Compare commits
2 commits
982d984910
...
006c95424f
| Author | SHA1 | Date | |
|---|---|---|---|
|
006c95424f | ||
|
|
7d01f35fd0 |
3 changed files with 163 additions and 10 deletions
13
default.nix
13
default.nix
|
|
@ -26,8 +26,8 @@ in
|
|||
{
|
||||
|
||||
networking.nameservers = [
|
||||
"141.56.51.1"
|
||||
"141.56.1.1"
|
||||
"141.56.1.2"
|
||||
];
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||
|
|
@ -52,6 +52,14 @@ in
|
|||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
# Use proxy as NTP server for time synchronization
|
||||
# Disable in containers as they inherit time from the host
|
||||
services.chrony = {
|
||||
enable = !config.boot.isContainer;
|
||||
servers = [ "141.56.51.1" ];
|
||||
enableNTS = false;
|
||||
};
|
||||
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
console = {
|
||||
font = "Lat2-Terminus16";
|
||||
|
|
@ -63,10 +71,9 @@ in
|
|||
services.nginx.recommendedOptimisation = true;
|
||||
services.nginx.recommendedGzipSettings = true;
|
||||
services.nginx.recommendedProxySettings = true;
|
||||
#### Mit der Anwendung Nginx soll die (ausschließliche) Verwendung von https (http mit TLS), statt http ermoeglicht werden.
|
||||
#### Mit der Anwendung Nginx soll die (ausschließliche) Verwendung von https (http mit TLS), statt http ermoeglicht werden.
|
||||
services.nginx.recommendedTlsSettings = true;
|
||||
|
||||
|
||||
users.users = {
|
||||
# erstmal nur mit root
|
||||
# administration = {
|
||||
|
|
|
|||
|
|
@ -7,8 +7,8 @@ Central reverse proxy at 141.56.51.1 running as a full VM (not LXC container).
|
|||
- **Hostname**: proxy
|
||||
- **IP Address**: 141.56.51.1
|
||||
- **Type**: Full VM (not LXC)
|
||||
- **Services**: HAProxy, OpenSSH (ports 1005, 2142)
|
||||
- **Role**: Central traffic router for all StuRa HTW Dresden services
|
||||
- **Services**: HAProxy, BIND DNS, Chrony NTP, OpenSSH (ports 1005, 2142)
|
||||
- **Role**: Central traffic router, DNS resolver, and NTP server for all StuRa HTW Dresden services
|
||||
|
||||
## Architecture
|
||||
|
||||
|
|
@ -45,6 +45,68 @@ HAProxy routes traffic using two methods:
|
|||
- Buffer size: 32,762 bytes
|
||||
- Timeouts: 5s connect, 30s client/server
|
||||
|
||||
### BIND DNS Resolver
|
||||
|
||||
The proxy provides recursive DNS resolution for the internal network (141.56.51.0/24).
|
||||
|
||||
**Configuration:**
|
||||
- **Service**: BIND9 recursive resolver
|
||||
- **Listen address**: 141.56.51.1
|
||||
- **Port**: 53 (UDP/TCP)
|
||||
- **Allowed networks**: 127.0.0.0/8, 141.56.51.0/24
|
||||
- **Forwarders**: 9.9.9.9 (Quad9), 1.1.1.1 (Cloudflare)
|
||||
- **IPv6**: Disabled
|
||||
|
||||
**Usage:**
|
||||
All hosts in the internal network can configure their DNS resolver to use `141.56.51.1` for name resolution.
|
||||
|
||||
Example configuration for other hosts:
|
||||
```nix
|
||||
networking.nameservers = [ "141.56.51.1" ];
|
||||
```
|
||||
|
||||
**Why BIND?**
|
||||
- Provides caching for frequently accessed domains
|
||||
- Reduces external DNS queries and improves performance
|
||||
- Allows central control of DNS resolution policies
|
||||
- More reliable than relying solely on external DNS servers
|
||||
|
||||
### Chrony NTP Server
|
||||
|
||||
The proxy serves network time to all systems in the internal network.
|
||||
|
||||
**Configuration:**
|
||||
- **Service**: chrony NTP server
|
||||
- **Port**: 123 (UDP)
|
||||
- **Allowed network**: 141.56.51.0/24
|
||||
- **Upstream servers**: pool.ntp.org
|
||||
- **Sync mode**: Fast initial sync (iburst)
|
||||
- **Fallback**: Serves time even if not synced (stratum 10)
|
||||
|
||||
**Usage:**
|
||||
Other hosts can synchronize their system time with the proxy:
|
||||
|
||||
```nix
|
||||
services.chrony = {
|
||||
enable = true;
|
||||
servers = [ "141.56.51.1" ];
|
||||
};
|
||||
```
|
||||
|
||||
Or for systems using systemd-timesyncd:
|
||||
```nix
|
||||
services.timesyncd = {
|
||||
enable = true;
|
||||
servers = [ "141.56.51.1" ];
|
||||
};
|
||||
```
|
||||
|
||||
**Benefits:**
|
||||
- Centralized time synchronization for all internal hosts
|
||||
- Reduced external NTP queries from HTW network
|
||||
- Consistent time across all StuRa infrastructure
|
||||
- Local fallback if upstream NTP servers are unreachable
|
||||
|
||||
### SSH Services
|
||||
|
||||
**Port 1005: Admin SSH Access**
|
||||
|
|
@ -177,7 +239,8 @@ nix run .#proxy-update
|
|||
- **Gateway**: 141.56.51.254
|
||||
- **DNS**: 9.9.9.9, 1.1.1.1 (public DNS, not HTW internal)
|
||||
- **Firewall**: nftables enabled
|
||||
- **Open ports**: 22, 80, 443, 1005, 2142
|
||||
- **Open TCP ports**: 22, 53 (DNS), 80, 443, 1005, 2142
|
||||
- **Open UDP ports**: 53 (DNS), 123 (NTP)
|
||||
|
||||
## Adding New Services
|
||||
|
||||
|
|
@ -379,6 +442,50 @@ telnet 141.56.51.2 80
|
|||
grep -A 5 "ssh_srs2" /etc/haproxy/haproxy.cfg
|
||||
```
|
||||
|
||||
### DNS resolution not working
|
||||
|
||||
```bash
|
||||
# Check BIND status
|
||||
systemctl status named
|
||||
|
||||
# View BIND logs
|
||||
journalctl -u named -f
|
||||
|
||||
# Test DNS resolution from proxy
|
||||
dig @127.0.0.1 google.com
|
||||
|
||||
# Test DNS resolution from another host
|
||||
dig @141.56.51.1 google.com
|
||||
|
||||
# Check BIND configuration
|
||||
named-checkconf /etc/bind/named.conf
|
||||
|
||||
# Check allowed networks
|
||||
grep -i "allow-query" /etc/bind/named.conf
|
||||
```
|
||||
|
||||
### NTP synchronization not working
|
||||
|
||||
```bash
|
||||
# Check chrony status
|
||||
systemctl status chronyd
|
||||
|
||||
# View chrony tracking information
|
||||
chronyc tracking
|
||||
|
||||
# Check chrony sources
|
||||
chronyc sources -v
|
||||
|
||||
# View chrony logs
|
||||
journalctl -u chronyd -f
|
||||
|
||||
# Test NTP from another host
|
||||
chronyc -h 141.56.51.1 tracking
|
||||
|
||||
# Check if NTP port is accessible
|
||||
nc -uv 141.56.51.1 123
|
||||
```
|
||||
|
||||
## Files and Directories
|
||||
|
||||
- **HAProxy config**: `/etc/haproxy/haproxy.cfg` (generated by Nix)
|
||||
|
|
|
|||
|
|
@ -20,18 +20,19 @@
|
|||
}
|
||||
];
|
||||
defaultGateway.address = "141.56.51.254";
|
||||
nameservers = [
|
||||
"9.9.9.9"
|
||||
"1.1.1.1"
|
||||
];
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
22
|
||||
53 # DNS
|
||||
80
|
||||
443
|
||||
1005
|
||||
2142
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
53 # DNS
|
||||
123 # NTP
|
||||
];
|
||||
};
|
||||
nftables = {
|
||||
enable = true;
|
||||
|
|
@ -206,6 +207,44 @@
|
|||
};
|
||||
in
|
||||
{
|
||||
# BIND DNS recursive resolver for the internal network
|
||||
bind = {
|
||||
enable = true;
|
||||
cacheNetworks = [
|
||||
"127.0.0.0/8"
|
||||
"141.56.51.0/24"
|
||||
];
|
||||
forwarders = [
|
||||
"9.9.9.9"
|
||||
"1.1.1.1"
|
||||
];
|
||||
listenOn = [
|
||||
"141.56.51.1"
|
||||
"127.0.0.1"
|
||||
];
|
||||
listenOnIpv6 = [ ];
|
||||
};
|
||||
|
||||
# Chrony NTP server for the internal network
|
||||
chrony = {
|
||||
enable = true;
|
||||
enableNTS = false;
|
||||
servers = [
|
||||
"0.de.pool.ntp.org"
|
||||
"1.de.pool.ntp.org"
|
||||
"2.de.pool.ntp.org"
|
||||
"3.de.pool.ntp.org"
|
||||
];
|
||||
serverOption = "iburst";
|
||||
extraConfig = ''
|
||||
# Allow NTP client access from local network
|
||||
allow 141.56.51.0/24
|
||||
|
||||
# Serve time even if not synced to a time source
|
||||
local stratum 10
|
||||
'';
|
||||
};
|
||||
|
||||
openssh = {
|
||||
# admin ssh access port
|
||||
listenAddresses = [
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue