diff --git a/home/modules/seven/default.nix b/home/modules/seven/default.nix
new file mode 100644
index 0000000..67e1168
--- /dev/null
+++ b/home/modules/seven/default.nix
@@ -0,0 +1,22 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.custom.seven;
+in
+{
+ imports = [ ./seven-ntfy.nix ];
+
+ options = {
+ custom.seven = {
+ enable = lib.mkEnableOption (lib.mdDoc "Seven");
+ ssh.enable = lib.mkEnableOption (lib.mdDoc "Seven SSH");
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ programs.ssh.extraConfig = lib.mkIf cfg.ssh.enable ''
+ Host *.factory.secunet.com
+ User fschroeter
+ '';
+ };
+}
diff --git a/home/modules/seven/ntfy.nix b/home/modules/seven/ntfy.nix
new file mode 100644
index 0000000..d4b54a9
--- /dev/null
+++ b/home/modules/seven/ntfy.nix
@@ -0,0 +1,40 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+let
+ cfg = config.custom.seven.ntfy;
+in
+{
+ options = {
+ custom.seven.ntfy = {
+ enable = lib.mkEnableOption (lib.mdDoc "ntfy service for seven");
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.user = {
+ services.ntfy = {
+ Unit = {
+ Description = "ntfy alert scubscription";
+ After = "network-online.target";
+ PartOf = [ "graphical-session.target" ];
+ };
+ Service =
+ let
+ topic = "https://grafana.factory.secunet.com/ntfy/alerts";
+ notify-send = lib.getExe pkgs.libnotify;
+ in
+ {
+ Environment = "PATH=${pkgs.bash}/bin:\${PATH}";
+ ExecStart = "${pkgs.ntfy-sh}/bin/ntfy sub ${topic} '${notify-send} \"$t\" \"$m\"'";
+ Restart = "always";
+ };
+ Install.WantedBy = [ "default.target" ];
+ };
+ };
+ };
+}
diff --git a/hosts/home-server/default.nix b/hosts/home-server/default.nix
index a5a4471..3080828 100644
--- a/hosts/home-server/default.nix
+++ b/hosts/home-server/default.nix
@@ -24,6 +24,7 @@ in
 ../../virtualisation/containers.nix
 ../../virtualisation/podman.nix
 ../../modules/inadyn.nix
+ ../../services/adguardhome.nix
 ../../modules/systemdNotify.nix
 ../../services/postgres
 ../../services/mail.nix
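Review bot: `imports = [ ./seven-ntfy.nix ];` points at a file this commit does not add; the module that defines `custom.seven.ntfy` is created as `home/modules/seven/ntfy.nix`, so evaluating this module will fail on a missing path. Change it to `imports = [ ./ntfy.nix ];` (or rename the new file to match). Separately, `lib.mdDoc` has been a deprecated no-op in recent nixpkgs releases; if the flake tracks a current channel, plain strings in `mkEnableOption` avoid the deprecation warning.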
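Review bot: `Restart = "always"` with no `RestartSec` means a persistently failing subscription (topic unreachable, rejected by the server) restarts every 100 ms until systemd's start-rate limit parks the unit for good; add `RestartSec = 10;` next to it. The quoting in `ExecStart` is the right shape — ntfy's shell expands `$t`/`$m` as environment variables rather than splicing message text into the command — but the notification body still comes verbatim from whoever can publish to that topic, and no credentials are visible here, so it is worth confirming that the grafana ntfy endpoint requires auth to publish. `Description` has a typo: `"ntfy alert subscription"`. I believe user managers normally have no `network-online.target`, so the `After` ordering may be a no-op; verify on the target host.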
@@ -87,6 +88,7 @@ in
 ''}";
 services.inadyn.domains = [
 "felschr.com"
+ "dns.felschr.com"
 "openpgpkey.felschr.com"
 "ldap.felschr.com"
 "auth.felschr.com"
diff --git a/modules/wg0.nix b/modules/wg0.nix
new file mode 100644
index 0000000..1ebcdfe
--- /dev/null
+++ b/modules/wg0.nix
@@ -0,0 +1,67 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.custom.wg0;
+in
+{
+ options = {
+ custom.wg0 = {
+ enable = lib.mkEnableOption (lib.mdDoc "Wireguard config");
+
+ addresses = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ description = "IP addresses for this machine within VPN.";
+ };
+
+ privateKeyFile = lib.mkOption {
+ type = lib.types.str;
+ example = "/path/to/secret.key";
+ description = "Private key file.";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ age.secrets.wireguard-home-pc-key = {
+ file = ../secrets/wireguard/home-pc.key.age;
+ owner = "systemd-network";
+ };
+ age.secrets.wireguard-cmdframe-key = {
+ file = ../secrets/wireguard/cmdframe.key.age;
+ owner = "systemd-network";
+ };
+
+ systemd.network = {
+ enable = true;
+ # TODO cannot push this to public git like this
+ netdevs."40-wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ MTUBytes = "1280";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = cfg.privateKeyFile;
+ };
+ wireguardPeers = [
+ {
+ PublicKey = "ZVayNyJeOn848aus5bqYU2ujNxvnYtV3ACoerLtDpg8=";
+ AllowedIPs = [
+ "198.18.0.0/15"
+ "fd00:5ec::/48"
+ ];
+ # TODO remove endpoint from config
+ Endpoint = "gateway.seven.secunet.com:51821";
+ }
+ ];
+ };
+ networks."40-wg0" = {
+ matchConfig.Name = "wg0";
+ address = cfg.addresses;
+ networkConfig = {
+ IPMasquerade = "ipv4";
+ };
+ };
+ };
+ };
+}
diff --git a/secrets/wireguard/cmdframe.key.age b/secrets/wireguard/cmdframe.key.age
new file mode 100644
index 0000000..81f1bfa
--- /dev/null
+++ b/secrets/wireguard/cmdframe.key.age
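Review bot: Adding `"dns.felschr.com"` to the inadyn list publishes the WAN address under the same name that clients in `system/networking.nix` pin via `IP#dns.felschr.com`, and `services/adguardhome.nix` opens 853/tcp+udp on every interface, so together this advertises the DoT/DoQ resolver to the internet. If the public record exists only so the nginx vhost can pass ACME http-01 for the certificate, say so in a comment here, e.g. `# public A/AAAA needed for ACME; resolver itself is firewalled to LAN/tailnet`, and make sure the firewall actually enforces that.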
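Review bot: Both `age.secrets.wireguard-home-pc-key` and `age.secrets.wireguard-cmdframe-key` are declared unconditionally inside `lib.mkIf cfg.enable`, so every host that enables `custom.wg0` tries to decrypt both key files at activation even though `privateKeyFile` already makes the key a per-host choice; if agenix fails on a secret the host's SSH key cannot decrypt, that breaks activation for any host that is not a recipient of both (the committed `cmdframe.key.age` lists two recipients, so check which hosts they are). Move the `age.secrets.*` declarations next to each host's `custom.wg0.privateKeyFile` assignment. The two `# TODO` comments already say the peer `PublicKey` and `Endpoint` should not live in the public repo; the clean fix is to make them options like `privateKeyFile` so the host configs or a secret supply them, as sketched below. Also note that `IPMasquerade = "ipv4"` on `wg0` turns the machine into a NAT router into the VPN for anything else attached to it — if these are endpoints rather than gateways, drop it or document why forwarding is wanted.

```nix
# … unchanged: enable/addresses/privateKeyFile options …
peer = {
  publicKey = lib.mkOption {
    type = lib.types.str;
    description = "Base64 public key of the WireGuard peer.";
  };
  endpoint = lib.mkOption {
    type = lib.types.nullOr lib.types.str;
    default = null;
    description = "host:port of the peer; null to rely on the peer initiating.";
  };
};
# … unchanged: netdevConfig / wireguardConfig …
wireguardPeers = [
  ({
    PublicKey = cfg.peer.publicKey;
    AllowedIPs = [
      "198.18.0.0/15"
      "fd00:5ec::/48"
    ];
  } // lib.optionalAttrs (cfg.peer.endpoint != null) { Endpoint = cfg.peer.endpoint; })
];
```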
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 OAZQhA yHDlGU8tW/fiMocPl0nldeEEn7NvPDMNCqL9hO7B5VY +71ZALgVNzj0FJG4wW5qK+0rhF2hMMkkvqOl6wvpI1xo +-> ssh-ed25519 lJaKnA 32vsGauSIeEy8gMq3rOuJV5OOVR/qbNCaJ96gvaYc38 +3f8ZLzGFg4g2XNfUPS+ePMc9AZHMLUjh6y0q2gaRwio +--- PZeKDBBgibYk1Xl5Sd1S38kx322Gi6KnI0lj2NyhFUU +?�y)�Sk*����gz�_�E�>| J�*9� �h����aI�9p�?�(�J���F�x:;�1yKP�]VQ2�J;Y�� \ No newline at end of file diff --git a/secrets/wireguard/home-pc.key.age b/secrets/wireguard/home-pc.key.age new file mode 100644 index 0000000..3b761bd Binary files /dev/null and b/secrets/wireguard/home-pc.key.age differ diff --git a/services/adguardhome.nix b/services/adguardhome.nix new file mode 100644 index 0000000..2cbe302 --- /dev/null +++ b/services/adguardhome.nix 
@@ -0,0 +1,107 @@
+{ config, ... }:
+
+let
+ cfg = config.services.adguardhome;
+ host = "dns.felschr.com";
+in
+{
+ services.adguardhome = {
+ enable = true;
+ settings = {
+ dns = {
+ upstream_dns = [
+ "https://dns.mullvad.net/dns-query"
+ ];
+ fallback_dns = [
+ "https://1.1.1.1/dns-query"
+ ];
+ enable_dnssec = true;
+ };
+ # encryption
+ tls = {
+ enabled = true;
+ server_name = host;
+ port_https = 0;
+ port_dns_over_tls = 853;
+ port_dns_over_quic = 853;
+ port_dnscrypt = 0;
+ force_https = false; # handled by nginx
+ allow_unencrypted_doh = true;
+ strict_sni_check = false;
+ certificate_path = "/run/credentials/adguardhome.service/fullchain.pem";
+ private_key_path = "/run/credentials/adguardhome.service/key.pem";
+ };
+ # HINT: users needs to be set up manually:
+ # https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#password-reset
+ # users = [ { name = "felschr"; } ];
+ querylog = {
+ enabled = true;
+ interval = "24h";
+ };
+ statistics = {
+ enabled = true;
+ interval = "24h";
+ };
+ filtering = {
+ protection_enabled = true;
+ filtering_enabled = true;
+ safe_search.enabled = true;
+ rewrites = [
+ {
+ domain = "felschr.com";
+ answer = "home-server.tail05275.ts.net";
+ }
+ {
+ domain = "*.felschr.com";
+ answer = "home-server.tail05275.ts.net";
+ }
+ ];
+ };
+ filters = [
+ {
+ name = "HaGeZi Multi Pro";
+ url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.txt";
+ enabled = true;
+ }
+ {
+ name = "OISD (Big)";
+ url = "https://big.oisd.nl";
+ enabled = false;
+ }
+ {
+ name = "AdGuard DNS filter";
+ url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
+ enabled = false;
+ }
+ ];
+ whitelist_filters = [
+ {
+ name = "HaGeZi Whitelist-Referral";
+ url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-referral.txt";
+ enabled = true;
+ }
+ {
+ name = "Hagezi Whitelist-UrlShortener";
+ url = "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-urlshortener.txt";
+ enabled = true;
+ }
+ ];
+ };
+ };
+
+ systemd.services.adguardhome.serviceConfig = {
+ LoadCredential = [
+ "fullchain.pem:/var/lib/acme/${host}/fullchain.pem"
+ "key.pem:/var/lib/acme/${host}/key.pem"
+ ];
+ };
+
+ services.nginx.virtualHosts."${host}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:${toString cfg.port}";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 853 ];
+ networking.firewall.allowedUDPPorts = [ 853 ];
+}
diff --git a/system/networking.nix b/system/networking.nix
index 24e8003..3c50fc7 100644
--- a/system/networking.nix
+++ b/system/networking.nix
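Review bot: `networking.firewall.allowedTCPPorts = [ 853 ]` / `allowedUDPPorts = [ 853 ]` open DoT and DoQ on every interface and `settings.dns` sets no `allowed_clients`, so with `dns.felschr.com` published by inadyn this is an open resolver on the internet; scope it to the interfaces that should use it, e.g. `networking.firewall.interfaces.tailscale0 = { allowedTCPPorts = [ 853 ]; allowedUDPPorts = [ 853 ]; };` (plus the LAN interface), or set `settings.dns.allowed_clients` to the LAN/tailnet ranges. The `# HINT` comment says `users` is created by hand later, and the nginx vhost with `enableACME`/`forceSSL` exposes the web UI at https://dns.felschr.com from the first deploy — I believe AdGuardHome serves its unauthenticated setup wizard while `users` is empty, so either create the admin user before exposing the vhost or put an `allow`/`deny all` list on `locations."/"` for the LAN/tailnet ranges. `LoadCredential` copies the ACME files only at service start, so a renewed certificate is not picked up until AdGuardHome restarts; `security.acme.certs."${host}".reloadServices = [ "adguardhome.service" ];` (name per the acme module in use) closes that gap.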
@@ -1,24 +1,49 @@
-{ config, ... }:
+{ config, lib, ... }:
+let
+ isAdguardHost = config.services.adguardhome.enable;
+ nameservers = {
+ local = [
+ "127.0.0.1"
+ "::1"
+ ];
+ remote = [
+ # LAN
+ "192.168.1.102#dns.felschr.com"
+ "fd1c:ca95:d74d::102#dns.felschr.com"
+
+ # Tailnet
+ "100.97.32.60#dns.felschr.com"
+ "fd7a:115c:a1e0::a0a1:203c#dns.felschr.com"
+ ];
+ };
+in
 {
- networking.nameservers = [
- "127.0.0.1"
- "::1"
- ];
- networking.networkmanager.dns = "systemd-resolved";
+ networking.nameservers = if isAdguardHost then nameservers.local else nameservers.remote;
+
+ networking.nftables.enable = true;
+ networking.networkmanager = {
+ enable = true;
+ dns = "systemd-resolved";
+ };
+
+ systemd.network = {
+ enable = true;
+ wait-online.ignoredInterfaces = [ "tailscale0" ];
+ };
 services.dnsmasq.enable = false;
 services.resolved = {
 enable = true;
- # don't use fallback resolvers
- fallbackDns = [ ];
- };
-
- services.nextdns = {
- enable = true;
- arguments = [
- "-config"
- "b8e2f7"
+ dnsovertls = if isAdguardHost then "opportunistic" else "true";
+ fallbackDns = [
+ "194.242.2.2#dns.mullvad.net"
+ "194.242.2.4#base.dns.mullvad.net"
+ "1.1.1.1#one.one.one.one"
+ "1.0.0.1#one.one.one.one"
 ];
+ extraConfig = lib.mkIf isAdguardHost ''
+ DNSStubListener=no
+ '';
 };
 }
diff --git a/system/server.nix b/system/server.nix
index 2d466a8..f4cfa1a 100644
--- a/system/server.nix
+++ b/system/server.nix
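Review bot: The pinned `IP#dns.felschr.com` servers plus `dnsovertls = "true"` only cover queries resolved routes to the global scope; with `networking.networkmanager.dns = "systemd-resolved"` each link also gets its DHCP-provided servers, and resolved prefers those for that link, so on an untrusted network plain DNS from the local DHCP server can still be used — add `domains = [ "~." ];` under `services.resolved` so the global DoT servers take all routing domains (or tell NetworkManager to ignore DHCP DNS). `fallbackDns` is not failover: resolved consults it only when no servers are configured at all, and all four `remote` entries are the same home-server, so clients lose DNS whenever it is unreachable; since the old `# don't use fallback resolvers` comment was removed, a comment stating that this is the intended no-leak behaviour would stop the next reader from "fixing" it. On the AdGuard host `DNSStubListener=no` disables 127.0.0.53, but I believe NixOS still points `/etc/resolv.conf` at `stub-resolv.conf` by default — verify local resolution there, or point it at `/run/systemd/resolve/resolv.conf`.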
@@ -15,14 +15,14 @@ table inet allow-incoming-traffic { chain allow-incoming { type filter hook input priority -100; policy accept; - tcp dport {80, 443, 2222} meta mark set 0x80000; - udp dport {80, 443, 2222} meta mark set 0x80000; + tcp dport {80, 443, 853, 2222} meta mark set 0x80000; + udp dport {80, 443, 853, 2222} meta mark set 0x80000; } chain allow-outgoing { type route hook output priority -100; policy accept; - tcp sport {80, 443, 2222} meta mark set 0x80000; - udp sport {80, 443, 2222} meta mark set 0x80000; + tcp sport {80, 443, 853, 2222} meta mark set 0x80000; + udp sport {80, 443, 853, 2222} meta mark set 0x80000; } } '';
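Review bot: The same port list is now spelled out four times (`tcp dport`, `udp dport`, `tcp sport`, `udp sport`) and has to be kept in step with the `networking.firewall.allowed*Ports = [ 853 ]` lines in services/adguardhome.nix; a named nftables set makes the next port a one-line change and makes the intent of the mark readable. Note the rule text lives inside a Nix `''` string whose start and end are outside this hunk, so the set declaration goes at table scope just before `chain allow-incoming`. A short comment on the mark value, e.g. `# 0x80000: bypass the VPN policy route for traffic to/from published services`, would also help, since nothing in the hunk says what the mark is for.

```nix
set published_ports {
  type inet_service
  elements = { 80, 443, 853, 2222 }
}
# … unchanged: chain allow-incoming header …
tcp dport @published_ports meta mark set 0x80000;
udp dport @published_ports meta mark set 0x80000;
# … unchanged: chain allow-outgoing header …
tcp sport @published_ports meta mark set 0x80000;
udp sport @published_ports meta mark set 0x80000;
```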