-rw-r--r--config/ap.nix186
-rw-r--r--config/dns.nix20
-rw-r--r--config/router.nix224
-rw-r--r--config/web-server.nix25
-rw-r--r--data/dns/db.kufieta.net.zone7
-rw-r--r--data/dns/db.orbekk.com.zone2
-rw-r--r--data/dns/db.orbekk.shared.zone21
-rw-r--r--data/dns/db.tommvo.com.zone11
-rw-r--r--machines/dragon.nix61
-rwxr-xr-xtools/update-dns.sh13
10 files changed, 320 insertions, 250 deletions
diff --git a/config/ap.nix b/config/ap.nix
deleted file mode 100644
index 4f3c634..0000000
--- a/config/ap.nix
+++ /dev/null
@@ -1,186 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- wan-dev = "enp37s0";
- lan-dev = "wlp39s0";
-in
-{
- networking.networkmanager.enable = lib.mkForce false;
-
- # networking.vlans.lan = {
- # id = 110;
- # interface = wan-dev;
- # };
- # networking.vlans.wan = {
- # id = 100;
- # interface = wan-dev;
- # };
-
- networking.firewall = {
- enable = lib.mkForce false;
- allowedTCPPorts = lib.mkForce [ ];
- allowedUDPPorts = lib.mkForce [ ];
- allowPing = true;
- logRefusedConnections = false;
- checkReversePath = false;
- trustedInterfaces = [ "${lan-dev}" ];
- };
-
- services.ferm = {
- enable = true;
- config = ''
- @def $DEV_LAN = ${lan-dev};
- @def $DEV_WAN = ${wan-dev};
- @def $NET_LAN = 10.64.30.0/24;
-
- domain ip6 table filter chain INPUT {
- proto ipv6-icmp ACCEPT;
- proto udp dport (dhcpv6-client dhcpv6-server) ACCEPT;
- }
-
- domain (ip ip6) table filter {
- chain INPUT {
- policy DROP;
-
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- interface lo ACCEPT;
- proto icmp icmp-type echo-request ACCEPT;
-
- interface $DEV_WAN {
- # RTMP
- # proto (tcp udp) dport 1935 ACCEPT;
-
- # Factorio
- proto udp dport 34197 ACCEPT;
- }
-
- interface $DEV_LAN @subchain "services" {
- # 1935 for rtmp testing
- proto (tcp udp) dport (ssh domain bootps 1935 4317 5353) ACCEPT;
-
- # Chromecast
- # proto udp dport 32768:61000 ACCEPT;
- # proto udp dport (5353 1900) ACCEPT;
- # proto tcp dport (8008 8009) ACCEPT;
-
- # chain logdrop {
- # LOG log-level warning log-prefix "dropped-lan ";
- # DROP;
- # }
- # jump logdrop;
- }
- }
-
- chain OUTPUT policy ACCEPT;
-
- chain FORWARD {
- policy DROP;
-
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- interface $DEV_LAN ACCEPT;
- }
- }
-
- domain ip6 table filter chain INPUT {
- chain logdrop {
- LOG log-level warning log-prefix "dropped-6 ";
- DROP;
- }
- jump logdrop;
- }
-
- domain ip table nat {
- chain POSTROUTING {
- saddr $NET_LAN outerface $DEV_WAN MASQUERADE;
- }
- }
- '';
- };
-
- services = {
- openssh.enable = lib.mkDefault true;
- openssh.passwordAuthentication = false;
- };
-
- boot.kernel.sysctl = {
- # Something wrong with Spectrum ipv6 :(
- "net.ipv6.conf.all.disable_ipv6" = true;
- "net.ipv4.conf.all.forwarding" = true;
- "net.ipv4.conf.default.forwarding" = true;
- "net.ipv6.conf.all.forwarding" = true;
- "net.ipv6.conf.default.forwarding" = true;
- };
-
- services.hostapd = {
- enable = true;
- ssid = "2c";
- wpaPassphrase = "mintchip";
- interface = "${lan-dev}";
- hwMode = "g";
- channel = 11;
- extraConfig = ''
- country_code=US
- wpa_key_mgmt=WPA-PSK
- rsn_pairwise=CCMP
- '';
- };
-
- networking.useDHCP = true;
- networking.dhcpcd = {
- enable = true;
- denyInterfaces = [ lan-dev ];
- extraConfig = ''
- # debug
- noipv6rs
- interface ${wan-dev}
- dhcp
- ipv6rs
- ia_na 1
- ia_pd 1/::/56 ${lan-dev}/0/64
- '';
- wait = "background";
- };
-
- services.dnsmasq = {
- enable = true;
- servers = [ "8.8.8.8" "8.8.4.4" ];
- extraConfig = ''
- dhcp-authoritative
- dhcp-range=10.64.30.100,10.64.30.255,255.255.255.0,24h
- dhcp-option=option:router,10.64.30.1
- dhcp-option=option:dns-server,10.64.30.1
- dhcp-option=option:netmask,255.255.255.0
-
- #dhcp-range=::,constructor:${lan-dev},slaac
- '';
- };
-
- networking.nat = {
- enable = true;
- externalInterface = "${wan-dev}";
- internalInterfaces = [ "${lan-dev}" ];
- # internalIPs = [ "10.0.0.0/24" ];
- };
-
- # Error matching on link that was already renamed.
- # systemd.network.links."40-enp37s0".matchConfig = {
- # # OriginalName = lib.mkForce null;
- # # MACAddress = "00:d8:61:c2:c6:6c";
- # };
- # systemd.services.dhcpcd.preStart = lib.mkAfter ''
- # ${pkgs.iproute}/bin/ip link set dev ${wan-dev} address ${config.networking.interfaces.${wan-dev}.macAddress};
- # '';
- # networking.interfaces.${wan-dev} = {
- # macAddress = "3c:97:0e:19:7e:5c";
- # };
-
- networking.interfaces."${lan-dev}" = {
- ipv4.addresses = [ {
- address = "10.64.30.1";
- prefixLength = 24;
- } ];
- };
-}
diff --git a/config/dns.nix b/config/dns.nix
index 32d54a5..b0e52f6 100644
--- a/config/dns.nix
+++ b/config/dns.nix
@@ -2,7 +2,7 @@
# dnssec-keygen -K /secret/keys/example.net example.net
{ config, lib, pkgs, ... }:
let
- masterZones = [ "orbekk.com" "orbekk.no" "kufieta.net" ];
+ masterZones = [ "tommvo.com" "orbekk.com" "orbekk.no" "kufieta.net" ];
zone-files = pkgs.callPackage ../pkgs/zone-files/default.nix { };
in
{
@@ -13,6 +13,11 @@ in
services.bind = {
enable = true;
+ cacheNetworks = [
+ "::1/128"
+ "127.0.0.0/24"
+ "10.0.0.0/8"
+ ];
extraOptions = ''
serial-update-method unixtime;
'';
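Review bot: The added `cacheNetworks` list grants recursion to all of `10.0.0.0/8`, while config/router.nix in this commit accepts `domain` on the WAN interfaces and sets `checkReversePath = false`. Unless reverse-path filtering is enforced somewhere not shown here, a WAN packet with a forged 10.x source address would be treated as a recursion client. Narrowing the entry to the prefixes this host actually serves (router.nix shows `10.64.30.0/24` and `10.65.30.0/24`) limits that exposure. `"127.0.0.0/24"` also covers only 127.0.0.x, whereas the loopback network is `127.0.0.0/8`. The `services.bind` block continues outside the hunk.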
@@ -39,6 +44,7 @@ in
2a00:1b60:1011::6def:e868; // ns1
2001:67c:29f4::61; // ns2
};
+ notify-source-v6 2001:470:8e2e:20::d;
notify explicit;
};
'') masterZones}
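Review bot: `notify-source-v6 2001:470:8e2e:20::d;` is a literal that this commit repeats in the second zone template (the hunk at -62,6 +68,7), in `networking.interfaces.he0` and `networking.localCommands` in config/router.nix, and in tools/update-dns.sh. Binding it once in this file's `let` block, e.g. `notifySource6 = "2001:470:8e2e:20::d";`, and interpolating it in both templates keeps the two copies here from drifting. named presumably cannot send notifies from this address until he0 carries it, so a short comment naming that dependency would help. The zone template starts and ends outside the hunk.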
@@ -62,6 +68,7 @@ in
2a00:1b60:1011::6def:e868; // ns1
2001:67c:29f4::61; // ns2
};
+ notify-source-v6 2001:470:8e2e:20::d;
notify explicit;
update-policy {
grant dynamic.orbekk.com.key zonesub any;
@@ -74,7 +81,16 @@ in
preStart = lib.mkAfter ''
#rm /var/run/named/*.jnl || true
#rm /var/run/named/*.jbk || true
- cp -f ${zone-files}/* /var/run/named/
+ echo "Copy zone files"
+ for z in ${zone-files}/*; do
+ if [[ $z =~ .*dynamic.* && -e "/var/run/named/$(basename $z)" ]]; then
+ echo "Skip dynamic zone $z"
+ continue
+ fi
+ echo "Copy zone $z"
+ cp -f $z /var/run/named/
+ done
+ echo "Done copying zone files"
'';
};
}
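Review bot: The skip test in the new loop matches `.*dynamic.*` against the whole path `$z`, which includes the store directory of `${zone-files}`, and `$z` is unquoted in both `basename` and `cp`. Matching on the file name and quoting ties the decision to the zone file itself: `name=$(basename "$z")`, `if [[ $name == *dynamic* && -e "/var/run/named/$name" ]]; then`, `cp -f "$z" /var/run/named/`. A one-line comment on why the copy is conditional would also help; presumably existing dynamic zones are left in place so that records added through dynamic updates survive a restart.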
diff --git a/config/router.nix b/config/router.nix
new file mode 100644
index 0000000..30cf32a
--- /dev/null
+++ b/config/router.nix
@@ -0,0 +1,224 @@
+{ config, lib, pkgs, ... }:
+let
+ wan-dev = "eno1";
+ lan-dev = "eno2";
+in
+{
+ networking.networkmanager.enable = lib.mkForce false;
+
+ networking.nameservers = [ "8.8.8.8" ];
+
+ networking.vlans = builtins.listToAttrs (map (id: { name = "${lan-dev}.${toString id}"; value = { inherit id; interface = lan-dev; }; } ) [30 100 255]);
+
+ systemd.services.update-dynamic-dns = {
+ description = "Update dynamic dns records";
+ path = with pkgs; [bash dnsutils nettools gawk iproute];
+ startLimitIntervalSec = 5;
+ script = toString ../tools/update-dns.sh;
+ };
+
+ networking.dhcpcd.runHook = ''
+ systemctl restart update-dynamic-dns.service
+ '';
+
+ networking.firewall = {
+ enable = lib.mkForce false;
+ allowedTCPPorts = lib.mkForce [ ];
+ allowedUDPPorts = lib.mkForce [ ];
+ allowPing = true;
+ logRefusedConnections = false;
+ checkReversePath = false;
+ };
+
+ services.ddclient = {
+ enable = true;
+ configFile = "/opt/secret/he-ddclient.conf";
+ };
+
+ services.ferm = {
+ enable = true;
+ config = ''
+ @def $DEV_LAN = (${lan-dev}.100 ${lan-dev}.255);
+ @def $DEV_WAN = (${wan-dev} he0);
+ @def $NET_LAN = 10.0.0.0/8;
+
+ domain (ip ip6) table filter {
+ chain INPUT {
+ policy DROP;
+
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ interface lo ACCEPT;
+ proto icmp ACCEPT;
+
+ proto (udp udp) dport dhcpv6-client ACCEPT;
+
+ proto 41 ACCEPT; # IPv6 sit tunnel
+
+ interface $DEV_WAN @subchain "wan_services" {
+ proto (tcp udp) dport (bootpc bootps) ACCEPT;
+ proto tcp dport ssh ACCEPT;
+ proto (tcp udp) dport domain ACCEPT;
+ proto tcp dport (http https) ACCEPT;
+ }
+
+ interface $DEV_LAN @subchain "lan_services" {
+ proto (tcp udp) dport (ssh domain bootpc bootps) ACCEPT;
+ proto tcp dport (http https) ACCEPT;
+
+ # Chromecast
+ # proto udp dport 32768:61000 ACCEPT;
+ # proto udp dport (5353 1900) ACCEPT;
+ # proto tcp dport (8008 8009) ACCEPT;
+
+ # chain logdrop {
+ # LOG log-level warning log-prefix "dropped-lan ";
+ # DROP;
+ # }
+ # jump logdrop;
+ }
+ }
+
+ chain OUTPUT policy ACCEPT;
+
+ chain FORWARD {
+ policy DROP;
+
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ interface $DEV_LAN ACCEPT;
+ }
+ }
+
+ domain ip6 table filter chain INPUT {
+ proto ipv6-icmp ACCEPT;
+ }
+
+ domain (ip ip6) table filter chain logdrop {
+ LOG log-level warning log-prefix "dropped ";
+ DROP;
+ }
+
+ domain (ip ip6) table filter chain INPUT {
+ jump logdrop;
+ }
+
+ domain ip table nat {
+ chain POSTROUTING {
+ saddr $NET_LAN outerface $DEV_WAN MASQUERADE;
+ }
+ }
+ '';
+ };
+
+ services = {
+ openssh.enable = lib.mkDefault true;
+ openssh.passwordAuthentication = false;
+ };
+
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv4.conf.default.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv6.conf.default.forwarding" = true;
+ };
+
+ #services.hostapd = {
+ # enable = true;
+ # # driver = "iwlwifi";
+ # ssid = "2c";
+ # wpaPassphrase = "mintchip";
+ # interface = "${lan-dev}";
+ # hwMode = "g";
+ # channel = 11;
+ # extraConfig = ''
+ # country_code=US
+ # wpa_key_mgmt=WPA-PSK
+ # rsn_pairwise=CCMP
+ # '';
+ #};
+
+ networking.dhcpcd = {
+ # Wain for v4 and v6 addresses.
+ # wait = "both";
+ extraConfig = ''
+ debug
+ noipv6rs
+ interface ${wan-dev}
+ dhcp
+ ipv6rs
+ ia_na 0
+ # ia_pd 1/::/64 ${lan-dev}.100/0/64
+ '';
+ };
+ systemd.services.dhcpcd.preStart = lib.mkAfter ''
+ ${pkgs.iproute}/bin/ip link set dev ${wan-dev} address ${config.networking.interfaces.${wan-dev}.macAddress};
+ '';
+
+ services.dnsmasq = {
+ enable = true;
+ servers = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ];
+ extraConfig = ''
+ port=0
+ dhcp-authoritative
+ dhcp-range=10.65.30.100,10.65.30.255,255.255.255.0,24h
+ dhcp-option=option:router,10.65.30.1
+ dhcp-option=option:dns-server,1.1.1.1,8.8.8.8,8.8.4.4
+ dhcp-option=option:netmask,255.255.255.0
+
+ dhcp-range=::,constructor:${lan-dev}.100,slaac,off-link
+ '';
+ };
+
+ networking.sits.he0 = {
+ dev = wan-dev;
+ local = "74.73.86.185";
+ remote = "209.51.161.14";
+ };
+
+ networking.iproute2.enable = true;
+ networking.iproute2.rttablesExtraConfig = ''
+ 200 he
+ '';
+
+ networking.localCommands = ''
+ ip -6 rule add from 2001:470:8e2e::/48 lookup he prio 0 || true
+ ip -6 route flush cache
+ ip -6 route replace default dev he0 src 2001:470:8e2e:20::d table he
+ ip -6 route flush cache
+ '';
+
+ # boot.kernel.sysctl."net.ipv6.conf.${wan-dev}.disable_ipv6" = true;
+
+ networking.interfaces.${wan-dev} = {
+ macAddress = "3c:97:0e:19:7e:5c";
+ useDHCP = true;
+ };
+
+ networking.interfaces.he0.ipv6 = {
+ addresses = [
+ { address = "2001:470:1f06:1195::2"; prefixLength = 64; }
+ { address = "2001:470:8e2e:20::d"; prefixLength = 64; }
+ ];
+ # routes = [{ address = "::"; prefixLength = 0; }];
+ };
+
+ networking.interfaces."${lan-dev}".useDHCP = false;
+ networking.interfaces."${lan-dev}.255".useDHCP = true;
+ networking.interfaces."${lan-dev}.100" = {
+ ipv4.addresses = [ {
+ address = "10.65.30.1";
+ prefixLength = 24;
+ } ];
+ useDHCP = false;
+ };
+ networking.interfaces."${lan-dev}.30" = {
+ ipv4.addresses = [ {
+ address = "10.64.30.1";
+ prefixLength = 24;
+ } ];
+ useDHCP = false;
+ };
+}
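Review bot: In chain INPUT, `proto 41 ACCEPT;` admits encapsulated traffic from any source on any interface, although the only tunnel defined is he0 with `remote = "209.51.161.14"`. An IPv4-only rule such as `domain ip table filter chain INPUT interface ${wan-dev} saddr 209.51.161.14 proto 41 ACCEPT;`, placed before the logdrop jump, would limit it to that peer. `proto (udp udp) dport dhcpv6-client ACCEPT;` repeats `udp`, which looks like a typo, and is likewise not bound to an interface. The commented-out hostapd block still carries a passphrase literal; it is better dropped from the new file, and the passphrase should be treated as disclosed since it is already in the repository history.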
diff --git a/config/web-server.nix b/config/web-server.nix
index 5f1ae53..fed0814 100644
--- a/config/web-server.nix
+++ b/config/web-server.nix
@@ -10,6 +10,10 @@
security.acme.email = "kj@orbekk.com";
networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ # I'm storing web files in /home.
+ systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
+
services.nginx = {
enable = true;
package = pkgs.nginxStable.override {
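Review bot: `ProtectHome = "read-only"` makes every home directory visible to the nginx process (subject to file permissions), not just the web files the comment refers to. systemd documents `ProtectHome = "tmpfs"` combined with `BindReadOnlyPaths` for exactly this case, e.g. `BindReadOnlyPaths = [ "/home/<user>/<web-dir>" ];` (placeholder path; the actual directory is not shown in this hunk). The vhost roots visible in this file are under `/storage/srv`, so the comment should also name which site is served from /home.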
@@ -27,6 +31,9 @@
forceSSL = true;
};
in {
+ "tommvo.com" = template // {
+ root = "/storage/srv/tommvo.com";
+ };
"orbekk.no" = template // {
root = "/storage/srv/orbekk.com";
};
@@ -89,9 +96,9 @@
# auth_basic_user_file /opt/site/hledger-htpasswd;
# '';
# };
- locations."/_matrix" = {
- proxyPass = "http://10.0.20.15:11102";
- };
+ #locations."/_matrix" = {
+ # proxyPass = "http://10.0.20.15:11102";
+ #};
};
"ympd.orbekk.com" = template // {
locations."/" = {
@@ -99,13 +106,13 @@
};
};
"git.orbekk.com" = template // {
- locations."/".proxyPass = "http://10.0.20.2:11103";
- };
- "hydra.orbekk.com" = template // {
- locations."/" = {
- proxyPass = "http://10.0.20.2:11101";
- };
+ locations."/".proxyPass = "http://localhost:11103";
};
+ # "hydra.orbekk.com" = template // {
+ # locations."/" = {
+ # proxyPass = "http://10.0.20.2:11101";
+ # };
+ # };
"kufieta.net" = template // {
locations."/".proxyPass = "http://10.0.20.13:8080";
};
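Review bot: `proxyPass = "http://localhost:11103"` lets nginx resolve `localhost` to both 127.0.0.1 and ::1, so if the backend listens on only one address family some upstream attempts will fail and be logged as connect errors. Using the literal that matches the backend's bind address, e.g. `http://127.0.0.1:11103`, avoids that. The hydra vhost that is now commented out could be deleted instead, since the history keeps it.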
diff --git a/data/dns/db.kufieta.net.zone b/data/dns/db.kufieta.net.zone
index 51a4dff..4551235 100644
--- a/data/dns/db.kufieta.net.zone
+++ b/data/dns/db.kufieta.net.zone
@@ -15,15 +15,14 @@ $TTL 3600
@ IN TXT "v=spf1 include:spf.messagingengine.com ?all"
-@ IN AAAA 2001:470:8e2e:20:f05b:e3ff:fed9:58f7
-@ IN A 74.73.86.185
+;@ IN AAAA 2001:470:8e2e:20:f05b:e3ff:fed9:58f7
+;@ IN A 74.73.86.185
@ IN CAA 0 issue "buypass.com"
@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issuewild "letsencrypt.org"
-latdyr IN A 74.73.86.185
-latdyr IN AAAA 2001:470:8e2e:20:f05b:e3ff:fed9:7a20
+latdyr IN CNAME dragon.orbekk.com.
_acme-challenge IN CNAME _acme-challenge.dynamic.orbekk.com.
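Review bot: `latdyr IN CNAME dragon.orbekk.com.` points at a name that this same commit turns into an alias itself (`dragon IN CNAME dragon.dynamic.orbekk.com.` in db.orbekk.shared.zone, presumably included by the orbekk.com zone), so each lookup follows a two-step chain. Pointing it at the final name, `latdyr IN CNAME dragon.dynamic.orbekk.com.`, removes the extra hop. With the apex A and AAAA records commented out, `kufieta.net` itself no longer resolves to a host while config/web-server.nix still defines a `"kufieta.net"` vhost. A zone comment saying whether that is intended would help.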
diff --git a/data/dns/db.orbekk.com.zone b/data/dns/db.orbekk.com.zone
index e8c9be8..ff699a1 100644
--- a/data/dns/db.orbekk.com.zone
+++ b/data/dns/db.orbekk.com.zone
@@ -8,7 +8,7 @@ fm3._domainkey IN CNAME fm3.orbekk.com.dkim.fmhosted.com.
@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issuewild "letsencrypt.org"
-_matrix._tcp IN SRV 10 0 8448 dragon.orbekk.com.
+; _matrix._tcp IN SRV 10 0 8448 dragon.orbekk.com.
dynamic IN NS kremkake.trygveandre.net.
dynamic IN NS kakespade.trygveandre.net.
diff --git a/data/dns/db.orbekk.shared.zone b/data/dns/db.orbekk.shared.zone
index 0e73abe..4640b8d 100644
--- a/data/dns/db.orbekk.shared.zone
+++ b/data/dns/db.orbekk.shared.zone
@@ -20,25 +20,18 @@ $TTL 600
_acme-challenge IN CNAME _acme-challenge.dynamic.orbekk.com.
-smtp IN CNAME semeai
-
38th IN CNAME orbekk.duckdns.org.
-git IN CNAME dragon
-hydra IN CNAME dragon
-kj IN CNAME dragon
-ympd IN CNAME dragon
-journal IN CNAME dragon
+git IN CNAME dragon.dynamic.orbekk.com.
+hydra IN CNAME dragon.dynamic.orbekk.com.
+kj IN CNAME dragon.dynamic.orbekk.com.
+ympd IN CNAME dragon.dynamic.orbekk.com.
+journal IN CNAME dragon.dynamic.orbekk.com.
raigh IN AAAA 2001:67c:29f4:1008:216:3eff:fe33:4512
-gw IN AAAA 2001:470:8e2e:20::1
-gw IN A 74.73.86.185
-
-dragon IN AAAA 2001:470:8e2e:20::d
-dragon IN A 74.73.86.185
-
-vpn6 IN AAAA 2001:470:8e2e:22:d2bf:9cff:fe45:a6ec
+gw IN CNAME dragon.dynamic.orbekk.com.
+dragon IN CNAME dragon.dynamic.orbekk.com.
;; Records for eo@orbekk.no.
*.dev IN A 95.85.62.224
diff --git a/data/dns/db.tommvo.com.zone b/data/dns/db.tommvo.com.zone
new file mode 100644
index 0000000..6302695
--- /dev/null
+++ b/data/dns/db.tommvo.com.zone
@@ -0,0 +1,11 @@
+$INCLUDE db.orbekk.shared.zone
+$ORIGIN tommvo.com.
+
+; fm1._domainkey IN CNAME fm1.orbekk.no.dkim.fmhosted.com.
+; fm2._domainkey IN CNAME fm2.orbekk.no.dkim.fmhosted.com.
+; fm3._domainkey IN CNAME fm3.orbekk.no.dkim.fmhosted.com.
+
+@ IN CAA 128 issue "letsencrypt.org"
+@ IN CAA 128 issue "buypass.com"
+@ IN CAA 128 issue "buypass.no"
+@ IN CAA 0 issuewild "letsencrypt.org"
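Review bot: The three `issue` records use flags `128` while `issuewild` uses `0`, and the CAA records visible in db.kufieta.net.zone and db.orbekk.com.zone in this commit use `0` throughout. 128 sets the issuer-critical bit; if that is deliberate, a comment should say so, otherwise `@ IN CAA 0 issue "letsencrypt.org"` (and likewise for the buypass entries) keeps the zones consistent. The DKIM CNAMEs are commented out, so a line stating whether this domain is meant to send mail would explain why.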
diff --git a/machines/dragon.nix b/machines/dragon.nix
index 039a947..b613998 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -4,7 +4,8 @@ let
in
{
imports = [
- ../config/minecraft.nix
+ ../config/router.nix
+ #../config/minecraft.nix
../config/acme-sh.nix
../config/mpd.nix
../config/borg-backup.nix
@@ -15,19 +16,19 @@ in
# ../config/hydra.nix
../config/web-server.nix
../config/cgit.nix
- ../config/mail-server.nix
+ # ../config/mail-server.nix
../config/munin-node.nix
../config/munin-master.nix
../config/vpn-server.nix
../config/terraria.nix
- ../config/pjournal.nix
+ # ../config/pjournal.nix
];
- services.pjournal = {
- enable = true;
- port = (import ../data/aliases.nix).services.pjournal.port;
- base_url = "https://journal.orbekk.com";
- };
+ # services.pjournal = {
+ # enable = true;
+ # port = (import ../data/aliases.nix).services.pjournal.port;
+ # base_url = "https://journal.orbekk.com";
+ # };
environment.systemPackages = with pkgs; [ ipmitool ];
@@ -50,11 +51,11 @@ in
boot = {
kernelParams = [ "console=tty0" ''console="ttyS0,115200n8"'' ];
- kernel.sysctl = {
- "net.ipv4.conf.all.forwarding" = true;
- "net.ipv6.conf.all.forwarding" = true;
- "net.ipv6.conf.br0.accept_ra" = 2;
- };
+ #kernel.sysctl = {
+ # "net.ipv4.conf.all.forwarding" = true;
+ # "net.ipv6.conf.all.forwarding" = true;
+ # "net.ipv6.conf.br0.accept_ra" = 2;
+ #};
loader.grub.extraConfig = ''
GRUB_TERMINAL="serial"
@@ -75,24 +76,24 @@ in
firewall.checkReversePath = "loose";
firewall.logRefusedConnections = false;
- useDHCP = false;
- interfaces.br0.useDHCP = true;
- bridges = {
- br0 = {
- interfaces = ["eno2"];
- };
- };
+ # useDHCP = false;
+ # interfaces.br0.useDHCP = true;
+ # bridges = {
+ # br0 = {
+ # interfaces = ["eno2"];
+ # };
+ # };
- dhcpcd.enable = true;
- dhcpcd.extraConfig = ''
- duid
- ipv6ra_noautoconf
- debug
- interface br0
- clientid ${duid}
- ipv6ra_noautoconf
- dhcp6
- '';
+ # dhcpcd.enable = true;
+ # dhcpcd.extraConfig = ''
+ # duid
+ # ipv6ra_noautoconf
+ # debug
+ # interface br0
+ # clientid ${duid}
+ # ipv6ra_noautoconf
+ # dhcp6
+ # '';
};
# Required to enable password authentication for one user.
diff --git a/tools/update-dns.sh b/tools/update-dns.sh
index bce4de4..4c0160c 100755
--- a/tools/update-dns.sh
+++ b/tools/update-dns.sh
@@ -1,5 +1,3 @@
-#!/usr/bin/env bash
-
keyfile=/opt/secret/bind/dynamic.orbekk.com/update/named.conf.key
update() {
@@ -12,7 +10,7 @@ update() {
echo "Update $host to $ip ($type)"
{
- echo server dragon.orbekk.com
+ echo server 2001:470:8e2e:20::d
echo update delete ${host}. ${type}
echo update add ${host}. 300 ${type} ${ip}
echo send
@@ -20,4 +18,11 @@ update() {
}
ip_4="$(ip -br -4 addr list dev eno1 | awk -F' *|/' '{print $3}')"
-update A $(hostname).dynamic.orbekk.com $ip_4
+if [[ -n "$ip_4" ]]; then
+ update A $(hostname).dynamic.orbekk.com $ip_4
+fi
+# IPv6 currently broken on Spectrum :(
+# ip_6="$(ip -br -6 addr list scope global dev eno1 | awk -F' *|/' '{print $3}')"
+# if [[ -n "$ip_6" ]]; then
+# update AAAA $(hostname).dynamic.orbekk.com $ip_6
+# fi
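Review bot: The `[[ -n "$ip_4" ]]` test added here is bash-only, and the first hunk of this file removes the shebang, so the script now depends on its caller being bash. config/router.nix references it with `script = toString ../tools/update-dns.sh;`, which outside pure evaluation puts the working-tree path into the unit rather than a store copy. The service has no `User=` in the visible unit, so it would then run whatever is at that path at start time with the unit's privileges. `script = builtins.readFile ../tools/update-dns.sh;` would pin the reviewed content into the generated unit instead. The arguments should also be quoted, `update A "$(hostname).dynamic.orbekk.com" "$ip_4"`, and an `else` branch that logs to stderr when no address is found would make a skipped update visible in the journal.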