StuRa/stura-infra
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: StuRa:982d984910362334dd3160a3122ce25bde6432b6
Branches Tags
StuRa:master
StuRa:new-mail
...
compare: StuRa:006c95424fa8b616447dcb7d1d6169173878d705
Branches Tags
StuRa:new-mail
StuRa:master

2 commits
982d984910 ... 006c95424f

Author SHA1 Message Date
goeranh
006c95424f
enable bind dns and chrony ntp server and set them up in default.nix 2026-03-13 22:14:45 +01:00
goeranh
7d01f35fd0
host dns and ntp server on proxy 2026-03-13 21:51:25 +01:00
3 changed files with 163 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

11
default.nix
View file

@ -26,8 +26,8 @@ in
{
networking.nameservers = [
"141.56.51.1"
"141.56.1.1"
"141.56.1.2"
];
boot.kernelPackages = pkgs.linuxPackages_latest;
@ -52,6 +52,14 @@ in
time.timeZone = "Europe/Berlin";
# Use proxy as NTP server for time synchronization
# Disable in containers as they inherit time from the host
services.chrony = {
enable = !config.boot.isContainer;
servers = [ "141.56.51.1" ];
enableNTS = false;
};
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
@ -66,7 +74,6 @@ in
#### Mit der Anwendung Nginx soll die (ausschließliche) Verwendung von https (http mit TLS), statt http ermoeglicht werden.
services.nginx.recommendedTlsSettings = true;
users.users = {
# erstmal nur mit root
# administration = {

113
hosts/proxy/README.md
View file

@ -7,8 +7,8 @@ Central reverse proxy at 141.56.51.1 running as a full VM (not LXC container).
- **Hostname**: proxy
- **IP Address**: 141.56.51.1
- **Type**: Full VM (not LXC)
- **Services**: HAProxy, OpenSSH (ports 1005, 2142)
- **Role**: Central traffic router for all StuRa HTW Dresden services
- **Services**: HAProxy, BIND DNS, Chrony NTP, OpenSSH (ports 1005, 2142)
- **Role**: Central traffic router, DNS resolver, and NTP server for all StuRa HTW Dresden services
## Architecture
@ -45,6 +45,68 @@ HAProxy routes traffic using two methods:
- Buffer size: 32,762 bytes
- Timeouts: 5s connect, 30s client/server
### BIND DNS Resolver
The proxy provides recursive DNS resolution for the internal network (141.56.51.0/24).
**Configuration:**
- **Service**: BIND9 recursive resolver
- **Listen address**: 141.56.51.1
- **Port**: 53 (UDP/TCP)
- **Allowed networks**: 127.0.0.0/8, 141.56.51.0/24
- **Forwarders**: 9.9.9.9 (Quad9), 1.1.1.1 (Cloudflare)
- **IPv6**: Disabled
**Usage:**
All hosts in the internal network can configure their DNS resolver to use `141.56.51.1` for name resolution.
Example configuration for other hosts:
```nix
networking.nameservers = [ "141.56.51.1" ];
```
**Why BIND?**
- Provides caching for frequently accessed domains
- Reduces external DNS queries and improves performance
- Allows central control of DNS resolution policies
- More reliable than relying solely on external DNS servers
### Chrony NTP Server
The proxy serves network time to all systems in the internal network.
**Configuration:**
- **Service**: chrony NTP server
- **Port**: 123 (UDP)
- **Allowed network**: 141.56.51.0/24
- **Upstream servers**: pool.ntp.org
- **Sync mode**: Fast initial sync (iburst)
- **Fallback**: Serves time even if not synced (stratum 10)
**Usage:**
Other hosts can synchronize their system time with the proxy:
```nix
services.chrony = {
enable = true;
servers = [ "141.56.51.1" ];
};
```
Or for systems using systemd-timesyncd:
```nix
services.timesyncd = {
enable = true;
servers = [ "141.56.51.1" ];
};
```
**Benefits:**
- Centralized time synchronization for all internal hosts
- Reduced external NTP queries from HTW network
- Consistent time across all StuRa infrastructure
- Local fallback if upstream NTP servers are unreachable
### SSH Services
**Port 1005: Admin SSH Access**
@ -177,7 +239,8 @@ nix run .#proxy-update
- **Gateway**: 141.56.51.254
- **DNS**: 9.9.9.9, 1.1.1.1 (public DNS, not HTW internal)
- **Firewall**: nftables enabled
- **Open ports**: 22, 80, 443, 1005, 2142
- **Open TCP ports**: 22, 53 (DNS), 80, 443, 1005, 2142
- **Open UDP ports**: 53 (DNS), 123 (NTP)
## Adding New Services
@ -379,6 +442,50 @@ telnet 141.56.51.2 80
grep -A 5 "ssh_srs2" /etc/haproxy/haproxy.cfg
```
### DNS resolution not working
```bash
# Check BIND status
systemctl status named
# View BIND logs
journalctl -u named -f
# Test DNS resolution from proxy
dig @127.0.0.1 google.com
# Test DNS resolution from another host
dig @141.56.51.1 google.com
# Check BIND configuration
named-checkconf /etc/bind/named.conf
# Check allowed networks
grep -i "allow-query" /etc/bind/named.conf
```
### NTP synchronization not working
```bash
# Check chrony status
systemctl status chronyd
# View chrony tracking information
chronyc tracking
# Check chrony sources
chronyc sources -v
# View chrony logs
journalctl -u chronyd -f
# Test NTP from another host
chronyc -h 141.56.51.1 tracking
# Check if NTP port is accessible
nc -uv 141.56.51.1 123
```
## Files and Directories
- **HAProxy config**: `/etc/haproxy/haproxy.cfg` (generated by Nix)

47
hosts/proxy/default.nix
View file

@ -20,18 +20,19 @@
}
];
defaultGateway.address = "141.56.51.254";
nameservers = [
"9.9.9.9"
"1.1.1.1"
];
firewall = {
allowedTCPPorts = [
22
53 # DNS
80
443
1005
2142
];
allowedUDPPorts = [
53 # DNS
123 # NTP
];
};
nftables = {
enable = true;
@ -206,6 +207,44 @@
};
in
{
# BIND DNS recursive resolver for the internal network
bind = {
enable = true;
cacheNetworks = [
"127.0.0.0/8"
"141.56.51.0/24"
];
forwarders = [
"9.9.9.9"
"1.1.1.1"
];
listenOn = [
"141.56.51.1"
"127.0.0.1"
];
listenOnIpv6 = [ ];
};
# Chrony NTP server for the internal network
chrony = {
enable = true;
enableNTS = false;
servers = [
"0.de.pool.ntp.org"
"1.de.pool.ntp.org"
"2.de.pool.ntp.org"
"3.de.pool.ntp.org"
];
serverOption = "iburst";
extraConfig = ''
# Allow NTP client access from local network
allow 141.56.51.0/24
# Serve time even if not synced to a time source
local stratum 10
'';
};
openssh = {
# admin ssh access port
listenAddresses = [