From 6a0fd12cf07df4ee54643f64d34438ce03869a5e Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 15 Mar 2022 18:35:41 +0100
Subject: yggdrasil-wg: dns

---
 hosts/sif/default.nix            | 5 +++++
 hosts/vidhar/dns/default.nix     | 4 ++++
 hosts/vidhar/network/ruleset.nft | 4 ++--
 modules/yggdrasil-wg/default.nix | 7 ++-----
 4 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 647021ca..96bb793a 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -110,6 +110,11 @@ in {
         server=/cipmath.loc/10.153.88.9
       '';
     };
+    environment.etc."NetworkManager/dnsmasq.d/yggdrasil.conf" = {
+      text = ''
+        server=/yggdrasil/2a03:4000:52:ada:1:1::
+      '';
+    };
     environment.etc."systemd/networkd.conf" = {
       text = ''
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix
index b1457a7a..caaa8e15 100644
--- a/hosts/vidhar/dns/default.nix
+++ b/hosts/vidhar/dns/default.nix
@@ -82,6 +82,10 @@ in {
         listen: 127.0.0.1@5353
         listen: ::1@5353
+        listen: 10.141.1.1@53
+        listen: 10.141.2.1@53
+        listen: 2a03:4000:52:ada:1:1::@53
+
       acl:
         - id: local_acl
           key: local_key
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 0f591f24..4e8341e9 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
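Review bot: The resolver address `2a03:4000:52:ada:1:1::` in the new `server=/yggdrasil/...` line is the same literal the module sets in its `dns =` option, with nothing tying the two together, so they will drift the first time the address moves. Since the `yggdrasil` interface is listed as NetworkManager-unmanaged in the module (visible in the last hunk), the networkd `dns =` presumably never reaches NM's dnsmasq on sif, which is why this directive is needed at all; that is worth stating in the file, e.g. `# NM does not see networkd's dns= for the unmanaged yggdrasil link; keep in sync with modules/yggdrasil-wg`. Note also that only forward lookups are forwarded: without a matching `rev-server=` line, PTR queries for mesh addresses still go to the default upstream, which leaks the mesh addressing to it. The enclosing attribute set continues outside the hunk.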
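Review bot: The three new `listen:` entries bind knot directly on port 53 on `10.141.1.1`, `10.141.2.1` and the mesh address, while the existing loopback listeners stay on 5353, which suggests something else already fronts port 53 on this host; if that forwarder binds the wildcard address, knot will fail to start on these sockets, so confirm nothing else claims `:53` on those addresses. The `listen:`/`acl:`/`key:` layout looks like knot, i.e. an authoritative server, so mesh hosts that point their whole resolver configuration at `2a03:4000:52:ada:1:1::` will get REFUSED for anything outside the zones knot serves; a short comment such as `# authoritative only: serves the yggdrasil zone to mesh peers, not a recursive resolver` would make that contract explicit next to the listeners. The `acl:` block continues outside the hunk, so whether transfers and updates on the new listeners are restricted to `local_key` cannot be checked here.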
@@ -165,8 +165,8 @@ table inet filter {
     iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
     iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60001-61000 counter name mosh-rx accept
-    iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
-    iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept
+    iifname { lan, mgmt, dmz01, yggdrasil } tcp dport 53 counter name dns-rx accept
+    iifname { lan, mgmt, dmz01, yggdrasil } udp dport 53 counter name dns-rx accept
     iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
     iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index 82002a05..66d14c95 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -77,9 +77,6 @@ let
     sif = ["${batSubnet}:2::/${toString batHostLength}"];
   };
   routers = [ "surtr" ];
-  hostNames = {
-    vidhar = [ "grafana.vidhar.yggdrasil" ];
-  };
   mkPublicKeyPath = family: host: ./hosts + "/${family}" + "/${host}.pub";
   mkPrivateKeyPath = family: host: ./hosts + "/${family}" + "/${host}.priv";
@@ -205,6 +202,8 @@ in {
           Name = "yggdrasil";
         };
         address = batHostIPs.${hostName};
+        dns = ["[2a03:4000:52:ada:1:1::]"];
+        domains = ["yggdrasil"];
         routes = [
           { routeConfig = {
             Destination = "${batSubnet}::/${toString batSubnetLength}";
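Review bot: The two rewritten `dns-rx` rules accept port 53 from `yggdrasil` to any address on the host, whereas the knot listener added for the mesh in this commit is only `2a03:4000:52:ada:1:1::@53`, so the rule is broader than the service it is opening. Narrowing it to that destination keeps the exposure equal to the listener and documents the intent in the ruleset itself, e.g. `iifname yggdrasil ip6 daddr 2a03:4000:52:ada:1:1:: udp dport 53 counter name dns-rx accept` with a matching `tcp` line, leaving the existing `{ lan, mgmt, dmz01 }` rules as they were. Whether the 10.141.1.1 and 10.141.2.1 listeners are on interfaces in that set cannot be told from the hunk. The enclosing chain starts and ends outside the hunk.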
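Review bot: `domains = ["yggdrasil"];` declares a search domain, not a routing-only domain, so under systemd-resolved's automatic DefaultRoute handling a link with no routing-only domains is also eligible for queries that match no link's domain; every mesh host would then send ordinary lookups to vidhar's knot as well, which both leaks query names into the mesh and, if knot is authoritative-only as the dns hunk suggests, yields REFUSED. Prefixing the domain, `domains = ["~yggdrasil"];`, routes only `*.yggdrasil` to this server; `DefaultRoute = false` on the network is the equivalent alternative. This applies only where resolved is the stub in use; the last hunk shows the interface is NetworkManager-unmanaged, so on NM hosts such as sif this setting is presumably not consulted at all, and a comment saying so would save the next reader the same detour. The enclosing network definition continues outside the hunk.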
@@ -247,8 +246,6 @@ in {
   sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies);
-  networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) (["${name}.yggdrasil"] ++ (hostNames.${name} or []))) value) (mapAttrsToList nameValuePair batHostIPs)));
-
   boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];
   environment.systemPackages = with pkgs; [ wireguard-tools batctl ];
   networking.networkmanager.unmanaged = ["yggdrasil" "ip6gre0" "ip6tnl0"] ++ map (family: "yggdrasil-wg-${family}") hostFamilies ++ concatMap (family: map ({from, to, ...}: let other = if thisHost from then to else from; in "yggre-${other}-${family}") hostLinks.${family}) hostFamilies;
-- 
cgit v1.2.3