From b6818d156cff8e86555b61f8a126d1ecd6c3918e Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Tue, 15 Aug 2023 16:21:59 +0200
Subject: [PATCH] move dnscrypt to port 443

---
 configuration.nix | 9 +++--
 email.nix | 2 +-
 matrix.nix | 2 +-
 nameserver.nix | 86 ++++++++++++++++++++++++++++++-----------------
 variables.nix | 4 ++-
 5 files changed, 68 insertions(+), 35 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index a3fec40..2f9b384 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -51,8 +51,8 @@
 64738 # mumble server
 ];
 firewall.allowedUDPPorts = [
+ 443 # dnscrypt
 53 # powerdns
- 1194 # dnscrypt
 3478 # turn server
 21027 # syncthing discovery
 64738 # mumble server
@@ -63,7 +63,12 @@
 usePredictableInterfaceNames = false;
 nameservers = [ "127.0.0.1" ];
 
- hosts."127.0.0.1" = [ config.var.hostname ];
+
+ # ensure hostname work without DNS
+ hosts = with config.var;
+ { ${ipv4LanAddress} = [ hostname ];
+ ${ipv6Address} = [ hostname ];
+ };
 };
 
 # Only declarative users and no password logins
diff --git a/email.nix b/email.nix
index 3ca1b50..13337da 100644
--- a/email.nix
+++ b/email.nix
@@ -52,7 +52,7 @@
 # Prefer IPv6
 smtp_address_preference = ipv6
 # Prevent binding on temporary addresses
- smtp_bind_address6 = 2001:470:c8e8:0:230:48ff:fefa:91e1
+ smtp_bind_address6 = ${config.var.ipv6Address}
 '';
 
 # Keep the key stable across renewals (for DANE)
diff --git a/matrix.nix b/matrix.nix
index 68e573c..6184b4a 100644
--- a/matrix.nix
+++ b/matrix.nix
@@ -185,7 +185,7 @@ in
 
 listening-ips = [ "0.0.0.0" ];
 extraConfig = ''
- external-ip=${config.var.ipAddress}
+ external-ip=${config.var.ipv4WanAddress}
 cipher-list=HIGH
 no-multicast-peers
 no-tlsv1
diff --git a/nameserver.nix b/nameserver.nix
index fa3af16..af022d2 100644
--- a/nameserver.nix
+++ b/nameserver.nix
@@ -1,52 +1,78 @@
-{ config, ... }:
+{ config, lib, ... }:
 
 # Setup:
 # PDNS recursor on port 53
-# DNSCrypt wrapper on port 1194
+# DNSCrypt wrapper on port 5353
 # NCDNS for Namecoin bit. zone resolution
+# sslh handling both HTTP and DSN on 443
 
 {
 # Recursive DNS resolver
- services.pdns-recursor = {
- enable = true;
- # Configures the bit. zone
- resolveNamecoin = true;
- # Use both IPv4 and IPv6
- dns.allowFrom = [ "0.0.0.0/0" "::0/0" ];
- settings.local-address = [ "0.0.0.0" "::" ];
- };
+ services.pdns-recursor =
+ { enable = true;
+ # Configures the bit. zone
+ resolveNamecoin = true;
+ # Use both IPv4 and IPv6
+ dns.allowFrom = [ "0.0.0.0/0" "::0/0" ];
+ settings.local-address = [ "0.0.0.0" "::" ];
+ };
 
 # Wrap the local recursive resolver
 # in DNSCrypt on the default OpenVPN port.
 # This port is chosen because it's usually
 # not blocked in corporate networks.
- services.dnscrypt-wrapper = {
- enable = true;
- address = "0.0.0.0";
- port = 1194;
- providerKey.public = config.secrets.dnscrypt.pub;
- providerKey.secret = config.secrets.dnscrypt.sec;
- };
+ services.dnscrypt-wrapper =
+ { enable = true;
+ address = "[::]";
+ providerKey.public = config.secrets.dnscrypt.pub;
+ providerKey.secret = config.secrets.dnscrypt.sec;
+ };
+
+ # Demultiplex HTTP and DNS from port 443
+ services.sslh =
+ { enable = true;
+ method = "ev";
+ settings.transparent = true;
+ settings.listen = with config.var; lib.mkForce
+ [ { host = hostname; port = "443"; is_udp = false; }
+ { host = hostname; port = "443"; is_udp = true; }
+ ];
+ settings.protocols =
+ [ # Send TLS to nginx (TCP)
+ { name = "tls"; host= "localhost"; port= "443"; }
+ # Send DNSCrypt to dnscrypt-wrapper (TCP or UDP)
+ { name = "anyprot"; host = "localhost"; port = "5353"; }
+ { name = "anyprot"; host = "localhost"; port = "5353"; is_udp = true;}
+ ];
+ };
+
+ # Prevent collision between sslh and nginx
+ services.nginx.virtualHosts = with config.var;
+ { "brve.bit" .listenAddresses = [ "localhost" ];
+ "mail.eurofusion.eu".listenAddresses = [ "localhost" ];
+ ${hostname} .listenAddresses = [ "localhost" ];
+ "riot.${hostname}" .listenAddresses = [ "localhost" ];
+ };
 
 # This is needed for the rotation of DNSCrypt keys
 security.polkit.enable = true;
 
 # Namecoin resolver
- services.ncdns = {
- enable = true;
- # This is currently broken, see ncdns issue:
- # https://github.com/namecoin/ncdns/issues/127
- dnssec.enable = false;
- };
+ services.ncdns =
+ { enable = true;
+ # This is currently broken, see ncdns issue:
+ # https://github.com/namecoin/ncdns/issues/127
+ dnssec.enable = false;
+ };
 
 # Namecoin daemon with RPC server
- services.namecoind = {
- enable = true;
- # This are used by the resolver (ncdns)
- # to query the blockchain.
- rpc.user = config.secrets.namecoin.user;
- rpc.password = config.secrets.namecoin.password;
- };
+ services.namecoind =
+ { enable = true;
+ # This are used by the resolver (ncdns)
+ # to query the blockchain.
+ rpc.user = config.secrets.namecoin.user;
+ rpc.password = config.secrets.namecoin.password;
+ };
 
 users.users.namecoin.group = "namecoin";
 
diff --git a/variables.nix b/variables.nix
index 9055bd3..7863b61 100644
--- a/variables.nix
+++ b/variables.nix
@@ -10,7 +10,9 @@
 readOnly = true;
 default = {
 hostname = "maxwell.ydns.eu";
- ipAddress = "2.35.5.112";
+ ipv4WanAddress = "2.35.5.112";
+ ipv4LanAddress = "192.168.1.5";
+ ipv6Address = "2001:470:c8e8:0:230:48ff:fefa:91e1";
 };
 description = "Global constants.";
 };
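Review bot: The comment on the added `443 # dnscrypt` line in `firewall.allowedUDPPorts` names the wrong listener: in nameserver.nix of this same patch, 443/UDP is bound by sslh, which hands the datagrams on to dnscrypt-wrapper on localhost:5353. Suggest `443 # sslh (dnscrypt over UDP)` so the firewall list matches the service that actually owns the port. The TCP side of 443 sits above the hunk and is presumably already open for nginx; sslh now needs it too, so it is worth confirming it is there and that 1194 is not still listed in `allowedTCPPorts`. The enclosing `networking` block starts and ends outside the hunk.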
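Review bot: The new `hosts` block removes the `127.0.0.1` entry, so the hostname now resolves only to `ipv4LanAddress` and `ipv6Address`, and any service that previously reached itself through the hostname on loopback will now go out through the LAN/WAN addresses instead. That looks deliberate, since sslh in nameserver.nix binds `host = hostname` on 443 while nginx is moved to `localhost`, but the comment should say so and is ungrammatical; suggest `# make the hostname resolve to the LAN/WAN addresses (not loopback) without DNS, so sslh can bind to it`. A listener bound to a non-loopback address also needs that address to be configured on an interface when it starts, so if the LAN address is assigned late at boot sslh may need ordering after the network comes up — I can't see the unit ordering from this hunk. The enclosing `networking` block starts outside the hunk.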
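Review bot: The rewritten `services.dnscrypt-wrapper` block drops `port = 1194;` without setting a replacement, while the header comment and both `anyprot` entries in `settings.protocols` hard-code 5353, so the wiring now relies on the module default happening to be 5353; pinning `port = 5353;` next to `address = "[::]";` makes that coupling explicit and survives a default change. The four context lines above the block still justify "the default OpenVPN port" that this commit abandons and should describe the new layout (wrapper on 5353, reached only through sslh on 443), and the header line has a typo: `# sslh handling both HTTP and DNS on 443`. Because `anyprot` is the catch-all, every non-TLS connection to 443/TCP is forwarded to the wrapper, which is fine by design but deserves a one-line comment on the protocol list, since it means the wrapper rather than sslh must reject whatever non-TLS traffic reaches 443. Since every sslh target is `localhost`, the wrapper may no longer need `address = "[::]"`; binding a loopback address would keep 5353 off the external interfaces regardless of firewall state, unless sslh's transparent mode requires a non-loopback backend address — verify before changing. The top-level attribute set closes outside the hunk.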
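Review bot: The three new constants in `default` are undocumented, and the one that is not self-explanatory — `ipv4LanAddress = "192.168.1.5"` — is consumed by `networking.hosts` in configuration.nix so that sslh can bind to the hostname; a comment naming that consumer would explain why a LAN address lives next to the WAN ones, e.g. `# LAN address: used in /etc/hosts so services can bind to the hostname`. Dropping `ipAddress` will fail evaluation for any file outside this patch that still reads `config.var.ipAddress`; only matrix.nix is updated here, so the rest of the tree is worth checking. The enclosing option declaration starts and ends outside the hunk.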