Configure DNS and Docker on Ingenico laptop

2020-11-30 16:32:08 +01:00 · 2020-11-30 16:32:08 +01:00 · 2069f630f4
commit 2069f630f4
parent d42a484f06
1 changed files with 73 additions and 13 deletions
--- a/hosts/ingenico-laptop/configuration.nix
+++ b/hosts/ingenico-laptop/configuration.nix
@ -17,9 +17,31 @@
    };
  };

+  boot.kernel.sysctl = {
+    # Turn on execshield
+    "kernel.exec-shield" = 1;
+    "kkernel.randomize_va_space" = 1;
+    # Enable IP spoofing protection
+    "net.ipv4.conf.all.rp_filter" = 1;
+    # Disable IP source routing
+    "knet.ipv4.conf.all.accept_source_route" = 0;
+    # Ignoring broadcasts request
+    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+    "fnet.ipv4.icmp_ignore_bogus_error_messages" = 1;
+    # Make sure spoofed packets get logged
+    "net.ipv4.conf.all.log_martians" = 1;
+    #  SYN flood protection
+    "net.ipv4.tcp_syncookies" = 1;
+    # Control IP packet forwarding
+    "net.ipv4.ip_forward" = 1;
+  };
+
  networking = {
    hostName = "enix016";
-    networkmanager.enable = true;
+    networkmanager = {
+      enable = true;
+      dns = "dnsmasq";
+    };
  };

  networking.interfaces.wlp59s0.useDHCP = true;
@ -35,8 +57,8 @@

  time.timeZone = "Europe/Amsterdam";

-  environment.etc."openfortivpn/config" = {
-    text = ''
+  environment.etc = {
+   "openfortivpn/config".text = ''
        host = devsslvpn.global.ingenico.com
        port = 443
        trusted-cert = e09de6da3902e58b9061f28e13d33088d929f3451367d21f1721a0ed6361a883
@ -47,6 +69,44 @@
        insecure-ssl = 0
        cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
      '';
+    "NetworkManager/conf.d/ingenico.conf".text = ''
+        [main]
+        dns=dnsmasq
+      '';
+    "NetworkManager/dnsmasq.d/hosts.conf".text = ''
+        addn-hosts=/etc/hosts
+      '';
+    "NetworkManager/dnsmasq.d/ingenico.conf".text = ''
+        server=/.its/172.21.1.131
+        server=/.its/172.21.1.146
+        server=/.lab.ingenico.com/172.24.15.1
+        server=/.lab.ingenico.com/172.24.15.2
+        server=/.sandbox.global.ingenico.com/10.138.24.53
+        server=/sb.eu.ginfra.net/10.138.24.53
+      '';
+    "NetworkManager/dnsmasq.d/default.conf".text = ''
+        server=/~./1.1.1.1
+        server=1.1.1.1
+        server=/~./1.0.0.1
+        server=1.0.0.1
+        server=/~./8.8.8.8
+        server=8.8.8.8
+        server=/~./8.8.4.4
+        server=8.8.4.4
+      '';
+    "docker/daemon.json".text = ''
+        {
+          "dns": [
+            "172.17.0.1"
+          ],
+          "insecure-registries": [
+            "docker-registry.services.lab.ingenico.com"
+          ]
+        }
+      '';
+    "NetworkManager/dnsmasq.d/docker-bridge.conf".text = ''
+        listen-address=172.17.0.1
+      '';
  };

  hardware.bluetooth = {