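# Liminix configuration for "lenscap": a small router that sits between the
# switch (WAN side) and an IP camera (LAN side).  The upstream address comes
# from DHCP; the camera gets a fixed lease from dnsmasq and its RTSP port is
# DNATed from the WAN side.
{ config, pkgs, lib, modulesPath, ... }:
let
  inherit (pkgs.liminix.services) oneshot longrun bundle target;
  inherit (pkgs.pseudofile) dir symlink;
  inherit (pkgs) writeText dropbear ifwait serviceFns;
  # root's authorized_keys list lives outside this file.
  sshkeys = import ../users/dan/authorized-keys.nix;
  svc = config.system.service;
in rec {
  boot = {
    # Addresses used when booting/flashing the device over TFTP.
    tftp = {
      freeSpaceBytes = 3 * 1024 * 1024;
      serverip = "10.0.0.1";
      ipaddr = "10.0.0.8";
    };
  };

  imports = [
    "${modulesPath}/network"
    "${modulesPath}/vlan"
    "${modulesPath}/ssh"
    "${modulesPath}/firewall"
    "${modulesPath}/ntp"
    "${modulesPath}/watchdog"
    "${modulesPath}/dnsmasq"
  ];

  hostname = "lenscap"; # because what else do you call the thing covering the camera?

  # The WAN interface is plugged into the switch, the LAN interface is
  # plugged into the camera.

  # Upstream IPv4 address via DHCP on the WAN interface.
  services.dhcpc =
    let iface = config.hardware.networkInterfaces.wan;
    in svc.network.dhcp.client.build {
      interface = iface;
      dependencies = [ config.services.hostname ];
    };

  # Default route taken from the DHCP lease's "router" output.
  services.defaultroute4 = svc.network.route.build {
    via = "$(output ${services.dhcpc} router)";
    target = "default";
    dependencies = [ services.dhcpc ];
  };

  # NOTE(review): built with defaults, i.e. not bound to a particular
  # interface, and the firewall below defines nat chains only (no input
  # filter chain).  That presumably leaves root ssh reachable from the WAN
  # side.  Confirm that is intended; otherwise bind it to services.int's
  # address or add an input filter chain.
  services.sshd = svc.ssh.build { };

  # Static address on the camera-facing interface.
  services.int = svc.network.address.build {
    interface = config.hardware.networkInterfaces.lan;
    address = "10.2.3.1";
    prefixLength = 24;
    family = "inet";
  };

  # DHCP/DNS for the camera subnet, with a fixed lease for the camera so the
  # DNAT target below stays valid.
  services.dnsmasq = svc.dnsmasq.build {
    interface = services.int;
    ranges = [ "10.2.3.2,10.2.3.250" ];
    hosts.camera = {
      # Placeholder value: "gg" and "hh" are not hex digits, so dnsmasq will
      # most likely reject this host entry as written.  Fill in the camera's
      # real MAC before deploying.
      mac = "00:14:06:ff:gg:hh";
      v4 = "10.2.3.79";
      leasetime = 86400;
    };
    domain = "cam";
  };

  # Reboot if sshd or the DHCP client stops running.
  services.watchdog = svc.watchdog.build {
    watched = with config.services; [ sshd dhcpc ];
  };

  # Write resolv.conf from the DHCP lease's "dns" output.  The file is
  # truncated once before the loop and then appended to, so every server in
  # the lease is kept; a ">" inside the loop would keep only the last one.
  services.resolvconf = oneshot rec {
    dependencies = [ services.dhcpc ];
    name = "resolvconf";
    up = ''
      . ${serviceFns}
      ( in_outputs ${name}
        : > resolv.conf
        for i in $(output ${services.dhcpc} dns); do
          echo "nameserver $i" >> resolv.conf
        done
      )
    '';
  };

  # Enable forwarding between the two interfaces.
  services.packet_forwarding = svc.network.forward.build { };

  # NAT so that RTSP (tcp/554) arriving on the WAN side reaches the camera.
  # NOTE(review): only nat chains are defined; there is no filter chain on
  # the forward hook, so with forwarding enabled any host that can route to
  # 10.2.3.0/24 reaches the camera on every port, not just 554.  If the
  # intent is to expose RTSP only, add a type "filter" / hook "forward" chain
  # with policy drop that accepts "ct state established,related" plus the
  # DNATed flow.
  services.rtspforward = svc.firewall.build {
    rules = {
      dnat = {
        type = "nat";
        hook = "prerouting";
        family = "ip";
        priority = "-100";
        policy = "accept";
        rules = [
          # "eth0.2" is hard-coded here while the rest of the file goes
          # through config.hardware.networkInterfaces.wan; if the WAN
          # interface is ever something else this rule silently stops
          # matching and the DNAT disappears.
          "iif eth0.2 tcp dport 554 dnat to 10.2.3.79"
        ];
      };
      masq = {
        type = "nat";
        hook = "postrouting";
        family = "ip";
        priority = "-100";
        policy = "accept";
        rules = [
          # NOTE(review): nat hooks only see the first packet of a flow, and
          # the forwarded client->camera packet has dport 554, not sport 554,
          # so this rule probably never matches.  The camera's replies are
          # un-DNATed by conntrack as long as its route back is via
          # 10.2.3.1; if source rewriting towards the camera is actually
          # wanted, the match would be "oif <lan> tcp dport 554 masquerade".
          "tcp sport 554 masquerade"
        ];
      };
    };
  };

  filesystem = dir {
    etc = dir {
      "resolv.conf" = symlink "${services.resolvconf}/.outputs/resolv.conf";
    };
  };

  users.root = {
    # mkpasswd -m sha512crypt
    # The hash is redacted here; the real value must not end up in a public
    # gist.  NOTE(review): with both a password and authorized keys set,
    # password logins over ssh are presumably still allowed -- check whether
    # svc.ssh.build can disable them if key-only access is wanted.
    passwd = "$6$Iu8gv5U[....]FYnnpLVe//";
    openssh.authorizedKeys.keys = sshkeys;
  };

  # Tools installed on the device, plus a "levitate" image carrying only
  # dhcp, ssh and watchdog and mtd-utils (presumably a minimal recovery
  # environment for reflashing -- confirm).
  defaultProfile.packages = with pkgs; [
    nftables
    tcpdump
    (levitate.override {
      config = {
        services = {
          inherit (config.services) dhcpc sshd watchdog;
        };
        defaultProfile.packages = [ mtdutils ];
        users.root = config.users.root;
      };
    })
  ];
}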