From f300ea69b66427bd2a5a92a4c4f0db0aa99392b0 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 31 Oct 2022 15:15:00 +0100
Subject: ...
---
hosts/eos/default.nix | 101 ++++++++++++++++++++++++++++++++++++++++++++++++++
hosts/eos/ruleset.nft | 101 ++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 202 insertions(+)
create mode 100644 hosts/eos/default.nix
create mode 100644 hosts/eos/ruleset.nft
(limited to 'hosts/eos')
diff --git a/hosts/eos/default.nix b/hosts/eos/default.nix
new file mode 100644
index 00000000..1c5347e7
--- /dev/null
+++ b/hosts/eos/default.nix
@@ -0,0 +1,101 @@
+{ flake, config, pkgs, lib, ... }:
+
+with lib;
+
+{
+ imports = with flake.nixosModules.systemProfiles; [
+ nfsroot
+ ];
+
+ config = {
+ nixpkgs = {
+ system = "x86_64-linux";
+ config = {
+ allowUnfree = true;
+ };
+ };
+
+ boot = {
+ initrd = {
+ availableKernelModules = [ "nvme" "ahci" "xhci_pci" "usbhid" "sd_mod" "sr_mod" ];
+ kernelModules = [ "igb" ];
+ };
+ kernelModules = [ "kvm-amd" ];
+ extraModulePackages = [ ];
+
+ plymouth.enable = true;
+
+ tmpOnTmpfs = true;
+ };
+
+ hardware = {
+ enableRedistributableFirmware = true;
+ cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware;
+
+ nvidia = {
+ modesetting.enable = true;
+ powerManagement.enable = true;
+ };
+
+ opengl.enable = true;
+ };
+
+ environment.etc."machine-id".text = "f457b21333f1491e916521151ff5d468";
+
+ networking = {
+ hostId = "f457b213";
+
+ domain = "asgard.yggdrasil";
+ search = [ "asgard.yggdrasil" "yggdrasil" ];
+
+ hosts = {
+ "127.0.0.1" = [ "eos.asgard.yggdrasil" "eos" ];
+ "::1" = [ "eos.asgard.yggdrasil" "eos" ];
+ };
+
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ rulesetFile = ./ruleset.nft;
+ };
+ };
+
+ services.resolved = {
+ llmnr = "false";
+ };
+
+ zramSwap.enable = true;
+
+ system.stateVersion = config.system.nixos.release; # No state
+
+
+ time.timeZone = "Europe/Berlin";
+ time.hardwareClockInLocalTime = true;
+ i18n.defaultLocale = "en_DK.UTF-8";
+
+
+ environment.systemPackages = with pkgs; [ cifs-utils ];
+
+ security.pam.mount = {
+ enable = true;
+ extraVolumes = [
+ ""
+ ""
+ ];
+ };
+
+
+ services.xserver = {
+ enable = true;
+ displayManager.sddm = {
+ enable = true;
+ settings = {
+ Users.HideUsers = "gkleen";
+ };
+ };
+ desktopManager.plasma5.enable = true;
+
+ videoDrivers = [ "nvidia" ];
+ };
+ };
+}
diff --git a/hosts/eos/ruleset.nft b/hosts/eos/ruleset.nft
new file mode 100644
index 00000000..7b38a059
--- /dev/null
+++ b/hosts/eos/ruleset.nft
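Review bot: `environment.etc."machine-id".text` pins a fixed machine-id into a file that is tracked in the repository, and its first eight hex digits reappear as `networking.hostId`; machine-id(5) asks that this value be treated as confidential, since it seeds per-application IDs and lets the host be correlated across networks. If the stateless `nfsroot` profile needs a stable identity, it is worth sourcing it from a per-host secret outside the tracked config, and at minimum a comment such as `# fixed because the root is stateless (nfsroot); this value identifies the host` should record why it is hard-coded. The two `extraVolumes` entries under `security.pam.mount` appear as empty strings in this rendering, which looks like XML volume elements stripped on display rather than the committed content, but that cannot be confirmed from this page.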
@@ -0,0 +1,101 @@
+define icmp_protos = {ipv6-icmp, icmp, igmp}
+
+table arp filter {
+ limit lim_arp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy accept
+
+ limit name lim_arp counter drop
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+ limit name lim_arp counter drop
+
+ counter
+ }
+}
+
+table inet filter {
+ limit lim_reject {
+ rate over 1000/second burst 1000 packets
+ }
+
+ limit lim_icmp {
+ rate over 50 mbytes/second burst 50 mbytes
+ }
+
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid forward: " counter drop
+
+
+ iifname lo counter accept
+
+
+ limit name lim_reject log level debug prefix "drop forward: " counter drop
+ log level debug prefix "reject forward: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid input: " counter drop
+
+
+ iifname lo counter accept
+ iif != lo ip daddr 127.0.0.1/8 counter reject
+ iif != lo ip6 daddr ::1/128 counter reject
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+ tcp dport 22 counter accept
+ udp dport 60000-61000 counter accept
+
+
+ ct state {established, related} counter accept
+
+
+ limit name lim_reject log level debug prefix "drop input: " counter drop
+ log level debug prefix "reject input: " counter
+ meta l4proto tcp ct state new counter reject with tcp reset
+ ct state new counter reject
+
+
+ counter
+ }
+
+ chain output {
+ type filter hook output priority filter
+ policy accept
+
+
+ oifname lo counter accept
+
+ meta l4proto $icmp_protos limit name lim_icmp counter drop
+ meta l4proto $icmp_protos counter accept
+
+
+ counter
+ }
+}
\
No newline at end of file -- cgit v1.2.3
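Review bot: In `chain input` (and likewise in `chain forward`) the `limit name lim_reject` rule still carries `log level debug prefix "drop input: "`, so once the 1000/second threshold is exceeded every further packet is both dropped and logged; the limit downgrades reject to drop under load but does not bound the journal volume, which is the usual reason for such a limiter. If log noise is meant to be capped as well, either take the `log` off the over-rate rule (`limit name lim_reject counter drop`) or give the two log statements their own `limit rate` so logging is bounded independently of the drop decision. A secondary observation: `tcp dport 22 counter accept` admits new SSH connections from any source with no per-source limit, which may be intended for this host but deserves a comment. Moving `ct state {established, related} counter accept` ahead of the per-service rules would also let established flows bypass the ICMP and port checks, which mostly affects what the counters measure rather than correctness.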