From 0086448efa58ca6902a753428ea8b4385662d457 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Mon, 6 Feb 2023 16:00:56 +0800
Subject: [PATCH] hosts/plover: add internal DNS server
---
 hosts/plover/default.nix | 5 ---
 .../modules/hardware/hetzner-cloud-cx21.nix | 29 +++++++++++---
 hosts/plover/modules/services/atuin.nix | 7 +++-
 hosts/plover/modules/services/keycloak.nix | 40 ++++++++++++-------
 4 files changed, 54 insertions(+), 27 deletions(-)
diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index 69c18390..8b3a0e33 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@@ -114,11 +114,6 @@ in
 };
 };
 
- services.resolved = {
- enable = true;
- dnssec = "true";
- };
-
 # All of the keys required to deploy the secrets.
 sops.age.keyFile = "/var/lib/sops-nix/key.txt";
 
diff --git a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
index d7e5b5c0..e18da6e9 100644
--- a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
+++ b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
@@ -5,11 +5,15 @@
 # from nixos-generators.
 let
 inherit (builtins) toString;
- inherit (import ./networks.nix) interfaces privateIPv6Prefix;
+ inherit (import ./networks.nix) interfaces preferredInternalTLD privateIPv6Prefix;
 
 # This is just referring to the same interface just with alternative names.
 mainEthernetInterfaceNames = [ "ens3" "enp0s3" ];
 internalEthernetInterfaceNames = [ "ens10" "enp0s10" ];
+
+ internalDomains = [
+ "~${config.networking.domain}.${preferredInternalTLD}"
+ ];
 in
 {
 imports = [
@@ -50,6 +54,19 @@ in
 dhcpcd.enable = false;
 };
 
+ # The internal DNS server of choice.
+ services.dnsmasq = {
+ enable = true;
+ settings.listen-address = with interfaces.internal; [ IPv4.address IPv6.address ];
+ };
+
+ # The main DNS server (not exactly by choice).
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = internalDomains;
+ };
+
 # The interface configuration is based from the following discussion:
 # https://discourse.nixos.org/t/nixos-on-hetzner-cloud-servers-ipv6/221/
 systemd.network = {
@@ -68,7 +85,6 @@ in
 networkConfig = {
 DHCP = "yes";
 IPForward = true;
- IPMasquerade = "ipv4";
 };
 };
 
@@ -85,11 +101,12 @@ in
 IPv4.gateway
 IPv6.gateway
 ];
+
+ networkConfig = {
+ DNS = [ interfaces.internal.IPv4.address ];
+ Domains = lib.concatStringsSep " " internalDomains;
+ };
 };
 };
 };
-
- # This is to look out for any errors that will occur for my networking setup # which is always a possibility.
- systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=info";
 }
diff --git a/hosts/plover/modules/services/atuin.nix b/hosts/plover/modules/services/atuin.nix
index 3ee80bbf..e7a26d4e 100644
--- a/hosts/plover/modules/services/atuin.nix
+++ b/hosts/plover/modules/services/atuin.nix
@@ -6,7 +6,7 @@ let
 inherit (import ../hardware/networks.nix) preferredInternalTLD interfaces;
 
- atuinDomain = "atuin.${config.networking.domain}.${preferredInternalTLD}";
+ atuinInternalDomain = "atuin.${config.networking.domain}.${preferredInternalTLD}";
 host = interfaces.internal.IPv4.address;
 in
 {
@@ -31,8 +31,11 @@ in
 '';
 };
 
+ # Attaching the domain name to the DNS server.
+ services.dnsmasq.settings.address = [ "/${atuinInternalDomain}/${host}" ];
+
 # Putting it altogether in the reverse proxy of choice.
- services.nginx.virtualHosts."${atuinDomain}" = {
+ services.nginx.virtualHosts."${atuinInternalDomain}" = {
 locations."/" = {
 proxyPass = "http://${host}:${toString config.services.atuin.port}";
 };
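Review bot: The `services.dnsmasq` block at the top of the `@@ -50,6 +54,19 @@` hunk sets `settings.listen-address` but not `bind-interfaces`, and dnsmasq's default is to bind the wildcard address and merely discard queries arriving on other addresses; on this host that keeps port 53 bound on the public interface as well, and it is likely to collide with the systemd-resolved stub listener on 127.0.0.53:53 that the `services.resolved` block a few lines further down enables. Adding `settings.bind-interfaces = true;` restricts the sockets to the two internal addresses actually listed. Separately, `dnssec = "true"` is strict validation, while the new `domains = internalDomains;` routes lookups for a private TLD to dnsmasq, which cannot produce signed answers for it; resolved will probably treat those answers as bogus, so `dnssec = "allow-downgrade"` or a negative trust anchor for the internal domain looks necessary — worth confirming with `resolvectl query` on a name served by dnsmasq. The enclosing module attribute set starts and ends outside this hunk.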
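Review bot: The new `services.nginx.virtualHosts."${atuinInternalDomain}"` vhost in the `@@ -31,8 +31,11 @@` hunk carries no `listen` entry, so it inherits nginx's default of listening on every address; nginx selects a vhost by the Host header alone, so the atuin sync API is served over plain HTTP on the public interface to any client that sends that header, and the dnsmasq `address` mapping added above it only affects name resolution, not access. Pinning the vhost to the internal address, e.g. `listen = [ { addr = host; port = 80; } ];`, keeps it on the private network that `host` (the `interfaces.internal.IPv4.address` binding visible in the first hunk) already refers to. The `"${authInternalDomain}"` vhost added in keycloak.nix has the same shape and the same gap. If exposure beyond the internal interface is intended, a one-line comment on the vhost saying so would stop the next reader from filing this again.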
diff --git a/hosts/plover/modules/services/keycloak.nix b/hosts/plover/modules/services/keycloak.nix
index 9caaa429..9aff1924 100644
--- a/hosts/plover/modules/services/keycloak.nix
+++ b/hosts/plover/modules/services/keycloak.nix
@@ -2,9 +2,10 @@
 { config, lib, pkgs, ... }:
 
 let
- inherit (import ../hardware/networks.nix) interfaces;
+ inherit (import ../hardware/networks.nix) preferredInternalTLD interfaces;
 authDomain = "auth.${config.networking.domain}";
+ authInternalDomain = "auth.${config.networking.domain}.${preferredInternalTLD}";
 
 # This is also set on our own.
 keycloakUser = config.services.keycloak.database.username;
 
@@ -68,20 +69,31 @@ in
 ];
 };
 
- # Attaching it to the reverse proxy of choice.
- services.nginx.virtualHosts."${authDomain}" = {
- forceSSL = true;
- enableACME = true;
+ # Attach an domain name to the DNS server.
+ services.dnsmasq.settings.address = [ "/${authInternalDomain}/${host}" ];
 
- # This is based from the reverse proxy guide from the official
- # documentation at https://www.keycloak.org/server/reverseproxy.
- locations = let
- keycloakPath = path: "http://${host}:${toString config.services.keycloak.settings.http-port}";
- in
- lib.listToAttrs
- (lib.lists.map
- (appPath: lib.nameValuePair appPath { proxyPass = keycloakPath appPath; })
- [ "/js/" "/realms/" "/resources/" "/robots.txt" ]);
+ # Attaching it to the reverse proxy of choice.
+ services.nginx.virtualHosts = {
+ "${authDomain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ # This is based from the reverse proxy guide from the official
+ # documentation at https://www.keycloak.org/server/reverseproxy.
+ locations = let
+ keycloakPath = path: "http://${host}:${toString config.services.keycloak.settings.http-port}";
+ in
+ lib.listToAttrs
+ (lib.lists.map
+ (appPath: lib.nameValuePair appPath { proxyPass = keycloakPath appPath; })
+ [ "/js/" "/realms/" "/resources/" "/robots.txt" ]);
+ };
+
+ "${authInternalDomain}" = {
+ locations."/" = {
+ proxyPass = "http://${host}:${toString config.services.keycloak.settings.http-port}";
+ };
+ };
 };
 
 # Configuring fail2ban for this services which is only present as a neat
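Review bot: The new `"${authInternalDomain}"` vhost proxies `locations."/"` wholesale, whereas the `"${authDomain}"` vhost right above it deliberately exposes only `/js/`, `/realms/`, `/resources/` and `/robots.txt` as the linked Keycloak reverse-proxy guide recommends; everything else on the Keycloak listener, including the admin console, is now reachable through the internal name, and since nginx picks a vhost by Host header alone that holds for any client that can reach port 80 on this host, not just ones that resolve the name via dnsmasq. If the wider path set is intended for the private network, a short comment on the vhost saying so plus a `listen` restricted to `host` would make that explicit; otherwise hoisting the `locations` attribute set into the `let` block and using it for both vhosts keeps the two in step. Minor: the added comment `# Attach an domain name to the DNS server.` should read `# Attach a domain name to the DNS server.`. The `services.nginx.virtualHosts` set closes inside this hunk, but the enclosing module attribute set starts and ends outside it.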