diff --git a/infra/common/networking.nix b/infra/common/networking.nix index 7688e0e..d6464d6 100644 --- a/infra/common/networking.nix +++ b/infra/common/networking.nix @@ -1,16 +1,30 @@ +{ config, lib, ... }: + +let + inherit (lib) mkOption; + +in { + options = { + procolix.vm = { + name = mkOption { }; + ip4 = mkOption { }; + ip6 = mkOption { }; + }; + }; + config = { services.openssh.enable = true; networking = { - hostName = "vm02116"; + hostName = config.procolix.vm.name; domain = "procolix.com"; interfaces = { eth0 = { ipv4 = { addresses = [ { - address = "185.206.232.34"; + address = config.procolix.vm.ip4; prefixLength = 24; } ]; @@ -18,7 +32,7 @@ ipv6 = { addresses = [ { - address = "2a00:51c0:12:1201::20"; + address = config.procolix.vm.ip6; prefixLength = 64; } ]; @@ -34,8 +48,9 @@ interface = "eth0"; }; nameservers = [ - "2a00:51c0::5fd7:b906" + "95.215.185.6" "95.215.185.7" + "2a00:51c0::5fd7:b906" ]; firewall.enable = false; nftables = { @@ -52,6 +67,7 @@ 95.215.185.92/32, # host088 ipv4 95.215.185.211/32, # host089 ipv4 95.215.185.34/32, # nagios2 ipv4 + 95.215.185.181/32, # ansible.procolix.com 95.215.185.235, # ansible-hq } define snmp_allow = { @@ -84,7 +100,6 @@ ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept # open tcp ports: sshd (22) - #ip saddr $ssh_allow tcp dport {ssh} accept tcp dport {ssh} accept # open tcp ports: snmp (161) diff --git a/infra/vm02116/configuration.nix b/infra/vm02116/configuration.nix index 20a5243..b0e6ebd 100644 --- a/infra/vm02116/configuration.nix +++ b/infra/vm02116/configuration.nix @@ -1,6 +1,13 @@ { pkgs, ... }: { + imports = [ ../common ]; + + procolix.vm = { + name = "vm02116"; + ip4 = "185.206.232.34"; + ip6 = "2a00:51c0:12:1201::20"; + }; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; diff --git a/infra/vm02179/configuration.nix b/infra/vm02179/configuration.nix index d92e221..1420ee9 100644 --- a/infra/vm02179/configuration.nix +++ b/infra/vm02179/configuration.nix @@ -1,122 +1,18 @@ { pkgs, ... }: { + imports = [ ../common ]; + + procolix.vm = { + name = "vm02179"; + ip4 = "185.206.232.179"; + ip6 = "2a00:51c0:12:1201::179"; + }; + # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking = { - hostName = "vm02179"; - domain = "procolix.com"; - interfaces = { - eth0 = { - ipv4 = { - addresses = [ - { - address = "185.206.232.179"; - prefixLength = 24; - } - ]; - }; - ipv6 = { - addresses = [ - { - address = "2a00:51c0:12:1201::179"; - prefixLength = 64; - } - ]; - }; - }; - }; - defaultGateway = { - address = "185.206.232.1"; - interface = "eth0"; - }; - defaultGateway6 = { - address = "2a00:51c0:12:1201::1"; - interface = "eth0"; - }; - nameservers = [ - "95.215.185.6" - "95.215.185.7" - ]; - firewall.enable = false; - nftables = { - enable = true; - ruleset = '' - #!/usr/sbin/nft -f - - flush ruleset - - ########### define usefull variables here ##################### - define wan = eth0 - define ssh_allow = { - 83.161.147.127/32, # host801 ipv4 - 95.215.185.92/32, # host088 ipv4 - 95.215.185.211/32, # host089 ipv4 - 95.215.185.34/32, # nagios2 ipv4 - 95.215.185.181/32, # ansible.procolix.com - 95.215.185.235, # ansible-hq - } - define snmp_allow = { - 95.215.185.31/32, # cacti ipv4 - } - define nrpe_allow = { - 95.215.185.34/32, # nagios2 ipv4 - } - - ########### here starts the automated bit ##################### - table inet filter { - chain input { - type filter hook input priority 0; - policy drop; - - # established/related connections - ct state established,related accept - ct state invalid drop - - # Limit ping requests. - ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop - ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop - - # loopback interface - iifname lo accept - - # icmp - ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept - # Without the nd-* ones ipv6 will not work. - ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept - - # open tcp ports: sshd (22) - tcp dport {ssh} accept - - # open tcp ports: snmp (161) - ip saddr $snmp_allow udp dport {snmp} accept - - # open tcp ports: nrpe (5666) - ip saddr $nrpe_allow tcp dport {nrpe} accept - - # open tcp ports: http (80,443) - tcp dport {http,https} accept - } - chain forward { - type filter hook forward priority 0; - } - chain output { - type filter hook output priority 0; - } - } - - table ip nat { - chain postrouting { - } - chain prerouting { - } - } - ''; - }; - }; - # Set your time zone. time.timeZone = "Europe/Amsterdam"; @@ -178,9 +74,6 @@ wget ]; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave