forked from M-Labs/it-infra
184 lines
6.8 KiB
Nix
184 lines
6.8 KiB
Nix
{ config, pkgs, ... }:
|
|
|
|
let
|
|
netifWan = "enp0s25";
|
|
netifLan = "enp3s0";
|
|
netifWifi = "wlp1s0";
|
|
in
|
|
{
|
|
imports =
|
|
[ # Include the results of the hardware scan.
|
|
./hardware-configuration.nix
|
|
];
|
|
|
|
boot.loader.grub.enable = true;
|
|
boot.loader.grub.version = 2;
|
|
boot.loader.grub.device = "/dev/sda";
|
|
|
|
boot.blacklistedKernelModules = [ "r8169" ];
|
|
boot.extraModulePackages = [ (pkgs.callPackage ./r8169 { kernel = config.boot.kernelPackages.kernel; }) ];
|
|
|
|
networking.hostName = "aux";
|
|
|
|
networking.interfaces."${netifWan}".useDHCP = true;
|
|
services.hostapd = {
|
|
enable = true;
|
|
interface = netifWifi;
|
|
hwMode = "g";
|
|
ssid = "M-Labs";
|
|
wpaPassphrase = (import /etc/nixos/secret/wifi_password.nix);
|
|
extraConfig = ''
|
|
ieee80211d=1
|
|
country_code=HK
|
|
ieee80211n=1
|
|
wmm_enabled=1
|
|
auth_algs=1
|
|
wpa_key_mgmt=WPA-PSK
|
|
rsn_pairwise=CCMP
|
|
'';
|
|
};
|
|
networking.interfaces."${netifLan}" = {
|
|
ipv4.addresses = [{
|
|
address = "192.168.14.1";
|
|
prefixLength = 24;
|
|
}];
|
|
};
|
|
networking.interfaces."${netifWifi}" = {
|
|
ipv4.addresses = [{
|
|
address = "192.168.15.1";
|
|
prefixLength = 24;
|
|
}];
|
|
};
|
|
networking.firewall = {
|
|
allowedTCPPorts = [ 53 ];
|
|
allowedUDPPorts = [ 53 67 ];
|
|
trustedInterfaces = [ netifLan ];
|
|
};
|
|
services.bind = {
|
|
enable = true;
|
|
listenOn = [];
|
|
listenOnIpv6 = [];
|
|
forwarders = [];
|
|
extraOptions = "listen-on-v6 port 5354 { ::1; };";
|
|
cacheNetworks = [ "::1/128" ];
|
|
};
|
|
services.dnsmasq = {
|
|
enable = true;
|
|
servers = ["::1#5354"];
|
|
extraConfig = ''
|
|
interface=${netifWifi}
|
|
interface=${netifLan}
|
|
bind-interfaces
|
|
dhcp-range=interface:${netifLan},192.168.14.81,192.168.14.254,24h
|
|
dhcp-range=interface:${netifWifi},192.168.15.10,192.168.15.254,24h
|
|
|
|
no-resolv
|
|
|
|
# Google can't do DNS geolocation correctly and slows down websites of everyone using
|
|
# their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
|
|
# cannot reach.
|
|
address=/fonts.googleapis.com/142.250.207.74
|
|
'';
|
|
};
|
|
networking.nat = {
|
|
enable = true;
|
|
externalInterface = netifWan;
|
|
internalInterfaces = [ netifLan netifWifi ];
|
|
extraCommands = ''
|
|
iptables -w -N block-lan-from-wifi
|
|
iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
|
|
iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
|
|
iptables -w -A FORWARD -j block-lan-from-wifi
|
|
|
|
iptables -w -N block-insecure-devices
|
|
iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP # keysight SA
|
|
iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP # siglent scope
|
|
iptables -w -A FORWARD -j block-insecure-devices
|
|
'';
|
|
extraStopCommands = ''
|
|
iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
|
|
iptables -w -F block-lan-from-wifi 2>/dev/null|| true
|
|
iptables -w -X block-lan-from-wifi 2>/dev/null|| true
|
|
|
|
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
|
|
iptables -w -F block-insecure-devices 2>/dev/null|| true
|
|
iptables -w -X block-insecure-devices 2>/dev/null|| true
|
|
'';
|
|
};
|
|
|
|
time.timeZone = "Asia/Hong_Kong";
|
|
|
|
nixpkgs.config.allowUnfree = true;
|
|
services.avahi.enable = true;
|
|
services.avahi.publish.enable = true;
|
|
services.avahi.publish.userServices = true;
|
|
services.printing.enable = true;
|
|
services.printing.drivers = [ pkgs.hplipWithPlugin ];
|
|
services.printing.browsing = true;
|
|
services.printing.listenAddresses = [ "*:631" ];
|
|
services.printing.defaultShared = true;
|
|
hardware.sane.enable = true;
|
|
hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
|
|
systemd.sockets.cups.wants = [ "network-setup.service" ];
|
|
systemd.sockets.cups.after = [ "network-setup.service" ];
|
|
systemd.sockets.cups.wantedBy = [ "multi-user.target" ];
|
|
systemd.services.cups.wantedBy = [ "multi-user.target" ];
|
|
|
|
users.extraUsers.root = {
|
|
openssh.authorizedKeys.keys = [
|
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
|
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
|
|
];
|
|
shell = pkgs.fish;
|
|
};
|
|
# https://github.com/NixOS/nixpkgs/issues/155357
|
|
security.sudo.enable = true;
|
|
users.users.sb = {
|
|
isNormalUser = true;
|
|
openssh.authorizedKeys.keys = [
|
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
|
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
|
|
];
|
|
shell = pkgs.fish;
|
|
};
|
|
users.users.backupdl = {
|
|
isNormalUser = true;
|
|
shell = pkgs.fish;
|
|
};
|
|
|
|
systemd.services.ssh-reverse-proxy = {
|
|
description = "SSH Reverse Proxy";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
serviceConfig = {
|
|
Restart = "always";
|
|
RestartSec = "1min";
|
|
User = "backupdl";
|
|
Group = "users";
|
|
ExecStart = "${pkgs.openssh}/bin/ssh -R 42.200.147.171:3940:localhost:22 -o ServerAliveInterval=60 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes -N -T nixbld.m-labs.hk";
|
|
};
|
|
};
|
|
|
|
documentation.enable = false;
|
|
environment.systemPackages = with pkgs; [
|
|
wget vim git usbutils pciutils file lm_sensors acpi
|
|
psmisc
|
|
iw
|
|
tmux
|
|
bind
|
|
];
|
|
|
|
programs.mosh.enable = true;
|
|
programs.fish.enable = true;
|
|
|
|
services.openssh.enable = true;
|
|
services.openssh.forwardX11 = true;
|
|
services.openssh.passwordAuthentication = false;
|
|
services.openssh.extraConfig =
|
|
''
|
|
StreamLocalBindUnlink yes
|
|
'';
|
|
|
|
system.stateVersion = "22.05";
|
|
}
|