fediversity/test-installer-configuration
Archived
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

First test

Browse source
This commit is contained in:
Nicolas Jeannerod 2024-10-25 15:53:33 +02:00
parent dd89642966
commit efaa107cc2
Signed by: Niols
GPG key ID: 35DB9EC8886E1CB8
3 changed files with 9 additions and 83 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
flake.nix
View file

@ -7,7 +7,7 @@
outputs = { self, nixpkgs, snf, disko }:
let
vmName = "vm02186";
vmName = "fedi01";
in {
nixosConfigurations.${vmName} = nixpkgs.lib.nixosSystem {

1
hardware-configuration.nix
View file

@ -2,6 +2,7 @@
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix")];
services.qemuGuest.enable = true;
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];

89
procolix-configuration.nix
View file

@ -6,14 +6,14 @@
boot.loader.efi.canTouchEfiVariables = true;
networking = {
hostName = "vm02186";
hostName = "fedi01";
domain = "procolix.com";
interfaces = {
eth0 = {
ipv4 = {
addresses = [
{
address = "185.206.232.186";
address = "95.215.187.101";
prefixLength = 24;
}
];
@ -21,7 +21,7 @@
ipv6 = {
addresses = [
{
address = "2a00:51c0:12:1201::186";
address = "2a00:51c0:13:1305::101";
prefixLength = 64;
}
];
@ -29,92 +29,17 @@
};
};
defaultGateway = {
address = "185.206.232.1";
address = "95.215.187.1";
interface = "eth0";
};
defaultGateway6 = {
address = "2a00:51c0:12:1201::1";
address = "2a00:51c0:13:1305::1";
interface = "eth0";
};
nameservers = [ "95.215.185.6" "95.215.185.7" ];
firewall.enable = false;
nftables = {
enable = true;
ruleset = ''
#!/usr/sbin/nft -f
flush ruleset
########### define usefull variables here #####################
define wan = eth0
define ssh_allow = {
83.161.147.127/32, # host801 ipv4
95.215.185.92/32, # host088 ipv4
95.215.185.211/32, # host089 ipv4
95.215.185.34/32, # nagios2 ipv4
95.215.185.181/32, # ansible.procolix.com
95.215.185.235/32, # ansible-hq
}
define snmp_allow = {
95.215.185.31/32, # cacti ipv4
}
define nrpe_allow = {
95.215.185.34/32, # nagios2 ipv4
}
########### here starts the automated bit #####################
table inet filter {
chain input {
type filter hook input priority 0;
policy drop;
# established/related connections
ct state established,related accept
ct state invalid drop
# Limit ping requests.
ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
# loopback interface
iifname lo accept
# icmp
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
# Without the nd-* ones ipv6 will not work.
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
# open tcp ports: sshd (22)
tcp dport {ssh} accept
# open tcp ports: snmp (161)
ip saddr $snmp_allow udp dport {snmp} accept
# open tcp ports: nrpe (5666)
ip saddr $nrpe_allow tcp dport {nrpe} accept
# open tcp ports: http (80,443)
tcp dport {http,https} accept
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}
table ip nat {
chain postrouting {
}
chain prerouting {
}
}
'';
};
# nameservers = [ "95.215.185.6" "95.215.185.7" ];
# firewall.enable = false;
};
# Set your time zone.
time.timeZone = "Europe/Amsterdam";