Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

change unbound

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2023-12-04 15:22:32 +01:00
parent 1dbba8eac6
commit cb01ec7e4c
2 changed files with 173 additions and 217 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
hosts/fw.cloonar.com/modules/gitea.nix
View File

@@ -15,87 +15,6 @@ in
users.groups.gitea = { users.groups.gitea = {
gid = 989; gid = 989;
}; };
# services.nginx.virtualHosts."${domain}" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "https://${ip}:443/";
# extraConfig = ''
# proxy_set_header=Host ${domain}
# '';
# };
# };
#
# environment.etc."gitea/app.ini".text = ''
# APP_NAME = Cloonar Gitea server
# RUN_MODE = prod
#
# [cron.update_checker]
# ENABLED=false
#
# [database]
# DB_TYPE=sqlite3
# PATH=/bitnami/gitea/data/gitea.db
#
# [openid]
# ENABLE_OPENID_SIGNIN=false
# ENABLE_OPENID_SIGNUP=true
# WHITELISTED_URIS=auth.cloonar.com
#
# [server]
# DISABLE_SSH=false
# DOMAIN=git.cloonar.com
# HTTP_ADDR=0.0.0.0
# HTTP_PORT=443
# PROTOCOL=https
# ROOT_URL=https://git.cloonar.com/
# SSH_PORT=22
# CERT_FILE=/ssl/fullchain.pem
# KEY_FILE=/ssl/key.pem
#
# [service]
# ALLOW_ONLY_EXTERNAL_REGISTRATION=true
# DISABLE_REGISTRATION=false
# SHOW_REGISTRATION_BUTTON=false
#
# [webhook]
# ALLOWED_HOST_LIST=drone.cloonar.com
# '';
#
# virtualisation = {
# oci-containers.containers = {
# gitea = {
# image = "gitea/gitea:1";
# volumes = [
# "/var/lib/gitea:/data"
# "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro"
# "/var/lib/acme/git.cloonar.com:/ssl:ro"
# ];
# environment = {
# USER_UID = builtins.toString config.users.users.gitea.uid;
# USER_GID = builtins.toString config.users.groups.gitea.gid;
# };
# extraOptions = [
# "--ip=${ip}"
# ];
# };
# gitea = {
# image = "gitea/gitea:1";
# volumes = [
# "/var/lib/gitea:/data"
# "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro"
# "/var/lib/acme/git.cloonar.com:/ssl:ro"
# ];
# environment = {
# USER_UID = builtins.toString config.users.users.gitea.uid;
# USER_GID = builtins.toString config.users.groups.gitea.gid;
# };
# extraOptions = [
# "--ip=${ip}"
# ];
# };
# };
# };
containers.gitea = { containers.gitea = {
autoStart = true; autoStart = true;
@@ -107,12 +26,12 @@ in
isReadOnly = false; isReadOnly = false;
}; };
}; };
# bindMounts = { bindMounts = {
# "/var/lib/acme/gitea/" = { "/var/lib/acme/gitea/" = {
# hostPath = "${security.acme.certs.${domain}.directory}"; hostPath = "${config.security.acme.certs.${domain}.directory}";
# isReadOnly = true; isReadOnly = true;
# }; };
# }; };
config = { lib, config, pkgs, ... }: { config = { lib, config, pkgs, ... }: {
networking = { networking = {
hostName = "gitea"; hostName = "gitea";
@@ -124,8 +43,6 @@ in
allowedTCPPorts = [ 22 80 443 ]; allowedTCPPorts = [ 22 80 443 ];
}; };
}; };
# services.resolved.enable = true;
# services.nginx.enable = true; # services.nginx.enable = true;
# services.nginx.virtualHosts."${domain}" = { # services.nginx.virtualHosts."${domain}" = {
# sslCertificate = "/var/lib/acme/gitea/fullchain.pem"; # sslCertificate = "/var/lib/acme/gitea/fullchain.pem";

295
hosts/fw.cloonar.com/modules/unbound.nix
View File

@@ -1,138 +1,177 @@
{ config, ... }: { { config, ... }:
let
domain = "ns.cloonar.com";
cfg = {
server = {
interface = [ "0.0.0.0" "::0" ];
interface-automatic = "yes";
access-control = [
"127.0.0.0/8 allow"
"10.42.96.0/24 allow"
"10.42.97.0/24 allow"
"10.42.98.0/24 allow"
"10.42.99.0/24 allow"
"10.42.101.0/24 allow"
"0.0.0.0/0 allow"
];
tls-cert-bundle = "/var/lib/acme/unbound/fullchain.pem";
local-zone = "\"cloonar.com\" transparent";
local-data = [
"\"localhost A 127.0.0.1\""
"\"localhost.cloonar.com A 127.0.0.1\""
"\"localhost AAAA ::1\""
"\"localhost.cloonar.com AAAA ::1\""
"\"fw.cloonar.com A 10.42.97.1\""
"\"fw A 10.42.97.1\""
"\"switch.cloonar.com IN A 10.42.97.10\""
"\"drone.cloonar.com IN A 10.42.97.118\""
"\"hv-02.cloonar.com IN A 10.42.97.3\""
"\"home-assistant.cloonar.com IN A 10.42.97.20\""
"\"home-assistant.cloonar.old IN A 10.44.97.20\""
"\"deconz.cloonar.com IN A 10.42.97.20\""
"\"mopidy.cloonar.com IN A 10.42.97.20\""
"\"snapcast.cloonar.com IN A 10.42.97.20\""
"\"cl-storage-01.cloonar.com IN A 10.42.97.9\""
"\"git.cloonar.com IN A 10.44.97.118\""
"\"stage.wsw.at IN A 10.254.235.22\""
"\"prod.wsw.at IN A 10.254.217.23\""
"\"piwik.wohnservice-wien.at IN A 10.254.240.109\""
"\"wohnservice-wien.at IN A 10.254.240.109\""
"\"mieterhilfe.at IN A 10.254.240.109\""
"\"wohnpartner-wien.at IN A 10.254.240.109\""
"\"wohnberatung-wien.at IN A 10.254.240.109\""
"\"wienbautvor.at IN A 10.254.240.109\""
"\"a.wohnservice-wien.at IN A 10.254.240.109\""
"\"a.wohnpartner-wien.at IN A 10.254.240.109\""
"\"a.stage.wohnservice-wien.at IN A 10.254.240.110\""
"\"a.stage.mieterhilfe.at IN A 10.254.240.110\""
"\"a.stage.wohnpartner-wien.at IN A 10.254.240.110\""
"\"a.stage.wohnberatung-wien.at IN A 10.254.240.110\""
"\"a.stage.wienbautvor.at IN A 10.254.240.110\""
"\"a.stage.wienwohntbesser.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnservice-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.mieterhilfe.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.wienbautvor.at IN A 10.254.240.110\""
"\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\""
"\"testing.ebs.amz.at IN A 80.120.142.235\""
"\"api.testing-ebs.amz.at IN A 80.120.142.235\""
"\"metz.cloonar.com IN A 10.42.96.167\""
"\"firetv-living.cloonar.com IN A 10.42.96.175\""
"\"ps5-living.cloonar.com IN A 10.42.96.176\""
"\"ddl-warez.to IN A 172.67.184.30\""
];
local-data-ptr = [
"\"127.0.0.1 localhost\""
"\"::1 localhost\""
"\"10.42.97.10 switch.cloonar.com\""
"\"10.42.97.1 fw.cloonar.com\""
"\"10.42.97.118 drone.cloonar.com\""
"\"10.42.97.3 hv-02.cloonar.com\""
"\"10.42.97.20 home-assistant.cloonar.com\""
"\"10.42.97.9 cl-storage-01.cloonar.com\""
"\"10.42.97.118 git.cloonar.com\""
"\"10.254.235.22 stage.wsw.at\""
"\"10.254.217.23 prod.wsw.at\""
"\"10.254.240.109 wohnservice-wien.at\""
"\"10.254.240.110 a.stage.wohnservice-wien.at\""
"\"80.120.142.235 testing.ebs.amz.at\""
"\"172.67.184.30 ddl-warez.to\""
];
};
forward-zone = [
{
name = ".";
forward-addr = [
"10.44.96.1"
# "9.9.9.9#dns11.quad9.net"
# "149.112.112.112#dns11.quad9.net"
];
}
{
name = "ghetto.at.local.";
forward-addr = [
"10.43.97.1"
];
}
{
name = "epicenter.works.";
forward-addr = [
"10.50.60.1"
];
}
{
name = "akvorrat.at.";
forward-addr = [
"10.50.60.1"
];
}
{
name = "epicenter.intra.";
forward-addr = [
"10.14.1.1"
];
}
{
name = "intra.epicenter.works.";
forward-addr = [
"10.14.1.1"
];
}
];
};
in {
services.unbound = { services.unbound = {
enable = true; enable = true;
settings = { settings = cfg // {
server = { server = {
interface = [ "0.0.0.0" "::0" ]; tls-cert-bundle = "/var/lib/acme/fw.cloonnar.com/fullchain.pem";
interface-automatic = "yes"; }
access-control = [ };
"127.0.0.0/8 allow" };
"10.42.96.0/24 allow" security.acme.certs."fw.cloonar.com" = {
"10.42.97.0/24 allow" domain = "fw.cloonar.com";
"10.42.98.0/24 allow" };
"10.42.99.0/24 allow"
"10.42.101.0/24 allow"
"0.0.0.0/0 allow"
];
tls-cert-bundle = "/var/lib/acme/fw.cloonar.com/fullchain.pem";
local-zone = "\"cloonar.com\" transparent";
local-data = [
"\"localhost A 127.0.0.1\""
"\"localhost.cloonar.com A 127.0.0.1\""
"\"localhost AAAA ::1\""
"\"localhost.cloonar.com AAAA ::1\""
"\"fw.cloonar.com A 10.42.97.1\""
"\"fw A 10.42.97.1\""
"\"switch.cloonar.com IN A 10.42.97.10\"" containers.unbound = {
"\"drone.cloonar.com IN A 10.42.97.118\"" autoStart = true;
"\"hv-02.cloonar.com IN A 10.42.97.3\"" ephemeral = true;
"\"home-assistant.cloonar.com IN A 10.42.97.20\"" macvlans = [ "vserver" ];
"\"home-assistant.cloonar.old IN A 10.44.97.20\"" bindMounts = {
"\"deconz.cloonar.com IN A 10.42.97.20\"" "/var/lib/acme/unbound/" = {
"\"mopidy.cloonar.com IN A 10.42.97.20\"" hostPath = "${config.security.acme.certs.${domain}.directory}";
"\"snapcast.cloonar.com IN A 10.42.97.20\"" isReadOnly = true;
"\"cl-storage-01.cloonar.com IN A 10.42.97.9\"" };
"\"git.cloonar.com IN A 10.44.97.118\"" };
config = { lib, config, pkgs, ... }: {
"\"stage.wsw.at IN A 10.254.235.22\"" networking = {
"\"prod.wsw.at IN A 10.254.217.23\"" hostName = "ns";
"\"piwik.wohnservice-wien.at IN A 10.254.240.109\"" interfaces.mv-vserver = {
"\"wohnservice-wien.at IN A 10.254.240.109\"" useDHCP = true;
"\"mieterhilfe.at IN A 10.254.240.109\"" };
"\"wohnpartner-wien.at IN A 10.254.240.109\"" firewall = {
"\"wohnberatung-wien.at IN A 10.254.240.109\"" enable = true;
"\"wienbautvor.at IN A 10.254.240.109\"" allowedUDPPorts = [ 53 ];
"\"a.wohnservice-wien.at IN A 10.254.240.109\"" allowedTCPPorts = [ 853 ];
"\"a.wohnpartner-wien.at IN A 10.254.240.109\"" };
"\"a.stage.wohnservice-wien.at IN A 10.254.240.110\"" services.unbound = {
"\"a.stage.mieterhilfe.at IN A 10.254.240.110\"" enable = true;
"\"a.stage.wohnpartner-wien.at IN A 10.254.240.110\"" settings = cfg;
"\"a.stage.wohnberatung-wien.at IN A 10.254.240.110\"" };
"\"a.stage.wienbautvor.at IN A 10.254.240.110\""
"\"a.stage.wienwohntbesser.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnservice-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.mieterhilfe.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110\""
"\"upgrade-staging.wienbautvor.at IN A 10.254.240.110\""
"\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\""
"\"testing.ebs.amz.at IN A 80.120.142.235\""
"\"api.testing-ebs.amz.at IN A 80.120.142.235\""
"\"metz.cloonar.com IN A 10.42.96.167\""
"\"firetv-living.cloonar.com IN A 10.42.96.175\""
"\"ps5-living.cloonar.com IN A 10.42.96.176\""
"\"ddl-warez.to IN A 172.67.184.30\""
];
local-data-ptr = [
"\"127.0.0.1 localhost\""
"\"::1 localhost\""
"\"10.42.97.10 switch.cloonar.com\""
"\"10.42.97.1 fw.cloonar.com\""
"\"10.42.97.118 drone.cloonar.com\""
"\"10.42.97.3 hv-02.cloonar.com\""
"\"10.42.97.20 home-assistant.cloonar.com\""
"\"10.42.97.9 cl-storage-01.cloonar.com\""
"\"10.42.97.118 git.cloonar.com\""
"\"10.254.235.22 stage.wsw.at\""
"\"10.254.217.23 prod.wsw.at\""
"\"10.254.240.109 wohnservice-wien.at\""
"\"10.254.240.110 a.stage.wohnservice-wien.at\""
"\"80.120.142.235 testing.ebs.amz.at\""
"\"172.67.184.30 ddl-warez.to\""
];
}; };
forward-zone = [
{
name = ".";
forward-addr = [
"10.44.96.1"
# "9.9.9.9#dns11.quad9.net"
# "149.112.112.112#dns11.quad9.net"
];
}
{
name = "ghetto.at.local.";
forward-addr = [
"10.43.97.1"
];
}
{
name = "epicenter.works.";
forward-addr = [
"10.50.60.1"
];
}
{
name = "akvorrat.at.";
forward-addr = [
"10.50.60.1"
];
}
{
name = "epicenter.intra.";
forward-addr = [
"10.14.1.1"
];
}
{
name = "intra.epicenter.works.";
forward-addr = [
"10.14.1.1"
];
}
];
}; };
}; };
security.acme.certs."fw.cloonar.com" = { security.acme.certs."${domain}" = {
domain = "fw.cloonar.com"; domain = "${domain}";
group = config.services.unbound.group;
}; };
} }