authorKenny Ballou <kballou@devnulllabs.io>2020-12-15 11:12:58 -0700
committerKenny Ballou <kballou@devnulllabs.io>2020-12-15 11:12:58 -0700
commita7477e7819f658bf58b11491c84bc16234663234 (patch)
tree8644ae63d7b65ff2162e975523143eca9742e7a3
parent76b9a08873e024a02f50a150ab2ddb02238a5bbc (diff)
daeva: add skeleton config for new laptop
Signed-off-by: Kenny Ballou <kballou@devnulllabs.io>
-rw-r--r--daeva/configuration.nix75
-rw-r--r--daeva/nftables-rules.nft89
2 files changed, 164 insertions, 0 deletions
diff --git a/daeva/configuration.nix b/daeva/configuration.nix
new file mode 100644
index 0000000..a2ae9fa
--- /dev/null
+++ b/daeva/configuration.nix
@@ -0,0 +1,75 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ ../hardware-configuration.nix
+ ../secrets.nix
+ ../overlays.nix
+ ../unfree.nix
+ ../services/clamav.nix
+ ../services/firewall.nix
+ ../services/docker.nix
+ ../services/dnsmasq.nix
+ ../services/sound.nix
+ ../services/x11.nix
+ ../services/x11-intel.nix
+ ../services/x11-laptop.nix
+ ../services/gnome.nix
+ ../services/dbus.nix
+ ../services/haveged.nix
+ ../services/printing.nix
+ ../system/bluetooth.nix
+ ../system/ca.nix
+ ../system/console.nix
+ ../system/documentation.nix
+ ../system/fonts.nix
+ ../system/i18n.nix
+ ../system/networking.nix
+ ../system/packages.nix
+ ../system/security.nix
+ ../system/timezone.nix
+ ../system/users.nix
+ ../system/wireshark.nix
+ ../system/yubikey-gpg.nix
+ ../programs/mtr.nix
+ ../system/nix.nix
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ boot.initrd.luks = {
+ gpgSupport = true;
+ device = {
+ luks- = {
+ device = "/dev/disk/by-uuid/";
+ gpgCard = {
+ publicKey = ./public.asc;
+ encryptedPass = ./luks-passphrase.asc;
+ };
+ };
+ };
+ };
+ boot.blacklistedKernelModules = [
+ "iptables"
+ ];
+
+ networking.hostName = "daeva";
+
+ # Only keep a week instead of 2
+ nix.gc.options = "--delete-older-than 7d";
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "20.09"; # Did you read the comment?
+
+}
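Review bot: The LUKS block at `boot.initrd.luks.device = { luks- = { ... } }` uses a singular attribute name, but the NixOS option is `boot.initrd.luks.devices.<name>`, so as written this should fail evaluation with an undefined-option error rather than configure the encrypted root. The device name `luks-` and the path `"/dev/disk/by-uuid/"` are unfilled placeholders, which is consistent with the commit message calling this a skeleton, but a `# TODO: fill in the LUKS volume UUID before deploying` comment would make that explicit for the next reader. The comment `# Use the GRUB 2 boot loader.` above `boot.loader.systemd-boot.enable = true;` is stale and should read `# Use the systemd-boot EFI boot loader.`. The blacklist entry `"iptables"` likely does not match a kernel module name — the legacy iptables modules are `ip_tables`/`ip6_tables` (over `x_tables`) — so if the intent is to keep the legacy backend from loading alongside nftables, verify the names with `modinfo` and list the actual modules.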
diff --git a/daeva/nftables-rules.nft b/daeva/nftables-rules.nft
new file mode 100644
index 0000000..22ed7f9
--- /dev/null
+++ b/daeva/nftables-rules.nft
@@ -0,0 +1,89 @@
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state invalid counter drop comment "drop invalid packets"
+ ct state established,related counter accept comment "accept related connections"
+ iif lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter drop
+ iif != lo ip6 daddr ::1/128 counter drop
+ ip protocol icmp counter accept
+ ip6 nexthdr ipv6-icmp counter accept
+ udp dport domain ip saddr 172.16.0.0/12 counter accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 counter accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 counter accept
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.100.0.0/8 } counter accept
+ counter
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state established,related counter accept
+ ip saddr 172.16.0.0/12 ip daddr 0.0.0.0/8 counter accept
+ ip saddr 172.16.0.0/12 ip daddr 172.16.0.0/12 counter accept
+ iifname "docker0" oifname "enp0s25" counter accept
+ iifname "docker0" oifname "wlp2s0" counter accept
+ iifname "docker0" oifname != "docker0" counter accept
+ counter
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop;
+ ct state established,related counter accept
+ icmp type echo-request counter accept
+ icmp type echo-reply counter accept
+ udp dport domain counter accept
+ tcp dport http counter accept
+ tcp dport https counter accept
+ tcp dport ssh counter accept
+ tcp dport bootps counter accept
+ udp dport bootps counter accept
+ tcp dport ntp counter accept
+ udp dport ntp counter accept
+ tcp dport nntps counter accept
+ udp dport nntps counter accept
+ tcp dport submission counter accept
+ tcp dport imaps counter accept
+ tcp dport 2222 counter accept
+ tcp dport hkp counter accept
+ udp dport hkp counter accept
+ tcp dport 9100 counter accept
+ tcp dport git counter accept
+ udp dport git counter accept
+ tcp dport rsync counter accept
+ udp dport rsync counter accept
+ tcp dport 8000 counter accept
+ tcp dport http-alt counter accept
+ udp dport openvpn counter accept
+ tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ ip daddr 127.0.0.0/8 counter accept
+ tcp dport 5222 counter accept
+ tcp dport 6697 counter accept
+ counter
+ }
+}
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0;
+ counter
+ }
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ ip saddr 172.16.0.0/12 oifname enp0s25 counter masquerade
+ ip saddr 172.16.0.0/12 oifname wlp2s0 counter masquerade
+ counter
+ }
+}
+
+table ip6 nat {
+ chain prerouting {
+ type nat hook prerouting priority 0;
+ counter
+ }
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ ip6 saddr fcdd::/48 oifname enp0s25 counter masquerade
+ ip6 saddr fcdd::/48 oifname wlp2s0 counter masquerade
+ counter
+ }
+}
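Review bot: The set element `10.100.0.0/8` in `tcp dport http-alt ip saddr { 127.0.0.1/8, 10.100.0.0/8 } counter accept` is a non-canonical prefix: nft masks the address to the prefix length, so as far as I can tell this matches the whole of 10.0.0.0/8 rather than a 10.100.x.x network; if a /16 was meant the rule should read `tcp dport http-alt ip saddr { 127.0.0.1/8, 10.100.0.0/16 } counter accept`, and if all of 10/8 was meant, write `10.0.0.0/8` as the postgresql rule in the output chain already does. In the forward chain, `iifname "docker0" oifname != "docker0" counter accept` lets containers forward to every non-docker interface, including any tunnel interface that comes up later, and makes the two preceding enp0s25/wlp2s0 rules dead; dropping the catch-all and keeping the explicit uplink rules would keep the forward policy as tight as the postrouting masquerade rules, which are already limited to those two interfaces. Since every chain ends in a bare `counter` that falls through to `policy drop`, a `comment` on those rules (e.g. `counter comment "count dropped"`) would make the counters self-explanatory in `nft list ruleset` output.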