add aux router configuration
This commit is contained in:
parent
382c8bfaab
commit
e15b25055b
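--- a/aux-etc-nixos/configuration.nix
+++ b/aux-etc-nixos/configuration.nix
@@ -0,0 +1,151 @@
+{ config, pkgs, ... }:
+
+let
+netifWan = "enp0s26f7u3";
+netifLan = "enp0s25";
+netifWifi = "wlp1s0";
+in
+{
+imports =
+[ # Include the results of the hardware scan.
+./hardware-configuration.nix
+];
+
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.device = "/dev/sda";
+
+networking.hostName = "aux";
+
+networking.interfaces."${netifWan}".useDHCP = true;
+services.hostapd = {
+enable = true;
+interface = netifWifi;
+hwMode = "g";
+ssid = "M-Labs";
+wpaPassphrase = (import /etc/nixos/secret/wifi_password.nix);
+extraConfig = ''
+ieee80211d=1
+country_code=HK
+ieee80211n=1
+wmm_enabled=1
+auth_algs=1
+wpa_key_mgmt=WPA-PSK
+rsn_pairwise=CCMP
+'';
+};
+networking.interfaces."${netifLan}" = {
+ipv4.addresses = [{
+address = "192.168.14.1";
+prefixLength = 24;
+}];
+};
+networking.interfaces."${netifWifi}" = {
+ipv4.addresses = [{
+address = "192.168.15.1";
+prefixLength = 24;
+}];
+};
+networking.firewall = {
+allowedTCPPorts = [ 53 ];
+allowedUDPPorts = [ 53 67 ];
+trustedInterfaces = [ netifLan ];
+};
+services.bind = {
+enable = true;
+listenOn = [];
+listenOnIpv6 = [];
+forwarders = [];
+extraOptions = "listen-on-v6 port 5354 { ::1; };";
+cacheNetworks = [ "::1/128" ];
+};
+services.dnsmasq = {
+enable = true;
+servers = ["::1#5354"];
+extraConfig = ''
+interface=${netifWifi}
+interface=${netifLan}
+bind-interfaces
+dhcp-range=interface:${netifLan},192.168.14.81,192.168.14.254,24h
+dhcp-range=interface:${netifWifi},192.168.15.10,192.168.15.254,24h
+
+no-resolv
+
+# Google can't do DNS geolocation correctly and slows down websites of everyone using
+# their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
+# cannot reach.
+address=/fonts.googleapis.com/142.250.207.74
+'';
+};
+networking.nat = {
+enable = true;
+externalInterface = netifWan;
+internalInterfaces = [ netifLan netifWifi ];
+extraCommands = ''
+iptables -w -N block-lan-from-wifi
+iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
+iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
+iptables -w -A FORWARD -j block-lan-from-wifi
+'';
+extraStopCommands = ''
+iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
+iptables -w -F block-lan-from-wifi 2>/dev/null|| true
+iptables -w -X block-lan-from-wifi 2>/dev/null|| true
+'';
+};
+
+time.timeZone = "Asia/Hong_Kong";
+
+nixpkgs.config.allowUnfree = true;
+services.printing.enable = true;
+services.printing.drivers = [ pkgs.hplipWithPlugin ];
+services.printing.browsing = true;
+services.printing.listenAddresses = [ "*:631" ];
+services.printing.defaultShared = true;
+hardware.sane.enable = true;
+hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
+
+users.extraUsers.root = {
+openssh.authorizedKeys.keys = [
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+];
+shell = pkgs.fish;
+};
+# https://github.com/NixOS/nixpkgs/issues/155357
+security.sudo.enable = true;
+users.users.sb = {
+isNormalUser = true;
+openssh.authorizedKeys.keys = [
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+];
+shell = pkgs.fish;
+};
+users.users.backupdl = {
+isNormalUser = true;
+shell = pkgs.fish;
+};
+
+documentation.enable = false;
+environment.systemPackages = with pkgs; [
+wget vim git usbutils pciutils file lm_sensors acpi
+psmisc
+iw
+tmux
+bind
+];
+
+programs.mosh.enable = true;
+programs.fish.enable = true;
+
+services.openssh.enable = true;
+services.openssh.forwardX11 = true;
+services.openssh.passwordAuthentication = false;
+services.openssh.extraConfig =
+''
+StreamLocalBindUnlink yes
+'';
+
+system.stateVersion = "22.05";
+}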
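Review bot: `wpaPassphrase = (import /etc/nixos/secret/wifi_password.nix)` keeps the PSK out of the repository but not off the host, because the hostapd module renders `wpaPassphrase` into a world-readable file in the Nix store (the option's own description warns about this); hostapd's `wpa_psk_file=` directive in `extraConfig`, pointing at a root-only file outside the store (e.g. `wpa_psk_file=<PSK_FILE_OUTSIDE_STORE>`), keeps the passphrase out of the store. The `networking.firewall` block opens 53/tcp and 53,67/udp on every interface including `netifWan`; dnsmasq's `interface=`/`bind-interfaces` lines keep it off the WAN today, but scoping the rules with `networking.firewall.interfaces."${netifLan}".allowedUDPPorts = [ 53 67 ];` (and the same for `netifWifi`) would keep the WAN closed regardless of how a service binds. The root account carries the same two SSH keys as `sb`, and `services.openssh.forwardX11 = true` adds surface a headless router does not seem to need; if direct root login is intentional it deserves a comment saying so, otherwise the `sb` account with `security.sudo` already covers it and X11 forwarding can be dropped.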