diff --git a/.sops.yaml b/.sops.yaml index abff5a4..7a98d12 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,12 +1,14 @@ keys: - &admin_torjus age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u - &server_ns3 age1uwsyvlhsuucnhadeq675pakp33a2jsdckf378wmudp2yjzy69u5sk822cw + - &server_ns4 age1tc8zdyrm6msghq35k9va4n7c3af2au84txf58ylxa0qyvnrcrdfspyy7mj creation_rules: - path_regex: secrets/[^/]+\.(yaml|json|env|ini) key_groups: - age: - *admin_torjus - *server_ns3 + - *server_ns4 - path_regex: secrets/ns3/[^/]+\.(yaml|json|env|ini) key_groups: - age: diff --git a/flake.nix b/flake.nix index 60f6351..f676248 100644 --- a/flake.nix +++ b/flake.nix @@ -28,6 +28,15 @@ sops-nix.nixosModules.sops ]; }; + ns4 = nixpkgs.lib.nixosSystem { + inherit system; + specialArgs = { inherit inputs self sops-nix; }; + modules = [ + ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; }) + ./hosts/ns4 + sops-nix.nixosModules.sops + ]; + }; template1 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { inherit inputs self sops-nix; }; diff --git a/hosts/ns3/configuration.nix b/hosts/ns3/configuration.nix index 2a14ebf..ac704f5 100644 --- a/hosts/ns3/configuration.nix +++ b/hosts/ns3/configuration.nix @@ -7,6 +7,7 @@ ../../system ../../services/ns/master-authorative.nix + ../../services/ns/resolver.nix ]; nixpkgs.config.allowUnfree = true; @@ -18,7 +19,7 @@ networking.domain = "home.2rjus.net"; networking.useNetworkd = true; networking.useDHCP = false; - services.resolved.enable = true; + services.resolved.enable = false; networking.nameservers = [ "10.69.13.5" "10.69.13.6" diff --git a/hosts/ns3/default.nix b/hosts/ns3/default.nix index 3010802..4cd684a 100644 --- a/hosts/ns3/default.nix +++ b/hosts/ns3/default.nix @@ -1,6 +1,5 @@ { ... }: { imports = [ - ./hardware-configuration.nix ./configuration.nix ]; } diff --git a/hosts/ns4/configuration.nix b/hosts/ns4/configuration.nix new file mode 100644 index 0000000..c1b5942 --- /dev/null +++ b/hosts/ns4/configuration.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ../template/hardware-configuration.nix + + ../../system + ../../services/ns/secondary-authorative.nix + ../../services/ns/resolver.nix + ]; + + nixpkgs.config.allowUnfree = true; + # Use the systemd-boot EFI boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + + networking.hostName = "ns4"; + networking.domain = "home.2rjus.net"; + networking.useNetworkd = true; + networking.useDHCP = false; + services.resolved.enable = false; + networking.nameservers = [ + "10.69.13.5" + "10.69.13.6" + ]; + + systemd.network.enable = true; + systemd.network.networks."ens18" = { + matchConfig.Name = "ens18"; + address = [ + "10.69.13.8/24" + ]; + routes = [ + { routeConfig.Gateway = "10.69.13.1"; } + ]; + linkConfig.RequiredForOnline = "routable"; + }; + time.timeZone = "Europe/Oslo"; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + environment.systemPackages = with pkgs; [ + vim + wget + git + ]; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + networking.firewall.enable = false; + + system.stateVersion = "23.11"; # Did you read the comment? +} + diff --git a/hosts/ns4/default.nix b/hosts/ns4/default.nix new file mode 100644 index 0000000..4cd684a --- /dev/null +++ b/hosts/ns4/default.nix @@ -0,0 +1,5 @@ +{ ... }: { + imports = [ + ./configuration.nix + ]; +} diff --git a/hosts/ns4/hardware-configuration.nix b/hosts/ns4/hardware-configuration.nix new file mode 100644 index 0000000..881ea3c --- /dev/null +++ b/hosts/ns4/hardware-configuration.nix @@ -0,0 +1,36 @@ +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + # boot.kernelModules = [ ]; + # boot.extraModulePackages = [ ]; + + fileSystems."/" = + { + device = "/dev/disk/by-uuid/6889aba9-61ed-4687-ab10-e5cf4017ac8d"; + fsType = "xfs"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/BC07-3B7A"; + fsType = "vfat"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/64e5757b-6625-4dd2-aa2a-66ca93444d23"; }]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 89588f4..6bc2992 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -1,4 +1,5 @@ root_password_hash: ENC[AES256_GCM,data:wk/xEuf+qU3ezmondq9y3OIotXPI/L+TOErTjgJz58wEvQkApYkjc3bHaUTzOrmWjQBgDUENObzPmvQ8WKawUSJRVlpfOEr5TQ==,iv:I8Z3xJz3qoXBD7igx087A1fMwf8d29hQ4JEI3imRXdY=,tag:M80osQeWGG9AAA8BrMfhHA==,type:str] +ns_xfer_key: ENC[AES256_GCM,data:VFpK7GChgFeUgQm31tTvVC888bN0yt6BAnHQa6KUTg4iZGP1WL5Bx6Zp8dY=,iv:9RF1eEc7JBxBebDOKfcDjGS2U7XsHkOW/l52yIP+1LA=,tag:L6DR2QlHOfo02kzfWWCrvg==,type:str] sops: kms: [] gcp_kms: [] @@ -8,23 +9,32 @@ sops: - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjV0NVK0gxOWo4SktsODZq - ZzFSMlhyUHlrOVVZdENBWHR6SVBmRGt2U1hJCjd2dGo4R0t4dTdYL3ZVVnRSWHcz - V01EM2NqaGdZQzNIZkpHOFB5bEZSMmMKLS0tIGs3Z1kwbjVkcW1vYkxPYlI1Vmw5 - WklXUTZ1VVRTRG1SeFNDclpMWWtYSTAKV/Z6aiXi630U6FOzaiEZ2QDAUD+xL8ss - o8syuZqRA6c9yIs9hgzO8PeeJJ4/FuAp6ZCqv/U0goU3cd1WAyvjSw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBabWxBVlVRaXMyWkM1bVBx + RGZCSmxweEpHNk5rUGlYVk1zaFdSS1hOVmpzCnNLbUhNU3JhdEpITnRGV2JCUE1X + dmt0SEhKbm1QYzAzUGU0c1JJTmZKbXcKLS0tIFZ4RktSNzhDY213M2Qyd2lYK2xq + d3BTZHFjUVpHZGdKaS9NTHNDK1BYSUkKizI6eoZu0fuUQSYtq+nDIwXU6vdpgGR3 + qYXF3ktzONvuVL6LL6fLnIUeAuHJPEM2AXCw8z8PraznlxCbhv9VYw== -----END AGE ENCRYPTED FILE----- - recipient: age1uwsyvlhsuucnhadeq675pakp33a2jsdckf378wmudp2yjzy69u5sk822cw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUStBemVxNEhYQnUzK0dM - enJIbCtjcmowbDRQTkE4Z2UyUkd0RXVkdm44CjNrYzM1YjhpTVpVQWlKUUk5ZFdm - dkNNT3prRTlIR2RsVmpEMlh0U1E4Z1UKLS0tIDdpcU9CRGdrbEM5MGZuYkh1TFIr - R0QzMkQwcWhOUXRmcXUrK0FkbDJ4S3cK8hbGg8uyRSpW1TcyAnP9yesh1tTyIVph - wiZJeM1/kDBmVhN0RMsXDsleC2GAYTRUxoAHUBjQSjsi81zy/zZnAw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSempjdm9MOXQyWVlEYU5q + WGZGaG5kWk1jZzRpdDZqMXBlUXAyWUNxeVhnCmo4TGIvN3UwY0lpWFpCNktjQW9a + UlQ0NHBKZkdqUGlZbDdHbkhUeWVoblkKLS0tIDhWUXkvZnR5SXBTTDRXcnVlcHRy + Tmp0RGtkNUZwR0NxS0d1c0ttWmY2a0kKKDDQTKhKv5zJy9gNbtdCWJuV3slQWNSr + T7plMHETUOkUIomRqFntN3u8Yn3dtV5BxhJcsA16jJJBDWAJwb35BQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-07T21:44:19Z" - mac: ENC[AES256_GCM,data:iyDz5zhOf4sQ2js+azNz3hP8W8YcIVRA4xglcRkvPSEmj2EzLm3Zv8XLHXFNIIYDBo2oQasYXaQSOW6rdHt0qwRv7mwTGHKreimTUi0eUAzXLhE8Pfwxk7V3XyuevGWgQc4UnAmmy0FOKaP+Rb74LoVUrXBT/2/Jq2U1pA+IZCA=,iv:LrhI0KWR3YovkjWBltPTA1JFFO2CJMLfdilAWC9V0Wo=,tag:xafFJVGY1zFYnCnr4M0Xvw==,type:str] + - recipient: age1tc8zdyrm6msghq35k9va4n7c3af2au84txf58ylxa0qyvnrcrdfspyy7mj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBES09qM3p1TzhZdG1jNHY5 + Z1hYRWQ3d3dTNGxoM2xRZTRpSEZqU1pMb1JBCkkxVHhoREluVWFteFM1eEI4ZG91 + Z016TGRwM2hadzVqSzFaaEFQRTMvK1UKLS0tIC90bXYwa0NkRmZ5TVBYcWEwelRN + T3BlN0NpK2JqK2wzVFAxZFVoYi9zSnMKaK0XaN4eQ22ucQPXXnQzBT1c/9dViLHe + nFVDm4gsUJFdb3DifhaEQXW0o9XanGiPQEaOGO6WbAQL8Pf09SLsSA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-11T19:25:54Z" + mac: ENC[AES256_GCM,data:GbbdzjkjicbNPoiKXpeAXzkrmQlgLUg90B0ynYfbB9JX0m4W7hfogVJ4Fcx5t+iUeG2LPkCxq7vYnD1+uFJkND1xF0rc9dGi43SBtz74giQTJck8/mK/iWyDdgDlWxtO78ghHMS5OxyapOvk+K2+Ga9zJ1f3S64lc2xqhyVSFfk=,iv:jRDgu1lSuFRv8VeVbiyx+DfywaLlZJ0Xla++M277SBg=,tag:aV757MJJUNg77//tON7h1A==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/services/ns/master-authorative.nix b/services/ns/master-authorative.nix index 64ff986..b423719 100644 --- a/services/ns/master-authorative.nix +++ b/services/ns/master-authorative.nix @@ -1,11 +1,31 @@ -{ ... }: { +{ ... }: +{ + sops.secrets.ns_xfer_key = { + path = "/etc/nsd/xfer.key"; + }; + + networking.firewall.allowedTCPPorts = [ 8053 ]; + networking.firewall.allowedUDPPorts = [ 8053 ]; + services.nsd = { enable = true; port = 8053; + ipv6 = false; + verbosity = 2; + identity = "test.2rjus.net server"; + interfaces = [ "0.0.0.0" ]; + + keys = { + "xferkey" = { + algorithm = "hmac-sha256"; + keyFile = "/etc/nsd/xfer.key"; + }; + }; zones = { - "test.2rjus.net." = { - provideXFR = [ "10.69.0.0/16 NOKEY" ]; + "test.2rjus.net" = { + provideXFR = [ "10.69.13.8 xferkey" ]; + notify = [ "10.69.13.8@8053 xferkey" ]; data = builtins.readFile ./zones-test-2rjus-net.conf; }; }; diff --git a/services/ns/resolver.nix b/services/ns/resolver.nix new file mode 100644 index 0000000..25d9e5c --- /dev/null +++ b/services/ns/resolver.nix @@ -0,0 +1,38 @@ +{ pkgs, ... }: { + networking.firewall.allowedTCPPorts = [ + 53 + ]; + networking.firewall.allowedUDPPorts = [ + 53 + ]; + services.unbound = { + enable = true; + + settings = { + server = { + access-control = [ + "127.0.0.0/8 allow" + "0.0.0.0/0 allow" + ]; + local-zone = "test.2rjus.net nodefault"; + domain-insecure = "test.2rjus.net"; + interface = "0.0.0.0"; + do-not-query-localhost = "no"; + port = "53"; + do-ip4 = "yes"; + do-ip6 = "no"; + do-udp = "yes"; + do-tcp = "yes"; + }; + stub-zone = { + name = "test.2rjus.net"; + stub-addr = "127.0.0.1@8053"; + }; + forward-zone = { + name = "."; + forward-tls-upstream = "yes"; + forward-addr = "1.1.1.1@853#cloudflare-dns.com"; + }; + }; + }; +} diff --git a/services/ns/secondary-authorative.nix b/services/ns/secondary-authorative.nix new file mode 100644 index 0000000..407145d --- /dev/null +++ b/services/ns/secondary-authorative.nix @@ -0,0 +1,31 @@ +{ ... }: +{ + sops.secrets.ns_xfer_key = { + path = "/etc/nsd/xfer.key"; + }; + networking.firewall.allowedTCPPorts = [ 8053 ]; + networking.firewall.allowedUDPPorts = [ 8053 ]; + services.nsd = { + enable = true; + port = 8053; + ipv6 = false; + verbosity = 2; + identity = "test.2rjus.net server"; + interfaces = [ "0.0.0.0" ]; + + keys = { + "xferkey" = { + algorithm = "hmac-sha256"; + keyFile = "/etc/nsd/xfer.key"; + }; + }; + + zones = { + "test.2rjus.net" = { + allowNotify = [ "10.69.13.7 xferkey" ]; + requestXFR = [ "AXFR 10.69.13.7@8053 xferkey" ]; + data = builtins.readFile ./zones-test-2rjus-net.conf; + }; + }; + }; +} diff --git a/services/ns/zones-test-2rjus-net.conf b/services/ns/zones-test-2rjus-net.conf index 4e32472..60f964f 100644 --- a/services/ns/zones-test-2rjus-net.conf +++ b/services/ns/zones-test-2rjus-net.conf @@ -1,7 +1,7 @@ $ORIGIN test.2rjus.net. $TTL 1800 @ IN SOA ns1.test.2rjus.net. admin.test.2rjus.net. ( - 2023 ; serial number + 2024 ; serial number 3600 ; refresh 900 ; retry 1209600 ; expire @@ -36,4 +36,4 @@ media IN A 10.69.31.50 ; 99_MGMT sw1 IN A 10.69.99.2 - +testing IN A 10.69.33.33