From 51fcf8609bfd3b9585fb0dc3aabfad2a2c623267 Mon Sep 17 00:00:00 2001 From: nostoromo root Date: Sat, 20 Jun 2020 15:36:00 -0700 Subject: [PATCH 1/3] Local changes --- fudo/sites/seattle.nix | 7 ++-- hosts/nostromo.nix | 75 ++++++++++++++++++------------------------ 2 files changed, 37 insertions(+), 45 deletions(-) diff --git a/fudo/sites/seattle.nix b/fudo/sites/seattle.nix index d284f29..83788cd 100644 --- a/fudo/sites/seattle.nix +++ b/fudo/sites/seattle.nix @@ -28,10 +28,13 @@ in { firewall.enable = false; nameservers = nameservers; - defaultGateway = gateway; + # Don't set the gateway if we ARE the gateway. + # This is the most generic way I can think of to do that. local-network is really + # about running all the local servers (DNS, DHCP, and providing gateway). + defaultGateway = optionalString (config.fudo.local-network.enable != true) gateway; # Until Comcast gets it's shit together... :( - enableIPv6 = false; + enableIPv6 = true; }; users.extraUsers = { diff --git a/hosts/nostromo.nix b/hosts/nostromo.nix index d2cd4ec..32d2831 100644 --- a/hosts/nostromo.nix +++ b/hosts/nostromo.nix @@ -3,7 +3,6 @@ let hostname = "nostromo.sea.fudo.org"; host-internal-ip = "10.0.0.1"; - local-gateway = "10.0.0.1"; inherit (lib.strings) concatStringsSep; in { @@ -30,7 +29,7 @@ in { enable = true; # See fudo/sites/seattle.nix for general settings dns-servers = [ host-internal-ip ]; - gateway = local-gateway; + gateway = host-internal-ip; dhcp-interfaces = [ "intif0" ]; dns-serve-ips = [ host-internal-ip "127.0.0.1" "127.0.1.1" ]; # Using a pihole running in docker, see below 
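Review bot: `defaultGateway = optionalString (config.fudo.local-network.enable != true) gateway;` yields the empty string, not null, when this host is the gateway, so `networking.defaultGateway` is set to `""` instead of being left unset; assuming this is NixOS's `networking.defaultGateway`, the cleaner form is `defaultGateway = mkIf (!config.fudo.local-network.enable) gateway;` (or `if config.fudo.local-network.enable then null else gateway`). The `# Until Comcast gets it's shit together... :(` comment now sits above `enableIPv6 = true;` and says the opposite of what the line does; drop it or reword it to say why IPv6 is back on. The enclosing `networking` attribute set starts and ends outside the hunk.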
@@ -39,27 +38,21 @@ in { server-ip = host-internal-ip; }; + fudo.slynk = { + enable = true; + }; + networking = { hostName = hostname; - # defaultGateway = local-gateway; - nameservers = [ host-internal-ip ]; - # Turn off for hypervisor: dhcp by default everywhere is a fuckin pain. - #dhcpcd.enable = true; - # Create a bridge for VMs to use macvlans = { intif0 = { interface = "eno1"; mode = "bridge"; }; - - # extif0 = { - # interface = "eno2"; - # mode = "bridge"; - # }; }; interfaces = { @@ -73,7 +66,6 @@ in { eno2.useDHCP = true; - intif0 = { useDHCP = false; macAddress = "46:54:76:06:f1:10"; @@ -88,10 +80,6 @@ in { } ]; }; - - # extif0 = { - # useDHCP = true; - # }; }; nat = { @@ -121,6 +109,7 @@ in { }; environment.systemPackages = with pkgs; [ + dnsproxy libguestfs-with-appliance libvirt virtmanager @@ -159,9 +148,9 @@ in { "/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" ]; # TODO: DNS-over-HTTPS via cloudflared - extraDockerOptions = [ - "--dns=1.1.1.1" - ]; + # extraDockerOptions = [ + # "--dns=1.1.1.1" + # ]; }; }; @@ -199,32 +188,32 @@ in { }; }; - ceph = { - enable = true; + # ceph = { + # enable = true; - global = { - clusterName = "sea-data"; - clusterNetwork = "10.0.10.0/24"; - fsid = "d443e192-896d-4102-a60f-f8f0777eb2a3"; - monHost = "10.0.10.2"; - monInitialMembers = "mon-1"; - publicNetwork = "10.0.0.0/22"; - }; + # global = { + # clusterName = "sea-data"; + # clusterNetwork = "10.0.10.0/24"; + # fsid = "d443e192-896d-4102-a60f-f8f0777eb2a3"; + # monHost = "10.0.10.2"; + # monInitialMembers = "mon-1"; + # publicNetwork = "10.0.0.0/22"; + # }; - mds = { - enable = true; - daemons = ["srv-2"]; - }; + # mds = { + # enable = true; + # daemons = ["srv-2"]; + # }; - mgr = { - enable = true; - daemons = ["srv-2"]; - }; + # mgr = { + # enable = true; + # daemons = ["srv-2"]; + # }; - mon = { - enable = true; - daemons = ["srv-2"]; - }; - }; + # mon = { + # enable = true; + # daemons = ["srv-2"]; + # }; + # }; }; } 
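Review bot: `fudo.slynk = { enable = true; };` turns on a Slynk REPL server without saying where it listens; if the module's default bind is anything other than loopback, the REPL accepts arbitrary Lisp from any peer that can reach the port, and with `firewall.enable = false` coming from the site config nothing filters it. Set the module's bind address to 127.0.0.1 explicitly in this block (the option name lives in the fudo.slynk module, which is not in this patch), or add a comment saying why a wider bind is intended. The same hunk drops `nameservers = [ host-internal-ip ];` with no replacement visible, so the site-level `nameservers` from seattle.nix presumably take effect and this host stops resolving through its own pihole; a one-line comment stating which is intended would help.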
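Review bot: The `ceph` block is commented out line by line rather than removed, leaving roughly thirty dead lines (cluster name, networks, `fsid`, daemon lists) in the host config; git history keeps the old settings, so delete the block, or keep it live with `enable = false;` if it is expected to come back. The same applies to the `# extraDockerOptions = [ "--dns=1.1.1.1" ]` lines earlier in this file, where the `# TODO: DNS-over-HTTPS via cloudflared` comment above them is now stale as well.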
From 318579ff8aa64d9e668ae1fd8edd0da720ac6644 Mon Sep 17 00:00:00 2001 From: nostoromo root Date: Mon, 22 Jun 2020 11:10:36 -0700 Subject: [PATCH 2/3] Working DNS proxy over HTTPS --- config/fudo/secure-dns-proxy.nix | 62 ++++++++++++++++++++++++++++++++ config/local.nix | 3 +- hosts/nostromo.nix | 13 ++++--- 3 files changed, 73 insertions(+), 5 deletions(-) create mode 100644 config/fudo/secure-dns-proxy.nix diff --git a/config/fudo/secure-dns-proxy.nix b/config/fudo/secure-dns-proxy.nix new file mode 100644 index 0000000..3f481e1 --- /dev/null +++ b/config/fudo/secure-dns-proxy.nix 
@@ -0,0 +1,62 @@ +{ lib, pkgs, config, ... }: + +with lib; +let + cfg = config.fudo.secure-dns-proxy; + +in { + options.fudo.secure-dns-proxy = { + enable = mkEnableOption "Enable a DNS server using an encrypted upstream source."; + + port = mkOption { + type = types.port; + description = "Port on which to listen for DNS queries."; + default = 53; + }; + + upstream-dns = mkOption { + type = with types; listOf str; + description = '' + The upstream DNS services to use, in a format useable by dnsproxy. + + See: https://github.com/AdguardTeam/dnsproxy + ''; + default = ["https://cloudflare-dns.com/dns-query"]; + }; + + bootstrap-dns = mkOption { + type = types.str; + description = "A simple DNS server from which HTTPS DNS can be bootstrapped, if necessary."; + default = "1.1.1.1"; + }; + + listen-ips = mkOption { + type = with types; listOf str; + description = "A list of local IP addresses on which to listen."; + default = ["0.0.0.0"]; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + dnsproxy + ]; + + systemd.services.secure-dns-proxy = { + enable = true; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "DNS Proxy for secure DNS lookups"; + serviceConfig = let + upstreams = map (upstream: "-u ${upstream}") cfg.upstream-dns; + upstream-line = concatStringsSep " " upstreams; + listen-line = concatStringsSep " " + (map (listen: "-l ${listen}") cfg.listen-ips); + cmd = "${pkgs.dnsproxy}/bin/dnsproxy -p ${toString cfg.port} ${upstream-line} ${listen-line} -b ${cfg.bootstrap-dns}"; + + in { + ExecStart = cmd; + }; + }; + }; +} diff --git a/config/local.nix b/config/local.nix index 975917d..0cc9309 100644 --- a/config/local.nix +++ b/config/local.nix @@ -18,8 +18,9 @@ with lib; ./fudo/node-exporter.nix ./fudo/postgres.nix ./fudo/prometheus.nix - ./fudo/system.nix + ./fudo/secure-dns-proxy.nix ./fudo/slynk.nix + ./fudo/system.nix ./fudo/webmail.nix ../fudo/profiles 
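Review bot: `listen-ips` defaults to `["0.0.0.0"]`, so `secure-dns-proxy` answers queries on every interface unless the host overrides it; nostromo's block in the hosts/nostromo.nix hunk of this same patch does not, and the seattle site sets `firewall.enable = false`, so any externally reachable interface on that host becomes an open resolver on port 3535. Default to loopback and make LAN exposure an explicit per-host choice, and run the daemon unprivileged: `ExecStart` is the only `serviceConfig` key, so dnsproxy currently runs as root. Two smaller points: `mkEnableOption` already prefixes "Whether to enable", so the description should read `mkEnableOption "a DNS server using an encrypted upstream source"`, and `enable = true;` inside `systemd.services.secure-dns-proxy` is the default and can go.
```nix
    listen-ips = mkOption {
      type = with types; listOf str;
      description = "A list of local IP addresses on which to listen.";
      default = ["127.0.0.1"];
    };
  # … unchanged: enable/port/upstream-dns/bootstrap-dns options, systemPackages, unit header …
      serviceConfig = let
        # … unchanged: upstream-line, listen-line, cmd …
      in {
        ExecStart = cmd;
        # Drop root; the bind capability is only needed when port < 1024.
        DynamicUser = true;
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
      };
```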
diff --git a/hosts/nostromo.nix b/hosts/nostromo.nix index 32d2831..96277d3 100644 --- a/hosts/nostromo.nix +++ b/hosts/nostromo.nix @@ -102,10 +102,15 @@ in { ]; }; - # secure-dns = { - # enable = true; - # port = 9053; - # }; + secure-dns-proxy = { + enable = true; + port = 3535; + upstream-dns = [ + "https://cloudflare-dns.com/dns-query" + # "https://dns.adguard.com/dns-query" + ]; + bootstrap-dns = "1.1.1.1"; + }; }; environment.systemPackages = with pkgs; [ From acac0ef720870d9baf7a508bb5b8b6a76c43709b Mon Sep 17 00:00:00 2001 From: "root@procul" Date: Mon, 22 Jun 2020 15:29:33 -0500 Subject: [PATCH 3/3] Updated for procul --- fudo/sites/default.nix | 1 + fudo/sites/joes.nix | 57 +++++++++++++++++++++++++++ hosts/procul.nix | 89 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 147 insertions(+) create mode 100644 fudo/sites/joes.nix create mode 100644 hosts/procul.nix diff --git a/fudo/sites/default.nix b/fudo/sites/default.nix index 6caa1b3..fd59359 100644 --- a/fudo/sites/default.nix +++ b/fudo/sites/default.nix @@ -2,6 +2,7 @@ { imports = [ + ./joes.nix ./portage.nix ./seattle.nix ]; diff --git a/fudo/sites/joes.nix b/fudo/sites/joes.nix new file mode 100644 index 0000000..ad2d576 --- /dev/null +++ b/fudo/sites/joes.nix 
@@ -0,0 +1,57 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + admin = "admin@fudo.org"; + + nameservers = [ + "1.1.1.1" + "2606:4700:4700::1111" + ]; + + hostname = config.networking.hostName; + + gateway = "172.86.179.17"; + +in { + config = mkIf (config.fudo.common.site == "joes") { + time.timeZone = "America/Winnipeg"; + + services.cron = { + mailto = admin; + }; + + networking = { + domain = "fudo.org"; + search = ["fudo.org"]; + firewall.enable = false; + nameservers = nameservers; + + defaultGateway = gateway; + # defaultGateway6 = gateway6; + }; + + fudo.node-exporter = { + enable = true; + hostname = hostname; + }; + + security.acme.certs.${hostname} = { + email = "admin@fudo.org"; + # plugins = [ + # "fullchain.pem" + # "full.pem" + # "key.pem" + # "chain.pem" + # "cert.pem" + # ]; + }; + + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + }; + }; +} diff --git a/hosts/procul.nix b/hosts/procul.nix new file mode 100644 index 0000000..ef15a4f --- /dev/null +++ b/hosts/procul.nix 
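Review bot: `firewall.enable = false;` in the new `joes` site applies to every host that selects it, and the `gateway = "172.86.179.17"` here (and procul's `172.86.179.18/29` in the next file of this patch) are publicly routable, so every listener on such a host — the nginx enabled below and anything else the host turns on — is reachable from the internet with no packet filter. Keep the firewall on and open only what is needed, e.g. `firewall.allowedTCPPorts = [ 80 443 ];`. Separately, `security.acme.certs.${hostname}` keys the certificate on `config.networking.hostName`, which procul sets to the bare `"procul"`; a public CA cannot validate a short name, so this should use the FQDN (and `email = "admin@fudo.org"` can reuse the `admin` binding).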
@@ -0,0 +1,89 @@ +{ config, pkgs, lib, ... }: + +with lib; +let + hostname = "procul"; + mail-hostname = hostname; + host_ipv4 = "172.86.179.18"; + all-hostnames = []; + + acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem"; + acme-certificate = hostname: "/var/lib/acme/${hostname}/fullchain.pem"; + acme-ca = "/etc/nixos/static/letsencryptauthorityx3.pem"; + + fudo-ca = "/etc/nixos/static/fudo_ca.pem"; + +in { + + boot.loader.grub = { + enable = true; + version = 2; + device = "/dev/sdb"; + }; + + imports = [ + ../hardware-configuration.nix + + ../defaults.nix + ]; + + fudo.common = { + # Sets some server-common settings. See /etc/nixos/fudo/profiles/... + profile = "server"; + + # Sets some common site-specific settings: gateway, monitoring, etc. See /etc/nixos/fudo/sites/... + site = "joes"; + + local-networks = [ + "172.86.179.18/29" + "208.81.1.128/28" + "208.81.3.112/28" + "172.17.0.0/16" + "127.0.0.0/8" + ]; + }; + + environment.systemPackages = with pkgs; [ + multipath-tools + ]; + + # Not all users need access to procul; don't allow LDAP-user access. + fudo.authentication.enable = false; + + # TODO: not used yet + fudo.acme.hostnames = all-hostnames; + + networking = { + hostName = hostname; + + dhcpcd.enable = false; + useDHCP = false; + + # TODO: fix IPv6 + enableIPv6 = true; + + # Create a bridge for VMs to use + macvlans = { + extif0 = { + interface = "enp0s25"; + mode = "bridge"; + }; + }; + + interfaces = { + extif0 = { + # result of: + # echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' + macAddress = "02:e2:b7:db:e8:af"; + ipv4.addresses = [ + { + address = host_ipv4; + prefixLength = 29; + } + ]; + }; + }; + }; + + hardware.bluetooth.enable = false; +}
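Review bot: `mail-hostname`, `acme-private-key`, `acme-certificate`, `acme-ca` and `fudo-ca` are bound in the `let` but never used anywhere in this file, so they are dead code that still hard-codes paths under `/var/lib/acme` and `/etc/nixos/static`; drop them or wire them up. `fudo.common.local-networks` mixes this host's own /29 with two unrelated public /28s and Docker's entire `172.17.0.0/16`; if the module treats these as trusted networks (its semantics are not in this patch), that is a much wider trust set than "local", and a comment naming what each range is would make the intent reviewable. `enableIPv6 = true;` under `# TODO: fix IPv6` with no IPv6 address or gateway on `extif0` has no effect beyond link-local; fine to keep, but the comment should say so.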