From a0db30ca26ee0ca8c8efbabd76ba584331b5337c Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Fri, 24 Mar 2023 12:58:44 +0100
Subject: Sanitize DNS configuration

- get rid of outside nameserver, unbound does the recursive resolving itself (and it checks DNSSEC)
- remove CAP_NET_BIND_SERVICE for Consul as it is no longer binding on port 53 (was already obsolete)
- make unbound config independant of LAN IPv4 address
---
 cluster/staging/site/bespin.nix  |  1 -
 cluster/staging/site/corrin.nix  |  1 -
 cluster/staging/site/jupiter.nix |  1 -
 cluster/staging/site/neptune.nix |  1 -
 nix/deuxfleurs.nix               | 38 ++++++++++----------------------------
 5 files changed, 10 insertions(+), 32 deletions(-)

diff --git a/cluster/staging/site/bespin.nix b/cluster/staging/site/bespin.nix
index 9401f74..1133603 100644
--- a/cluster/staging/site/bespin.nix
+++ b/cluster/staging/site/bespin.nix
@@ -6,7 +6,6 @@
   deuxfleurs.ipv6_default_gateway = "2a02:a03f:6510:5102::1";
   deuxfleurs.lan_ip_prefix_length = 24;
   deuxfleurs.ipv6_prefix_length = 64;
-  deuxfleurs.nameservers = [ "192.168.5.254" ];
   deuxfleurs.cname_target = "bespin.site.staging.deuxfleurs.org.";
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
diff --git a/cluster/staging/site/corrin.nix b/cluster/staging/site/corrin.nix
index ca2ae49..8bf8693 100644
--- a/cluster/staging/site/corrin.nix
+++ b/cluster/staging/site/corrin.nix
@@ -6,7 +6,6 @@
   deuxfleurs.ipv6_default_gateway = "fe80::7ec1:77ff:fe3e:bb90";
   deuxfleurs.lan_ip_prefix_length = 24;
   deuxfleurs.ipv6_prefix_length = 64;
-  deuxfleurs.nameservers = [ "192.168.1.1" ];
   deuxfleurs.cname_target = "corrin.site.staging.deuxfleurs.org.";
 
   deuxfleurs.public_ipv4 = "82.120.233.78";
diff --git a/cluster/staging/site/jupiter.nix b/cluster/staging/site/jupiter.nix
index 31b9f47..291e582 100644
--- a/cluster/staging/site/jupiter.nix
+++ b/cluster/staging/site/jupiter.nix
@@ -6,7 +6,6 @@
   deuxfleurs.ipv6_default_gateway = "fe80::9038:202a:73a0:e73b";
   deuxfleurs.lan_ip_prefix_length = 24;
   deuxfleurs.ipv6_prefix_length = 64;
-  deuxfleurs.nameservers = [ "192.168.1.1" ];
   deuxfleurs.cname_target = "jupiter.site.staging.deuxfleurs.org.";
 
   # no public ipv4 is used for the staging cluster on Jupiter
diff --git a/cluster/staging/site/neptune.nix b/cluster/staging/site/neptune.nix
index 5399826..b030b46 100644
--- a/cluster/staging/site/neptune.nix
+++ b/cluster/staging/site/neptune.nix
@@ -6,7 +6,6 @@
   deuxfleurs.ipv6_default_gateway = "2001:910:1204:1::1";
   deuxfleurs.lan_ip_prefix_length = 24;
   deuxfleurs.ipv6_prefix_length = 64;
-  deuxfleurs.nameservers = [ "192.168.1.1" ];
   deuxfleurs.cname_target = "neptune.site.staging.deuxfleurs.org.";
 
   # no public ipv4 is used for the staging cluster on Neptune,
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index f7b70d7..245e12c 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -96,10 +96,6 @@ in
       type = types.nullOr types.str;
       default = null;
     };
-    nameservers = mkOption {
-      description = "External DNS servers to use";
-      type = types.listOf types.str;
-    };
 
     # Parameters common to all nodes
     cluster_name = mkOption {
@@ -190,47 +186,36 @@ in
     };
   };
 
-  # Configure Unbound DNS to redirect to Consul queries under .consul
-  # and to pass directly to public DNS resolver all others
+  # Configure Unbound as a central DNS server for everything
+  # - is its own recursor (applies DNSSec) for everything,
+  # no need to declare an outside nameserver
+  # - redirects to Consul queries under .consul
   services.unbound = {
     enable = true;
-    enableRootTrustAnchor = false;  # disable DNSSEC as it causes issues
     settings = {
       server = {
-        interface = [ "127.0.0.1" "${cfg.lan_ip}" "172.17.0.1" ];
+        interface = [ "127.0.0.1" "172.17.0.1" ];
         domain-insecure = [ "consul." ];
         local-zone = [ "consul. nodefault" ];
         log-servfail = true;
         access-control = [
           "127.0.0.0/8 allow"
-          "${cfg.lan_ip}/${toString cfg.lan_ip_prefix_length} allow"
           "172.17.0.0/16 allow"
         ];
       };
-      forward-zone = [
+      stub-zone = [
         # Forward .consul queries to Consul daemon
         {
           name = "consul.";
-          forward-addr = "${cfg.lan_ip}@8600";
-          forward-no-cache = true;
-          forward-tcp-upstream = false;
-          forward-tls-upstream = false;
-        }
-        # Forward all queries to our ISP's nameserver
-        {
-          name = ".";
-          forward-addr = cfg.nameservers;
-          forward-first = true;
+          stub-addr = "${cfg.cluster_ip}@8600";
+          stub-no-cache = true;
+          stub-tcp-upstream = false;
+          stub-tls-upstream = false;
         }
       ];
     };
     resolveLocalQueries = true;
   };
-  # Reach Unbound through the IP of our LAN interface,
-  # instead of 127.0.0.1 (this will also work in Docker containers)
-  networking.nameservers = [  # TODO remove this ?
-    cfg.lan_ip
-  ];
   services.resolved.enable = false;
 
   # Configure Wireguard VPN between all nodes
@@ -321,9 +306,6 @@ in
     verify_outgoing = true;
     verify_server_hostname = true;
   };
-  systemd.services.consul.serviceConfig = {  # TODO remove this ?
-    AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-  };
 
   services.nomad.enable = true;
   systemd.services.nomad.after = [ "wg-quick-wg0.service" ];
-- 
cgit v1.2.3
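Review bot: Removing `networking.nameservers = [ cfg.lan_ip ]` while keeping `resolveLocalQueries = true` leaves only 127.0.0.1 in the host's resolv.conf, and on its default settings Docker drops loopback nameservers from the resolv.conf it hands to containers and falls back to public resolvers, so containers (which the removed comment says this setup serves) may silently bypass this Unbound, its DNSSEC validation and the `.consul` stub unless the daemon is pointed at the bridge address elsewhere, e.g. `--dns 172.17.0.1`. The retained `"172.17.0.1"` interface and `"172.17.0.0/16 allow"` entries suggest that is the intent, so the interface line deserves a comment such as `# 172.17.0.1 is the Docker bridge: the Docker daemon must be told to use it (--dns), since 127.0.0.1 is stripped from container resolv.conf`. A smaller nit: the comment `# Forward .consul queries to Consul daemon` now sits under `stub-zone`, where Unbound treats the target as authoritative rather than a forwarder; `# Stub zone: .consul is answered by the Consul daemon on cluster_ip:8600` would match the new semantics. The enclosing config attrset begins and ends outside this hunk.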