Should work locally for sea.fudo.org (gateway, kerberos fixes)

root 2020-06-25 20:51:43 -07:00
commit 705fa12391
7 changed files with 258 additions and 52 deletions


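--- a/fudo/secure-dns-proxy.nix
+++ b/fudo/secure-dns-proxy.nix
@@ -0,0 +1,62 @@
+{ lib, pkgs, config, ... }:
+with lib;
+let
+cfg = config.fudo.secure-dns-proxy;
+in {
+options.fudo.secure-dns-proxy = {
+enable = mkEnableOption "Enable a DNS server using an encrypted upstream source.";
+port = mkOption {
+type = types.port;
+description = "Port on which to listen for DNS queries.";
+default = 53;
+};
+upstream-dns = mkOption {
+type = with types; listOf str;
+description = ''
+The upstream DNS services to use, in a format useable by dnsproxy.
+See: https://github.com/AdguardTeam/dnsproxy
+'';
+default = ["https://cloudflare-dns.com/dns-query"];
+};
+bootstrap-dns = mkOption {
+type = types.str;
+description = "A simple DNS server from which HTTPS DNS can be bootstrapped, if necessary.";
+default = "1.1.1.1";
+};
+listen-ips = mkOption {
+type = with types; listOf str;
+description = "A list of local IP addresses on which to listen.";
+default = ["0.0.0.0"];
+};
+};
+config = mkIf cfg.enable {
+environment.systemPackages = with pkgs; [
+dnsproxy
+];
+systemd.services.secure-dns-proxy = {
+enable = true;
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+description = "DNS Proxy for secure DNS lookups";
+serviceConfig = let
+upstreams = map (upstream: "-u ${upstream}") cfg.upstream-dns;
+upstream-line = concatStringsSep " " upstreams;
+listen-line = concatStringsSep " "
+(map (listen: "-l ${listen}") cfg.listen-ips);
+cmd = "${pkgs.dnsproxy}/bin/dnsproxy -p ${toString cfg.port} ${upstream-line} ${listen-line} -b ${cfg.bootstrap-dns}";
+in {
+ExecStart = cmd;
+};
+};
+};
+}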
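Review bot: `listen-ips` defaults to `["0.0.0.0"]`, so every host that enables this module gets a resolver bound on all interfaces, and the unit sets no `User`/`DynamicUser`, so dnsproxy runs as root just to bind port 53. The option values are also spliced into `ExecStart` as raw strings in the `cmd` binding, so an upstream URL or listen address containing whitespace or quotes is word-split by systemd instead of being passed as one argument. I would default `listen-ips` to `["127.0.0.1"]` (a host that wants a LAN-facing resolver sets it explicitly), build the command with `escapeShellArgs`, and run the service as a dynamic user holding only `CAP_NET_BIND_SERVICE`. Separately, `mkEnableOption` already prefixes "Whether to enable ", so the description should be a noun phrase such as `"a DNS proxy that forwards queries to encrypted upstreams"` rather than a sentence starting with "Enable".
```nix
default = ["127.0.0.1"];
# … unchanged: other options, config.enable guard, systemPackages, wantedBy/after/description …
serviceConfig = {
  ExecStart = escapeShellArgs ([
    "${pkgs.dnsproxy}/bin/dnsproxy" "-p" (toString cfg.port)
    "-b" cfg.bootstrap-dns
  ] ++ concatMap (upstream: [ "-u" upstream ]) cfg.upstream-dns
    ++ concatMap (listen: [ "-l" listen ]) cfg.listen-ips);
  DynamicUser = true;
  AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
};
```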


@ -18,8 +18,9 @@ with lib;
./fudo/node-exporter.nix ./fudo/node-exporter.nix
./fudo/postgres.nix ./fudo/postgres.nix
./fudo/prometheus.nix ./fudo/prometheus.nix
./fudo/system.nix ./fudo/secure-dns-proxy.nix
./fudo/slynk.nix ./fudo/slynk.nix
./fudo/system.nix
./fudo/webmail.nix ./fudo/webmail.nix
../fudo/profiles ../fudo/profiles


@ -2,6 +2,7 @@
{ {
imports = [ imports = [
./joes.nix
./portage.nix ./portage.nix
./seattle.nix ./seattle.nix
]; ];

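--- a/fudo/sites/joes.nix
+++ b/fudo/sites/joes.nix
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+admin = "admin@fudo.org";
+nameservers = [
+"1.1.1.1"
+"2606:4700:4700::1111"
+];
+hostname = config.networking.hostName;
+gateway = "172.86.179.17";
+in {
+config = mkIf (config.fudo.common.site == "joes") {
+time.timeZone = "America/Winnipeg";
+services.cron = {
+mailto = admin;
+};
+networking = {
+domain = "fudo.org";
+search = ["fudo.org"];
+firewall.enable = false;
+nameservers = nameservers;
+defaultGateway = gateway;
+# defaultGateway6 = gateway6;
+};
+fudo.node-exporter = {
+enable = true;
+hostname = hostname;
+};
+security.acme.certs.${hostname} = {
+email = "admin@fudo.org";
+# plugins = [
+# "fullchain.pem"
+# "full.pem"
+# "key.pem"
+# "chain.pem"
+# "cert.pem"
+# ];
+};
+services.nginx = {
+enable = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedTlsSettings = true;
+};
+};
+}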
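Review bot: `firewall.enable = false;` in the site-wide `networking` block switches the host firewall off for every machine that selects `site = "joes"`, and the only such machine in this commit (`procul`) sits on a public address while this same profile enables nginx on it. Defaulting the site to the firewall on with only the web ports open, `firewall = { enable = true; allowedTCPPorts = [ 80 443 ]; };`, and letting an individual host widen it is the safer direction; if disabling it is deliberate, a comment stating why belongs on that line. Minor: `email = "admin@fudo.org"` under `security.acme.certs` repeats the `admin` binding at the top of the file, so `email = admin;` keeps the two from drifting apart. The commented-out `plugins` list under the ACME cert is dead configuration; drop it or say why it is kept.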


@ -28,10 +28,12 @@ in {
firewall.enable = false; firewall.enable = false;
nameservers = nameservers; nameservers = nameservers;
defaultGateway = gateway; # Don't set the gateway if we ARE the gateway.
# This is the most generic way I can think of to do that. local-network is really
# about running all the local servers (DNS, DHCP, and providing gateway).
defaultGateway = optionalString (config.fudo.local-network.enable != true) gateway;
# Until Comcast gets it's shit together... :( enableIPv6 = true;
enableIPv6 = false;
# Necessary to make sure than Kerberos and Avahi both work (the former # Necessary to make sure than Kerberos and Avahi both work (the former
# needs the full reverse-lookup name of the server, the latter wants # needs the full reverse-lookup name of the server, the latter wants
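Review bot: `defaultGateway = optionalString (config.fudo.local-network.enable != true) gateway;` produces the empty string on the gateway host, which only works as long as the NixOS networking scripts happen to skip an empty gateway address; `networking.defaultGateway` is nullable, and leaving it unset is the documented way to say "no default gateway". `defaultGateway = mkIf (!config.fudo.local-network.enable) gateway;` expresses that directly (assuming `fudo.local-network.enable` is a plain bool, as the `!= true` comparison suggests). The switch to `enableIPv6 = true` also drops the comment that explained why it had been off; a one-line note on why it is safe to turn back on now would preserve that history. The enclosing `networking` block starts before this hunk.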


@ -1,9 +1,8 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
let let
hostname = "nostromo.sea.fudo.org"; hostname = "nostromo";
host-internal-ip = "10.0.0.1"; host-internal-ip = "10.0.0.1";
local-gateway = "10.0.0.1";
inherit (lib.strings) concatStringsSep; inherit (lib.strings) concatStringsSep;
in { in {
@ -30,7 +29,7 @@ in {
enable = true; enable = true;
# See fudo/sites/seattle.nix for general settings # See fudo/sites/seattle.nix for general settings
dns-servers = [ host-internal-ip ]; dns-servers = [ host-internal-ip ];
gateway = local-gateway; gateway = host-internal-ip;
dhcp-interfaces = [ "intif0" ]; dhcp-interfaces = [ "intif0" ];
dns-serve-ips = [ host-internal-ip "127.0.0.1" "127.0.1.1" ]; dns-serve-ips = [ host-internal-ip "127.0.0.1" "127.0.1.1" ];
# Using a pihole running in docker, see below # Using a pihole running in docker, see below
@ -39,27 +38,21 @@ in {
server-ip = host-internal-ip; server-ip = host-internal-ip;
}; };
fudo.slynk = {
enable = true;
};
networking = { networking = {
hostName = hostname; hostName = hostname;
# defaultGateway = local-gateway;
nameservers = [ host-internal-ip ]; nameservers = [ host-internal-ip ];
# Turn off for hypervisor: dhcp by default everywhere is a fuckin pain.
#dhcpcd.enable = true;
# Create a bridge for VMs to use # Create a bridge for VMs to use
macvlans = { macvlans = {
intif0 = { intif0 = {
interface = "eno1"; interface = "eno1";
mode = "bridge"; mode = "bridge";
}; };
# extif0 = {
# interface = "eno2";
# mode = "bridge";
# };
}; };
interfaces = { interfaces = {
@ -73,7 +66,6 @@ in {
eno2.useDHCP = true; eno2.useDHCP = true;
intif0 = { intif0 = {
useDHCP = false; useDHCP = false;
macAddress = "46:54:76:06:f1:10"; macAddress = "46:54:76:06:f1:10";
@ -88,10 +80,6 @@ in {
} }
]; ];
}; };
# extif0 = {
# useDHCP = true;
# };
}; };
nat = { nat = {
@ -114,13 +102,19 @@ in {
]; ];
}; };
# secure-dns = { secure-dns-proxy = {
# enable = true; enable = true;
# port = 9053; port = 3535;
# }; upstream-dns = [
"https://cloudflare-dns.com/dns-query"
# "https://dns.adguard.com/dns-query"
];
bootstrap-dns = "1.1.1.1";
};
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
dnsproxy
libguestfs-with-appliance libguestfs-with-appliance
libvirt libvirt
virtmanager virtmanager
@ -159,9 +153,9 @@ in {
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" "/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
]; ];
# TODO: DNS-over-HTTPS via cloudflared # TODO: DNS-over-HTTPS via cloudflared
extraDockerOptions = [ # extraDockerOptions = [
"--dns=1.1.1.1" # "--dns=1.1.1.1"
]; # ];
}; };
}; };
@ -199,32 +193,32 @@ in {
}; };
}; };
ceph = { # ceph = {
enable = true; # enable = true;
global = { # global = {
clusterName = "sea-data"; # clusterName = "sea-data";
clusterNetwork = "10.0.10.0/24"; # clusterNetwork = "10.0.10.0/24";
fsid = "d443e192-896d-4102-a60f-f8f0777eb2a3"; # fsid = "d443e192-896d-4102-a60f-f8f0777eb2a3";
monHost = "10.0.10.2"; # monHost = "10.0.10.2";
monInitialMembers = "mon-1"; # monInitialMembers = "mon-1";
publicNetwork = "10.0.0.0/22"; # publicNetwork = "10.0.0.0/22";
}; # };
mds = { # mds = {
enable = true; # enable = true;
daemons = ["srv-2"]; # daemons = ["srv-2"];
}; # };
mgr = { # mgr = {
enable = true; # enable = true;
daemons = ["srv-2"]; # daemons = ["srv-2"];
}; # };
mon = { # mon = {
enable = true; # enable = true;
daemons = ["srv-2"]; # daemons = ["srv-2"];
}; # };
}; # };
}; };
} }
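Review bot: The new `secure-dns-proxy` block in the `@ -114,13 +102,19 @@` hunk sets only `port`, `upstream-dns` and `bootstrap-dns`, so `listen-ips` falls back to the module's `["0.0.0.0"]` default; on this host the Seattle site profile has `firewall.enable = false` and `eno2` takes a DHCP address, so port 3535 becomes a resolver reachable from whatever network `eno2` is attached to. Pin it to the internal side with `listen-ips = [ host-internal-ip "127.0.0.1" ];`. In the `@ -1,9 +1,8 @@` hunk `hostname` is shortened from `"nostromo.sea.fudo.org"` to `"nostromo"` while the seattle.nix comment carried in this same commit says Kerberos needs the full reverse-lookup name of the server; presumably `networking.domain` now supplies the rest, but that is worth confirming against the Kerberos principal. The attribute set enclosing the `secure-dns-proxy` block starts outside the hunk.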

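--- a/hosts/procul.nix
+++ b/hosts/procul.nix
@@ -0,0 +1,89 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+hostname = "procul";
+mail-hostname = hostname;
+host_ipv4 = "172.86.179.18";
+all-hostnames = [];
+acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
+acme-certificate = hostname: "/var/lib/acme/${hostname}/fullchain.pem";
+acme-ca = "/etc/nixos/static/letsencryptauthorityx3.pem";
+fudo-ca = "/etc/nixos/static/fudo_ca.pem";
+in {
+boot.loader.grub = {
+enable = true;
+version = 2;
+device = "/dev/sdb";
+};
+imports = [
+../hardware-configuration.nix
+../defaults.nix
+];
+fudo.common = {
+# Sets some server-common settings. See /etc/nixos/fudo/profiles/...
+profile = "server";
+# Sets some common site-specific settings: gateway, monitoring, etc. See /etc/nixos/fudo/sites/...
+site = "joes";
+local-networks = [
+"172.86.179.18/29"
+"208.81.1.128/28"
+"208.81.3.112/28"
+"172.17.0.0/16"
+"127.0.0.0/8"
+];
+};
+environment.systemPackages = with pkgs; [
+multipath-tools
+];
+# Not all users need access to procul; don't allow LDAP-user access.
+fudo.authentication.enable = false;
+# TODO: not used yet
+fudo.acme.hostnames = all-hostnames;
+networking = {
+hostName = hostname;
+dhcpcd.enable = false;
+useDHCP = false;
+# TODO: fix IPv6
+enableIPv6 = true;
+# Create a bridge for VMs to use
+macvlans = {
+extif0 = {
+interface = "enp0s25";
+mode = "bridge";
+};
+};
+interfaces = {
+extif0 = {
+# result of:
+# echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+macAddress = "02:e2:b7:db:e8:af";
+ipv4.addresses = [
+{
+address = host_ipv4;
+prefixLength = 29;
+}
+];
+};
+};
+};
+hardware.bluetooth.enable = false;
+}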
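Review bot: `procul` sits on a public /29 (`host_ipv4 = "172.86.179.18"`, `prefixLength = 29`) and selects `site = "joes"`, whose profile in this commit sets `networking.firewall.enable = false`; nothing in this file turns it back on, so every service that listens on the host, including the nginx the site profile enables, is exposed unfiltered. Add a per-host override inside the `networking` block, e.g. `firewall = { enable = true; allowedTCPPorts = [ 80 443 ]; };`, or move the firewall decision out of the site profile altogether. The `let` block also carries bindings nothing below uses (`mail-hostname`, `acme-private-key`, `acme-certificate`, `acme-ca`, `fudo-ca`), and `host_ipv4` breaks the kebab-case used everywhere else in these files (`host-internal-ip` in nostromo); either use them or drop them so the file reads as exactly what it configures.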