prefixLength = 24; }]; ipv6.addresses = [{ address = "2001:470:f891:1::"; prefixLength = 64; }]; }; networking.interfaces."${netifWifi}" = { ipv4.addresses = [{ address = "192.168.15.1"; prefixLength = 24; }]; ipv6.addresses = [{ address = "2001:470:f891:2::"; prefixLength = 64; }]; }; networking.sits."${netifSit}" = { dev = netifWan; remote = "216.218.221.6"; local = "94.190.212.123"; ttl = 255; }; networking.interfaces."${netifSit}".ipv6 = { addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }]; routes = [{ address = "::"; prefixLength = 0; }]; }; boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1"; boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = "1"; boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0"; boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0"; networking.firewall = { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 67 ]; trustedInterfaces = [ netifLan ]; }; services.bind = { enable = true; listenOn = []; listenOnIpv6 = []; forwarders = []; extraOptions = "listen-on-v6 port 5354 { ::1; };"; extraConfig = '' zone "mil." IN { type forward; forward only; forwarders { 74.82.42.42; }; }; ''; cacheNetworks = [ "::1/128" ]; }; services.dnsmasq = { enable = true; servers = ["::1#5354"]; extraConfig = '' interface=${netifWifi} interface=${netifLan} bind-interfaces dhcp-range=interface:${netifLan},192.168.1.81,192.168.1.254,24h dhcp-range=interface:${netifWifi},192.168.15.10,192.168.15.254,24h enable-ra dhcp-range=interface:${netifLan},::,constructor:${netifLan},ra-names dhcp-range=interface:${netifWifi},::,constructor:${netifWifi},ra-only no-resolv # Static IPv4s to make port redirections work dhcp-host=chiron,192.168.1.201 dhcp-host=old-nixbld,192.168.1.202 # Google can't do DNS geolocation correctly and slows down websites of everyone using # their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you # cannot reach. address=/fonts.googleapis.com/142.250.207.74 ''; }; networking.nat = { enable = true; externalInterface = netifWan; internalInterfaces = [ netifLan netifWifi ]; forwardPorts = [ { sourcePort = 2201; destination = "192.168.1.201:22"; proto = "tcp"; } { sourcePort = 2202; destination = "192.168.1.202:22"; proto = "tcp"; } ]; extraCommands = '' iptables -w -N block-lan-from-wifi iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP iptables -w -A FORWARD -j block-lan-from-wifi iptables -w -N block-insecure-devices iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP # keysight SA iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP # siglent scope iptables -w -A block-insecure-devices -m mac --mac-source 00:0a:35:00:01:23 -j DROP # function generator iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:21:f1:ee -j DROP # siglent scope #2 iptables -w -A block-insecure-devices -m mac --mac-source 00:19:af:5b:dd:58 -j DROP # power supply iptables -w -A FORWARD -j block-insecure-devices ''; extraStopCommands = '' iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true iptables -w -F block-lan-from-wifi 2>/dev/null|| true iptables -w -X block-lan-from-wifi 2>/dev/null|| true iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true iptables -w -F block-insecure-devices 2>/dev/null|| true iptables -w -X block-insecure-devices 2>/dev/null|| true ''; }; time.timeZone = "Asia/Hong_Kong"; nixpkgs.config.allowUnfree = true; services.avahi.enable = true; services.avahi.publish.enable = true; services.avahi.publish.userServices = true; services.printing.enable = true; services.printing.drivers = [ pkgs.hplipWithPlugin ]; services.printing.browsing = true; services.printing.listenAddresses = [ "*:631" ]; services.printing.defaultShared = true; hardware.sane.enable = true; hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ]; systemd.sockets.cups.wants = [ "network-setup.service" ]; systemd.sockets.cups.after = [ "network-setup.service" ]; systemd.sockets.cups.wantedBy = [ "multi-user.target" ]; systemd.services.cups.wantedBy = [ "multi-user.target" ]; users.extraGroups.plugdev = { }; users.extraUsers.root = { openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1" ]; shell = pkgs.fish; }; # https://github.com/NixOS/nixpkgs/issues/155357 security.sudo.enable = true; users.users.sb = { isNormalUser = true; extraGroups = ["lp" "scanner" "plugdev"]; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1" ]; shell = pkgs.fish; }; documentation.enable = false; environment.systemPackages = with pkgs; [ wget vim git usbutils pciutils file lm_sensors acpi psmisc iw tmux bind nixopsUnstable imagemagick ]; programs.mosh.enable = true; programs.fish.enable = true; services.openssh.enable = true; services.openssh.forwardX11 = true; services.openssh.passwordAuthentication = false; services.openssh.extraConfig = '' StreamLocalBindUnlink yes ''; services.backupdl.enable = true; services.udev.extraRules = '' # label printer SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="plugdev" ''; nix.settings.trusted-public-keys = ["nixbld.m-labs.hk-1:5aSRVA5b320xbNvu30tqxVPXpld73bhtOeH6uAjRyHc="]; nix.settings.substituters = ["https://nixbld.m-labs.hk" "https://cache.nixos.org"]; nix.settings.trusted-users = ["sb"]; system.stateVersion = "22.05"; }