enable bind dns and chrony ntp server and set them up in default.nix

default.nix

@@ -26,8 +26,8 @@ in
 {
 
   networking.nameservers = [
+    "141.56.51.1"
     "141.56.1.1"
-    "141.56.1.2"
   ];
 
   boot.kernelPackages = pkgs.linuxPackages_latest;
@@ -52,6 +52,14 @@ in
 
   time.timeZone = "Europe/Berlin";
 
+  # Use proxy as NTP server for time synchronization
+  # Disable in containers as they inherit time from the host
+  services.chrony = {
+    enable = !config.boot.isContainer;
+    servers = [ "141.56.51.1" ];
+    enableNTS = false;
+  };
+
   i18n.defaultLocale = "en_US.UTF-8";
   console = {
     font = "Lat2-Terminus16";
@@ -63,10 +71,9 @@ in
   services.nginx.recommendedOptimisation = true;
   services.nginx.recommendedGzipSettings = true;
   services.nginx.recommendedProxySettings = true;
-####    Mit der Anwendung Nginx soll die (ausschließliche) Verwendung von https (http mit TLS), statt http ermoeglicht werden.
+  ####    Mit der Anwendung Nginx soll die (ausschließliche) Verwendung von https (http mit TLS), statt http ermoeglicht werden.
   services.nginx.recommendedTlsSettings = true;
 
-
   users.users = {
     # erstmal nur mit root
     # administration = {

hosts/proxy/README.md

@@ -7,8 +7,8 @@ Central reverse proxy at 141.56.51.1 running as a full VM (not LXC container).
 - **Hostname**: proxy
 - **IP Address**: 141.56.51.1
 - **Type**: Full VM (not LXC)
-- **Services**: HAProxy, OpenSSH (ports 1005, 2142)
+- **Services**: HAProxy, BIND DNS, Chrony NTP, OpenSSH (ports 1005, 2142)
-- **Role**: Central traffic router for all StuRa HTW Dresden services
+- **Role**: Central traffic router, DNS resolver, and NTP server for all StuRa HTW Dresden services
 
 ## Architecture
 
@@ -45,6 +45,68 @@ HAProxy routes traffic using two methods:
 - Buffer size: 32,762 bytes
 - Timeouts: 5s connect, 30s client/server
 
+### BIND DNS Resolver
+
+The proxy provides recursive DNS resolution for the internal network (141.56.51.0/24).
+
+**Configuration:**
+- **Service**: BIND9 recursive resolver
+- **Listen address**: 141.56.51.1
+- **Port**: 53 (UDP/TCP)
+- **Allowed networks**: 127.0.0.0/8, 141.56.51.0/24
+- **Forwarders**: 9.9.9.9 (Quad9), 1.1.1.1 (Cloudflare)
+- **IPv6**: Disabled
+
+**Usage:**
+All hosts in the internal network can configure their DNS resolver to use `141.56.51.1` for name resolution.
+
+Example configuration for other hosts:
+```nix
+networking.nameservers = [ "141.56.51.1" ];
+```
+
+**Why BIND?**
+- Provides caching for frequently accessed domains
+- Reduces external DNS queries and improves performance
+- Allows central control of DNS resolution policies
+- More reliable than relying solely on external DNS servers
+
+### Chrony NTP Server
+
+The proxy serves network time to all systems in the internal network.
+
+**Configuration:**
+- **Service**: chrony NTP server
+- **Port**: 123 (UDP)
+- **Allowed network**: 141.56.51.0/24
+- **Upstream servers**: pool.ntp.org
+- **Sync mode**: Fast initial sync (iburst)
+- **Fallback**: Serves time even if not synced (stratum 10)
+
+**Usage:**
+Other hosts can synchronize their system time with the proxy:
+
+```nix
+services.chrony = {
+  enable = true;
+  servers = [ "141.56.51.1" ];
+};
+```
+
+Or for systems using systemd-timesyncd:
+```nix
+services.timesyncd = {
+  enable = true;
+  servers = [ "141.56.51.1" ];
+};
+```
+
+**Benefits:**
+- Centralized time synchronization for all internal hosts
+- Reduced external NTP queries from HTW network
+- Consistent time across all StuRa infrastructure
+- Local fallback if upstream NTP servers are unreachable
+
 ### SSH Services
 
 **Port 1005: Admin SSH Access**
@@ -177,7 +239,8 @@ nix run .#proxy-update
 - **Gateway**: 141.56.51.254
 - **DNS**: 9.9.9.9, 1.1.1.1 (public DNS, not HTW internal)
 - **Firewall**: nftables enabled
-- **Open ports**: 22, 80, 443, 1005, 2142
+- **Open TCP ports**: 22, 53 (DNS), 80, 443, 1005, 2142
+- **Open UDP ports**: 53 (DNS), 123 (NTP)
 
 ## Adding New Services
 
@@ -379,6 +442,50 @@ telnet 141.56.51.2 80
 grep -A 5 "ssh_srs2" /etc/haproxy/haproxy.cfg
 ```
 
+### DNS resolution not working
+
+```bash
+# Check BIND status
+systemctl status named
+
+# View BIND logs
+journalctl -u named -f
+
+# Test DNS resolution from proxy
+dig @127.0.0.1 google.com
+
+# Test DNS resolution from another host
+dig @141.56.51.1 google.com
+
+# Check BIND configuration
+named-checkconf /etc/bind/named.conf
+
+# Check allowed networks
+grep -i "allow-query" /etc/bind/named.conf
+```
+
+### NTP synchronization not working
+
+```bash
+# Check chrony status
+systemctl status chronyd
+
+# View chrony tracking information
+chronyc tracking
+
+# Check chrony sources
+chronyc sources -v
+
+# View chrony logs
+journalctl -u chronyd -f
+
+# Test NTP from another host
+chronyc -h 141.56.51.1 tracking
+
+# Check if NTP port is accessible
+nc -uv 141.56.51.1 123
+```
+
 ## Files and Directories
 
 - **HAProxy config**: `/etc/haproxy/haproxy.cfg` (generated by Nix)

hosts/proxy/default.nix

@@ -20,18 +20,19 @@
       }
     ];
     defaultGateway.address = "141.56.51.254";
-    nameservers = [
-      "9.9.9.9"
-      "1.1.1.1"
-    ];
     firewall = {
       allowedTCPPorts = [
         22
+        53 # DNS
         80
         443
         1005
         2142
       ];
+      allowedUDPPorts = [
+        53 # DNS
+        123 # NTP
+      ];
     };
     nftables = {
       enable = true;
@@ -206,6 +207,44 @@
       };
     in
     {
+      # BIND DNS recursive resolver for the internal network
+      bind = {
+        enable = true;
+        cacheNetworks = [
+          "127.0.0.0/8"
+          "141.56.51.0/24"
+        ];
+        forwarders = [
+          "9.9.9.9"
+          "1.1.1.1"
+        ];
+        listenOn = [
+          "141.56.51.1"
+          "127.0.0.1"
+        ];
+        listenOnIpv6 = [ ];
+      };
+
+      # Chrony NTP server for the internal network
+      chrony = {
+        enable = true;
+        enableNTS = false;
+        servers = [
+          "0.de.pool.ntp.org"
+          "1.de.pool.ntp.org"
+          "2.de.pool.ntp.org"
+          "3.de.pool.ntp.org"
+        ];
+        serverOption = "iburst";
+        extraConfig = ''
+          # Allow NTP client access from local network
+          allow 141.56.51.0/24
+
+          # Serve time even if not synced to a time source
+          local stratum 10
+        '';
+      };
+
       openssh = {
         # admin ssh access port
         listenAddresses = [