diff --git a/home/modules/seven/default.nix b/home/modules/seven/default.nix
deleted file mode 100644
index 67e1168..0000000
--- a/home/modules/seven/default.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ config, lib, ... }:
-
-let
- cfg = config.custom.seven;
-in
-{
- imports = [ ./seven-ntfy.nix ];
-
- options = {
- custom.seven = {
- enable = lib.mkEnableOption (lib.mdDoc "Seven");
- ssh.enable = lib.mkEnableOption (lib.mdDoc "Seven SSH");
- };
- };
-
- config = lib.mkIf cfg.enable {
- programs.ssh.extraConfig = lib.mkIf cfg.ssh.enable ''
- Host *.factory.secunet.com
- User fschroeter
- '';
- };
-}
diff --git a/home/modules/seven/ntfy.nix b/home/modules/seven/ntfy.nix
deleted file mode 100644
index d4b54a9..0000000
--- a/home/modules/seven/ntfy.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}:
-
-let
- cfg = config.custom.seven.ntfy;
-in
-{
- options = {
- custom.seven.ntfy = {
- enable = lib.mkEnableOption (lib.mdDoc "ntfy service for seven");
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.user = {
- services.ntfy = {
- Unit = {
- Description = "ntfy alert scubscription";
- After = "network-online.target";
- PartOf = [ "graphical-session.target" ];
- };
- Service =
- let
- topic = "https://grafana.factory.secunet.com/ntfy/alerts";
- notify-send = lib.getExe pkgs.libnotify;
- in
- {
- Environment = "PATH=${pkgs.bash}/bin:\${PATH}";
- ExecStart = "${pkgs.ntfy-sh}/bin/ntfy sub ${topic} '${notify-send} \"$t\" \"$m\"'";
- Restart = "always";
- };
- Install.WantedBy = [ "default.target" ];
- };
- };
- };
-}
diff --git a/hosts/home-server/default.nix b/hosts/home-server/default.nix
index 3080828..a5a4471 100644
--- a/hosts/home-server/default.nix
+++ b/hosts/home-server/default.nix
@@ -24,7 +24,6 @@ in
 ../../virtualisation/containers.nix
 ../../virtualisation/podman.nix
 ../../modules/inadyn.nix
- ../../services/adguardhome.nix
 ../../modules/systemdNotify.nix
 ../../services/postgres
 ../../services/mail.nix
@@ -88,7 +87,6 @@ in
 ''}";
 services.inadyn.domains = [
 "felschr.com"
- "dns.felschr.com"
 "openpgpkey.felschr.com"
 "ldap.felschr.com"
 "auth.felschr.com"
diff --git a/modules/wg0.nix b/modules/wg0.nix
deleted file mode 100644
index 1ebcdfe..0000000
--- a/modules/wg0.nix
+++ /dev/null
@@ -1,67 +0,0 @@
-{ config, lib, ... }:
-
-let
- cfg = config.custom.wg0;
-in
-{
- options = {
- custom.wg0 = {
- enable = lib.mkEnableOption (lib.mdDoc "Wireguard config");
-
- addresses = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- description = "IP addresses for this machine within VPN.";
- };
-
- privateKeyFile = lib.mkOption {
- type = lib.types.str;
- example = "/path/to/secret.key";
- description = "Private key file.";
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- age.secrets.wireguard-home-pc-key = {
- file = ../secrets/wireguard/home-pc.key.age;
- owner = "systemd-network";
- };
- age.secrets.wireguard-cmdframe-key = {
- file = ../secrets/wireguard/cmdframe.key.age;
- owner = "systemd-network";
- };
-
- systemd.network = {
- enable = true;
- # TODO cannot push this to public git like this
- netdevs."40-wg0" = {
- netdevConfig = {
- Kind = "wireguard";
- Name = "wg0";
- MTUBytes = "1280";
- };
- wireguardConfig = {
- PrivateKeyFile = cfg.privateKeyFile;
- };
- wireguardPeers = [
- {
- PublicKey = "ZVayNyJeOn848aus5bqYU2ujNxvnYtV3ACoerLtDpg8=";
- AllowedIPs = [
- "198.18.0.0/15"
- "fd00:5ec::/48"
- ];
- # TODO remove endpoint from config
- Endpoint = "gateway.seven.secunet.com:51821";
- }
- ];
- };
- networks."40-wg0" = {
- matchConfig.Name = "wg0";
- address = cfg.addresses;
- networkConfig = {
- IPMasquerade = "ipv4";
- };
- };
- };
- };
-}
diff --git a/secrets/wireguard/cmdframe.key.age b/secrets/wireguard/cmdframe.key.age
deleted file mode 100644
index 81f1bfa..0000000
--- a/secrets/wireguard/cmdframe.key.age
+++ /dev/null
@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 OAZQhA yHDlGU8tW/fiMocPl0nldeEEn7NvPDMNCqL9hO7B5VY
-71ZALgVNzj0FJG4wW5qK+0rhF2hMMkkvqOl6wvpI1xo
--> ssh-ed25519 lJaKnA 32vsGauSIeEy8gMq3rOuJV5OOVR/qbNCaJ96gvaYc38
-3f8ZLzGFg4g2XNfUPS+ePMc9AZHMLUjh6y0q2gaRwio
---- PZeKDBBgibYk1Xl5Sd1S38kx322Gi6KnI0lj2NyhFUU
-?y)Sk*gz_E>| J׭*9 haI9p ?(JFx:;1yKP]VQ2J;Y
\ No newline at end of file
diff --git a/secrets/wireguard/home-pc.key.age b/secrets/wireguard/home-pc.key.age
deleted file mode 100644
index 3b761bd..0000000
Binary files a/secrets/wireguard/home-pc.key.age and /dev/null differ
diff --git a/services/adguardhome.nix b/services/adguardhome.nix
deleted file mode 100644
index 2cbe302..0000000
--- a/services/adguardhome.nix
+++ /dev/null
@@ -1,107 +0,0 @@
-{ config, ... }:
-
-let
- cfg = config.services.adguardhome;
- host = "dns.felschr.com";
-in
-{
- services.adguardhome = {
- enable = true;
- settings = {
- dns = {
- upstream_dns = [
- "https://dns.mullvad.net/dns-query"
- ];
- fallback_dns = [
- "https://1.1.1.1/dns-query"
- ];
- enable_dnssec = true;
- };
- # encryption
- tls = {
- enabled = true;
- server_name = host;
- port_https = 0;
- port_dns_over_tls = 853;
- port_dns_over_quic = 853;
- port_dnscrypt = 0;
- force_https = false; # handled by nginx
- allow_unencrypted_doh = true;
- strict_sni_check = false;
- certificate_path = "/run/credentials/adguardhome.service/fullchain.pem";
- private_key_path = "/run/credentials/adguardhome.service/key.pem";
- };
- # HINT: users needs to be set up manually:
- # https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#password-reset
- # users = [ { name = "felschr"; } ];
- querylog = {
- enabled = true;
- interval = "24h";
- };
- statistics = {
- enabled = true;
- interval = "24h";
- };
- filtering = {
- protection_enabled = true;
- filtering_enabled = true;
- safe_search.enabled = true;
- rewrites = [
- {
- domain = "felschr.com";
- answer = "home-server.tail05275.ts.net";
- }
- {
- domain = "*.felschr.com";
- answer = "home-server.tail05275.ts.net";
- }
- ];
- };
- filters = [
- {
- name = "HaGeZi Multi Pro";
- url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.txt";
- enabled = true;
- }
- {
- name = "OISD (Big)";
- url = "https://big.oisd.nl";
- enabled = false;
- }
- {
- name = "AdGuard DNS filter";
- url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
- enabled = false;
- }
- ];
- whitelist_filters = [
- {
- name = "HaGeZi Whitelist-Referral";
- url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-referral.txt";
- enabled = true;
- }
- {
- name = "Hagezi Whitelist-UrlShortener";
- url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-urlshortener.txt";
- enabled = true;
- }
- ];
- };
- };
-
- systemd.services.adguardhome.serviceConfig = {
- LoadCredential = [
- "fullchain.pem:/var/lib/acme/${host}/fullchain.pem"
- "key.pem:/var/lib/acme/${host}/key.pem"
- ];
- };
-
- services.nginx.virtualHosts."${host}" = {
- enableACME = true;
- forceSSL = true;
- locations."/".proxyPass = "http://localhost:${toString cfg.port}";
- };
-
- networking.firewall.allowedTCPPorts = [ 853 ];
- networking.firewall.allowedUDPPorts = [ 853 ];
-}
diff --git a/system/networking.nix b/system/networking.nix
index 3c50fc7..24e8003 100644
--- a/system/networking.nix
+++ b/system/networking.nix
@@ -1,49 +1,24 @@
-{ config, lib, ... }:
+{ config, ... }:
-let
- isAdguardHost = config.services.adguardhome.enable;
- nameservers = {
- local = [
- "127.0.0.1"
- "::1"
- ];
- remote = [
- # LAN
- "192.168.1.102#dns.felschr.com"
- "fd1c:ca95:d74d::102#dns.felschr.com"
-
- # Tailnet
- "100.97.32.60#dns.felschr.com"
- "fd7a:115c:a1e0::a0a1:203c#dns.felschr.com"
- ];
- };
-in
 {
- networking.nameservers = if isAdguardHost then nameservers.local else nameservers.remote;
-
- networking.nftables.enable = true;
- networking.networkmanager = {
- enable = true;
- dns = "systemd-resolved";
- };
-
- systemd.network = {
- enable = true;
- wait-online.ignoredInterfaces = [ "tailscale0" ];
- };
+ networking.nameservers = [
+ "127.0.0.1"
+ "::1"
+ ];
+ networking.networkmanager.dns = "systemd-resolved";
 services.dnsmasq.enable = false;
 services.resolved = {
 enable = true;
- dnsovertls = if isAdguardHost then "opportunistic" else "true";
- fallbackDns = [
- "194.242.2.2#dns.mullvad.net"
- "194.242.2.4#base.dns.mullvad.net"
- "1.1.1.1#one.one.one.one"
- "1.0.0.1#one.one.one.one"
+ # don't use fallback resolvers
+ fallbackDns = [ ];
+ };
+
+ services.nextdns = {
+ enable = true;
+ arguments = [
+ "-config"
+ "b8e2f7"
 ];
- extraConfig = lib.mkIf isAdguardHost ''
- DNSStubListener=no
- '';
 };
 }
diff --git a/system/server.nix b/system/server.nix
index f4cfa1a..2d466a8 100644
--- a/system/server.nix
+++ b/system/server.nix
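Review bot: The NextDNS profile ID is committed in cleartext as `"-config" "b8e2f7"`; a profile ID is all that is needed to send queries through that profile and fill its logs, so it should be treated as a credential and supplied from a secret-managed path (the repo already uses `age.secrets`, as the removed modules/wg0.nix shows; the nextdns CLI, as far as I recall, accepts a `-config-file` path that could point at the decrypted secret) rather than from the module text. The hunk also drops `networking.nftables.enable = true;` together with `networking.networkmanager.enable` and `systemd.network.enable`; unless these moved to a module outside this diff, the nftables ruleset in system/server.nix is no longer loaded and the new `networking.networkmanager.dns` line configures a service that is never enabled. At minimum a comment above `services.nextdns`, e.g. `# profile ID selects the account-bound NextDNS configuration; keep it private`, would record why the value is sensitive.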
@@ -15,14 +15,14 @@ table inet allow-incoming-traffic {
 chain allow-incoming {
 type filter hook input priority -100; policy accept;
- tcp dport {80, 443, 853, 2222} meta mark set 0x80000;
- udp dport {80, 443, 853, 2222} meta mark set 0x80000;
+ tcp dport {80, 443, 2222} meta mark set 0x80000;
+ udp dport {80, 443, 2222} meta mark set 0x80000;
 }
 chain allow-outgoing {
 type route hook output priority -100; policy accept;
- tcp sport {80, 443, 853, 2222} meta mark set 0x80000;
- udp sport {80, 443, 853, 2222} meta mark set 0x80000;
+ tcp sport {80, 443, 2222} meta mark set 0x80000;
+ udp sport {80, 443, 2222} meta mark set 0x80000;
 }
 }
 '';
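Review bot: The port set `{80, 443, 2222}` is now spelled out four times in this hunk (tcp/udp dport in allow-incoming, tcp/udp sport in allow-outgoing), and this commit had to edit all four just to drop 853; a single nftables `define` at the top of the ruleset (outside this hunk), e.g. `define marked_ports = { 80, 443, 2222 }` used as `tcp dport $marked_ports meta mark set 0x80000;`, would keep the four rules from drifting apart the next time a service is added or removed. The enclosing `table inet allow-incoming-traffic` block starts above the hunk, and the Nix string it lives in closes at the `'';` inside it.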