From 8ad145776332ff3b73d30b27eabd2e92975c27fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Wed, 20 Nov 2024 13:07:03 +0100 Subject: [PATCH 1/8] Enable trimming of trailing whitespace as a pre-commit hook --- flake.nix | 4 ++++ infra/vm02116/configuration.nix | 8 ++++---- infra/vm02179/configuration.nix | 8 ++++---- infra/vm02187/configuration.nix | 10 +++++----- 4 files changed, 17 insertions(+), 13 deletions(-) diff --git a/flake.nix b/flake.nix index 7fca607..9f2652d 100644 --- a/flake.nix +++ b/flake.nix @@ -60,6 +60,10 @@ enable = true; inherit files; }; + trim-trailing-whitespace = { + enable = true; + inherit files; + }; }; devShells.default = pkgs.mkShell { diff --git a/infra/vm02116/configuration.nix b/infra/vm02116/configuration.nix index 4ac97bc..48fb17d 100644 --- a/infra/vm02116/configuration.nix +++ b/infra/vm02116/configuration.nix @@ -84,7 +84,7 @@ ########### here starts the automated bit ##################### table inet filter { chain input { - type filter hook input priority 0; + type filter hook input priority 0; policy drop; # established/related connections @@ -97,7 +97,7 @@ # loopback interface iifname lo accept - + # icmp ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept # Without the nd-* ones ipv6 will not work. @@ -126,10 +126,10 @@ table ip nat { chain postrouting { - } + } chain prerouting { } - } + } ''; }; }; diff --git a/infra/vm02179/configuration.nix b/infra/vm02179/configuration.nix index e514c52..5b10d8b 100644 --- a/infra/vm02179/configuration.nix +++ b/infra/vm02179/configuration.nix @@ -72,7 +72,7 @@ ########### here starts the automated bit ##################### table inet filter { chain input { - type filter hook input priority 0; + type filter hook input priority 0; policy drop; # established/related connections 
@@ -85,7 +85,7 @@ # loopback interface iifname lo accept - + # icmp ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept # Without the nd-* ones ipv6 will not work. @@ -113,10 +113,10 @@ table ip nat { chain postrouting { - } + } chain prerouting { } - } + } ''; }; }; diff --git a/infra/vm02187/configuration.nix b/infra/vm02187/configuration.nix index 9b3718e..2c8edbf 100644 --- a/infra/vm02187/configuration.nix +++ b/infra/vm02187/configuration.nix @@ -33,7 +33,7 @@ $wgUseImageMagick = true; $wgMaxShellMemory = 524288; $wgSVGMetadataCutoff = 1024*1024; - $wgAllowExternalImages = false; + $wgAllowExternalImages = false; ## Permissions $wgGroupPermissions['*']['edit'] = false; @@ -139,7 +139,7 @@ ########### here starts the automated bit ##################### table inet filter { chain input { - type filter hook input priority 0; + type filter hook input priority 0; policy drop; # established/related connections @@ -152,7 +152,7 @@ # loopback interface iifname lo accept - + # icmp ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept # Without the nd-* ones ipv6 will not work. @@ -181,10 +181,10 @@ table ip nat { chain postrouting { - } + } chain prerouting { } - } + } ''; }; }; From da127445bc16a3f2929a4aecf5c88f8ca8845106 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Wed, 20 Nov 2024 13:10:56 +0100 Subject: [PATCH 2/8] Clean-up VMs configurations --- infra/vm02116/configuration.nix | 56 ------------------------ infra/vm02179/configuration.nix | 7 --- infra/vm02186/procolix-configuration.nix | 2 - infra/vm02187/configuration.nix | 11 ----- 4 files changed, 76 deletions(-) diff --git a/infra/vm02116/configuration.nix b/infra/vm02116/configuration.nix index 48fb17d..ba06610 100644 --- a/infra/vm02116/configuration.nix +++ b/infra/vm02116/configuration.nix 
@@ -1,26 +1,11 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). - { pkgs, ... }: { - imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - # This will install and configure Forgejo - ./forgejo.nix - ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - # networking.hostName = "nixos"; # Define your hostname. - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - # Networking networking = { hostName = "vm02116"; @@ -137,34 +122,8 @@ # Set your time zone. time.timeZone = "Europe/Amsterdam"; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkb.options in tty. - # }; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - - # Configure keymap in X11 - # services.xserver.xkb.layout = "us"; - # services.xserver.xkb.options = "eurosign:e,caps:escape"; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; # Define a user account. Don't forget to set a password with ‘passwd’. users.users = { 
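Review bot: The removed `imports = [ ./hardware-configuration.nix ./forgejo.nix ];` is more than comment clean-up: if those two files exist next to this configuration, dropping the import silently loses the filesystem/boot-device definitions and the Forgejo service for vm02116, and the next rebuild either fails to find a root filesystem or comes up without the service. If the files are not in this repository (the per-host files read like copies of externally managed configs) the import was already dead and removing it is fine, but the commit message "Clean-up" does not say which. I would leave a one-line note in place of the import, e.g. `# hardware-configuration.nix and forgejo.nix are provisioned outside this repo`, so the omission is visibly intentional. The same applies to the `./hardware-configuration.nix` import dropped from vm02187 later in this patch.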
@@ -204,14 +163,6 @@ subversion ]; - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - # List services that you want to enable: services = { openssh = { @@ -222,12 +173,6 @@ }; }; - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # @@ -245,5 +190,4 @@ # # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . system.stateVersion = "24.05"; - } diff --git a/infra/vm02179/configuration.nix b/infra/vm02179/configuration.nix index 5b10d8b..d92e221 100644 --- a/infra/vm02179/configuration.nix +++ b/infra/vm02179/configuration.nix @@ -1,7 +1,3 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - { pkgs, ... }: { @@ -182,8 +178,6 @@ wget ]; - # List services that you want to enable: - # Enable the OpenSSH daemon. services.openssh.enable = true; @@ -194,5 +188,4 @@ # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "24.05"; # Did you read the comment? - } diff --git a/infra/vm02186/procolix-configuration.nix b/infra/vm02186/procolix-configuration.nix index 44412f7..179261d 100644 --- a/infra/vm02186/procolix-configuration.nix +++ b/infra/vm02186/procolix-configuration.nix 
@@ -182,8 +182,6 @@ wget ]; - # List services that you want to enable: - # Enable the OpenSSH daemon. services.openssh.enable = true; diff --git a/infra/vm02187/configuration.nix b/infra/vm02187/configuration.nix index 2c8edbf..9bb2786 100644 --- a/infra/vm02187/configuration.nix +++ b/infra/vm02187/configuration.nix @@ -1,15 +1,6 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - { pkgs, ... }: { - imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; - # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; @@ -244,8 +235,6 @@ wget ]; - # List services that you want to enable: - # Enable the OpenSSH daemon. services.openssh.enable = true; services.openssh.settings.PasswordAuthentication = false; From 3bc484754f21a21b3bcb3dc1e672b42506da75bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Wed, 20 Nov 2024 15:04:48 +0100 Subject: [PATCH 3/8] Move networking config of vm02116 to `infra/common` --- infra/common/default.nix | 1 + infra/common/networking.nix | 117 ++++++++++++++++++++++++++++++ infra/vm02116/configuration.nix | 123 +------------------------------- 3 files changed, 119 insertions(+), 122 deletions(-) create mode 100644 infra/common/default.nix create mode 100644 infra/common/networking.nix diff --git a/infra/common/default.nix b/infra/common/default.nix new file mode 100644 index 0000000..b0372b0 --- /dev/null +++ b/infra/common/default.nix @@ -0,0 +1 @@ +{ imports = [ ./networking.nix ]; } diff --git a/infra/common/networking.nix b/infra/common/networking.nix new file mode 100644 index 0000000..7688e0e --- /dev/null +++ b/infra/common/networking.nix 
@@ -0,0 +1,117 @@ +{ + config = { + services.openssh.enable = true; + + networking = { + hostName = "vm02116"; + domain = "procolix.com"; + interfaces = { + eth0 = { + ipv4 = { + addresses = [ + { + address = "185.206.232.34"; + prefixLength = 24; + } + ]; + }; + ipv6 = { + addresses = [ + { + address = "2a00:51c0:12:1201::20"; + prefixLength = 64; + } + ]; + }; + }; + }; + defaultGateway = { + address = "185.206.232.1"; + interface = "eth0"; + }; + defaultGateway6 = { + address = "2a00:51c0:12:1201::1"; + interface = "eth0"; + }; + nameservers = [ + "2a00:51c0::5fd7:b906" + "95.215.185.7" + ]; + firewall.enable = false; + nftables = { + enable = true; + ruleset = '' + #!/usr/sbin/nft -f + + flush ruleset + + ########### define usefull variables here ##################### + define wan = eth0 + define ssh_allow = { + 83.161.147.127/32, # host801 ipv4 + 95.215.185.92/32, # host088 ipv4 + 95.215.185.211/32, # host089 ipv4 + 95.215.185.34/32, # nagios2 ipv4 + 95.215.185.235, # ansible-hq + } + define snmp_allow = { + 95.215.185.31/32, # cacti ipv4 + } + define nrpe_allow = { + 95.215.185.34/32, # nagios2 ipv4 + } + + ########### here starts the automated bit ##################### + table inet filter { + chain input { + type filter hook input priority 0; + policy drop; + + # established/related connections + ct state established,related accept + ct state invalid drop + + # Limit ping requests. + ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop + ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop + + # loopback interface + iifname lo accept + + # icmp + ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept + # Without the nd-* ones ipv6 will not work. 
+ ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept + + # open tcp ports: sshd (22) + #ip saddr $ssh_allow tcp dport {ssh} accept + tcp dport {ssh} accept + + # open tcp ports: snmp (161) + ip saddr $snmp_allow udp dport {snmp} accept + + # open tcp ports: nrpe (5666) + ip saddr $nrpe_allow tcp dport {nrpe} accept + + # open tcp ports: http (80,443) + tcp dport {http,https} accept + } + chain forward { + type filter hook forward priority 0; + } + chain output { + type filter hook output priority 0; + } + } + + table ip nat { + chain postrouting { + } + chain prerouting { + } + } + ''; + }; + }; + }; +} diff --git a/infra/vm02116/configuration.nix b/infra/vm02116/configuration.nix index ba06610..20a5243 100644 --- a/infra/vm02116/configuration.nix +++ b/infra/vm02116/configuration.nix 
@@ -6,119 +6,6 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - # Networking - networking = { - hostName = "vm02116"; - domain = "procolix.com"; - interfaces = { - eth0 = { - ipv4 = { - addresses = [ - { - address = "185.206.232.34"; - prefixLength = 24; - } - ]; - }; - ipv6 = { - addresses = [ - { - address = "2a00:51c0:12:1201::20"; - prefixLength = 64; - } - ]; - }; - }; - }; - defaultGateway = { - address = "185.206.232.1"; - interface = "eth0"; - }; - defaultGateway6 = { - address = "2a00:51c0:12:1201::1"; - interface = "eth0"; - }; - nameservers = [ - "2a00:51c0::5fd7:b906" - "95.215.185.7" - ]; - firewall.enable = false; - nftables = { - enable = true; - ruleset = '' - #!/usr/sbin/nft -f - - flush ruleset - - ########### define usefull variables here ##################### - define wan = eth0 - define ssh_allow = { - 83.161.147.127/32, # host801 ipv4 - 95.215.185.92/32, # host088 ipv4 - 95.215.185.211/32, # host089 ipv4 - 95.215.185.34/32, # nagios2 ipv4 - 95.215.185.235, # ansible-hq - } - define snmp_allow = { - 95.215.185.31/32, # cacti ipv4 - } - define nrpe_allow = { - 95.215.185.34/32, # nagios2 ipv4 - } - - ########### here starts the automated bit ##################### - table inet filter { - chain input { - type filter hook input priority 0; - policy drop; - - # established/related connections - ct state established,related accept - ct state invalid drop - - # Limit ping requests. - ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop - ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop - - # loopback interface - iifname lo accept - - # icmp - ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept - # Without the nd-* ones ipv6 will not work. 
- ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept - - # open tcp ports: sshd (22) - #ip saddr $ssh_allow tcp dport {ssh} accept - tcp dport {ssh} accept - - # open tcp ports: snmp (161) - ip saddr $snmp_allow udp dport {snmp} accept - - # open tcp ports: nrpe (5666) - ip saddr $nrpe_allow tcp dport {nrpe} accept - - # open tcp ports: http (80,443) - tcp dport {http,https} accept - } - chain forward { - type filter hook forward priority 0; - } - chain output { - type filter hook output priority 0; - } - } - - table ip nat { - chain postrouting { - } - chain prerouting { - } - } - ''; - }; - }; - # Set your time zone. time.timeZone = "Europe/Amsterdam"; @@ -163,15 +50,7 @@ subversion ]; - # List services that you want to enable: - services = { - openssh = { - enable = true; - }; - xe-guest-utilities = { - enable = true; - }; - }; + services.xe-guest-utilities.enable = true; # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. From c8d9b1c66942fdb2409748772b0debf50c4a4b1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Wed, 20 Nov 2024 15:07:09 +0100 Subject: [PATCH 4/8] Factorise networking config of vm02179 into `infra/common` --- infra/common/networking.nix | 25 +++++-- infra/vm02116/configuration.nix | 7 ++ infra/vm02179/configuration.nix | 123 +++----------------------------- 3 files changed, 35 insertions(+), 120 deletions(-) diff --git a/infra/common/networking.nix b/infra/common/networking.nix index 7688e0e..d6464d6 100644 --- a/infra/common/networking.nix +++ b/infra/common/networking.nix 
@@ -1,16 +1,30 @@
+{ config, lib, ... }:
+
+let
+ inherit (lib) mkOption;
+
+in
 {
+ options = {
+ procolix.vm = {
+ name = mkOption { };
+ ip4 = mkOption { };
+ ip6 = mkOption { };
+ };
+ };
+
 config = {
 services.openssh.enable = true;
 networking = {
- hostName = "vm02116";
+ hostName = config.procolix.vm.name;
 domain = "procolix.com";
 interfaces = {
 eth0 = {
 ipv4 = {
 addresses = [
 {
- address = "185.206.232.34";
+ address = config.procolix.vm.ip4;
 prefixLength = 24;
 }
 ];
@@ -18,7 +32,7 @@
 ipv6 = {
 addresses = [
 {
- address = "2a00:51c0:12:1201::20";
+ address = config.procolix.vm.ip6;
 prefixLength = 64;
 }
 ];
@@ -34,8 +48,9 @@
 interface = "eth0";
 };
 nameservers = [
- "2a00:51c0::5fd7:b906"
+ "95.215.185.6"
 "95.215.185.7"
+ "2a00:51c0::5fd7:b906"
 ];
 firewall.enable = false;
 nftables = {
@@ -52,6 +67,7 @@
 95.215.185.92/32, # host088 ipv4
 95.215.185.211/32, # host089 ipv4
 95.215.185.34/32, # nagios2 ipv4
+ 95.215.185.181/32, # ansible.procolix.com
 95.215.185.235, # ansible-hq
 }
 define snmp_allow = {
@@ -84,7 +100,6 @@
 ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
 # open tcp ports: sshd (22)
- #ip saddr $ssh_allow tcp dport {ssh} accept
 tcp dport {ssh} accept
 # open tcp ports: snmp (161)
diff --git a/infra/vm02116/configuration.nix b/infra/vm02116/configuration.nix
index 20a5243..b0e6ebd 100644
--- a/infra/vm02116/configuration.nix
+++ b/infra/vm02116/configuration.nix
@@ -1,6 +1,13 @@
 { pkgs, ... }:
 {
+ imports = [ ../common ];
+
+ procolix.vm = {
+ name = "vm02116";
+ ip4 = "185.206.232.34";
+ ip6 = "2a00:51c0:12:1201::20";
+ };
 # Use the systemd-boot EFI boot loader.
 boot.loader.systemd-boot.enable = true;
diff --git a/infra/vm02179/configuration.nix b/infra/vm02179/configuration.nix
index d92e221..1420ee9 100644
--- a/infra/vm02179/configuration.nix
+++ b/infra/vm02179/configuration.nix
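Review bot: `name = mkOption { };` (and `ip4`, `ip6`) declare the new options with no `type` and no `description`, so any value — an attribute set, `null`, a string with a typo — is accepted at evaluation time and the problem only surfaces, if at all, when `networking.interfaces.eth0.ipv4.addresses` is applied. Give them a type and a sentence, e.g. `name = mkOption { type = lib.types.str; description = "Short hostname of the VM"; };`, so a host file that forgets or mistypes one fails with a clear error instead of booting without an address. Further down the same hunk the values are combined with a fixed `prefixLength = 24` / `64`, so the description of `ip4`/`ip6` should also say they are expected to live in the shared /24 and /64.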
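Review bot: The nameservers hunk changes what every host importing `infra/common` resolves with: vm02116 gains `95.215.185.6` and loses its IPv6-first order, and the hosts folded in by the following patches (which in their own files list only the two IPv4 resolvers) gain `2a00:51c0::5fd7:b906`. That is plausibly the intended unification, but the commit title says "factorise", which reads as behaviour-preserving; state the common set explicitly with a comment above the list, e.g. `# Procolix resolvers (v4 + v6), shared by all VMs`, so a later reader does not mistake the per-host difference for a regression.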
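Review bot: The last networking.nix hunk deletes the commented `#ip saddr $ssh_allow tcp dport {ssh} accept` and keeps `tcp dport {ssh} accept`, so after this patch nothing references `$ssh_allow` and SSH is accepted from any source; the `95.215.185.181/32, # ansible.procolix.com` entry added to the set two hunks above is therefore a no-op. Either enforce the set, `ip saddr $ssh_allow tcp dport {ssh} accept` (plus an `ip6 saddr` rule, since the set holds only IPv4 prefixes), or drop the unused `define ssh_allow` and `define wan` and add `# SSH is intentionally reachable from any address` so the file stops implying an allow-list that the kernel never sees. The ruleset string continues outside this hunk.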
@@ -1,122 +1,18 @@ { pkgs, ... }: { + imports = [ ../common ]; + + procolix.vm = { + name = "vm02179"; + ip4 = "185.206.232.179"; + ip6 = "2a00:51c0:12:1201::179"; + }; + # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking = { - hostName = "vm02179"; - domain = "procolix.com"; - interfaces = { - eth0 = { - ipv4 = { - addresses = [ - { - address = "185.206.232.179"; - prefixLength = 24; - } - ]; - }; - ipv6 = { - addresses = [ - { - address = "2a00:51c0:12:1201::179"; - prefixLength = 64; - } - ]; - }; - }; - }; - defaultGateway = { - address = "185.206.232.1"; - interface = "eth0"; - }; - defaultGateway6 = { - address = "2a00:51c0:12:1201::1"; - interface = "eth0"; - }; - nameservers = [ - "95.215.185.6" - "95.215.185.7" - ]; - firewall.enable = false; - nftables = { - enable = true; - ruleset = '' - #!/usr/sbin/nft -f - - flush ruleset - - ########### define usefull variables here ##################### - define wan = eth0 - define ssh_allow = { - 83.161.147.127/32, # host801 ipv4 - 95.215.185.92/32, # host088 ipv4 - 95.215.185.211/32, # host089 ipv4 - 95.215.185.34/32, # nagios2 ipv4 - 95.215.185.181/32, # ansible.procolix.com - 95.215.185.235, # ansible-hq - } - define snmp_allow = { - 95.215.185.31/32, # cacti ipv4 - } - define nrpe_allow = { - 95.215.185.34/32, # nagios2 ipv4 - } - - ########### here starts the automated bit ##################### - table inet filter { - chain input { - type filter hook input priority 0; - policy drop; - - # established/related connections - ct state established,related accept - ct state invalid drop - - # Limit ping requests. 
- ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop - ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop - - # loopback interface - iifname lo accept - - # icmp - ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept - # Without the nd-* ones ipv6 will not work. - ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept - - # open tcp ports: sshd (22) - tcp dport {ssh} accept - - # open tcp ports: snmp (161) - ip saddr $snmp_allow udp dport {snmp} accept - - # open tcp ports: nrpe (5666) - ip saddr $nrpe_allow tcp dport {nrpe} accept - - # open tcp ports: http (80,443) - tcp dport {http,https} accept - } - chain forward { - type filter hook forward priority 0; - } - chain output { - type filter hook output priority 0; - } - } - - table ip nat { - chain postrouting { - } - chain prerouting { - } - } - ''; - }; - }; - # Set your time zone. time.timeZone = "Europe/Amsterdam"; @@ -178,9 +74,6 @@ wget ]; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave From fe6d68446b77210471754a1dcd4b2d63d2b96196 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Wed, 20 Nov 2024 13:26:10 +0100 Subject: [PATCH 5/8] Factorise networking config of vm02186 into `infra/common` --- infra/common/networking.nix | 2 +- infra/vm02186/procolix-configuration.nix | 123 ++--------------------- 2 files changed, 9 insertions(+), 116 deletions(-) diff --git a/infra/common/networking.nix b/infra/common/networking.nix index d6464d6..25715e6 100644 
--- a/infra/common/networking.nix
+++ b/infra/common/networking.nix
@@ -68,7 +68,7 @@ in
 95.215.185.211/32, # host089 ipv4
 95.215.185.34/32, # nagios2 ipv4
 95.215.185.181/32, # ansible.procolix.com
- 95.215.185.235, # ansible-hq
+ 95.215.185.235/32, # ansible-hq
 }
 define snmp_allow = {
 95.215.185.31/32, # cacti ipv4
diff --git a/infra/vm02186/procolix-configuration.nix b/infra/vm02186/procolix-configuration.nix
index 179261d..497e147 100644
--- a/infra/vm02186/procolix-configuration.nix
+++ b/infra/vm02186/procolix-configuration.nix
@@ -1,122 +1,18 @@ { pkgs, ... }: { + imports = [ ../common ]; + + procolix.vm = { + name = "vm02186"; + ip4 = "185.206.232.186"; + ip6 = "2a00:51c0:12:1201::186"; + }; + # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking = { - hostName = "vm02186"; - domain = "procolix.com"; - interfaces = { - eth0 = { - ipv4 = { - addresses = [ - { - address = "185.206.232.186"; - prefixLength = 24; - } - ]; - }; - ipv6 = { - addresses = [ - { - address = "2a00:51c0:12:1201::186"; - prefixLength = 64; - } - ]; - }; - }; - }; - defaultGateway = { - address = "185.206.232.1"; - interface = "eth0"; - }; - defaultGateway6 = { - address = "2a00:51c0:12:1201::1"; - interface = "eth0"; - }; - nameservers = [ - "95.215.185.6" - "95.215.185.7" - ]; - firewall.enable = false; - nftables = { - enable = true; - ruleset = '' - #!/usr/sbin/nft -f - - flush ruleset - - ########### define usefull variables here ##################### - define wan = eth0 - define ssh_allow = { - 83.161.147.127/32, # host801 ipv4 - 95.215.185.92/32, # host088 ipv4 - 95.215.185.211/32, # host089 ipv4 - 95.215.185.34/32, # nagios2 ipv4 - 95.215.185.181/32, # ansible.procolix.com - 95.215.185.235/32, # ansible-hq - } - define snmp_allow = { - 95.215.185.31/32, # cacti ipv4 - } - define nrpe_allow = { - 95.215.185.34/32, # nagios2 ipv4 - } - - ########### here starts the automated bit ##################### - table inet filter { - chain input { - type filter hook input priority 0; - policy drop; - - # established/related connections - ct state established,related accept - ct state invalid drop - - # Limit ping requests. 
- ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop - ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop - - # loopback interface - iifname lo accept - - # icmp - ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept - # Without the nd-* ones ipv6 will not work. - ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept - - # open tcp ports: sshd (22) - tcp dport {ssh} accept - - # open tcp ports: snmp (161) - ip saddr $snmp_allow udp dport {snmp} accept - - # open tcp ports: nrpe (5666) - ip saddr $nrpe_allow tcp dport {nrpe} accept - - # open tcp ports: http (80,443) - tcp dport {http,https} accept - } - chain forward { - type filter hook forward priority 0; - } - chain output { - type filter hook output priority 0; - } - } - - table ip nat { - chain postrouting { - } - chain prerouting { - } - } - ''; - }; - }; - # Set your time zone. time.timeZone = "Europe/Amsterdam"; @@ -182,9 +78,6 @@ wget ]; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave From f56c00eb5999cda255353adabeddf7fe9e1dafb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Wed, 20 Nov 2024 13:29:44 +0100 Subject: [PATCH 6/8] Factorise networking config of vm02187 into `infra/common` --- infra/common/networking.nix | 5 +- infra/vm02187/configuration.nix | 124 +++----------------------------- 2 files changed, 12 insertions(+), 117 deletions(-) diff --git a/infra/common/networking.nix b/infra/common/networking.nix index 25715e6..49b539c 100644 
--- a/infra/common/networking.nix
+++ b/infra/common/networking.nix
@@ -14,7 +14,10 @@ in
 };
 config = {
- services.openssh.enable = true;
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
 networking = {
 hostName = config.procolix.vm.name;
diff --git a/infra/vm02187/configuration.nix b/infra/vm02187/configuration.nix
index 9bb2786..a7aab90 100644
--- a/infra/vm02187/configuration.nix
+++ b/infra/vm02187/configuration.nix
@@ -1,6 +1,14 @@
 { pkgs, ... }:
 {
+ imports = [ ../common ];
+
+ procolix.vm = {
+ name = "vm02187";
+ ip4 = "185.206.232.187";
+ ip6 = "2a00:51c0:12:1201::187";
+ };
+
 # Use the systemd-boot EFI boot loader.
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
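Review bot: `settings.PasswordAuthentication = false;` alone does not stop password logins on NixOS, because `services.openssh.settings.KbdInteractiveAuthentication` defaults to true and keyboard-interactive via PAM still prompts for the account password; add `settings.KbdInteractiveAuthentication = false;` beside it. This setting now also applies to vm02116, vm02179 and vm02186, which until this patch ran with the OpenSSH defaults, so confirm each of them has `users.users.<name>.openssh.authorizedKeys.keys` populated (the user definitions are outside these hunks) before deploying, or the console becomes the only way in. `PermitRootLogin` stays at the NixOS default (`prohibit-password`); if root over SSH is not needed, `settings.PermitRootLogin = "no";` belongs in this same block.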
@@ -67,119 +75,6 @@ users.users.nginx.extraGroups = [ "acme" ]; - networking = { - hostName = "vm02187"; - domain = "procolix.com"; - interfaces = { - eth0 = { - ipv4 = { - addresses = [ - { - address = "185.206.232.187"; - prefixLength = 24; - } - ]; - }; - ipv6 = { - addresses = [ - { - address = "2a00:51c0:12:1201::187"; - prefixLength = 64; - } - ]; - }; - }; - }; - defaultGateway = { - address = "185.206.232.1"; - interface = "eth0"; - }; - defaultGateway6 = { - address = "2a00:51c0:12:1201::1"; - interface = "eth0"; - }; - nameservers = [ - "95.215.185.6" - "95.215.185.7" - ]; - firewall.enable = false; - nftables = { - enable = true; - ruleset = '' - #!/usr/sbin/nft -f - - flush ruleset - - ########### define usefull variables here ##################### - define wan = eth0 - define ssh_allow = { - 83.161.147.127/32, # host801 ipv4 - 95.215.185.92/32, # host088 ipv4 - 95.215.185.211/32, # host089 ipv4 - 95.215.185.34/32, # nagios2 ipv4 - 95.215.185.181/32, # ansible.procolix.com - 95.215.185.235, # ansible-hq - } - define snmp_allow = { - 95.215.185.31/32, # cacti ipv4 - } - define nrpe_allow = { - 95.215.185.34/32, # nagios2 ipv4 - } - - ########### here starts the automated bit ##################### - table inet filter { - chain input { - type filter hook input priority 0; - policy drop; - - # established/related connections - ct state established,related accept - ct state invalid drop - - # Limit ping requests. - ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop - ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop - - # loopback interface - iifname lo accept - - # icmp - ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept - # Without the nd-* ones ipv6 will not work. 
- ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept - - # open tcp ports: sshd (22) - # ip saddr $ssh_allow tcp dport {ssh} accept - tcp dport {ssh} accept - - # open tcp ports: snmp (161) - ip saddr $snmp_allow udp dport {snmp} accept - - # open tcp ports: nrpe (5666) - ip saddr $nrpe_allow tcp dport {nrpe} accept - - # open tcp ports: http (80,443) - tcp dport {http,https} accept - } - chain forward { - type filter hook forward priority 0; - } - chain output { - type filter hook output priority 0; - } - } - - table ip nat { - chain postrouting { - } - chain prerouting { - } - } - ''; - }; - }; - # Set your time zone. time.timeZone = "Europe/Amsterdam"; @@ -235,9 +130,6 @@ wget ]; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - services.openssh.settings.PasswordAuthentication = false; security.sudo.wheelNeedsPassword = false; # This value determines the NixOS release from which the default From 18559dab546003b0bca45e6a8e41db7119793c70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Wed, 20 Nov 2024 15:51:09 +0100 Subject: [PATCH 7/8] Move nftables ruleset to separate file --- infra/common/networking.nix | 76 ++----------------------------- infra/common/nftables-ruleset.nft | 71 +++++++++++++++++++++++++++++ 2 files changed, 76 insertions(+), 71 deletions(-) create mode 100644 infra/common/nftables-ruleset.nft diff --git a/infra/common/networking.nix b/infra/common/networking.nix index 49b539c..376a9ca 100644 --- a/infra/common/networking.nix +++ b/infra/common/networking.nix @@ -22,6 +22,7 @@ in networking = { hostName = config.procolix.vm.name; domain = "procolix.com"; + interfaces = { eth0 = { ipv4 = { @@ -42,6 +43,7 @@ in }; }; }; + defaultGateway = { address = "185.206.232.1"; interface = "eth0"; 
@@ -50,85 +52,17 @@ in address = "2a00:51c0:12:1201::1"; interface = "eth0"; }; + nameservers = [ "95.215.185.6" "95.215.185.7" "2a00:51c0::5fd7:b906" ]; + firewall.enable = false; nftables = { enable = true; - ruleset = '' - #!/usr/sbin/nft -f - - flush ruleset - - ########### define usefull variables here ##################### - define wan = eth0 - define ssh_allow = { - 83.161.147.127/32, # host801 ipv4 - 95.215.185.92/32, # host088 ipv4 - 95.215.185.211/32, # host089 ipv4 - 95.215.185.34/32, # nagios2 ipv4 - 95.215.185.181/32, # ansible.procolix.com - 95.215.185.235/32, # ansible-hq - } - define snmp_allow = { - 95.215.185.31/32, # cacti ipv4 - } - define nrpe_allow = { - 95.215.185.34/32, # nagios2 ipv4 - } - - ########### here starts the automated bit ##################### - table inet filter { - chain input { - type filter hook input priority 0; - policy drop; - - # established/related connections - ct state established,related accept - ct state invalid drop - - # Limit ping requests. - ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop - ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop - - # loopback interface - iifname lo accept - - # icmp - ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept - # Without the nd-* ones ipv6 will not work. 
- ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept - - # open tcp ports: sshd (22) - tcp dport {ssh} accept - - # open tcp ports: snmp (161) - ip saddr $snmp_allow udp dport {snmp} accept - - # open tcp ports: nrpe (5666) - ip saddr $nrpe_allow tcp dport {nrpe} accept - - # open tcp ports: http (80,443) - tcp dport {http,https} accept - } - chain forward { - type filter hook forward priority 0; - } - chain output { - type filter hook output priority 0; - } - } - - table ip nat { - chain postrouting { - } - chain prerouting { - } - } - ''; + rulesetFile = ./nftables-ruleset.nft; }; }; }; diff --git a/infra/common/nftables-ruleset.nft b/infra/common/nftables-ruleset.nft new file mode 100644 index 0000000..523027b --- /dev/null +++ b/infra/common/nftables-ruleset.nft 
@@ -0,0 +1,71 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+########### define usefull variables here #####################
+
+define wan = eth0
+define ssh_allow = {
+ 83.161.147.127/32, # host801 ipv4
+ 95.215.185.92/32, # host088 ipv4
+ 95.215.185.211/32, # host089 ipv4
+ 95.215.185.34/32, # nagios2 ipv4
+ 95.215.185.181/32, # ansible.procolix.com
+ 95.215.185.235/32, # ansible-hq
+}
+define snmp_allow = {
+ 95.215.185.31/32, # cacti ipv4
+}
+define nrpe_allow = {
+ 95.215.185.34/32, # nagios2 ipv4
+}
+
+########### here starts the automated bit #####################
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ policy drop;
+
+ # established/related connections
+ ct state established,related accept
+ ct state invalid drop
+
+ # Limit ping requests.
+ ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
+ ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
+
+ # loopback interface
+ iifname lo accept
+
+ # icmp
+ ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
+ # Without the nd-* ones ipv6 will not work.
+ ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
+
+ # open tcp ports: sshd (22)
+ tcp dport {ssh} accept
+
+ # open tcp ports: snmp (161)
+ ip saddr $snmp_allow udp dport {snmp} accept
+
+ # open tcp ports: nrpe (5666)
+ ip saddr $nrpe_allow tcp dport {nrpe} accept
+
+ # open tcp ports: http (80,443)
+ tcp dport {http,https} accept
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ }
+ chain output {
+ type filter hook output priority 0;
+ }
+}
+
+table ip nat {
+ chain postrouting {
+ }
+ chain prerouting {
+ }
+}
From 60ec9aab2ac939b9d7342d5aefa25aec4b628b47 Mon Sep 17 00:00:00 2001
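Review bot: In the new `nftables-ruleset.nft`, `define wan = eth0` and the whole `define ssh_allow = { ... }` set are never referenced — the only SSH rule is the unconditional `tcp dport {ssh} accept` — so the file, now shared by all four VMs, documents a source allow-list that is not enforced. Either enforce it (`ip saddr $ssh_allow tcp dport {ssh} accept`, plus an `ip6 saddr` rule since the set holds only IPv4 prefixes) or delete the dead definitions and write `# SSH is intentionally open to any source; authentication is key-only` above the rule so the choice is explicit. `chain forward` carries no `policy`, which nftables treats as accept; for single-interface VMs with an empty nat table `type filter hook forward priority 0; policy drop;` is the safer default, even if IP forwarding is presumably off. Minor: the comment `# open tcp ports: snmp (161)` sits above a `udp dport {snmp}` rule and should say udp.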
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Thu, 21 Nov 2024 11:32:48 +0100 Subject: [PATCH 8/8] Follow @kevin's recommendations --- infra/common/networking.nix | 1 + infra/common/nftables-ruleset.nft | 1 - 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/common/networking.nix b/infra/common/networking.nix
index 376a9ca..49a069b 100644
--- a/infra/common/networking.nix
+++ b/infra/common/networking.nix
@@ -57,6 +57,7 @@ in
 "95.215.185.6"
 "95.215.185.7"
 "2a00:51c0::5fd7:b906"
+ "2a00:51c0::5fd7:b907"
 ];
 firewall.enable = false;
diff --git a/infra/common/nftables-ruleset.nft b/infra/common/nftables-ruleset.nft
index 523027b..0bd23c3 100644
--- a/infra/common/nftables-ruleset.nft
+++ b/infra/common/nftables-ruleset.nft
@@ -10,7 +10,6 @@ define ssh_allow = {
 95.215.185.92/32, # host088 ipv4
 95.215.185.211/32, # host089 ipv4
 95.215.185.34/32, # nagios2 ipv4
- 95.215.185.181/32, # ansible.procolix.com
 95.215.185.235/32, # ansible-hq
 }
 define snmp_allow = {
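Review bot: Removing `95.215.185.181/32, # ansible.procolix.com` from `ssh_allow` changes nothing the firewall accepts, because nothing in this ruleset references `$ssh_allow`; the SSH rule, outside this hunk, is an unconditional `tcp dport {ssh} accept`. If the recommendation was to revoke that host's SSH access, the rule has to become `ip saddr $ssh_allow tcp dport {ssh} accept` (with an IPv6 counterpart) for the edit to take effect; if the set is only a record of who is expected to connect, say so above it, e.g. `# informational only: SSH is not filtered by source address`. A commit titled "Follow @kevin's recommendations" would also be easier to verify if the message listed what those recommendations were.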