hosts/plover: add internal DNS server

This commit is contained in:
Gabriel Arazas 2023-02-06 16:00:56 +08:00
parent d2a272f16b
commit 0086448efa
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC
4 changed files with 54 additions and 27 deletions


@ -114,11 +114,6 @@ in
}; };
}; };
services.resolved = {
enable = true;
dnssec = "true";
};
# All of the keys required to deploy the secrets. # All of the keys required to deploy the secrets.
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";


@ -5,11 +5,15 @@
# from nixos-generators. # from nixos-generators.
let let
inherit (builtins) toString; inherit (builtins) toString;
inherit (import ./networks.nix) interfaces privateIPv6Prefix; inherit (import ./networks.nix) interfaces preferredInternalTLD privateIPv6Prefix;
# This is just referring to the same interface just with alternative names. # This is just referring to the same interface just with alternative names.
mainEthernetInterfaceNames = [ "ens3" "enp0s3" ]; mainEthernetInterfaceNames = [ "ens3" "enp0s3" ];
internalEthernetInterfaceNames = [ "ens10" "enp0s10" ]; internalEthernetInterfaceNames = [ "ens10" "enp0s10" ];
internalDomains = [
"~${config.networking.domain}.${preferredInternalTLD}"
];
in in
{ {
imports = [ imports = [
@ -50,6 +54,19 @@ in
dhcpcd.enable = false; dhcpcd.enable = false;
}; };
# The internal DNS server of choice.
services.dnsmasq = {
enable = true;
settings.listen-address = with interfaces.internal; [ IPv4.address IPv6.address ];
};
# The main DNS server (not exactly by choice).
services.resolved = {
enable = true;
dnssec = "true";
domains = internalDomains;
};
# The interface configuration is based from the following discussion: # The interface configuration is based from the following discussion:
# https://discourse.nixos.org/t/nixos-on-hetzner-cloud-servers-ipv6/221/ # https://discourse.nixos.org/t/nixos-on-hetzner-cloud-servers-ipv6/221/
systemd.network = { systemd.network = {
@ -68,7 +85,6 @@ in
networkConfig = { networkConfig = {
DHCP = "yes"; DHCP = "yes";
IPForward = true; IPForward = true;
IPMasquerade = "ipv4";
}; };
}; };
@ -85,11 +101,12 @@ in
IPv4.gateway IPv4.gateway
IPv6.gateway IPv6.gateway
]; ];
networkConfig = {
DNS = [ interfaces.internal.IPv4.address ];
Domains = lib.concatStringsSep " " internalDomains;
};
}; };
}; };
}; };
# This is to look out for any errors that will occur for my networking setup
# which is always a possibility.
systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=info";
} }
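Review bot: The dnsmasq block at the top of this hunk sets only `listen-address`; without `bind-interfaces` dnsmasq binds the wildcard 0.0.0.0:53 and merely filters by destination address, which both competes with the systemd-resolved stub listener enabled a few lines below and leaves port 53 bound on every interface at the socket level. Adding `settings.bind-interfaces = true;` restricts the bind to the two internal addresses listed. Nothing in the hunk also tells dnsmasq which zone it owns: an internal name with no `address` entry presumably falls through to the upstream taken from /etc/resolv.conf, which under resolved is the 127.0.0.53 stub, and the `~domain` routing on the internal link would hand that query straight back to dnsmasq; `settings.local = [ "/${config.networking.domain}.${preferredInternalTLD}/" ];` makes dnsmasq answer such names locally instead of forwarding. If exposure of port 53 is meant to be handled by firewall rules elsewhere, a comment saying so next to `listen-address` would help the next reader.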


@ -6,7 +6,7 @@
let let
inherit (import ../hardware/networks.nix) preferredInternalTLD interfaces; inherit (import ../hardware/networks.nix) preferredInternalTLD interfaces;
atuinDomain = "atuin.${config.networking.domain}.${preferredInternalTLD}"; atuinInternalDomain = "atuin.${config.networking.domain}.${preferredInternalTLD}";
host = interfaces.internal.IPv4.address; host = interfaces.internal.IPv4.address;
in in
{ {
@ -31,8 +31,11 @@ in
''; '';
}; };
# Attaching the domain name to the DNS server.
services.dnsmasq.settings.address = [ "/${atuinInternalDomain}/${host}" ];
# Putting it altogether in the reverse proxy of choice. # Putting it altogether in the reverse proxy of choice.
services.nginx.virtualHosts."${atuinDomain}" = { services.nginx.virtualHosts."${atuinInternalDomain}" = {
locations."/" = { locations."/" = {
proxyPass = "http://${host}:${toString config.services.atuin.port}"; proxyPass = "http://${host}:${toString config.services.atuin.port}";
}; };
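Review bot: The new `address` entry makes `atuinInternalDomain` resolvable for internal clients, yet the vhost it points to shows no `forceSSL` or TLS setting within the hunk and proxies atuin over plain HTTP; if nothing outside the hunk adds TLS, atuin sync tokens would cross the internal network in cleartext. Either configure TLS for the internal name or record the trust assumption, e.g. `# Internal-only name: served over plain HTTP on the internal interface by design.` placed above the `virtualHosts` line. The `virtualHosts` attribute set continues outside the hunk, so the TLS status cannot be confirmed from here.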


@ -2,9 +2,10 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (import ../hardware/networks.nix) interfaces; inherit (import ../hardware/networks.nix) preferredInternalTLD interfaces;
authDomain = "auth.${config.networking.domain}"; authDomain = "auth.${config.networking.domain}";
authInternalDomain = "auth.${config.networking.domain}.${preferredInternalTLD}";
# This is also set on our own. # This is also set on our own.
keycloakUser = config.services.keycloak.database.username; keycloakUser = config.services.keycloak.database.username;
@ -68,20 +69,31 @@ in
]; ];
}; };
# Attaching it to the reverse proxy of choice. # Attach an domain name to the DNS server.
services.nginx.virtualHosts."${authDomain}" = { services.dnsmasq.settings.address = [ "/${authInternalDomain}/${host}" ];
forceSSL = true;
enableACME = true;
# This is based from the reverse proxy guide from the official # Attaching it to the reverse proxy of choice.
# documentation at https://www.keycloak.org/server/reverseproxy. services.nginx.virtualHosts = {
locations = let "${authDomain}" = {
keycloakPath = path: "http://${host}:${toString config.services.keycloak.settings.http-port}"; forceSSL = true;
in enableACME = true;
lib.listToAttrs
(lib.lists.map # This is based from the reverse proxy guide from the official
(appPath: lib.nameValuePair appPath { proxyPass = keycloakPath appPath; }) # documentation at https://www.keycloak.org/server/reverseproxy.
[ "/js/" "/realms/" "/resources/" "/robots.txt" ]); locations = let
keycloakPath = path: "http://${host}:${toString config.services.keycloak.settings.http-port}";
in
lib.listToAttrs
(lib.lists.map
(appPath: lib.nameValuePair appPath { proxyPass = keycloakPath appPath; })
[ "/js/" "/realms/" "/resources/" "/robots.txt" ]);
};
"${authInternalDomain}" = {
locations."/" = {
proxyPass = "http://${host}:${toString config.services.keycloak.settings.http-port}";
};
};
}; };
# Configuring fail2ban for this services which is only present as a neat # Configuring fail2ban for this services which is only present as a neat