dns use tailscale #164

Merged
DarkKirb merged 6 commits from dns-use-tailscale into main 2023-02-03 19:57:01 +00:00
11 changed files with 166 additions and 95 deletions


@ -50,7 +50,7 @@
"systemd"
"tcpstat"
];
listenAddress = (import ../utils/getInternalIP.nix config).listenIP;
listenAddress = "0.0.0.0";
};
networking.firewall.interfaces."wg0".allowedTCPPorts = [config.services.prometheus.exporters.node.port];
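Review bot: `listenAddress = "0.0.0.0"` on the new line widens the node exporter from a single WireGuard address to every interface, while the firewall rule on the unchanged line that follows still opens the port only on `wg0`; the same widening appears in the dovecot exporter (`listenAddress = "0.0.0.0"`) and the postgres exporter, and the bind exporter simply loses its `listenAddress` line, which in the NixOS exporter modules falls back to the same `0.0.0.0` default, I believe. Reachability over the tailnet therefore depends on something not in this diff — `tailscale0` being a trusted interface or a per-interface allow rule — and if the firewall is disabled or the host has a public interface, the exporters are exposed to it. Prefer an explicit `networking.firewall.interfaces."tailscale0".allowedTCPPorts = [config.services.prometheus.exporters.node.port];` next to the existing `wg0` rule, plus a comment on the `listenAddress` line stating that exposure is governed by the firewall rather than the bind address.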


@ -3,7 +3,6 @@
config,
...
}: let
inherit ((import ../../utils/getInternalIP.nix config)) listenIP;
sieves = import ../../packages/sieves.nix pkgs;
in {
nixpkgs.overlays = [
@ -135,7 +134,7 @@ in {
};
services.prometheus.exporters.dovecot = {
enable = true;
listenAddress = listenIP;
listenAddress = "0.0.0.0";
};
sops.secrets."services/dovecot/rspamd_password" = {owner = "dovecot";};
sops.secrets."services/dovecot/dovecot-sql.conf.ext" = {owner = "dovecot";};


@ -4,12 +4,6 @@
lib,
...
}: let
inherit ((import ../../utils/getInternalIP.nix config)) listenIPs;
listenStatements =
lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs)
+ ''
add_header Alt-Svc 'h3=":443"';
'';
split-system = pkgs.lib.strings.splitString "-" pkgs.system;
in {
systemd.services.drone-server = {
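Review bot: Deleting `listenStatements` from the `let` block drops the `listen ${ip}:443 http3;` directives and the `Alt-Svc` header with no Tailscale-address replacement, so HTTP/3 is no longer offered by this host; the same binding is deleted in the next two files. That is presumably deliberate because Tailscale addresses are not known to the NixOS configuration, but if h3 is still wanted an interface-independent `listen [::]:443 http3;` scoped by the firewall would restore it without hard-coding addresses. Where `listenStatements` was interpolated lies outside this hunk, so I cannot confirm from the diff that the consumer was updated in the same change.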


@ -3,14 +3,7 @@
config,
pkgs,
...
}: let
inherit ((import ../../utils/getInternalIP.nix config)) listenIPs;
listenStatements =
lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs)
+ ''
add_header Alt-Svc 'h3=":443"';
'';
in {
}: {
imports = [
./prometheus.nix
];


@ -6,12 +6,6 @@
pkgs,
...
}: let
inherit ((import ../../utils/getInternalIP.nix config)) listenIPs;
listenStatements =
lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs)
+ ''
add_header Alt-Svc 'h3=":443"';
'';
clean-cache = nix-packages.packages.${system}.clean-s3-cache;
machines = pkgs.writeText "machines" ''
localhost armv7l-linux,powerpc-linux,powerpc64-linux,powerpc64le-linux,riscv32-linux,riscv64-linux,wasm32-wasi,x86_64-linux,i686-linux - 12 1 kvm,nixos-test,big-parallel,benchmark,gccarch-znver1,gccarch-skylake,ca-derivations -


@ -5,12 +5,9 @@
hosts-list,
...
}: let
internalIP = import ../../utils/getInternalIP.nix config;
createListenEntry = ip: "inet ${ip} port 8653 allow { any; };";
listenEntries = builtins.map createListenEntry internalIP.listenIPsBare;
mkZone = name: {
master = false;
masters = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
masters = ["100.119.226.33" "fd7a:115c:a1e0:ab12:4843:cd96:6277:e221"];
file = "/var/lib/named/${name}";
};
in {
@ -25,7 +22,7 @@ in {
};
extraConfig = ''
statistics-channels {
${toString listenEntries}
inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
};
'';
extraOptions = ''
@ -33,10 +30,11 @@ in {
127.0.0.1;
::1;
fc00::/7;
100.0.0.0/8;
};
recursion yes;
dnssec-validation yes;
allow-notify { 130.162.60.127; 2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49; 138.201.155.128; 2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49; fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49; };
allow-notify { 130.162.60.127; 2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49; 138.201.155.128; 2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49; fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49; 100.119.226.33; fd7a:115c:a1e0:ab12:4843:cd96:6277:e221; };
response-policy {zone "rpz.int.chir.rs";};
'';
};
@ -45,8 +43,7 @@ in {
services.prometheus.exporters.bind = {
enable = true;
bindGroups = ["server" "view" "tasks"];
bindURI = "http://${internalIP.listenIP}:8653/";
listenAddress = internalIP.listenIP;
bindURI = "http://127.0.0.1:8653/";
};
systemd.tmpfiles.rules = [
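Review bot: `100.0.0.0/8;` added to the address-match list that closes just above `recursion yes;` (the directive opening that list is above the hunk) is far wider than the Tailscale range: Tailscale assigns addresses from `100.64.0.0/10` (the CGNAT block), whereas `100.0.0.0/8` also admits the publicly routed `100.0.0.0/10` and `100.128.0.0/9`. If that list is the recursion or query ACL and the resolver also has a listener reachable from outside the tailnet, any Internet client in those public ranges would be granted service. Change the line to `100.64.0.0/10;` here and in the primary's configuration, where the same line is added.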


@ -5,9 +5,6 @@
hosts-list,
...
}: let
internalIP = import ../../utils/getInternalIP.nix config;
createListenEntry = ip: "inet ${ip} port 8653 allow { any; };";
listenEntries = builtins.map createListenEntry internalIP.listenIPsBare;
darkkirb-de = import ../../zones/darkkirb.de.nix {inherit dns;};
chir-rs = import ../../zones/chir.rs.nix {inherit dns;};
int-chir-rs = import ../../zones/int.chir.rs.nix {inherit dns;};
@ -52,8 +49,8 @@ in {
"darkkirb.de" = {
master = true;
file = "/var/lib/named/darkkirb.de";
slaves = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453"];
extraConfig = "also-notify {fd0d:a262:1fa6:e621:746d:4523:5c04:1453;};";
slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];
extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";
};
"_acme-challenge.darkkirb.de" = {
master = true;
@ -67,8 +64,8 @@ in {
"chir.rs" = {
master = true;
file = "/var/lib/named/chir.rs";
slaves = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453"];
extraConfig = "also-notify {fd0d:a262:1fa6:e621:746d:4523:5c04:1453;};";
slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];
extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";
};
"_acme-challenge.chir.rs" = {
master = true;
@ -82,8 +79,8 @@ in {
"int.chir.rs" = {
master = true;
file = "/var/lib/named/int.chir.rs";
slaves = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453"];
extraConfig = "also-notify {fd0d:a262:1fa6:e621:746d:4523:5c04:1453;};";
slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];
extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";
};
"_acme-challenge.int.chir.rs" = {
master = true;
@ -97,8 +94,8 @@ in {
"shitallover.me" = {
master = true;
file = "/var/lib/named/shitallover.me";
slaves = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453"];
extraConfig = "also-notify {fd0d:a262:1fa6:e621:746d:4523:5c04:1453;};";
slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];
extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";
};
"_acme-challenge.shitallover.me" = {
master = true;
@ -112,13 +109,13 @@ in {
"rpz.int.chir.rs" = {
master = true;
file = "${rpz-int-chir-rs}";
slaves = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453"];
extraConfig = "also-notify {fd0d:a262:1fa6:e621:746d:4523:5c04:1453;};";
slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];
extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";
};
};
extraConfig = ''
statistics-channels {
${toString listenEntries}
inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
};
include "/run/secrets/services/dns/named-keys";
'';
@ -127,10 +124,11 @@ in {
127.0.0.1;
::1;
fc00::/7;
100.0.0.0/8;
};
recursion yes;
dnssec-validation yes;
allow-transfer { fd0d:a262:1fa6:e621:746d:4523:5c04:1453; };
also-transfer {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};
notify-delay 0;
response-policy {zone "rpz.int.chir.rs";};
'';
@ -140,8 +138,7 @@ in {
services.prometheus.exporters.bind = {
enable = true;
bindGroups = ["server" "view" "tasks"];
bindURI = "http://${internalIP.listenIP}:8653/";
listenAddress = internalIP.listenIP;
bindURI = "http://127.0.0.1:8653/";
};
sops.secrets."services/dns/named-keys" = {owner = "named";};
}
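Review bot: `also-transfer {fd7a:...; 100.99.173.107;};` replaces the former `allow-transfer { ... };`, but as far as I know BIND has no `also-transfer` option (the similarly named ones are `allow-transfer` and `also-notify`), so `named-checkconf` should reject the options block, and were the line ever ignored instead, transfers would fall back to BIND's default `allow-transfer` policy, which in older releases is `any`. The line should read `allow-transfer { fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107; };`, matching the per-zone `also-notify` entries above it. Binding the statistics channel to `inet 127.0.0.1 port 8653 allow { 127.0.0.1; };` with `bindURI = "http://127.0.0.1:8653/"` is a sound tightening; a short comment noting that the exporter scrapes over loopback, so the channel need not be reachable from the tailnet, would help the next reader.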


@ -19,7 +19,7 @@
services.prometheus.exporters.postgres = {
enable = true;
user = "postgres";
listenAddress = (import ../../utils/getInternalIP.nix config).listenIP;
listenAddress = "0.0.0.0";
};
networking.firewall.interfaces."wg0".allowedTCPPorts = [9187 5432];
}


@ -7,8 +7,96 @@
// Access control lists.
"acls": [
// Match absolutely everything.
// Comment this section out if you want to define specific restrictions.
{ "action": "accept", "users": ["*"], "ports": ["*:*"] }
]
// Allow DNS access to the DNS servers
{
"action": "accept",
"src": ["*"],
"dst": ["tag:dnsserver:53"]
},
// Allow ssh access to build devices
{
"action": "accept",
"src": ["autogroup:members"],
"dst": ["tag:buildserver:22"]
},
// Allow all development devices to connect via ssh
{
"action": "accept",
"src": ["tag:devDevice"],
"dst": ["*:22"]
},
// http servers running on the servers can be accessed
{
"action": "accept",
"src": ["*"],
"dst": ["tag:server:80", "tag:server:443"]
},
// members can access email server
{
"action": "accept",
"src": ["autogroup:members"],
"dst": [
"tag:nixos-8gb-fsn1-1:25", // SMTP
"tag:nixos-8gb-fsn1-1:110", // POP3
"tag:nixos-8gb-fsn1-1:143", // IMAP
"tag:nixos-8gb-fsn1-1:465", // Submission
"tag:nixos-8gb-fsn1-1:587", // SMTPS
"tag:nixos-8gb-fsn1-1:993", // IMAPS
"tag:nixos-8gb-fsn1-1:995" // POP3S
]
},
// Prometheus scrapers
{
"action": "accept",
"src": ["tag:nixos-8gb-fsn1-1"],
"dst": [
"*:9100", // node exporter
"*:28183",
":41115", // promtail
"tag:dnsserver:9119", // bind
"tag:nixos-8gb-fsn1-1:9000", // matrix mediaa repo
"tag:nas:9102", // statsd-exporter
"tag:nixos-8gb-fsn1-1:3100", // loki
"tag:server:9187", // postgres
"tag:nutty-noon:9187"
]
},
// postgres and redis
{
"action": "accept",
"src": ["tag:instance-20221213-1915"],
"dst": ["tag:nixos-8gb-fsn1-1:5432", "tag:nixos-8gb-fsn1-1:53538"]
},
// syncthing
{
"action": "accept",
"src": ["tag:syncthing"],
"dst": ["tag:syncthing:22000"]
},
// syncthing admin panel, cups
{
"action": "accept",
"src": ["tag:devDevice"],
"dst": ["tag:nas:8384", "tag:nas:631"]
}
],
"tagOwners": {
"tag:instance-20221213-1915": ["DarkKirb@github"],
"tag:nixos-8gb-fsn1-1": ["DarkKirb@github"],
"tag:nas": ["DarkKirb@github"],
"tag:moto-g82-5g": ["DarkKirb@github"],
"tag:nutty-noon": ["DarkKirb@github"],
"tag:thinkrac": ["DarkKirb@github"],
"tag:dnsserver": ["DarkKirb@github"],
"tag:buildserver": ["DarkKirb@github"],
"tag:devDevice": ["DarkKirb@github"],
"tag:server": ["DarkKirb@github"],
"tag:syncthing": ["DarkKirb@github"]
}
}
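Review bot: `":41115", // promtail` in the Prometheus scrapers rule has no host part, unlike every other destination in this policy (`*:9100`, `tag:dnsserver:9119`, …); Tailscale destinations are `host:port`, so I expect the policy to be rejected on save, or at best the promtail entry to be ineffective. If the intent is every node, it should be `"*:41115", // promtail`. `"*:28183"` on the line above is the only destination without a comment naming its service, and `"tag:nixos-8gb-fsn1-1:53538"` in the postgres/redis rule deserves one too, since the value of replacing the former `"ports": ["*:*"]` rule is that each opening is reviewable. The `"src": ["tag:devDevice"], "dst": ["*:22"]` rule grants SSH to every tailnet node from any device carrying the tag, so membership of `tag:devDevice` is the effective SSH boundary and is worth a comment saying so.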


@ -1,9 +0,0 @@
config: let
removeCIDR = cidr: builtins.elemAt (builtins.split "/" cidr) 0;
filterIPsBare = builtins.map removeCIDR;
filterIPs = builtins.map (f: "[${removeCIDR f}]");
in rec {
listenIPs = filterIPs config.networking.wireguard.interfaces."wg0".ips;
listenIPsBare = filterIPsBare config.networking.wireguard.interfaces."wg0".ips;
listenIP = builtins.elemAt listenIPs 0;
}


@ -15,7 +15,7 @@ in {
SOA = {
nameServer = "ns1.chir.rs.";
adminEmail = "lotte@chir.rs";
serial = 20;
serial = 21;
};
NS = [
"ns1.chir.rs."
@ -52,8 +52,11 @@ in {
];
};
nixos-8gb-fsn1-1 = {
A = [
(ttl zoneTTL (a "100.119.226.33"))
];
AAAA = [
(ttl zoneTTL (aaaa "fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"))
(ttl zoneTTL (aaaa "fd7a:115c:a1e0:ab12:4843:cd96:6277:e221"))
];
SSHFP = [
{
@ -82,33 +85,34 @@ in {
}
];
/*
subdomains = {
_tcp.subdomains."*".TLSA = [
{
certUsage = "dane-ee";
selector = "spki";
match = "sha256";
certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f";
ttl = zoneTTL;
}
];
_udp.subdomains."*".TLSA = [
{
certUsage = "dane-ee";
selector = "spki";
match = "sha256";
certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f";
ttl = zoneTTL;
}
];
};
*/
subdomains = {
_tcp.subdomains."*".TLSA = [
{
certUsage = "dane-ee";
selector = "spki";
match = "sha256";
certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f";
ttl = zoneTTL;
}
];
_udp.subdomains."*".TLSA = [
{
certUsage = "dane-ee";
selector = "spki";
match = "sha256";
certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f";
ttl = zoneTTL;
}
];
};
*/
HTTPS = [
{
svcPriority = 1;
targetName = ".";
alpn = ["http/1.1" "h2" "h3"];
ipv6hint = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
ipv4hint = ["100.119.226.33"];
ipv6hint = ["fd7a:115c:a1e0:ab12:4843:cd96:6277:e221"];
ttl = zoneTTL;
}
];
@ -134,8 +138,11 @@ in {
];
};
nutty-noon = {
A = [
(ttl zoneTTL (a "100.105.131.79"))
];
AAAA = [
(ttl zoneTTL (aaaa "fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437"))
(ttl zoneTTL (aaaa "fd7a:115c:a1e0:ab12:4843:cd96:6269:834f"))
];
SSHFP = [
{
@ -169,7 +176,8 @@ in {
svcPriority = 1;
targetName = ".";
alpn = ["http/1.1" "h2" "h3"];
ipv6hint = ["fd0d:a262:1fa6:e621:47e6:24d4:2acb:9437"];
ipv4hint = ["100.105.131.79"];
ipv6hint = ["fd7a:115c:a1e0:ab12:4843:cd96:6269:834f"];
ttl = zoneTTL;
}
];
@ -194,12 +202,16 @@ in {
}
];
};
thinkrac.AAAA = [
(ttl zoneTTL (aaaa "fd0d:a262:1fa6:e621:f45a:db9f:eb7c:1a3f"))
];
nas = {
thinkrac = {
A = [(ttl zoneTTL (a "100.75.9.4"))];
AAAA = [
(ttl zoneTTL (aaaa "fd0d:a262:1fa6:e621:bc9b:6a33:86e4:873b"))
(ttl zoneTTL (aaaa "fd7a:115c:a1e0:ab12:4843:cd96:624b:904"))
];
};
nas = {
A = [(ttl zoneTTL (a "100.99.129.7"))];
AAAA = [
(ttl zoneTTL (aaaa "fd7a:115c:a1e0:ab12:4843:cd96:6263:8107"))
];
SSHFP = [
{
@ -233,7 +245,8 @@ in {
svcPriority = 1;
targetName = ".";
alpn = ["http/1.1" "h2" "h3"];
ipv6hint = ["fd0d:a262:1fa6:e621:bc9b:6a33:86e4:873b"];
ipv4hint = ["100.99.129.7"];
ipv6hint = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:8107"];
ttl = zoneTTL;
}
];
@ -258,7 +271,12 @@ in {
}
];
};
instance-20221213-1915.AAAA = [(ttl zoneTTL (aaaa "fd0d:a262:1fa6:e621:746d:4523:5c04:1453"))];
instance-20221213-1915 = {
A = [(ttl zoneTTL (a "100.99.173.107"))];
AAAA = [
(ttl zoneTTL (aaaa "fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b"))
];
};
grafana.CNAME = [(ttl zoneTTL (cname "nixos-8gb-fsn1-1"))];
minio.CNAME = [(ttl zoneTTL (cname "nixos-8gb-fsn1-1"))];