torjus/nixos-servers
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Improve ns stuff

Browse Source
This commit is contained in:
Torjus Håkestad 2024-03-11 18:23:01 +01:00
parent e40c987cd0
commit 5b838771e3
12 changed files with 226 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.sops.yaml
View File

@ -1,12 +1,14 @@
keys: keys:
- &admin_torjus age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u - &admin_torjus age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
- &server_ns3 age1uwsyvlhsuucnhadeq675pakp33a2jsdckf378wmudp2yjzy69u5sk822cw - &server_ns3 age1uwsyvlhsuucnhadeq675pakp33a2jsdckf378wmudp2yjzy69u5sk822cw
- &server_ns4 age1tc8zdyrm6msghq35k9va4n7c3af2au84txf58ylxa0qyvnrcrdfspyy7mj
creation_rules: creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini) - path_regex: secrets/[^/]+\.(yaml|json|env|ini)
key_groups: key_groups:
- age: - age:
- *admin_torjus - *admin_torjus
- *server_ns3 - *server_ns3
- *server_ns4
- path_regex: secrets/ns3/[^/]+\.(yaml|json|env|ini) - path_regex: secrets/ns3/[^/]+\.(yaml|json|env|ini)
key_groups: key_groups:
- age: - age:

9
flake.nix
View File

@ -28,6 +28,15 @@
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
]; ];
}; };
ns4 = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs self sops-nix; };
modules = [
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
./hosts/ns4
sops-nix.nixosModules.sops
];
};
template1 = nixpkgs.lib.nixosSystem { template1 = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { inherit inputs self sops-nix; }; specialArgs = { inherit inputs self sops-nix; };

3
hosts/ns3/configuration.nix
View File

@ -7,6 +7,7 @@
../../system ../../system
../../services/ns/master-authorative.nix ../../services/ns/master-authorative.nix
../../services/ns/resolver.nix
]; ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
@ -18,7 +19,7 @@
networking.domain = "home.2rjus.net"; networking.domain = "home.2rjus.net";
networking.useNetworkd = true; networking.useNetworkd = true;
networking.useDHCP = false; networking.useDHCP = false;
services.resolved.enable = true; services.resolved.enable = false;
networking.nameservers = [ networking.nameservers = [
"10.69.13.5" "10.69.13.5"
"10.69.13.6" "10.69.13.6"

1
hosts/ns3/default.nix
View File

@ -1,6 +1,5 @@
{ ... }: { { ... }: {
imports = [ imports = [
./hardware-configuration.nix
./configuration.nix ./configuration.nix
]; ];
} }

56
hosts/ns4/configuration.nix Normal file
View File

@ -0,0 +1,56 @@
{ config, lib, pkgs, ... }:
{
imports =
[
../template/hardware-configuration.nix
../../system
../../services/ns/secondary-authorative.nix
../../services/ns/resolver.nix
];
nixpkgs.config.allowUnfree = true;
# Use the systemd-boot EFI boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "ns4";
networking.domain = "home.2rjus.net";
networking.useNetworkd = true;
networking.useDHCP = false;
services.resolved.enable = false;
networking.nameservers = [
"10.69.13.5"
"10.69.13.6"
];
systemd.network.enable = true;
systemd.network.networks."ens18" = {
matchConfig.Name = "ens18";
address = [
"10.69.13.8/24"
];
routes = [
{ routeConfig.Gateway = "10.69.13.1"; }
];
linkConfig.RequiredForOnline = "routable";
};
time.timeZone = "Europe/Oslo";
nix.settings.experimental-features = [ "nix-command" "flakes" ];
environment.systemPackages = with pkgs; [
vim
wget
git
];
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
system.stateVersion = "23.11"; # Did you read the comment?
}

5
hosts/ns4/default.nix Normal file
View File

@ -0,0 +1,5 @@
{ ... }: {
imports = [
./configuration.nix
];
}

36
hosts/ns4/hardware-configuration.nix Normal file
View File

@ -0,0 +1,36 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
# boot.kernelModules = [ ];
# boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/6889aba9-61ed-4687-ab10-e5cf4017ac8d";
fsType = "xfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/BC07-3B7A";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/64e5757b-6625-4dd2-aa2a-66ca93444d23"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

34
secrets/secrets.yaml
View File

@ -1,4 +1,5 @@
root_password_hash: ENC[AES256_GCM,data:wk/xEuf+qU3ezmondq9y3OIotXPI/L+TOErTjgJz58wEvQkApYkjc3bHaUTzOrmWjQBgDUENObzPmvQ8WKawUSJRVlpfOEr5TQ==,iv:I8Z3xJz3qoXBD7igx087A1fMwf8d29hQ4JEI3imRXdY=,tag:M80osQeWGG9AAA8BrMfhHA==,type:str] root_password_hash: ENC[AES256_GCM,data:wk/xEuf+qU3ezmondq9y3OIotXPI/L+TOErTjgJz58wEvQkApYkjc3bHaUTzOrmWjQBgDUENObzPmvQ8WKawUSJRVlpfOEr5TQ==,iv:I8Z3xJz3qoXBD7igx087A1fMwf8d29hQ4JEI3imRXdY=,tag:M80osQeWGG9AAA8BrMfhHA==,type:str]
ns_xfer_key: ENC[AES256_GCM,data:VFpK7GChgFeUgQm31tTvVC888bN0yt6BAnHQa6KUTg4iZGP1WL5Bx6Zp8dY=,iv:9RF1eEc7JBxBebDOKfcDjGS2U7XsHkOW/l52yIP+1LA=,tag:L6DR2QlHOfo02kzfWWCrvg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -8,23 +9,32 @@ sops:
- recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjV0NVK0gxOWo4SktsODZq YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBabWxBVlVRaXMyWkM1bVBx
ZzFSMlhyUHlrOVVZdENBWHR6SVBmRGt2U1hJCjd2dGo4R0t4dTdYL3ZVVnRSWHcz RGZCSmxweEpHNk5rUGlYVk1zaFdSS1hOVmpzCnNLbUhNU3JhdEpITnRGV2JCUE1X
V01EM2NqaGdZQzNIZkpHOFB5bEZSMmMKLS0tIGs3Z1kwbjVkcW1vYkxPYlI1Vmw5 dmt0SEhKbm1QYzAzUGU0c1JJTmZKbXcKLS0tIFZ4RktSNzhDY213M2Qyd2lYK2xq
WklXUTZ1VVRTRG1SeFNDclpMWWtYSTAKV/Z6aiXi630U6FOzaiEZ2QDAUD+xL8ss d3BTZHFjUVpHZGdKaS9NTHNDK1BYSUkKizI6eoZu0fuUQSYtq+nDIwXU6vdpgGR3
o8syuZqRA6c9yIs9hgzO8PeeJJ4/FuAp6ZCqv/U0goU3cd1WAyvjSw== qYXF3ktzONvuVL6LL6fLnIUeAuHJPEM2AXCw8z8PraznlxCbhv9VYw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1uwsyvlhsuucnhadeq675pakp33a2jsdckf378wmudp2yjzy69u5sk822cw - recipient: age1uwsyvlhsuucnhadeq675pakp33a2jsdckf378wmudp2yjzy69u5sk822cw
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUStBemVxNEhYQnUzK0dM YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSempjdm9MOXQyWVlEYU5q
enJIbCtjcmowbDRQTkE4Z2UyUkd0RXVkdm44CjNrYzM1YjhpTVpVQWlKUUk5ZFdm WGZGaG5kWk1jZzRpdDZqMXBlUXAyWUNxeVhnCmo4TGIvN3UwY0lpWFpCNktjQW9a
dkNNT3prRTlIR2RsVmpEMlh0U1E4Z1UKLS0tIDdpcU9CRGdrbEM5MGZuYkh1TFIr UlQ0NHBKZkdqUGlZbDdHbkhUeWVoblkKLS0tIDhWUXkvZnR5SXBTTDRXcnVlcHRy
R0QzMkQwcWhOUXRmcXUrK0FkbDJ4S3cK8hbGg8uyRSpW1TcyAnP9yesh1tTyIVph Tmp0RGtkNUZwR0NxS0d1c0ttWmY2a0kKKDDQTKhKv5zJy9gNbtdCWJuV3slQWNSr
wiZJeM1/kDBmVhN0RMsXDsleC2GAYTRUxoAHUBjQSjsi81zy/zZnAw== T7plMHETUOkUIomRqFntN3u8Yn3dtV5BxhJcsA16jJJBDWAJwb35BQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-07T21:44:19Z" - recipient: age1tc8zdyrm6msghq35k9va4n7c3af2au84txf58ylxa0qyvnrcrdfspyy7mj
mac: ENC[AES256_GCM,data:iyDz5zhOf4sQ2js+azNz3hP8W8YcIVRA4xglcRkvPSEmj2EzLm3Zv8XLHXFNIIYDBo2oQasYXaQSOW6rdHt0qwRv7mwTGHKreimTUi0eUAzXLhE8Pfwxk7V3XyuevGWgQc4UnAmmy0FOKaP+Rb74LoVUrXBT/2/Jq2U1pA+IZCA=,iv:LrhI0KWR3YovkjWBltPTA1JFFO2CJMLfdilAWC9V0Wo=,tag:xafFJVGY1zFYnCnr4M0Xvw==,type:str] enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBES09qM3p1TzhZdG1jNHY5
Z1hYRWQ3d3dTNGxoM2xRZTRpSEZqU1pMb1JBCkkxVHhoREluVWFteFM1eEI4ZG91
Z016TGRwM2hadzVqSzFaaEFQRTMvK1UKLS0tIC90bXYwa0NkRmZ5TVBYcWEwelRN
T3BlN0NpK2JqK2wzVFAxZFVoYi9zSnMKaK0XaN4eQ22ucQPXXnQzBT1c/9dViLHe
nFVDm4gsUJFdb3DifhaEQXW0o9XanGiPQEaOGO6WbAQL8Pf09SLsSA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-11T19:25:54Z"
mac: ENC[AES256_GCM,data:GbbdzjkjicbNPoiKXpeAXzkrmQlgLUg90B0ynYfbB9JX0m4W7hfogVJ4Fcx5t+iUeG2LPkCxq7vYnD1+uFJkND1xF0rc9dGi43SBtz74giQTJck8/mK/iWyDdgDlWxtO78ghHMS5OxyapOvk+K2+Ga9zJ1f3S64lc2xqhyVSFfk=,iv:jRDgu1lSuFRv8VeVbiyx+DfywaLlZJ0Xla++M277SBg=,tag:aV757MJJUNg77//tON7h1A==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

26
services/ns/master-authorative.nix
View File

@ -1,11 +1,31 @@
{ ... }: { { ... }:
{
sops.secrets.ns_xfer_key = {
path = "/etc/nsd/xfer.key";
};
networking.firewall.allowedTCPPorts = [ 8053 ];
networking.firewall.allowedUDPPorts = [ 8053 ];
services.nsd = { services.nsd = {
enable = true; enable = true;
port = 8053; port = 8053;
ipv6 = false;
verbosity = 2;
identity = "test.2rjus.net server";
interfaces = [ "0.0.0.0" ];
keys = {
"xferkey" = {
algorithm = "hmac-sha256";
keyFile = "/etc/nsd/xfer.key";
};
};
zones = { zones = {
"test.2rjus.net." = { "test.2rjus.net" = {
provideXFR = [ "10.69.0.0/16 NOKEY" ]; provideXFR = [ "10.69.13.8 xferkey" ];
notify = [ "10.69.13.8@8053 xferkey" ];
data = builtins.readFile ./zones-test-2rjus-net.conf; data = builtins.readFile ./zones-test-2rjus-net.conf;
}; };
}; };

38
services/ns/resolver.nix Normal file
View File

@ -0,0 +1,38 @@
{ pkgs, ... }: {
networking.firewall.allowedTCPPorts = [
53
];
networking.firewall.allowedUDPPorts = [
53
];
services.unbound = {
enable = true;
settings = {
server = {
access-control = [
"127.0.0.0/8 allow"
"0.0.0.0/0 allow"
];
local-zone = "test.2rjus.net nodefault";
domain-insecure = "test.2rjus.net";
interface = "0.0.0.0";
do-not-query-localhost = "no";
port = "53";
do-ip4 = "yes";
do-ip6 = "no";
do-udp = "yes";
do-tcp = "yes";
};
stub-zone = {
name = "test.2rjus.net";
stub-addr = "127.0.0.1@8053";
};
forward-zone = {
name = ".";
forward-tls-upstream = "yes";
forward-addr = "1.1.1.1@853#cloudflare-dns.com";
};
};
};
}

31
services/ns/secondary-authorative.nix Normal file
View File

@ -0,0 +1,31 @@
{ ... }:
{
sops.secrets.ns_xfer_key = {
path = "/etc/nsd/xfer.key";
};
networking.firewall.allowedTCPPorts = [ 8053 ];
networking.firewall.allowedUDPPorts = [ 8053 ];
services.nsd = {
enable = true;
port = 8053;
ipv6 = false;
verbosity = 2;
identity = "test.2rjus.net server";
interfaces = [ "0.0.0.0" ];
keys = {
"xferkey" = {
algorithm = "hmac-sha256";
keyFile = "/etc/nsd/xfer.key";
};
};
zones = {
"test.2rjus.net" = {
allowNotify = [ "10.69.13.7 xferkey" ];
requestXFR = [ "AXFR 10.69.13.7@8053 xferkey" ];
data = builtins.readFile ./zones-test-2rjus-net.conf;
};
};
};
}

4
services/ns/zones-test-2rjus-net.conf
View File

@ -1,7 +1,7 @@
$ORIGIN test.2rjus.net. $ORIGIN test.2rjus.net.
$TTL 1800 $TTL 1800
@ IN SOA ns1.test.2rjus.net. admin.test.2rjus.net. ( @ IN SOA ns1.test.2rjus.net. admin.test.2rjus.net. (
2023 ; serial number 2024 ; serial number
3600 ; refresh 3600 ; refresh
900 ; retry 900 ; retry
1209600 ; expire 1209600 ; expire
@ -36,4 +36,4 @@ media IN A 10.69.31.50
; 99_MGMT ; 99_MGMT
sw1 IN A 10.69.99.2 sw1 IN A 10.69.99.2
testing IN A 10.69.33.33