├── .envrc ├── .envrc.license ├── .github └── workflows │ ├── securix-check-formatting.yaml │ └── securix-check-licensing.yaml ├── .gitignore ├── LICENSES ├── GPL-2.0-only.txt └── MIT.txt ├── README.md ├── REUSE.toml ├── default.nix ├── examples └── basic │ ├── README.md │ └── default.nix ├── hardware ├── default.nix └── x280.nix ├── lib └── default.nix ├── modules ├── auditd.nix ├── authorized-users.nix ├── bastion │ └── default.nix ├── bootloader.nix ├── console.nix ├── default.nix ├── developer-mode │ └── default.nix ├── disko.nix ├── distribution.nix ├── filesystems.nix ├── graphical-interface │ ├── default.nix │ ├── fonts.nix │ ├── plasma.nix │ └── sway │ │ ├── bar-bottom.toml │ │ ├── bar-top.toml │ │ ├── default.nix │ │ └── sway-config.nix ├── http-proxy.nix ├── journal.nix ├── known-hosts.nix ├── networking.nix ├── o11y │ ├── default.nix │ ├── logs.nix │ └── metrics.nix ├── openstack-client.nix ├── package-manager.nix ├── pki.nix ├── power-saving.nix ├── security-keys.nix ├── self.nix ├── shells.nix ├── spiffe.nix ├── ssh-forward.nix ├── ssh-tpm-agent.nix ├── superadmins │ └── default.nix ├── tools │ ├── default.nix │ ├── firefox.nix │ └── password-manager.nix ├── updates │ ├── automatic-pull.nix │ ├── default.nix │ └── permissionless-upgrade.nix └── vpn │ ├── default.nix │ ├── ipsec │ ├── default.nix │ ├── firewall.nix │ ├── github-ipv4.txt │ ├── github-ipv4.txt.license │ ├── networkmanager.nix │ ├── support-local-ts.patch │ └── support-local-ts.patch.license │ ├── netbird │ └── default.nix │ └── wireguard │ ├── README.md │ └── default.nix ├── npins.license ├── npins ├── default.nix ├── default.nix.license ├── sources.json └── sources.json.license ├── shell.nix ├── statix.toml └── workflows └── check-licensing.nix /.envrc: -------------------------------------------------------------------------------- 1 | source_up 2 | use nix 3 | -------------------------------------------------------------------------------- /.envrc.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | 3 | SPDX-License-Identifier: MIT 4 | -------------------------------------------------------------------------------- /.github/workflows/securix-check-formatting.yaml: -------------------------------------------------------------------------------- 1 | jobs: 2 | reuse_lint: 3 | runs-on: ubuntu-latest 4 | steps: 5 | - uses: actions/checkout@v4 6 | - uses: nixbuild/nix-quick-install-action@v29 7 | - uses: DeterminateSystems/magic-nix-cache-action@main 8 | with: 9 | diagnostic-endpoint: '' 10 | use-flakehub: false 11 | - name: Check for statix 12 | run: nix-shell --run 'statix check --config statix.toml' 13 | - name: Check for formatting 14 | run: nix-shell --run 'nixfmt -sc $(find . -name "*.nix" -not -path "./npins")' 15 | name: '[Sécurix] Formatting check' 16 | on: 17 | pull_request: 18 | push: 19 | branches: 20 | - main 21 | -------------------------------------------------------------------------------- /.github/workflows/securix-check-licensing.yaml: -------------------------------------------------------------------------------- 1 | jobs: 2 | reuse_lint: 3 | runs-on: ubuntu-latest 4 | steps: 5 | - uses: actions/checkout@v4 6 | - uses: nixbuild/nix-quick-install-action@v29 7 | - uses: DeterminateSystems/magic-nix-cache-action@main 8 | with: 9 | diagnostic-endpoint: '' 10 | use-flakehub: false 11 | - name: Check for REUSE compliance 12 | run: nix-shell --run 'reuse --root . lint' 13 | name: '[Sécurix] REUSE Licensing conformance' 14 | on: 15 | pull_request: 16 | push: 17 | branches: 18 | - main 19 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | result* 2 | .pre-commit-config.yaml 3 | .direnv 4 | -------------------------------------------------------------------------------- /LICENSES/GPL-2.0-only.txt: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc. 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA 6 | 7 | Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. 12 | 13 | When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. 14 | 15 | To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. 16 | 17 | For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. 18 | 19 | We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. 20 | 21 | Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. 22 | 23 | Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. 24 | 25 | The precise terms and conditions for copying, distribution and modification follow. 26 | 27 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 28 | 29 | 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". 30 | 31 | Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 32 | 33 | 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. 34 | 35 | You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 36 | 37 | 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: 38 | 39 | a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. 40 | 41 | b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. 42 | 43 | c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) 44 | 45 | These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. 46 | 47 | Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. 48 | 49 | In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 50 | 51 | 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: 52 | 53 | a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, 54 | 55 | b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, 56 | 57 | c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) 58 | 59 | The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 60 | 61 | If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 62 | 63 | 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 64 | 65 | 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 66 | 67 | 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 68 | 69 | 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. 70 | 71 | If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. 72 | 73 | It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. 74 | 75 | This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 76 | 77 | 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 78 | 79 | 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. 80 | 81 | Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 82 | 83 | 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. 84 | 85 | NO WARRANTY 86 | 87 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 88 | 89 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 90 | 91 | END OF TERMS AND CONDITIONS 92 | 93 | How to Apply These Terms to Your New Programs 94 | 95 | If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. 96 | 97 | To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. 98 | 99 | one line to give the program's name and an idea of what it does. Copyright (C) yyyy name of author 100 | 101 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 102 | 103 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 104 | 105 | You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Also add information on how to contact you by electronic and paper mail. 106 | 107 | If the program is interactive, make it output a short notice like this when it starts in an interactive mode: 108 | 109 | Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. 110 | 111 | The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. 112 | 113 | You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: 114 | 115 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. 116 | 117 | signature of Ty Coon, 1 April 1989 Ty Coon, President of Vice 118 | -------------------------------------------------------------------------------- /LICENSES/MIT.txt: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and 6 | associated documentation files (the "Software"), to deal in the Software without restriction, including 7 | without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 8 | copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the 9 | following conditions: 10 | 11 | The above copyright notice and this permission notice shall be included in all copies or substantial 12 | portions of the Software. 13 | 14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT 15 | LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO 16 | EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 17 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE 18 | USE OR OTHER DEALINGS IN THE SOFTWARE. 19 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 6 | 7 | # Sécurix: Base OS sécurisé pour poste d'administration 8 | 9 | Ce projet est en **alpha**, aucun support n'est proposé pour l'heure. 10 | 11 | ## Objectifs 12 | 13 | Sécurix est un projet développé et utilisé au département de l'opérateur (OPI) de la DINUM. 14 | 15 | Il constitue un modèle de PC sécurisé conçu pour permettre des accès à la production et d'autres usages critiques en garantissant un niveau de sécurité variable selon la configuration employée. 16 | 17 | Grace à NixOS, ce modèle de PC sécurisé est ré-instantiable pour des cas d'usages variables: poste multi-agent, poste multi-niveaux, poste en intranet seulement, etc. avec des équipes différentes, des souches de VPN différents. 18 | 19 | Construit selon les recommandations de l'ANSSI : . 20 | 21 | ## Cible d'architecture technique 22 | 23 | ### Système d'exploitation 24 | 25 | Sécurix repose sur NixOS avec un noyau Linux personnalisé conformément aux règles ANSSI de durcissement, certains d'entre eux étant désactivables selon le besoin. 26 | 27 | ### Modules de sécurité intégrés 28 | 29 | - Configuration systématique selon les recommandations de l'ANSSI pour les systèmes GNU/Linux : . 30 | - Support avancé de TPM2 et Yubikey pour la gestion des clés d'authentification. 31 | - Chiffrement des données à l'aide de `age` ou d'un serveur Vault. 32 | - Enrôlement centralisé pour Secure Boot avec gestion PK/KEK. 33 | 34 | ## Fonctionnalités en développement (par priorité) 35 | 36 | - **Renforcement de la sécurité** 37 | - Application des recommandations ANSSI pour un durcissement complémentaire: . 38 | - Ajout de la configuration d'un puits de traces pour l'envoi des activités d'un système Sécurix. 39 | 40 | - **Onboarding rapide et gestion centralisée** 41 | - Mise en place d'un serveur "phone home" permettant d'ajouter automatiquement : 42 | - La clé SSH TPM2 du système au dépôt d'infrastructure. 43 | - L'autorisation pour déchiffrer les secrets via `age` (ou intégration future avec Vault). 44 | - Ce morceau d'infrastructure pourra s'insérer dans un processus métier visant à mettre en place un nouveau Sécurix pour un agent. 45 | 46 | - **Support avancé des clés de sécurité** 47 | - Connexion au poste de travail avec Yubikey et le mot de passe ne serait qu'un secours. 48 | - Gestion et rotation des clés Secure Boot avec TPM2 pour renforcer Secure Boot. 49 | 50 | ## Contribuer 51 | 52 | Les contributions sont les bienvenues ! Consultez les issues ouvertes et le guide de contribution pour participer. 53 | 54 | ## Licence 55 | 56 | Sécurix est distribué sous licence MIT. Voir le fichier `LICENSE` pour plus de détails. 57 | -------------------------------------------------------------------------------- /REUSE.toml: -------------------------------------------------------------------------------- 1 | version = 1 2 | 3 | [[annotations]] 4 | SPDX-FileCopyrightText = "NONE" 5 | SPDX-License-Identifier = "MIT" 6 | path = [".github/workflows/*", ".gitignore", "REUSE.toml"] 7 | 8 | -------------------------------------------------------------------------------- /default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | # Securix OS generic toolkit entrypoint. 6 | # Use the library to build your OS images and more. 7 | { 8 | sources ? import ./npins, 9 | pkgs ? import sources.nixpkgs { }, 10 | defaultTags ? [ ], 11 | edition ? "unbranded", 12 | }: 13 | let 14 | git-hooks = import sources.git-hooks; 15 | 16 | inherit (pkgs) lib; 17 | 18 | git-checks = git-hooks.run { 19 | src = ./.; 20 | 21 | hooks = { 22 | statix = { 23 | enable = true; 24 | stages = [ "pre-push" ]; 25 | settings.config = toString ./statix.toml; 26 | }; 27 | 28 | nixfmt-rfc-style = { 29 | enable = true; 30 | stages = [ "pre-push" ]; 31 | package = pkgs.nixfmt-rfc-style; 32 | args = [ "-s" ]; 33 | }; 34 | 35 | reuse = { 36 | enable = true; 37 | stages = [ "pre-push" ]; 38 | package = pkgs.reuse; 39 | }; 40 | }; 41 | }; 42 | in 43 | { 44 | lib = import ./lib { 45 | inherit 46 | pkgs 47 | lib 48 | edition 49 | defaultTags 50 | sources 51 | ; 52 | }; 53 | modules = ./modules; 54 | shell = pkgs.mkShell { 55 | packages = [ 56 | pkgs.npins 57 | (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { }) 58 | ] ++ git-checks.enabledPackages; 59 | 60 | shellHook = lib.concatStringsSep "\n" [ git-checks.shellHook ]; 61 | }; 62 | } 63 | -------------------------------------------------------------------------------- /examples/basic/README.md: -------------------------------------------------------------------------------- 1 | 6 | 7 | # Un exemple simple d'usage de Sécurix pour votre équipe 8 | 9 | 10 | -------------------------------------------------------------------------------- /examples/basic/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | sources ? import ./npins, 7 | pkgs ? import sources.nixpkgs { }, 8 | securix ? ../securix, 9 | mainDisk ? "/dev/nvme0n1", 10 | }: 11 | let 12 | securix = import securix { 13 | edition = "my-team"; 14 | defaultTags = [ "my-team" ]; 15 | inherit mainDisk pkgs; 16 | }; 17 | inherit (pkgs) lib; 18 | in 19 | rec { 20 | users = securix.lib.readInventory ./inventory; 21 | vpn-profiles = import ./vpn-profiles { inherit lib; }; 22 | # Base system is provided. 23 | terminals = securix.lib.mkTerminals users vpn-profiles ( 24 | { lib, ... }: 25 | { 26 | imports = [ 27 | # Any custom module here... 28 | ]; 29 | 30 | securix = { 31 | # Le terminal est multi-opérateur 32 | users.allowAnyOperator = true; 33 | 34 | # Autorise une GUI configurable par l'inventaire. 35 | graphical-interface.enable = true; 36 | 37 | # Pré-configure des points WiFi par défaut. 38 | preconfigured-wifi-stations.enable = true; 39 | 40 | # Configure l'agent TPM2 pour SSH. 41 | ssh.tpm-agent = { 42 | hostKeys = true; 43 | sshKeys = true; 44 | }; 45 | 46 | # Configure le VPN pour chaque opérateur 47 | # avec un pare-feu strict. 48 | vpn = { 49 | enable = true; 50 | firewall.enable = true; 51 | pskSecretsPath = "your secret path to your PSK."; 52 | }; 53 | }; 54 | } 55 | ); 56 | 57 | docs = securix.lib.mkDocs { inherit users terminals vpn-profiles; }; 58 | } 59 | -------------------------------------------------------------------------------- /hardware/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { imports = [ ./x280.nix ]; } 6 | -------------------------------------------------------------------------------- /hardware/x280.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 6 | # and may be overwritten by future invocations. Please make changes 7 | # to /etc/nixos/configuration.nix instead. 8 | { 9 | config, 10 | lib, 11 | pkgs, 12 | modulesPath, 13 | ... 14 | }: 15 | let 16 | inherit (lib) mkIf; 17 | in 18 | { 19 | imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; 20 | 21 | config = mkIf (config.securix.self.hardwareSKU == "x280") { 22 | boot.initrd.availableKernelModules = [ 23 | "xhci_pci" 24 | "nvme" 25 | "usb_storage" 26 | "sd_mod" 27 | "rtsx_pci_sdmmc" 28 | ]; 29 | boot.initrd.kernelModules = [ ]; 30 | boot.kernelModules = [ 31 | "kvm-intel" 32 | "intel_rapl_common" 33 | ]; 34 | boot.extraModulePackages = [ ]; 35 | 36 | hardware.firmware = [ 37 | # WiFi 38 | pkgs.linux-firmware 39 | pkgs.wireless-regdb 40 | ]; 41 | 42 | nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 43 | powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; 44 | hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 45 | }; 46 | } 47 | -------------------------------------------------------------------------------- /lib/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | defaultTags, 7 | edition, 8 | sources, 9 | lib, 10 | pkgs, 11 | ... 12 | }: 13 | let 14 | inherit (lib) 15 | filterAttrs 16 | mapAttrs' 17 | hasSuffix 18 | removeSuffix 19 | nameValuePair 20 | optional 21 | concatStringsSep 22 | genList 23 | length 24 | mapAttrs 25 | concatMap 26 | mapAttrsToList 27 | ; 28 | autoImport = 29 | inventoryFile: 30 | let 31 | fnOrAttrs = import inventoryFile; 32 | in 33 | assert builtins.isFunction fnOrAttrs || builtins.isAttrs fnOrAttrs; 34 | if builtins.isFunction fnOrAttrs then fnOrAttrs { inherit pkgs; } else fnOrAttrs; 35 | in 36 | rec { 37 | # This will build a Markdown table. 38 | # Inputs: 39 | # [ [ col1 col2 … colN ] [ col1 … colN ] … ] 40 | # Outputs: a string which represents the table in Markdown. 41 | mkMarkdownTable = 42 | header: rows: 43 | let 44 | mkMarkdownTableLine = line: concatStringsSep "|" ([ "" ] ++ line ++ [ "" ]); 45 | mkMarkdownTableLineSeparator = line: mkMarkdownTableLine (genList (_: "-") (length line)); 46 | in 47 | concatStringsSep "\n" ( 48 | [ 49 | (mkMarkdownTableLine header) 50 | (mkMarkdownTableLineSeparator header) 51 | ] 52 | ++ map mkMarkdownTableLine rows 53 | ); 54 | 55 | # This will build a network matrix table 56 | # Inputs: 57 | # [ { cidr, from, to, protos } ] 58 | # Outputs: 59 | # a string which represents the table in Markdown. 60 | mkMarkdownNetworkMatrixTable = 61 | lines: 62 | mkMarkdownTable 63 | [ 64 | "Sous-réseau CIDR" 65 | "Port source" 66 | "Port destination" 67 | "Protocoles" 68 | ] 69 | ( 70 | map ( 71 | { 72 | cidr, 73 | from, 74 | to, 75 | protos, 76 | }: 77 | [ 78 | cidr 79 | (toString from) 80 | (concatStringsSep ", " (map toString to)) 81 | (concatStringsSep "," protos) 82 | ] 83 | ) lines 84 | ); 85 | 86 | # This will read the user-specific inventory and return an attribute set of { $user = $module } 87 | # This can be used to further customize the final OS image. 88 | readInventory = 89 | dir: 90 | let 91 | customizations = filterAttrs (name: type: type == "regular" && hasSuffix ".nix" name) ( 92 | builtins.readDir dir 93 | ); 94 | in 95 | mapAttrs' ( 96 | name: _: nameValuePair (removeSuffix ".nix" name) (autoImport "${dir}/${name}") 97 | ) customizations; 98 | 99 | # This will build an ISO installer that will automatically partition the target system. 100 | # FIXME: 101 | # - LUKS2 should probably get enrolled with the Yubikey as well (?). 102 | # - We should enroll a static set of PK/KEK which comes from the image. 103 | # - Secure Boot key should not be created on the disk. 104 | # - db signer should be pre-provisioned on the Yubikey and enrolled in the system. 105 | # - sign the first generation with it. 106 | # - Upgrade process will need the Yubikey for signing. 107 | buildInstallerImage = 108 | # Put `compression` to `null` to disable it. 109 | { 110 | modules, 111 | compression ? "zstd -Xcompression-level 6", 112 | }: 113 | let 114 | targetSystem = pkgs.nixos modules; 115 | targetSystemFormatScript = targetSystem.config.system.build.formatScript; 116 | targetSystemMountScript = targetSystem.config.system.build.mountScript; 117 | targetSystemClosure = targetSystem.config.system.build.toplevel; 118 | mainDisk = targetSystem.config.securix.self.mainDisk; 119 | in 120 | (pkgs.nixos [ 121 | ( 122 | { config, modulesPath, ... }: 123 | { 124 | imports = [ "${modulesPath}/installer/cd-dvd/installation-cd-base.nix" ]; 125 | 126 | # Reset the original message. 127 | services.getty.helpLine = lib.mkForce '' 128 | This is the Securix live offline installer image edition ${edition}. 129 | 130 | This installer will install your system in ${mainDisk}, if that's not what you want, 131 | contact the system administrators. 132 | 133 | Run: `autoinstall-terminal` to start the automatic installation process. 134 | ''; 135 | services.getty.autologinUser = lib.mkForce "root"; 136 | 137 | networking.hostName = "m${toString targetSystem.config.securix.self.inventoryId}"; 138 | boot.kernelParams = [ 139 | "console=ttyS0,115200" 140 | "console=tty0" 141 | ]; 142 | system.nixos.distroId = "securix"; 143 | system.nixos.tags = 144 | [ 145 | # Taint with the inventory ID not to mis-install the wrong inventory image. 146 | "m${toString targetSystem.config.securix.self.inventoryId}" 147 | "installer" 148 | ] 149 | ++ defaultTags 150 | # Taint developer images. 151 | ++ optional targetSystem.config.securix.self.developer "developer"; 152 | isoImage.storeContents = [ targetSystemClosure ]; 153 | 154 | time.timeZone = "Europe/Paris"; 155 | console = { 156 | # Let the kernel be smart. 157 | font = null; 158 | keyMap = "fr"; 159 | }; 160 | 161 | isoImage.squashfsCompression = compression; 162 | 163 | environment.systemPackages = [ 164 | (pkgs.writeShellScriptBin "autoinstall-terminal" ( 165 | '' 166 | #!/usr/bin/env bash 167 | 168 | log() { 169 | local level="$1" 170 | local msg="$2" 171 | case "$level" in 172 | info) 173 | ${pkgs.gum}/bin/gum log -t rfc822 -l info "$msg" 174 | ;; 175 | warn) 176 | ${pkgs.gum}/bin/gum log -t rfc822 -l warn "$msg" 177 | ;; 178 | error) 179 | ${pkgs.gum}/bin/gum log -t rfc822 -l error "$msg" 180 | ;; 181 | *) 182 | ${pkgs.gum}/bin/gum log -t rfc822 -l debug "$msg" 183 | ;; 184 | esac 185 | } 186 | 187 | log_info() { 188 | local msg="$1" 189 | log info "$msg" 190 | } 191 | 192 | log_warn() { 193 | local msg="$1" 194 | log warn "$msg" 195 | } 196 | 197 | log_error() { 198 | local msg="$1" 199 | log error "$msg" 200 | } 201 | 202 | box_message() { 203 | local msg="$1" 204 | ${pkgs.gum}/bin/gum style --border "rounded" --padding "1" --foreground "yellow" "$msg" 205 | } 206 | 207 | umount -R /mnt || true 208 | 209 | box_message "Welcome in the Securix automatic installer." 210 | log_info "Here is the list of current block devices." 211 | lsblk 212 | 213 | ${pkgs.systemd}/bin/udevadm settle 214 | log_info "${mainDisk} will be re-initialized and formatted, please confirm this is the right target." 215 | ${pkgs.gum}/bin/gum confirm "Proceed with reformatting?" || { log_warn "Operation cancelled."; exit 0; } 216 | 217 | wipefs -fa "${mainDisk}" ; sudo dd if=/dev/zero of="${mainDisk}" bs=4M count=1024; 218 | log_info "${mainDisk} re-initialized and formatted." 219 | 220 | ${pkgs.systemd}/bin/udevadm settle 221 | box_message "Repartitioning ${mainDisk}..." 222 | ${targetSystemFormatScript} 223 | box_message "Mounting ${mainDisk}..." 224 | ${targetSystemMountScript} 225 | box_message "Provisioning Secure Boot keys..." 226 | '' 227 | + ( 228 | if lib.versionOlder pkgs.sbctl.version "0.15" then 229 | '' 230 | ${pkgs.sbctl}/bin/sbctl create-keys --database-path /mnt/etc/secureboot --export /mnt/etc/secureboot/keys 231 | '' 232 | else 233 | '' 234 | ${pkgs.sbctl}/bin/sbctl create-keys --database-path /mnt/etc/secureboot/GUID --export /mnt/etc/secureboot/keys --disable-landlock 235 | '' 236 | ) 237 | + '' 238 | box_message "Burning the image on ${mainDisk}..." 239 | ${config.system.build.nixos-install}/bin/nixos-install --no-channel-copy -j $(nproc) --option substituters "" --system "${targetSystemClosure}" 240 | box_message "Enrolling Secure Boot keys..." 241 | ${pkgs.nixos-enter}/bin/nixos-enter --command "sbctl enroll-keys" 242 | lsblk 243 | log_info "Installation is complete. You can now reboot in the installed system." 244 | '' 245 | )) 246 | ]; 247 | } 248 | ) 249 | ]).config.system.build.isoImage; 250 | 251 | # Build the artifact images for the Securix OS for a given machine. 252 | mkTerminal = 253 | { 254 | name, 255 | userSpecificModule, 256 | vpnProfiles, 257 | extraOperators ? { }, 258 | modules, 259 | edition, 260 | compression ? "zstd -Xcompression-level 6", 261 | }: 262 | let 263 | allModules = [ 264 | userSpecificModule 265 | ../modules 266 | ../hardware 267 | # For Secure Boot. 268 | (import sources.lanzaboote).nixosModules.lanzaboote 269 | "${sources.agenix}/modules/age.nix" 270 | { 271 | securix.self.identifier = name; 272 | securix.self.edition = edition; 273 | _module.args.operators = mapAttrs' ( 274 | fileName: cfg: nameValuePair cfg.securix.self.username cfg.securix.self 275 | ) extraOperators; 276 | _module.args.vpnProfiles = vpnProfiles; 277 | 278 | age.identityPaths = [ 279 | # FIXME: age ne sait pas encore utiliser le TPM2 pour déchiffrer des secrets 280 | # utiliser https://github.com/Foxboron/age-plugin-tpm dans le futur. 281 | "/etc/ssh/ssh_host_ed25519_key" 282 | ]; 283 | 284 | # TODO: when we will have build capacity, we can re-enable it. 285 | # Otherwise, it's too expensive in rebuilds! 286 | documentation.man.man-db.enable = false; 287 | } 288 | ] ++ modules; 289 | in 290 | { 291 | installer = buildInstallerImage { 292 | modules = allModules; 293 | inherit compression; 294 | }; 295 | system = pkgs.nixos allModules; 296 | }; 297 | 298 | # Build all artifacts images for the Securix OS. 299 | mkTerminals = 300 | { 301 | users, 302 | vpn-profiles, 303 | edition, 304 | compression ? "zstd -Xcompression-level 6", 305 | }: 306 | baseSystem: 307 | 308 | mapAttrs ( 309 | name: userSpecificModule: 310 | mkTerminal { 311 | inherit 312 | name 313 | userSpecificModule 314 | edition 315 | compression 316 | ; 317 | # TODO: unify the naming for vpn-profiles... 318 | vpnProfiles = vpn-profiles; 319 | # All the users themselves. 320 | extraOperators = users; 321 | modules = [ baseSystem ]; 322 | } 323 | ) users; 324 | 325 | # Build all documentation outputs for the Securix OS. 326 | mkDocs = 327 | { 328 | users, 329 | vpn-profiles, 330 | terminals, 331 | }: 332 | { 333 | bastions = 334 | let 335 | # TODO: move flow information inside the VPN profiles. 336 | mkAnySrcFlow = proto: ports: { 337 | from = "*"; 338 | to = ports; 339 | protos = [ proto ]; 340 | }; 341 | defaultFlows = [ 342 | (mkAnySrcFlow "tcp" [ 343 | 22 344 | 80 345 | 443 346 | ]) 347 | ]; 348 | mkFlows = 349 | subnets: 350 | concatMap ( 351 | cidr: 352 | map (flow: { 353 | inherit cidr; 354 | inherit (flow) from to protos; 355 | }) defaultFlows 356 | ) subnets; 357 | in 358 | pkgs.writeText "bastions.md" '' 359 | # Documentation des flux 360 | 361 | ${concatStringsSep "\n\n" ( 362 | map (vpn: '' 363 | # ${vpn} 364 | 365 | ${mkMarkdownNetworkMatrixTable (mkFlows vpn-profiles.${vpn}.remoteSubnets)} 366 | '') (builtins.attrNames vpn-profiles) 367 | )} 368 | ''; 369 | inventory = 370 | let 371 | configs = mapAttrs (username: { system, ... }: system.config) terminals; 372 | mkUserReport = user: config: '' 373 | ## Inventaire de `${user}` 374 | 375 | Email: ${config.securix.self.email} 376 | Machine: ${config.securix.self.hardwareSKU} 377 | Numéro: ${toString config.securix.self.inventoryId} 378 | ''; 379 | in 380 | pkgs.writeText "inventory.md" '' 381 | # Inventaire des terminaux en circulation 382 | 383 | ${concatStringsSep "\n" (mapAttrsToList mkUserReport configs)} 384 | ''; 385 | }; 386 | } 387 | -------------------------------------------------------------------------------- /modules/auditd.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { config, lib, ... }: 6 | let 7 | cfg = config.securix.audit; 8 | inherit (lib) 9 | mkEnableOption 10 | mkIf 11 | types 12 | mkOption 13 | ; 14 | in 15 | { 16 | options.securix.audit = { 17 | enable = mkEnableOption "la journalisation des évenements à des fins d'audit"; 18 | 19 | adminEmail = mkOption { 20 | type = types.str; 21 | description = "Email à qui envoyer les alertes d'espace disque"; 22 | }; 23 | }; 24 | 25 | config = mkIf cfg.enable { 26 | # R33 ANSSI 27 | security.auditd.enable = true; 28 | environment.etc."audit/auditd.conf".text = '' 29 | space_left = 10% 30 | space_left_action = ignore 31 | admin_space_left = 5% 32 | admin_space_left_action = email 33 | action_mail_acct = ${cfg.adminEmail} 34 | num_logs = 10 35 | max_log_file = 100 36 | max_log_file_action = rotate 37 | ''; 38 | security.audit = { 39 | enable = true; 40 | rules = [ 41 | # TODO: 42 | # track audit itself accesses 43 | # track shm accesses 44 | # track mount/unmount 45 | # track usb keys accesses 46 | # track kernel module loading 47 | # track kexec operations 48 | # track network cards changes 49 | # track thunderbolt changes 50 | # This tracks only all execve for now, which is not that bad. 51 | "-a exit,always -F arch=b64 -S execve" 52 | ]; 53 | }; 54 | }; 55 | } 56 | -------------------------------------------------------------------------------- /modules/authorized-users.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | # The list of authorized users to manipulate an admin laptop. 6 | # Basically, the inventory. 7 | { 8 | operators, 9 | config, 10 | lib, 11 | ... 12 | }: 13 | let 14 | cfg = config.securix.users; 15 | self = config.securix.self; 16 | mkOperator = 17 | { developerMode, hashedPassword }: 18 | { 19 | isNormalUser = true; 20 | inherit hashedPassword; 21 | extraGroups = 22 | # In developer mode, you are allowed to use `sudo`. 23 | optional developerMode "wheel" ++ [ 24 | "networkmanager" 25 | "video" # webcam? 26 | "dialout" # console série 27 | "wireshark" # debuggage trames 28 | "tss" # tpm2 29 | "operator" # can upgrade the system permissionlessly 30 | ]; 31 | }; 32 | inherit (lib) 33 | mkMerge 34 | mkIf 35 | mkEnableOption 36 | optional 37 | filterAttrs 38 | mapAttrs 39 | ; 40 | in 41 | { 42 | options.securix.users = { 43 | allowAnyOperator = mkEnableOption "the possibility for any operator to log in on this machine."; 44 | }; 45 | 46 | config = mkMerge [ 47 | { 48 | users.mutableUsers = false; 49 | users.groups.operator = { }; 50 | security.tpm2.enable = true; 51 | users.users.${self.username} = mkOperator { 52 | developerMode = self.developer or false; 53 | inherit (self) hashedPassword; 54 | }; 55 | } 56 | # We need to add all the other users then 57 | # and enable a user to decrypt the partition. 58 | (mkIf cfg.allowAnyOperator { 59 | users.users = 60 | mapAttrs 61 | ( 62 | username: config: 63 | mkOperator { 64 | developerMode = config.developer or false; 65 | inherit (config) hashedPassword; 66 | } 67 | ) 68 | # We need to filter out ourselves. 69 | (filterAttrs (username: _: username != self.username) operators); 70 | }) 71 | ]; 72 | } 73 | -------------------------------------------------------------------------------- /modules/bastion/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { config, lib, ... }: 6 | let 7 | inherit (lib) 8 | mkEnableOption 9 | mkOption 10 | mkIf 11 | types 12 | mapAttrs 13 | filterAttrs 14 | listToAttrs 15 | concatStringsSep 16 | nameValuePair 17 | optionalString 18 | ; 19 | cfg = config.securix.bastions; 20 | entrypointOpts = _: { 21 | options = { 22 | name = mkOption { 23 | type = types.str; 24 | description = "Préfixe du FQDN pour ce bastion"; 25 | }; 26 | 27 | address = mkOption { 28 | type = types.str; 29 | description = "IPv4 ou IPv6 vers le Bastion"; 30 | }; 31 | 32 | publicSSHKey = mkOption { 33 | type = types.nullOr types.str; 34 | default = null; 35 | description = "Clef SSH publique dudit bastion"; 36 | }; 37 | 38 | proxyJumps = mkOption { 39 | type = types.listOf types.str; 40 | default = [ ]; 41 | description = "Liste (dans l'ordre) des jumps à appliquer pour atteindre la cible."; 42 | }; 43 | }; 44 | }; 45 | 46 | entrypointsPerFQDN = listToAttrs ( 47 | map (entry: nameValuePair "${entry.name}.${cfg.domainSuffix}" entry) cfg.entrypoints 48 | ); 49 | mkKnownHostEntry = fqdn: value: { 50 | publicKey = value.publicSSHKey; 51 | extraHostNames = [ value.address ]; 52 | }; 53 | mkSshHostEntry = 54 | { 55 | name, 56 | proxyJumps, 57 | address, 58 | ... 59 | }: 60 | let 61 | translateEntry = e: builtins.replaceStrings [ "." ] [ "-" ] e; 62 | translatedProxyJumps = map translateEntry proxyJumps; 63 | fullName = translateEntry "${name}.${cfg.domainSuffix}"; 64 | shortName = translateEntry name; 65 | in 66 | '' 67 | Host ${shortName} ${fullName} 68 | HostName ${address} 69 | IdentitiesOnly yes 70 | ${optionalString (proxyJumps != [ ]) "ProxyJump ${concatStringsSep ", " translatedProxyJumps}"} 71 | ''; 72 | in 73 | { 74 | options.securix.bastions = { 75 | enable = mkEnableOption "génère les entrées statiques pour nos bastions"; 76 | domainSuffix = mkOption { 77 | type = types.str; 78 | description = "Suffixe de domaine des bastions"; 79 | }; 80 | 81 | entrypoints = mkOption { type = types.listOf (types.submodule entrypointOpts); }; 82 | }; 83 | 84 | config = mkIf cfg.enable { 85 | # Register the known SSH key 86 | programs.ssh.knownHosts = mapAttrs mkKnownHostEntry ( 87 | filterAttrs (n: v: v.publicSSHKey != null) entrypointsPerFQDN 88 | ); 89 | # Register the /etc/hosts entry 90 | networking.extraHosts = '' 91 | ${concatStringsSep "\n" ( 92 | map (entry: "${entry.address}\t${entry.name}.${cfg.domainSuffix}") cfg.entrypoints 93 | )} 94 | ''; 95 | # Register the .ssh entry 96 | programs.ssh.extraConfig = '' 97 | ${concatStringsSep "\n" (map mkSshHostEntry cfg.entrypoints)} 98 | ''; 99 | # TODO: register the Teleport entry? 100 | }; 101 | } 102 | -------------------------------------------------------------------------------- /modules/bootloader.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { pkgs, lib, ... }: 6 | { 7 | boot.initrd.systemd.enable = true; 8 | 9 | boot.loader.systemd-boot.enable = lib.mkForce false; 10 | 11 | boot.lanzaboote = { 12 | enable = true; 13 | pkiBundle = "/etc/secureboot"; 14 | }; 15 | 16 | environment.systemPackages = [ pkgs.sbctl ]; 17 | } 18 | -------------------------------------------------------------------------------- /modules/console.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | # Sécurix is not meant to be used outside of France. 7 | time.timeZone = "Europe/Paris"; 8 | i18n.defaultLocale = "en_US.UTF-8"; 9 | console = { 10 | # Let the kernel be smart. 11 | font = null; 12 | keyMap = "fr"; 13 | }; 14 | services.xserver.xkb.layout = "fr"; 15 | } 16 | -------------------------------------------------------------------------------- /modules/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | imports = [ 7 | ./journal.nix 8 | ./console.nix 9 | ./distribution.nix 10 | ./bootloader.nix 11 | ./filesystems.nix 12 | ./networking.nix 13 | ./power-saving.nix 14 | ./authorized-users.nix 15 | ./package-manager.nix 16 | # Automatic setup of SSH tunnels 17 | ./ssh-forward.nix 18 | # Autoconfiguration of OpenStack 19 | ./openstack-client.nix 20 | # The management of our entrypoints for our static bastions. 21 | ./bastion 22 | # Known hosts for our clouds. 23 | ./known-hosts.nix 24 | # SOCKS5 proxy for API and documentation access 25 | ./http-proxy.nix 26 | # Our Root CAs 27 | ./pki.nix 28 | ./shells.nix 29 | # Allow SSH keys from the TPM to be exposed through the agent 30 | ./ssh-tpm-agent.nix 31 | # Audit logs 32 | ./auditd.nix 33 | # Data-only pertaining to the system 34 | ./self.nix 35 | # All the VPN code 36 | ./vpn 37 | # Superadmins options 38 | ./superadmins 39 | # All the administration tools 40 | ./tools 41 | # Graphical interfaces 42 | ./graphical-interface 43 | # Security keys configuration. 44 | ./security-keys.nix 45 | # Automatic update system 46 | ./updates 47 | # For observability of Securix 48 | ./o11y 49 | ]; 50 | } 51 | -------------------------------------------------------------------------------- /modules/developer-mode/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | _: { 6 | config = { 7 | services.openssh.enable = true; 8 | # TODO: when we will have build capacity, we can re-enable it. 9 | documentation.man.man-db.enable = false; 10 | }; 11 | } 12 | -------------------------------------------------------------------------------- /modules/disko.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { config, ... }: 6 | let 7 | disk = config.securix.self.mainDisk; 8 | mountOptions = [ "noatime" ]; 9 | in 10 | { 11 | disko.devices = { 12 | disk = { 13 | ${disk} = { 14 | device = "${disk}"; 15 | type = "disk"; 16 | content = { 17 | type = "gpt"; 18 | partitions = { 19 | ESP = { 20 | end = "1G"; 21 | type = "EF00"; 22 | content = { 23 | type = "filesystem"; 24 | format = "vfat"; 25 | mountpoint = "/boot"; 26 | }; 27 | }; 28 | Recovery = { 29 | end = "+2G"; 30 | type = "EF00"; 31 | content = { 32 | type = "filesystem"; 33 | format = "vfat"; 34 | mountpoint = "/recovery"; 35 | }; 36 | }; 37 | luks = { 38 | size = "100%"; 39 | content = { 40 | type = "luks"; 41 | name = "croot"; 42 | settings = { 43 | allowDiscards = true; 44 | }; 45 | content = { 46 | type = "btrfs"; 47 | mountpoint = "/"; 48 | subvolumes = { 49 | "/home" = { 50 | mountpoint = "/home"; 51 | mountOptions = [ 52 | "compress=zstd" 53 | "noatime" 54 | ]; 55 | }; 56 | "/nix" = { 57 | mountpoint = "/nix"; 58 | mountOptions = [ 59 | "compress=zstd" 60 | "noatime" 61 | ]; 62 | }; 63 | }; 64 | }; 65 | }; 66 | }; 67 | }; 68 | }; 69 | }; 70 | }; 71 | }; 72 | } 73 | -------------------------------------------------------------------------------- /modules/distribution.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { lib, ... }: 6 | { 7 | system.nixos.distroId = lib.mkDefault "securix"; 8 | system.nixos.distroName = lib.mkDefault "Sécurix"; 9 | system.stateVersion = "24.11"; 10 | } 11 | -------------------------------------------------------------------------------- /modules/filesystems.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { lib, ... }: 6 | { 7 | imports = [ 8 | "${(import ../npins).disko}/module.nix" 9 | ./disko.nix 10 | ]; 11 | } 12 | -------------------------------------------------------------------------------- /modules/graphical-interface/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { config, lib, ... }: 6 | let 7 | inherit (lib) mkIf; 8 | cfg = config.securix.graphical-interface; 9 | in 10 | { 11 | options.securix.graphical-interface = { 12 | enable = lib.mkEnableOption "the WM/DE interfaces"; 13 | variant = lib.mkOption { 14 | type = lib.types.enum [ 15 | "kde" 16 | "sway" 17 | ]; 18 | example = "kde"; 19 | }; 20 | 21 | terminalVariant = lib.mkOption { 22 | type = lib.types.enum [ 23 | "default" 24 | "kitty" 25 | "alacritty" 26 | ]; 27 | default = "default"; 28 | }; 29 | }; 30 | 31 | imports = [ 32 | ./plasma.nix 33 | ./sway 34 | ./fonts.nix 35 | ]; 36 | 37 | config = mkIf cfg.enable { services.libinput.enable = true; }; 38 | } 39 | -------------------------------------------------------------------------------- /modules/graphical-interface/fonts.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | config, 7 | lib, 8 | pkgs, 9 | ... 10 | }: 11 | let 12 | cfg = config.securix.graphical-interface; 13 | inherit (lib) mkIf; 14 | in 15 | { 16 | config = mkIf cfg.enable { 17 | fonts = { 18 | packages = with pkgs; [ 19 | hermit 20 | source-code-pro 21 | terminus_font 22 | font-awesome 23 | font-awesome_4 24 | dejavu_fonts 25 | hack-font 26 | noto-fonts 27 | cantarell-fonts 28 | powerline-fonts 29 | roboto 30 | roboto-slab 31 | eb-garamond 32 | liberation_ttf 33 | fira-code 34 | fira-code-symbols 35 | mplus-outline-fonts.githubRelease 36 | dina-font 37 | proggyfonts 38 | ]; 39 | fontconfig = { 40 | enable = true; 41 | defaultFonts = { 42 | monospace = [ 43 | "Source Code Pro for Powerline" 44 | "Roboto Mono for Powerline" 45 | ]; 46 | sansSerif = [ "Roboto" ]; 47 | serif = [ "Roboto Slab" ]; 48 | }; 49 | }; 50 | }; 51 | }; 52 | } 53 | -------------------------------------------------------------------------------- /modules/graphical-interface/plasma.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { config, lib, ... }: 6 | let 7 | inherit (lib) mkIf; 8 | cfg = config.securix.graphical-interface; 9 | in 10 | { 11 | config = mkIf (cfg.variant == "kde") { 12 | services.xserver.enable = true; 13 | services.displayManager.sddm.enable = true; 14 | services.desktopManager.plasma6.enable = true; 15 | }; 16 | } 17 | -------------------------------------------------------------------------------- /modules/graphical-interface/sway/bar-bottom.toml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | [theme] 6 | theme = "gruvbox-dark" 7 | [icons] 8 | icons = "awesome5" 9 | 10 | [[block]] 11 | block = "disk_space" 12 | path = "/" 13 | info_type = "available" 14 | alert_unit = "GB" 15 | interval = 20 16 | warning = 30.0 17 | alert = 20.0 18 | 19 | [[block]] 20 | block = "disk_space" 21 | path = "/nix" 22 | info_type = "used" 23 | alert_unit = "GB" 24 | interval = 60 25 | warning = 40.0 26 | alert = 50.0 27 | 28 | [[block]] 29 | block = "memory" 30 | 31 | [[block]] 32 | block = "temperature" 33 | interval = 10 34 | chip = "*-isa-*" 35 | 36 | [[block]] 37 | block = "cpu" 38 | format = " $icon $utilization ({$boost|}$frequency) " 39 | interval = 1 40 | 41 | [[block]] 42 | block = "load" 43 | interval = 1 44 | 45 | [[block]] 46 | block = "battery" 47 | driver = "upower" 48 | device = "DisplayDevice" 49 | format = " $icon $percentage $time " 50 | 51 | [[block]] 52 | block = "time" 53 | interval = 60 54 | format = " $icon $timestamp.datetime(f:'%a %d/%m %R') " 55 | -------------------------------------------------------------------------------- /modules/graphical-interface/sway/bar-top.toml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | [theme] 6 | theme = "gruvbox-dark" 7 | [icons] 8 | icons = "awesome5" 9 | 10 | [[block]] 11 | block = "uptime" 12 | 13 | [[block]] 14 | block = "net" 15 | device = "^wlp.*" 16 | format = "$icon $signal_strength $ssid $frequency via $device " 17 | format_alt = "$ssid $ipv4 $speed_down.eng(prefix:M) $speed_up.eng(prefix:M)" 18 | interval = 20 19 | 20 | [[block]] 21 | block = "net" 22 | device = "^enp.*" 23 | format = " $icon {$ipv4|$ipv6} via $device " 24 | format_alt = "$speed_up.eng(prefix:M) $speed_down.eng(prefix:M) " 25 | interval = 20 26 | missing_format = "" 27 | -------------------------------------------------------------------------------- /modules/graphical-interface/sway/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | pkgs, 7 | config, 8 | lib, 9 | ... 10 | }: 11 | let 12 | inherit (lib) mkIf; 13 | cfg = config.securix.graphical-interface; 14 | in 15 | { 16 | imports = [ ./sway-config.nix ]; 17 | 18 | config = mkIf (cfg.variant == "sway") { 19 | environment.systemPackages = with pkgs; [ 20 | grim # screenshot functionality 21 | slurp # screenshot functionality 22 | wl-clipboard # wl-copy and wl-paste for copy/paste from stdin / stdout 23 | mako # notification system developed by swaywm maintainer 24 | swaylock # a locker 25 | wofi # a simple dmenu 26 | i3status-rust # a resource efficient status bar 27 | networkmanagerapplet # for nm-connection-editor 28 | ]; 29 | 30 | programs.gnupg.agent.pinentryPackage = pkgs.pinentry-curses; 31 | programs.nm-applet.enable = true; 32 | 33 | # Enable the gnome-keyring secrets vault. 34 | # Will be exposed through DBus to programs willing to store secrets. 35 | services.gnome.gnome-keyring.enable = true; 36 | 37 | # enable Sway window manager 38 | programs.sway = { 39 | enable = true; 40 | wrapperFeatures.gtk = true; 41 | }; 42 | 43 | services.greetd = { 44 | enable = true; 45 | settings = { 46 | default_session = { 47 | command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway"; 48 | user = "greeter"; 49 | }; 50 | }; 51 | }; 52 | }; 53 | } 54 | -------------------------------------------------------------------------------- /modules/graphical-interface/sway/sway-config.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | pkgs, 7 | config, 8 | lib, 9 | ... 10 | }: 11 | let 12 | inherit (lib) mkIf; 13 | cfg = config.securix.graphical-interface; 14 | terminal = if cfg.terminalVariant == "default" then "foot" else cfg.terminalVariant; 15 | in 16 | { 17 | config = mkIf (cfg.variant == "sway") { 18 | environment.etc."sway/config".source = pkgs.writeText "sway.config" '' 19 | # Default config for sway 20 | # 21 | # Copy this to ~/.config/sway/config and edit it to your liking. 22 | # 23 | # Read `man 5 sway` for a complete reference. 24 | # It is preconfigured for sane defaults for our usecases. 25 | 26 | ### Variables 27 | # 28 | # Logo key. Use Mod1 for Alt. 29 | set $mod Mod4 30 | # Home row direction keys, like vim 31 | set $left h 32 | set $down j 33 | set $up k 34 | set $right l 35 | # Your preferred terminal emulator 36 | set $term ${terminal} 37 | # Your preferred application launcher 38 | # Note: pass the final command to swaymsg so that the resulting window can be opened 39 | # on the original workspace that the command was run on. 40 | set $menu wofi --show run | xargs swaymsg exec -- 41 | 42 | font pango:Fira Mono for Powerline 9 43 | 44 | # No window titles 45 | default_border pixel 1 46 | default_floating_border pixel 1 47 | 48 | ### Output configuration 49 | # 50 | # Default wallpaper 51 | # TODO 52 | # output * bg fill 53 | 54 | ### Idle configuration 55 | # 56 | # Example configuration: 57 | # 58 | exec swayidle -w \ 59 | timeout 300 'swaylock -f -c 000000' \ 60 | timeout 600 'swaymsg "output * power off"' resume 'swaymsg "output * power on"' \ 61 | before-sleep 'swaylock -f -c 000000' 62 | 63 | # This will lock your screen after 300 seconds of inactivity, then turn off 64 | # your displays after another 300 seconds, and turn your screens back on when 65 | # resumed. It will also lock your screen before your computer goes to sleep. 66 | 67 | ### Input configuration 68 | # 69 | # Example configuration: 70 | # 71 | # input "2:14:SynPS/2_Synaptics_TouchPad" { 72 | # dwt enabled 73 | # tap enabled 74 | # natural_scroll enabled 75 | # middle_emulation enabled 76 | # } 77 | # 78 | # You can get the names of your inputs by running: swaymsg -t get_inputs 79 | # Read `man 5 sway-input` for more information about this section. 80 | 81 | # By default, FR layout. 82 | input type:keyboard { 83 | xkb_layout fr 84 | xkb_model pc105 85 | xkb_variant oss 86 | # Should make it specific to Ryan Lahfa. 87 | repeat_delay 250 88 | repeat_rate 60 89 | } 90 | 91 | ### Key bindings 92 | # 93 | # Basics: 94 | # 95 | # Start a terminal 96 | bindsym $mod+Return exec $term 97 | 98 | # Kill focused window 99 | bindsym $mod+Shift+q kill 100 | 101 | # Start your launcher 102 | bindsym $mod+d exec $menu 103 | 104 | # Lock the session 105 | bindsym $mod+Control+l exec --no-startup-id swaylock -c 000000 -e 106 | 107 | # Drag floating windows by holding down $mod and left mouse button. 108 | # Resize them with right mouse button + $mod. 109 | # Despite the name, also works for non-floating windows. 110 | # Change normal to inverse to use left mouse button for resizing and right 111 | # mouse button for dragging. 112 | floating_modifier $mod normal 113 | 114 | # Reload the configuration file 115 | bindsym $mod+Shift+c reload 116 | 117 | # Exit sway (logs you out of your Wayland session) 118 | bindsym $mod+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -B 'Yes, exit sway' 'swaymsg exit' 119 | # 120 | # Moving around: 121 | # 122 | # Move your focus around 123 | bindsym $mod+$left focus left 124 | bindsym $mod+$down focus down 125 | bindsym $mod+$up focus up 126 | bindsym $mod+$right focus right 127 | # Or use $mod+[up|down|left|right] 128 | bindsym $mod+Left focus left 129 | bindsym $mod+Down focus down 130 | bindsym $mod+Up focus up 131 | bindsym $mod+Right focus right 132 | 133 | # Move the focused window with the same, but add Shift 134 | bindsym $mod+Shift+$left move left 135 | bindsym $mod+Shift+$down move down 136 | bindsym $mod+Shift+$up move up 137 | bindsym $mod+Shift+$right move right 138 | # Ditto, with arrow keys 139 | bindsym $mod+Shift+Left move left 140 | bindsym $mod+Shift+Down move down 141 | bindsym $mod+Shift+Up move up 142 | bindsym $mod+Shift+Right move right 143 | # 144 | # Workspaces: 145 | # 146 | # Switch to workspace 147 | bindsym $mod+ampersand workspace number 1 148 | bindsym $mod+eacute workspace number 2 149 | bindsym $mod+quotedbl workspace number 3 150 | bindsym $mod+apostrophe workspace number 4 151 | bindsym $mod+parenleft workspace number 5 152 | bindsym $mod+minus workspace number 6 # +section on Apple keyboards 153 | bindsym $mod+egrave workspace number 7 154 | bindsym $mod+underscore workspace number 8 # +exclam on Apple keyboards 155 | bindsym $mod+ccedilla workspace number 9 156 | bindsym $mod+agrave workspace number 10 157 | # Move focused container to workspace 158 | bindsym $mod+Shift+ampersand move container to workspace number 1 159 | bindsym $mod+Shift+eacute move container to workspace number 2 160 | bindsym $mod+Shift+quotedbl move container to workspace number 3 161 | bindsym $mod+Shift+apostrophe move container to workspace number 4 162 | bindsym $mod+Shift+parenleft move container to workspace number 5 163 | bindsym $mod+Shift+minus move container to workspace number 6 164 | bindsym $mod+Shift+egrave move container to workspace number 7 165 | bindsym $mod+Shift+underscore move container to workspace number 8 166 | bindsym $mod+Shift+ccedilla move container to workspace number 9 167 | bindsym $mod+Shift+agrave move container to workspace number 10 168 | # Note: workspaces can have any name you want, not just numbers. 169 | # We just use 1-10 as the default. 170 | # For multi-screens. 171 | bindsym $mod+m move workspace to output left 172 | # 173 | # Layout stuff: 174 | # 175 | # You can "split" the current object of your focus with 176 | # $mod+b or $mod+v, for horizontal and vertical splits 177 | # respectively. 178 | bindsym $mod+b splith 179 | bindsym $mod+v splitv 180 | 181 | # Switch the current container between different layout styles 182 | bindsym $mod+s layout stacking 183 | bindsym $mod+w layout tabbed 184 | bindsym $mod+e layout toggle split 185 | 186 | # Make the current focus fullscreen 187 | bindsym $mod+f fullscreen 188 | 189 | # Toggle the current focus between tiling and floating mode 190 | bindsym $mod+Shift+space floating toggle 191 | 192 | # Swap focus between the tiling area and the floating area 193 | bindsym $mod+space focus mode_toggle 194 | 195 | # Move focus to the parent container 196 | bindsym $mod+a focus parent 197 | # 198 | # Scratchpad: 199 | # 200 | # Sway has a "scratchpad", which is a bag of holding for windows. 201 | # You can send windows there and get them back later. 202 | 203 | # Move the currently focused window to the scratchpad 204 | bindsym $mod+Shift+s move scratchpad 205 | 206 | # Show the next scratchpad window or hide the focused scratchpad window. 207 | # If there are multiple scratchpad windows, this command cycles through them. 208 | bindsym $mod+s scratchpad show 209 | # 210 | # Resizing containers: 211 | # 212 | mode "resize" { 213 | # left will shrink the containers width 214 | # right will grow the containers width 215 | # up will shrink the containers height 216 | # down will grow the containers height 217 | bindsym $left resize shrink width 10px 218 | bindsym $down resize grow height 10px 219 | bindsym $up resize shrink height 10px 220 | bindsym $right resize grow width 10px 221 | 222 | # Ditto, with arrow keys 223 | bindsym Left resize shrink width 10px 224 | bindsym Down resize grow height 10px 225 | bindsym Up resize shrink height 10px 226 | bindsym Right resize grow width 10px 227 | 228 | # Return to default mode 229 | bindsym Return mode "default" 230 | bindsym Escape mode "default" 231 | } 232 | bindsym $mod+r mode "resize" 233 | 234 | # 235 | # Status Bar: 236 | # 237 | # Read `man 5 sway-bar` for more information about this section. 238 | bar { 239 | font pango:DejaVu Sans Mono, FontAwesome 12 240 | position top 241 | status_command i3status-rs ${./bar-top.toml} 242 | colors { 243 | separator #666666 244 | background #222222 245 | statusline #dddddd 246 | focused_workspace #0088CC #0088CC #ffffff 247 | active_workspace #333333 #333333 #ffffff 248 | inactive_workspace #333333 #333333 #888888 249 | urgent_workspace #2f343a #900000 #ffffff 250 | } 251 | } 252 | bar { 253 | font pango:DejaVu Sans Mono, FontAwesome 12 254 | position bottom 255 | workspace_buttons no 256 | status_command i3status-rs ${./bar-bottom.toml} 257 | colors { 258 | separator #666666 259 | background #222222 260 | statusline #dddddd 261 | focused_workspace #0088CC #0088CC #ffffff 262 | active_workspace #333333 #333333 #ffffff 263 | inactive_workspace #333333 #333333 #888888 264 | urgent_workspace #2f343a #900000 #ffffff 265 | } 266 | } 267 | ''; 268 | }; 269 | } 270 | -------------------------------------------------------------------------------- /modules/http-proxy.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # SPDX-FileContributor: Elias Coppens 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | { lib, config, ... }: 7 | let 8 | inherit (lib) 9 | mkEnableOption 10 | mkOption 11 | mkIf 12 | types 13 | concatStringsSep 14 | ; 15 | cfg = config.securix.http-proxy; 16 | in 17 | { 18 | options.securix.http-proxy = { 19 | enable = mkEnableOption "configure un proxy HTTP client SOCKS5 globalement"; 20 | 21 | availableProxies = mkOption { 22 | type = types.attrsOf types.str; 23 | description = "Liste des proxies SOCKS5 disponibles"; 24 | }; 25 | 26 | usedProxy = mkOption { 27 | type = types.str; 28 | description = "Proxy sélectionné"; 29 | }; 30 | 31 | exceptions = mkOption { 32 | type = types.listOf types.str; 33 | # Exclude localhost and its IP variants for now. 34 | default = [ 35 | "localhost" 36 | "127.0.0.1" 37 | "[::1]" 38 | ]; 39 | description = "Liste de domaines exclus du proxy"; 40 | }; 41 | 42 | usedProxyAddress = mkOption { 43 | type = types.str; 44 | readOnly = true; 45 | internal = true; 46 | description = "Adresse du proxy séléctionné"; 47 | }; 48 | }; 49 | 50 | config = mkIf cfg.enable { 51 | securix.http-proxy.usedProxyAddress = cfg.availableProxies.${cfg.usedProxy}; 52 | environment.sessionVariables = { 53 | all_proxy = cfg.usedProxyAddress; 54 | http_proxy = cfg.usedProxyAddress; 55 | https_proxy = cfg.usedProxyAddress; 56 | no_proxy = concatStringsSep "," cfg.exceptions; 57 | }; 58 | }; 59 | } 60 | -------------------------------------------------------------------------------- /modules/journal.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | services.journald.extraConfig = '' 7 | SystemMaxUse=5G 8 | ''; 9 | } 10 | -------------------------------------------------------------------------------- /modules/known-hosts.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { pkgs, ... }: 6 | { 7 | # GitHub SSH public keys to avoid TOFU during first repository synchronization. 8 | programs.ssh.knownHostsFiles = [ 9 | (pkgs.writeText "github.keys" '' 10 | github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl 11 | github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= 12 | github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk= 13 | '') 14 | ]; 15 | } 16 | -------------------------------------------------------------------------------- /modules/networking.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | networking.useDHCP = false; 7 | networking.networkmanager.enable = true; 8 | } 9 | -------------------------------------------------------------------------------- /modules/o11y/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | imports = [ 7 | ./logs.nix 8 | ./metrics.nix 9 | ]; 10 | } 11 | -------------------------------------------------------------------------------- /modules/o11y/logs.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { config, lib, ... }: 6 | let 7 | cfg = config.securix.o11y.logs; 8 | inherit (lib) 9 | mkEnableOption 10 | mkOption 11 | types 12 | mkIf 13 | ; 14 | in 15 | { 16 | options.securix.o11y.logs = { 17 | enable = mkEnableOption "shipment of logs to remote servers"; 18 | serverUrl = mkOption { type = types.str; }; 19 | }; 20 | 21 | config = mkIf cfg.enable { 22 | services.journald.upload = { 23 | enable = true; 24 | settings.Upload.URL = cfg.serverUrl; 25 | }; 26 | }; 27 | } 28 | -------------------------------------------------------------------------------- /modules/o11y/metrics.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { config, lib, ... }: 6 | let 7 | cfg = config.securix.o11y.metrics; 8 | inherit (lib) 9 | mkEnableOption 10 | mkOption 11 | types 12 | mkIf 13 | mapAttrsToList 14 | filterAttrs 15 | ; 16 | in 17 | { 18 | options.securix.o11y.metrics = { 19 | enable = mkEnableOption "shipment of metrics to remote servers"; 20 | serverUrl = mkOption { type = types.str; }; 21 | }; 22 | 23 | config = mkIf cfg.enable { 24 | # This will ship node_exporter-like metrics to the remote servers. 25 | services.prometheus.exporters.node = { 26 | enable = true; 27 | enabledCollectors = [ 28 | "systemd" 29 | "processes" 30 | ]; 31 | }; 32 | 33 | # This will ship electricity metrics to the remote servers. 34 | services.prometheus.exporters.scaphandre = { 35 | enable = true; 36 | }; 37 | 38 | services.vmagent = { 39 | enable = true; 40 | remoteWrite.url = cfg.serverUrl; 41 | prometheusConfig = { 42 | scrape_configs = 43 | mapAttrsToList 44 | (job_name: cfg: { 45 | inherit job_name; 46 | static_configs = [ { targets = [ "127.0.0.1:${builtins.toString cfg.port}" ]; } ]; 47 | metrics_path = if job_name == "scaphandre" then "//metrics" else "/metrics"; 48 | }) 49 | ( 50 | filterAttrs ( 51 | name: cfg: 52 | # these are not working Prometheus Exporters 53 | !(builtins.elem name [ 54 | "assertions" 55 | "warnings" 56 | "blackbox" 57 | "unifi-poller" 58 | "domain" 59 | "minio" 60 | "idrac" 61 | "pve" 62 | "tor" 63 | ]) 64 | && cfg.enable 65 | ) config.services.prometheus.exporters 66 | ); 67 | global = { 68 | scrape_interval = "15s"; 69 | external_labels.hostname = config.networking.hostName; 70 | # TODO: devrait-on-mettre un label supplémentaire d'appartenance d'équipe au niveau des time series exportés? 71 | }; 72 | }; 73 | }; 74 | }; 75 | } 76 | -------------------------------------------------------------------------------- /modules/openstack-client.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # SPDX-FileContributor: Elias Coppens 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | { 7 | operators, 8 | pkgs, 9 | lib, 10 | config, 11 | ... 12 | }: 13 | let 14 | inherit (lib) 15 | mkEnableOption 16 | mkIf 17 | mkOption 18 | types 19 | mapAttrs 20 | ; 21 | cfg = config.securix.cloud.openstack-client; 22 | yaml = pkgs.formats.yaml { }; 23 | cloudOpts = { 24 | freeformType = yaml.type; 25 | }; 26 | 27 | cloudsNames = builtins.attrNames cfg.clouds; 28 | in 29 | { 30 | options.securix.cloud.openstack-client = { 31 | enable = mkEnableOption "the automatic configuration of the OpenStack client"; 32 | defaults = mkOption { type = types.attrsOf types.unspecified; }; 33 | clouds = mkOption { type = types.attrsOf (types.submodule cloudOpts); }; 34 | projects = mkOption { type = types.listOf types.str; }; 35 | }; 36 | 37 | config = mkIf cfg.enable { 38 | environment.etc."openstack/clouds.yaml".source = yaml.generate "clouds.yaml" { 39 | clouds = mapAttrs (_: cloudConfig: cfg.defaults // cloudConfig) cfg.clouds; 40 | }; 41 | 42 | users.users = mapAttrs (username: config: { 43 | packages = [ 44 | # Helper to do openstack work. 45 | (pkgs.writeShellScriptBin "os-run" '' 46 | usage() { 47 | echo "usage: os-run -- [...]" 48 | echo "Run in the context of a certain cloud any OpenStack-related command, including Terraform" 49 | echo "This expects that your Goldwarden is configured correctly." 50 | echo "Furthermore, it also expects that `$${cloud}_horizon_password` is configured to your Horizon portal password." 51 | } 52 | 53 | # Check if sufficient arguments are provided. 54 | if [ "$#" -lt 3 ] || [ "$2" != "--" ]; then 55 | usage 56 | exit 1 57 | fi 58 | 59 | # Parse the cloud argument. 60 | CLOUD="$1" 61 | shift # Remove the first argument. 62 | shift # Remove the '--' separator. 63 | 64 | case "$CLOUD" in 65 | ${lib.concatStringsSep "|" cloudsNames}) 66 | ;; 67 | *) 68 | echo "Invalid cloud name: $CLOUD" 69 | usage 70 | exit 1 71 | ;; 72 | esac 73 | 74 | # Configure environment variables. 75 | export OS_CLOUD="$CLOUD" 76 | export OS_USERNAME="${config.email}" 77 | 78 | # Retrieve the password from Goldwarden. 79 | export OS_PASSWORD=$(goldwarden logins get --name "''${CLOUD}_horizon_password") 80 | if [ -z "$OS_PASSWORD" ]; then 81 | echo "Failed to retrieve password for $CLOUD." 82 | exit 1 83 | fi 84 | 85 | # Execute the command. 86 | exec "$@" 87 | '') 88 | ]; 89 | }) operators; 90 | # Wrap `os` to fetch the `OS_PASSWORD` from the Vault. 91 | }; 92 | } 93 | -------------------------------------------------------------------------------- /modules/package-manager.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # SPDX-FileContributor: Elias Coppens 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | { 7 | lib, 8 | config, 9 | pkgs, 10 | ... 11 | }: 12 | let 13 | proxyCfg = config.securix.http-proxy; 14 | in 15 | { 16 | config = { 17 | nix = 18 | { 19 | package = pkgs.lix; 20 | nixPath = [ 21 | # Always point to the authorized sources. 22 | "nixpkgs=${pkgs.path}" 23 | ]; 24 | } 25 | // (lib.optionalAttrs proxyCfg.enable { 26 | envVars = { 27 | http_proxy = proxyCfg.usedProxyAddress; 28 | https_proxy = proxyCfg.usedProxyAddress; 29 | all_proxy = proxyCfg.usedProxyAddress; 30 | no_proxy = lib.concatStringsSep "," proxyCfg.exceptions; 31 | }; 32 | }); 33 | }; 34 | } 35 | -------------------------------------------------------------------------------- /modules/pki.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { operators, lib, ... }: 6 | let 7 | inherit (lib) mapAttrs' filterAttrs nameValuePair; 8 | in 9 | { } 10 | -------------------------------------------------------------------------------- /modules/power-saving.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | _: { 6 | powerManagement.enable = true; 7 | services.upower.enable = true; 8 | services.power-profiles-daemon.enable = true; 9 | } 10 | -------------------------------------------------------------------------------- /modules/security-keys.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | # We mostly use Yubikeys. 6 | { pkgs, ... }: 7 | { 8 | environment.systemPackages = [ 9 | pkgs.yubikey-personalization 10 | pkgs.yubikey-manager 11 | ]; 12 | services.udev.packages = [ 13 | pkgs.yubikey-personalization 14 | pkgs.yubikey-manager 15 | ]; 16 | 17 | # GPG support. 18 | # TODO: we don't have a need for GPG keys yet. 19 | programs.gnupg.agent.enable = false; 20 | 21 | # Smart card support. 22 | services.pcscd.enable = true; 23 | 24 | # For user SSH via Yubikey. 25 | services.yubikey-agent.enable = true; 26 | } 27 | -------------------------------------------------------------------------------- /modules/self.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | vpnProfiles, 7 | pkgs, 8 | config, 9 | lib, 10 | ... 11 | }: 12 | let 13 | cfg = config.securix.self; 14 | inherit (lib) 15 | mkOption 16 | types 17 | optional 18 | elemAt 19 | splitString 20 | substring 21 | mkDefault 22 | ; 23 | deriveUsernameFromEmail = 24 | email: 25 | let 26 | parts = splitString "." email; 27 | firstName = elemAt 0 parts; 28 | lastName = elemAt 1 parts; 29 | firstLetter = substring 0 1 firstName; 30 | usernameLimit = 32; 31 | in 32 | substring 0 usernameLimit "${firstLetter}${lastName}"; 33 | in 34 | { 35 | options.securix.self = { 36 | mainDisk = mkOption { 37 | type = types.str; 38 | description = "Disque du système"; 39 | example = "/dev/nvme0n1"; 40 | }; 41 | 42 | edition = mkOption { 43 | type = types.str; 44 | description = "Édition du système Sécurix"; 45 | example = "acme-corp"; 46 | }; 47 | 48 | email = mkOption { 49 | type = types.str; 50 | description = "Adresse email de l'agent"; 51 | }; 52 | 53 | username = mkOption { 54 | type = types.str; 55 | default = deriveUsernameFromEmail cfg.email; 56 | defaultText = '' tronqué à 32 caractères''; 57 | description = '' 58 | Nom d'utilisateur de la session PAM, dérivé par l'email en calculant: 59 | 60 | 61 | 62 | Tronqué à 32 caractères, limite de PAM. 63 | ''; 64 | example = "rlahfa"; 65 | }; 66 | 67 | inventoryId = mkOption { 68 | type = types.int; 69 | description = "Numéro d'inventaire du système"; 70 | example = 123456; 71 | }; 72 | 73 | hardwareSKU = mkOption { 74 | type = types.enum [ "x280" ]; 75 | description = "Identifiant de configuration du matériel"; 76 | example = "x280"; 77 | }; 78 | 79 | developer = mkOption { 80 | type = types.bool; 81 | default = false; 82 | description = '' 83 | Mode développeur pour cet opérateur. 84 | 85 | Le mode développeur permet de développer l'OS sécurisé sans les bridages. 86 | Il n'est pas conçu pour *développer* d'autres choses en meme temps. 87 | 88 | ATTENTION: Le mode développeur N'EST PAS CONFORME aux règles de sécurité 89 | de l'ANSSI en matière de poste d'administration. Celui-ci doit etre utilisé 90 | avec parcimonie. 91 | ''; 92 | }; 93 | 94 | hashedPassword = mkOption { 95 | type = types.str; 96 | description = "Mot de passe hachée en ycrypt pour la session utilisateur."; 97 | }; 98 | 99 | defaultLoginShell = mkOption { 100 | type = types.package; 101 | default = pkgs.bashInteractive; 102 | description = "Shell par défaut de connexion pour la session utilisateur."; 103 | }; 104 | 105 | identifier = mkOption { 106 | type = types.str; 107 | internal = true; 108 | description = "Identifiant de customization de la machine"; 109 | example = "ryan_lahfa"; 110 | }; 111 | 112 | bit = mkOption { 113 | type = types.nullOr types.int; 114 | default = null; 115 | description = "Octet pour l'adresse IPv4 publique dans le VPN"; 116 | example = 1; 117 | }; 118 | 119 | infraRepositoryPath = mkOption { 120 | type = types.path; 121 | default = "/etc/infrastructure"; 122 | description = "Chemin vers le référentiel d'infrastructure"; 123 | }; 124 | 125 | infraRepositorySubdir = mkOption { 126 | type = types.str; 127 | default = "securix"; 128 | description = "Chemin vers la souche Sécurix utilisé dans le référentiel d'infrastructure"; 129 | example = "securix-security-team"; 130 | }; 131 | 132 | allowedVPNs = mkOption { 133 | type = types.listOf (types.enum (builtins.attrNames vpnProfiles)); 134 | default = [ ]; 135 | description = "Liste des VPNs provisionnés pour l'utilisateur"; 136 | example = [ "vpn-01" ]; 137 | }; 138 | 139 | teams = mkOption { 140 | type = types.listOf types.str; 141 | description = "Liste des équipes dans lequel l'utilisateur est"; 142 | example = [ 143 | "product-01" 144 | "product-02" 145 | "financial-dpt" 146 | "security-team" 147 | ]; 148 | }; 149 | }; 150 | 151 | config = { 152 | warnings = optional cfg.developer '' 153 | Le mode développeur est activé pour ${cfg.email}, cette image n'est pas conforme aux règles de l'ANSSI. 154 | ''; 155 | 156 | services.getty.helpLine = '' 157 | Bienvenue sur Sécurix (identifiant ${toString cfg.inventoryId}), utilisateur principal: ${toString cfg.email}. 158 | ''; 159 | 160 | networking.hostName = mkDefault "securix-${cfg.edition}-${toString cfg.inventoryId}"; 161 | users.users.${cfg.username}.shell = cfg.defaultLoginShell; 162 | }; 163 | } 164 | -------------------------------------------------------------------------------- /modules/shells.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | programs = { 7 | zsh.enable = true; 8 | fish.enable = true; 9 | }; 10 | } 11 | -------------------------------------------------------------------------------- /modules/spiffe.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | # Machine identity for laptops 6 | # Based on https://spiffe.io/ 7 | { 8 | 9 | } 10 | -------------------------------------------------------------------------------- /modules/ssh-forward.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | pkgs, 7 | config, 8 | lib, 9 | ... 10 | }: 11 | let 12 | inherit (lib) 13 | types 14 | mkOption 15 | mkEnableOption 16 | filterAttrs 17 | mapAttrs' 18 | nameValuePair 19 | ; 20 | tunnels = config.securix.ssh-tunnels; 21 | tunnelOpts = _: { 22 | options = { 23 | enable = mkEnableOption "this tunnel"; 24 | vpn = mkOption { 25 | type = types.str; 26 | description = "VPN requis pour ce tunnel"; 27 | }; 28 | description = mkOption { type = types.str; }; 29 | target = mkOption { type = types.str; }; 30 | localPort = mkOption { type = types.int; }; 31 | remoteAddress = mkOption { 32 | type = types.str; 33 | default = "localhost"; 34 | }; 35 | remotePort = mkOption { type = types.int; }; 36 | }; 37 | }; 38 | 39 | mkTunnelService = 40 | name: 41 | { 42 | description, 43 | vpn, 44 | target, 45 | localPort, 46 | remoteAddress, 47 | remotePort, 48 | ... 49 | }: 50 | nameValuePair "ssh-tunnel-to-${name}" { 51 | inherit description; 52 | after = [ "network.target" ]; 53 | 54 | path = [ 55 | pkgs.libnotify 56 | pkgs.networkmanager 57 | ]; 58 | # TODO: this is largely inefficient. 59 | # Diconnection of the SSH tunnel will be performed after 3 seconds of inactivity. 60 | script = '' 61 | if ! nmcli connection show --active | grep -q ${vpn}; then 62 | exit 1 63 | fi 64 | 65 | if ! ${pkgs.openssh}/bin/ssh -NT -o ServerAliveInterval=1 -o ExitOnForwardFailure=yes -L 127.0.0.1:${toString localPort}:${remoteAddress}:${toString remotePort} ${target}; then 66 | notify-send "[HTTP Proxy] Échec" "Échec de l'établissement du tunnel vers ${name} depuis ${target} ; est-ce que le VPN ou Internet est opérationnel ? si vous utilisez un yubikey, est-ce qu'elle est branché ?" 67 | else 68 | notify-send "[HTTP Proxy] Coupé" "La connexion via SSH vers le proxy HTTP ${name} a été stoppé." 69 | fi 70 | ''; 71 | 72 | serviceConfig = { 73 | RestartSec = "5"; 74 | Restart = "always"; 75 | }; 76 | }; 77 | in 78 | { 79 | options.securix.ssh-tunnels = mkOption { 80 | type = types.attrsOf (types.submodule tunnelOpts); 81 | default = { }; 82 | }; 83 | 84 | config = { 85 | # One per operator. 86 | systemd.user.services = mapAttrs' mkTunnelService ( 87 | filterAttrs (_: { enable, ... }: enable) tunnels 88 | ); 89 | }; 90 | } 91 | -------------------------------------------------------------------------------- /modules/ssh-tpm-agent.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # SPDX-FileContributor: Elias Coppens 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | { 7 | config, 8 | lib, 9 | pkgs, 10 | ... 11 | }: 12 | let 13 | cfg = config.securix.ssh.tpm-agent; 14 | inherit (lib) mkEnableOption mkIf mkMerge; 15 | in 16 | { 17 | options.securix.ssh.tpm-agent = { 18 | hostKeys = mkEnableOption "the sealing of SSH host keys in the TPM"; 19 | sshKeys = mkEnableOption "the sealing of SSH keys in the TPM"; 20 | }; 21 | 22 | config = mkMerge [ 23 | (mkIf cfg.sshKeys { 24 | systemd.user.services.ssh-tpm-agent = { 25 | unitConfig = { 26 | Description = "SSH TPM agent service"; 27 | Documentation = "man:ssh-agent(1) man:ssh-add(1) man:ssh(1)"; 28 | Requires = "ssh-tpm-agent.socket"; 29 | ConditionEnvironment = "!SSH_AGENT_PID"; 30 | }; 31 | serviceConfig = { 32 | Environment = "SSH_AUTH_SOCK=%t/ssh-tpm-agent.socket"; 33 | ExecStart = "${pkgs.ssh-tpm-agent}/bin/ssh-tpm-agent"; 34 | PassEnvironment = "SSH_AGENT_PID"; 35 | SuccessExitStatus = 2; 36 | Type = "simple"; 37 | }; 38 | }; 39 | 40 | systemd.user.sockets.ssh-tpm-agent = { 41 | unitConfig = { 42 | Description = "SSH TPM agent socket"; 43 | Documentation = "man:ssh-agent(1) man:ssh-add(1) man:ssh(1)"; 44 | }; 45 | 46 | socketConfig = { 47 | ListenStream = "%t/ssh-tpm-agent.sock"; 48 | SocketMode = "0600"; 49 | Service = "ssh-tpm-agent.service"; 50 | }; 51 | 52 | wantedBy = [ "sockets.target" ]; 53 | }; 54 | }) 55 | (mkIf cfg.hostKeys { 56 | # TODO: figure out how to use properly TPM keys when unlocking the PSK at boot. 57 | systemd.services.ssh-genkeys = { 58 | description = "SSH keys generation"; 59 | 60 | unitConfig.ConditionPathExists = [ 61 | "|!/etc/ssh/ssh_host_rsa_key.pub" 62 | "|!/etc/ssh/ssh_host_rsa_key" 63 | ]; 64 | 65 | serviceConfig = { 66 | ExecStart = "${pkgs.openssh}/bin/ssh-keygen -A"; 67 | Type = "oneshot"; 68 | RemainAfterExit = "yes"; 69 | }; 70 | 71 | wantedBy = [ "network.target" ]; 72 | }; 73 | 74 | systemd.services.ssh-tpm-genkeys = { 75 | description = "SSH TPM Key Generation"; 76 | 77 | unitConfig = { 78 | ConditionPathExists = [ 79 | "|!/etc/ssh/ssh_tpm_host_ecdsa_key.pub" 80 | "|!/etc/ssh/ssh_tpm_host_ecdsa_key.tpm" 81 | ]; 82 | }; 83 | 84 | serviceConfig = { 85 | ExecStart = "${pkgs.ssh-tpm-agent}/bin/ssh-tpm-keygen -A"; 86 | Type = "oneshot"; 87 | RemainAfterExit = "yes"; 88 | }; 89 | 90 | wantedBy = [ "network.target" ]; 91 | }; 92 | 93 | systemd.sockets.ssh-tpm-agent = { 94 | unitConfig = { 95 | Description = "SSH TPM agent socket"; 96 | Documentation = "man:ssh-agent(1) man:ssh-add(1) man:ssh(1)"; 97 | }; 98 | 99 | socketConfig = { 100 | ListenStream = "/var/tmp/ssh-tpm-agent.sock"; 101 | SocketMode = "0600"; 102 | Service = "ssh-tpm-agent.service"; 103 | }; 104 | 105 | wantedBy = [ "sockets.target" ]; 106 | }; 107 | 108 | systemd.services.ssh-tpm-agent = { 109 | unitConfig = { 110 | ConditionEnvironment = "!SSH_AGENT_PID"; 111 | Description = "ssh-tpm-agent system service"; 112 | Documentation = "man:ssh-agent(1) man:ssh-add(1) man:ssh(1)"; 113 | Wants = [ "ssh-tpm-genkeys.service" ]; 114 | After = [ 115 | "ssh-tpm-genkeys.service" 116 | "network.target" 117 | "sshd.target" 118 | ]; 119 | 120 | Requires = [ "ssh-tpm-agent.socket" ]; 121 | }; 122 | 123 | serviceConfig = { 124 | ExecStart = "${pkgs.ssh-tpm-agent}/bin/ssh-tpm-agent --key-dir /etc/ssh"; 125 | PassEnvironment = "SSH_AGENT_PID"; 126 | KillMode = "process"; 127 | Restart = "always"; 128 | }; 129 | 130 | wantedBy = [ "multi-user.target" ]; 131 | }; 132 | services.openssh.hostKeys = [ ]; 133 | services.openssh.extraConfig = lib.mkAfter '' 134 | HostKeyAgent /var/tmp/ssh-tpm-agent.sock 135 | HostKey /etc/ssh/ssh_tpm_host_ecdsa_key 136 | ''; 137 | }) 138 | ]; 139 | } 140 | -------------------------------------------------------------------------------- /modules/superadmins/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { config, lib, ... }: 6 | let 7 | inherit (lib) 8 | mkEnableOption 9 | mkOption 10 | types 11 | mkIf 12 | ; 13 | cfg = config.securix.superadmins; 14 | in 15 | { 16 | options.securix.superadmins = { 17 | enable = mkEnableOption "l'administration à distance par les super-administrateurs"; 18 | 19 | keys = mkOption { 20 | type = types.listOf types.str; 21 | description = "Liste de clefs SSH autorisés à se connecter à root@"; 22 | }; 23 | }; 24 | config = mkIf cfg.enable { 25 | services.openssh.enable = true; 26 | users.users.root.openssh.authorizedKeys.keys = cfg.keys; 27 | }; 28 | } 29 | -------------------------------------------------------------------------------- /modules/tools/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { pkgs, ... }: 6 | { 7 | imports = [ 8 | ./password-manager.nix 9 | ./firefox.nix 10 | ]; 11 | 12 | programs.mtr.enable = true; 13 | 14 | environment.systemPackages = with pkgs; [ 15 | # Text editors 16 | neovim 17 | emacs 18 | vscodium 19 | vim 20 | # TPM2 21 | tpm2-tools 22 | # Terraform operations 23 | opentofu 24 | # Vault-like operations 25 | # Uncomment when we have upgraded to NixOS 25.05. 26 | # openbao 27 | # AWS S3 operations 28 | rclone 29 | awscli2 30 | s3cmd 31 | restic 32 | # Bastion 33 | teleport_16 34 | # OpenStack CLI - contient: heat, designate, barbican, etc. 35 | openstackclient-full 36 | # A TPM-backed agent for SSH keys 37 | ssh-tpm-agent 38 | # VNC remoting 39 | tigervnc 40 | # Some good terminals. 41 | alacritty 42 | # Uncomment when NixOS 25.05 is used. 43 | # ghostty 44 | kitty 45 | tmux # Multiplexer 46 | screen # Multiplexer 47 | # Scripting 48 | python3 49 | gum # TUI scripting 50 | # PKI 51 | certstrap # Certificate bootstrap for CAs 52 | openssl # Generic purpose certificate tooling 53 | step-ca # CA tooling 54 | opensc # PKCS#11 tooling 55 | # Misc 56 | termdown # Time counter 57 | fd # `find` alternative. 58 | ripgrep # super fast `grep` 59 | ripgrep-all # multi-format fast `grep` 60 | pwgen # Password generator. 61 | bitwarden-cli # Bitwarden CLI. 62 | rbw # Caching Bitwarden CLI. 63 | rofi-rbw-wayland # Rofi menu for rbw. 64 | tree # Tree display 65 | gnupg # PGP 66 | connect # for using ssh with a proxy 67 | # Git, the full tooling. 68 | gitAndTools.gitFull 69 | git-lfs 70 | git-absorb 71 | git-gr 72 | lazygit 73 | jujutsu 74 | # Serial console work. 75 | minicom 76 | picocom 77 | # To send files securly to another endpoint. 78 | magic-wormhole-rs 79 | # iPXE / PXE operations 80 | pixiecore 81 | # Unzipping 82 | unzip 83 | # To calculate things 84 | libqalculate 85 | # Troubleshooting 86 | iperf3 87 | tcpdump 88 | tshark 89 | wireshark 90 | dnsutils 91 | conntrack-tools 92 | pwru # Packet, where are you? - eBPF tooling 93 | strace 94 | gdb 95 | # Network calculators 96 | sipcalc 97 | ipv6calc 98 | # D-Bus debugging 99 | d-spy 100 | # Offline documentation 101 | linux-manual 102 | glibcInfo 103 | man-pages 104 | man-pages-posix 105 | # Browser 106 | firefox 107 | ]; 108 | } 109 | -------------------------------------------------------------------------------- /modules/tools/firefox.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # SPDX-FileContributor: Elias Coppens 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | { 7 | config, 8 | pkgs, 9 | lib, 10 | ... 11 | }: 12 | let 13 | inherit (lib) listToAttrs mkOption; 14 | inherit (lib.types) attrsOf submodule str; 15 | 16 | cfg = config.securix.firefox; 17 | 18 | bookmarkType = submodule { 19 | options = { 20 | icon = mkOption { 21 | type = str; 22 | default = ""; 23 | description = '' 24 | Name of the icon of the bookmark. 25 | ''; 26 | }; 27 | 28 | href = mkOption { 29 | type = str; 30 | description = '' 31 | URL of the website that the bookmark points to. 32 | ''; 33 | }; 34 | 35 | description = mkOption { 36 | type = str; 37 | default = ""; 38 | description = '' 39 | Description of the website that the bookmark points to. 40 | ''; 41 | }; 42 | }; 43 | }; 44 | in 45 | { 46 | options.securix.firefox.bookmarks = mkOption { 47 | type = attrsOf (attrsOf bookmarkType); 48 | default = { }; 49 | example = '' 50 | { 51 | Productivity = { 52 | Github = { 53 | href = "https://github.com"; 54 | icon = "github.png"; 55 | }; 56 | }; 57 | 58 | Entertainment = { 59 | Youtube = { 60 | href = "https://youtube.com"; 61 | icon = "si-youtube"; 62 | }; 63 | }; 64 | } 65 | ''; 66 | description = '' 67 | Bookmarks to show to homepage and firefox bookmarks. 68 | ''; 69 | }; 70 | 71 | config = { 72 | # This spawns the dashboard on 127.0.0.1:8082. 73 | services.homepage-dashboard = { 74 | enable = true; 75 | 76 | bookmarks = map ( 77 | { name, value }: 78 | { 79 | ${name} = map ( 80 | { name, value }: 81 | { 82 | ${name} = [ value ]; 83 | } 84 | ) (lib.attrsToList value); 85 | } 86 | ) (lib.attrsToList cfg.bookmarks); 87 | # TODO: add services and automatically ping all our seed-bastions & bastions for workers. 88 | 89 | # TODO: kubernetes, etc. 90 | }; 91 | 92 | programs.firefox = { 93 | enable = true; 94 | languagePacks = [ 95 | "fr" 96 | "en-US" 97 | ]; 98 | 99 | nativeMessagingHosts.packages = [ pkgs.tridactyl-native ]; 100 | 101 | policies = { 102 | Homepage = { 103 | # Connect to the local dashboard. 104 | URL = "http://127.0.0.1:8082"; 105 | # The user cannot change the homepage. All changes should go via Sécurix. 106 | Locked = true; 107 | # homepage-locked will prevent the user from restoring session, that's bad UX! 108 | StartPage = "homepage"; 109 | }; 110 | 111 | Bookmarks = lib.flatten ( 112 | map ( 113 | folder: 114 | map ( 115 | { name, value }: 116 | { 117 | Title = name; 118 | URL = value.href; 119 | Folder = folder.name; 120 | } 121 | ) (lib.attrsToList folder.value) 122 | ) (lib.attrsToList cfg.bookmarks) 123 | ); 124 | DisplayBookmarksToolbar = "always"; 125 | DisableProfileImport = true; 126 | NoDefaultBookmarks = true; 127 | NewTabPage = false; 128 | 129 | # Don't save password on Firefox to avoid data losses 130 | PasswordManagerEnabled = false; 131 | OfferToSaveLogins = false; 132 | 133 | # Unnecessary. 134 | DontCheckDefaultBrowser = true; 135 | # Firefox version is managed by Sécurix 136 | AppAutoUpdate = false; 137 | DisableAppUpdate = true; 138 | 139 | # You are not supposed to watch Netflix on Sécurix. 140 | EncryptedMediaExtensions = { 141 | Enabled = false; 142 | }; 143 | 144 | ExtensionSettings = 145 | let 146 | extension = shortId: uuid: { 147 | name = uuid; 148 | value = { 149 | install_url = "https://addons.mozilla.org/en-US/firefox/downloads/latest/${shortId}/latest.xpi"; 150 | installation_mode = "normal_installed"; 151 | }; 152 | }; 153 | in 154 | { 155 | # Block all manual extension install. You NEED to propose your extension to the Sécurix repository. 156 | "*".installation_mode = "blocked"; 157 | } 158 | // (listToAttrs [ 159 | (extension "ublock-origin" "uBlock0@raymondhill.net") 160 | (extension "umatrix" "uMatrix@raymondhill.net") 161 | (extension "tree-style-tab" "treestyletab@piro.sakura.ne.jp") 162 | (extension "bitwarden-password-manager" "{446900e4-71c2-419f-a6a7-df9c091e268b}") 163 | ]); 164 | 165 | DisablePocket = true; 166 | DisableFirefoxAccounts = true; 167 | DisableTelemetry = true; 168 | DisableFirefoxStudies = true; 169 | 170 | UserMessaging = { 171 | ExtensionRecommendations = false; 172 | UrlbarInterventions = false; 173 | MoreFromMozilla = false; 174 | FirefoxLabs = false; 175 | # If people wants to get spammed by Firefox… They can. 176 | Locked = false; 177 | }; 178 | }; 179 | 180 | # Let the user override the default. 181 | preferencesStatus = "default"; 182 | }; 183 | }; 184 | } 185 | -------------------------------------------------------------------------------- /modules/tools/password-manager.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | pkgs, 7 | lib, 8 | config, 9 | ... 10 | }: 11 | let 12 | cfg = config.securix.password-manager.bitwarden; 13 | inherit (lib) 14 | types 15 | mkOption 16 | mkEnableOption 17 | mkIf 18 | ; 19 | in 20 | { 21 | options.securix.password-manager.bitwarden = { 22 | enable = mkEnableOption "l'intégration fine à un serveur Bitwarden d'équipe"; 23 | 24 | baseUri = mkOption { 25 | type = types.str; 26 | example = "https://vaultwarden.acme.corp"; 27 | }; 28 | }; 29 | 30 | config = mkIf cfg.enable { 31 | programs.goldwarden.enable = true; 32 | 33 | systemd.user.services.goldwarden.serviceConfig.ExecStartPost = pkgs.writeShellScript "preconfigure-goldwarden" '' 34 | ${lib.getExe config.programs.goldwarden.package} config set-api-url ${cfg.baseUri}/api 35 | ${lib.getExe config.programs.goldwarden.package} config set-identity-url ${cfg.baseUri}/identity 36 | ${lib.getExe config.programs.goldwarden.package} config set-notifications-url ${cfg.baseUri}/notifications 37 | echo "Goldwarden preconfigured for ${cfg.baseUri} instance" 38 | ''; 39 | }; 40 | } 41 | -------------------------------------------------------------------------------- /modules/updates/automatic-pull.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | pkgs, 7 | lib, 8 | config, 9 | ... 10 | }: 11 | let 12 | cfg = config.securix.auto-updates; 13 | inherit (lib) 14 | mkEnableOption 15 | mkIf 16 | mkOption 17 | types 18 | ; 19 | in 20 | { 21 | options.securix.auto-updates = { 22 | enable = mkEnableOption "la mise à jour automatique du code d'infrastructure de Sécurix"; 23 | enableRebuild = mkEnableOption "la reconstruction automatique du système"; 24 | 25 | repoUrl = mkOption { 26 | type = types.str; 27 | description = "URL de clonage du repo d'infrastructure Sécurix"; 28 | }; 29 | 30 | branch = mkOption { 31 | type = types.str; 32 | default = "main"; 33 | description = "Branche du dépôt d'infrastructure Sécurix à mettre à jour"; 34 | }; 35 | 36 | repoSubdir = mkOption { 37 | type = types.str; 38 | default = "securix"; 39 | description = "Sous-répertoire de la souche Sécurix"; 40 | }; 41 | }; 42 | 43 | config = mkIf cfg.enable { 44 | systemd.services.system-infrastructure-sync = { 45 | description = "Synchronization of the system infrastructure repository"; 46 | wantedBy = [ "multi-user.target" ]; 47 | wants = [ "network-online.target" ]; 48 | after = [ "network-online.target" ]; 49 | path = [ 50 | pkgs.networkmanager 51 | pkgs.git 52 | pkgs.openssh 53 | pkgs.util-linux 54 | pkgs.gawk 55 | pkgs.libnotify 56 | pkgs.sudo 57 | pkgs.nixos-rebuild 58 | ]; 59 | script = '' 60 | _notify_current_user() { 61 | local title="$1" 62 | local message="$2" 63 | 64 | # Get all active sessions with a valid user 65 | mapfile -t sessions < <(loginctl list-sessions --no-legend | awk '{print $1, $2, $3}' | grep -v '^ ') 66 | 67 | # Check if there are active sessions 68 | if [[ ''${#sessions[@]} -eq 0 ]]; then 69 | echo "No active sessions found." >&2 70 | return 1 71 | fi 72 | 73 | for session in "''${sessions[@]}"; do 74 | # Extract session details: ID, user, and display 75 | local session_id user display 76 | session_id=$(echo "$session" | awk '{print $1}') 77 | uid=$(echo "$session" | awk '{print $2}') 78 | user=$(echo "$session" | awk '{print $3}') 79 | 80 | # Notify each user/session 81 | if [[ -n "$user" ]]; then 82 | # Graphical notification for GUI sessions 83 | sudo -u "$user" DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$uid/bus" \ 84 | notify-send "$title" "$message" || true 85 | else 86 | # Terminal notification for non-GUI sessions 87 | sudo -u "$user" echo "$title: $message" | wall 88 | fi 89 | done 90 | } 91 | 92 | nm-online -q --timeout=30 || { echo "No Internet, skipping synchronization..."; exit 100; } 93 | if ssh-add -L &>/dev/null; then 94 | echo "SSH identities are loaded:" 95 | ssh-add -L 96 | else 97 | echo "No system SSH identities loaded, is the TPM2 broken or the onboarding was insufficient?" 98 | exit 101 99 | fi 100 | if [ -d "$REPO_DIR/.git" ]; then 101 | echo "Repository exists, pulling latest changes..." 102 | cd "$REPO_DIR/$REPO_SUBDIR" || exit 1 103 | 104 | git remote set-url origin "${cfg.repoUrl}" 105 | git fetch origin || exit 1 106 | git branch --set-upstream-to="origin/${cfg.branch}" "${cfg.branch}" 107 | 108 | UPSTREAM='${cfg.branch}@{u}' 109 | LOCAL=$(git rev-parse @) 110 | REMOTE=$(git rev-parse "$UPSTREAM") 111 | BASE=$(git merge-base @ "$UPSTREAM") 112 | 113 | if [ $LOCAL = $REMOTE ]; then 114 | echo "Up-to-date. Skipping." 115 | exit 0 116 | elif [ $LOCAL = $BASE ]; then 117 | _notify_current_user "[Sécurix] Mises à jour" "Une mise à jour est disponible du système et sera téléchargé." 118 | elif [ $REMOTE = $BASE ]; then 119 | _notify_current_user "[Sécurix] Mises à jour" "Votre système diverge du dépot de code à cause de changements locaux." 120 | exit 102 121 | else 122 | _notify_current_user "[Sécurix] Mises à jour" "Votre système diverge du dépot de code et ne peut etre synchronisé automatiquement." 123 | exit 103 124 | fi 125 | 126 | git pull || exit 1 127 | 128 | _notify_current_user "[Sécurix] Mises à jour" "Le code de votre système a été mis à jour. La reconstruction de votre système en arrière plan va commencer." 129 | nixos-rebuild boot --attr terminals."${config.securix.self.identifier}".system 130 | _notify_current_user "[Sécurix] Mises à jour" "La reconstruction du système est complète, au prochain redémarrage, votre système sera mis à jour." 131 | else 132 | echo "Repository does not exist, cloning..." 133 | mkdir -p "$REPO_DIR" || exit 1 134 | 135 | _notify_current_user "[Sécurix] Mises à jour" "Initialisation du code d'infrastructure..." 136 | git clone "$REPO_URL" "$REPO_DIR" -b "${cfg.branch}" || (_notify_current_user "[Sécurix] Mises à jour" "Initialisation échoué; est-ce que votre TPM2 est correctement onboardé?"; exit 1) && _notify_current_user "[Sécurix] Mises à jour" "Initialisation réussie. Reconstruction du système..." 137 | 138 | cd "$REPO_DIR/$REPO_SUBDIR" || exit 1 139 | nixos-rebuild boot --attr terminals."${config.securix.self.identifier}".system 140 | _notify_current_user "[Sécurix] Mises à jour" "La reconstruction du système est complète, au prochain redémarrage, votre système sera mis à jour." 141 | fi 142 | ''; 143 | serviceConfig = { 144 | Restart = "on-failure"; 145 | RestartPreventExitStatus = [ 146 | 100 147 | 101 148 | 102 149 | ]; 150 | Environment = [ 151 | "SSH_AUTH_SOCK=/var/tmp/ssh-tpm-agent.sock" 152 | "REPO_DIR=${config.securix.self.infraRepositoryPath}" 153 | "REPO_URL=${cfg.repoUrl}" 154 | "REPO_SUBDIR=${cfg.repoSubdir}" 155 | ]; 156 | }; 157 | }; 158 | 159 | systemd.timers.system-infrastructure-sync = { 160 | description = "Timer for synchronization of the system infrastructure repository"; 161 | timerConfig = { 162 | OnBootSec = "10m"; # Delay before the first execution (10 minutes after boot) 163 | OnUnitActiveSec = "1h"; # Set the interval to 1 hour (adjust as needed) 164 | Persistent = true; 165 | }; 166 | wantedBy = [ "timer.target" ]; 167 | }; 168 | }; 169 | } 170 | -------------------------------------------------------------------------------- /modules/updates/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | imports = [ 7 | # This enables any operator to upgrade their system without compromising the security. 8 | ./permissionless-upgrade.nix 9 | # This continuously pulls as long as we have Internet the newest code for our infrastructure repository. 10 | ./automatic-pull.nix 11 | ]; 12 | } 13 | -------------------------------------------------------------------------------- /modules/updates/permissionless-upgrade.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # SPDX-FileContributor: Elias Coppens 3 | # 4 | # SPDX-License-Identifier: MIT 5 | 6 | { 7 | lib, 8 | pkgs, 9 | config, 10 | ... 11 | }: 12 | let 13 | inherit (lib) mkIf mkEnableOption optionalString; 14 | self = config.securix.self; 15 | cfg = config.securix.manual-upgrades; 16 | upgradeScript = pkgs.writeShellApplication { 17 | name = "upgrade"; 18 | 19 | text = '' 20 | # Ensure the script runs as root 21 | if [ "$(id -u)" -ne 0 ]; then 22 | echo "This script must be run as root. Exiting." 23 | exit 1 24 | fi 25 | 26 | # Default values 27 | BRANCH="${config.securix.auto-updates.branch}" 28 | SUBDIR="${self.infraRepositorySubdir}" 29 | REMOTE_PULL=true 30 | 31 | # Parse arguments 32 | while [[ "$#" -gt 0 ]]; do 33 | case "$1" in 34 | --branch) 35 | BRANCH="$2" 36 | shift 2 37 | ;; 38 | --subdir) 39 | SUBDIR="$2" 40 | shift 2 41 | ;; 42 | --do-not-pull) 43 | REMOTE_PULL=false 44 | shift 1 45 | ;; 46 | --) 47 | shift 48 | break 49 | ;; 50 | *) 51 | break 52 | ;; 53 | esac 54 | done 55 | 56 | # Ensure an upgrade verb is provided 57 | if [ -z "$1" ]; then 58 | echo "No upgrade verb provided. Available options: 59 | - switch: Activate the new system right now. Warning: this can break your session. 60 | - boot: Activate the new system on the next reboot. 61 | - test: Activate the new system now but doesn't add it to the bootloader. If anything goes wrong, a reboot will revert to the old version. 62 | - dry-activate: Perform a dry activation - builds the system and explains what the activation will cause in terms of systemd service restarts and other actions. Helps you decide whether to switch or boot." 63 | exit 1 64 | fi 65 | 66 | # Remove all HTTP proxies 67 | unset all_proxy http_proxy https_proxy no_proxy 68 | # Set the TPM2 SSH agent to retrieve the repository. 69 | export SSH_AUTH_SOCK=/var/tmp/ssh-tpm-agent.sock 70 | 71 | # Ensure that the origin is the right URL. 72 | git -C "${self.infraRepositoryPath}" remote set-url origin "${config.securix.auto-updates.repoUrl}" 73 | 74 | if [ "$REMOTE_PULL" = true ]; then 75 | git -C "${self.infraRepositoryPath}" fetch origin 76 | if [ "$BRANCH" == "${config.securix.auto-updates.branch}" ]; then 77 | REPO_PATH="${self.infraRepositoryPath}" 78 | 79 | # Update the repo. 80 | # On main branch, it's ABSOLUTELY forbidden to do anything else than --ff-only. 81 | git -C "${self.infraRepositoryPath}" switch "${config.securix.auto-updates.branch}" 82 | git -C "$REPO_PATH" pull --ff-only || exit 1 83 | else 84 | ${ 85 | optionalString ( 86 | !cfg.enableAnyBranch 87 | ) ''echo "Branch $BRANCH is not eligible for manual upgrade." && exit 1'' 88 | } 89 | # Create a secure temporary directory 90 | TEMP_DIR=$(mktemp -d) 91 | trap 'git -C "${self.infraRepositoryPath}" worktree remove "$TEMP_DIR"; rm -rf "$TEMP_DIR"' EXIT 92 | 93 | # Extract a worktree for the specified branch in the temporary directory 94 | git -C "${self.infraRepositoryPath}" worktree add "$TEMP_DIR" "$BRANCH" || exit 1 95 | REPO_PATH="$TEMP_DIR" 96 | 97 | # Update the worktree. 98 | # When it's not main, accept force pushes. 99 | git -C "$REPO_PATH" pull --rebase || exit 1 100 | fi 101 | fi 102 | 103 | # Run nixos-rebuild with the given verb 104 | nixos-rebuild "$1" --file "$REPO_PATH/$SUBDIR" --attr terminals."${self.identifier}".system 105 | ''; 106 | }; 107 | in 108 | { 109 | options.securix.manual-upgrades = { 110 | enable = mkEnableOption "manual upgrade script"; 111 | enableAnyBranch = mkEnableOption "any branch to be targetted"; 112 | }; 113 | 114 | config = mkIf cfg.enable { 115 | environment.systemPackages = [ upgradeScript ]; 116 | security.sudo = { 117 | enable = true; 118 | extraRules = [ 119 | { 120 | groups = [ "operator" ]; 121 | commands = [ 122 | { 123 | command = "${upgradeScript}/bin/upgrade"; 124 | options = [ "NOPASSWD" ]; 125 | } 126 | { 127 | command = "/run/current-system/sw/bin/upgrade"; 128 | options = [ "NOPASSWD" ]; 129 | } 130 | ]; 131 | } 132 | ]; 133 | }; 134 | }; 135 | } 136 | -------------------------------------------------------------------------------- /modules/vpn/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | imports = [ 7 | ./ipsec 8 | ./netbird 9 | ./wireguard 10 | ]; 11 | } 12 | -------------------------------------------------------------------------------- /modules/vpn/ipsec/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | imports = [ 7 | # IPsec tunnel 8 | # System-level StrongSwan. 9 | ./networkmanager.nix 10 | # Firewall rules to go always to the IPsec tunnel 11 | ./firewall.nix 12 | ]; 13 | } 14 | -------------------------------------------------------------------------------- /modules/vpn/ipsec/firewall.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | config, 7 | pkgs, 8 | lib, 9 | ... 10 | }: 11 | let 12 | inherit (lib) 13 | mkIf 14 | mkEnableOption 15 | splitString 16 | concatStringsSep 17 | types 18 | mkOption 19 | ; 20 | cfg = config.securix.vpn.firewall; 21 | in 22 | { 23 | options.securix.vpn.firewall = { 24 | enable = mkEnableOption "the firewall that guides all packets into the IPsec tunnel only"; 25 | genericRulesetFile = mkOption { 26 | type = types.path; 27 | description = "Chemin vers le fichier générique des règles de pare-feu"; 28 | }; 29 | }; 30 | 31 | config = mkIf cfg.enable { 32 | services.resolved = { 33 | enable = true; 34 | dnssec = "false"; 35 | }; 36 | networking.firewall.enable = false; 37 | networking.nftables = { 38 | enable = true; 39 | rulesetFile = pkgs.substituteAll { 40 | src = cfg.genericRulesetFile; 41 | github_ips = concatStringsSep ",\n" ( 42 | map (l: "\t\t${l}") (splitString "\n" (builtins.readFile ./github-ipv4.txt)) 43 | ); 44 | }; 45 | checkRuleset = false; 46 | }; 47 | 48 | # This is a developer-only feature. 49 | environment.systemPackages = mkIf config.securix.self.developer [ 50 | # Dynamic firewall control tool. 51 | (pkgs.writeShellApplication { 52 | name = "firewall"; 53 | 54 | runtimeInputs = [ 55 | pkgs.nftables 56 | pkgs.gum 57 | ]; 58 | 59 | text = '' 60 | # Check if running as root 61 | if [[ $EUID -ne 0 ]]; then 62 | echo "This script must be run as root" 63 | exit 1 64 | fi 65 | 66 | # Display usage 67 | function usage() { 68 | echo "Usage: $0 {enable|disable|status}" 69 | exit 1 70 | } 71 | 72 | disable_ruleset() { 73 | echo "Disabling nftables ruleset..." 74 | 75 | # Flush all tables 76 | nft flush ruleset 77 | echo "All nftables rules flushed. Firewall is disabled." 78 | } 79 | 80 | enable_ruleset() { 81 | echo "Enabling nftables ruleset..." 82 | 83 | # Restore rules from the configuration. 84 | systemctl restart nftables.service 85 | echo "nftables ruleset re-enabled." 86 | } 87 | 88 | # Function to check the current status 89 | check_status() { 90 | if nft list ruleset | grep -q "chain"; then 91 | echo "nftables ruleset is currently ENABLED." 92 | else 93 | echo "nftables ruleset is currently DISABLED." 94 | fi 95 | } 96 | 97 | # Main script logic 98 | case "$1" in 99 | disable) 100 | disable_ruleset 101 | ;; 102 | enable) 103 | enable_ruleset 104 | ;; 105 | status) 106 | check_status 107 | ;; 108 | *) 109 | usage 110 | ;; 111 | esac 112 | ''; 113 | }) 114 | ]; 115 | }; 116 | } 117 | -------------------------------------------------------------------------------- /modules/vpn/ipsec/github-ipv4.txt: -------------------------------------------------------------------------------- 1 | 3.217.79.163/32 2 | 3.217.93.44/32 3 | 4.147.189.192/28 4 | 4.148.0.0/14 5 | 4.152.0.0/14 6 | 4.156.0.0/15 7 | 4.175.0.0/16 8 | 4.180.0.0/16 9 | 4.196.143.240/28 10 | 4.196.180.176/28 11 | 4.196.181.112/28 12 | 4.196.181.128/28 13 | 4.196.181.192/28 14 | 4.196.182.32/28 15 | 4.196.182.112/28 16 | 4.196.182.128/28 17 | 4.196.182.160/28 18 | 4.197.69.64/28 19 | 4.207.0.0/16 20 | 4.208.0.0/15 21 | 4.210.0.0/16 22 | 4.225.11.192/32 23 | 4.225.11.196/32 24 | 4.225.11.198/32 25 | 4.225.11.200/31 26 | 4.227.0.0/16 27 | 4.231.0.0/16 28 | 4.234.134.160/27 29 | 4.234.135.0/28 30 | 4.234.135.48/28 31 | 4.234.135.112/28 32 | 4.234.135.128/27 33 | 4.234.135.160/28 34 | 4.234.197.192/28 35 | 4.234.199.224/28 36 | 4.236.0.0/16 37 | 4.237.22.32/32 38 | 4.237.22.34/32 39 | 4.237.22.38/32 40 | 4.237.22.40/31 41 | 4.240.18.224/28 42 | 4.240.19.128/28 43 | 4.240.20.128/28 44 | 4.240.20.160/27 45 | 4.240.20.192/26 46 | 4.240.21.0/27 47 | 4.240.21.64/28 48 | 4.240.37.96/28 49 | 4.240.39.192/28 50 | 4.240.39.240/28 51 | 4.242.0.0/16 52 | 4.245.0.0/16 53 | 4.246.0.0/16 54 | 4.249.0.0/16 55 | 4.255.0.0/17 56 | 9.163.0.0/16 57 | 9.169.0.0/16 58 | 13.64.0.0/15 59 | 13.66.0.0/16 60 | 13.67.128.0/20 61 | 13.67.144.0/21 62 | 13.67.152.0/24 63 | 13.67.153.0/28 64 | 13.67.153.32/27 65 | 13.67.153.64/26 66 | 13.67.153.128/25 67 | 13.67.155.0/24 68 | 13.67.156.0/22 69 | 13.67.160.0/19 70 | 13.67.192.0/18 71 | 13.68.0.0/15 72 | 13.70.192.0/18 73 | 13.71.3.96/28 74 | 13.72.64.0/18 75 | 13.73.32.0/19 76 | 13.73.128.0/18 77 | 13.73.224.0/21 78 | 13.73.240.0/20 79 | 13.74.0.0/16 80 | 13.76.118.16/28 81 | 13.76.118.32/27 82 | 13.76.118.64/27 83 | 13.76.118.112/28 84 | 13.76.118.128/28 85 | 13.76.118.176/28 86 | 13.76.118.192/27 87 | 13.76.118.224/28 88 | 13.76.217.32/28 89 | 13.77.64.0/18 90 | 13.77.128.0/18 91 | 13.79.0.0/16 92 | 13.80.0.0/14 93 | 13.84.0.0/15 94 | 13.86.0.0/16 95 | 13.87.112.0/21 96 | 13.87.128.0/17 97 | 13.88.0.0/17 98 | 13.88.128.0/18 99 | 13.88.200.0/21 100 | 13.89.0.0/16 101 | 13.90.0.0/15 102 | 13.92.0.0/15 103 | 13.94.64.0/18 104 | 13.94.128.0/17 105 | 13.95.0.0/16 106 | 13.104.129.64/26 107 | 13.104.144.64/27 108 | 13.104.144.128/27 109 | 13.104.144.192/27 110 | 13.104.145.0/26 111 | 13.104.145.192/26 112 | 13.104.146.0/26 113 | 13.104.146.128/25 114 | 13.104.147.0/24 115 | 13.104.148.0/25 116 | 13.104.149.128/25 117 | 13.104.150.0/25 118 | 13.104.152.128/25 119 | 13.104.158.16/28 120 | 13.104.158.64/26 121 | 13.104.158.176/28 122 | 13.104.192.0/21 123 | 13.104.208.64/26 124 | 13.104.208.128/27 125 | 13.104.208.160/28 126 | 13.104.208.192/26 127 | 13.104.209.0/24 128 | 13.104.210.0/24 129 | 13.104.211.0/25 130 | 13.104.213.0/25 131 | 13.104.214.0/24 132 | 13.104.215.0/25 133 | 13.104.217.0/25 134 | 13.104.218.128/25 135 | 13.104.219.128/25 136 | 13.104.220.0/24 137 | 13.104.222.0/24 138 | 13.104.223.0/25 139 | 13.105.14.0/25 140 | 13.105.14.128/26 141 | 13.105.17.0/24 142 | 13.105.18.0/26 143 | 13.105.18.160/27 144 | 13.105.18.192/26 145 | 13.105.19.0/24 146 | 13.105.20.192/26 147 | 13.105.21.0/24 148 | 13.105.22.0/23 149 | 13.105.24.0/23 150 | 13.105.26.0/24 151 | 13.105.27.0/25 152 | 13.105.27.192/27 153 | 13.105.28.0/26 154 | 13.105.28.128/25 155 | 13.105.29.0/24 156 | 13.105.31.96/28 157 | 13.105.36.0/27 158 | 13.105.36.32/28 159 | 13.105.36.64/27 160 | 13.105.36.128/25 161 | 13.105.37.0/24 162 | 13.105.49.0/24 163 | 13.105.53.0/25 164 | 13.105.53.192/26 165 | 13.105.60.0/25 166 | 13.105.60.128/27 167 | 13.105.60.192/26 168 | 13.105.66.32/27 169 | 13.105.66.64/26 170 | 13.105.66.128/25 171 | 13.105.67.0/24 172 | 13.105.74.0/26 173 | 13.105.74.64/27 174 | 13.105.74.128/26 175 | 13.105.75.0/27 176 | 13.105.75.32/28 177 | 13.105.75.64/27 178 | 13.105.96.64/27 179 | 13.105.96.96/28 180 | 13.105.96.128/25 181 | 13.105.97.0/27 182 | 13.105.98.48/28 183 | 13.105.98.96/27 184 | 13.105.98.128/26 185 | 13.105.98.192/28 186 | 13.105.98.224/27 187 | 13.105.101.32/27 188 | 13.105.101.64/26 189 | 13.105.101.176/28 190 | 13.105.102.16/28 191 | 13.105.102.64/26 192 | 13.105.102.224/27 193 | 13.105.103.0/28 194 | 13.105.103.32/27 195 | 13.105.103.128/27 196 | 13.105.103.160/28 197 | 13.105.103.192/27 198 | 13.105.104.32/27 199 | 13.105.104.64/28 200 | 13.105.104.96/27 201 | 13.105.104.240/28 202 | 13.105.105.32/27 203 | 13.105.105.64/26 204 | 13.105.105.128/28 205 | 13.105.105.160/27 206 | 13.105.106.0/27 207 | 13.105.106.32/28 208 | 13.105.106.64/27 209 | 13.105.107.112/28 210 | 13.105.107.160/27 211 | 13.105.107.192/27 212 | 13.105.117.0/24 213 | 13.105.220.0/26 214 | 13.105.220.64/27 215 | 13.105.220.96/29 216 | 13.105.220.104/30 217 | 13.105.220.108/31 218 | 13.107.5.93/32 219 | 18.213.123.130/32 220 | 20.1.128.0/17 221 | 20.3.0.0/16 222 | 20.4.0.0/16 223 | 20.7.0.0/16 224 | 20.8.0.0/15 225 | 20.10.0.0/16 226 | 20.12.0.0/14 227 | 20.16.0.0/16 228 | 20.17.72.0/21 229 | 20.18.184.0/21 230 | 20.20.76.0/26 231 | 20.20.76.64/28 232 | 20.20.76.80/29 233 | 20.20.76.88/31 234 | 20.20.130.0/23 235 | 20.20.132.0/23 236 | 20.20.135.0/24 237 | 20.22.0.0/15 238 | 20.25.0.0/16 239 | 20.26.156.210/31 240 | 20.26.156.214/31 241 | 20.27.177.113/32 242 | 20.27.177.116/31 243 | 20.27.177.118/32 244 | 20.29.0.0/16 245 | 20.31.0.0/16 246 | 20.33.0.0/22 247 | 20.33.4.0/24 248 | 20.33.6.0/24 249 | 20.33.8.0/24 250 | 20.33.12.0/22 251 | 20.33.17.0/24 252 | 20.33.20.0/23 253 | 20.33.22.0/24 254 | 20.33.25.0/24 255 | 20.33.26.0/23 256 | 20.33.29.0/24 257 | 20.33.30.0/23 258 | 20.33.32.0/23 259 | 20.33.36.0/23 260 | 20.33.39.0/24 261 | 20.33.40.0/23 262 | 20.33.42.0/24 263 | 20.33.44.0/23 264 | 20.33.46.0/24 265 | 20.33.48.0/23 266 | 20.33.51.0/24 267 | 20.33.53.0/24 268 | 20.33.55.0/24 269 | 20.33.57.0/24 270 | 20.33.59.0/24 271 | 20.33.61.0/24 272 | 20.33.66.0/23 273 | 20.33.68.0/23 274 | 20.33.72.0/23 275 | 20.33.75.0/24 276 | 20.33.76.0/22 277 | 20.33.81.0/24 278 | 20.33.86.0/24 279 | 20.33.88.0/24 280 | 20.33.92.0/24 281 | 20.33.104.0/23 282 | 20.33.110.0/24 283 | 20.33.115.0/24 284 | 20.33.116.0/24 285 | 20.33.123.0/24 286 | 20.33.126.0/23 287 | 20.33.135.0/24 288 | 20.33.138.0/24 289 | 20.33.143.0/24 290 | 20.33.144.0/23 291 | 20.33.147.0/24 292 | 20.33.149.0/24 293 | 20.33.150.0/24 294 | 20.33.156.0/23 295 | 20.33.159.0/24 296 | 20.33.160.0/24 297 | 20.33.163.0/24 298 | 20.33.164.0/23 299 | 20.33.167.0/24 300 | 20.33.178.0/24 301 | 20.33.185.0/24 302 | 20.33.186.0/24 303 | 20.33.189.0/24 304 | 20.33.191.0/24 305 | 20.33.197.0/24 306 | 20.33.198.0/24 307 | 20.33.201.0/24 308 | 20.33.205.0/24 309 | 20.33.206.0/23 310 | 20.33.208.0/23 311 | 20.33.216.0/23 312 | 20.33.218.0/24 313 | 20.33.222.0/23 314 | 20.33.224.0/22 315 | 20.33.228.0/23 316 | 20.33.230.0/24 317 | 20.33.232.0/24 318 | 20.33.241.0/24 319 | 20.33.243.0/24 320 | 20.33.244.0/24 321 | 20.33.246.0/23 322 | 20.33.248.0/21 323 | 20.36.0.0/19 324 | 20.36.96.0/21 325 | 20.36.128.0/17 326 | 20.37.128.0/18 327 | 20.38.0.0/20 328 | 20.38.32.0/20 329 | 20.38.64.0/19 330 | 20.38.96.0/21 331 | 20.38.104.0/23 332 | 20.38.108.0/23 333 | 20.38.122.0/23 334 | 20.38.160.0/20 335 | 20.38.176.0/21 336 | 20.38.200.0/22 337 | 20.38.208.0/22 338 | 20.39.32.0/19 339 | 20.40.24.0/21 340 | 20.40.192.0/18 341 | 20.41.0.0/18 342 | 20.41.128.0/18 343 | 20.42.0.0/17 344 | 20.42.128.0/19 345 | 20.42.160.0/23 346 | 20.42.168.0/21 347 | 20.42.176.0/20 348 | 20.43.192.0/18 349 | 20.44.8.0/21 350 | 20.44.16.0/21 351 | 20.44.64.0/18 352 | 20.45.0.0/18 353 | 20.45.120.0/21 354 | 20.46.224.0/19 355 | 20.47.0.0/22 356 | 20.47.7.0/24 357 | 20.47.8.0/24 358 | 20.47.15.0/24 359 | 20.47.16.0/21 360 | 20.47.24.0/23 361 | 20.47.29.0/24 362 | 20.47.30.0/23 363 | 20.47.32.0/24 364 | 20.47.58.0/23 365 | 20.47.60.0/22 366 | 20.47.69.0/24 367 | 20.47.76.0/22 368 | 20.47.96.0/23 369 | 20.47.100.0/24 370 | 20.47.107.0/24 371 | 20.47.108.0/22 372 | 20.47.113.0/24 373 | 20.47.115.0/24 374 | 20.47.116.0/22 375 | 20.47.120.0/23 376 | 20.49.0.0/18 377 | 20.49.88.0/21 378 | 20.49.96.0/19 379 | 20.50.0.0/18 380 | 20.50.64.0/19 381 | 20.50.128.0/17 382 | 20.51.0.0/20 383 | 20.51.64.0/18 384 | 20.51.128.0/17 385 | 20.54.0.0/16 386 | 20.55.0.0/17 387 | 20.55.192.0/18 388 | 20.56.0.0/16 389 | 20.57.0.0/17 390 | 20.57.128.0/18 391 | 20.57.192.0/19 392 | 20.59.0.0/17 393 | 20.59.192.0/18 394 | 20.60.0.0/22 395 | 20.60.6.0/23 396 | 20.60.14.0/24 397 | 20.60.18.0/23 398 | 20.60.20.0/24 399 | 20.60.26.0/23 400 | 20.60.28.0/22 401 | 20.60.34.0/23 402 | 20.60.38.0/23 403 | 20.60.40.0/23 404 | 20.60.44.128/25 405 | 20.60.48.0/22 406 | 20.60.52.0/23 407 | 20.60.56.0/21 408 | 20.60.64.0/21 409 | 20.60.80.0/22 410 | 20.60.88.0/22 411 | 20.60.128.0/23 412 | 20.60.130.0/24 413 | 20.60.132.0/22 414 | 20.60.137.0/24 415 | 20.60.140.0/23 416 | 20.60.144.0/21 417 | 20.60.152.0/23 418 | 20.60.160.0/22 419 | 20.60.168.0/23 420 | 20.60.178.0/23 421 | 20.60.180.0/23 422 | 20.60.194.0/23 423 | 20.60.196.0/23 424 | 20.60.204.0/23 425 | 20.60.220.0/22 426 | 20.60.224.0/23 427 | 20.60.228.0/22 428 | 20.60.232.0/23 429 | 20.60.236.0/23 430 | 20.60.240.0/23 431 | 20.60.244.0/22 432 | 20.60.250.0/23 433 | 20.61.0.0/16 434 | 20.62.0.0/16 435 | 20.64.0.0/14 436 | 20.69.64.0/18 437 | 20.69.128.0/17 438 | 20.71.0.0/16 439 | 20.72.32.0/19 440 | 20.72.64.0/18 441 | 20.72.128.0/17 442 | 20.73.0.0/16 443 | 20.75.0.0/16 444 | 20.76.0.0/16 445 | 20.77.127.144/28 446 | 20.80.0.0/14 447 | 20.84.0.0/15 448 | 20.86.0.0/16 449 | 20.87.245.0/31 450 | 20.87.245.4/32 451 | 20.87.245.6/32 452 | 20.88.0.0/18 453 | 20.88.96.0/19 454 | 20.88.128.0/17 455 | 20.93.0.0/16 456 | 20.94.0.0/16 457 | 20.95.0.0/20 458 | 20.95.16.0/24 459 | 20.95.18.0/23 460 | 20.95.21.0/24 461 | 20.95.22.0/23 462 | 20.95.25.0/24 463 | 20.95.26.0/23 464 | 20.95.28.0/24 465 | 20.95.30.0/23 466 | 20.95.32.0/21 467 | 20.95.48.0/24 468 | 20.95.51.0/24 469 | 20.95.52.0/22 470 | 20.95.56.0/22 471 | 20.95.60.0/23 472 | 20.95.63.0/24 473 | 20.95.64.0/24 474 | 20.95.66.0/24 475 | 20.95.68.0/23 476 | 20.95.72.0/23 477 | 20.95.76.0/23 478 | 20.95.81.0/24 479 | 20.95.88.0/21 480 | 20.95.98.0/24 481 | 20.95.103.0/24 482 | 20.95.107.0/24 483 | 20.95.249.0/24 484 | 20.95.255.0/29 485 | 20.96.0.0/15 486 | 20.98.0.0/16 487 | 20.99.128.0/17 488 | 20.101.0.0/16 489 | 20.102.0.0/17 490 | 20.102.192.0/18 491 | 20.103.0.0/16 492 | 20.105.0.0/16 493 | 20.106.0.0/15 494 | 20.109.0.0/16 495 | 20.110.0.0/16 496 | 20.112.0.0/17 497 | 20.112.160.0/19 498 | 20.112.192.0/18 499 | 20.114.0.0/15 500 | 20.118.0.0/15 501 | 20.120.0.0/13 502 | 20.135.0.0/20 503 | 20.135.16.0/22 504 | 20.135.20.0/23 505 | 20.135.24.0/23 506 | 20.135.70.0/23 507 | 20.135.74.0/23 508 | 20.135.134.0/23 509 | 20.135.136.0/21 510 | 20.135.144.0/23 511 | 20.135.188.0/22 512 | 20.135.192.0/21 513 | 20.135.200.0/22 514 | 20.135.204.0/23 515 | 20.135.216.0/21 516 | 20.135.224.0/21 517 | 20.135.232.0/23 518 | 20.135.254.0/23 519 | 20.136.0.0/22 520 | 20.136.4.0/23 521 | 20.136.6.0/24 522 | 20.136.7.0/25 523 | 20.143.0.0/22 524 | 20.143.4.0/23 525 | 20.143.8.0/22 526 | 20.143.12.0/23 527 | 20.143.32.0/22 528 | 20.143.38.0/23 529 | 20.143.46.0/23 530 | 20.143.50.0/23 531 | 20.143.52.0/23 532 | 20.143.64.0/23 533 | 20.143.68.0/22 534 | 20.143.72.0/21 535 | 20.143.80.0/21 536 | 20.143.88.0/22 537 | 20.150.8.0/23 538 | 20.150.17.0/25 539 | 20.150.20.128/25 540 | 20.150.25.0/24 541 | 20.150.26.0/24 542 | 20.150.29.0/24 543 | 20.150.30.0/24 544 | 20.150.32.0/21 545 | 20.150.42.0/24 546 | 20.150.43.128/25 547 | 20.150.47.128/25 548 | 20.150.48.0/22 549 | 20.150.58.0/24 550 | 20.150.63.0/24 551 | 20.150.67.0/24 552 | 20.150.68.0/24 553 | 20.150.70.0/24 554 | 20.150.72.0/24 555 | 20.150.74.0/23 556 | 20.150.76.0/22 557 | 20.150.82.0/23 558 | 20.150.84.0/24 559 | 20.150.87.0/24 560 | 20.150.88.0/22 561 | 20.150.93.0/24 562 | 20.150.94.0/23 563 | 20.150.102.0/24 564 | 20.150.104.0/24 565 | 20.150.107.0/24 566 | 20.150.122.0/24 567 | 20.150.126.0/24 568 | 20.150.128.0/17 569 | 20.152.0.0/21 570 | 20.152.28.0/23 571 | 20.152.36.0/22 572 | 20.152.40.0/21 573 | 20.153.0.0/22 574 | 20.153.4.0/23 575 | 20.153.12.0/23 576 | 20.153.17.0/24 577 | 20.153.18.0/24 578 | 20.153.22.0/24 579 | 20.153.24.0/23 580 | 20.153.29.0/24 581 | 20.153.30.0/23 582 | 20.153.32.0/24 583 | 20.153.130.0/24 584 | 20.157.6.0/23 585 | 20.157.17.0/24 586 | 20.157.18.0/23 587 | 20.157.21.0/24 588 | 20.157.22.0/24 589 | 20.157.24.0/23 590 | 20.157.27.0/24 591 | 20.157.29.0/24 592 | 20.157.30.0/24 593 | 20.157.32.0/22 594 | 20.157.36.0/23 595 | 20.157.39.0/24 596 | 20.157.40.0/24 597 | 20.157.43.0/24 598 | 20.157.47.0/24 599 | 20.157.48.0/22 600 | 20.157.54.0/24 601 | 20.157.57.0/24 602 | 20.157.59.0/24 603 | 20.157.60.0/22 604 | 20.157.64.0/21 605 | 20.157.72.0/23 606 | 20.157.76.0/22 607 | 20.157.80.0/22 608 | 20.157.84.0/24 609 | 20.157.86.0/23 610 | 20.157.88.0/24 611 | 20.157.90.0/23 612 | 20.157.93.0/24 613 | 20.157.95.0/24 614 | 20.157.97.0/24 615 | 20.157.99.0/24 616 | 20.157.100.0/24 617 | 20.157.104.0/23 618 | 20.157.106.0/24 619 | 20.157.109.0/24 620 | 20.157.110.0/23 621 | 20.157.114.0/23 622 | 20.157.116.0/24 623 | 20.157.118.0/23 624 | 20.157.122.0/23 625 | 20.157.124.0/23 626 | 20.157.127.0/24 627 | 20.157.130.0/24 628 | 20.157.132.0/24 629 | 20.157.134.0/24 630 | 20.157.142.0/23 631 | 20.157.145.0/24 632 | 20.157.146.0/23 633 | 20.157.158.0/23 634 | 20.157.163.0/24 635 | 20.157.164.0/24 636 | 20.157.166.0/23 637 | 20.157.170.0/23 638 | 20.157.172.0/24 639 | 20.157.179.0/24 640 | 20.157.180.0/23 641 | 20.157.184.0/23 642 | 20.157.186.0/24 643 | 20.157.191.0/24 644 | 20.157.194.0/24 645 | 20.157.209.0/24 646 | 20.157.212.0/24 647 | 20.157.215.0/24 648 | 20.157.216.0/23 649 | 20.157.221.0/24 650 | 20.157.223.0/24 651 | 20.157.230.0/23 652 | 20.157.236.0/24 653 | 20.157.239.0/24 654 | 20.157.240.0/24 655 | 20.157.244.0/23 656 | 20.157.247.0/24 657 | 20.157.248.0/22 658 | 20.157.252.0/23 659 | 20.160.0.0/15 660 | 20.162.254.128/28 661 | 20.162.255.0/28 662 | 20.162.255.224/28 663 | 20.163.0.0/16 664 | 20.165.0.0/17 665 | 20.166.0.0/16 666 | 20.168.0.0/17 667 | 20.168.128.0/19 668 | 20.168.160.0/21 669 | 20.168.192.0/18 670 | 20.169.0.0/16 671 | 20.171.0.0/16 672 | 20.172.0.0/16 673 | 20.175.192.146/31 674 | 20.175.192.149/32 675 | 20.175.192.150/32 676 | 20.184.64.0/18 677 | 20.184.128.0/17 678 | 20.185.0.0/16 679 | 20.186.0.0/16 680 | 20.187.0.0/18 681 | 20.188.64.0/19 682 | 20.189.0.0/18 683 | 20.189.128.0/18 684 | 20.190.0.0/18 685 | 20.190.128.0/21 686 | 20.190.137.0/24 687 | 20.190.151.0/24 688 | 20.190.152.0/22 689 | 20.190.156.0/23 690 | 20.190.159.0/24 691 | 20.190.160.0/24 692 | 20.190.190.128/25 693 | 20.190.192.0/18 694 | 20.191.0.0/17 695 | 20.192.21.48/28 696 | 20.199.39.224/32 697 | 20.199.39.227/32 698 | 20.199.39.228/32 699 | 20.199.39.231/32 700 | 20.199.39.232/32 701 | 20.200.245.241/32 702 | 20.200.245.245/32 703 | 20.200.245.247/32 704 | 20.200.245.248/32 705 | 20.201.28.144/32 706 | 20.201.28.148/32 707 | 20.201.28.151/32 708 | 20.201.28.152/32 709 | 20.201.135.0/24 710 | 20.201.136.0/24 711 | 20.201.147.0/24 712 | 20.201.148.0/24 713 | 20.201.165.0/24 714 | 20.201.192.0/21 715 | 20.201.200.0/22 716 | 20.201.204.0/23 717 | 20.201.206.0/24 718 | 20.201.216.0/23 719 | 20.201.220.0/23 720 | 20.201.223.0/24 721 | 20.201.224.0/22 722 | 20.201.228.0/23 723 | 20.201.231.0/24 724 | 20.202.1.0/24 725 | 20.202.2.0/24 726 | 20.202.12.0/22 727 | 20.202.16.0/20 728 | 20.202.32.0/21 729 | 20.202.84.0/23 730 | 20.202.89.0/24 731 | 20.202.90.0/24 732 | 20.202.93.0/24 733 | 20.202.94.0/24 734 | 20.202.97.0/24 735 | 20.202.98.0/24 736 | 20.202.105.0/24 737 | 20.202.106.0/24 738 | 20.202.109.0/24 739 | 20.202.110.0/24 740 | 20.202.113.0/24 741 | 20.202.114.0/24 742 | 20.202.117.0/24 743 | 20.202.118.0/23 744 | 20.202.120.0/22 745 | 20.202.124.0/23 746 | 20.202.126.0/24 747 | 20.202.129.0/24 748 | 20.202.130.0/24 749 | 20.202.133.0/24 750 | 20.202.134.0/24 751 | 20.202.137.0/24 752 | 20.202.138.0/24 753 | 20.202.140.0/22 754 | 20.202.144.0/20 755 | 20.202.160.0/21 756 | 20.202.168.0/24 757 | 20.202.184.0/21 758 | 20.202.192.0/20 759 | 20.202.208.0/23 760 | 20.202.210.0/24 761 | 20.202.226.0/23 762 | 20.202.228.0/24 763 | 20.202.236.0/24 764 | 20.202.248.0/22 765 | 20.205.243.160/32 766 | 20.205.243.164/32 767 | 20.205.243.166/32 768 | 20.205.243.168/32 769 | 20.207.73.82/31 770 | 20.207.73.85/32 771 | 20.207.73.86/32 772 | 20.209.0.0/23 773 | 20.209.4.0/23 774 | 20.209.10.0/23 775 | 20.209.14.0/23 776 | 20.209.18.0/23 777 | 20.209.26.0/23 778 | 20.209.34.0/23 779 | 20.209.36.0/22 780 | 20.209.40.0/23 781 | 20.209.48.0/23 782 | 20.209.52.0/23 783 | 20.209.58.0/23 784 | 20.209.62.0/23 785 | 20.209.68.0/23 786 | 20.209.72.0/22 787 | 20.209.76.0/23 788 | 20.209.84.0/23 789 | 20.209.90.0/23 790 | 20.209.92.0/23 791 | 20.209.96.0/20 792 | 20.209.112.0/22 793 | 20.209.116.0/23 794 | 20.209.138.0/23 795 | 20.209.142.0/23 796 | 20.209.146.0/23 797 | 20.209.154.0/23 798 | 20.209.160.0/22 799 | 20.209.178.0/23 800 | 20.209.180.0/23 801 | 20.209.184.0/22 802 | 20.209.190.0/23 803 | 20.209.192.0/22 804 | 20.209.196.0/23 805 | 20.209.218.0/24 806 | 20.209.220.0/23 807 | 20.209.226.0/23 808 | 20.209.230.0/23 809 | 20.209.244.0/23 810 | 20.217.135.0/31 811 | 20.217.135.4/31 812 | 20.221.0.0/17 813 | 20.221.192.0/18 814 | 20.223.0.0/16 815 | 20.224.0.0/15 816 | 20.227.135.112/28 817 | 20.227.135.160/28 818 | 20.227.140.176/28 819 | 20.227.141.208/28 820 | 20.227.144.160/27 821 | 20.227.145.64/28 822 | 20.227.145.144/28 823 | 20.227.146.16/28 824 | 20.227.146.224/27 825 | 20.227.147.64/28 826 | 20.228.64.0/18 827 | 20.228.128.0/17 828 | 20.229.0.0/16 829 | 20.230.0.0/16 830 | 20.231.0.0/17 831 | 20.231.192.0/18 832 | 20.232.0.0/16 833 | 20.233.83.145/32 834 | 20.233.83.146/31 835 | 20.233.83.149/32 836 | 20.234.0.0/16 837 | 20.236.0.0/15 838 | 20.238.0.0/16 839 | 20.241.0.0/16 840 | 20.242.0.0/16 841 | 20.245.0.0/16 842 | 20.246.0.0/16 843 | 20.250.119.64/32 844 | 20.252.0.0/17 845 | 20.253.0.0/16 846 | 23.96.0.0/16 847 | 23.97.62.112/28 848 | 23.97.62.128/27 849 | 23.97.62.240/28 850 | 23.97.128.0/17 851 | 23.98.45.0/24 852 | 23.98.46.0/23 853 | 23.98.48.0/21 854 | 23.98.128.0/17 855 | 23.99.0.0/18 856 | 23.99.64.0/19 857 | 23.99.128.0/17 858 | 23.100.0.0/18 859 | 23.100.64.0/20 860 | 23.100.80.0/21 861 | 23.100.120.0/21 862 | 23.100.128.0/18 863 | 23.100.224.0/19 864 | 23.101.32.0/21 865 | 23.101.48.0/20 866 | 23.101.64.0/20 867 | 23.101.80.0/21 868 | 23.101.112.0/20 869 | 23.101.128.0/18 870 | 23.101.192.0/20 871 | 23.102.0.0/18 872 | 23.102.96.0/19 873 | 23.102.128.0/18 874 | 23.102.192.0/21 875 | 23.102.202.0/23 876 | 23.102.204.0/22 877 | 23.102.208.0/20 878 | 23.103.64.32/27 879 | 23.103.64.64/27 880 | 40.64.64.0/18 881 | 40.64.128.0/21 882 | 40.64.144.0/26 883 | 40.64.144.64/27 884 | 40.64.144.192/29 885 | 40.64.145.0/28 886 | 40.64.145.160/27 887 | 40.64.146.80/28 888 | 40.64.146.96/28 889 | 40.64.146.176/28 890 | 40.64.146.192/28 891 | 40.64.163.0/25 892 | 40.64.164.128/25 893 | 40.64.165.0/25 894 | 40.64.168.128/25 895 | 40.64.169.0/24 896 | 40.64.172.128/25 897 | 40.64.173.128/25 898 | 40.64.174.0/25 899 | 40.64.184.0/25 900 | 40.65.0.0/17 901 | 40.65.192.0/18 902 | 40.67.128.0/17 903 | 40.68.0.0/16 904 | 40.69.0.0/18 905 | 40.69.64.0/19 906 | 40.69.128.0/18 907 | 40.69.192.0/19 908 | 40.70.0.0/18 909 | 40.70.64.0/20 910 | 40.70.80.0/21 911 | 40.70.128.0/17 912 | 40.71.0.0/16 913 | 40.74.0.0/18 914 | 40.74.160.0/19 915 | 40.74.192.0/18 916 | 40.75.0.0/19 917 | 40.75.64.0/18 918 | 40.75.128.0/17 919 | 40.76.0.0/16 920 | 40.77.0.0/17 921 | 40.77.128.128/25 922 | 40.77.129.0/24 923 | 40.77.130.0/24 924 | 40.77.131.0/25 925 | 40.77.131.128/26 926 | 40.77.131.224/28 927 | 40.77.132.0/23 928 | 40.77.136.0/28 929 | 40.77.136.32/27 930 | 40.77.136.64/27 931 | 40.77.136.96/28 932 | 40.77.137.0/25 933 | 40.77.137.128/26 934 | 40.77.137.192/27 935 | 40.77.138.0/23 936 | 40.77.160.0/27 937 | 40.77.161.64/26 938 | 40.77.162.0/23 939 | 40.77.164.0/23 940 | 40.77.166.160/27 941 | 40.77.166.192/26 942 | 40.77.167.0/24 943 | 40.77.168.0/22 944 | 40.77.172.0/24 945 | 40.77.174.0/24 946 | 40.77.175.0/27 947 | 40.77.175.64/26 948 | 40.77.175.160/27 949 | 40.77.175.192/27 950 | 40.77.175.240/28 951 | 40.77.176.0/22 952 | 40.77.180.0/23 953 | 40.77.182.0/25 954 | 40.77.182.128/27 955 | 40.77.182.192/26 956 | 40.77.183.0/24 957 | 40.77.184.0/24 958 | 40.77.185.128/25 959 | 40.77.186.0/23 960 | 40.77.188.0/22 961 | 40.77.196.0/22 962 | 40.77.200.0/24 963 | 40.77.202.0/24 964 | 40.77.224.0/28 965 | 40.77.224.32/27 966 | 40.77.224.96/27 967 | 40.77.224.128/25 968 | 40.77.225.0/24 969 | 40.77.226.128/25 970 | 40.77.228.0/22 971 | 40.77.232.128/25 972 | 40.77.233.0/24 973 | 40.77.234.0/25 974 | 40.77.234.160/27 975 | 40.77.234.192/26 976 | 40.77.236.0/26 977 | 40.77.236.80/28 978 | 40.77.236.128/26 979 | 40.77.237.0/25 980 | 40.77.240.0/22 981 | 40.77.244.0/25 982 | 40.77.245.0/24 983 | 40.77.247.0/24 984 | 40.77.248.0/22 985 | 40.77.254.0/26 986 | 40.77.254.128/25 987 | 40.77.255.0/24 988 | 40.78.0.0/17 989 | 40.78.128.0/18 990 | 40.78.208.32/30 991 | 40.78.208.48/28 992 | 40.78.208.64/28 993 | 40.78.210.0/23 994 | 40.78.214.0/24 995 | 40.78.216.0/23 996 | 40.78.219.0/24 997 | 40.78.220.0/23 998 | 40.78.222.0/24 999 | 40.78.224.0/21 1000 | 40.78.240.0/20 1001 | 40.79.0.0/21 1002 | 40.79.8.0/27 1003 | 40.79.8.32/28 1004 | 40.79.8.64/27 1005 | 40.79.8.96/28 1006 | 40.79.9.0/24 1007 | 40.79.16.0/20 1008 | 40.79.32.0/20 1009 | 40.79.48.0/27 1010 | 40.79.48.32/28 1011 | 40.79.49.0/24 1012 | 40.79.56.0/21 1013 | 40.79.64.0/20 1014 | 40.79.80.0/21 1015 | 40.79.90.0/24 1016 | 40.79.91.0/28 1017 | 40.79.92.0/24 1018 | 40.79.93.0/28 1019 | 40.79.94.0/24 1020 | 40.79.95.0/28 1021 | 40.79.152.0/21 1022 | 40.79.204.0/25 1023 | 40.79.204.128/26 1024 | 40.79.205.64/28 1025 | 40.79.205.96/27 1026 | 40.79.205.192/27 1027 | 40.79.205.224/28 1028 | 40.79.206.0/27 1029 | 40.79.206.64/27 1030 | 40.79.206.128/26 1031 | 40.79.206.192/27 1032 | 40.79.207.80/28 1033 | 40.79.207.128/25 1034 | 40.79.240.0/20 1035 | 40.80.144.0/20 1036 | 40.80.160.0/24 1037 | 40.80.184.0/21 1038 | 40.80.192.0/19 1039 | 40.81.0.0/20 1040 | 40.81.32.0/20 1041 | 40.82.4.0/22 1042 | 40.82.16.0/22 1043 | 40.82.24.0/22 1044 | 40.82.36.0/22 1045 | 40.82.44.0/22 1046 | 40.82.60.0/22 1047 | 40.82.92.0/22 1048 | 40.82.96.0/22 1049 | 40.82.248.0/21 1050 | 40.83.0.0/20 1051 | 40.83.16.0/21 1052 | 40.83.24.0/26 1053 | 40.83.24.64/27 1054 | 40.83.24.128/25 1055 | 40.83.25.0/24 1056 | 40.83.26.0/23 1057 | 40.83.28.0/22 1058 | 40.83.32.0/19 1059 | 40.83.128.0/17 1060 | 40.84.0.0/16 1061 | 40.85.0.0/17 1062 | 40.85.128.0/18 1063 | 40.86.0.0/17 1064 | 40.86.128.0/18 1065 | 40.87.0.0/17 1066 | 40.87.128.0/19 1067 | 40.87.160.0/21 1068 | 40.87.168.0/30 1069 | 40.87.168.8/29 1070 | 40.87.168.16/28 1071 | 40.87.168.32/29 1072 | 40.87.168.48/28 1073 | 40.87.168.64/30 1074 | 40.87.168.70/31 1075 | 40.87.168.72/29 1076 | 40.87.168.80/28 1077 | 40.87.168.96/27 1078 | 40.87.168.128/26 1079 | 40.87.168.192/28 1080 | 40.87.168.210/31 1081 | 40.87.168.212/30 1082 | 40.87.168.216/29 1083 | 40.87.168.224/27 1084 | 40.87.169.0/27 1085 | 40.87.169.32/29 1086 | 40.87.169.44/30 1087 | 40.87.169.48/29 1088 | 40.87.169.56/31 1089 | 40.87.169.60/30 1090 | 40.87.169.64/27 1091 | 40.87.169.96/31 1092 | 40.87.169.102/31 1093 | 40.87.169.104/29 1094 | 40.87.169.112/28 1095 | 40.87.169.128/29 1096 | 40.87.169.136/31 1097 | 40.87.169.140/30 1098 | 40.87.169.160/27 1099 | 40.87.169.192/26 1100 | 40.87.170.0/25 1101 | 40.87.170.128/28 1102 | 40.87.170.144/31 1103 | 40.87.170.152/29 1104 | 40.87.170.160/28 1105 | 40.87.170.176/29 1106 | 40.87.170.184/30 1107 | 40.87.170.194/31 1108 | 40.87.170.196/30 1109 | 40.87.170.214/31 1110 | 40.87.170.216/30 1111 | 40.87.170.228/30 1112 | 40.87.170.232/29 1113 | 40.87.170.240/29 1114 | 40.87.170.248/30 1115 | 40.87.171.2/31 1116 | 40.87.171.4/30 1117 | 40.87.171.8/29 1118 | 40.87.171.16/28 1119 | 40.87.171.36/30 1120 | 40.87.171.40/31 1121 | 40.87.171.72/29 1122 | 40.87.171.80/28 1123 | 40.87.171.96/27 1124 | 40.87.171.128/27 1125 | 40.87.171.160/31 1126 | 40.87.171.166/31 1127 | 40.87.171.168/29 1128 | 40.87.171.176/28 1129 | 40.87.171.192/27 1130 | 40.87.171.224/28 1131 | 40.87.171.240/29 1132 | 40.87.171.248/31 1133 | 40.87.172.0/22 1134 | 40.87.176.0/25 1135 | 40.87.176.128/27 1136 | 40.87.176.160/29 1137 | 40.87.176.174/31 1138 | 40.87.176.184/30 1139 | 40.87.176.192/28 1140 | 40.87.176.216/29 1141 | 40.87.176.224/29 1142 | 40.87.176.232/31 1143 | 40.87.176.240/28 1144 | 40.87.177.16/28 1145 | 40.87.177.32/27 1146 | 40.87.177.64/27 1147 | 40.87.177.96/28 1148 | 40.87.177.112/29 1149 | 40.87.177.120/31 1150 | 40.87.177.124/30 1151 | 40.87.177.128/28 1152 | 40.87.177.144/29 1153 | 40.87.177.152/31 1154 | 40.87.177.156/30 1155 | 40.87.177.160/27 1156 | 40.87.177.192/29 1157 | 40.87.177.200/30 1158 | 40.87.177.212/30 1159 | 40.87.177.216/29 1160 | 40.87.177.224/27 1161 | 40.87.178.0/24 1162 | 40.87.179.0/25 1163 | 40.87.179.128/26 1164 | 40.87.179.192/31 1165 | 40.87.179.202/31 1166 | 40.87.179.204/30 1167 | 40.87.179.208/28 1168 | 40.87.179.224/27 1169 | 40.87.180.0/30 1170 | 40.87.180.4/31 1171 | 40.87.180.14/31 1172 | 40.87.180.16/30 1173 | 40.87.180.20/31 1174 | 40.87.180.28/30 1175 | 40.87.180.32/29 1176 | 40.87.180.42/31 1177 | 40.87.180.44/30 1178 | 40.87.180.48/28 1179 | 40.87.180.64/30 1180 | 40.87.180.74/31 1181 | 40.87.180.76/30 1182 | 40.87.180.80/28 1183 | 40.87.180.96/27 1184 | 40.87.180.128/26 1185 | 40.87.180.192/30 1186 | 40.87.180.202/31 1187 | 40.87.180.204/30 1188 | 40.87.180.208/28 1189 | 40.87.180.224/28 1190 | 40.87.180.240/29 1191 | 40.87.180.248/30 1192 | 40.87.181.4/30 1193 | 40.87.181.8/29 1194 | 40.87.181.16/28 1195 | 40.87.181.32/27 1196 | 40.87.181.64/26 1197 | 40.87.181.128/28 1198 | 40.87.181.144/29 1199 | 40.87.181.152/31 1200 | 40.87.181.162/31 1201 | 40.87.181.164/30 1202 | 40.87.181.168/29 1203 | 40.87.181.176/28 1204 | 40.87.181.192/26 1205 | 40.87.182.4/30 1206 | 40.87.182.8/29 1207 | 40.87.182.24/29 1208 | 40.87.182.32/28 1209 | 40.87.182.48/29 1210 | 40.87.182.56/30 1211 | 40.87.182.62/31 1212 | 40.87.182.64/26 1213 | 40.87.182.128/25 1214 | 40.87.183.0/28 1215 | 40.87.183.16/29 1216 | 40.87.183.24/30 1217 | 40.87.183.34/31 1218 | 40.87.183.36/30 1219 | 40.87.183.42/31 1220 | 40.87.183.44/30 1221 | 40.87.183.54/31 1222 | 40.87.183.56/29 1223 | 40.87.183.64/26 1224 | 40.87.183.144/28 1225 | 40.87.183.160/27 1226 | 40.87.183.192/27 1227 | 40.87.183.224/29 1228 | 40.87.183.232/30 1229 | 40.87.183.236/31 1230 | 40.87.183.244/30 1231 | 40.87.183.248/29 1232 | 40.87.184.0/21 1233 | 40.87.232.0/21 1234 | 40.88.0.0/16 1235 | 40.89.224.0/19 1236 | 40.90.8.0/21 1237 | 40.90.16.0/27 1238 | 40.90.16.128/27 1239 | 40.90.16.192/26 1240 | 40.90.17.64/26 1241 | 40.90.17.192/27 1242 | 40.90.18.64/26 1243 | 40.90.18.128/25 1244 | 40.90.19.64/26 1245 | 40.90.19.128/25 1246 | 40.90.20.0/22 1247 | 40.90.24.128/25 1248 | 40.90.25.0/24 1249 | 40.90.26.128/25 1250 | 40.90.27.64/26 1251 | 40.90.27.128/26 1252 | 40.90.28.64/26 1253 | 40.90.28.128/26 1254 | 40.90.30.160/27 1255 | 40.90.30.192/26 1256 | 40.90.31.128/25 1257 | 40.90.128.16/28 1258 | 40.90.128.128/28 1259 | 40.90.128.224/28 1260 | 40.90.129.128/25 1261 | 40.90.130.0/27 1262 | 40.90.130.64/28 1263 | 40.90.130.96/28 1264 | 40.90.130.160/27 1265 | 40.90.130.192/28 1266 | 40.90.130.224/28 1267 | 40.90.131.32/27 1268 | 40.90.131.192/26 1269 | 40.90.132.48/28 1270 | 40.90.132.96/27 1271 | 40.90.132.128/25 1272 | 40.90.133.0/27 1273 | 40.90.133.64/26 1274 | 40.90.133.128/28 1275 | 40.90.134.64/26 1276 | 40.90.134.128/25 1277 | 40.90.135.0/24 1278 | 40.90.136.0/26 1279 | 40.90.136.160/27 1280 | 40.90.136.224/27 1281 | 40.90.137.96/27 1282 | 40.90.137.192/26 1283 | 40.90.138.0/27 1284 | 40.90.138.160/27 1285 | 40.90.138.208/28 1286 | 40.90.139.32/27 1287 | 40.90.139.192/26 1288 | 40.90.140.64/26 1289 | 40.90.140.128/25 1290 | 40.90.141.0/26 1291 | 40.90.141.96/27 1292 | 40.90.141.128/26 1293 | 40.90.142.128/27 1294 | 40.90.142.224/27 1295 | 40.90.143.0/27 1296 | 40.90.143.192/26 1297 | 40.90.144.0/25 1298 | 40.90.144.128/26 1299 | 40.90.144.192/27 1300 | 40.90.145.0/26 1301 | 40.90.145.64/27 1302 | 40.90.145.160/27 1303 | 40.90.145.192/26 1304 | 40.90.146.0/25 1305 | 40.90.146.128/27 1306 | 40.90.147.0/27 1307 | 40.90.147.96/27 1308 | 40.90.148.0/25 1309 | 40.90.148.128/26 1310 | 40.90.148.192/27 1311 | 40.90.149.96/27 1312 | 40.90.149.128/25 1313 | 40.90.150.32/27 1314 | 40.90.150.128/25 1315 | 40.90.151.144/28 1316 | 40.90.152.160/27 1317 | 40.90.153.0/26 1318 | 40.90.153.96/27 1319 | 40.90.153.128/25 1320 | 40.90.154.64/26 1321 | 40.90.155.0/26 1322 | 40.90.155.128/25 1323 | 40.90.156.128/25 1324 | 40.90.157.64/26 1325 | 40.90.157.128/26 1326 | 40.90.158.64/26 1327 | 40.90.158.128/25 1328 | 40.90.159.0/24 1329 | 40.90.192.0/18 1330 | 40.91.0.0/21 1331 | 40.91.12.16/28 1332 | 40.91.12.48/28 1333 | 40.91.12.64/26 1334 | 40.91.12.128/28 1335 | 40.91.12.160/27 1336 | 40.91.12.208/28 1337 | 40.91.12.240/28 1338 | 40.91.13.64/27 1339 | 40.91.13.96/28 1340 | 40.91.13.128/27 1341 | 40.91.13.240/28 1342 | 40.91.14.0/24 1343 | 40.91.16.0/20 1344 | 40.91.32.0/22 1345 | 40.91.64.0/18 1346 | 40.91.160.0/19 1347 | 40.91.192.0/18 1348 | 40.93.0.0/22 1349 | 40.93.4.0/23 1350 | 40.93.7.0/24 1351 | 40.93.8.0/22 1352 | 40.93.12.0/23 1353 | 40.93.14.0/24 1354 | 40.93.20.0/24 1355 | 40.93.23.0/24 1356 | 40.93.64.0/23 1357 | 40.93.192.0/22 1358 | 40.93.196.0/23 1359 | 40.96.50.0/24 1360 | 40.96.61.0/24 1361 | 40.96.63.0/24 1362 | 40.97.4.0/22 1363 | 40.97.12.0/24 1364 | 40.97.14.0/26 1365 | 40.97.20.0/24 1366 | 40.97.22.0/23 1367 | 40.97.32.0/22 1368 | 40.97.44.0/22 1369 | 40.97.52.0/26 1370 | 40.97.53.0/24 1371 | 40.97.54.0/25 1372 | 40.97.55.64/26 1373 | 40.97.55.128/25 1374 | 40.97.63.128/25 1375 | 40.97.72.0/26 1376 | 40.101.2.0/24 1377 | 40.101.3.0/25 1378 | 40.101.20.64/26 1379 | 40.101.20.128/25 1380 | 40.101.21.0/25 1381 | 40.101.21.128/26 1382 | 40.107.199.0/24 1383 | 40.107.200.0/23 1384 | 40.107.208.0/23 1385 | 40.107.210.0/24 1386 | 40.112.36.0/24 1387 | 40.112.37.0/25 1388 | 40.112.38.192/26 1389 | 40.112.48.0/20 1390 | 40.112.64.0/18 1391 | 40.112.128.0/17 1392 | 40.113.0.0/16 1393 | 40.114.0.0/16 1394 | 40.115.0.0/18 1395 | 40.115.96.0/19 1396 | 40.116.0.0/16 1397 | 40.117.32.0/19 1398 | 40.117.64.0/18 1399 | 40.117.128.0/17 1400 | 40.118.0.0/16 1401 | 40.119.0.0/18 1402 | 40.119.88.0/22 1403 | 40.119.128.0/19 1404 | 40.120.148.0/23 1405 | 40.120.150.0/24 1406 | 40.120.151.0/25 1407 | 40.120.151.128/26 1408 | 40.120.151.192/27 1409 | 40.120.151.224/29 1410 | 40.120.151.232/30 1411 | 40.120.152.0/23 1412 | 40.120.154.0/25 1413 | 40.120.154.128/27 1414 | 40.120.154.160/28 1415 | 40.120.154.176/30 1416 | 40.120.154.180/31 1417 | 40.120.156.0/28 1418 | 40.120.156.16/29 1419 | 40.120.156.24/30 1420 | 40.120.156.28/31 1421 | 40.120.156.40/31 1422 | 40.120.156.56/30 1423 | 40.120.156.72/29 1424 | 40.120.156.80/28 1425 | 40.120.156.96/31 1426 | 40.120.156.102/31 1427 | 40.120.156.104/29 1428 | 40.120.156.112/30 1429 | 40.120.156.116/31 1430 | 40.120.156.120/31 1431 | 40.120.156.130/31 1432 | 40.120.156.132/30 1433 | 40.120.156.136/29 1434 | 40.120.156.144/28 1435 | 40.120.156.160/27 1436 | 40.120.156.192/26 1437 | 40.120.157.0/25 1438 | 40.120.157.128/28 1439 | 40.120.157.144/29 1440 | 40.120.157.152/30 1441 | 40.120.157.172/30 1442 | 40.120.157.176/28 1443 | 40.120.157.192/26 1444 | 40.120.158.0/26 1445 | 40.120.158.64/28 1446 | 40.120.158.80/30 1447 | 40.120.158.86/31 1448 | 40.120.158.88/29 1449 | 40.120.158.96/31 1450 | 40.120.158.100/30 1451 | 40.120.158.104/30 1452 | 40.120.158.124/30 1453 | 40.120.158.128/26 1454 | 40.120.158.192/27 1455 | 40.120.158.224/28 1456 | 40.120.158.240/29 1457 | 40.120.158.248/30 1458 | 40.120.158.254/31 1459 | 40.120.159.0/29 1460 | 40.120.159.10/31 1461 | 40.120.159.12/30 1462 | 40.120.159.18/31 1463 | 40.120.159.20/30 1464 | 40.120.159.24/29 1465 | 40.120.159.32/27 1466 | 40.120.159.64/29 1467 | 40.120.159.74/31 1468 | 40.120.159.76/30 1469 | 40.120.159.80/28 1470 | 40.120.159.96/31 1471 | 40.120.159.106/31 1472 | 40.120.159.108/30 1473 | 40.120.159.112/28 1474 | 40.120.159.128/27 1475 | 40.120.159.160/31 1476 | 40.120.160.0/22 1477 | 40.120.164.2/31 1478 | 40.120.164.4/30 1479 | 40.120.164.8/29 1480 | 40.120.164.16/29 1481 | 40.120.164.24/30 1482 | 40.120.164.36/30 1483 | 40.120.164.40/29 1484 | 40.120.164.48/29 1485 | 40.120.164.56/31 1486 | 40.120.164.66/31 1487 | 40.120.164.68/30 1488 | 40.120.164.72/30 1489 | 40.120.164.76/31 1490 | 40.120.164.80/28 1491 | 40.120.164.100/30 1492 | 40.120.164.104/29 1493 | 40.120.164.112/31 1494 | 40.120.164.118/31 1495 | 40.120.164.120/29 1496 | 40.120.164.128/27 1497 | 40.120.164.160/28 1498 | 40.120.164.176/31 1499 | 40.120.164.180/30 1500 | 40.120.164.184/30 1501 | 40.120.164.188/31 1502 | 40.120.164.196/30 1503 | 40.120.164.200/29 1504 | 40.120.164.208/28 1505 | 40.120.164.224/31 1506 | 40.120.164.228/30 1507 | 40.120.164.232/30 1508 | 40.120.164.236/31 1509 | 40.120.164.240/29 1510 | 40.120.164.250/31 1511 | 40.120.164.252/30 1512 | 40.120.165.0/25 1513 | 40.120.165.128/26 1514 | 40.120.165.192/27 1515 | 40.120.165.224/28 1516 | 40.120.165.240/31 1517 | 40.120.165.244/30 1518 | 40.120.165.248/29 1519 | 40.120.166.0/27 1520 | 40.120.166.32/30 1521 | 40.120.166.40/29 1522 | 40.120.166.48/28 1523 | 40.120.166.64/31 1524 | 40.120.166.68/30 1525 | 40.120.166.72/29 1526 | 40.120.166.80/28 1527 | 40.120.166.96/27 1528 | 40.120.166.128/26 1529 | 40.120.166.192/27 1530 | 40.120.166.224/30 1531 | 40.120.166.230/31 1532 | 40.120.166.232/29 1533 | 40.120.166.240/28 1534 | 40.120.167.0/26 1535 | 40.120.167.64/30 1536 | 40.120.188.0/25 1537 | 40.120.188.128/27 1538 | 40.121.0.0/16 1539 | 40.122.16.0/20 1540 | 40.122.32.0/19 1541 | 40.122.64.0/18 1542 | 40.122.128.0/17 1543 | 40.123.0.0/17 1544 | 40.123.132.0/22 1545 | 40.123.140.0/22 1546 | 40.123.144.0/26 1547 | 40.123.144.64/29 1548 | 40.123.144.104/29 1549 | 40.123.144.112/28 1550 | 40.123.144.128/28 1551 | 40.123.144.144/29 1552 | 40.123.144.156/30 1553 | 40.123.144.160/27 1554 | 40.123.144.192/27 1555 | 40.123.144.224/28 1556 | 40.123.144.240/29 1557 | 40.123.144.248/30 1558 | 40.123.144.252/31 1559 | 40.123.145.6/31 1560 | 40.123.145.8/30 1561 | 40.123.145.12/31 1562 | 40.123.145.22/31 1563 | 40.123.145.24/29 1564 | 40.123.145.32/28 1565 | 40.123.145.48/29 1566 | 40.123.145.56/30 1567 | 40.123.145.68/30 1568 | 40.123.145.72/29 1569 | 40.123.145.80/28 1570 | 40.123.145.96/27 1571 | 40.123.145.128/27 1572 | 40.123.145.160/30 1573 | 40.123.145.166/31 1574 | 40.123.145.168/29 1575 | 40.123.145.176/28 1576 | 40.123.145.192/28 1577 | 40.123.145.208/30 1578 | 40.123.145.212/31 1579 | 40.123.145.222/31 1580 | 40.123.145.224/27 1581 | 40.123.146.0/28 1582 | 40.123.146.16/29 1583 | 40.123.146.24/30 1584 | 40.123.146.28/31 1585 | 40.123.146.42/31 1586 | 40.123.146.44/30 1587 | 40.123.146.48/31 1588 | 40.123.146.54/31 1589 | 40.123.146.56/29 1590 | 40.123.146.64/26 1591 | 40.123.146.128/27 1592 | 40.123.146.160/30 1593 | 40.123.146.164/31 1594 | 40.123.146.182/31 1595 | 40.123.146.184/29 1596 | 40.123.146.192/29 1597 | 40.123.146.200/30 1598 | 40.123.146.204/31 1599 | 40.123.146.210/31 1600 | 40.123.146.212/30 1601 | 40.123.146.216/29 1602 | 40.123.146.224/27 1603 | 40.123.147.0/27 1604 | 40.123.147.32/31 1605 | 40.123.147.38/31 1606 | 40.123.147.40/29 1607 | 40.123.147.48/28 1608 | 40.123.147.64/28 1609 | 40.123.147.80/30 1610 | 40.123.147.84/31 1611 | 40.123.147.104/29 1612 | 40.123.147.112/29 1613 | 40.123.147.138/31 1614 | 40.123.147.140/30 1615 | 40.123.147.144/31 1616 | 40.123.147.148/30 1617 | 40.123.147.152/29 1618 | 40.123.147.160/28 1619 | 40.123.147.176/30 1620 | 40.123.147.180/31 1621 | 40.123.147.184/29 1622 | 40.123.147.192/26 1623 | 40.123.152.0/21 1624 | 40.123.160.0/22 1625 | 40.123.164.0/25 1626 | 40.123.164.128/29 1627 | 40.123.164.136/31 1628 | 40.123.164.150/31 1629 | 40.123.164.152/29 1630 | 40.123.164.160/27 1631 | 40.123.164.192/26 1632 | 40.123.165.4/30 1633 | 40.123.165.8/29 1634 | 40.123.165.16/29 1635 | 40.123.165.24/30 1636 | 40.123.165.30/31 1637 | 40.123.165.32/28 1638 | 40.123.165.48/29 1639 | 40.123.165.56/30 1640 | 40.123.165.60/31 1641 | 40.123.165.68/30 1642 | 40.123.165.72/30 1643 | 40.123.165.78/31 1644 | 40.123.165.80/28 1645 | 40.123.165.96/27 1646 | 40.123.165.128/28 1647 | 40.123.165.144/29 1648 | 40.123.165.154/31 1649 | 40.123.165.156/30 1650 | 40.123.165.160/27 1651 | 40.123.165.192/26 1652 | 40.123.166.0/25 1653 | 40.123.166.128/28 1654 | 40.123.166.144/30 1655 | 40.123.166.150/31 1656 | 40.123.166.152/29 1657 | 40.123.166.160/27 1658 | 40.123.166.192/26 1659 | 40.123.167.0/25 1660 | 40.123.167.128/26 1661 | 40.123.167.192/27 1662 | 40.123.167.224/29 1663 | 40.123.167.232/31 1664 | 40.123.168.0/24 1665 | 40.123.169.0/30 1666 | 40.123.169.6/31 1667 | 40.123.169.8/29 1668 | 40.123.169.16/28 1669 | 40.123.169.32/27 1670 | 40.123.169.64/27 1671 | 40.123.169.96/29 1672 | 40.123.169.104/31 1673 | 40.123.169.108/30 1674 | 40.123.169.112/28 1675 | 40.123.169.140/30 1676 | 40.123.169.144/28 1677 | 40.123.169.160/27 1678 | 40.123.169.192/26 1679 | 40.123.170.0/29 1680 | 40.123.170.8/30 1681 | 40.123.170.12/31 1682 | 40.123.170.22/31 1683 | 40.123.170.24/29 1684 | 40.123.170.32/28 1685 | 40.123.170.52/30 1686 | 40.123.170.86/31 1687 | 40.123.170.88/29 1688 | 40.123.170.96/29 1689 | 40.123.170.104/30 1690 | 40.123.170.108/31 1691 | 40.123.170.116/30 1692 | 40.123.170.120/29 1693 | 40.123.170.130/31 1694 | 40.123.170.132/30 1695 | 40.123.170.136/29 1696 | 40.123.170.144/28 1697 | 40.123.170.160/28 1698 | 40.123.170.176/29 1699 | 40.123.170.184/31 1700 | 40.123.170.192/31 1701 | 40.123.170.196/30 1702 | 40.123.170.200/29 1703 | 40.123.170.208/29 1704 | 40.123.170.216/30 1705 | 40.123.170.220/31 1706 | 40.123.170.224/27 1707 | 40.123.171.0/24 1708 | 40.123.176.0/21 1709 | 40.123.184.0/26 1710 | 40.123.184.64/28 1711 | 40.123.184.80/29 1712 | 40.123.184.88/31 1713 | 40.123.184.98/31 1714 | 40.123.184.100/30 1715 | 40.123.184.104/29 1716 | 40.123.184.112/28 1717 | 40.123.184.128/27 1718 | 40.123.184.168/29 1719 | 40.123.184.176/29 1720 | 40.123.184.184/31 1721 | 40.123.184.194/31 1722 | 40.123.184.196/30 1723 | 40.123.184.200/30 1724 | 40.123.184.204/31 1725 | 40.123.184.208/29 1726 | 40.123.184.230/31 1727 | 40.123.184.232/29 1728 | 40.123.185.8/29 1729 | 40.123.185.16/28 1730 | 40.123.185.32/27 1731 | 40.123.185.64/30 1732 | 40.123.185.100/30 1733 | 40.123.185.104/30 1734 | 40.123.185.110/31 1735 | 40.123.185.112/28 1736 | 40.123.185.128/27 1737 | 40.123.185.192/27 1738 | 40.123.185.224/28 1739 | 40.123.185.240/29 1740 | 40.123.185.250/31 1741 | 40.123.185.254/31 1742 | 40.123.186.0/29 1743 | 40.123.186.8/31 1744 | 40.123.186.28/31 1745 | 40.123.186.42/31 1746 | 40.123.186.44/30 1747 | 40.123.186.48/31 1748 | 40.123.186.52/31 1749 | 40.123.186.56/29 1750 | 40.123.186.64/26 1751 | 40.123.186.128/25 1752 | 40.123.187.0/25 1753 | 40.123.187.128/27 1754 | 40.123.187.160/31 1755 | 40.123.187.170/31 1756 | 40.123.187.172/30 1757 | 40.123.187.176/29 1758 | 40.123.187.188/30 1759 | 40.123.187.192/29 1760 | 40.123.187.200/31 1761 | 40.123.187.204/30 1762 | 40.123.187.208/28 1763 | 40.123.187.226/31 1764 | 40.123.187.228/30 1765 | 40.123.187.232/29 1766 | 40.123.187.244/30 1767 | 40.123.187.248/29 1768 | 40.124.0.0/16 1769 | 40.125.32.0/19 1770 | 40.125.64.0/18 1771 | 40.126.0.0/21 1772 | 40.126.9.0/24 1773 | 40.126.23.0/24 1774 | 40.126.24.0/22 1775 | 40.126.28.0/23 1776 | 40.126.31.0/24 1777 | 40.126.32.0/24 1778 | 40.126.62.128/25 1779 | 40.126.202.0/24 1780 | 40.127.96.0/20 1781 | 40.127.128.0/17 1782 | 48.208.3.0/24 1783 | 48.208.4.0/22 1784 | 48.208.8.0/21 1785 | 48.208.16.0/21 1786 | 48.208.24.0/23 1787 | 48.208.26.0/24 1788 | 48.208.47.0/24 1789 | 48.208.53.0/24 1790 | 48.208.54.0/23 1791 | 48.208.56.0/23 1792 | 48.208.58.0/24 1793 | 48.208.67.0/24 1794 | 48.208.72.0/21 1795 | 48.208.80.0/24 1796 | 48.208.128.0/19 1797 | 48.208.160.0/24 1798 | 48.208.169.0/24 1799 | 48.208.170.0/23 1800 | 48.208.172.0/22 1801 | 48.208.176.0/22 1802 | 48.208.180.0/23 1803 | 48.208.182.0/24 1804 | 48.208.216.0/24 1805 | 48.209.0.0/16 1806 | 48.211.0.0/16 1807 | 48.214.0.0/16 1808 | 48.216.128.0/17 1809 | 48.217.0.0/16 1810 | 48.219.240.0/21 1811 | 50.85.0.0/16 1812 | 51.5.0.0/22 1813 | 51.5.11.0/24 1814 | 51.5.12.0/24 1815 | 51.5.20.0/24 1816 | 51.5.23.0/24 1817 | 51.5.24.0/24 1818 | 51.5.38.0/23 1819 | 51.5.40.0/23 1820 | 51.5.46.0/23 1821 | 51.5.255.224/27 1822 | 51.8.0.0/16 1823 | 51.104.64.0/18 1824 | 51.104.128.0/18 1825 | 51.105.96.0/19 1826 | 51.105.128.0/17 1827 | 51.124.0.0/16 1828 | 51.136.0.0/16 1829 | 51.137.0.0/17 1830 | 51.137.192.0/18 1831 | 51.138.0.0/17 1832 | 51.138.176.0/20 1833 | 51.138.224.0/20 1834 | 51.141.160.0/19 1835 | 51.143.0.0/17 1836 | 51.144.0.0/16 1837 | 51.145.53.144/28 1838 | 51.145.128.0/17 1839 | 52.0.228.224/32 1840 | 52.22.155.48/32 1841 | 52.23.85.212/32 1842 | 52.96.11.0/24 1843 | 52.101.0.0/20 1844 | 52.101.16.0/21 1845 | 52.101.28.0/22 1846 | 52.101.32.0/21 1847 | 52.101.41.0/24 1848 | 52.101.42.0/23 1849 | 52.101.44.0/22 1850 | 52.101.48.0/20 1851 | 52.101.64.0/21 1852 | 52.101.72.0/23 1853 | 52.101.84.0/22 1854 | 52.101.193.0/24 1855 | 52.101.194.0/24 1856 | 52.101.201.0/24 1857 | 52.101.202.0/24 1858 | 52.102.128.0/22 1859 | 52.102.132.0/24 1860 | 52.102.134.0/23 1861 | 52.102.136.0/22 1862 | 52.102.140.0/24 1863 | 52.102.146.0/24 1864 | 52.102.149.0/24 1865 | 52.102.158.0/23 1866 | 52.102.160.0/23 1867 | 52.103.0.0/22 1868 | 52.103.4.0/23 1869 | 52.103.6.0/24 1870 | 52.103.8.0/22 1871 | 52.103.12.0/23 1872 | 52.103.14.0/24 1873 | 52.103.20.0/24 1874 | 52.103.23.0/24 1875 | 52.103.32.0/23 1876 | 52.103.128.0/22 1877 | 52.103.132.0/24 1878 | 52.103.134.0/24 1879 | 52.103.136.0/22 1880 | 52.103.140.0/24 1881 | 52.103.145.0/24 1882 | 52.103.148.0/24 1883 | 52.103.160.0/23 1884 | 52.106.0.0/24 1885 | 52.106.2.0/23 1886 | 52.106.4.0/23 1887 | 52.106.7.0/24 1888 | 52.106.8.0/23 1889 | 52.108.0.0/21 1890 | 52.108.16.0/20 1891 | 52.108.56.0/21 1892 | 52.108.72.0/24 1893 | 52.108.78.0/23 1894 | 52.108.80.0/24 1895 | 52.108.93.0/24 1896 | 52.108.102.0/23 1897 | 52.108.104.0/22 1898 | 52.108.108.0/23 1899 | 52.108.110.0/24 1900 | 52.108.139.0/24 1901 | 52.108.165.0/24 1902 | 52.108.166.0/23 1903 | 52.108.174.0/23 1904 | 52.108.176.0/24 1905 | 52.108.182.0/24 1906 | 52.108.185.0/24 1907 | 52.108.186.0/24 1908 | 52.108.196.0/23 1909 | 52.108.203.0/24 1910 | 52.108.208.0/21 1911 | 52.108.216.0/22 1912 | 52.108.240.0/20 1913 | 52.109.0.0/20 1914 | 52.109.16.0/21 1915 | 52.109.24.0/22 1916 | 52.109.76.0/22 1917 | 52.109.88.0/22 1918 | 52.111.211.0/24 1919 | 52.111.227.0/24 1920 | 52.111.229.0/24 1921 | 52.111.230.0/24 1922 | 52.111.235.0/24 1923 | 52.111.236.0/24 1924 | 52.111.239.0/24 1925 | 52.111.243.0/24 1926 | 52.111.245.0/24 1927 | 52.111.246.0/24 1928 | 52.112.14.0/23 1929 | 52.112.17.0/24 1930 | 52.112.18.0/23 1931 | 52.112.22.0/23 1932 | 52.112.24.0/21 1933 | 52.112.38.0/23 1934 | 52.112.53.0/24 1935 | 52.112.72.0/24 1936 | 52.112.76.0/22 1937 | 52.112.83.0/24 1938 | 52.112.84.0/22 1939 | 52.112.92.0/24 1940 | 52.112.94.0/23 1941 | 52.112.97.0/24 1942 | 52.112.98.0/23 1943 | 52.112.101.0/24 1944 | 52.112.102.0/24 1945 | 52.112.104.0/22 1946 | 52.112.108.0/23 1947 | 52.112.110.0/24 1948 | 52.112.112.0/22 1949 | 52.112.116.0/23 1950 | 52.112.123.0/24 1951 | 52.112.124.0/24 1952 | 52.112.127.0/24 1953 | 52.112.128.0/24 1954 | 52.112.133.0/24 1955 | 52.112.138.0/24 1956 | 52.112.144.0/20 1957 | 52.112.191.0/24 1958 | 52.112.197.0/24 1959 | 52.112.216.0/21 1960 | 52.112.228.128/25 1961 | 52.112.229.0/24 1962 | 52.112.232.0/23 1963 | 52.112.236.0/23 1964 | 52.112.238.0/24 1965 | 52.113.9.0/24 1966 | 52.113.12.0/24 1967 | 52.113.16.0/20 1968 | 52.113.37.0/24 1969 | 52.113.38.0/23 1970 | 52.113.40.0/21 1971 | 52.113.48.0/20 1972 | 52.113.69.0/24 1973 | 52.113.83.0/24 1974 | 52.113.85.0/24 1975 | 52.113.86.0/24 1976 | 52.113.112.0/20 1977 | 52.113.129.0/24 1978 | 52.113.130.0/24 1979 | 52.113.135.0/24 1980 | 52.113.136.0/21 1981 | 52.113.144.0/21 1982 | 52.113.160.0/19 1983 | 52.113.198.0/23 1984 | 52.113.205.0/24 1985 | 52.113.206.0/24 1986 | 52.113.208.0/20 1987 | 52.114.72.0/21 1988 | 52.114.128.0/19 1989 | 52.114.168.0/21 1990 | 52.114.180.0/22 1991 | 52.114.184.0/22 1992 | 52.114.206.0/23 1993 | 52.114.208.0/24 1994 | 52.114.210.0/23 1995 | 52.114.212.0/23 1996 | 52.114.231.0/24 1997 | 52.114.233.0/24 1998 | 52.114.241.0/24 1999 | 52.114.242.0/24 2000 | 52.114.248.0/21 2001 | 52.115.54.0/23 2002 | 52.115.62.0/23 2003 | 52.115.68.0/22 2004 | 52.115.76.0/22 2005 | 52.115.84.0/22 2006 | 52.115.88.0/22 2007 | 52.115.92.0/23 2008 | 52.115.140.0/22 2009 | 52.115.144.0/20 2010 | 52.115.160.0/19 2011 | 52.115.192.0/19 2012 | 52.115.224.0/21 2013 | 52.115.232.0/23 2014 | 52.115.234.0/24 2015 | 52.115.242.0/23 2016 | 52.120.0.0/17 2017 | 52.120.128.0/20 2018 | 52.120.152.0/22 2019 | 52.120.192.0/19 2020 | 52.120.224.0/20 2021 | 52.121.0.0/21 2022 | 52.121.16.0/20 2023 | 52.121.32.0/21 2024 | 52.121.48.0/20 2025 | 52.121.64.0/20 2026 | 52.121.166.0/24 2027 | 52.121.224.0/24 2028 | 52.122.0.0/20 2029 | 52.122.16.0/21 2030 | 52.122.24.0/22 2031 | 52.122.56.0/21 2032 | 52.122.64.0/19 2033 | 52.122.96.0/20 2034 | 52.122.112.0/21 2035 | 52.122.148.0/22 2036 | 52.122.152.0/21 2037 | 52.122.160.0/19 2038 | 52.122.192.0/22 2039 | 52.123.0.0/21 2040 | 52.123.10.0/23 2041 | 52.123.12.0/23 2042 | 52.123.16.0/22 2043 | 52.123.41.0/24 2044 | 52.123.57.0/24 2045 | 52.123.133.0/24 2046 | 52.123.134.0/23 2047 | 52.123.136.0/22 2048 | 52.123.140.0/24 2049 | 52.123.185.0/24 2050 | 52.123.186.0/23 2051 | 52.123.188.0/22 2052 | 52.123.195.0/24 2053 | 52.125.128.0/21 2054 | 52.125.136.0/22 2055 | 52.125.140.0/23 2056 | 52.136.0.0/22 2057 | 52.136.29.0/24 2058 | 52.136.30.0/24 2059 | 52.136.64.0/18 2060 | 52.136.192.0/18 2061 | 52.137.0.0/16 2062 | 52.138.80.0/21 2063 | 52.138.96.0/19 2064 | 52.138.128.0/17 2065 | 52.141.64.0/18 2066 | 52.141.128.0/18 2067 | 52.141.192.0/19 2068 | 52.141.240.0/20 2069 | 52.142.0.0/17 2070 | 52.142.192.0/18 2071 | 52.143.0.0/17 2072 | 52.143.192.0/22 2073 | 52.143.197.0/24 2074 | 52.143.207.0/24 2075 | 52.143.208.0/23 2076 | 52.143.211.0/24 2077 | 52.143.224.0/19 2078 | 52.146.0.0/16 2079 | 52.147.160.0/19 2080 | 52.147.192.0/18 2081 | 52.148.128.0/17 2082 | 52.149.0.0/16 2083 | 52.150.0.0/17 2084 | 52.151.0.0/18 2085 | 52.151.128.0/17 2086 | 52.152.0.0/16 2087 | 52.153.0.0/17 2088 | 52.153.192.0/18 2089 | 52.154.0.0/16 2090 | 52.155.32.0/19 2091 | 52.155.64.0/19 2092 | 52.155.128.0/17 2093 | 52.156.64.0/18 2094 | 52.156.128.0/19 2095 | 52.156.192.0/18 2096 | 52.157.0.0/16 2097 | 52.158.0.0/17 2098 | 52.158.160.0/20 2099 | 52.158.192.0/18 2100 | 52.159.64.0/18 2101 | 52.159.128.0/17 2102 | 52.160.0.0/16 2103 | 52.162.0.0/16 2104 | 52.164.0.0/16 2105 | 52.165.0.0/19 2106 | 52.165.32.0/20 2107 | 52.165.48.0/28 2108 | 52.165.49.0/24 2109 | 52.165.56.0/21 2110 | 52.165.64.0/19 2111 | 52.165.96.0/21 2112 | 52.165.104.0/25 2113 | 52.165.128.0/17 2114 | 52.166.0.0/15 2115 | 52.168.0.0/14 2116 | 52.172.130.176/28 2117 | 52.173.0.0/16 2118 | 52.174.0.0/16 2119 | 52.175.140.176/32 2120 | 52.175.192.0/18 2121 | 52.176.0.0/17 2122 | 52.176.128.0/19 2123 | 52.176.160.0/21 2124 | 52.176.176.0/20 2125 | 52.176.192.0/19 2126 | 52.176.224.0/24 2127 | 52.177.0.0/16 2128 | 52.178.0.0/15 2129 | 52.180.0.0/17 2130 | 52.180.128.0/19 2131 | 52.180.184.0/27 2132 | 52.180.184.32/28 2133 | 52.180.185.0/24 2134 | 52.182.128.0/17 2135 | 52.183.0.0/17 2136 | 52.183.192.0/18 2137 | 52.184.128.0/19 2138 | 52.184.160.0/21 2139 | 52.184.168.0/28 2140 | 52.184.168.80/28 2141 | 52.184.168.96/27 2142 | 52.184.168.128/28 2143 | 52.184.169.0/24 2144 | 52.184.170.0/24 2145 | 52.184.176.0/20 2146 | 52.184.192.0/18 2147 | 52.185.0.0/19 2148 | 52.185.32.0/20 2149 | 52.185.48.0/21 2150 | 52.185.56.0/26 2151 | 52.185.56.64/27 2152 | 52.185.56.96/28 2153 | 52.185.56.128/27 2154 | 52.185.56.160/28 2155 | 52.185.64.0/19 2156 | 52.185.96.0/20 2157 | 52.185.112.0/26 2158 | 52.185.112.96/27 2159 | 52.185.120.0/21 2160 | 52.185.192.0/18 2161 | 52.186.0.0/16 2162 | 52.188.0.0/16 2163 | 52.189.0.0/17 2164 | 52.189.128.0/18 2165 | 52.190.0.0/15 2166 | 52.224.0.0/16 2167 | 52.225.0.0/17 2168 | 52.225.128.0/21 2169 | 52.225.136.0/27 2170 | 52.225.136.32/28 2171 | 52.225.136.64/28 2172 | 52.225.137.0/24 2173 | 52.225.192.0/18 2174 | 52.226.0.0/16 2175 | 52.228.128.0/17 2176 | 52.229.0.0/18 2177 | 52.230.128.0/17 2178 | 52.232.0.0/17 2179 | 52.232.146.0/23 2180 | 52.232.148.0/23 2181 | 52.232.151.0/24 2182 | 52.232.152.0/24 2183 | 52.232.156.0/23 2184 | 52.232.159.0/24 2185 | 52.232.160.0/19 2186 | 52.232.192.0/18 2187 | 52.233.64.0/18 2188 | 52.233.128.0/17 2189 | 52.234.0.0/16 2190 | 52.235.64.0/18 2191 | 52.236.0.0/16 2192 | 52.237.128.0/18 2193 | 52.238.0.0/18 2194 | 52.238.192.0/18 2195 | 52.239.0.0/17 2196 | 52.239.136.0/21 2197 | 52.239.148.32/27 2198 | 52.239.148.128/25 2199 | 52.239.149.0/24 2200 | 52.239.150.0/23 2201 | 52.239.152.0/22 2202 | 52.239.156.0/24 2203 | 52.239.157.0/25 2204 | 52.239.157.128/26 2205 | 52.239.157.192/27 2206 | 52.239.158.0/23 2207 | 52.239.160.0/22 2208 | 52.239.165.64/26 2209 | 52.239.165.128/27 2210 | 52.239.168.0/21 2211 | 52.239.176.128/25 2212 | 52.239.177.32/27 2213 | 52.239.177.64/26 2214 | 52.239.177.128/25 2215 | 52.239.178.0/23 2216 | 52.239.180.0/22 2217 | 52.239.184.0/25 2218 | 52.239.184.160/28 2219 | 52.239.184.192/27 2220 | 52.239.185.32/27 2221 | 52.239.186.0/24 2222 | 52.239.192.0/26 2223 | 52.239.192.64/28 2224 | 52.239.192.96/27 2225 | 52.239.192.160/27 2226 | 52.239.192.192/26 2227 | 52.239.193.0/24 2228 | 52.239.195.0/24 2229 | 52.239.198.0/25 2230 | 52.239.198.192/26 2231 | 52.239.199.0/24 2232 | 52.239.200.0/23 2233 | 52.239.203.0/24 2234 | 52.239.205.0/24 2235 | 52.239.206.0/24 2236 | 52.239.207.32/28 2237 | 52.239.207.64/26 2238 | 52.239.207.128/27 2239 | 52.239.207.192/26 2240 | 52.239.208.0/21 2241 | 52.239.220.0/22 2242 | 52.239.228.0/23 2243 | 52.239.234.0/23 2244 | 52.239.236.0/23 2245 | 52.239.242.0/23 2246 | 52.239.246.0/23 2247 | 52.239.248.0/24 2248 | 52.239.252.0/22 2249 | 52.240.0.0/15 2250 | 52.242.64.0/18 2251 | 52.242.128.0/17 2252 | 52.245.8.0/21 2253 | 52.245.24.0/22 2254 | 52.245.40.0/22 2255 | 52.245.44.0/24 2256 | 52.245.45.0/25 2257 | 52.245.45.128/28 2258 | 52.245.45.160/27 2259 | 52.245.45.192/26 2260 | 52.245.46.0/27 2261 | 52.245.46.48/28 2262 | 52.245.46.64/28 2263 | 52.245.46.112/28 2264 | 52.245.46.128/28 2265 | 52.245.46.160/27 2266 | 52.245.46.192/26 2267 | 52.245.48.0/21 2268 | 52.245.68.0/24 2269 | 52.245.69.32/27 2270 | 52.245.69.64/27 2271 | 52.245.69.96/28 2272 | 52.245.69.144/28 2273 | 52.245.69.160/27 2274 | 52.245.69.192/26 2275 | 52.245.70.0/23 2276 | 52.245.72.0/22 2277 | 52.245.88.0/22 2278 | 52.245.104.0/21 2279 | 52.245.124.0/22 2280 | 52.246.0.0/17 2281 | 52.246.192.0/18 2282 | 52.247.0.0/17 2283 | 52.247.192.0/18 2284 | 52.248.0.0/16 2285 | 52.249.0.0/18 2286 | 52.249.128.0/17 2287 | 52.250.0.0/16 2288 | 52.251.0.0/17 2289 | 52.252.0.0/16 2290 | 52.253.0.0/18 2291 | 52.253.64.0/20 2292 | 52.253.148.0/23 2293 | 52.253.154.0/23 2294 | 52.253.160.0/24 2295 | 52.253.179.0/24 2296 | 52.253.180.0/24 2297 | 52.253.182.0/23 2298 | 52.253.184.0/24 2299 | 52.254.0.0/18 2300 | 52.254.64.0/19 2301 | 52.254.96.0/20 2302 | 52.254.112.0/21 2303 | 52.254.128.0/17 2304 | 52.255.0.0/19 2305 | 52.255.64.0/18 2306 | 52.255.128.0/17 2307 | 57.150.0.0/22 2308 | 57.150.4.0/23 2309 | 57.150.8.0/22 2310 | 57.150.12.0/25 2311 | 57.150.12.128/28 2312 | 57.150.13.128/25 2313 | 57.150.14.0/23 2314 | 57.150.16.0/24 2315 | 57.150.18.0/24 2316 | 57.150.19.0/25 2317 | 57.150.19.128/27 2318 | 57.150.19.160/28 2319 | 57.150.20.0/24 2320 | 57.150.26.0/23 2321 | 57.150.28.0/22 2322 | 57.150.32.0/23 2323 | 57.150.38.0/23 2324 | 57.150.42.0/23 2325 | 57.150.48.0/23 2326 | 57.150.52.0/23 2327 | 57.150.56.0/23 2328 | 57.150.60.0/22 2329 | 57.150.66.0/23 2330 | 57.150.68.0/22 2331 | 57.150.72.0/22 2332 | 57.150.78.0/23 2333 | 57.150.80.0/21 2334 | 57.150.90.0/23 2335 | 57.150.96.0/22 2336 | 57.150.102.0/23 2337 | 57.150.104.0/21 2338 | 57.150.118.0/23 2339 | 57.150.124.0/23 2340 | 57.150.128.0/23 2341 | 57.150.132.0/22 2342 | 57.150.140.0/22 2343 | 57.150.144.0/20 2344 | 57.150.160.0/21 2345 | 57.150.168.0/23 2346 | 57.150.178.0/23 2347 | 57.150.182.0/23 2348 | 57.150.188.0/22 2349 | 57.150.192.0/23 2350 | 57.150.204.0/23 2351 | 57.150.220.0/22 2352 | 57.150.224.0/23 2353 | 57.150.228.0/23 2354 | 57.151.0.0/17 2355 | 57.152.0.0/17 2356 | 57.153.0.0/16 2357 | 57.154.0.0/16 2358 | 57.157.8.0/31 2359 | 64.236.0.0/16 2360 | 65.52.0.0/19 2361 | 65.52.32.0/21 2362 | 65.52.48.0/20 2363 | 65.52.64.0/20 2364 | 65.52.104.0/24 2365 | 65.52.106.0/24 2366 | 65.52.108.0/22 2367 | 65.52.112.0/20 2368 | 65.52.128.0/19 2369 | 65.52.192.0/19 2370 | 65.52.224.0/20 2371 | 65.52.240.0/21 2372 | 65.54.19.128/27 2373 | 65.55.32.128/28 2374 | 65.55.32.193/32 2375 | 65.55.32.194/31 2376 | 65.55.32.196/32 2377 | 65.55.32.209/32 2378 | 65.55.32.210/31 2379 | 65.55.44.8/29 2380 | 65.55.44.16/28 2381 | 65.55.44.32/27 2382 | 65.55.44.64/26 2383 | 65.55.44.128/27 2384 | 65.55.51.0/24 2385 | 65.55.60.176/29 2386 | 65.55.60.188/30 2387 | 65.55.105.0/26 2388 | 65.55.105.96/27 2389 | 65.55.105.160/27 2390 | 65.55.105.192/26 2391 | 65.55.106.0/26 2392 | 65.55.106.64/27 2393 | 65.55.106.128/25 2394 | 65.55.107.0/28 2395 | 65.55.107.48/28 2396 | 65.55.107.64/26 2397 | 65.55.108.0/23 2398 | 65.55.110.0/24 2399 | 65.55.120.0/24 2400 | 65.55.144.0/23 2401 | 65.55.146.0/24 2402 | 65.55.207.0/24 2403 | 65.55.209.0/25 2404 | 65.55.209.128/26 2405 | 65.55.210.0/24 2406 | 65.55.211.0/26 2407 | 65.55.212.0/27 2408 | 65.55.212.128/25 2409 | 65.55.213.0/27 2410 | 65.55.213.64/26 2411 | 65.55.213.128/26 2412 | 65.55.217.0/24 2413 | 65.55.218.0/23 2414 | 65.55.250.0/24 2415 | 65.55.252.0/24 2416 | 68.154.0.0/17 2417 | 68.218.39.192/28 2418 | 68.219.0.0/16 2419 | 68.220.0.0/18 2420 | 68.220.88.0/21 2421 | 68.220.128.0/17 2422 | 70.37.0.0/21 2423 | 70.37.8.0/22 2424 | 70.37.16.0/20 2425 | 70.37.32.0/19 2426 | 70.37.64.0/18 2427 | 70.37.160.0/21 2428 | 70.152.7.0/24 2429 | 70.152.8.0/23 2430 | 70.152.18.0/23 2431 | 70.152.24.0/24 2432 | 70.152.36.0/24 2433 | 70.152.38.0/23 2434 | 70.152.40.0/24 2435 | 70.152.55.0/24 2436 | 70.152.56.0/23 2437 | 70.152.64.0/22 2438 | 70.152.68.0/23 2439 | 70.152.91.0/24 2440 | 70.152.92.0/22 2441 | 70.152.96.0/19 2442 | 70.152.128.0/18 2443 | 70.152.192.0/20 2444 | 70.152.208.0/23 2445 | 70.152.210.0/24 2446 | 72.145.0.0/17 2447 | 72.145.128.0/18 2448 | 72.147.128.0/17 2449 | 72.152.0.0/15 2450 | 72.154.0.0/16 2451 | 74.178.0.0/15 2452 | 74.234.0.0/15 2453 | 74.249.0.0/16 2454 | 94.245.88.0/21 2455 | 94.245.104.0/21 2456 | 94.245.117.96/27 2457 | 94.245.118.0/25 2458 | 94.245.120.128/27 2459 | 94.245.122.0/24 2460 | 94.245.123.144/28 2461 | 94.245.123.176/28 2462 | 98.64.0.0/16 2463 | 98.71.0.0/16 2464 | 104.40.0.0/16 2465 | 104.41.64.0/18 2466 | 104.41.128.0/19 2467 | 104.41.192.0/18 2468 | 104.42.0.0/16 2469 | 104.43.128.0/17 2470 | 104.44.88.0/25 2471 | 104.44.88.128/26 2472 | 104.44.89.0/27 2473 | 104.44.89.64/27 2474 | 104.44.89.128/26 2475 | 104.44.89.192/27 2476 | 104.44.90.192/27 2477 | 104.44.91.0/25 2478 | 104.44.91.128/26 2479 | 104.44.92.64/26 2480 | 104.44.92.192/26 2481 | 104.44.93.0/27 2482 | 104.44.93.160/27 2483 | 104.44.93.192/27 2484 | 104.44.94.0/26 2485 | 104.44.94.64/27 2486 | 104.44.94.160/27 2487 | 104.44.95.0/28 2488 | 104.44.95.80/28 2489 | 104.44.95.96/28 2490 | 104.44.95.128/26 2491 | 104.44.95.240/28 2492 | 104.44.128.0/18 2493 | 104.45.0.0/16 2494 | 104.46.0.0/20 2495 | 104.46.32.0/19 2496 | 104.46.64.0/18 2497 | 104.46.192.0/20 2498 | 104.47.128.0/18 2499 | 104.47.200.0/21 2500 | 104.47.208.0/23 2501 | 104.47.216.64/26 2502 | 104.47.218.0/23 2503 | 104.47.220.0/22 2504 | 104.208.0.0/19 2505 | 104.208.32.0/20 2506 | 104.208.128.0/17 2507 | 104.209.0.0/18 2508 | 104.209.128.0/17 2509 | 104.210.0.0/20 2510 | 104.210.32.0/19 2511 | 104.210.128.0/19 2512 | 104.210.176.0/20 2513 | 104.210.192.0/19 2514 | 104.211.0.0/18 2515 | 104.214.0.0/17 2516 | 104.214.192.0/18 2517 | 104.215.64.0/18 2518 | 104.215.250.48/28 2519 | 104.215.251.96/28 2520 | 104.215.252.144/28 2521 | 104.215.255.144/28 2522 | 104.215.255.224/28 2523 | 108.141.0.0/16 2524 | 108.142.0.0/15 2525 | 128.24.0.0/17 2526 | 128.85.0.0/16 2527 | 128.203.0.0/16 2528 | 128.251.0.0/16 2529 | 131.253.12.16/28 2530 | 131.253.12.40/29 2531 | 131.253.12.48/29 2532 | 131.253.12.160/28 2533 | 131.253.12.192/27 2534 | 131.253.12.224/29 2535 | 131.253.12.248/29 2536 | 131.253.13.0/26 2537 | 131.253.13.72/29 2538 | 131.253.13.80/29 2539 | 131.253.13.88/30 2540 | 131.253.13.96/30 2541 | 131.253.13.128/27 2542 | 131.253.14.4/30 2543 | 131.253.14.8/31 2544 | 131.253.14.16/28 2545 | 131.253.14.32/27 2546 | 131.253.14.96/27 2547 | 131.253.14.128/26 2548 | 131.253.14.192/29 2549 | 131.253.14.208/28 2550 | 131.253.14.224/28 2551 | 131.253.14.248/29 2552 | 131.253.15.8/29 2553 | 131.253.15.16/28 2554 | 131.253.15.32/27 2555 | 131.253.15.192/26 2556 | 131.253.24.0/28 2557 | 131.253.24.192/26 2558 | 131.253.25.0/24 2559 | 131.253.27.0/24 2560 | 131.253.34.224/27 2561 | 131.253.35.128/26 2562 | 131.253.36.128/26 2563 | 131.253.36.224/27 2564 | 131.253.38.0/26 2565 | 131.253.38.128/26 2566 | 131.253.38.224/27 2567 | 131.253.40.0/27 2568 | 131.253.40.32/28 2569 | 131.253.40.64/26 2570 | 131.253.40.128/27 2571 | 131.253.40.192/26 2572 | 131.253.41.0/24 2573 | 134.170.220.0/23 2574 | 134.170.222.0/24 2575 | 135.224.0.0/16 2576 | 135.232.0.0/15 2577 | 135.234.0.0/16 2578 | 135.236.0.0/15 2579 | 137.116.0.0/18 2580 | 137.116.64.0/19 2581 | 137.116.96.0/22 2582 | 137.116.112.0/20 2583 | 137.116.176.0/20 2584 | 137.116.192.0/18 2585 | 137.117.0.0/16 2586 | 137.135.0.0/16 2587 | 138.91.48.0/20 2588 | 138.91.64.0/18 2589 | 138.91.128.0/17 2590 | 140.82.112.0/20 2591 | 143.55.64.0/20 2592 | 151.206.71.0/24 2593 | 151.206.72.0/23 2594 | 151.206.74.0/24 2595 | 151.206.79.0/24 2596 | 151.206.80.0/22 2597 | 151.206.84.0/23 2598 | 151.206.86.0/24 2599 | 151.206.129.0/24 2600 | 151.206.130.0/23 2601 | 151.206.132.0/24 2602 | 151.206.134.0/23 2603 | 151.206.139.0/24 2604 | 157.55.2.128/26 2605 | 157.55.7.128/26 2606 | 157.55.8.64/26 2607 | 157.55.8.144/28 2608 | 157.55.10.160/29 2609 | 157.55.10.176/28 2610 | 157.55.10.192/26 2611 | 157.55.11.128/25 2612 | 157.55.12.64/26 2613 | 157.55.13.64/26 2614 | 157.55.13.128/26 2615 | 157.55.37.0/24 2616 | 157.55.38.0/23 2617 | 157.55.48.0/24 2618 | 157.55.50.0/25 2619 | 157.55.55.0/27 2620 | 157.55.55.32/28 2621 | 157.55.55.100/30 2622 | 157.55.55.104/29 2623 | 157.55.55.136/29 2624 | 157.55.55.144/28 2625 | 157.55.55.160/28 2626 | 157.55.55.176/29 2627 | 157.55.55.200/29 2628 | 157.55.55.216/29 2629 | 157.55.55.228/30 2630 | 157.55.55.232/29 2631 | 157.55.55.240/28 2632 | 157.55.60.224/27 2633 | 157.55.64.0/19 2634 | 157.55.103.32/27 2635 | 157.55.106.0/26 2636 | 157.55.106.128/25 2637 | 157.55.107.0/24 2638 | 157.55.108.0/22 2639 | 157.55.136.0/21 2640 | 157.55.153.224/28 2641 | 157.55.154.128/25 2642 | 157.55.160.0/19 2643 | 157.55.192.0/21 2644 | 157.55.200.0/22 2645 | 157.55.204.1/32 2646 | 157.55.204.2/31 2647 | 157.55.204.33/32 2648 | 157.55.204.34/31 2649 | 157.55.204.128/25 2650 | 157.55.208.0/21 2651 | 157.55.248.0/21 2652 | 157.56.2.0/23 2653 | 157.56.8.0/21 2654 | 157.56.24.160/27 2655 | 157.56.24.192/27 2656 | 157.56.28.0/22 2657 | 157.56.80.0/25 2658 | 157.56.160.0/21 2659 | 157.56.176.0/21 2660 | 157.56.216.0/26 2661 | 168.61.0.0/17 2662 | 168.61.128.0/25 2663 | 168.61.128.128/28 2664 | 168.61.128.160/27 2665 | 168.61.128.192/26 2666 | 168.61.129.0/25 2667 | 168.61.129.128/26 2668 | 168.61.129.208/28 2669 | 168.61.129.224/27 2670 | 168.61.130.64/26 2671 | 168.61.130.128/25 2672 | 168.61.131.0/26 2673 | 168.61.131.128/25 2674 | 168.61.132.0/26 2675 | 168.61.144.0/20 2676 | 168.61.160.0/19 2677 | 168.61.208.0/20 2678 | 168.62.0.0/16 2679 | 168.63.0.0/18 2680 | 168.63.64.0/20 2681 | 168.63.80.0/21 2682 | 168.63.88.0/23 2683 | 168.63.92.0/22 2684 | 168.63.96.0/19 2685 | 172.166.151.112/28 2686 | 172.166.156.96/28 2687 | 172.166.156.160/28 2688 | 172.168.0.0/14 2689 | 172.172.0.0/16 2690 | 172.173.8.0/21 2691 | 172.173.16.0/20 2692 | 172.173.64.0/18 2693 | 172.173.128.0/17 2694 | 172.174.0.0/15 2695 | 172.176.0.0/13 2696 | 172.184.0.0/15 2697 | 172.190.0.0/15 2698 | 172.200.0.0/14 2699 | 172.205.0.0/16 2700 | 172.206.0.0/16 2701 | 172.208.0.0/17 2702 | 172.210.0.0/15 2703 | 172.212.0.0/16 2704 | 172.214.0.0/16 2705 | 172.215.128.0/18 2706 | 185.199.108.0/22 2707 | 191.233.64.0/18 2708 | 191.233.144.0/20 2709 | 191.234.32.0/19 2710 | 191.235.128.0/18 2711 | 191.235.192.0/22 2712 | 191.235.208.0/20 2713 | 191.235.255.0/24 2714 | 191.236.0.0/16 2715 | 191.237.0.0/17 2716 | 191.237.128.0/18 2717 | 191.237.192.0/23 2718 | 191.237.194.0/24 2719 | 191.237.196.0/24 2720 | 191.237.208.0/20 2721 | 191.237.232.0/22 2722 | 191.238.0.0/18 2723 | 191.238.70.0/23 2724 | 191.238.96.0/19 2725 | 191.238.144.0/20 2726 | 191.238.160.0/19 2727 | 191.238.224.0/19 2728 | 191.239.0.0/18 2729 | 191.239.200.0/22 2730 | 191.239.208.0/20 2731 | 191.239.224.0/20 2732 | 192.30.252.0/22 2733 | 193.149.64.0/19 2734 | 199.30.16.0/24 2735 | 199.30.18.0/23 2736 | 199.30.20.0/24 2737 | 199.30.22.0/24 2738 | 199.30.24.0/23 2739 | 199.30.27.0/25 2740 | 199.30.27.144/28 2741 | 199.30.27.160/27 2742 | 199.30.28.64/26 2743 | 199.30.28.128/25 2744 | 199.30.29.0/24 2745 | 199.30.31.0/25 2746 | 199.30.31.192/26 2747 | 204.79.180.0/24 2748 | 204.152.18.0/31 2749 | 204.152.18.8/29 2750 | 204.152.18.32/27 2751 | 204.152.18.64/26 2752 | 204.152.19.0/24 2753 | 207.46.13.0/24 2754 | 207.46.193.192/28 2755 | 207.46.200.96/27 2756 | 207.46.200.176/28 2757 | 207.46.202.128/28 2758 | 207.46.205.0/24 2759 | 207.46.224.80/28 2760 | 207.46.227.144/28 2761 | 207.46.230.240/28 2762 | 207.68.174.40/29 2763 | 207.68.174.184/29 2764 | 209.199.17.80/28 2765 | 209.199.17.192/26 2766 | 209.199.18.0/26 2767 | 209.199.21.128/25 2768 | 209.240.212.0/23 2769 | 213.199.128.0/20 2770 | 213.199.180.32/28 2771 | 213.199.180.96/27 2772 | 213.199.180.192/27 2773 | 213.199.183.0/24 2774 | -------------------------------------------------------------------------------- /modules/vpn/ipsec/github-ipv4.txt.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: 2025 GitHub 2 | 3 | SPDX-License-Identifier: MIT 4 | -------------------------------------------------------------------------------- /modules/vpn/ipsec/networkmanager.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | pkgs, 7 | vpnProfiles, 8 | operators, 9 | config, 10 | lib, 11 | ... 12 | }: 13 | let 14 | cfg = config.securix.vpn.ipsec; 15 | inherit (lib) 16 | mkIf 17 | mkEnableOption 18 | mkOption 19 | types 20 | nameValuePair 21 | concatMapAttrs 22 | concatStringsSep 23 | listToAttrs 24 | mapAttrs 25 | mapAttrs' 26 | mapAttrsToList 27 | filter 28 | hasAttr 29 | ; 30 | mkIPsecConnectionProfile = 31 | operatorName: 32 | { 33 | username, 34 | email, 35 | bit, 36 | ... 37 | }: 38 | profileName: 39 | { 40 | endpoint, 41 | remote-identity, 42 | method, 43 | ike, 44 | esp, 45 | remoteSubnets, 46 | localSubnet, 47 | gateway ? null, 48 | mkPasswordVariable ? null, 49 | mkAddress ? null, 50 | ... 51 | }: 52 | assert lib.assertMsg (bit != null) 53 | "Il n'est pas possible de générer un profil IPsec si le paramètre `bit` n'est pas rempli pour l'administrateur ${operatorName}"; 54 | assert lib.assertMsg (mkPasswordVariable == null -> method != "psk") 55 | "Si la méthode PSK est spécifié pour le tunnel `${profileName}`, une façon de récupérer le mot de passe via une variable d'environnement doit etre spécifié."; 56 | assert lib.assertMsg (mkAddress == null -> localSubnet == "%any") 57 | "Si aucune méthode de construction d'adresse IP dans le tunnel `${profileName}` n'est spécifié, alors le mode config d'IPsec doit etre configuré pour la configuration IP automatique."; 58 | assert lib.assertMsg (gateway == null -> localSubnet == "%any") 59 | "Si aucune gateway dans le tunnel `${profileName}` n'est spécifié, alors le mode config d'IPsec doit etre configuré pour la configuration IP automatique."; 60 | { 61 | connection = { 62 | id = "VPN ${profileName} for ${operatorName}"; 63 | autoconnect = true; 64 | # This locks down this VPN entry only for that user. 65 | permissions = "user:${username};"; 66 | type = "vpn"; 67 | }; 68 | 69 | vpn = 70 | { 71 | address = endpoint; 72 | remote-identity = mkIf (remote-identity != null) remote-identity; 73 | encap = "yes"; 74 | ipcomp = "no"; 75 | # It's automatically derived when the cert is on the smartcard. 76 | local-identity = mkIf (method != "cert-on-security-token") email; 77 | proposal = "yes"; 78 | inherit ike esp; 79 | remote-ts = concatStringsSep ";" remoteSubnets; 80 | local-ts = mkIf (mkAddress != null) (mkAddress bit); 81 | virtual = if (localSubnet == "%any") then "yes" else "no"; 82 | service-type = "org.freedesktop.NetworkManager.strongswan"; 83 | } 84 | // ( 85 | if method == "cert-on-security-token" then 86 | { 87 | method = "smartcard"; 88 | cert-source = "smartcard"; 89 | password-flags = 1; # Ask the agent for the PIN. 90 | } 91 | else 92 | { 93 | method = "psk"; 94 | password-flags = 0; 95 | } 96 | ); 97 | 98 | vpn-secrets = mkIf (method == "psk") { password = mkPasswordVariable operatorName; }; 99 | 100 | ipv4 = { 101 | method = if localSubnet == "%any" then "disabled" else "auto"; 102 | address1 = mkIf (localSubnet != "%any") "${mkAddress bit},${gateway}"; 103 | ignore-auto-dns = true; 104 | }; 105 | 106 | ipv6 = { 107 | method = "disabled"; 108 | }; 109 | }; 110 | 111 | mkCertificateAuthorityFile = certName: path: { 112 | name = "${certName}.crt"; 113 | value.file = path; 114 | }; 115 | in 116 | { 117 | options.securix.vpn.ipsec = { 118 | enable = mkEnableOption "the IPsec connection"; 119 | 120 | certificateAuthorityFiles = mkOption { 121 | type = types.attrsOf types.path; 122 | default = { }; 123 | description = '' 124 | When IPsec is used with a security key, a mutual authentication is performed between the client and the server. 125 | StrongSwan do NOT use the system-wide trust store to assess server identity. 126 | 127 | It makes use of a custom path that needs to collect every certificate as a flat file. 128 | 129 | To make this simple on operators, you can pass an attribute set of certificate files in this list and those will be 130 | added to the IPsec trust store under the name they are passed. 131 | ''; 132 | }; 133 | 134 | pskSecretsPaths = mkOption { 135 | type = types.attrsOf types.path; 136 | default = { }; 137 | description = "Chemin vers toutes les PSKs, non nécessaire en mode certificats."; 138 | }; 139 | }; 140 | 141 | config = mkIf cfg.enable { 142 | age.secrets = mapAttrs (_: path: { file = path; }) cfg.pskSecretsPaths; 143 | 144 | # This is an extra rule to allow any user to do `sudo pkill charon-nm` to reset the VPN state. 145 | # Sometimes, when you suspend your system while having the VPN enabled and you get out of suspend state. 146 | # The `charon-nm` process which stands for Charon NetworkManager is still running even though your VPN is down due to getting out of suspend and having lost Internet. 147 | # When you try to bring up the VPN again, your VPN will not come up because `charon-nm` blocks the spawn of a new `charon-nm` process, displaying a weird 148 | # "Cannot activate VPN due to missing secrets" error message. 149 | # This is clearly a Strongswan bug but we do not have the resources and time to perform root cause analysis on this bug and submit a patch or bug report to Strongswan. 150 | # FIXME: Find the time to do it. 151 | security.sudo.extraRules = [ 152 | { 153 | groups = [ "operator" ]; 154 | commands = [ 155 | { 156 | command = "/run/current-system/sw/bin/pkill charon-nm"; 157 | options = [ "NOPASSWD" ]; 158 | } 159 | ]; 160 | } 161 | ]; 162 | 163 | environment.etc = { 164 | "strongswan.conf".text = '' 165 | charon-nm { 166 | ca_dir = /etc/ipsec.d/certs 167 | plugins { 168 | pkcs11 { 169 | modules { 170 | opensc { 171 | path = ${pkgs.opensc}/lib/opensc-pkcs11.so 172 | } 173 | } 174 | } 175 | } 176 | } 177 | ''; 178 | } // mapAttrs' mkCertificateAuthorityFile cfg.certificateAuthorityFiles; 179 | 180 | nixpkgs.overlays = [ 181 | (self: super: { 182 | strongswan = super.strongswan.overrideAttrs (old: { 183 | patches = (old.patches or [ ]) ++ [ ./support-local-ts.patch ]; 184 | }); 185 | }) 186 | ]; 187 | 188 | systemd.services.NetworkManager.serviceConfig.Environment = [ 189 | "STRONGSWAN_CONF=/etc/strongswan.conf" 190 | ]; 191 | 192 | networking.networkmanager.enableStrongSwan = true; 193 | networking.networkmanager.ensureProfiles.environmentFiles = mapAttrsToList ( 194 | name: _: config.age.secrets.${name}.path 195 | ) cfg.pskSecretsPaths; 196 | networking.networkmanager.ensureProfiles.profiles = concatMapAttrs ( 197 | op: opCfg: 198 | listToAttrs ( 199 | map 200 | ( 201 | profileName: 202 | nameValuePair "${op}-${profileName}" ( 203 | mkIPsecConnectionProfile op opCfg profileName vpnProfiles.${profileName} 204 | ) 205 | ) 206 | ( 207 | filter ( 208 | profileName: hasAttr profileName vpnProfiles && vpnProfiles.${profileName}.type == "ipsec" 209 | ) opCfg.allowedVPNs 210 | ) 211 | ) 212 | ) operators; 213 | }; 214 | } 215 | -------------------------------------------------------------------------------- /modules/vpn/ipsec/support-local-ts.patch: -------------------------------------------------------------------------------- 1 | diff --git c/src/charon-nm/nm/nm_service.c i/src/charon-nm/nm/nm_service.c 2 | index 8570ef0e3..11c595082 100644 3 | --- c/src/charon-nm/nm/nm_service.c 4 | +++ i/src/charon-nm/nm/nm_service.c 5 | @@ -946,8 +946,31 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection, 6 | child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP)); 7 | child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); 8 | } 9 | - ts = traffic_selector_create_dynamic(0, 0, 65535); 10 | - child_cfg->add_traffic_selector(child_cfg, TRUE, ts); 11 | + 12 | + str = nm_setting_vpn_get_data_item(vpn, "local-ts"); 13 | + if (str && strlen(str)) { 14 | + enumerator = enumerator_create_token(str, ";", ""); 15 | + while (enumerator->enumerate(enumerator, &str)) 16 | + { 17 | + ts = traffic_selector_create_from_cidr((char*)str, 0, 0, 65535); 18 | + if (!ts) 19 | + { 20 | + g_set_error(err, NM_VPN_PLUGIN_ERROR, 21 | + NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED, 22 | + "Invalid local traffic selector."); 23 | + enumerator->destroy(enumerator); 24 | + child_cfg->destroy(child_cfg); 25 | + peer_cfg->destroy(peer_cfg); 26 | + return FALSE; 27 | + } 28 | + child_cfg->add_traffic_selector(child_cfg, TRUE, ts); 29 | + } 30 | + enumerator->destroy(enumerator); 31 | + } else { 32 | + ts = traffic_selector_create_dynamic(0, 0, 65535); 33 | + child_cfg->add_traffic_selector(child_cfg, TRUE, ts); 34 | + } 35 | + 36 | str = nm_setting_vpn_get_data_item(vpn, "remote-ts"); 37 | if (str && strlen(str)) 38 | { 39 | -------------------------------------------------------------------------------- /modules/vpn/ipsec/support-local-ts.patch.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | 3 | SPDX-License-Identifier: GPL-2.0-only 4 | -------------------------------------------------------------------------------- /modules/vpn/netbird/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | vpnProfiles, 7 | operators, 8 | pkgs, 9 | lib, 10 | config, 11 | ... 12 | }: 13 | let 14 | cfg = config.securix.vpn.netbird; 15 | inherit (lib) 16 | mkIf 17 | mkEnableOption 18 | listToAttrs 19 | concatMapAttrs 20 | filter 21 | hasAttr 22 | ; 23 | selectNetbirdVpns = 24 | list: 25 | filter (vpnName: hasAttr vpnName vpnProfiles && vpnProfiles.${vpnName}.type == "netbird") list; 26 | in 27 | { 28 | options.securix.vpn.netbird = { 29 | enable = mkEnableOption "the Netbird VPN subsystem"; 30 | 31 | enablePostQuantumCryptography = mkEnableOption "the post-quantum cryptography in WireGuard with Rosenpass"; 32 | }; 33 | 34 | config = mkIf cfg.enable { 35 | environment.systemPackages = with pkgs; [ 36 | netbird 37 | netbird-ui 38 | ]; 39 | 40 | services.resolved.enable = true; 41 | 42 | services.netbird = { 43 | enable = lib.mkForce false; 44 | clients = concatMapAttrs ( 45 | operatorName: 46 | { username, allowedVPNs, ... }: 47 | listToAttrs ( 48 | map ( 49 | vpnName: 50 | let 51 | vpnProfile = vpnProfiles.${vpnName}; 52 | in 53 | { 54 | name = "${operatorName}-${vpnName}"; 55 | value = { 56 | ui.enable = true; 57 | interface = "nb-${vpnName}"; 58 | port = 51820; 59 | hardened = false; 60 | config = { 61 | ManagementURL = vpnProfile.management-url; 62 | AdminURL = vpnProfile.admin-url; 63 | RosenpassEnabled = cfg.enablePostQuantumCryptography; 64 | }; 65 | }; 66 | } 67 | ) (selectNetbirdVpns allowedVPNs) 68 | ) 69 | ) operators; 70 | }; 71 | }; 72 | } 73 | -------------------------------------------------------------------------------- /modules/vpn/wireguard/README.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | # WireGuard(R) VPN module for Sécurix 9 | 10 | ## How it works 11 | 12 | The WireGuard VPN module supports the YubiKey Series 5 (other security keys have not yet been tested). 13 | 14 | It securely stores the WireGuard private key using the following approach: 15 | 16 | - An **age key pair** is generated and stored on a PIV certificate slot of the YubiKey. The **private key never leaves the YubiKey**: data is encrypted using the public key and decrypted directly on the device. 17 | - A **WireGuard private key** is generated, **encrypted with the YubiKey’s age public key**, and stored in a PIV object slot on the YubiKey. 18 | 19 | When the VPN is enabled, the encrypted WireGuard private key is read from the YubiKey, **decrypted on the device**, and passed to the WireGuard process. 20 | 21 | Since the decrypted WireGuard key must be available in memory for WireGuard to function, **regular key rotation is recommended** for enhanced security. 22 | 23 | Here's a reworked, clearer version of your documentation: 24 | 25 | ## Using WireGuard VPN Profiles 26 | 27 | Sécurix provides a system for managing VPN profiles. To configure a WireGuard VPN, add a profile like this: 28 | 29 | ```nix 30 | { 31 | = { 32 | type = "wireguard"; 33 | interface = "wg0"; 34 | 35 | # List of internal VPN addresses used by the Sécurix client 36 | addresses = [ 37 | 38 | ]; 39 | 40 | # WARNING: This will erase any existing data in the selected object PIV slot 41 | wireguardPivSlot = "5f0000"; # Choose any PIV object slot (hex string) 42 | 43 | # WARNING: This will erase any existing data in the selected certificate PIV slot 44 | agePivSlot = 14; # Must be an integer between 1 and 20 45 | 46 | listenPort = 58120; 47 | 48 | peers = [ 49 | { 50 | publicKey = ""; 51 | endpoint = ":"; 52 | ips = [ 53 | 54 | ]; 55 | } 56 | ]; 57 | }; 58 | } 59 | ``` 60 | 61 | ## Managing the WireGuard VPN 62 | 63 | Once your VPN profile is installed, use the following commands to manage it: 64 | 65 | - `wireguard--genkey` 66 | Generates and encrypts the WireGuard private key using your YubiKey. 67 | This must be done once to set up the profile. 68 | 69 | - `wireguard--pubkey` 70 | Computes the corresponding public key from the generated private key. 71 | Useful for sharing with VPN peers. 72 | 73 | - `wireguard- up` 74 | Activates the VPN using the private key decrypted by the YubiKey. 75 | 76 | - `wireguard- down` 77 | Deactivates the VPN. 78 | -------------------------------------------------------------------------------- /modules/vpn/wireguard/default.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Elias Coppens 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | { 6 | vpnProfiles, 7 | operators, 8 | pkgs, 9 | lib, 10 | config, 11 | ... 12 | }: 13 | let 14 | cfg = config.securix.vpn.wireguard; 15 | 16 | inherit (lib) 17 | attrValues 18 | concatMap 19 | concatMapStringsSep 20 | concatStringsSep 21 | elem 22 | filter 23 | hasAttr 24 | listToAttrs 25 | map 26 | mkIf 27 | mkEnableOption 28 | nameValuePair 29 | unique 30 | mapAttrs 31 | ; 32 | 33 | selectWireguardVpns = 34 | list: 35 | filter (vpnName: hasAttr vpnName vpnProfiles && vpnProfiles.${vpnName}.type == "wireguard") list; 36 | 37 | # Utilities commands 38 | wg = "${pkgs.wireguard-tools}/bin/wg"; 39 | ip = "${pkgs.iproute2}/bin/ip"; 40 | ykman = "${pkgs.yubikey-manager}/bin/ykman"; 41 | age = "${pkgs.age}/bin/age"; 42 | age-yubikey = "${pkgs.age-plugin-yubikey}/bin/age-plugin-yubikey"; 43 | 44 | # Create users scripts to run 45 | mkWireGuardScripts = 46 | { 47 | wireguardName, 48 | username, 49 | bit, 50 | }: 51 | let 52 | wireguard = vpnProfiles.${wireguardName}; 53 | itf = wireguard.interface; 54 | address = wireguard.mkAddress bit; 55 | wgPiv = wireguard.wireguardPivSlot; 56 | agePiv = toString wireguard.agePivSlot; 57 | port = toString wireguard.listenPort; 58 | peers = wireguard.peers; 59 | 60 | private-key = "${ykman} piv objects export ${wgPiv} - | ${age} -d -i <(${age-yubikey} -i --slot ${agePiv}) -"; 61 | 62 | mkPeerString = 63 | peer: 64 | ''peer "${peer.publicKey}" endpoint "${peer.endpoint}" allowed-ips "${concatStringsSep "," peer.ips}"''; 65 | 66 | # TODO: maybe use Network namespace ? 67 | upScript = pkgs.writeShellScript "wireguard-${wireguardName}-up" '' 68 | ${ip} link add dev "${itf}" type wireguard 69 | ${ip} address add ${address} dev ${itf} 70 | 71 | ${wg} set "${itf}" listen-port ${port} \ 72 | private-key <(${private-key}) \ 73 | ${concatMapStringsSep " " mkPeerString peers} 74 | 75 | ${ip} link set up dev "${itf}" 76 | ${concatStringsSep "\n" ( 77 | concatMap (peer: map (allowedCidr: "${ip} route add ${allowedCidr} dev ${itf}") peer.ips) peers 78 | )} 79 | ''; 80 | 81 | downScript = pkgs.writeShellScript "wireguard-${wireguardName}-down" '' 82 | ${ip} link del dev "${itf}" 83 | ''; 84 | in 85 | rec { 86 | management = pkgs.writeShellScriptBin "wireguard-${wireguardName}" '' 87 | # ${username} 88 | verb=$1 89 | 90 | if [[ "$verb" = "up" ]]; then 91 | ${upScript} 92 | elif [[ "$verb" = "down" ]]; then 93 | ${downScript} 94 | else 95 | echo "Unrecognized option $verb: please choose between up or down" 96 | fi 97 | ''; 98 | 99 | genkey = pkgs.writeShellScriptBin "wireguard-${wireguardName}-genkey" '' 100 | ${importkey}/bin/wireguard-${wireguardName}-importkey <(${wg} genkey) 101 | ''; 102 | 103 | pubkey = pkgs.writeShellScriptBin "wireguard-${wireguardName}-pubkey" '' 104 | echo "The wireguard public key is: $(${private-key} | ${wg} pubkey)" 105 | ''; 106 | 107 | importkey = pkgs.writeShellScriptBin "wireguard-${wireguardName}-importkey" '' 108 | ${age-yubikey} --list --slot ${agePiv} > /dev/null 109 | 110 | if [[ $? -ne 0 ]]; then 111 | echo "Age certificate is not created, will create it:" 112 | 113 | ${age-yubikey} --generate \ 114 | --slot ${agePiv} --pin-policy once --touch-policy always 115 | fi 116 | 117 | ${ykman} piv objects import ${wgPiv} \ 118 | <(cat $1 | ${age} -e -r $(${age-yubikey} --list --slot ${agePiv} | tail -n 1) -a -) 119 | 120 | ${pubkey}/bin/wireguard-${wireguardName}-pubkey 121 | 122 | ''; 123 | }; 124 | in 125 | { 126 | options.securix.vpn.wireguard = { 127 | enable = mkEnableOption "the Wireguard VPN subsystem"; 128 | }; 129 | 130 | config = mkIf cfg.enable { 131 | environment.systemPackages = [ 132 | pkgs.wireguard-tools 133 | pkgs.age 134 | pkgs.age-plugin-yubikey 135 | ]; 136 | 137 | users.users = mapAttrs (username: config: { 138 | packages = concatMap ( 139 | wireguardName: 140 | attrValues (mkWireGuardScripts { 141 | inherit wireguardName username; 142 | inherit (config) bit; 143 | }) 144 | ) (selectWireguardVpns config.allowedVPNs); 145 | }) operators; 146 | 147 | security.sudo = { 148 | enable = true; 149 | extraRules = concatMap ( 150 | username: 151 | map (wg: { 152 | users = [ username ]; 153 | commands = [ 154 | { 155 | # User-specific binaries. 156 | command = "/etc/profiles/per-user/${username}/bin/wireguard-${wg}"; 157 | options = [ "NOPASSWD" ]; 158 | } 159 | ]; 160 | }) (selectWireguardVpns operators.${username}.allowedVPNs) 161 | ) (builtins.attrNames operators); 162 | }; 163 | }; 164 | } 165 | -------------------------------------------------------------------------------- /npins.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: 2025 The npins author 2 | 3 | SPDX-License-Identifier: EUPL-1.2 4 | -------------------------------------------------------------------------------- /npins/default.nix: -------------------------------------------------------------------------------- 1 | # Generated by npins. Do not modify; will be overwritten regularly 2 | let 3 | data = builtins.fromJSON (builtins.readFile ./sources.json); 4 | version = data.version; 5 | 6 | mkSource = 7 | spec: 8 | assert spec ? type; 9 | let 10 | path = 11 | if spec.type == "Git" then 12 | mkGitSource spec 13 | else if spec.type == "GitRelease" then 14 | mkGitSource spec 15 | else if spec.type == "PyPi" then 16 | mkPyPiSource spec 17 | else if spec.type == "Channel" then 18 | mkChannelSource spec 19 | else 20 | builtins.throw "Unknown source type ${spec.type}"; 21 | in 22 | spec // { outPath = path; }; 23 | 24 | mkGitSource = 25 | { 26 | repository, 27 | revision, 28 | url ? null, 29 | hash, 30 | branch ? null, 31 | ... 32 | }: 33 | assert repository ? type; 34 | # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository 35 | # In the latter case, there we will always be an url to the tarball 36 | if url != null then 37 | (builtins.fetchTarball { 38 | inherit url; 39 | sha256 = hash; # FIXME: check nix version & use SRI hashes 40 | }) 41 | else 42 | assert repository.type == "Git"; 43 | let 44 | urlToName = 45 | url: rev: 46 | let 47 | matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url; 48 | 49 | short = builtins.substring 0 7 rev; 50 | 51 | appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else ""; 52 | in 53 | "${if matched == null then "source" else builtins.head matched}${appendShort}"; 54 | name = urlToName repository.url revision; 55 | in 56 | builtins.fetchGit { 57 | url = repository.url; 58 | rev = revision; 59 | inherit name; 60 | # hash = hash; 61 | }; 62 | 63 | mkPyPiSource = 64 | { url, hash, ... }: 65 | builtins.fetchurl { 66 | inherit url; 67 | sha256 = hash; 68 | }; 69 | 70 | mkChannelSource = 71 | { url, hash, ... }: 72 | builtins.fetchTarball { 73 | inherit url; 74 | sha256 = hash; 75 | }; 76 | in 77 | if version == 3 then 78 | builtins.mapAttrs (_: mkSource) data.pins 79 | else 80 | throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" 81 | -------------------------------------------------------------------------------- /npins/default.nix.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: 2025 The npins author 2 | 3 | SPDX-License-Identifier: MIT 4 | -------------------------------------------------------------------------------- /npins/sources.json: -------------------------------------------------------------------------------- 1 | { 2 | "pins": { 3 | "agenix": { 4 | "type": "GitRelease", 5 | "repository": { 6 | "type": "GitHub", 7 | "owner": "ryantm", 8 | "repo": "agenix" 9 | }, 10 | "pre_releases": false, 11 | "version_upper_bound": null, 12 | "release_prefix": null, 13 | "version": "0.15.0", 14 | "revision": "564595d0ad4be7277e07fa63b5a991b3c645655d", 15 | "url": "https://api.github.com/repos/ryantm/agenix/tarball/0.15.0", 16 | "hash": "01dhrghwa7zw93cybvx4gnrskqk97b004nfxgsys0736823956la" 17 | }, 18 | "disko": { 19 | "type": "GitRelease", 20 | "repository": { 21 | "type": "GitHub", 22 | "owner": "nix-community", 23 | "repo": "disko" 24 | }, 25 | "pre_releases": false, 26 | "version_upper_bound": null, 27 | "release_prefix": null, 28 | "version": "v1.9.0", 29 | "revision": "49a4936cee640e27d74baee6fd1278285d29b100", 30 | "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.9.0", 31 | "hash": "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388" 32 | }, 33 | "git-hooks": { 34 | "type": "Git", 35 | "repository": { 36 | "type": "GitHub", 37 | "owner": "cachix", 38 | "repo": "git-hooks.nix" 39 | }, 40 | "branch": "master", 41 | "revision": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17", 42 | "url": "https://github.com/cachix/git-hooks.nix/archive/9364dc02281ce2d37a1f55b6e51f7c0f65a75f17.tar.gz", 43 | "hash": "1n2qlj5l8c4g7gm5v6rvc4hff3ka8ljv7y62inybli093bd2ypa7" 44 | }, 45 | "lanzaboote": { 46 | "type": "GitRelease", 47 | "repository": { 48 | "type": "GitHub", 49 | "owner": "nix-community", 50 | "repo": "lanzaboote" 51 | }, 52 | "pre_releases": false, 53 | "version_upper_bound": null, 54 | "release_prefix": null, 55 | "version": "v0.4.2", 56 | "revision": "f0212638a2ec787a7841882f4477d40ae24f0a5d", 57 | "url": "https://api.github.com/repos/nix-community/lanzaboote/tarball/v0.4.2", 58 | "hash": "0xc1wawnb0297h5khxblmf9pd1fry950xkcm7mwlck19s2906h80" 59 | }, 60 | "nixpkgs": { 61 | "type": "Channel", 62 | "name": "nixpkgs-unstable", 63 | "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre697431.86e78d3d2084/nixexprs.tar.xz", 64 | "hash": "0wbmh3jc25xan6x6nndfidgkfigip49zqp0rivi6lsdv18sx9mvx" 65 | } 66 | }, 67 | "version": 3 68 | } -------------------------------------------------------------------------------- /npins/sources.json.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: 2025 The npins author 2 | 3 | SPDX-License-Identifier: MIT 4 | -------------------------------------------------------------------------------- /shell.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | (import ./. { }).shell 6 | -------------------------------------------------------------------------------- /statix.toml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Elias Coppens 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | disabled = [ 6 | "manual_inherit", 7 | "manual_inherit_from", 8 | "repeated_keys" 9 | ] 10 | ignore = [ 11 | "**/npins" 12 | ] 13 | -------------------------------------------------------------------------------- /workflows/check-licensing.nix: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2025 Ryan Lahfa 2 | # 3 | # SPDX-License-Identifier: MIT 4 | 5 | # On vérifie que la conformité en licence de Sécurix reste valide. 6 | { runs-on, commonSteps, ... }: 7 | { 8 | name = "[Sécurix] REUSE Licensing conformance"; 9 | 10 | on = { 11 | pull_request = { }; 12 | push = { 13 | branches = [ "main" ]; 14 | }; 15 | }; 16 | 17 | jobs = { 18 | reuse_lint = { 19 | inherit runs-on; 20 | steps = [ 21 | commonSteps.checkout 22 | commonSteps.install-nix 23 | commonSteps.setup-nix-cache 24 | { 25 | name = "Check for REUSE compliance"; 26 | run = "nix-shell --run 'reuse --root . lint'"; 27 | } 28 | ]; 29 | }; 30 | }; 31 | } 32 | --------------------------------------------------------------------------------