host dns and ntp server on proxy

This commit is contained in:
goeranh 2026-03-13 21:51:25 +01:00
parent 982d984910
commit 7d01f35fd0
No known key found for this signature in database
2 changed files with 145 additions and 3 deletions

View file

@ -7,8 +7,8 @@ Central reverse proxy at 141.56.51.1 running as a full VM (not LXC container).
- **Hostname**: proxy - **Hostname**: proxy
- **IP Address**: 141.56.51.1 - **IP Address**: 141.56.51.1
- **Type**: Full VM (not LXC) - **Type**: Full VM (not LXC)
- **Services**: HAProxy, OpenSSH (ports 1005, 2142) - **Services**: HAProxy, BIND DNS, Chrony NTP, OpenSSH (ports 1005, 2142)
- **Role**: Central traffic router for all StuRa HTW Dresden services - **Role**: Central traffic router, DNS resolver, and NTP server for all StuRa HTW Dresden services
## Architecture ## Architecture
@ -45,6 +45,68 @@ HAProxy routes traffic using two methods:
- Buffer size: 32,762 bytes - Buffer size: 32,762 bytes
- Timeouts: 5s connect, 30s client/server - Timeouts: 5s connect, 30s client/server
### BIND DNS Resolver
The proxy provides recursive DNS resolution for the internal network (141.56.51.0/24).
**Configuration:**
- **Service**: BIND9 recursive resolver
- **Listen address**: 141.56.51.1
- **Port**: 53 (UDP/TCP)
- **Allowed networks**: 127.0.0.0/8, 141.56.51.0/24
- **Forwarders**: 9.9.9.9 (Quad9), 1.1.1.1 (Cloudflare)
- **IPv6**: Disabled
**Usage:**
All hosts in the internal network can configure their DNS resolver to use `141.56.51.1` for name resolution.
Example configuration for other hosts:
```nix
networking.nameservers = [ "141.56.51.1" ];
```
**Why BIND?**
- Provides caching for frequently accessed domains
- Reduces external DNS queries and improves performance
- Allows central control of DNS resolution policies
- More reliable than relying solely on external DNS servers
### Chrony NTP Server
The proxy serves network time to all systems in the internal network.
**Configuration:**
- **Service**: chrony NTP server
- **Port**: 123 (UDP)
- **Allowed network**: 141.56.51.0/24
- **Upstream servers**: pool.ntp.org
- **Sync mode**: Fast initial sync (iburst)
- **Fallback**: Serves time even if not synced (stratum 10)
**Usage:**
Other hosts can synchronize their system time with the proxy:
```nix
services.chrony = {
enable = true;
servers = [ "141.56.51.1" ];
};
```
Or for systems using systemd-timesyncd:
```nix
services.timesyncd = {
enable = true;
servers = [ "141.56.51.1" ];
};
```
**Benefits:**
- Centralized time synchronization for all internal hosts
- Reduced external NTP queries from HTW network
- Consistent time across all StuRa infrastructure
- Local fallback if upstream NTP servers are unreachable
### SSH Services ### SSH Services
**Port 1005: Admin SSH Access** **Port 1005: Admin SSH Access**
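Review bot: the client examples in this hunk give 141.56.51.1 as the only resolver and the only time source, so the "More reliable than relying solely on external DNS servers" bullet holds only while the proxy is up; `networking.nameservers = [ "141.56.51.1" ];` leaves a host with no name resolution at all if BIND or the proxy VM is down. Either document a secondary resolver for clients (the same public forwarders would do) or state plainly that the proxy is a single point of failure for DNS. The chrony "Fallback" line also needs a caveat: with stratum 10 local mode the proxy keeps answering after it loses upstream, so clients silently follow a free-running clock instead of reporting a problem; note that `chronyc tracking` on the proxy showing stratum 10 is the signal that time is in degraded mode.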
@ -177,7 +239,8 @@ nix run .#proxy-update
- **Gateway**: 141.56.51.254 - **Gateway**: 141.56.51.254
- **DNS**: 9.9.9.9, 1.1.1.1 (public DNS, not HTW internal) - **DNS**: 9.9.9.9, 1.1.1.1 (public DNS, not HTW internal)
- **Firewall**: nftables enabled - **Firewall**: nftables enabled
- **Open ports**: 22, 80, 443, 1005, 2142 - **Open TCP ports**: 22, 53 (DNS), 80, 443, 1005, 2142
- **Open UDP ports**: 53 (DNS), 123 (NTP)
## Adding New Services ## Adding New Services
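Review bot: the proxy's own "DNS: 9.9.9.9, 1.1.1.1" line is left unchanged, which is consistent with the BIND config below (`listenOn = [ "141.56.51.1" ]`, no loopback), but now that the host runs a resolver the doc should say this is deliberate, otherwise the next reader will "fix" it to 127.0.0.1 and break resolution on the proxy. The new "Open TCP ports" / "Open UDP ports" lines should also state that these ports are open to any source at the firewall and that only BIND's allow-query list and chrony's `allow` line limit who is actually served; that distinction matters the day someone widens cacheNetworks.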
@ -379,6 +442,50 @@ telnet 141.56.51.2 80
grep -A 5 "ssh_srs2" /etc/haproxy/haproxy.cfg grep -A 5 "ssh_srs2" /etc/haproxy/haproxy.cfg
``` ```
### DNS resolution not working
```bash
# Check BIND status
systemctl status named
# View BIND logs
journalctl -u named -f
# Test DNS resolution from proxy
dig @127.0.0.1 google.com
# Test DNS resolution from another host
dig @141.56.51.1 google.com
# Check BIND configuration
named-checkconf /etc/bind/named.conf
# Check allowed networks
grep -i "allow-query" /etc/bind/named.conf
```
### NTP synchronization not working
```bash
# Check chrony status
systemctl status chronyd
# View chrony tracking information
chronyc tracking
# Check chrony sources
chronyc sources -v
# View chrony logs
journalctl -u chronyd -f
# Test NTP from another host
chronyc -h 141.56.51.1 tracking
# Check if NTP port is accessible
nc -uv 141.56.51.1 123
```
## Files and Directories ## Files and Directories
- **HAProxy config**: `/etc/haproxy/haproxy.cfg` (generated by Nix) - **HAProxy config**: `/etc/haproxy/haproxy.cfg` (generated by Nix)
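Review bot: `dig @127.0.0.1 google.com` under "Test DNS resolution from proxy" will time out with the configuration in this commit, because the nix hunk below sets `listenOn = [ "141.56.51.1" ]` with no loopback address; either test with `dig @141.56.51.1 google.com` from the proxy as well, or add `"127.0.0.1"` to listenOn (the 127.0.0.0/8 entry in cacheNetworks suggests loopback was intended). Two of the NTP checks are also misleading: `chronyc -h 141.56.51.1 tracking` talks to chrony's command port (UDP 323), which is neither opened in the firewall nor permitted by any `cmdallow` directive, so from another host it fails whether or not NTP works; a client-side check such as `chronyd -Q 'server 141.56.51.1 iburst'` or `chronyc sources` on the client exercises port 123 instead. `nc -uv 141.56.51.1 123` cannot tell a listening UDP service from a silent one unless an ICMP port-unreachable comes back, so it is not a useful reachability test. Finally, confirm that `/etc/bind/named.conf` actually exists on the NixOS host before documenting it for named-checkconf; `systemctl cat named` shows the config path the unit passes to named.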

View file

@ -27,11 +27,16 @@
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
22 22
53 # DNS
80 80
443 443
1005 1005
2142 2142
]; ];
allowedUDPPorts = [
53 # DNS
123 # NTP
];
}; };
nftables = { nftables = {
enable = true; enable = true;
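Review bot: 53/tcp, 53/udp and 123/udp are added to allowedTCPPorts/allowedUDPPorts, which accept from any source; the service-level ACLs (cacheNetworks in BIND, `allow 141.56.51.0/24` in chrony) will refuse outsiders, but BIND still answers them with REFUSED and all three ports show up as open to an external scan. Since nftables is enabled right below, restrict at the firewall as well: drop the three new entries and add source-limited rules via `networking.firewall.extraInputRules`, i.e. `ip saddr 141.56.51.0/24 udp dport { 53, 123 } accept` and `ip saddr 141.56.51.0/24 tcp dport 53 accept`, so both layers agree on 141.56.51.0/24 and a later edit to one list cannot silently widen exposure.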
@ -206,6 +211,36 @@
}; };
in in
{ {
# BIND DNS recursive resolver for the internal network
bind = {
enable = true;
cacheNetworks = [
"127.0.0.0/8"
"141.56.51.0/24"
];
forwarders = [
"9.9.9.9"
"1.1.1.1"
];
listenOn = [ "141.56.51.1" ];
listenOnIpv6 = [ ];
};
# Chrony NTP server for the internal network
chrony = {
enable = true;
enableNTS = false;
servers = [ "pool.ntp.org" ];
serverOption = "iburst";
extraConfig = ''
# Allow NTP client access from local network
allow 141.56.51.0/24
# Serve time even if not synced to a time source
local stratum 10
'';
};
openssh = { openssh = {
# admin ssh access port # admin ssh access port
listenAddresses = [ listenAddresses = [
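Review bot: `listenOn = [ "141.56.51.1" ];` without a loopback address makes the `"127.0.0.0/8"` entry in cacheNetworks dead and breaks the troubleshooting step in the docs that queries @127.0.0.1; add `"127.0.0.1"` to listenOn (or drop the ACL entry) so config and docs agree. For chrony, `servers = [ "pool.ntp.org" ];` with `serverOption = "iburst";` produces a single `server` directive, which resolves to one address from the pool, so the proxy has exactly one upstream source and cannot detect a wrong or biased server; prefer `pool pool.ntp.org iburst` in extraConfig (with `servers = [ ];`) so chrony selects among several, or add the HTW network's own NTP servers if any exist. The upstream sources are also unauthenticated (`enableNTS = false;`, plain NTP to a public pool); that may be acceptable here but deserves a comment, since every host behind the proxy now inherits its time for TLS validity checks and log correlation.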