diff --git a/default.nix b/default.nix
index 1a1f679..4eea8ff 100644
--- a/default.nix
+++ b/default.nix
@@ -26,8 +26,8 @@ in
 {
 networking.nameservers = [
- "141.56.51.1"
 "141.56.1.1"
+ "141.56.1.2"
 ];
 boot.kernelPackages = pkgs.linuxPackages_latest;
@@ -52,14 +52,6 @@ in
 time.timeZone = "Europe/Berlin";
- # Use proxy as NTP server for time synchronization
- # Disable in containers as they inherit time from the host
- services.chrony = {
- enable = !config.boot.isContainer;
- servers = [ "141.56.51.1" ];
- enableNTS = false;
- };
-
 i18n.defaultLocale = "en_US.UTF-8";
 console = {
 font = "Lat2-Terminus16";
@@ -71,9 +63,10 @@ in
 services.nginx.recommendedOptimisation = true;
 services.nginx.recommendedGzipSettings = true;
 services.nginx.recommendedProxySettings = true;
- #### Mit der Anwendung Nginx soll die (ausschließliche) Verwendung von https (http mit TLS), statt http ermoeglicht werden.
+#### Mit der Anwendung Nginx soll die (ausschließliche) Verwendung von https (http mit TLS), statt http ermoeglicht werden.
 services.nginx.recommendedTlsSettings = true;
+
 users.users = {
 # erstmal nur mit root
 # administration = {
diff --git a/hosts/proxy/README.md b/hosts/proxy/README.md
index 8fd0f28..cb5957d 100644
--- a/hosts/proxy/README.md
+++ b/hosts/proxy/README.md
@@ -7,8 +7,8 @@ Central reverse proxy at 141.56.51.1 running as a full VM (not LXC container).
 - **Hostname**: proxy
 - **IP Address**: 141.56.51.1
 - **Type**: Full VM (not LXC)
-- **Services**: HAProxy, BIND DNS, Chrony NTP, OpenSSH (ports 1005, 2142)
-- **Role**: Central traffic router, DNS resolver, and NTP server for all StuRa HTW Dresden services
+- **Services**: HAProxy, OpenSSH (ports 1005, 2142)
+- **Role**: Central traffic router for all StuRa HTW Dresden services
 ## Architecture
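Review bot: Removing `services.chrony` in the @@ -52 hunk leaves the shared module with no explicit time source, and nothing else in the hunk takes its place. I believe NixOS then falls back to `services.timesyncd` (its default is enabled outside containers) against the NixOS pool servers, which is acceptable but is now implicit, and it only works if these hosts can reach public NTP on UDP 123 directly instead of via the proxy — the hunk cannot show that. I would keep a short comment where the chrony block was, e.g. `# Time sync: NixOS default systemd-timesyncd against public pool servers; the proxy no longer serves NTP.` The enclosing attribute set begins and ends outside the hunk.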
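Review bot: In the @@ -71 hunk the `#### Mit der Anwendung Nginx …` comment is re-emitted at column 0 inside an indented attribute set, and a blank line is added before `users.users`; both read as accidental whitespace changes rather than intent. Keep the comment aligned with the surrounding `services.nginx.*` options, and since the module mixes German and English comments, this is a good moment to settle on one, e.g. `# nginx: serve HTTPS (HTTP with TLS) only; see recommendedTlsSettings`. The enclosing attribute set begins and ends outside the hunk.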
@@ -45,68 +45,6 @@ HAProxy routes traffic using two methods:
 - Buffer size: 32,762 bytes
 - Timeouts: 5s connect, 30s client/server
-### BIND DNS Resolver
-
-The proxy provides recursive DNS resolution for the internal network (141.56.51.0/24).
-
-**Configuration:**
-- **Service**: BIND9 recursive resolver
-- **Listen address**: 141.56.51.1
-- **Port**: 53 (UDP/TCP)
-- **Allowed networks**: 127.0.0.0/8, 141.56.51.0/24
-- **Forwarders**: 9.9.9.9 (Quad9), 1.1.1.1 (Cloudflare)
-- **IPv6**: Disabled
-
-**Usage:**
-All hosts in the internal network can configure their DNS resolver to use `141.56.51.1` for name resolution.
-
-Example configuration for other hosts:
-```nix
-networking.nameservers = [ "141.56.51.1" ];
-```
-
-**Why BIND?**
-- Provides caching for frequently accessed domains
-- Reduces external DNS queries and improves performance
-- Allows central control of DNS resolution policies
-- More reliable than relying solely on external DNS servers
-
-### Chrony NTP Server
-
-The proxy serves network time to all systems in the internal network.
-
-**Configuration:**
-- **Service**: chrony NTP server
-- **Port**: 123 (UDP)
-- **Allowed network**: 141.56.51.0/24
-- **Upstream servers**: pool.ntp.org
-- **Sync mode**: Fast initial sync (iburst)
-- **Fallback**: Serves time even if not synced (stratum 10)
-
-**Usage:**
-Other hosts can synchronize their system time with the proxy:
-
-```nix
-services.chrony = {
- enable = true;
- servers = [ "141.56.51.1" ];
-};
-```
-
-Or for systems using systemd-timesyncd:
-```nix
-services.timesyncd = {
- enable = true;
- servers = [ "141.56.51.1" ];
-};
-```
-
-**Benefits:**
-- Centralized time synchronization for all internal hosts
-- Reduced external NTP queries from HTW network
-- Consistent time across all StuRa infrastructure
-- Local fallback if upstream NTP servers are unreachable
-
 ### SSH Services
 **Port 1005: Admin SSH Access**
@@ -239,8 +177,7 @@ nix run .#proxy-update
 - **Gateway**: 141.56.51.254
 - **DNS**: 9.9.9.9, 1.1.1.1 (public DNS, not HTW internal)
 - **Firewall**: nftables enabled
-- **Open TCP ports**: 22, 53 (DNS), 80, 443, 1005, 2142
-- **Open UDP ports**: 53 (DNS), 123 (NTP)
+- **Open ports**: 22, 80, 443, 1005, 2142
 ## Adding New Services
@@ -442,50 +379,6 @@ telnet 141.56.51.2 80
 grep -A 5 "ssh_srs2" /etc/haproxy/haproxy.cfg
 ```
-### DNS resolution not working
-
-```bash
-# Check BIND status
-systemctl status named
-
-# View BIND logs
-journalctl -u named -f
-
-# Test DNS resolution from proxy
-dig @127.0.0.1 google.com
-
-# Test DNS resolution from another host
-dig @141.56.51.1 google.com
-
-# Check BIND configuration
-named-checkconf /etc/bind/named.conf
-
-# Check allowed networks
-grep -i "allow-query" /etc/bind/named.conf
-```
-
-### NTP synchronization not working
-
-```bash
-# Check chrony status
-systemctl status chronyd
-
-# View chrony tracking information
-chronyc tracking
-
-# Check chrony sources
-chronyc sources -v
-
-# View chrony logs
-journalctl -u chronyd -f
-
-# Test NTP from another host
-chronyc -h 141.56.51.1 tracking
-
-# Check if NTP port is accessible
-nc -uv 141.56.51.1 123
-```
-
 ## Files and Directories
 - **HAProxy config**: `/etc/haproxy/haproxy.cfg` (generated by Nix)
diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix
index 8692b17..8ba30ff 100644
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
@@ -20,19 +20,18 @@
 }
 ];
 defaultGateway.address = "141.56.51.254";
+ nameservers = [
+ "9.9.9.9"
+ "1.1.1.1"
+ ];
 firewall = {
 allowedTCPPorts = [
 22
- 53 # DNS
 80
 443
 1005
 2142
 ];
- allowedUDPPorts = [
- 53 # DNS
- 123 # NTP
- ];
 };
 nftables = {
 enable = true;
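Review bot: `nameservers = [ "9.9.9.9" "1.1.1.1" ]` in the hosts/proxy/default.nix hunk is a list option, and NixOS merges list options across modules instead of overriding them, so if this host also imports the shared default.nix its `networking.nameservers` (now `141.56.1.1`/`141.56.1.2`) is concatenated with these in module order — the imports are not visible from this hunk. If the README's "public DNS, not HTW internal" is the intent, write `nameservers = lib.mkForce [ "9.9.9.9" "1.1.1.1" ];` (with `lib` taken from the module arguments) so the resolver set is exactly what is documented. These resolvers are also queried in clear text on UDP 53; if the host runs systemd-resolved, NixOS exposes `services.resolved.dnsovertls` to encrypt that path. The `networking` attribute set this hunk edits begins outside the hunk.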
@@ -207,44 +206,6 @@
 };
 in {
- # BIND DNS recursive resolver for the internal network
- bind = {
- enable = true;
- cacheNetworks = [
- "127.0.0.0/8"
- "141.56.51.0/24"
- ];
- forwarders = [
- "9.9.9.9"
- "1.1.1.1"
- ];
- listenOn = [
- "141.56.51.1"
- "127.0.0.1"
- ];
- listenOnIpv6 = [ ];
- };
-
- # Chrony NTP server for the internal network
- chrony = {
- enable = true;
- enableNTS = false;
- servers = [
- "0.de.pool.ntp.org"
- "1.de.pool.ntp.org"
- "2.de.pool.ntp.org"
- "3.de.pool.ntp.org"
- ];
- serverOption = "iburst";
- extraConfig = ''
- # Allow NTP client access from local network
- allow 141.56.51.0/24
-
- # Serve time even if not synced to a time source
- local stratum 10
- '';
- };
-
 openssh = {
 # admin ssh access port
 listenAddresses = [
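Review bot: With `bind` and `chrony` removed here and UDP 53/123 closed in the earlier firewall hunk, any internal host still pointed at `141.56.51.1` for DNS or NTP (the configuration the removed README examples handed out) stops working; the commit updates the shared default.nix, but the hunk cannot show whether other host modules or already-deployed systems still carry `servers = [ "141.56.51.1" ]` or `nameservers = [ "141.56.51.1" ]`, so a grep of the tree for that address before deploying is worthwhile. The proxy itself also loses its explicit time source, so I would leave a one-line comment at the top of this attribute set, e.g. `# DNS and NTP are no longer served from this host; it uses public resolvers and NixOS's default systemd-timesyncd.` The `let … in {` binding this attribute set belongs to begins outside the hunk, and the set continues past its end.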