From 7d01f35fd076133eef5aa0af024a4a812d68fa99 Mon Sep 17 00:00:00 2001
From: goeranh
Date: Fri, 13 Mar 2026 21:51:25 +0100
Subject: [PATCH] host dns and ntp server on proxy

---
 hosts/proxy/README.md | 113 ++++++++++++++++++++++++++++++++++++++--
 hosts/proxy/default.nix | 35 +++++++++++++
 2 files changed, 145 insertions(+), 3 deletions(-)

diff --git a/hosts/proxy/README.md b/hosts/proxy/README.md
index cb5957d..8fd0f28 100644
--- a/hosts/proxy/README.md
+++ b/hosts/proxy/README.md
@@ -7,8 +7,8 @@ Central reverse proxy at 141.56.51.1 running as a full VM (not LXC container).
 - **Hostname**: proxy
 - **IP Address**: 141.56.51.1
 - **Type**: Full VM (not LXC)
-- **Services**: HAProxy, OpenSSH (ports 1005, 2142)
-- **Role**: Central traffic router for all StuRa HTW Dresden services
+- **Services**: HAProxy, BIND DNS, Chrony NTP, OpenSSH (ports 1005, 2142)
+- **Role**: Central traffic router, DNS resolver, and NTP server for all StuRa HTW Dresden services
 
 ## Architecture
 
@@ -45,6 +45,68 @@ HAProxy routes traffic using two methods:
 - Buffer size: 32,762 bytes
 - Timeouts: 5s connect, 30s client/server
 
+### BIND DNS Resolver
+
+The proxy provides recursive DNS resolution for the internal network (141.56.51.0/24).
+
+**Configuration:**
+- **Service**: BIND9 recursive resolver
+- **Listen address**: 141.56.51.1
+- **Port**: 53 (UDP/TCP)
+- **Allowed networks**: 127.0.0.0/8, 141.56.51.0/24
+- **Forwarders**: 9.9.9.9 (Quad9), 1.1.1.1 (Cloudflare)
+- **IPv6**: Disabled
+
+**Usage:**
+All hosts in the internal network can configure their DNS resolver to use `141.56.51.1` for name resolution.
+
+Example configuration for other hosts:
+```nix
+networking.nameservers = [ "141.56.51.1" ];
+```
+
+**Why BIND?**
+- Provides caching for frequently accessed domains
+- Reduces external DNS queries and improves performance
+- Allows central control of DNS resolution policies
+- More reliable than relying solely on external DNS servers
+
+### Chrony NTP Server
+
+The proxy serves network time to all systems in the internal network.
+
+**Configuration:**
+- **Service**: chrony NTP server
+- **Port**: 123 (UDP)
+- **Allowed network**: 141.56.51.0/24
+- **Upstream servers**: pool.ntp.org
+- **Sync mode**: Fast initial sync (iburst)
+- **Fallback**: Serves time even if not synced (stratum 10)
+
+**Usage:**
+Other hosts can synchronize their system time with the proxy:
+
+```nix
+services.chrony = {
+ enable = true;
+ servers = [ "141.56.51.1" ];
+};
+```
+
+Or for systems using systemd-timesyncd:
+```nix
+services.timesyncd = {
+ enable = true;
+ servers = [ "141.56.51.1" ];
+};
+```
+
+**Benefits:**
+- Centralized time synchronization for all internal hosts
+- Reduced external NTP queries from HTW network
+- Consistent time across all StuRa infrastructure
+- Local fallback if upstream NTP servers are unreachable
+
 ### SSH Services
 
 **Port 1005: Admin SSH Access**
@@ -177,7 +239,8 @@ nix run .#proxy-update
 - **Gateway**: 141.56.51.254
 - **DNS**: 9.9.9.9, 1.1.1.1 (public DNS, not HTW internal)
 - **Firewall**: nftables enabled
-- **Open ports**: 22, 80, 443, 1005, 2142
+- **Open TCP ports**: 22, 53 (DNS), 80, 443, 1005, 2142
+- **Open UDP ports**: 53 (DNS), 123 (NTP)
 
 ## Adding New Services
 
@@ -379,6 +442,50 @@ telnet 141.56.51.2 80
 grep -A 5 "ssh_srs2" /etc/haproxy/haproxy.cfg
 ```
 
+### DNS resolution not working
+
+```bash
+# Check BIND status
+systemctl status named
+
+# View BIND logs
+journalctl -u named -f
+
+# Test DNS resolution from proxy
+dig @127.0.0.1 google.com
+
+# Test DNS resolution from another host
+dig @141.56.51.1 google.com
+
+# Check BIND configuration
+named-checkconf /etc/bind/named.conf
+
+# Check allowed networks
+grep -i "allow-query" /etc/bind/named.conf
+```
+
+### NTP synchronization not working
+
+```bash
+# Check chrony status
+systemctl status chronyd
+
+# View chrony tracking information
+chronyc tracking
+
+# Check chrony sources
+chronyc sources -v
+
+# View chrony logs
+journalctl -u chronyd -f
+
+# Test NTP from another host
+chronyc -h 141.56.51.1 tracking
+
+# Check if NTP port is accessible
+nc -uv 141.56.51.1 123
+```
+
 ## Files and Directories
 
 - **HAProxy config**: `/etc/haproxy/haproxy.cfg` (generated by Nix)
diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix
index 8ba30ff..048049f 100644
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
@@ -27,11 +27,16 @@
 firewall = {
 allowedTCPPorts = [
 22
+ 53 # DNS
 80
 443
 1005
 2142
 ];
+ allowedUDPPorts = [
+ 53 # DNS
+ 123 # NTP
+ ];
 };
 nftables = {
 enable = true;
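Review bot: The new `53` entry in `allowedTCPPorts` and the new `allowedUDPPorts = [ 53 123 ]` in the default.nix hunk are interface- and source-agnostic, so the resolver and NTP ports are admitted from every interface and peer, not only from the 141.56.51.0/24 that `cacheNetworks` and chrony's `allow` are meant to serve. With 80/443 on the same firewall the host is presumably reachable beyond the /24, and an unrestricted UDP 53/123 on such an address is a classic amplification and fingerprinting surface even when the daemons refuse the query. Since nftables is already enabled here, scope the rules to the LAN, e.g. `networking.firewall.interfaces.<lan-iface>.allowedUDPPorts = [ 53 123 ];` (and likewise for TCP 53) or an `extraInputRules` rule matching `ip saddr 141.56.51.0/24`. A short comment on the UDP list naming which clients are expected (`# LAN-only DNS/NTP; see services.bind/chrony`) would help the next reader. The enclosing `networking` attribute set begins and ends outside the hunk.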
@@ -206,6 +211,36 @@
 };
 in
 {
+ # BIND DNS recursive resolver for the internal network
+ bind = {
+ enable = true;
+ cacheNetworks = [
+ "127.0.0.0/8"
+ "141.56.51.0/24"
+ ];
+ forwarders = [
+ "9.9.9.9"
+ "1.1.1.1"
+ ];
+ listenOn = [ "141.56.51.1" ];
+ listenOnIpv6 = [ ];
+ };
+
+ # Chrony NTP server for the internal network
+ chrony = {
+ enable = true;
+ enableNTS = false;
+ servers = [ "pool.ntp.org" ];
+ serverOption = "iburst";
+ extraConfig = ''
+ # Allow NTP client access from local network
+ allow 141.56.51.0/24
+
+ # Serve time even if not synced to a time source
+ local stratum 10
+ '';
+ };
+
 openssh = {
 # admin ssh access port
 listenAddresses = [
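Review bot: `listenOn = [ "141.56.51.1" ]` binds BIND only to the LAN address, so the `127.0.0.0/8` entry in `cacheNetworks` is dead and the loopback check the README adds (`dig @127.0.0.1 google.com`) will get no answer; if local resolution is intended, use `listenOn = [ "127.0.0.1" "141.56.51.1" ];`. The chrony block gives a single upstream, `server pool.ntp.org iburst`, which resolves to one address and leaves chronyd with no way to outvote a false ticker; `pool pool.ntp.org iburst` in `extraConfig` with `servers = [ ];` yields several sources. `local stratum 10` will hand clients free-running time whenever upstream is lost, which is the documented intent, but the comment should say so explicitly (`# clients keep syncing to this host's clock during upstream outages`). The README's `chronyc -h 141.56.51.1 tracking` additionally needs `cmdallow` (and the command port bound beyond loopback), which this config does not set — either add that or drop the README line. The enclosing `services` attribute set continues outside the hunk.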