

Server setup fixes
KubqoA committed Oct 25, 2024
1 parent dd32aa1 commit 3a5d75d
Showing 5 changed files with 50 additions and 49 deletions.
10 changes: 5 additions & 5 deletions hosts/organ/default.nix
Expand Up @@ -19,7 +19,7 @@
++ lib._.moduleImports [
"common/nix"
"common/packages"
# "server/dns"
"server/dns"
"server/tailscale"
];

Expand All @@ -28,7 +28,7 @@
boot = {
loader = {
systemd-boot.enable = true;
systemd-boot.configurationLimit = 5;
systemd-boot.configurationLimit = 10;
efi.canTouchEfiVariables = true;
};
initrd.kernelModules = ["virtio_gpu"];
Expand All @@ -38,11 +38,11 @@
time.timeZone = "Europe/Prague";

server = {
# dns.zones."jakubarbet.me" = ./dns/jakubarbet.me.zone;
dns.zones."jakubarbet.me" = ./dns/jakubarbet.me.zone;
tailscale = {
tailnet = "ide-vega.ts.net";
tailscaleIpv4 = "100.67.2.27";
tailscaleIpv6 = "fd7a:115c:a1e0::f101:21b";
tailscaleIpv4 = "100.71.111.38";
tailscaleIpv6 = "fd7a:115c:a1e0::2901:6f29";
authKeyFile = config.age.secrets.organ-tailscale-auth-key.path;
};
};
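Review bot: The new `tailscaleIpv4`/`tailscaleIpv6` values carry no note on where they come from, and they changed in the same commit as every public address in the zone file, which reads like a re-provisioned node whose tailnet assignment changed too. A one-line comment would spare the next reader a lookup, e.g. `# addresses presumably assigned to this node by the tailnet; re-check after re-registering the machine` above `tailscaleIpv4`. The `server` attribute set continues outside the hunk.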
31 changes: 16 additions & 15 deletions hosts/organ/dns/jakubarbet.me.zone
Expand Up @@ -6,10 +6,11 @@ $TTL 3600
1209600 ;expire
3600 ) ;minimum

@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
@ IN NS ns4.he.net.
@ IN NS ns3.he.net.
@ IN NS ns2.he.net.
@ IN NS ns1.he.net.

; Github pages hosting
@ IN A 185.199.108.153
Expand All @@ -23,19 +24,19 @@ $TTL 3600
www IN CNAME kubqoa.github.io.
_github-pages-challenge-kubqoa IN TXT 4594a706967b6a5dc0f2924da639ee

organ IN A 116.203.250.61
organ IN AAAA 2a01:4f8:c012:58f4::
git IN A 116.203.250.61
git IN AAAA 2a01:4f8:c012:58f4::
drive IN A 116.203.250.61
drive IN AAAA 2a01:4f8:c012:58f4::
organ IN A 116.202.110.124
organ IN AAAA 2a01:4f8:c013:5899::
git IN A 116.202.110.124
git IN AAAA 2a01:4f8:c013:5899::
drive IN A 116.202.110.124
drive IN AAAA 2a01:4f8:c013:5899::

@ IN CAA 0 iodef mailto:[email protected]
@ IN CAA 0 issue letsencrypt.org

; Mail related settings
mail IN A 116.203.250.61
mail IN AAAA 2a01:4f8:c012:58f4::
mail IN A 116.202.110.124
mail IN AAAA 2a01:4f8:c013:5899::
email IN CNAME eu.mailgun.org.
@ IN MX 10 mail.jakubarbet.me.
@ IN TXT "v=spf1 include:mailgun.org ~all"
Expand All @@ -47,10 +48,10 @@ mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "


; Mail autoconfig
autoconfig IN A 116.203.250.61
autoconfig IN AAAA 2a01:4f8:c012:58f4::
autodiscover IN A 116.203.250.61
autodiscover IN AAAA 2a01:4f8:c012:58f4::
autoconfig IN A 116.202.110.124
autoconfig IN AAAA 2a01:4f8:c013:5899::
autodiscover IN A 116.202.110.124
autodiscover IN AAAA 2a01:4f8:c013:5899::
_imap._tcp IN SRV 5 0 143 mail.jakubarbet.me.
_imaps._tcp IN SRV 5 0 993 mail.jakubarbet.me.
_submission._tcp IN SRV 5 0 587 mail.jakubarbet.me.
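Review bot: The same address pair now appears six times (`organ`, `git`, `drive`, `mail`, `autoconfig`, `autodiscover`), so the next renumbering is again a six-place edit; `git`, `drive`, `autoconfig` and `autodiscover` could be `IN CNAME organ` so that only `organ` carries the literal addresses, while `mail` must stay A/AAAA because it is the MX target and an MX must not point at a CNAME. Separately, `mail` now resolves to the new address while the SPF record a few lines below still lists only `include:mailgun.org ~all`; if that host sends outbound mail itself rather than relaying through Mailgun, its address is not authorised and receivers will soft-fail it, in which case `mx` belongs in the SPF record. If `ns1.he.net.` is the newly added NS entry, confirm the delegation at the registrar lists the same set.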
6 changes: 3 additions & 3 deletions modules/server/dns/default.nix
Expand Up @@ -40,7 +40,7 @@
"dns-dnssec-${zoneName}".text = ''
mkdir -p /etc/named
# Generate DNSSEC key if it doesn't exist
if ls /etc/named/K${zoneName}*.key >/dev/null 2>/dev/null; then
if ! ls /etc/named/K${zoneName}*.key >/dev/null 2>/dev/null; then
echo "[dns-dnssec] Generating DNSSEC key for ${zoneName}"
${pkgs.bind}/bin/dnssec-keygen -a NSEC3RSASHA1 -b 2048 -K /etc/named -n ZONE "${zoneName}" 2>/dev/null
${pkgs.bind}/bin/dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -K /etc/named -n ZONE "${zoneName}" 2>/dev/null
Expand All @@ -50,8 +50,8 @@
deps = ["dns-dnssec-${zoneName}"];
text =
builtins.replaceStrings
["cmp" "dnssec-signzone" "named-checkzone" "sed" "$ZONE" "$ZONE_PATH"]
["${pkgs.diffutils}/bin/cmp" "${pkgs.bind}/bin/dnssec-keygen" "${pkgs.bind}/bin/named-checkzone" "${pkgs.gnused}/bin/sed" "${zoneName}" "${zoneFile}"]
["cmp" "dnssec-signzone" "named-checkzone" "sed" "$ZONE_NAME" "$ZONE_FILE"]
["${pkgs.diffutils}/bin/cmp" "${pkgs.bind}/bin/dnssec-signzone" "${pkgs.bind}/bin/named-checkzone" "${pkgs.gnused}/bin/sed" "${zoneName}" "${zoneFile}"]
(builtins.readFile ./increment-and-sign-zone.sh);
};
};
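Review bot: With the inverted `ls` test the key-generation branch is now actually reachable, so the algorithm on the two `dnssec-keygen` lines it guards matters: `NSEC3RSASHA1` (algorithm 7) is SHA-1 based and listed as NOT RECOMMENDED for signing in RFC 8624, and newer BIND builds on platforms where SHA-1 signing is disabled may refuse it. Prefer `-a ECDSAP256SHA256` (no `-b` needed for an ECDSA key), e.g. `dnssec-keygen -a ECDSAP256SHA256 -K /etc/named -n ZONE "${zoneName}"` and the same with `-f KSK`; an algorithm change is a DS change, so the DS records the script prints must be re-submitted at the registrar. In the second hunk the placeholder tokens `"cmp"` and `"sed"` are replaced as bare substrings anywhere in the script, which works today but silently breaks the first time a word containing them is added; a distinctive marker such as `@cmp@` would be safer. The enclosing attribute set continues outside both hunks.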
50 changes: 25 additions & 25 deletions modules/server/dns/increment-and-sign-zone.sh
Expand Up @@ -22,30 +22,30 @@ increment_serial() {
echo $new_serial
}

if [ -f "/etc/named/$ZONE.zone.orig" ] && $(cmp -s "$ZONE_PATH" "/etc/named/$ZONE.zone.orig"); then
echo "[dnssec] Zone $ZONE not changed"
exit
fi

cd /etc/named
current_serial="0000000000"
if [ -f "/etc/named/$ZONE.zone" ]; then
current_serial=$(named-checkzone "$ZONE" "/etc/named/$ZONE.zone" | egrep -ho '[0-9]{10}')
if [ -f "/etc/named/$ZONE_NAME.zone.orig" ] && $(cmp -s "$ZONE_FILE" "/etc/named/$ZONE_NAME.zone.orig"); then
echo "[dnssec] Zone $ZONE_NAME not changed"
else
cd /etc/named
current_serial="0000000000"
if [ -f "/etc/named/$ZONE_NAME.zone" ]; then
current_serial=$(named-checkzone "$ZONE_NAME" "/etc/named/$ZONE_NAME.zone" | egrep -ho '[0-9]{10}')
fi
new_serial=$(increment_serial $current_serial)

cp "$ZONE_FILE" "/etc/named/$ZONE_NAME.zone"
cp "/etc/named/$ZONE_NAME.zone"{,.orig}
sed -i "s/\$SERIAL/$new_serial/" "$ZONE_NAME.zone"
echo "[dnssec] Zone $ZONE_NAME with serial $new_serial"

for key in `ls K$ZONE_NAME*.key`
do
echo "\$INCLUDE $key">> "$ZONE_NAME.zone"
done

echo "[dnssec] Signing zone"
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o "$ZONE_NAME" -t "$ZONE_NAME.zone" >/dev/null

echo "[dnssec] Please set the following DS records at the registrar"
cat "dsset-$ZONE_NAME."
fi
new_serial=$(increment_serial $current_serial)

cp "$ZONE_PATH" "/etc/named/$ZONE.zone"
cp "/etc/named/$ZONE.zone"{,.orig}
sed -i "s/\$SERIAL/$new_serial/" "$ZONE.zone"
echo "[dnssec] Zone $ZONE with serial $new_serial"

for key in `ls K$ZONE*.key`
do
echo "\$INCLUDE $key">> "$ZONE.zone"
done

echo "[dnssec] Signing zone"
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o "$ZONE" -t "$ZONE.zone" >/dev/null

echo "[dnssec] Please set the following DS records at the registrar"
cat "dsset-$ZONE."
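Review bot: The early-out on the first line of the new block skips re-signing whenever the zone file is unchanged, but the RRSIGs `dnssec-signzone` produces expire (30 days after signing by default, since no `-e` is given), so a zone that is not edited for a month validates as bogus unless something not shown here re-signs it; the skip should additionally require that the signed output is fresh, e.g. `&& [ -f "/etc/named/$ZONE_NAME.zone.signed" ] && [ -z "$(find "/etc/named/$ZONE_NAME.zone.signed" -mtime +20)" ]`, or signing should be handed to named's own maintenance. `$(cmp -s …)` used as a command only works because an empty command returns the status of its last substitution; write it as `&& cmp -s "$ZONE_FILE" "/etc/named/$ZONE_NAME.zone.orig"; then`. `for key in \`ls K$ZONE_NAME*.key\`` should be the plain glob `for key in K$ZONE_NAME*.key`, and `egrep` is the deprecated spelling of `grep -E`. `-A` on the `dnssec-signzone` call sets NSEC3 opt-out, which only has meaning for zones with unsigned delegations; confirm it is intended here rather than copied. `increment_serial` starts before the hunk.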
2 changes: 1 addition & 1 deletion modules/server/tailscale.nix
Expand Up @@ -48,12 +48,12 @@ with lib; {
authKeyFile = config.server.tailscale.authKeyFile;
useRoutingFeatures = "server";
openFirewall = true;
extraUpFlags = ["--advertiseTags tag:ssh"];
extraSetFlags = [
"--ssh"
"--advertise-exit-node" # offer to be exit node internet traffic for tailnet
"--advertise-connector" # offer to be app connector for domain specific internet traffic for tailnet
];
extraUpFlags = ["--ssh" "--advertise-exit-node" "--advertise-connector"];
};
};

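Review bot: Reading the three-flag list as the new side, `extraUpFlags` now repeats `extraSetFlags` verbatim while the comments explaining the flags live only on the `set` list; if both are really required (the `up`/`set` split is not explained here), bind the list once, e.g. `let nodeFlags = ["--ssh" "--advertise-exit-node" "--advertise-connector"]; in`, reference it from both, and keep the comments with the definition. These flags are security-relevant — `--ssh` moves SSH authorization from sshd to the tailnet policy, and the two `--advertise-*` flags offer this host as a traffic forwarder for the tailnet subject to approval — so a comment naming where that policy/approval is managed would help the next reader. The attribute set continues outside the hunk.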
