add unbound+blocky to vps and fix wg keys

2023-06-26 00:20:25 +03:00 · 2023-06-26 00:20:25 +03:00 · d0259fed76
commit d0259fed76
parent f05ffe6404
5 changed files with 206 additions and 31 deletions
--- a/machines/NixOS-VPS/default.nix
+++ b/machines/NixOS-VPS/default.nix
@ -5,6 +5,7 @@
    inputs.disko.nixosModules.disko
    ./hardware
    ./dns.nix
    ./network.nix
    ./nix.nix
    ./wireguard.nix
--- a/machines/NixOS-VPS/dns.nix
+++ b/machines/NixOS-VPS/dns.nix
@ -0,0 +1,103 @@
 { config, lib, pkgs, ... }:
 let
  inherit (import ./hardware/networks.nix) interfaces;
  wgIfname = interfaces.wireguard0.ifname;
  brIfname = interfaces.main'.bridgeName;
 in {
  services.resolved.extraConfig = ''
    DNSStubListener=off
  '';
  systemd.network.networks."20-${brIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
  systemd.network.networks."90-${wgIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
  networking.firewall = {
    allowedTCPPorts = [ 53 ];
    allowedUDPPorts = [ 53 ];
  };
  environment.systemPackages = with pkgs; [ tcpdump dnsutils ];
  services.blocky = {
    enable = true;
    settings = {
      upstream.default = [ "127.0.0.1:553" "[::1]:553" ];
      upstreamTimeout = "10s";
      bootstrapDns = [{ upstream = "9.9.9.9"; }];
      blocking = {
        blackLists.ads = [
          "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
        ];
        clientGroupsBlock.default = [ "ads" ];
      };
      port = 53;
      queryLog = {
        type = "console";
      };
    };
  };
  # TODO: DoH (https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html)
  services.unbound = {
    enable = true;
    settings = {
      server = {
        root-hints = "${config.services.unbound.stateDir}/root.hints";
        port = "553";
        interface = [
          "127.0.0.1" "10.100.0.1"
          "::1" "fd3a:900e:8e74:ffff::1"
        ];
        access-control = [
          "0.0.0.0/0 refuse"
          "127.0.0.0/8 allow"
          "10.100.0.0/16 allow"
          "::0/0 refuse"
          "::1 allow"
          "fd3a:900e:8e74:ffff::0/64 allow"
        ];
        private-address = [
          "127.0.0.0/8"
          "10.100.0.0/16"
          "::1"
          "fd3a:900e:8e74:ffff::0/64"
        ];
 	      hide-version = "yes";
        aggressive-nsec = "yes";
        cache-max-ttl = "86400";
        cache-min-ttl = "600";
        deny-any = "yes";
        do-ip4 = "yes";
        do-ip6 = "yes";
        do-tcp = "yes";
        do-udp = "yes";
        harden-algo-downgrade = "yes";
        harden-dnssec-stripped = "yes";
        harden-glue = "yes";
        harden-large-queries = "yes";
        harden-referral-path = "yes";
        harden-short-bufsize = "yes";
        hide-identity = "yes";
        minimal-responses = "yes";
        msg-cache-size = "128m";
        neg-cache-size = "4m";
        prefer-ip6 = "no";
        prefetch = "yes";
        prefetch-key = "yes";
        qname-minimisation = "yes";
        rrset-cache-size = "256m";
        rrset-roundrobin = "yes";
        serve-expired = "yes";
        so-rcvbuf = "4m";
        so-reuseport = "yes";
        so-sndbuf = "4m";
        unwanted-reply-threshold = "100000";
        use-caps-for-id = "yes";
      };
    };
  };
  systemd.services.root-hints = {
    script = ''
      ${pkgs.wget}/bin/wget -O ${config.services.unbound.stateDir}/root.hints https://www.internic.net/domain/named.root
    '';
    serviceConfig.Type = "oneshot";
    startAt = "1 0 1 */1 *";
  };
 }
--- a/machines/NixOS-VPS/hardware/networks.nix
+++ b/machines/NixOS-VPS/hardware/networks.nix
@ -5,6 +5,7 @@ rec {
      # This is the public-facing interface. Any interface name with a prime
      # symbol means it's a public-facing interface.
      main' = {
        bridgeName = "br0";
        ifname = "enp0s18";
        IPv4 = {
          address = "193.219.97.142/26";
@ -81,5 +82,9 @@ rec {
      IPv4 = "${wireguardIPv4Prefix}.11";
      IPv6 = "${wireguardIPv6Prefix}:b";
    };
    dell = {
      IPv4 = "${wireguardIPv4Prefix}.12";
      IPv6 = "${wireguardIPv6Prefix}:c";
    };
  };
 }
--- a/machines/NixOS-VPS/network.nix
+++ b/machines/NixOS-VPS/network.nix
@ -2,10 +2,7 @@
 let
  inherit (import ./hardware/networks.nix) interfaces;
 in {
-  services.resolved = {
+  services.resolved.enable = true;
    enable = true;
    dnssec = "false";
  };
  networking = {
    enableIPv6 = true;
    usePredictableInterfaceNames = true;
@ -22,13 +19,13 @@ in {
      "10-wan" = {
        matchConfig.Name = ifname;
        linkConfig.RequiredForOnline = "enslaved";
-        networkConfig.Bridge = "br0";
+        networkConfig.Bridge = brIfname;
        networkConfig.DHCP = "no";
        networkConfig.LinkLocalAddressing = "no";
        networkConfig.IPv6AcceptRA = false;
      };
-      "20-br0" = {
+      "20-${brIfname}" = {
-        matchConfig.Name = "br0";
+        matchConfig.Name = brIfname;
        address = [
          IPv4.address IPv6.address
          "192.168.0.1/24" "fc00::1/64"
@ -57,10 +54,10 @@ in {
      };
    };
    netdevs = {
-      "20-br0" = {
+      "20-${brIfname}" = {
        netdevConfig = {
          Kind = "bridge";
-          Name = "br0";
+          Name = brIfname;
          MACAddress = "e6:95:b5:a6:28:c0";
        };
      };
--- a/machines/NixOS-VPS/wireguard.nix
+++ b/machines/NixOS-VPS/wireguard.nix
@ -15,26 +15,6 @@ in {
  systemd.network = {
    wait-online.ignoredInterfaces = [ wireguardIFName ];
    netdevs."90-${wireguardIFName}" = {
      netdevConfig = {
        Name = wireguardIFName;
        Kind = "wireguard";
      };
      wireguardConfig = {
        PrivateKeyFile = "/var/lib/wireguard/private";
        ListenPort = wireguardPort;
      };
      wireguardPeers = [
        {
          wireguardPeerConfig = {
            PublicKey = "qjkV4V0on7H3hXG7udKOv4Qu/IUBrsDcXNZt3MupP3o=";
            PresharedKeyFile = "/var/lib/wireguard/ataraxia-psk";
            AllowedIPs = lib.concatStringsSep "," ataraxiaPeerAddresses;
          };
        }
      ];
    };
    networks."90-${wireguardIFName}" = with interfaces.wireguard0; {
      matchConfig.Name = wireguardIFName;
      address = [
@ -48,9 +28,98 @@ in {
      networkConfig = {
        IPForward = true;
        IPMasquerade = "both";
-        # Quad9 dns
+        DNS = interfaces.main'.IPv4.dns ++ interfaces.main'.IPv6.dns;
        DNS = [ "9.9.9.9" "149.112.112.112" "2620:fe::fe" "2620:fe::9" ];
      };
    };
    netdevs."90-${wireguardIFName}" = {
      netdevConfig = {
        Name = wireguardIFName;
        Kind = "wireguard";
      };
      wireguardConfig = {
        PrivateKeyFile = "/var/lib/wireguard/private";
        ListenPort = wireguardPort;
      };
      wireguardPeers = [
        {
          wireguardPeerConfig = with wireguardPeers.ataraxia; {
            PublicKey = "qjkV4V0on7H3hXG7udKOv4Qu/IUBrsDcXNZt3MupP3o=";
            PresharedKeyFile = "/var/lib/wireguard/ataraxia/preshared";
            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
          };
        }
        {
          wireguardPeerConfig = with wireguardPeers.hypervisor; {
            PublicKey = "oKQ3HXZ1wwWyVgmA4RoCXscImohqB8hdMzP1FRArw0o=";
            PresharedKeyFile = "/var/lib/wireguard/hypervisor/preshared";
            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
          };
        }
        {
          wireguardPeerConfig = with wireguardPeers.mikrotik; {
            PublicKey = "amReLTZgu6pwtKCnk1q8EG5uZSgUNxRoh5m3w1D3rQo=";
            PresharedKeyFile = "/var/lib/wireguard/mikrotik/preshared";
            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
          };
        }
        {
          wireguardPeerConfig = with wireguardPeers.poco; {
            PublicKey = "ZbBJziuMjyHJNcgrLYIQtio7l3fEOJ4GXW4ST+N9V34=";
            PresharedKeyFile = "/var/lib/wireguard/poco/preshared";
            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
          };
        }
        {
          wireguardPeerConfig = with wireguardPeers.kpoxa; {
            PublicKey = "U1wtbS8/yQGkBnBQUZs7KxxmvAajKb9jh83dDd2LdgE=";
            PresharedKeyFile = "/var/lib/wireguard/kpoxa/preshared";
            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
          };
        }
        {
          wireguardPeerConfig = with wireguardPeers.kpoxa2; {
            PublicKey = "ghU3Puwz5PeXmnDlxyh+IeuwFK44V3rXlMiFGs5YnwI=";
            PresharedKeyFile = "/var/lib/wireguard/kpoxa2/preshared";
            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
          };
        }
        {
          wireguardPeerConfig = with wireguardPeers.faysss; {
            PublicKey = "JLvKyFwI7b9MsiZsnNAt3qs5ob18b3mrOZKR5HZCORY=";
            PresharedKeyFile = "/var/lib/wireguard/faysss/preshared";
            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
          };
        }
        {
          wireguardPeerConfig = with wireguardPeers.faysss2; {
            PublicKey = "S6k9l0K5/YmO5BPETQludC1CBHsKLsk9+n6kwSjx4n8=";
            PresharedKeyFile = "/var/lib/wireguard/faysss2/preshared";
            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
          };
        }
        {
          wireguardPeerConfig = with wireguardPeers.faysss3; {
            PublicKey = "ka42gE67gShu88Ko7iQ/pK8zusod6bNIrIN8fkxVkC4=";
            PresharedKeyFile = "/var/lib/wireguard/faysss3/preshared";
            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
          };
        }
        {
          wireguardPeerConfig = with wireguardPeers.doste; {
            PublicKey = "KVbEaO4DSpTb941zxOPQLWq2Glm9CDgK/9MwW95WuC0=";
            PresharedKeyFile = "/var/lib/wireguard/doste/preshared";
            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
          };
        }
        {
          wireguardPeerConfig = with wireguardPeers.dell; {
            PublicKey = "//ss9UEHRFEZL4LbZaA1HiRUrMrn97kc7CmblUORXTc=";
            PresharedKeyFile = "/var/lib/wireguard/dell/preshared";
            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
          };
        }
      ];
    };
  };
 }