From 2069f630f446965dd7f5803b1afb161ce64270a4 Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont
Date: Mon, 30 Nov 2020 16:32:08 +0100
Subject: [PATCH] Configure DNS and Docker on Ingenico laptop
---
 hosts/ingenico-laptop/configuration.nix | 86 +++++++++++++++++++++----
 1 file changed, 73 insertions(+), 13 deletions(-)
diff --git a/hosts/ingenico-laptop/configuration.nix b/hosts/ingenico-laptop/configuration.nix
index 4660cdf..8ce14c0 100644
--- a/hosts/ingenico-laptop/configuration.nix
+++ b/hosts/ingenico-laptop/configuration.nix
@@ -17,9 +17,31 @@
 };
 };
+ boot.kernel.sysctl = {
+ # Turn on execshield
+ "kernel.exec-shield" = 1;
+ "kkernel.randomize_va_space" = 1;
+ # Enable IP spoofing protection
+ "net.ipv4.conf.all.rp_filter" = 1;
+ # Disable IP source routing
+ "knet.ipv4.conf.all.accept_source_route" = 0;
+ # Ignoring broadcasts request
+ "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+ "fnet.ipv4.icmp_ignore_bogus_error_messages" = 1;
+ # Make sure spoofed packets get logged
+ "net.ipv4.conf.all.log_martians" = 1;
+ # SYN flood protection
+ "net.ipv4.tcp_syncookies" = 1;
+ # Control IP packet forwarding
+ "net.ipv4.ip_forward" = 1;
+ };
+
 networking = {
 hostName = "enix016";
- networkmanager.enable = true;
+ networkmanager = {
+ enable = true;
+ dns = "dnsmasq";
+ };
 };
 networking.interfaces.wlp59s0.useDHCP = true;
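Review bot: Three of the sysctl keys in the new `boot.kernel.sysctl` set are mistyped — `"kkernel.randomize_va_space"`, `"knet.ipv4.conf.all.accept_source_route"` and `"fnet.ipv4.icmp_ignore_bogus_error_messages"` — so sysctl will reject them as unknown at boot and the ASLR, source-routing and bogus-ICMP settings the comments promise never take effect; they should read `"kernel.randomize_va_space"`, `"net.ipv4.conf.all.accept_source_route"` and `"net.ipv4.icmp_ignore_bogus_error_messages"`. Once the first one is corrected, note that `randomize_va_space = 1` is weaker than the kernel default of 2 (1 leaves the brk/heap area unrandomised), so the value should be 2 unless there is a known reason to lower it. `"kernel.exec-shield"` is, as far as I know, a sysctl from the Red Hat exec-shield patch set that does not exist in mainline kernels, so on NixOS it only produces a sysctl error and can be dropped. `net.ipv4.ip_forward = 1` makes the laptop route packets between its interfaces (including the VPN configured further down the file); Docker turns forwarding on itself when it starts, so if that is the motivation the line is redundant, and the comment `# Control IP packet forwarding` should at least say why forwarding is wanted permanently.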
@@ -35,18 +57,56 @@
 time.timeZone = "Europe/Amsterdam";
- environment.etc."openfortivpn/config" = {
- text = ''
- host = devsslvpn.global.ingenico.com
- port = 443
- trusted-cert = e09de6da3902e58b9061f28e13d33088d929f3451367d21f1721a0ed6361a883
- trusted-cert = 33069b6d904330b3fde5c002ca4964b7f413003665e78963d73098fe5f6f7c05
- trusted-cert = 599dba9bee8a920836b68ca5603a11ceee5ec0450201c7a7651f5575d6bbcd3a
- set-dns = 0
- set-routes = 1
- insecure-ssl = 0
- cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
- '';
+ environment.etc = {
+ "openfortivpn/config".text = ''
+ host = devsslvpn.global.ingenico.com
+ port = 443
+ trusted-cert = e09de6da3902e58b9061f28e13d33088d929f3451367d21f1721a0ed6361a883
+ trusted-cert = 33069b6d904330b3fde5c002ca4964b7f413003665e78963d73098fe5f6f7c05
+ trusted-cert = 599dba9bee8a920836b68ca5603a11ceee5ec0450201c7a7651f5575d6bbcd3a
+ set-dns = 0
+ set-routes = 1
+ insecure-ssl = 0
+ cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
+ '';
+ "NetworkManager/conf.d/ingenico.conf".text = ''
+ [main]
+ dns=dnsmasq
+ '';
+ "NetworkManager/dnsmasq.d/hosts.conf".text = ''
+ addn-hosts=/etc/hosts
+ '';
+ "NetworkManager/dnsmasq.d/ingenico.conf".text = ''
+ server=/.its/172.21.1.131
+ server=/.its/172.21.1.146
+ server=/.lab.ingenico.com/172.24.15.1
+ server=/.lab.ingenico.com/172.24.15.2
+ server=/.sandbox.global.ingenico.com/10.138.24.53
+ server=/sb.eu.ginfra.net/10.138.24.53
+ '';
+ "NetworkManager/dnsmasq.d/default.conf".text = ''
+ server=/~./1.1.1.1
+ server=1.1.1.1
+ server=/~./1.0.0.1
+ server=1.0.0.1
+ server=/~./8.8.8.8
+ server=8.8.8.8
+ server=/~./8.8.4.4
+ server=8.8.4.4
+ '';
+ "docker/daemon.json".text = ''
+ {
+ "dns": [
+ "172.17.0.1"
+ ],
+ "insecure-registries": [
+ "docker-registry.services.lab.ingenico.com"
+ ]
+ }
+ '';
+ "NetworkManager/dnsmasq.d/docker-bridge.conf".text = ''
+ listen-address=172.17.0.1
+ '';
 };
 hardware.bluetooth = {
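Review bot: The `server=/~./1.1.1.1` style entries in `NetworkManager/dnsmasq.d/default.conf` use systemd-resolved's `~.` routing-domain notation, which dnsmasq does not define — as far as I can tell it either rejects `~.` as an illegal domain (a config error stops NetworkManager's dnsmasq instance and takes all name resolution with it) or treats it as a literal label that never matches — so only the plain `server=1.1.1.1` lines below each of them do anything, and the four `~.` lines should be removed after checking the dnsmasq journal. `insecure-registries` in `docker/daemon.json` disables TLS verification and allows plain HTTP for pulls from `docker-registry.services.lab.ingenico.com`, so images from that registry are not integrity-protected in transit; if the registry does present a certificate, trusting its CA under `/etc/docker/certs.d/<registry>/` is the safer route, and either way a comment stating why the exemption is needed belongs next to it. `listen-address=172.17.0.1` in `docker-bridge.conf` binds dnsmasq to the docker0 address, which only exists once Docker has created the bridge; NetworkManager runs dnsmasq with `--bind-interfaces` by default, so if dnsmasq starts before Docker the bind may fail — worth confirming on a clean boot (inferred from NetworkManager's usual dnsmasq invocation, not visible here). The `environment.etc` attribute set closes inside this hunk, so nothing else in the file is affected.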