# SPDX-FileCopyrightText: 2020 Luke Granger-Brown # # SPDX-License-Identifier: Apache-2.0 { config, depot, pkgs, ... }: let inherit (depot.ops) secrets; in { imports = [ ../lib/bvm.nix ../lib/as205479-web.nix ./radius.nix ]; # Networking! networking = { hostName = "bvm-radius"; hostId = "dcc75f10"; tempAddresses = "disabled"; interfaces.enp1s0 = { ipv4.addresses = [{ address = "10.100.0.207"; prefixLength = 23; }]; }; interfaces.enp2s0 = { ipv4.addresses = [{ address = "92.118.28.9"; prefixLength = 24; }]; ipv6.addresses = [{ address = "2a09:a441::9"; prefixLength = 32; }]; }; defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; }; defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; }; firewall = { allowedTCPPorts = [ 80 443 ]; allowedUDPPorts = [ 443 ]; extraCommands = '' # Allow JANET inbound RADIUS traffic. # roaming0.ja.net iptables -A nixos-fw -p udp --dport 1812 --src 194.82.174.185 -j nixos-fw-accept ip6tables -A nixos-fw -p udp --dport 1812 --src 2001:630:1:128::185 -j nixos-fw-accept # roaming1.ja.net iptables -A nixos-fw -p udp --dport 1812 --src 194.83.56.233 -j nixos-fw-accept ip6tables -A nixos-fw -p udp --dport 1812 --src 2001:630:1:12a::233 -j nixos-fw-accept # roaming2.ja.net iptables -A nixos-fw -p udp --dport 1812 --src 194.83.56.249 -j nixos-fw-accept ip6tables -A nixos-fw -p udp --dport 1812 --src 2001:630:1:129::249 -j nixos-fw-accept # Allow inbound RADIUS from authenticators. ip6tables -A nixos-fw -p udp --dport 1812 --src 2a09:a443::/64 -j nixos-fw-accept iptables -A nixos-fw -p udp --dport 1812 --src 92.118.30.0/24 -j nixos-fw-accept ''; }; }; my.ip.tailscale = "100.120.98.116"; security.acme = { acceptTerms = true; email = "letsencrypt@lukegb.com"; certs."as205479.net" = { extraDomainNames = [ "www.as205479.net" ]; dnsProvider = "gcloud"; credentialsFile = secrets.gcpDNSCredentials; dnsPropagationCheck = false; postRun = '' systemctl restart freeradius ''; }; }; system.stateVersion = "21.05"; }