Klub-RZ/infrastructure
4
0
Fork 0
Code Issues 7 Pull requests Projects Releases Packages Wiki Activity

core-services: adjust to our changes in IPv4 network for MWAN/local net

Browse source
This commit is contained in:
Raito Bezarius 2021-12-19 14:51:12 +01:00
parent 916b06ad1f
commit 8ac5d2e4ab
4 changed files with 46 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
machines/core-services-01/dns.nix
View file

@ -12,13 +12,13 @@ in
settings = {
server = {
access-control = [ "127.0.0.0/8 allow" "::1/128 allow" ] ++ map (v: "${v} allow") my.privateRanges;
interface = [ "127.0.0.1" ] ++ my.ipv4;
interface = [ "127.0.0.1" ] ++ my.ipv4Internal;
};
};
};
services.nsd = {
enable = true;
interfaces = my.ipv6.standard;
interfaces = my.ipv6.standard ++ my.ipv4;
zones = {
${my.subZone} = {
data = dns.lib.toString my.subZone (import ./subZone.nix { inherit dns config lib; });

25
machines/core-services-01/my.nix
View file

@ -46,6 +46,20 @@ in
default = map (v: (mkAddress v).address) cfg.ipv4Full;
};
ipv4Internal = mkOption {
description = "Private IPv4 addresses without prefix";
type = listOf str;
example = [ "192.186.1.153" ];
default = map (v: (mkAddress v).address) cfg.ipv4InternalFull;
};
ipv4InternalFull = mkOption {
description = "Private IPv4 addresses with prefix";
type = listOf str;
default = [];
example = [ "192.168.1.153/24" ];
};
ipv4Full = mkOption {
description = "Public IPv4 addresses with prefix";
type = listOf str;
@ -67,7 +81,7 @@ in
};
ipv6.acme = mkOption {
description = "Public IPv6 address for ACME services (acme-dns) without prefi";
description = "Public IPv6 address for ACME services (acme-dns) without prefix";
type = str;
default = (mkAddress cfg.ipv6.acmeFull).address;
example = "2001:470:1f13:21d:f515:b348:cd48:e064/64";
@ -87,9 +101,16 @@ in
};
config = {
networking.interfaces.ens20 = {
ipv4.addresses = map mkAddress cfg.ipv4InternalFull;
};
networking.interfaces.ens19 = {
ipv4.addresses = map mkAddress cfg.ipv4Full;
ipv6.addresses = map mkAddress (cfg.ipv6.standardFull ++ [ cfg.ipv6.acmeFull ]);
};
networking.interfaces.ens18 = {
ipv4.addresses = map mkAddress cfg.ipv4Full;
};
};
}

3
machines/core-services-01/rz.nix
View file

@ -11,7 +11,8 @@
"2001:470:1f13:187:fd34:80c3:a761:ff2/64"
];
ipv6.acmeFull = "2001:470:1f13:187:a039:c3ff:fe4f:8661/64";
ipv4Full = [ "10.1.1.20/24" ];
ipv4InternalFull = [ "10.1.1.20/22" ];
ipv4Full = [ "45.13.104.26/32" ];
privateRanges = [ "10.1.0.0/22 "];
};

35
machines/core-services-01/subZone.nix
View file

@ -1,7 +1,6 @@
{ config, lib, dns, ... }:
with dns.lib.combinators;
let
my = config.my;
upstream-v4-proxies = [ "51.15.7.181" ]; # kurisu.dual.lahfa.xyz
@ -11,9 +10,12 @@ let
remoteBuilders = {
nix01 = [ "2001:470:1f13:187:1e07:c670:3958:f8f1" ];
};
dualstack = {
A = my.ipv4;
AAAA = my.ipv6.standard;
};
in
with my.ipv6; # contains { standard, acme }
{
dualstack // {
SOA = {
nameServer = "ns1.${my.subZone}.";
adminEmail = my.email;
@ -24,20 +26,17 @@ with my.ipv6; # contains { standard, acme }
"ns1.${my.subZone}."
];
AAAA = standard;
CAA = letsEncrypt my.email;
subdomains = {
git.AAAA = standard;
drone.AAAA = standard;
wiki.AAAA = standard;
monitoring.AAAA = standard;
auth.AAAA = standard;
push.AAAA = standard;
ns1.AAAA = standard;
beta.A = upstream-v4-proxies;
beta.AAAA = public-cof-ips;
git = dualstack;
drone = dualstack;
wiki = dualstack;
monitoring = dualstack;
auth = dualstack;
push = dualstack;
core01 = dualstack;
ns1 = dualstack;
builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders;
@ -49,10 +48,12 @@ with my.ipv6; # contains { standard, acme }
acme = {
NS = [ "acme.${my.subZone}." ];
AAAA = [ acme ];
AAAA = [ my.ipv6.acme ];
};
beta.subdomains = {
beta = {
AAAA = public-cof-ips;
subdomains = {
nuage.A = upstream-v4-proxies;
nuage.AAAA = public-cof-ips;
minecraft.AAAA = public-cof-ips;
@ -66,11 +67,13 @@ with my.ipv6; # contains { standard, acme }
sandbox.AAAA = public-cof-ips;
};
docs.AAAA = public-cof-ips;
docs.A = upstream-v4-proxies;
jurisprudens = {
AAAA = public-cof-ips;
A = upstream-v4-proxies;
};
};
};
internal.subdomains = {