core-services: adjust to our changes in IPv4 network for MWAN/local net
parent
916b06ad1f
commit
8ac5d2e4ab
4 changed files with 46 additions and 21 deletions
|
@ -12,13 +12,13 @@ in
|
|||
settings = {
|
||||
server = {
|
||||
access-control = [ "127.0.0.0/8 allow" "::1/128 allow" ] ++ map (v: "${v} allow") my.privateRanges;
|
||||
interface = [ "127.0.0.1" ] ++ my.ipv4;
|
||||
interface = [ "127.0.0.1" ] ++ my.ipv4Internal;
|
||||
};
|
||||
};
|
||||
};
|
||||
services.nsd = {
|
||||
enable = true;
|
||||
interfaces = my.ipv6.standard;
|
||||
interfaces = my.ipv6.standard ++ my.ipv4;
|
||||
zones = {
|
||||
${my.subZone} = {
|
||||
data = dns.lib.toString my.subZone (import ./subZone.nix { inherit dns config lib; });
|
||||
|
|
|
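Review bot: unbound's `interface` list (`[ "127.0.0.1" ] ++ my.ipv4Internal`) and nsd's `interfaces` list (`my.ipv6.standard ++ my.ipv4`) both bind port 53 by default, so the two option lists must never share an address or whichever daemon starts second fails to bind, and nothing in this module states or enforces that. A comment next to the nsd `interfaces` line would make the invariant explicit, e.g. `# my.ipv4 (nsd, authoritative) and my.ipv4Internal (unbound, recursive) must stay disjoint: both listen on :53`. Once unbound listens on routable internal addresses, the `access-control` entries built from `my.privateRanges` are what keep it from acting as an open resolver, so that option's definition, which lies outside this hunk, deserves the same review. The enclosing `settings` and `services.nsd` attribute sets start and end outside the hunk.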
@ -46,6 +46,20 @@ in
|
|||
default = map (v: (mkAddress v).address) cfg.ipv4Full;
|
||||
};
|
||||
|
||||
ipv4Internal = mkOption {
|
||||
description = "Private IPv4 addresses without prefix";
|
||||
type = listOf str;
|
||||
example = [ "192.186.1.153" ];
|
||||
default = map (v: (mkAddress v).address) cfg.ipv4InternalFull;
|
||||
};
|
||||
|
||||
ipv4InternalFull = mkOption {
|
||||
description = "Private IPv4 addresses with prefix";
|
||||
type = listOf str;
|
||||
default = [];
|
||||
example = [ "192.168.1.153/24" ];
|
||||
};
|
||||
|
||||
ipv4Full = mkOption {
|
||||
description = "Public IPv4 addresses with prefix";
|
||||
type = listOf str;
|
||||
|
@ -67,7 +81,7 @@ in
|
|||
};
|
||||
|
||||
ipv6.acme = mkOption {
|
||||
description = "Public IPv6 address for ACME services (acme-dns) without prefi";
|
||||
description = "Public IPv6 address for ACME services (acme-dns) without prefix";
|
||||
type = str;
|
||||
default = (mkAddress cfg.ipv6.acmeFull).address;
|
||||
example = "2001:470:1f13:21d:f515:b348:cd48:e064/64";
|
||||
|
@ -87,9 +101,16 @@ in
|
|||
};
|
||||
|
||||
config = {
|
||||
networking.interfaces.ens20 = {
|
||||
ipv4.addresses = map mkAddress cfg.ipv4InternalFull;
|
||||
};
|
||||
|
||||
networking.interfaces.ens19 = {
|
||||
ipv4.addresses = map mkAddress cfg.ipv4Full;
|
||||
ipv6.addresses = map mkAddress (cfg.ipv6.standardFull ++ [ cfg.ipv6.acmeFull ]);
|
||||
};
|
||||
|
||||
networking.interfaces.ens18 = {
|
||||
ipv4.addresses = map mkAddress cfg.ipv4Full;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
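Review bot: The `example` for `ipv4Internal` reads `"192.186.1.153"`, which is not an RFC 1918 address and does not match the `192.168.1.153/24` example given for `ipv4InternalFull` two options below; it should be `example = [ "192.168.1.153" ];`. Since the option is documented as "Private IPv4 addresses", an example in a public range invites misconfiguration. In the `config` hunk, `networking.interfaces.ens20` is declared unconditionally while `ipv4InternalFull` defaults to `[]`; if this module is shared by hosts without an `ens20`, wrapping that block in `lib.mkIf (cfg.ipv4InternalFull != [])` would avoid declaring an interface that carries no addresses — confirm against the hosts that import this module. The enclosing `options` and `config` sets begin and end outside the hunks.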
@ -11,7 +11,8 @@
|
|||
"2001:470:1f13:187:fd34:80c3:a761:ff2/64"
|
||||
];
|
||||
ipv6.acmeFull = "2001:470:1f13:187:a039:c3ff:fe4f:8661/64";
|
||||
ipv4Full = [ "10.1.1.20/24" ];
|
||||
ipv4InternalFull = [ "10.1.1.20/22" ];
|
||||
ipv4Full = [ "45.13.104.26/32" ];
|
||||
|
||||
privateRanges = [ "10.1.0.0/22 "];
|
||||
};
|
||||
|
|
|
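Review bot: `privateRanges = [ "10.1.0.0/22 "]` carries a trailing space inside the string; the first file's `access-control` line interpolates it as `"${v} allow"`, so unbound is handed `access-control: 10.1.0.0/22  allow` with a doubled separator. Whether unbound tolerates that or rejects the line at startup I cannot confirm from here, and because this entry is what admits the internal network to the resolver, the value should be `privateRanges = [ "10.1.0.0/22" ];`. The internal prefix of `10.1.1.20` also changes from `/24` to `/22`, which agrees with the `10.1.0.0/22` ACL, but a short comment saying the two values describe the same network would help keep them in step.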
@ -1,7 +1,6 @@
|
|||
{ config, lib, dns, ... }:
|
||||
|
||||
with dns.lib.combinators;
|
||||
|
||||
let
|
||||
my = config.my;
|
||||
upstream-v4-proxies = [ "51.15.7.181" ]; # kurisu.dual.lahfa.xyz
|
||||
|
@ -11,9 +10,12 @@ let
|
|||
remoteBuilders = {
|
||||
nix01 = [ "2001:470:1f13:187:1e07:c670:3958:f8f1" ];
|
||||
};
|
||||
dualstack = {
|
||||
A = my.ipv4;
|
||||
AAAA = my.ipv6.standard;
|
||||
};
|
||||
in
|
||||
with my.ipv6; # contains { standard, acme }
|
||||
{
|
||||
dualstack // {
|
||||
SOA = {
|
||||
nameServer = "ns1.${my.subZone}.";
|
||||
adminEmail = my.email;
|
||||
|
@ -24,20 +26,17 @@ with my.ipv6; # contains { standard, acme }
|
|||
"ns1.${my.subZone}."
|
||||
];
|
||||
|
||||
AAAA = standard;
|
||||
|
||||
CAA = letsEncrypt my.email;
|
||||
|
||||
subdomains = {
|
||||
git.AAAA = standard;
|
||||
drone.AAAA = standard;
|
||||
wiki.AAAA = standard;
|
||||
monitoring.AAAA = standard;
|
||||
auth.AAAA = standard;
|
||||
push.AAAA = standard;
|
||||
ns1.AAAA = standard;
|
||||
beta.A = upstream-v4-proxies;
|
||||
beta.AAAA = public-cof-ips;
|
||||
git = dualstack;
|
||||
drone = dualstack;
|
||||
wiki = dualstack;
|
||||
monitoring = dualstack;
|
||||
auth = dualstack;
|
||||
push = dualstack;
|
||||
core01 = dualstack;
|
||||
ns1 = dualstack;
|
||||
|
||||
builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders;
|
||||
|
||||
|
@ -49,10 +48,12 @@ with my.ipv6; # contains { standard, acme }
|
|||
|
||||
acme = {
|
||||
NS = [ "acme.${my.subZone}." ];
|
||||
AAAA = [ acme ];
|
||||
AAAA = [ my.ipv6.acme ];
|
||||
};
|
||||
|
||||
beta.subdomains = {
|
||||
beta = {
|
||||
AAAA = public-cof-ips;
|
||||
subdomains = {
|
||||
nuage.A = upstream-v4-proxies;
|
||||
nuage.AAAA = public-cof-ips;
|
||||
minecraft.AAAA = public-cof-ips;
|
||||
|
@ -66,11 +67,13 @@ with my.ipv6; # contains { standard, acme }
|
|||
sandbox.AAAA = public-cof-ips;
|
||||
};
|
||||
docs.AAAA = public-cof-ips;
|
||||
docs.A = upstream-v4-proxies;
|
||||
jurisprudens = {
|
||||
AAAA = public-cof-ips;
|
||||
A = upstream-v4-proxies;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
internal.subdomains = {
|
||||
|
|
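Review bot: The new `dualstack` set publishes `my.ipv4` as A records for `git`, `drone`, `wiki`, `monitoring`, `auth`, `push`, `core01` and `ns1`, which until now resolved over IPv6 only; each of those services becomes reachable on the public IPv4 address, so the IPv4 side of the host firewall and of the reverse proxy should expose exactly the same ports as the IPv6 side — that cannot be verified from the zone file alone. As far as the rendered view lets me tell, `beta` is restructured into `beta = { AAAA = public-cof-ips; subdomains = …; }` while the former `beta.A = upstream-v4-proxies;` does not reappear, so the `beta` apex loses its IPv4 record even though `nuage`, `docs` and `jurisprudens` keep theirs; if that is unintended, add `A = upstream-v4-proxies;` next to the `AAAA`. The `with my.ipv6;` scope is dropped and `acme` becomes `my.ipv6.acme`, so any bare `standard` or `acme` reference that remains outside these hunks would now fail to evaluate. A one-line comment on the helper, e.g. `# A+AAAA record set pointing at this host's public addresses`, would document `dualstack`.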