Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / f21ca388baf762c2f9bcc26da8fe84a259a095c9 / . / bgpwtf / machines / modules / router.nix
blob: f476077a7cae28855547559763d019691348272b [file] [log] [blame]
Serge Bazanski6abe4fa2020-10-03 00:18:34 +0200[diff] [blame]1# Generic configuration for any bgpwtf router.
2
3{ config, pkgs, lib, ... }:
4
5with builtins;
6
7rec {
8 imports = [
9 ./routing.nix
10 ./rename-interfaces.nix
11 ./rsh-unbound.nix
12 ./bootstrap.nix
13 ./prometheus.nix
14 ];
15
16 environment.systemPackages = with pkgs; [
17 tcpdump htop dstat file strace gdb mtr
18 vim wget curl htop dstat whois bind
Serge Bazanski957d9112022-06-12 12:26:02 +0200[diff] [blame]19 rxvt-unicode-unwrapped.terminfo dhcpcd efibootmgr
Serge Bazanski6abe4fa2020-10-03 00:18:34 +0200[diff] [blame]20 ];
21 networking.useDHCP = false;
22 networking.firewall.enable = false;
Serge Bazanski957d9112022-06-12 12:26:02 +0200[diff] [blame]23 networking.useNetworkd = true;
Serge Bazanski6abe4fa2020-10-03 00:18:34 +0200[diff] [blame]24 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
25 boot.kernel.sysctl."net.ipv4.conf.*.accept_redirects" = 0;
26 boot.kernel.sysctl."net.ipv4.conf.*.send_redirects" = 0;
27 boot.kernel.sysctl."net.ipv4.conf.*.accept_source_route" = 0;
28 boot.kernel.sysctl."net.ipv4.conf.*.proxy_arp" = 0;
29 boot.kernel.sysctl."net.ipv4.conf.*.secure_redirects" = 1;
30 boot.kernel.sysctl."net.ipv4.conf.*.bootp_relay" = 0;
31 boot.kernel.sysctl."net.ipv4.conf.*.arp_filter" = 1;
32 boot.kernel.sysctl."net.ipv4.conf.*.arp_ignore" = 1;
33 boot.kernel.sysctl."net.ipv4.conf.*.arp_announce" = 2;
34 boot.kernel.sysctl."net.ipv4.conf.*.rp_filter" = 0;
35 boot.kernel.sysctl."net.ipv6.conf.*.forwarding" = 1;
36 boot.kernel.sysctl."net.ipv6.conf.*.accept_ra" = 0;
37 boot.kernel.sysctl."net.ipv6.conf.*.autoconf" = 0;
38 boot.kernel.sysctl."net.ipv6.conf.*.router_solicitations" = 0;
Serge Bazanski51007152020-11-10 19:39:53 +0100[diff] [blame]39 boot.kernel.sysctl."net.ipv6.route.max_size" = 2147483647;
Serge Bazanski6abe4fa2020-10-03 00:18:34 +0200[diff] [blame]40
Serge Bazanski11248d82021-09-06 12:07:35 +0000[diff] [blame]41 # Limit nscd memory usage, as it sometimes just blows up and the OOMkiller
42 # sucks at picking it up.
43 systemd.services.nscd.serviceConfig.MemoryMax = "1G";
44
Bartosz Stebel76de8f82020-12-10 08:30:38 +0100[diff] [blame]45 # enable coredumpctl
46 systemd.coredump.enable = true;
47
Serge Bazanski6abe4fa2020-10-03 00:18:34 +0200[diff] [blame]48 # Use Chrony instead of systemd-timesyncd
49 time.timeZone = "Europe/Warsaw";
50 services.chrony.enable = true;
51 networking.nameservers = [ "8.8.8.8" ];
52
53 # Enable the OpenSSH daemon.
54 services.openssh.enable = true;
Serge Bazanskid602c282021-10-28 21:10:47 +0200[diff] [blame]55 services.openssh.passwordAuthentication = false;
56 # Allow for slightly more unauthenticated connections between dropping them,
57 # otherwise public bruteforcing will cause DoS preventing actual users from
58 # logging in.
59 services.openssh.extraConfig = ''
60 MaxStartups 100:30:1000
61 '';
Serge Bazanski6abe4fa2020-10-03 00:18:34 +0200[diff] [blame]62 users.users.root.openssh.authorizedKeys.keys = [
Serge Bazanski6abe4fa2020-10-03 00:18:34 +0200[diff] [blame]63 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG599UildOrAq+LIOQjKqtGMwjgjIxozI1jtQQRKHtCP q3k@mimeomia"
64 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQb3YQoiYFZLKwvHYKbu1bMqzNeDCAszQhAe1+QI5SLDOotclyY/vFmOReZOsmyMFl71G2d7d+FbYNusUnNNjTxRYQ021tVc+RkMdLJaORRURmQfEFEKbai6QSFTwErXzuoIzyEPK0lbsQuGgqT9WaVnRzHJ2Q/4+qQbxAS34PuR5NqEkmn4G6LMo3OyJ5mwPkCj9lsqz4BcxRaMWFO3mNcwGDfSW+sqgc3E8N6LKrTpZq3ke7xacpQmcG5DU9VO+2QVPdltl9jWbs3gXjmF92YRNOuKPVfAOZBBsp8JOznfx8s9wDgs7RwPmDpjIAJEyoABqW5hlXfqRbTnfnMvuR informatic@InformaticPC"
65 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGkMgEVwQM8yeuFUYL2TwlJIq9yUNBmHnwce46zeL2PK2CkMz7sxT/om7sp/K5XDiqeD05Nioe+Dr3drP6B8uI33S5NgxPIfaqQsRS+CBEgk6cqFlcdlKETU/DT+/WsdoO173n7mgGeafPInEuQuGDUID0Fl099kIxtqfAhdeZFMM6/szAZEZsElLJ8K6dp1Ni/jmnXCZhjivZH3AZUlnqrmtDG7FY1bgcOfDXAal45LItughGPtrdiigXe9DK2fW3+9DBZZduh5DMJTNlphAZ+nfSrbyHVKUg6WsgMSprur4KdU47q1QwzqqvEj75JcdP1jOWoZi4F6VJDte9Wb9lhD1jGgjxY9O6Gs4CH35bx15W7CN9hgNa0C8NbPJe/fZYIeMZmJ1m7O2xmnYwP8j+t7RNJWu7Pa3Em4mOEXvhBF07Zfq+Ye/4SluoRgADy5eII2x5fFo5EBhInxK0/X8wF6XZvysalVifoCh7T4Edejoi91oAxFgYAxbboXGlod0eEHIi2hla8SM9+IBHOChmgawKBYp2kzAJyAmHNBF+Pah9G4arVCj/axp/SJZDZbJQoI7UT/fJzEtvlb5RWrHXRq+y6IvjpUq4pzpDWW04+9UMqEEXRmhWOakHfEVM9rN8h3aJBflLUBBnh0Z/hVsKNh8bCRHaKtah8TrD9i+wMw== patryk.jakuszew@gmail.com"
66 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC33naG1ptCvUcRWX9cj9wXM1nW1lyQC4SvMJzWlr9aMD96O8hQ2JMkuIUgUJvorAY02QRplQ2BuoVoVkdkzwjMyi1bL3OdgcKo7Z1yByClGTTocqNJYY0lcUb6EJH8+6e6F9ydrQlSxNzL1uCaA7phZr+yPcmAmWbSfioXn98yXNkE0emHxzJv/nypJY56sDCMC2IXDRd8L2goDtPwgPEW7bWfAQdIFMJ75xOidZOTxJ8eqyXLw/kxY5UlyX66jdoYz1sE5XUHuoQl1AOG9UdlMo0aMhUvP4pX5l7r7EnA9OttKMFB3oWqkVK/R6ynZ52YNOU5BZ9V+Ppaj34W0xNu+p0mbHcCtXYCTrf/OU0hcZDbDaNTjs6Vtcm2wYw9iAKX7Tex+eOMwUwlrlcyPNRV5BTot7lGNYfauHCSIuWJKN4NhCLR/NtVNh4/94eKkPTwJsY6XqDcS7q49wPAs4DAH7BJgsbHPOqygVHrY0YYEfz3Pj0HTxJHQMCP/hQX4fXEGt0BjgoVJbXPAQtPyeg0JuxiUg+b4CgVVfQ6R060MlM1BZzhmh+FY5MJH6nJppS0aHYCvSg8Z68NUlCPKy0jpcyfuAIWQWwSGG1O010WShQG2ELsvNdg5/4HVdCGNl5mmoom6JOd72FOZyQlHDFfeQUQRn9HOeCq/c51rK99SQ== bartek@IHM"
67 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTR292kx/2CNuWYIsZ6gykQ036aBGrmheIuZa6S1D2x implr@thonk"
Serge Bazanskiffb80d02021-04-19 09:11:04 +0200[diff] [blame]68 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfIRe1nH6vwjQTjqHNnkKAdr1VYqGEeQnqInmf3A6UN ar@khas"
Serge Bazanski6abe4fa2020-10-03 00:18:34 +0200[diff] [blame]69 ];
70}