lois/Fediversity
1
0
Fork 0
forked from fediversity/fediversity
Code Pull requests Activity

Move networking config of vm02116 to infra/common

Browse source
This commit is contained in:
Nicolas Jeannerod 2024-11-20 15:04:48 +01:00
parent da127445bc
commit 3bc484754f
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8
3 changed files with 119 additions and 122 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
infra/common/default.nix Normal file
View file

@ -0,0 +1 @@
{ imports = [ ./networking.nix ]; }

117
infra/common/networking.nix Normal file
View file

@ -0,0 +1,117 @@
{
config = {
services.openssh.enable = true;
networking = {
hostName = "vm02116";
domain = "procolix.com";
interfaces = {
eth0 = {
ipv4 = {
addresses = [
{
address = "185.206.232.34";
prefixLength = 24;
}
];
};
ipv6 = {
addresses = [
{
address = "2a00:51c0:12:1201::20";
prefixLength = 64;
}
];
};
};
};
defaultGateway = {
address = "185.206.232.1";
interface = "eth0";
};
defaultGateway6 = {
address = "2a00:51c0:12:1201::1";
interface = "eth0";
};
nameservers = [
"2a00:51c0::5fd7:b906"
"95.215.185.7"
];
firewall.enable = false;
nftables = {
enable = true;
ruleset = ''
#!/usr/sbin/nft -f
flush ruleset
########### define usefull variables here #####################
define wan = eth0
define ssh_allow = {
83.161.147.127/32, # host801 ipv4
95.215.185.92/32, # host088 ipv4
95.215.185.211/32, # host089 ipv4
95.215.185.34/32, # nagios2 ipv4
95.215.185.235, # ansible-hq
}
define snmp_allow = {
95.215.185.31/32, # cacti ipv4
}
define nrpe_allow = {
95.215.185.34/32, # nagios2 ipv4
}
########### here starts the automated bit #####################
table inet filter {
chain input {
type filter hook input priority 0;
policy drop;
# established/related connections
ct state established,related accept
ct state invalid drop
# Limit ping requests.
ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
# loopback interface
iifname lo accept
# icmp
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
# Without the nd-* ones ipv6 will not work.
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
# open tcp ports: sshd (22)
#ip saddr $ssh_allow tcp dport {ssh} accept
tcp dport {ssh} accept
# open tcp ports: snmp (161)
ip saddr $snmp_allow udp dport {snmp} accept
# open tcp ports: nrpe (5666)
ip saddr $nrpe_allow tcp dport {nrpe} accept
# open tcp ports: http (80,443)
tcp dport {http,https} accept
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}
table ip nat {
chain postrouting {
}
chain prerouting {
}
}
'';
};
};
};
}

123
infra/vm02116/configuration.nix
View file

@ -6,119 +6,6 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Networking
networking = {
hostName = "vm02116";
domain = "procolix.com";
interfaces = {
eth0 = {
ipv4 = {
addresses = [
{
address = "185.206.232.34";
prefixLength = 24;
}
];
};
ipv6 = {
addresses = [
{
address = "2a00:51c0:12:1201::20";
prefixLength = 64;
}
];
};
};
};
defaultGateway = {
address = "185.206.232.1";
interface = "eth0";
};
defaultGateway6 = {
address = "2a00:51c0:12:1201::1";
interface = "eth0";
};
nameservers = [
"2a00:51c0::5fd7:b906"
"95.215.185.7"
];
firewall.enable = false;
nftables = {
enable = true;
ruleset = ''
#!/usr/sbin/nft -f
flush ruleset
########### define usefull variables here #####################
define wan = eth0
define ssh_allow = {
83.161.147.127/32, # host801 ipv4
95.215.185.92/32, # host088 ipv4
95.215.185.211/32, # host089 ipv4
95.215.185.34/32, # nagios2 ipv4
95.215.185.235, # ansible-hq
}
define snmp_allow = {
95.215.185.31/32, # cacti ipv4
}
define nrpe_allow = {
95.215.185.34/32, # nagios2 ipv4
}
########### here starts the automated bit #####################
table inet filter {
chain input {
type filter hook input priority 0;
policy drop;
# established/related connections
ct state established,related accept
ct state invalid drop
# Limit ping requests.
ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
# loopback interface
iifname lo accept
# icmp
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
# Without the nd-* ones ipv6 will not work.
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
# open tcp ports: sshd (22)
#ip saddr $ssh_allow tcp dport {ssh} accept
tcp dport {ssh} accept
# open tcp ports: snmp (161)
ip saddr $snmp_allow udp dport {snmp} accept
# open tcp ports: nrpe (5666)
ip saddr $nrpe_allow tcp dport {nrpe} accept
# open tcp ports: http (80,443)
tcp dport {http,https} accept
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}
table ip nat {
chain postrouting {
}
chain prerouting {
}
}
'';
};
};
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
@ -163,15 +50,7 @@
subversion
];
# List services that you want to enable:
services = {
openssh = {
enable = true;
};
xe-guest-utilities = {
enable = true;
};
};
services.xe-guest-utilities.enable = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.