
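# NixOS configuration for host "aux": a small office gateway with a WAN uplink,
# a wired LAN and a hostapd Wi-Fi segment. It provides DHCP/DNS (dnsmasq in
# front of a loopback-only recursive bind), NAT with extra FORWARD filtering,
# a shared CUPS/SANE printer, and an SSH reverse tunnel to a remote host.
{ config, pkgs, ... }:
let
  # Interface roles; every rule below refers to these names rather than to
  # the kernel device names directly.
  netifWan = "enp0s25";
  netifLan = "enp3s0";
  netifWifi = "wlp1s0";

  # Administrator SSH public keys, shared by root and the admin account so the
  # two lists cannot drift apart.
  adminSshKeys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
  ];
in
{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/sda";

  # The in-tree r8169 driver is blacklisted and replaced by the out-of-tree
  # package in ./r8169, built against the currently selected kernel.
  boot.blacklistedKernelModules = [ "r8169" ];
  boot.extraModulePackages = [ (pkgs.callPackage ./r8169 { kernel = config.boot.kernelPackages.kernel; }) ];

  networking.hostName = "aux";
  networking.interfaces."${netifWan}".useDHCP = true;

  services.hostapd = {
    enable = true;
    interface = netifWifi;
    hwMode = "g";
    ssid = "M-Labs";
    # The passphrase is imported at evaluation time from a file kept outside the
    # repository. NOTE(review): it still ends up in the generated hostapd
    # configuration in the world-readable Nix store, so treat it as a
    # low-sensitivity secret (or move to a runtime-loaded secret if the module
    # in use supports one).
    wpaPassphrase = (import /etc/nixos/secret/wifi_password.nix);
    extraConfig = ''
      ieee80211d=1
      country_code=HK
      ieee80211n=1
      wmm_enabled=1
      auth_algs=1
      wpa_key_mgmt=WPA-PSK
      rsn_pairwise=CCMP
    '';
  };

  # Static addressing for the two internal segments; the WAN side uses DHCP.
  networking.interfaces."${netifLan}" = {
    ipv4.addresses = [{
      address = "192.168.14.1";
      prefixLength = 24;
    }];
  };
  networking.interfaces."${netifWifi}" = {
    ipv4.addresses = [{
      address = "192.168.15.1";
      prefixLength = 24;
    }];
  };

  networking.firewall = {
    # Everything arriving on the wired LAN is accepted unfiltered.
    trustedInterfaces = [ netifLan ];
    # Wi-Fi clients only need DNS (53) and DHCP (67) from this host. The ports
    # are opened per interface rather than globally so they stay closed on the
    # WAN uplink; nothing listens there anyway (dnsmasq uses bind-interfaces,
    # bind is loopback-only), but the firewall should not rely on that.
    interfaces."${netifWifi}" = {
      allowedTCPPorts = [ 53 ];
      allowedUDPPorts = [ 53 67 ];
    };
  };

  # Local recursive resolver, reachable only on ::1 port 5354; dnsmasq forwards
  # to it. Empty listenOn/listenOnIpv6 plus the explicit listen-on-v6 line
  # keep it off every external address.
  services.bind = {
    enable = true;
    listenOn = [];
    listenOnIpv6 = [];
    forwarders = [];
    extraOptions = "listen-on-v6 port 5354 { ::1; };";
    cacheNetworks = [ "::1/128" ];
  };

  # DHCP and DNS for both internal segments. Bound explicitly to the LAN and
  # Wi-Fi interfaces so it never answers on the WAN side.
  services.dnsmasq = {
    enable = true;
    servers = ["::1#5354"];
    extraConfig = ''
      interface=${netifWifi}
      interface=${netifLan}
      bind-interfaces
      dhcp-range=interface:${netifLan},192.168.14.81,192.168.14.254,24h
      dhcp-range=interface:${netifWifi},192.168.15.10,192.168.15.254,24h
      no-resolv
      # Google can't do DNS geolocation correctly and slows down websites of everyone using
      # their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
      # cannot reach.
      address=/fonts.googleapis.com/142.250.207.74
    '';
  };

  networking.nat = {
    enable = true;
    externalInterface = netifWan;
    internalInterfaces = [ netifLan netifWifi ];
    # Additional FORWARD filtering layered on the NAT setup. Both chains are
    # appended to FORWARD with -A, so they run after whatever rules are already
    # there. block-lan-from-wifi isolates the two internal segments from each
    # other; block-insecure-devices keeps two specific instruments off the
    # network. NOTE: matching on source MAC is a convenience, not a security
    # boundary - a MAC address is trivially changed by the device owner.
    extraCommands = ''
      iptables -w -N block-lan-from-wifi
      iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
      iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
      iptables -w -A FORWARD -j block-lan-from-wifi
      iptables -w -N block-insecure-devices
      iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP # keysight SA
      iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP # siglent scope
      iptables -w -A FORWARD -j block-insecure-devices
    '';
    # Tear-down mirrors the setup: unhook from FORWARD, flush, then delete
    # each chain. Errors are ignored so a partially applied state can still be
    # cleaned up.
    extraStopCommands = ''
      iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
      iptables -w -F block-lan-from-wifi 2>/dev/null|| true
      iptables -w -X block-lan-from-wifi 2>/dev/null|| true
      iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
      iptables -w -F block-insecure-devices 2>/dev/null|| true
      iptables -w -X block-insecure-devices 2>/dev/null|| true
    '';
  };

  time.timeZone = "Asia/Hong_Kong";
  nixpkgs.config.allowUnfree = true;

  # mDNS advertisement of the shared printer. NOTE(review): avahi is not
  # restricted to the internal interfaces here; confirm whether it should be
  # limited with services.avahi.allowInterfaces.
  services.avahi.enable = true;
  services.avahi.publish.enable = true;
  services.avahi.publish.userServices = true;

  # CUPS listens on every address, but port 631 is not opened in the firewall,
  # so only the trusted wired LAN can actually reach it.
  services.printing.enable = true;
  services.printing.drivers = [ pkgs.hplipWithPlugin ];
  services.printing.browsing = true;
  services.printing.listenAddresses = [ "*:631" ];
  services.printing.defaultShared = true;
  hardware.sane.enable = true;
  hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];

  # Make the CUPS socket wait for the static interface addresses so the
  # non-loopback listeners can bind.
  systemd.sockets.cups.wants = [ "network-setup.service" ];
  systemd.sockets.cups.after = [ "network-setup.service" ];
  systemd.sockets.cups.wantedBy = [ "multi-user.target" ];
  systemd.services.cups.wantedBy = [ "multi-user.target" ];

  # Root is key-only over SSH (passwordAuthentication is off below).
  users.users.root = {
    openssh.authorizedKeys.keys = adminSshKeys;
    shell = pkgs.fish;
  };
  # https://github.com/NixOS/nixpkgs/issues/155357
  security.sudo.enable = true;
  users.users.sb = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = adminSshKeys;
    shell = pkgs.fish;
  };
  # Unprivileged account that owns the reverse tunnel below; it has no
  # authorized keys and is only used as the service user.
  users.users.backupdl = {
    isNormalUser = true;
    shell = pkgs.fish;
  };

  # Publishes this host's sshd on the remote host as port 3940 (the remote
  # sshd must permit the non-loopback bind via GatewayPorts). Runs as the
  # unprivileged backupdl user; the remote host key must already be present
  # in that user's known_hosts, since a non-interactive ssh cannot accept a
  # new key. ExitOnForwardFailure plus Restart=always makes a failed bind
  # retry instead of leaving a silent, tunnel-less process.
  systemd.services.ssh-reverse-proxy = {
    description = "SSH Reverse Proxy";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      Restart = "always";
      RestartSec = "1min";
      User = "backupdl";
      Group = "users";
      ExecStart = "${pkgs.openssh}/bin/ssh -R 42.200.147.171:3940:localhost:22 -o ServerAliveInterval=60 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes -N -T nixbld.m-labs.hk";
    };
  };

  documentation.enable = false;
  environment.systemPackages = with pkgs; [
    wget vim git usbutils pciutils file lm_sensors acpi
    psmisc
    iw
    tmux
    bind
  ];

  programs.mosh.enable = true;
  programs.fish.enable = true;

  # sshd: key-only authentication. X11 forwarding is enabled for interactive
  # sessions; it is not needed by the reverse tunnel and could be turned off
  # if nobody relies on it. StreamLocalBindUnlink lets a re-forwarded unix
  # socket (e.g. an agent socket) replace a stale one.
  services.openssh.enable = true;
  services.openssh.forwardX11 = true;
  services.openssh.passwordAuthentication = false;
  services.openssh.extraConfig =
    ''
      StreamLocalBindUnlink yes
    '';

  system.stateVersion = "22.05";
}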