From 89516c54778d7797e8897fa126a8ed0e7af57233 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vili=20Sinerv=C3=A4?= Date: Fri, 21 Feb 2025 12:36:07 +0200 Subject: [PATCH] Centralize IPv6 GUA prefix configuration --- base.nix | 330 ++++++++++++++++++++------------------ machine-confs/helium.nix | 8 +- machine-confs/lithium.nix | 8 +- services/siit-dc.nix | 7 +- 4 files changed, 181 insertions(+), 172 deletions(-) diff --git a/base.nix b/base.nix index 54e40dc..3471c94 100644 --- a/base.nix +++ b/base.nix 
@@ -1,183 +1,193 @@ -{ pkgs, ... }: +{ pkgs, lib, ... }: { - ######################################## Packages ############################################### - environment.systemPackages = with pkgs; [ - tmux - git - nvi - p7zip - tree - btop - pwgen - ssss - dig - termshark - ]; - - ######################################## ZSH configuration ###################################### - users.defaultUserShell = pkgs.zsh; - environment.shells = with pkgs; [ zsh ]; - programs.zsh = { - enable = true; - autosuggestions.enable = true; - syntaxHighlighting.enable = true; - ohMyZsh = { - enable = true; - plugins = [ - "history-substring-search" - "tmux" - ]; - theme = "af-magic"; - }; - interactiveShellInit = '' - ZSH_TMUX_AUTOSTART=false - ZSH_TMUX_AUTOQUIT=false - ZSH_TMUX_CONFIG=/etc/tmux.conf - ''; - promptInit = '' - if [ -n "$IN_NIX_SHELL" ]; then - setopt PROMPT_SUBST - RPROMPT+='[nix]' - fi - ''; + options.custom.gua_pref = lib.mkOption { + type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$"); + default = null; + description = "IPv6 GUA Prefix to use in other confs"; }; - ######################################## tmux configuration ##################################### - programs.tmux.enable = true; - programs.tmux.extraConfig = '' - unbind C-b - set -g prefix M-w - bind M-w send-prefix + config = { + custom.gua_pref = "2001:14ba:a090:39"; - bind s split-window -v - bind v split-window -h + ######################################## Packages ############################################### + environment.systemPackages = with pkgs; [ + tmux + git + nvi + p7zip + tree + btop + pwgen + ssss + dig + termshark + ]; - # Smart pane switching with awareness of Vim splits. 
- bind -n C-h run "(tmux display-message -p '#{pane_current_command}' | grep -iq vim && tmux send-keys C-h) || tmux select-pane -L" - bind -n C-j run "(tmux display-message -p '#{pane_current_command}' | grep -iq vim && tmux send-keys C-j) || tmux select-pane -D" - bind -n C-k run "(tmux display-message -p '#{pane_current_command}' | grep -iq vim && tmux send-keys C-k) || tmux select-pane -U" - bind -n C-l run "(tmux display-message -p '#{pane_current_command}' | grep -iq vim && tmux send-keys C-l) || tmux select-pane -R" - - bind -n C-Left select-pane -L - bind -n C-Right select-pane -R - bind -n C-Up select-pane -U - bind -n C-Down select-pane -D - - # resize panes more easily - bind -r h resize-pane -L 10 - bind -r j resize-pane -D 10 - bind -r k resize-pane -U 10 - bind -r l resize-pane -R 10 - - bind M-c attach -c "#{pane_current_path}" - - set -s escape-time 0 - ''; - - ######################################## SSH and fail2ban configuration ######################### - services.openssh = { - enable = true; - settings.PasswordAuthentication = false; - }; - users.users.root.openssh.authorizedKeys.keys = [ - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPiupf3xK6eWvno7R2rDYPuDxVvbmzWh5EkR1rquvV9hAAAABHNzaDo= vili@helium" - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHr/1uVk5cWRWAELvwVvBG+eAbkKqpH2gat1yKKO11roAAAABHNzaDo= vili@lithium" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOk8akyi6Ob1EOPugxnjdlMQs9rOAbxBbakT8olBFe7 backup_ssh" - ]; - - services.fail2ban = { - enable = true; - maxretry = 10; - bantime = "10m"; - bantime-increment = { + ######################################## ZSH configuration ###################################### + users.defaultUserShell = pkgs.zsh; + environment.shells = with pkgs; [ zsh ]; + programs.zsh = { enable = true; - maxtime = "1d"; + autosuggestions.enable = true; + syntaxHighlighting.enable = true; + ohMyZsh = { + enable = true; + plugins = [ + "history-substring-search" + 
"tmux" + ]; + theme = "af-magic"; + }; + interactiveShellInit = '' + ZSH_TMUX_AUTOSTART=false + ZSH_TMUX_AUTOQUIT=false + ZSH_TMUX_CONFIG=/etc/tmux.conf + ''; + promptInit = '' + if [ -n "$IN_NIX_SHELL" ]; then + setopt PROMPT_SUBST + RPROMPT+='[nix]' + fi + ''; }; - jails = { - DEFAULT.settings = { - findtime = 3600; + + ######################################## tmux configuration ##################################### + programs.tmux.enable = true; + programs.tmux.extraConfig = '' + unbind C-b + set -g prefix M-w + bind M-w send-prefix + + bind s split-window -v + bind v split-window -h + + # Smart pane switching with awareness of Vim splits. + bind -n C-h run "(tmux display-message -p '#{pane_current_command}' | grep -iq vim && tmux send-keys C-h) || tmux select-pane -L" + bind -n C-j run "(tmux display-message -p '#{pane_current_command}' | grep -iq vim && tmux send-keys C-j) || tmux select-pane -D" + bind -n C-k run "(tmux display-message -p '#{pane_current_command}' | grep -iq vim && tmux send-keys C-k) || tmux select-pane -U" + bind -n C-l run "(tmux display-message -p '#{pane_current_command}' | grep -iq vim && tmux send-keys C-l) || tmux select-pane -R" + + bind -n C-Left select-pane -L + bind -n C-Right select-pane -R + bind -n C-Up select-pane -U + bind -n C-Down select-pane -D + + # resize panes more easily + bind -r h resize-pane -L 10 + bind -r j resize-pane -D 10 + bind -r k resize-pane -U 10 + bind -r l resize-pane -R 10 + + bind M-c attach -c "#{pane_current_path}" + + set -s escape-time 0 + ''; + + ######################################## SSH and fail2ban configuration ######################### + services.openssh = { + enable = true; + settings.PasswordAuthentication = false; + }; + users.users.root.openssh.authorizedKeys.keys = [ + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPiupf3xK6eWvno7R2rDYPuDxVvbmzWh5EkR1rquvV9hAAAABHNzaDo= vili@helium" + "sk-ssh-ed25519@openssh.com 
AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHr/1uVk5cWRWAELvwVvBG+eAbkKqpH2gat1yKKO11roAAAABHNzaDo= vili@lithium" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOk8akyi6Ob1EOPugxnjdlMQs9rOAbxBbakT8olBFe7 backup_ssh" + ]; + + services.fail2ban = { + enable = true; + maxretry = 10; + bantime = "10m"; + bantime-increment = { + enable = true; + maxtime = "1d"; + }; + jails = { + DEFAULT.settings = { + findtime = 3600; + }; }; }; - }; - ######################################## Localization ########################################### - i18n.defaultLocale = "en_US.UTF-8"; + ######################################## Localization ########################################### + i18n.defaultLocale = "en_US.UTF-8"; - i18n.extraLocaleSettings = { - LC_ADDRESS = "fi_FI.UTF-8"; - LC_IDENTIFICATION = "fi_FI.UTF-8"; - LC_MEASUREMENT = "fi_FI.UTF-8"; - LC_MONETARY = "fi_FI.UTF-8"; - LC_NAME = "fi_FI.UTF-8"; - LC_NUMERIC = "fi_FI.UTF-8"; - LC_PAPER = "fi_FI.UTF-8"; - LC_TELEPHONE = "fi_FI.UTF-8"; - LC_TIME = "fi_FI.UTF-8"; - }; - - services.xserver.xkb = { - layout = "us,"; - variant = "de_se_fi,"; - }; - console = pkgs.lib.mkForce { - font = "Lat2-Terminus16"; - useXkbConfig = true; # use xkbOptions in tty. 
- }; - time.timeZone = "Europe/Helsinki"; - - ######################################## Memory management ###################################### - zramSwap.enable = true; - swapDevices = [ - { - device = "/var/lib/swapfile"; - size = 8 * 1024; - } - ]; - - ######################################## Housekeeping ########################################### - system.autoUpgrade = { - enable = true; - dates = "04:00"; - randomizedDelaySec = "30min"; - allowReboot = true; - rebootWindow = { - lower = "03:30"; - upper = "05:00"; + i18n.extraLocaleSettings = { + LC_ADDRESS = "fi_FI.UTF-8"; + LC_IDENTIFICATION = "fi_FI.UTF-8"; + LC_MEASUREMENT = "fi_FI.UTF-8"; + LC_MONETARY = "fi_FI.UTF-8"; + LC_NAME = "fi_FI.UTF-8"; + LC_NUMERIC = "fi_FI.UTF-8"; + LC_PAPER = "fi_FI.UTF-8"; + LC_TELEPHONE = "fi_FI.UTF-8"; + LC_TIME = "fi_FI.UTF-8"; }; - }; - nix = { - settings = { - auto-optimise-store = true; - tarball-ttl = 0; + services.xserver.xkb = { + layout = "us,"; + variant = "de_se_fi,"; }; - gc = { - automatic = true; - options = "--delete-older-than 7d"; - dates = "05:00"; - randomizedDelaySec = "30min"; + console = pkgs.lib.mkForce { + font = "Lat2-Terminus16"; + useXkbConfig = true; # use xkbOptions in tty. }; - }; + time.timeZone = "Europe/Helsinki"; - ######################################## Misc. ################################################## - nixpkgs.config.allowUnfree = true; + ######################################## Memory management ###################################### + zramSwap.enable = true; + swapDevices = [ + { + device = "/var/lib/swapfile"; + size = 8 * 1024; + } + ]; - networking = { - # Easiest to use and most distros use this by default. 
- networkmanager = { + ######################################## Housekeeping ########################################### + system.autoUpgrade = { enable = true; - # Use EUI-64 addresses by default, so that addresses are predictable - settings."connection"."ipv6.addr-gen-mode" = 0; + dates = "04:00"; + randomizedDelaySec = "30min"; + allowReboot = true; + rebootWindow = { + lower = "03:30"; + upper = "05:00"; + }; }; - # IPv6 privacy addresses for outgoing traffic - tempAddresses = "default"; - }; - users.mutableUsers = false; # Force all user management to happen throught nix-files + nix = { + settings = { + auto-optimise-store = true; + tarball-ttl = 0; + }; + gc = { + automatic = true; + options = "--delete-older-than 7d"; + dates = "05:00"; + randomizedDelaySec = "30min"; + }; + }; - boot.loader = { - systemd-boot.enable = pkgs.lib.mkDefault true; - efi.canTouchEfiVariables = pkgs.lib.mkDefault true; - timeout = pkgs.lib.mkDefault 0; + ######################################## Misc. ################################################## + nixpkgs.config.allowUnfree = true; + + networking = { + # Easiest to use and most distros use this by default. + networkmanager = { + enable = true; + # Use EUI-64 addresses by default, so that addresses are predictable + settings."connection"."ipv6.addr-gen-mode" = 0; + }; + # IPv6 privacy addresses for outgoing traffic + tempAddresses = "default"; + }; + + users.mutableUsers = false; # Force all user management to happen throught nix-files + + boot.loader = { + systemd-boot.enable = pkgs.lib.mkDefault true; + efi.canTouchEfiVariables = pkgs.lib.mkDefault true; + timeout = pkgs.lib.mkDefault 0; + }; }; } diff --git a/machine-confs/helium.nix b/machine-confs/helium.nix index aa3c19d..31fcf26 100644 --- a/machine-confs/helium.nix +++ b/machine-confs/helium.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, config, ... }: { networking = { hostName = "helium"; 
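Review bot: `custom.gua_pref` is declared `nullOr` with `default = null`, yet every consumer in this patch interpolates it unconditionally, so an unset value would fail with Nix's generic "cannot coerce null to a string" rather than an error naming the option; since `config` assigns a value in the same module, a plain `type = lib.types.strMatching "^[0-9a-fA-F:]+$";` would be both clearer and tighter, because the current pattern `^[0-9a-zA-Z:]+$` also admits the letters g–z, which cannot occur in an IPv6 address. The definition `custom.gua_pref = "2001:14ba:a090:39";` sits at normal priority, so a machine conf can only change it with `lib.mkForce`; writing `custom.gua_pref = lib.mkDefault "2001:14ba:a090:39";` would let a per-machine value win without that. The description could also state the convention the consumers rely on, e.g. `"IPv6 GUA prefix as 14 hex digits without a trailing colon (what looks like a /56); other confs append a two-digit /64 id"`.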
@@ -6,9 +6,9 @@ wg-quick.interfaces = { wg0 = { autostart = true; - address = [ "2001:14ba:a090:39ff::2/64" ]; + address = [ "${config.custom.gua_pref}ff::2/64" ]; dns = [ - "2001:14ba:a090:39ff::1" + "${config.custom.gua_pref}ff::1" "vsinerva.fi" ]; privateKeyFile = "/root/wireguard-keys/privatekey-home"; @@ -50,7 +50,7 @@ }; services.clatd = { enable = true; - settings.clat-v6-addr = "2001:14ba:a090:39ff::c2"; + settings.clat-v6-addr = "${config.custom.gua_pref}ff::c2"; }; systemd.services.clatd.wants = [ "wg-quick-wg0.service" ]; diff --git a/machine-confs/lithium.nix b/machine-confs/lithium.nix index 09f8939..1502154 100644 --- a/machine-confs/lithium.nix +++ b/machine-confs/lithium.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, config, ... }: { networking = { hostName = "lithium"; @@ -6,9 +6,9 @@ wg-quick.interfaces = { wg0 = { autostart = true; - address = [ "2001:14ba:a090:39ff::3/64" ]; + address = [ "${config.custom.gua_pref}ff::3/64" ]; dns = [ - "2001:14ba:a090:39ff::1" + "${config.custom.gua_pref}ff::1" "vsinerva.fi" ]; privateKeyFile = "/root/wireguard-keys/privatekey-home"; @@ -32,7 +32,7 @@ }; services.clatd = { enable = true; - settings.clat-v6-addr = "2001:14ba:a090:39ff::c3"; + settings.clat-v6-addr = "${config.custom.gua_pref}ff::c3"; }; systemd.services.clatd.wants = [ "wg-quick-wg0.service" ]; diff --git a/services/siit-dc.nix b/services/siit-dc.nix index 4e142b2..e52a210 100644 --- a/services/siit-dc.nix +++ b/services/siit-dc.nix @@ -1,6 +1,5 @@ -{ ... }: +{ config, ... }: let - gua_pref = "2001:14ba:a090:39"; v4_pref = "192.168.251"; in { @@ -8,12 +7,12 @@ in jool = { enable = true; siit.default = { - global.pool6 = "${gua_pref}46::/96"; + global.pool6 = "${config.custom.gua_pref}46::/96"; # Explicit address mappings eamt = [ { - "ipv6 prefix" = "${gua_pref}d1:be24:11ff:fe42:dd76/128"; + "ipv6 prefix" = "${config.custom.gua_pref}d1:be24:11ff:fe42:dd76/128"; "ipv4 prefix" = "${v4_pref}.1/32"; } ];
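Review bot: The new `address` and `dns` values depend on `custom.gua_pref` ending mid-hextet (the literal `ff` completes `…:39` into `…:39ff`), which neither this hunk nor the option type enforces; a prefix written with a trailing colon still passes the type check and silently evaluates to `2001:14ba:a090:39:ff::2`, a different /64. A one-line comment above the interface, `# custom.gua_pref is the prefix without a trailing colon; "ff" selects the /64`, would make that convention visible where it is used. The same applies to the lithium hunks and to the siit-dc `pool6` and `eamt` lines, which append `46` and `d1` in the same way. The `wg0` block continues past the end of the hunk.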