StuRa/stura-infra
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: StuRa:006c95424fa8b616447dcb7d1d6169173878d705
Branches Tags
StuRa:master
StuRa:new-mail
..
compare: StuRa:982d984910362334dd3160a3122ce25bde6432b6
Branches Tags
StuRa:new-mail
StuRa:master

No commits in common. "006c95424fa8b616447dcb7d1d6169173878d705" and "982d984910362334dd3160a3122ce25bde6432b6" have entirely different histories.
006c95424f ... 982d984910

3 changed files with 10 additions and 163 deletions
Download patch file Download diff file Expand all files Collapse all files

13
default.nix
View file

@ -26,8 +26,8 @@ in
{ {
networking.nameservers = [ networking.nameservers = [
"141.56.51.1"
"141.56.1.1" "141.56.1.1"
"141.56.1.2"
]; ];
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
@ -52,14 +52,6 @@ in
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
# Use proxy as NTP server for time synchronization
# Disable in containers as they inherit time from the host
services.chrony = {
enable = !config.boot.isContainer;
servers = [ "141.56.51.1" ];
enableNTS = false;
};
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
console = { console = {
font = "Lat2-Terminus16"; font = "Lat2-Terminus16";
@ -71,9 +63,10 @@ in
services.nginx.recommendedOptimisation = true; services.nginx.recommendedOptimisation = true;
services.nginx.recommendedGzipSettings = true; services.nginx.recommendedGzipSettings = true;
services.nginx.recommendedProxySettings = true; services.nginx.recommendedProxySettings = true;
#### Mit der Anwendung Nginx soll die (ausschließliche) Verwendung von https (http mit TLS), statt http ermoeglicht werden. #### Mit der Anwendung Nginx soll die (ausschließliche) Verwendung von https (http mit TLS), statt http ermoeglicht werden.
services.nginx.recommendedTlsSettings = true; services.nginx.recommendedTlsSettings = true;
users.users = { users.users = {
# erstmal nur mit root # erstmal nur mit root
# administration = { # administration = {

113
hosts/proxy/README.md
View file

@ -7,8 +7,8 @@ Central reverse proxy at 141.56.51.1 running as a full VM (not LXC container).
- **Hostname**: proxy - **Hostname**: proxy
- **IP Address**: 141.56.51.1 - **IP Address**: 141.56.51.1
- **Type**: Full VM (not LXC) - **Type**: Full VM (not LXC)
- **Services**: HAProxy, BIND DNS, Chrony NTP, OpenSSH (ports 1005, 2142) - **Services**: HAProxy, OpenSSH (ports 1005, 2142)
- **Role**: Central traffic router, DNS resolver, and NTP server for all StuRa HTW Dresden services - **Role**: Central traffic router for all StuRa HTW Dresden services
## Architecture ## Architecture
@ -45,68 +45,6 @@ HAProxy routes traffic using two methods:
- Buffer size: 32,762 bytes - Buffer size: 32,762 bytes
- Timeouts: 5s connect, 30s client/server - Timeouts: 5s connect, 30s client/server
### BIND DNS Resolver
The proxy provides recursive DNS resolution for the internal network (141.56.51.0/24).
**Configuration:**
- **Service**: BIND9 recursive resolver
- **Listen address**: 141.56.51.1
- **Port**: 53 (UDP/TCP)
- **Allowed networks**: 127.0.0.0/8, 141.56.51.0/24
- **Forwarders**: 9.9.9.9 (Quad9), 1.1.1.1 (Cloudflare)
- **IPv6**: Disabled
**Usage:**
All hosts in the internal network can configure their DNS resolver to use `141.56.51.1` for name resolution.
Example configuration for other hosts:
```nix
networking.nameservers = [ "141.56.51.1" ];
```
**Why BIND?**
- Provides caching for frequently accessed domains
- Reduces external DNS queries and improves performance
- Allows central control of DNS resolution policies
- More reliable than relying solely on external DNS servers
### Chrony NTP Server
The proxy serves network time to all systems in the internal network.
**Configuration:**
- **Service**: chrony NTP server
- **Port**: 123 (UDP)
- **Allowed network**: 141.56.51.0/24
- **Upstream servers**: pool.ntp.org
- **Sync mode**: Fast initial sync (iburst)
- **Fallback**: Serves time even if not synced (stratum 10)
**Usage:**
Other hosts can synchronize their system time with the proxy:
```nix
services.chrony = {
enable = true;
servers = [ "141.56.51.1" ];
};
```
Or for systems using systemd-timesyncd:
```nix
services.timesyncd = {
enable = true;
servers = [ "141.56.51.1" ];
};
```
**Benefits:**
- Centralized time synchronization for all internal hosts
- Reduced external NTP queries from HTW network
- Consistent time across all StuRa infrastructure
- Local fallback if upstream NTP servers are unreachable
### SSH Services ### SSH Services
**Port 1005: Admin SSH Access** **Port 1005: Admin SSH Access**
@ -239,8 +177,7 @@ nix run .#proxy-update
- **Gateway**: 141.56.51.254 - **Gateway**: 141.56.51.254
- **DNS**: 9.9.9.9, 1.1.1.1 (public DNS, not HTW internal) - **DNS**: 9.9.9.9, 1.1.1.1 (public DNS, not HTW internal)
- **Firewall**: nftables enabled - **Firewall**: nftables enabled
- **Open TCP ports**: 22, 53 (DNS), 80, 443, 1005, 2142 - **Open ports**: 22, 80, 443, 1005, 2142
- **Open UDP ports**: 53 (DNS), 123 (NTP)
## Adding New Services ## Adding New Services
@ -442,50 +379,6 @@ telnet 141.56.51.2 80
grep -A 5 "ssh_srs2" /etc/haproxy/haproxy.cfg grep -A 5 "ssh_srs2" /etc/haproxy/haproxy.cfg
``` ```
### DNS resolution not working
```bash
# Check BIND status
systemctl status named
# View BIND logs
journalctl -u named -f
# Test DNS resolution from proxy
dig @127.0.0.1 google.com
# Test DNS resolution from another host
dig @141.56.51.1 google.com
# Check BIND configuration
named-checkconf /etc/bind/named.conf
# Check allowed networks
grep -i "allow-query" /etc/bind/named.conf
```
### NTP synchronization not working
```bash
# Check chrony status
systemctl status chronyd
# View chrony tracking information
chronyc tracking
# Check chrony sources
chronyc sources -v
# View chrony logs
journalctl -u chronyd -f
# Test NTP from another host
chronyc -h 141.56.51.1 tracking
# Check if NTP port is accessible
nc -uv 141.56.51.1 123
```
## Files and Directories ## Files and Directories
- **HAProxy config**: `/etc/haproxy/haproxy.cfg` (generated by Nix) - **HAProxy config**: `/etc/haproxy/haproxy.cfg` (generated by Nix)

47
hosts/proxy/default.nix
View file

@ -20,19 +20,18 @@
} }
]; ];
defaultGateway.address = "141.56.51.254"; defaultGateway.address = "141.56.51.254";
nameservers = [
"9.9.9.9"
"1.1.1.1"
];
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
22 22
53 # DNS
80 80
443 443
1005 1005
2142 2142
]; ];
allowedUDPPorts = [
53 # DNS
123 # NTP
];
}; };
nftables = { nftables = {
enable = true; enable = true;
@ -207,44 +206,6 @@
}; };
in in
{ {
# BIND DNS recursive resolver for the internal network
bind = {
enable = true;
cacheNetworks = [
"127.0.0.0/8"
"141.56.51.0/24"
];
forwarders = [
"9.9.9.9"
"1.1.1.1"
];
listenOn = [
"141.56.51.1"
"127.0.0.1"
];
listenOnIpv6 = [ ];
};
# Chrony NTP server for the internal network
chrony = {
enable = true;
enableNTS = false;
servers = [
"0.de.pool.ntp.org"
"1.de.pool.ntp.org"
"2.de.pool.ntp.org"
"3.de.pool.ntp.org"
];
serverOption = "iburst";
extraConfig = ''
# Allow NTP client access from local network
allow 141.56.51.0/24
# Serve time even if not synced to a time source
local stratum 10
'';
};
openssh = { openssh = {
# admin ssh access port # admin ssh access port
listenAddresses = [ listenAddresses = [