From a7477e7819f658bf58b11491c84bc16234663234 Mon Sep 17 00:00:00 2001
From: Kenny Ballou
Date: Tue, 15 Dec 2020 11:12:58 -0700
Subject: daeva: add skeleton config for new laptop

Signed-off-by: Kenny Ballou
---
 daeva/configuration.nix | 75 ++++++++++++++++++++++++++++++++++++++++
 daeva/nftables-rules.nft | 89 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 164 insertions(+)
 create mode 100644 daeva/configuration.nix
 create mode 100644 daeva/nftables-rules.nft

diff --git a/daeva/configuration.nix b/daeva/configuration.nix
new file mode 100644
index 0000000..a2ae9fa
--- /dev/null
+++ b/daeva/configuration.nix
@@ -0,0 +1,75 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ ../hardware-configuration.nix
+ ../secrets.nix
+ ../overlays.nix
+ ../unfree.nix
+ ../services/clamav.nix
+ ../services/firewall.nix
+ ../services/docker.nix
+ ../services/dnsmasq.nix
+ ../services/sound.nix
+ ../services/x11.nix
+ ../services/x11-intel.nix
+ ../services/x11-laptop.nix
+ ../services/gnome.nix
+ ../services/dbus.nix
+ ../services/haveged.nix
+ ../services/printing.nix
+ ../system/bluetooth.nix
+ ../system/ca.nix
+ ../system/console.nix
+ ../system/documentation.nix
+ ../system/fonts.nix
+ ../system/i18n.nix
+ ../system/networking.nix
+ ../system/packages.nix
+ ../system/security.nix
+ ../system/timezone.nix
+ ../system/users.nix
+ ../system/wireshark.nix
+ ../system/yubikey-gpg.nix
+ ../programs/mtr.nix
+ ../system/nix.nix
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ boot.initrd.luks = {
+ gpgSupport = true;
+ device = {
+ luks- = {
+ device = "/dev/disk/by-uuid/";
+ gpgCard = {
+ publicKey = ./public.asc;
+ encryptedPass = ./luks-passphrase.asc;
+ };
+ };
+ };
+ };
+ boot.blacklistedKernelModules = [
+ "iptables"
+ ];
+
+ networking.hostName = "daeva";
+
+ # Only keep a week instead of 2
+ nix.gc.options = "--delete-older-than 7d";
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "20.09"; # Did you read the comment?
+
+}
diff --git a/daeva/nftables-rules.nft b/daeva/nftables-rules.nft
new file mode 100644
index 0000000..22ed7f9
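Review bot: `boot.blacklistedKernelModules = [ "iptables" ]` names a module that does not exist, so the blacklist is a no-op; the legacy netfilter stack loads as `ip_tables` and `ip6_tables` (with `iptable_*` and `x_tables` behind them). If the goal is to keep the legacy iptables hooks from sitting alongside the nftables ruleset added in this commit, list the real names, e.g. `boot.blacklistedKernelModules = [ "ip_tables" "ip6_tables" ];`, bearing in mind that the NixOS option only suppresses autoloading and an explicit modprobe still succeeds. Since `../services/docker.nix` is imported and Docker normally drives iptables itself (which would modprobe those modules), it is worth confirming that Docker is configured not to manage iptables before relying on the blacklist at all. The comment `# Use the GRUB 2 boot loader.` above `boot.loader.systemd-boot.enable = true;` is stale; `# Use the systemd-boot EFI boot loader.` matches the line it documents.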
--- /dev/null
+++ b/daeva/nftables-rules.nft
@@ -0,0 +1,89 @@
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state invalid counter drop comment "drop invalid packets"
+ ct state established,related counter accept comment "accept related connections"
+ iif lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter drop
+ iif != lo ip6 daddr ::1/128 counter drop
+ ip protocol icmp counter accept
+ ip6 nexthdr ipv6-icmp counter accept
+ udp dport domain ip saddr 172.16.0.0/12 counter accept
+ tcp dport 3000 ip saddr 127.0.0.1/8 counter accept
+ tcp dport 8000 ip saddr 127.0.0.1/8 counter accept
+ tcp dport http-alt ip saddr { 127.0.0.1/8, 10.100.0.0/8 } counter accept
+ counter
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state established,related counter accept
+ ip saddr 172.16.0.0/12 ip daddr 0.0.0.0/8 counter accept
+ ip saddr 172.16.0.0/12 ip daddr 172.16.0.0/12 counter accept
+ iifname "docker0" oifname "enp0s25" counter accept
+ iifname "docker0" oifname "wlp2s0" counter accept
+ iifname "docker0" oifname != "docker0" counter accept
+ counter
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop;
+ ct state established,related counter accept
+ icmp type echo-request counter accept
+ icmp type echo-reply counter accept
+ udp dport domain counter accept
+ tcp dport http counter accept
+ tcp dport https counter accept
+ tcp dport ssh counter accept
+ tcp dport bootps counter accept
+ udp dport bootps counter accept
+ tcp dport ntp counter accept
+ udp dport ntp counter accept
+ tcp dport nntps counter accept
+ udp dport nntps counter accept
+ tcp dport submission counter accept
+ tcp dport imaps counter accept
+ tcp dport 2222 counter accept
+ tcp dport hkp counter accept
+ udp dport hkp counter accept
+ tcp dport 9100 counter accept
+ tcp dport git counter accept
+ udp dport git counter accept
+ tcp dport rsync counter accept
+ udp dport rsync counter accept
+ tcp dport 8000 counter accept
+ tcp dport http-alt counter accept
+ udp dport openvpn counter accept
+ tcp dport postgresql ip daddr { 127.0.0.1/8, 10.0.0.0/8 } counter accept
+ ip daddr 127.0.0.0/8 counter accept
+ tcp dport 5222 counter accept
+ tcp dport 6697 counter accept
+ counter
+ }
+}
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0;
+ counter
+ }
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ ip saddr 172.16.0.0/12 oifname enp0s25 counter masquerade
+ ip saddr 172.16.0.0/12 oifname wlp2s0 counter masquerade
+ counter
+ }
+}
+
+table ip6 nat {
+ chain prerouting {
+ type nat hook prerouting priority 0;
+ counter
+ }
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ ip6 saddr fcdd::/48 oifname enp0s25 counter masquerade
+ ip6 saddr fcdd::/48 oifname wlp2s0 counter masquerade
+ counter
+ }
+}
-- cgit v1.2.1
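Review bot: In the input chain, `tcp dport http-alt ip saddr { 127.0.0.1/8, 10.100.0.0/8 } counter accept` exposes port 8080 to the whole of 10.0.0.0/8, because the host bits of `10.100.0.0/8` are masked away and the set element is effectively `10.0.0.0/8`; on a laptop that roams onto office or hotel networks numbered out of 10/8, that is far wider than the `10.100.x.x` literal suggests. If one subnet is meant, tighten the prefix, e.g. `tcp dport http-alt ip saddr { 127.0.0.1/8, 10.100.0.0/16 } counter accept` (the exact width is for the author to confirm), and give the output-chain postgresql set `{ 127.0.0.1/8, 10.0.0.0/8 }` the same scrutiny. In the forward chain, `iifname "docker0" oifname != "docker0" counter accept` already subsumes the two explicit `enp0s25`/`wlp2s0` rules above it and also lets containers forward into any interface added later, such as an OpenVPN tun, so either drop the wildcard or keep only the named egress interfaces. One caveat to test on first boot: with `policy drop` on input and no `udp sport bootps udp dport bootpc accept`, DHCP offers are dropped if the client uses a normal UDP socket rather than a raw socket, since the broadcast reply is not tracked as a reply to the DISCOVER by conntrack.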