post(nixos): attach complete configuration.nix

This commit is contained in:
MDLeom 2020-11-09 01:08:18 +00:00
parent a1c0b6b1d0
commit 53bdc4548e
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 263 additions and 1 deletions


@ -257,7 +257,7 @@ Once enabled, any device not whitelisted in the policy will not be accessible.
Based on [Ubuntu Wiki](https://wiki.ubuntu.com/ImprovedNetworking/KernelSecuritySettings) and [ArchWiki](https://wiki.archlinux.org/index.php/sysctl). Based on [Ubuntu Wiki](https://wiki.ubuntu.com/ImprovedNetworking/KernelSecuritySettings) and [ArchWiki](https://wiki.archlinux.org/index.php/sysctl).
``` ``` nix
## Enable BBR module ## Enable BBR module
boot.kernelModules = [ "tcp_bbr" ]; boot.kernelModules = [ "tcp_bbr" ];
@ -328,5 +328,267 @@ Since [unattended upgrade](#Unattended-upgrade) is executed on 00:00, I delay ga
automatic = true; automatic = true;
# Every Monday 01:00 (UTC) # Every Monday 01:00 (UTC)
dates = "Monday 01:00 UTC"; dates = "Monday 01:00 UTC";
options = "--delete-older-than 7d";
}; };
# Run garbage collection whenever there is less than 500MB free space left
nix.extraOptions = ''
min-free = ${toString (500 * 1024 * 1024)}
'';
```
## Complete configuration.nix
``` nix /etc/nixos/configuration.nix
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.ens3.useDHCP = true;
environment.systemPackages = with pkgs; [
dnsutils wormhole-william p7zip
];
environment.shellAliases = {
ls = "ls -l";
la = "ls -a";
wormhole = "wormhole-william";
};
time.timeZone = "UTC";
## Unattended upgrade
system.autoUpgrade = {
enable = true;
allowReboot = true;
dates = "weekly UTC";
};
## Garbage collection
# https://nixos.wiki/wiki/Storage_optimization#Automation
nix.gc = {
automatic = true;
dates = "Monday 01:00 UTC";
options = "--delete-older-than 7d";
};
# Run garbage collection whenever there is less than 500MB free space left
nix.extraOptions = ''
min-free = ${toString (500 * 1024 * 1024)}
'';
## Optional: Clear >1 month-old logs
systemd = {
services.clear-log = {
description = "Clear >1 month-old logs every week";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/journalctl --vacuum-time=30d";
};
};
timers.clear-log = {
wantedBy = [ "timers.target" ];
partOf = [ "clear-log.service" ];
timerConfig.OnCalendar = "weekly UTC";
};
};
## Hardened kernel
boot.kernelPackages = pkgs.linuxPackages_hardened;
## Enable BBR
boot.kernelModules = [ "tcp_bbr" ];
## Network hardening and performance
boot.kernel.sysctl = {
# Disable magic SysRq key
"kernel.sysrq" = 0;
# Ignore ICMP broadcasts to avoid participating in Smurf attacks
"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
# Ignore bad ICMP errors
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse-path filter for spoof protection
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# SYN flood protection
"net.ipv4.tcp_syncookies" = 1;
# Do not accept ICMP redirects (prevent MITM attacks)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Do not send ICMP redirects (we are not a router)
"net.ipv4.conf.all.send_redirects" = 0;
# Do not accept IP source route packets (we are not a router)
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Protect against tcp time-wait assassination hazards
"net.ipv4.tcp_rfc1337" = 1;
# Latency reduction
"net.ipv4.tcp_fastopen" = 3;
## Bufferfloat mitigations
# Requires >= 4.9 & kernel module
"net.ipv4.tcp_congestion_control" = "bbr";
# Requires >= 4.19
"net.core.default_qdisc" = "cake";
};
## USBGuard
# Load "/var/lib/usbguard/rules.conf" by default
services.usbguard.enable = true;
## DNS-over-TLS
services.stubby = {
enable = true;
# ::1 cause error, use 0::1 instead
listenAddresses = [ "0::1" "127.0.0.1" ];
roundRobinUpstreams = false;
upstreamServers =
''
## Cloudflare DNS
- address_data: 2606:4700:4700::1111
tls_auth_name: "cloudflare-dns.com"
- address_data: 2606:4700:4700::1001
tls_auth_name: "cloudflare-dns.com"
- address_data: 1.1.1.1
tls_auth_name: "cloudflare-dns.com"
- address_data: 1.0.0.1
tls_auth_name: "cloudflare-dns.com"
'';
};
networking.nameservers = [ "::1" "127.0.0.1" ];
services.resolved = {
enable = true;
fallbackDns = [ "2606:4700:4700::1111" "2606:4700:4700::1001" "1.1.1.1" "1.0.0.1" ];
};
## Port forwarding
networking.firewall = {
enable = true;
interfaces.ens3 = {
allowedTCPPorts = [ 443 4430 ];
};
extraCommands =
''
ip6tables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 4430
'';
};
## Create service users
users = {
mutableUsers = false; # Disable passwd
users = {
root = {
hashedPassword = "*"; # Disable root password
};
nixos = {
passwordFile = "/etc/nixos/nixos.password";
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
};
caddyProxy = {
home = "/var/lib/caddyProxy";
createHome = true;
};
caddyTor = {
home = "/var/lib/caddyTor";
createHome = true;
};
caddyI2p = {
home = "/var/lib/caddyI2p";
createHome = true;
};
};
groups = {
caddyProxy = {
members = [ "caddyProxy" ];
};
caddyTor = {
members = [ "caddyTor" ];
};
caddyI2p = {
members = [ "caddyI2p" ];
};
};
};
## Requires OTP to login & sudo
security.pam = {
services.login.googleAuthenticator.enable = true;
services.sudo.googleAuthenticator.enable = true;
};
### The rest will be explained in the next articles
## Caddy web server
require = [ /etc/caddy/caddyProxy.nix /etc/caddy/caddyTor.nix /etc/caddy/caddyI2p.nix ];
services.caddyProxy = {
enable = false;
config = "/etc/caddy/caddyProxy.conf";
};
services.caddyTor = {
enable = false;
config = "/etc/caddy/caddyTor.conf";
};
services.caddyI2p = {
enable = false;
config = "/etc/caddy/caddyI2p.conf";
};
## Tor onion
services.tor = {
enable = true;
enableGeoIP = false;
hiddenServices = {
proxy = {
version = 3;
map = [
{
port = "80";
toHost = "[::1]";
toPort = "8080";
}
];
};
};
extraConfig =
''
ClientUseIPv4 0
ClientUseIPv6 1
ClientPreferIPv6ORPort 1
'';
};
## I2P Eepsite
services.i2pd = {
enable = true;
enableIPv4 = false;
enableIPv6 = true;
ifname = "ens3";
address = "xxxx";
inTunnels = {
proxy = {
enable = true;
keys = "proxy-keys.dat";
inPort = 80;
address = "::1";
destination = "::1";
port = 8081;
};
};
};
}
``` ```
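Review bot: In the `boot.kernel.sysctl` block of the attached configuration.nix, `net.ipv4.conf.all.send_redirects`, `net.ipv4.conf.all.accept_source_route` and `net.ipv6.conf.all.accept_source_route` are set only for `all`, while the neighbouring `rp_filter`, `accept_redirects` and `secure_redirects` keys are set for both `all` and `default`; interfaces that appear after boot inherit the kernel defaults for those three keys. Adding `"net.ipv4.conf.default.send_redirects" = 0;`, `"net.ipv4.conf.default.accept_source_route" = 0;` and `"net.ipv6.conf.default.accept_source_route" = 0;` makes the block consistent with its own pattern. Separately, `services.resolved.fallbackDns` lists the plaintext Cloudflare resolvers, so when stubby on `::1` is unavailable resolved falls back to unencrypted DNS on port 53 rather than failing closed; a comment such as `# Fallback is plaintext DNS, bypassing stubby's DNS-over-TLS` would tell readers copying this config what trade-off they are accepting. The `address = "xxxx";` value under `services.i2pd` reads as a placeholder and could be marked as one.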