From d0259fed76d52ad3c8c16c85ef7a9cdb33cab521 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Mon, 26 Jun 2023 00:20:25 +0300
Subject: [PATCH] add unbound+blocky to vps and fix wg keys
---
 machines/NixOS-VPS/default.nix | 1 +
 machines/NixOS-VPS/dns.nix | 103 +++++++++++++++++++++
 machines/NixOS-VPS/hardware/networks.nix | 5 +
 machines/NixOS-VPS/network.nix | 15 ++-
 machines/NixOS-VPS/wireguard.nix | 113 ++++++++++++++++++-----
 5 files changed, 206 insertions(+), 31 deletions(-)
 create mode 100644 machines/NixOS-VPS/dns.nix
diff --git a/machines/NixOS-VPS/default.nix b/machines/NixOS-VPS/default.nix
index ad0464c..fe6d503 100644
--- a/machines/NixOS-VPS/default.nix
+++ b/machines/NixOS-VPS/default.nix
@@ -5,6 +5,7 @@ inputs.disko.nixosModules.disko ./hardware + ./dns.nix ./network.nix ./nix.nix ./wireguard.nix
diff --git a/machines/NixOS-VPS/dns.nix b/machines/NixOS-VPS/dns.nix
new file mode 100644
index 0000000..60e52ac
--- /dev/null
+++ b/machines/NixOS-VPS/dns.nix
@@ -0,0 +1,103 @@
+{ config, lib, pkgs, ... }:
+let
+ inherit (import ./hardware/networks.nix) interfaces;
+ wgIfname = interfaces.wireguard0.ifname;
+ brIfname = interfaces.main'.bridgeName;
+in {
+ services.resolved.extraConfig = ''
+ DNSStubListener=off
+ '';
+ systemd.network.networks."20-${brIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
+ systemd.network.networks."90-${wgIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
+
+ networking.firewall = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+
+ environment.systemPackages = with pkgs; [ tcpdump dnsutils ];
+ services.blocky = {
+ enable = true;
+ settings = {
+ upstream.default = [ "127.0.0.1:553" "[::1]:553" ];
+ upstreamTimeout = "10s";
+ bootstrapDns = [{ upstream = "9.9.9.9"; }];
+ blocking = {
+ blackLists.ads = [
+ "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
+ ];
+ clientGroupsBlock.default = [ "ads" ];
+ };
+ port = 53;
+ queryLog = {
+ type = "console";
+ };
+ };
+ };
+ # TODO: DoH (https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html)
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ root-hints = "${config.services.unbound.stateDir}/root.hints";
+ port = "553";
+ interface = [
+ "127.0.0.1" "10.100.0.1"
+ "::1" "fd3a:900e:8e74:ffff::1"
+ ];
+ access-control = [
+ "0.0.0.0/0 refuse"
+ "127.0.0.0/8 allow"
+ "10.100.0.0/16 allow"
+ "::0/0 refuse"
+ "::1 allow"
+ "fd3a:900e:8e74:ffff::0/64 allow"
+ ];
+ private-address = [
+ "127.0.0.0/8"
+ "10.100.0.0/16"
+ "::1"
+ "fd3a:900e:8e74:ffff::0/64"
+ ];
+ hide-version = "yes";
+ aggressive-nsec = "yes";
+ cache-max-ttl = "86400";
+ cache-min-ttl = "600";
+ deny-any = "yes";
+ do-ip4 = "yes";
+ do-ip6 = "yes";
+ do-tcp = "yes";
+ do-udp = "yes";
+ harden-algo-downgrade = "yes";
+ harden-dnssec-stripped = "yes";
+ harden-glue = "yes";
+ harden-large-queries = "yes";
+ harden-referral-path = "yes";
+ harden-short-bufsize = "yes";
+ hide-identity = "yes";
+ minimal-responses = "yes";
+ msg-cache-size = "128m";
+ neg-cache-size = "4m";
+ prefer-ip6 = "no";
+ prefetch = "yes";
+ prefetch-key = "yes";
+ qname-minimisation = "yes";
+ rrset-cache-size = "256m";
+ rrset-roundrobin = "yes";
+ serve-expired = "yes";
+ so-rcvbuf = "4m";
+ so-reuseport = "yes";
+ so-sndbuf = "4m";
+ unwanted-reply-threshold = "100000";
+ use-caps-for-id = "yes";
+ };
+ };
+ };
+ systemd.services.root-hints = {
+ script = ''
+ ${pkgs.wget}/bin/wget -O ${config.services.unbound.stateDir}/root.hints https://www.internic.net/domain/named.root
+ '';
+ serviceConfig.Type = "oneshot";
+ startAt = "1 0 1 */1 *";
+ };
+}
\ No newline at end of file
diff --git a/machines/NixOS-VPS/hardware/networks.nix b/machines/NixOS-VPS/hardware/networks.nix
index fbbb241..5249454 100644
--- a/machines/NixOS-VPS/hardware/networks.nix
+++ b/machines/NixOS-VPS/hardware/networks.nix
@@ -5,6 +5,7 @@ rec { # This is the public-facing interface. Any interface name with a prime # symbol means it's a public-facing interface. main' = { + bridgeName = "br0"; ifname = "enp0s18"; IPv4 = { address = "193.219.97.142/26";
@@ -81,5 +82,9 @@ rec { IPv4 = "${wireguardIPv4Prefix}.11"; IPv6 = "${wireguardIPv6Prefix}:b"; }; + dell = { + IPv4 = "${wireguardIPv4Prefix}.12"; + IPv6 = "${wireguardIPv6Prefix}:c"; + }; }; }
diff --git a/machines/NixOS-VPS/network.nix b/machines/NixOS-VPS/network.nix
index 6428d2e..acfe00d 100644
--- a/machines/NixOS-VPS/network.nix
+++ b/machines/NixOS-VPS/network.nix
@@ -2,10 +2,7 @@ let inherit (import ./hardware/networks.nix) interfaces; in { - services.resolved = { - enable = true; - dnssec = "false"; - }; + services.resolved.enable = true; networking = { enableIPv6 = true; usePredictableInterfaceNames = true;
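Review bot: `networking.firewall.allowedTCPPorts`/`allowedUDPPorts = [ 53 ]` in dns.nix opens the resolver on every interface, and blocky's `port = 53` carries no bind address, so port 53 is also reachable on the public address of `main'` (networks.nix documents that interface as public-facing) — an open recursive resolver on the Internet. Unbound's `access-control` only guards the port-553 backend; queries that arrive at blocky are forwarded from 127.0.0.1, which that list allows. Scope the opening to the internal links, e.g. `networking.firewall.interfaces."${wgIfname}".allowedUDPPorts = [ 53 ];` (likewise for TCP and for `brIfname`), and bind blocky to the tunnel/bridge addresses rather than the wildcard. Separately, `startAt = "1 0 1 */1 *"` is cron syntax whereas `startAt` is handed to systemd as `OnCalendar`, which I believe rejects that form; `startAt = "monthly";` expresses the same schedule, and since `root-hints` points at a file that only exists after the first run, the unit should also run before unbound starts or the hints should come from `pkgs.dns-root-data` instead of a fetch.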
@@ -22,13 +19,13 @@ in { "10-wan" = { matchConfig.Name = ifname; linkConfig.RequiredForOnline = "enslaved"; - networkConfig.Bridge = "br0"; + networkConfig.Bridge = brIfname; networkConfig.DHCP = "no"; networkConfig.LinkLocalAddressing = "no"; networkConfig.IPv6AcceptRA = false; }; - "20-br0" = { - matchConfig.Name = "br0"; + "20-${brIfname}" = { + matchConfig.Name = brIfname; address = [ IPv4.address IPv6.address "192.168.0.1/24" "fc00::1/64"
@@ -57,10 +54,10 @@ in { }; }; netdevs = { - "20-br0" = { + "20-${brIfname}" = { netdevConfig = { Kind = "bridge"; - Name = "br0"; + Name = brIfname; MACAddress = "e6:95:b5:a6:28:c0"; }; };
diff --git a/machines/NixOS-VPS/wireguard.nix b/machines/NixOS-VPS/wireguard.nix
index d390bde..36cfe66 100644
--- a/machines/NixOS-VPS/wireguard.nix
+++ b/machines/NixOS-VPS/wireguard.nix
@@ -15,26 +15,6 @@ in { systemd.network = { wait-online.ignoredInterfaces = [ wireguardIFName ]; - netdevs."90-${wireguardIFName}" = { - netdevConfig = { - Name = wireguardIFName; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = "/var/lib/wireguard/private"; - ListenPort = wireguardPort; - }; - wireguardPeers = [ - { - wireguardPeerConfig = { - PublicKey = "qjkV4V0on7H3hXG7udKOv4Qu/IUBrsDcXNZt3MupP3o="; - PresharedKeyFile = "/var/lib/wireguard/ataraxia-psk"; - AllowedIPs = lib.concatStringsSep "," ataraxiaPeerAddresses; - }; - } - ]; - }; - networks."90-${wireguardIFName}" = with interfaces.wireguard0; { matchConfig.Name = wireguardIFName; address = [
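Review bot: `brIfname` is referenced on the new lines of this hunk and the next (`networkConfig.Bridge = brIfname;`, `"20-${brIfname}"`, `Name = brIfname;`), but the `let` block shown in the first hunk of network.nix binds only `interfaces`, and the attribute this commit adds to `main'` in networks.nix is called `bridgeName`, not `brIfname`. Unless a binding exists in a part of the file outside the diff (a `with` that brings it in, say), evaluation fails with an undefined variable; dns.nix in this same commit defines it explicitly as `brIfname = interfaces.main'.bridgeName;`, and the same line belongs in this file's `let`. The enclosing `systemd.network.networks` set starts and ends outside the hunk.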
@@ -48,9 +28,98 @@ in { networkConfig = { IPForward = true; IPMasquerade = "both";
- # Quad9 dns
- DNS = [ "9.9.9.9" "149.112.112.112" "2620:fe::fe" "2620:fe::9" ];
+ DNS = interfaces.main'.IPv4.dns ++ interfaces.main'.IPv6.dns;
+ };
+ };
+
+ netdevs."90-${wireguardIFName}" = {
+ netdevConfig = {
+ Name = wireguardIFName;
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = "/var/lib/wireguard/private";
+ ListenPort = wireguardPort;
+ };
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = with wireguardPeers.ataraxia; {
+ PublicKey = "qjkV4V0on7H3hXG7udKOv4Qu/IUBrsDcXNZt3MupP3o=";
+ PresharedKeyFile = "/var/lib/wireguard/ataraxia/preshared";
+ AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
+ };
+ }
+ {
+ wireguardPeerConfig = with wireguardPeers.hypervisor; {
+ PublicKey = "oKQ3HXZ1wwWyVgmA4RoCXscImohqB8hdMzP1FRArw0o=";
+ PresharedKeyFile = "/var/lib/wireguard/hypervisor/preshared";
+ AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
+ };
+ }
+ {
+ wireguardPeerConfig = with wireguardPeers.mikrotik; {
+ PublicKey = "amReLTZgu6pwtKCnk1q8EG5uZSgUNxRoh5m3w1D3rQo=";
+ PresharedKeyFile = "/var/lib/wireguard/mikrotik/preshared";
+ AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
+ };
+ }
+ {
+ wireguardPeerConfig = with wireguardPeers.poco; {
+ PublicKey = "ZbBJziuMjyHJNcgrLYIQtio7l3fEOJ4GXW4ST+N9V34=";
+ PresharedKeyFile = "/var/lib/wireguard/poco/preshared";
+ AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
+ };
+ }
+ {
+ wireguardPeerConfig = with wireguardPeers.kpoxa; {
+ PublicKey = "U1wtbS8/yQGkBnBQUZs7KxxmvAajKb9jh83dDd2LdgE=";
+ PresharedKeyFile = "/var/lib/wireguard/kpoxa/preshared";
+ AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
+ };
+ }
+ {
+ wireguardPeerConfig = with wireguardPeers.kpoxa2; {
+ PublicKey = "ghU3Puwz5PeXmnDlxyh+IeuwFK44V3rXlMiFGs5YnwI=";
+ PresharedKeyFile = "/var/lib/wireguard/kpoxa2/preshared";
+ AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
+ };
+ }
+ {
+ wireguardPeerConfig = with wireguardPeers.faysss; {
+ PublicKey = "JLvKyFwI7b9MsiZsnNAt3qs5ob18b3mrOZKR5HZCORY=";
+ PresharedKeyFile = "/var/lib/wireguard/faysss/preshared";
+ AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
+ };
+ }
+ {
+ wireguardPeerConfig = with wireguardPeers.faysss2; {
+ PublicKey = "S6k9l0K5/YmO5BPETQludC1CBHsKLsk9+n6kwSjx4n8=";
+ PresharedKeyFile = "/var/lib/wireguard/faysss2/preshared";
+ AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
+ };
+ }
+ {
+ wireguardPeerConfig = with wireguardPeers.faysss3; {
+ PublicKey = "ka42gE67gShu88Ko7iQ/pK8zusod6bNIrIN8fkxVkC4=";
+ PresharedKeyFile = "/var/lib/wireguard/faysss3/preshared";
+ AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
+ };
+ }
+ {
+ wireguardPeerConfig = with wireguardPeers.doste; {
+ PublicKey = "KVbEaO4DSpTb941zxOPQLWq2Glm9CDgK/9MwW95WuC0=";
+ PresharedKeyFile = "/var/lib/wireguard/doste/preshared";
+ AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
+ };
+ }
+ {
+ wireguardPeerConfig = with wireguardPeers.dell; {
+ PublicKey = "//ss9UEHRFEZL4LbZaA1HiRUrMrn97kc7CmblUORXTc=";
+ PresharedKeyFile = "/var/lib/wireguard/dell/preshared";
+ AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
+ };
+ }
+ ];
+ };
 }; }
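Review bot: The `DNS = interfaces.main'.IPv4.dns ++ interfaces.main'.IPv6.dns;` line that replaces the Quad9 list is dead configuration: dns.nix in this same commit sets `systemd.network.networks."90-${wgIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1"`, so the value written here is always overridden and a reader of wireguard.nix is misled about which resolver the tunnel interface uses. Either drop the line or keep the single definition in one file; if it stays, a comment such as `# overridden by dns.nix (mkForce 127.0.0.1) while the local resolver is enabled` should say so. Separately, the eleven peer entries differ only in peer name and public key, so a name→key table fed through `lib.mapAttrsToList` (`lib` is already used in this file) would make adding a peer a one-line change and keep the `PresharedKeyFile` path and the `/32`/`/128` AllowedIPs convention from drifting between entries. The enclosing `systemd.network` set starts outside the hunk.
```nix
      wireguardPeers = lib.mapAttrsToList (name: publicKey: {
        wireguardPeerConfig = with wireguardPeers.${name}; {
          PublicKey = publicKey;
          PresharedKeyFile = "/var/lib/wireguard/${name}/preshared";
          AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
        };
      }) {
        ataraxia = "qjkV4V0on7H3hXG7udKOv4Qu/IUBrsDcXNZt3MupP3o=";
        hypervisor = "oKQ3HXZ1wwWyVgmA4RoCXscImohqB8hdMzP1FRArw0o=";
        # … remaining peers (mikrotik, poco, kpoxa, kpoxa2, faysss, faysss2, faysss3, doste, dell) with the keys from the hunk …
      };
```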