@davidak
Created November 9, 2015 01:26
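# NixOS module for a small LAN gateway ("cg-gw") that sends LAN traffic
# (eth1) through an OpenVPN tunnel (tun0) rather than straight out of the
# uplink (eth0).
#
# Module arguments: `config` (not read here), `pkgs` (used for openresolv);
# the `...` accepts the remaining arguments NixOS passes to every module.
{ config, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];

  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "/dev/vda";
  };

  # The host routes packets between its interfaces, so turn on IPv4 forwarding.
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
  };

  networking = {
    hostName = "cg-gw";
    domain = "lan";

    # NOTE(review): both interfaces are addressed inside 10.0.0.0/8; the
    # forwarding rules in the OpenVPN `up` script treat eth1 as the LAN side
    # and eth0 as the uplink — confirm this matches the actual cabling.
    interfaces = {
      eth0.ip4 = [ { address = "10.0.0.13"; prefixLength = 8; } ];
      eth1.ip4 = [ { address = "10.0.0.5"; prefixLength = 8; } ];
    };
    nameservers = [ "8.8.8.8" "8.8.4.4" ];
    defaultGateway = "10.0.0.1";

    # NOTE(review): with the NixOS firewall disabled the INPUT chain has no
    # restrictions, so every listening service (sshd, postfix) is reachable
    # from both interfaces; fail2ban below only narrows that after repeated
    # failed logins. The allowed-port lists have no effect while enable=false.
    firewall = {
      enable = false;
      allowPing = true;
      allowedTCPPorts = [];
      allowedUDPPorts = [];
    };

    useDHCP = false;
    enableIPv6 = false;
  };

  time.timeZone = "Europe/Berlin";

  i18n = {
    consoleFont = "lat9w-16";
    consoleKeyMap = "de";
    defaultLocale = "de_DE.UTF-8";
  };

  # System Packages
  environment.systemPackages = with pkgs; [
    vim
    htop
    wget
    unzip
    mailutils
  ];

  services.postfix.enable = true;
  services.fail2ban.enable = true;
  services.xserver.enable = false;

  services.openvpn = {
    enable = true;
    servers = {
      cyberghost = {
        # Client profile, written verbatim to the OpenVPN configuration file.
        # Credentials and certificates live under /root/.vpn and are read
        # from there at connect time.
        #
        # NOTE(review): `auth MD5` (HMAC-MD5 packet authentication) and
        # `comp-lzo` (compression inside the encrypted tunnel, which leaks
        # information about the plaintext) are weak choices. Both must agree
        # with the server, so change them only together with the provider's
        # profile (e.g. `auth SHA256` and no compression).
        config = ''
          client
          remote 8-ro.cg-dialup.net 80
          dev tun0
          proto tcp
          auth-user-pass /root/.vpn/user.txt
          resolv-retry infinite
          redirect-gateway def1
          persist-key
          persist-tun
          nobind
          cipher AES-256-CBC
          auth MD5
          ping 15
          ping-exit 90
          ping-timer-rem
          script-security 2
          remote-cert-tls server
          route-delay 5
          verb 4
          comp-lzo
          ca /root/.vpn/ca.crt
          cert /root/.vpn/client.crt
          key /root/.vpn/client.key
        '';

        # Runs each time tun0 comes up. OpenVPN re-runs this on every
        # reconnect (`ping-exit` plus `autoStart`), and the original
        # unconditional `iptables -A` stacked a fresh copy of every rule per
        # reconnect. `ensure` adds a rule only when `iptables -C` reports it
        # absent, so the rule set stays the same no matter how often the
        # tunnel restarts.
        #
        # The REJECT rule (LAN -> uplink, new connections) is deliberately not
        # undone in `down`: it keeps LAN traffic from silently falling back
        # to eth0 while the tunnel is absent.
        #
        # NOTE(review): OpenVPN does not export a `$nameserver` variable by
        # default (pushed DNS arrives as `foreign_option_N`); confirm where it
        # is set, otherwise resolvconf receives an empty `nameserver` entry.
        up = ''
          ensure() {
            table=$1; shift
            iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
          }
          ensure filter FORWARD -s 10.0.0.0/8 -i eth1 -o eth0 -m conntrack --ctstate NEW -j REJECT
          ensure filter FORWARD -s 10.0.0.0/8 -i eth1 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
          ensure nat POSTROUTING -o tun0 -j MASQUERADE
          echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev
        '';

        # Runs when tun0 goes away: drop the resolver entry registered above.
        down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";

        autoStart = true;
      };
    };
  };

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  # NOTE(review): root may log in with a password over the network. A key is
  # configured on the next line, so "without-password" would keep that
  # access and close the password path.
  services.openssh.permitRootLogin = "yes";
  users.extraUsers.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAA... davidak" ];

  # The NixOS release to be compatible with for stateful data such as databases.
  system.stateVersion = "15.09";
}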