Created
February 7, 2020 23:37
-
-
Save disassembler/238bfcff1f55c0febe6ea05b3ba7c538 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Edit this configuration file to define what should be installed on | |
| # your system. Help is available in the configuration.nix(5) man page | |
| # and in the NixOS manual (accessible by running ‘nixos-help’). | |
| { config, lib, pkgs, ... }: | |
| let | |
| secrets = import ../load-secrets.nix; | |
| shared = import ../shared.nix; | |
| externalInterface = "enp0s16u2"; | |
| internalInterfaces = [ | |
| "lan" | |
| #"enp3s0" | |
| "wg0" | |
| ]; | |
| unifiTCPPorts = [ | |
| 8080 | |
| 8443 | |
| 8880 | |
| 6789 | |
| ]; | |
| unifiUDPPorts = (lib.range 5656 5699) ++ [ | |
| 3478 | |
| 10001 | |
| 1900 | |
| ]; | |
| in { | |
| imports = | |
| [ # Include the results of the hardware scan. | |
| ./hardware.nix | |
| ]; | |
| # Use the GRUB 2 boot loader. | |
| boot.loader.grub.enable = true; | |
| boot.loader.grub.version = 2; | |
| boot.loader.grub.device = "/dev/sda"; | |
| boot.kernelParams = [ "console=ttyS0,115200n8" ]; | |
| # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. | |
| boot.supportedFilesystems = [ "zfs" ]; | |
| networking = { | |
| hostId = "4a946549"; | |
| hostName = "greenacres"; | |
| nameservers = [ "10.36.3.1" "8.8.8.8" ]; | |
| vlans = { | |
| lan = { | |
| interface = "br0"; | |
| id = 3; | |
| }; | |
| }; | |
| bridges = { | |
| br0.interfaces = [ | |
| "enp2s0" | |
| "enp3s0" # switch | |
| ]; | |
| }; | |
| interfaces = { | |
| ${externalInterface} = { | |
| useDHCP = true; | |
| }; | |
| lan = { | |
| ipv4.addresses = [{ | |
| address = "10.36.3.1"; | |
| prefixLength = 24; | |
| }]; | |
| }; | |
| #enp3s0 = { | |
| # ipv4.addresses = [{ | |
| # address = "10.36.4.1"; | |
| # prefixLength = 24; | |
| # }]; | |
| #}; | |
| }; | |
| nat = { | |
| enable = true; | |
| externalInterface = "${externalInterface}"; | |
| internalIPs = [ "10.36.3.0/24" "10.36.9.0/24" ]; | |
| internalInterfaces = [ "lan" ]; | |
| }; | |
| dhcpcd.persistent = true; | |
| firewall = { | |
| enable = true; | |
| allowPing = true; | |
| extraCommands = let | |
| dropPortNoLog = port: | |
| '' | |
| ip46tables -A nixos-fw -p tcp \ | |
| --dport ${toString port} -j nixos-fw-refuse | |
| ip46tables -A nixos-fw -p udp \ | |
| --dport ${toString port} -j nixos-fw-refuse | |
| ''; | |
| dropPortIcmpLog = | |
| '' | |
| iptables -A nixos-fw -p icmp \ | |
| -j LOG --log-prefix "iptables[icmp]: " | |
| ip6tables -A nixos-fw -p ipv6-icmp \ | |
| -j LOG --log-prefix "iptables[icmp-v6]: " | |
| ''; | |
| refusePortOnInterface = port: interface: | |
| '' | |
| ip46tables -A nixos-fw -i ${interface} -p tcp \ | |
| --dport ${toString port} -j nixos-fw-log-refuse | |
| ip46tables -A nixos-fw -i ${interface} -p udp \ | |
| --dport ${toString port} -j nixos-fw-log-refuse | |
| ''; | |
| acceptPortOnInterface = port: interface: | |
| '' | |
| ip46tables -A nixos-fw -i ${interface} -p tcp \ | |
| --dport ${toString port} -j nixos-fw-accept | |
| ip46tables -A nixos-fw -i ${interface} -p udp \ | |
| --dport ${toString port} -j nixos-fw-accept | |
| ''; | |
| # IPv6 flat forwarding. For ipv4, see nat.forwardPorts | |
| forwardPortToHost = port: interface: proto: host: | |
| '' | |
| ip6tables -A FORWARD -i ${interface} \ | |
| -p ${proto} -d ${host} \ | |
| --dport ${toString port} -j ACCEPT | |
| ''; | |
| privatelyAcceptPort = port: | |
| lib.concatMapStrings | |
| (interface: acceptPortOnInterface port interface) | |
| internalInterfaces; | |
| publiclyRejectPort = port: | |
| refusePortOnInterface port externalInterface; | |
| allowPortOnlyPrivately = port: | |
| '' | |
| ${privatelyAcceptPort port} | |
| ${publiclyRejectPort port} | |
| ''; | |
| in lib.concatStrings [ | |
| (lib.concatMapStrings allowPortOnlyPrivately | |
| ([ | |
| 67 # DHCP | |
| 53 # DNS | |
| 80 # nginx | |
| 9100 # prometheus | |
| ] ++ unifiTCPPorts ++ unifiUDPPorts )) | |
| (lib.concatMapStrings dropPortNoLog | |
| [ | |
| 23 # Common from public internet | |
| 143 # Common from public internet | |
| 139 # From RT AP | |
| 515 # From RT AP | |
| 9100 # From RT AP | |
| ]) | |
| (dropPortIcmpLog) | |
| '' | |
| # allow from trusted interfaces | |
| ip46tables -A FORWARD -m state --state NEW -i br0 -o ${externalInterface} -j ACCEPT | |
| ip46tables -A FORWARD -m state --state NEW -i wg0 -o ${externalInterface} -j ACCEPT | |
| # allow traffic with existing state | |
| ip46tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # block forwarding from external interface | |
| ip6tables -A FORWARD -i ${externalInterface} -j DROP | |
| '' | |
| ]; | |
| allowedTCPPorts = [ 32400 ]; | |
| allowedUDPPorts = [ 51820 ]; | |
| }; | |
| wireguard.interfaces = { | |
| wg0 = { | |
| ips = [ "10.36.9.1/24" ]; | |
| listenPort = 51820; | |
| postSetup = '' | |
| ip link set mtu 1392 dev wg0 | |
| ''; | |
| privateKeyFile = "/var/lib/wg-keys/wg0.key"; | |
| peers = [ | |
| { | |
| publicKey = "RtwIQ8Ni8q+/E5tgYPFUnHrOhwAnkGOEe98h+vUYmyg="; | |
| allowedIPs = [ "10.40.33.0/24" "10.40.9.1/32" ]; | |
| endpoint = "prophet.samleathers.com:51820"; | |
| persistentKeepalive = 30; | |
| } | |
| ]; | |
| }; | |
| }; | |
| }; | |
| nixpkgs = { | |
| config = { | |
| allowUnfree = true; | |
| }; | |
| overlays = [ | |
| #(import ../overlays/plex.nix) | |
| ]; | |
| }; | |
| i18n = { | |
| consoleFont = "Lat2-Terminus16"; | |
| consoleKeyMap = "us"; | |
| defaultLocale = "en_US.UTF-8"; | |
| }; | |
| time.timeZone = "America/New_York"; | |
| # List packages installed in system profile. To search, run: | |
| # $ nix search wget | |
| environment.systemPackages = with pkgs; [ | |
| wget | |
| vim | |
| tmux | |
| screen | |
| ]; | |
| # Some programs need SUID wrappers, can be configured further or are | |
| # started in user sessions. | |
| # programs.mtr.enable = true; | |
| # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; | |
| # List services that you want to enable: | |
| # Enable the OpenSSH daemon. | |
| services = { | |
| openssh.enable = true; | |
| dnsmasq = { | |
| enable = true; | |
| extraConfig = let | |
| greenacres_cnames = [ | |
| "router" | |
| "ns" | |
| "plex" | |
| "unifi" | |
| ]; | |
| greenacres_ipv4 = "10.36.3.1"; | |
| createAddress = domain: ipv4: name: '' | |
| address=/${name}.${domain}/${ipv4} | |
| ''; | |
| in '' | |
| ${lib.concatMapStrings (createAddress "greenacres.theleathers.net" greenacres_ipv4) greenacres_cnames} | |
| ''; | |
| }; | |
| unifi = { | |
| enable = true; | |
| unifiPackage = pkgs.unifiStable; | |
| }; | |
| dhcpd4 = { | |
| interfaces = [ "lan" ]; | |
| enable = true; | |
| machines = [ | |
| { hostName = "camera"; ethernetAddress = "a4:5d:36:d6:22:d9"; ipAddress = "10.36.3.50"; } | |
| { hostName = "ideapad"; ethernetAddress = "28:39:26:94:02:cf"; ipAddress = "10.36.3.90"; } | |
| ]; | |
| extraConfig = '' | |
| # Allow UniFi devices to locate the controller from a separate VLAN | |
| option space ubnt; | |
| option ubnt.UNIFI-IP-ADDRESS code 1 = ip-address; | |
| option ubnt.UNIFI-IP-ADDRESS 10.36.3.1; | |
| class "ubnt" { | |
| match if substring (option vendor-class-identifier, 0, 4) = "ubnt"; | |
| option vendor-class-identifier "ubnt"; | |
| vendor-option-space ubnt; | |
| } | |
| subnet 10.36.3.0 netmask 255.255.255.0 { | |
| option domain-search "greenacres.theleathers.net"; | |
| option subnet-mask 255.255.255.0; | |
| option broadcast-address 10.36.3.255; | |
| option routers 10.36.3.1; | |
| option domain-name-servers 10.36.3.1; | |
| range 10.36.3.100 10.36.3.200; | |
| } | |
| subnet 10.36.4.0 netmask 255.255.255.0 { | |
| option domain-search "greenacres.theleathers.net"; | |
| option subnet-mask 255.255.255.0; | |
| option broadcast-address 10.36.4.255; | |
| option routers 10.36.4.1; | |
| option domain-name-servers 10.36.4.1; | |
| range 10.36.4.100 10.36.4.200; | |
| } | |
| ''; | |
| }; | |
| journald = { | |
| rateLimitBurst = 0; | |
| extraConfig = "SystemMaxUse=50M"; | |
| }; | |
| prometheus = { | |
| enable = true; | |
| extraFlags = [ | |
| "--storage.tsdb.retention.time 7d" | |
| ]; | |
| exporters = { | |
| blackbox = { | |
| enable = true; | |
| configFile = pkgs.writeText "blackbox-exporter.yaml" (builtins.toJSON { | |
| modules = { | |
| https_2xx = { | |
| prober = "http"; | |
| timeout = "5s"; | |
| http = { | |
| fail_if_not_ssl = true; | |
| }; | |
| }; | |
| htts_2xx = { | |
| prober = "http"; | |
| timeout = "5s"; | |
| }; | |
| ssh_banner = { | |
| prober = "tcp"; | |
| timeout = "10s"; | |
| tcp = { | |
| query_response = [ { expect = "^SSH-2.0-"; } ]; | |
| }; | |
| }; | |
| tcp_v4 = { | |
| prober = "tcp"; | |
| timeout = "5s"; | |
| tcp = { | |
| preferred_ip_protocol = "ip4"; | |
| }; | |
| }; | |
| tcp_v6 = { | |
| prober = "tcp"; | |
| timeout = "5s"; | |
| tcp = { | |
| preferred_ip_protocol = "ip6"; | |
| }; | |
| }; | |
| icmp_v4 = { | |
| prober = "icmp"; | |
| timeout = "60s"; | |
| icmp = { | |
| preferred_ip_protocol = "ip4"; | |
| }; | |
| }; | |
| icmp_v6 = { | |
| prober = "icmp"; | |
| timeout = "5s"; | |
| icmp = { | |
| preferred_ip_protocol = "ip6"; | |
| }; | |
| }; | |
| }; | |
| }); | |
| }; | |
| #surfboard = { | |
| # enable = true; | |
| #}; | |
| node = { | |
| enable = true; | |
| enabledCollectors = [ | |
| "systemd" | |
| "tcpstat" | |
| "conntrack" | |
| "diskstats" | |
| "entropy" | |
| "filefd" | |
| "filesystem" | |
| "loadavg" | |
| "meminfo" | |
| "netdev" | |
| "netstat" | |
| "stat" | |
| "time" | |
| "vmstat" | |
| "logind" | |
| "interrupts" | |
| "ksmd" | |
| ]; | |
| }; | |
| unifi = { | |
| enable = false; | |
| unifiAddress = "https://unifi.greenacres.theleathers.net"; | |
| unifiUsername = "prometheus"; | |
| unifiPassword = secrets.unifi_password_ro; | |
| openFirewall = true; | |
| }; | |
| }; | |
| scrapeConfigs = [ | |
| { | |
| job_name = "prometheus"; | |
| scrape_interval = "5s"; | |
| static_configs = [ | |
| { | |
| targets = [ | |
| "localhost:9090" | |
| ]; | |
| } | |
| ]; | |
| } | |
| { | |
| job_name = "node"; | |
| scrape_interval = "10s"; | |
| static_configs = [ | |
| { | |
| targets = [ | |
| "router.greenacres.theleathers.net:9100" | |
| ]; | |
| labels = { | |
| alias = "router.greenacres.theleathers.net"; | |
| }; | |
| } | |
| ]; | |
| } | |
| ]; | |
| }; | |
| grafana = { | |
| enable = true; | |
| addr = "0.0.0.0"; | |
| }; | |
| nginx = { | |
| enable = true; | |
| virtualHosts = { | |
| "10.36.3.1" = { | |
| enableACME = false; | |
| forceSSL = false; | |
| locations."/".extraConfig = '' | |
| proxy_pass http://localhost:3000/; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| ''; | |
| }; | |
| }; | |
| }; | |
| plex = { | |
| enable = true; | |
| }; | |
| # not working | |
| udev.extraRules = '' | |
| SUBSYSTEM=="net", ATTR{address}=="06:cf:d2:6e:be:01", NAME="verizon0" | |
| ''; | |
| }; | |
| users.users.sam = { | |
| isNormalUser = true; | |
| description = "Sam Leathers"; | |
| uid = 1000; | |
| extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. | |
| openssh.authorizedKeys.keys = shared.sam_ssh_keys; | |
| }; | |
| users.users.root = { | |
| openssh.authorizedKeys.keys = with shared; sam_ssh_keys ++ rod_ssh_keys; | |
| }; | |
| system.stateVersion = "19.09"; | |
| } |
Author
disassembler
commented
Feb 7, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment