From efaa107cc2972ed9f01bb5019f45f3d312a785e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 25 Oct 2024 15:53:33 +0200 Subject: [PATCH] First test --- flake.nix | 2 +- hardware-configuration.nix | 1 + procolix-configuration.nix | 89 +++----------------------------------- 3 files changed, 9 insertions(+), 83 deletions(-) diff --git a/flake.nix b/flake.nix index bc01533..a444c18 100644 --- a/flake.nix +++ b/flake.nix @@ -7,7 +7,7 @@ outputs = { self, nixpkgs, snf, disko }: let - vmName = "vm02186"; + vmName = "fedi01"; in { nixosConfigurations.${vmName} = nixpkgs.lib.nixosSystem { diff --git a/hardware-configuration.nix b/hardware-configuration.nix index fe84add..a0bfa19 100644 --- a/hardware-configuration.nix +++ b/hardware-configuration.nix @@ -2,6 +2,7 @@ { imports = [ (modulesPath + "/profiles/qemu-guest.nix")]; + services.qemuGuest.enable = true; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; diff --git a/procolix-configuration.nix b/procolix-configuration.nix index 08a6b18..48c2c4c 100644 --- a/procolix-configuration.nix +++ b/procolix-configuration.nix @@ -6,14 +6,14 @@ boot.loader.efi.canTouchEfiVariables = true; networking = { - hostName = "vm02186"; + hostName = "fedi01"; domain = "procolix.com"; interfaces = { eth0 = { ipv4 = { addresses = [ { - address = "185.206.232.186"; + address = "95.215.187.101"; prefixLength = 24; } ]; @@ -21,7 +21,7 @@ ipv6 = { addresses = [ { - address = "2a00:51c0:12:1201::186"; + address = "2a00:51c0:13:1305::101"; prefixLength = 64; } ]; 
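Review bot: The added `services.qemuGuest.enable = true;` in hardware-configuration.nix carries no comment saying why the guest agent is wanted on this host. The agent opens a virtio-serial control channel from the hypervisor into the guest (the host side can, for instance, freeze filesystems or run commands through it), so enabling it amounts to trusting the hosting provider's management plane; that is usually intended on a provider-managed VM, but it should be stated rather than left implicit. Suggested line: `services.qemuGuest.enable = true; # provider-managed VM: allow the hypervisor-side agent (shutdown, fs-freeze, guest-exec)`.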
@@ -29,92 +29,17 @@ }; }; defaultGateway = { - address = "185.206.232.1"; + address = "95.215.187.1"; interface = "eth0"; }; defaultGateway6 = { - address = "2a00:51c0:12:1201::1"; + address = "2a00:51c0:13:1305::1"; interface = "eth0"; }; - nameservers = [ "95.215.185.6" "95.215.185.7" ]; - firewall.enable = false; - nftables = { - enable = true; - ruleset = '' - #!/usr/sbin/nft -f - - flush ruleset - - ########### define usefull variables here ##################### - define wan = eth0 - define ssh_allow = { - 83.161.147.127/32, # host801 ipv4 - 95.215.185.92/32, # host088 ipv4 - 95.215.185.211/32, # host089 ipv4 - 95.215.185.34/32, # nagios2 ipv4 - 95.215.185.181/32, # ansible.procolix.com - 95.215.185.235/32, # ansible-hq - } - define snmp_allow = { - 95.215.185.31/32, # cacti ipv4 - } - define nrpe_allow = { - 95.215.185.34/32, # nagios2 ipv4 - } - - ########### here starts the automated bit ##################### - table inet filter { - chain input { - type filter hook input priority 0; - policy drop; - - # established/related connections - ct state established,related accept - ct state invalid drop - - # Limit ping requests. - ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop - ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop - - # loopback interface - iifname lo accept - - # icmp - ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept - # Without the nd-* ones ipv6 will not work. 
- ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept - - # open tcp ports: sshd (22) - tcp dport {ssh} accept - - # open tcp ports: snmp (161) - ip saddr $snmp_allow udp dport {snmp} accept - - # open tcp ports: nrpe (5666) - ip saddr $nrpe_allow tcp dport {nrpe} accept - - # open tcp ports: http (80,443) - tcp dport {http,https} accept - } - chain forward { - type filter hook forward priority 0; - } - chain output { - type filter hook output priority 0; - } - } - - table ip nat { - chain postrouting { - } - chain prerouting { - } - } - ''; - }; + # nameservers = [ "95.215.185.6" "95.215.185.7" ]; + # firewall.enable = false; }; - # Set your time zone. time.timeZone = "Europe/Amsterdam";
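Review bot: Dropping the whole `networking.nftables` ruleset while only commenting out `firewall.enable = false` leaves the host's packet filtering implicit: the NixOS default firewall now applies only because `networking.firewall.enable` defaults to true, and the commented-out line invites someone to restore `false` later with no ruleset behind it, which would expose every listening service. Make the intent explicit, e.g. `networking.firewall.enable = true; # replaces the former hand-written nftables ruleset` plus `networking.firewall.allowedTCPPorts = [ 80 443 ];` if the web ports the old ruleset opened are still needed, and delete the commented-out line. The old ruleset also restricted snmp and nrpe to named monitoring hosts and rate-limited ping; if monitoring still depends on that, those rules need to be re-added (for instance through `networking.firewall.extraInputRules` with the nftables backend) rather than silently lost. `nameservers` is likewise commented out although the interface uses static addresses, so unless DNS is configured elsewhere the host will have no resolvers; either restore the line or add a comment saying where DNS comes from. The hunk's trailing context appears to extend past the visible text, so the lines after `time.timeZone` were not reviewed.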