From 8743ea7b0c0befaea2237bfb433b4c24c51219f4 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Fri, 12 Apr 2024 21:31:36 +0200
Subject: [PATCH 1/2] networking: add wireguard hosts to /etc/hosts

Also re-enable DNSSEC, it's reported fixed in systemd-resolved
---
 hosts/flora-6/apps/drone.nix | 2 ++
 modules/networking.nix | 8 +++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/hosts/flora-6/apps/drone.nix b/hosts/flora-6/apps/drone.nix
index 88bd3027..9620d2bd 100644
--- a/hosts/flora-6/apps/drone.nix
+++ b/hosts/flora-6/apps/drone.nix
@@ -78,6 +78,7 @@
 extraOptions = [
 "--network=drone-net"
 "--pull=always"
+ "--add-host=nachtigall.pub.solar:10.7.6.1"
 ];
 environment = {
 DRONE_GITEA_SERVER = "https://git.pub.solar";
@@ -101,6 +102,7 @@
 extraOptions = [
 "--network=drone-net"
 "--pull=always"
+ "--add-host=nachtigall.pub.solar:10.7.6.1"
 ];
 environment = {
 DRONE_RPC_HOST = "ci.pub.solar";
diff --git a/modules/networking.nix b/modules/networking.nix
index 21242d32..490715b2 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -2,6 +2,11 @@
 # Don't expose SSH via public interfaces
 networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
 
+ networking.hosts = {
+ "10.7.6.1" = ["nachtigall.pub.solar"];
+ "10.7.6.2" = ["flora-6.pub.solar"];
+ };
+
 services.openssh = {
 enable = true;
 openFirewall = lib.mkDefault false;
@@ -31,14 +36,11 @@
 services.resolved = {
 enable = true;
- # DNSSEC=false because of random SERVFAIL responses with Greenbaum DNS
- # when using allow-downgrade, see https://github.com/systemd/systemd/issues/10579
 extraConfig = ''
 DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
 FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
 Domains=~.
 DNSOverTLS=yes
- DNSSEC=false
 '';
 };
 }
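Review bot: The `"--add-host=nachtigall.pub.solar:10.7.6.1"` literal added here, and again in the hunk at `@@ -101,6 +102,7 @@`, hard-codes the same name-to-address pair that `modules/networking.nix` in this patch declares under `networking.hosts`, so three copies of the WireGuard address now exist and can drift silently when the tunnel address changes. Within this file the address should at least come from one binding, e.g. `"--add-host=nachtigall.pub.solar:${nachtigallWg}"` with `nachtigallWg = "10.7.6.1";` declared once; if the module receives `config`, deriving it from `config.networking.hosts` would keep it in step with the shared module as well. A one-line comment such as `# containers on drone-net do not see the host's /etc/hosts, so pin the WireGuard address here` would also explain why the entry is needed. The container definitions these `extraOptions` belong to start outside the hunk.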
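Review bot: The new `networking.hosts` entries carry no comment, so a reader of `modules/networking.nix` cannot tell that `10.7.6.1` and `10.7.6.2` are WireGuard tunnel addresses rather than public ones, nor that these static entries take precedence over DNS (including the DNSSEC/DNS-over-TLS resolvers configured further down) for those names on every host that imports this module. Suggest a comment above the block along the lines of `# WireGuard addresses; /etc/hosts wins over DNS for these names, so keep in sync with the tunnel config and the --add-host entries in hosts/flora-6/apps/drone.nix`. Whether the 10.7.6.0/24 addresses belong to the `wg-ssh` interface referenced two lines above is not visible here and should be stated in that comment if so.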
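Review bot: Dropping `DNSSEC=false` from `extraConfig` does not explicitly enable DNSSEC as the subject line says; it only falls back to whatever value the NixOS `services.resolved.dnssec` option renders for the pinned nixpkgs, which can differ between releases and may not be validation. Set the intended mode explicitly next to `enable = true;`, e.g. `dnssec = "allow-downgrade";` (or `"true"` if strict validation against the DNS-over-TLS upstreams above is the goal), so the effective policy is visible in this file. The deleted comment was the only record of why DNSSEC had been disabled; a one-line replacement such as `# DNSSEC re-enabled after the SERVFAIL issue from https://github.com/systemd/systemd/issues/10579 was reported fixed` keeps that history for the next person who sees resolution failures. Note also that the `networking.hosts` entries added earlier in this file bypass this resolver entirely for the listed names, which is worth mentioning in the same comment.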
From 8a9fe3b8fefe996430358c78983c461da387b98a Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Fri, 12 Apr 2024 21:35:08 +0200
Subject: [PATCH 2/2] chore: update flake inputs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

• Updated input 'nixpkgs': 'github:nixos/nixpkgs/d272ca50d1f7424fbfcd1e6f1c9e01d92f6da167' (2024-04-08) → 'github:nixos/nixpkgs/b2cf36f43f9ef2ded5711b30b1f393ac423d8f72' (2024-04-10)
• Updated input 'unstable': 'github:nixos/nixpkgs/4cba8b53da471aea2ab2b0c1f30a81e7c451f4b6' (2024-04-08) → 'github:nixos/nixpkgs/1042fd8b148a9105f3c0aca3a6177fd1d9360ba5' (2024-04-10)
---
 flake.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index f7f7c32e..f5fbb8b8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -180,11 +180,11 @@
 ]
 },
 "locked": {
- "lastModified": 1710888565,
- "narHash": "sha256-s9Hi4RHhc6yut4EcYD50sZWRDKsugBJHSbON8KFwoTw=",
+ "lastModified": 1712386041,
+ "narHash": "sha256-dA82pOMQNnCJMAsPG7AXG35VmCSMZsJHTFlTHizpKWQ=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "f33900124c23c4eca5831b9b5eb32ea5894375ce",
+ "rev": "d6bb9f934f2870e5cbc5b94c79e9db22246141ff",
 "type": "github"
 },
 "original": {
@@ -255,11 +255,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1712168706,
- "narHash": "sha256-XP24tOobf6GGElMd0ux90FEBalUtw6NkBSVh/RlA6ik=",
+ "lastModified": 1712741485,
+ "narHash": "sha256-bCs0+MSTra80oXAsnM6Oq62WsirOIaijQ/BbUY59tR4=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "1487bdea619e4a7a53a4590c475deabb5a9d1bfb",
+ "rev": "b2cf36f43f9ef2ded5711b30b1f393ac423d8f72",
 "type": "github"
 },
 "original": {
@@ -405,11 +405,11 @@
 },
 "unstable": {
 "locked": {
- "lastModified": 1712163089,
- "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=",
+ "lastModified": 1712791164,
+ "narHash": "sha256-3sbWO1mbpWsLepZGbWaMovSO7ndZeFqDSdX0hZ9nVyw=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5",
+ "rev": "1042fd8b148a9105f3c0aca3a6177fd1d9360ba5",
 "type": "github"
 },
 "original": {