move dnscrypt to port 443
This commit is contained in:
parent
c1e5b4d542
commit
b6818d156c
@ -51,8 +51,8 @@
|
|||||||
64738 # mumble server
|
64738 # mumble server
|
||||||
];
|
];
|
||||||
firewall.allowedUDPPorts = [
|
firewall.allowedUDPPorts = [
|
||||||
|
443 # dnscrypt
|
||||||
53 # powerdns
|
53 # powerdns
|
||||||
1194 # dnscrypt
|
|
||||||
3478 # turn server
|
3478 # turn server
|
||||||
21027 # syncthing discovery
|
21027 # syncthing discovery
|
||||||
64738 # mumble server
|
64738 # mumble server
|
||||||
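Review bot: The new `443 # dnscrypt` entry in `allowedUDPPorts` names the wrong owner: in this commit port 443 is bound by sslh, which demultiplexes UDP (and TCP) 443 and only then forwards DNSCrypt to the wrapper on its local port, so the label should read `443 # sslh (DNSCrypt over UDP, TLS/DNSCrypt over TCP)`. An accurate label matters here because this list is what keeps the wrapper's own listener private — its local port is correctly not opened, and a later reader should not be tempted to "fix" that. The `allowedTCPPorts` list that sslh's TCP listener on 443 depends on ends above this hunk and cannot be checked from here.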
@ -63,7 +63,12 @@
|
|||||||
|
|
||||||
usePredictableInterfaceNames = false;
|
usePredictableInterfaceNames = false;
|
||||||
nameservers = [ "127.0.0.1" ];
|
nameservers = [ "127.0.0.1" ];
|
||||||
hosts."127.0.0.1" = [ config.var.hostname ];
|
|
||||||
|
# ensure hostname work without DNS
|
||||||
|
hosts = with config.var;
|
||||||
|
{ ${ipv4LanAddress} = [ hostname ];
|
||||||
|
${ipv6Address} = [ hostname ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Only declarative users and no password logins
|
# Only declarative users and no password logins
|
||||||
|
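Review bot: The new `hosts` block is what sslh relies on to bind port 443 (its listen entries use `host = hostname` in this commit), so a stale `ipv4LanAddress` or `ipv6Address` in `config.var` would silently move or fail the public listener; the comment should say that, e.g. `# Make the hostname resolve without DNS; sslh binds :443 by this name, so keep these in sync with config.var.` (which also fixes "work" → "works"). Replacing the `127.0.0.1` entry means the hostname no longer maps to loopback, presumably so sslh does not bind there — worth confirming nothing else resolved the hostname expecting loopback. The enclosing `networking` attribute set starts before this hunk.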
@ -52,7 +52,7 @@
|
|||||||
# Prefer IPv6
|
# Prefer IPv6
|
||||||
smtp_address_preference = ipv6
|
smtp_address_preference = ipv6
|
||||||
# Prevent binding on temporary addresses
|
# Prevent binding on temporary addresses
|
||||||
smtp_bind_address6 = 2001:470:c8e8:0:230:48ff:fefa:91e1
|
smtp_bind_address6 = ${config.var.ipv6Address}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# Keep the key stable across renewals (for DANE)
|
# Keep the key stable across renewals (for DANE)
|
||||||
|
@ -185,7 +185,7 @@ in
|
|||||||
listening-ips = [ "0.0.0.0" ];
|
listening-ips = [ "0.0.0.0" ];
|
||||||
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
external-ip=${config.var.ipAddress}
|
external-ip=${config.var.ipv4WanAddress}
|
||||||
cipher-list=HIGH
|
cipher-list=HIGH
|
||||||
no-multicast-peers
|
no-multicast-peers
|
||||||
no-tlsv1
|
no-tlsv1
|
||||||
|
@ -1,52 +1,78 @@
|
|||||||
{ config, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
# Setup:
|
# Setup:
|
||||||
# PDNS recursor on port 53
|
# PDNS recursor on port 53
|
||||||
# DNSCrypt wrapper on port 1194
|
# DNSCrypt wrapper on port 5353
|
||||||
# NCDNS for Namecoin bit. zone resolution
|
# NCDNS for Namecoin bit. zone resolution
|
||||||
|
# sslh handling both HTTP and DSN on 443
|
||||||
|
|
||||||
{
|
{
|
||||||
# Recursive DNS resolver
|
# Recursive DNS resolver
|
||||||
services.pdns-recursor = {
|
services.pdns-recursor =
|
||||||
enable = true;
|
{ enable = true;
|
||||||
# Configures the bit. zone
|
# Configures the bit. zone
|
||||||
resolveNamecoin = true;
|
resolveNamecoin = true;
|
||||||
# Use both IPv4 and IPv6
|
# Use both IPv4 and IPv6
|
||||||
dns.allowFrom = [ "0.0.0.0/0" "::0/0" ];
|
dns.allowFrom = [ "0.0.0.0/0" "::0/0" ];
|
||||||
settings.local-address = [ "0.0.0.0" "::" ];
|
settings.local-address = [ "0.0.0.0" "::" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Wrap the local recursive resolver
|
# Wrap the local recursive resolver
|
||||||
# in DNSCrypt on the default OpenVPN port.
|
# in DNSCrypt on the default OpenVPN port.
|
||||||
# This port is chosen because it's usually
|
# This port is chosen because it's usually
|
||||||
# not blocked in corporate networks.
|
# not blocked in corporate networks.
|
||||||
services.dnscrypt-wrapper = {
|
services.dnscrypt-wrapper =
|
||||||
enable = true;
|
{ enable = true;
|
||||||
address = "0.0.0.0";
|
address = "[::]";
|
||||||
port = 1194;
|
providerKey.public = config.secrets.dnscrypt.pub;
|
||||||
providerKey.public = config.secrets.dnscrypt.pub;
|
providerKey.secret = config.secrets.dnscrypt.sec;
|
||||||
providerKey.secret = config.secrets.dnscrypt.sec;
|
};
|
||||||
};
|
|
||||||
|
# Demultiplex HTTP and DNS from port 443
|
||||||
|
services.sslh =
|
||||||
|
{ enable = true;
|
||||||
|
method = "ev";
|
||||||
|
settings.transparent = true;
|
||||||
|
settings.listen = with config.var; lib.mkForce
|
||||||
|
[ { host = hostname; port = "443"; is_udp = false; }
|
||||||
|
{ host = hostname; port = "443"; is_udp = true; }
|
||||||
|
];
|
||||||
|
settings.protocols =
|
||||||
|
[ # Send TLS to nginx (TCP)
|
||||||
|
{ name = "tls"; host= "localhost"; port= "443"; }
|
||||||
|
# Send DNSCrypt to dnscrypt-wrapper (TCP or UDP)
|
||||||
|
{ name = "anyprot"; host = "localhost"; port = "5353"; }
|
||||||
|
{ name = "anyprot"; host = "localhost"; port = "5353"; is_udp = true;}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Prevent collision between sslh and nginx
|
||||||
|
services.nginx.virtualHosts = with config.var;
|
||||||
|
{ "brve.bit" .listenAddresses = [ "localhost" ];
|
||||||
|
"mail.eurofusion.eu".listenAddresses = [ "localhost" ];
|
||||||
|
${hostname} .listenAddresses = [ "localhost" ];
|
||||||
|
"riot.${hostname}" .listenAddresses = [ "localhost" ];
|
||||||
|
};
|
||||||
|
|
||||||
# This is needed for the rotation of DNSCrypt keys
|
# This is needed for the rotation of DNSCrypt keys
|
||||||
security.polkit.enable = true;
|
security.polkit.enable = true;
|
||||||
|
|
||||||
# Namecoin resolver
|
# Namecoin resolver
|
||||||
services.ncdns = {
|
services.ncdns =
|
||||||
enable = true;
|
{ enable = true;
|
||||||
# This is currently broken, see ncdns issue:
|
# This is currently broken, see ncdns issue:
|
||||||
# https://github.com/namecoin/ncdns/issues/127
|
# https://github.com/namecoin/ncdns/issues/127
|
||||||
dnssec.enable = false;
|
dnssec.enable = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Namecoin daemon with RPC server
|
# Namecoin daemon with RPC server
|
||||||
services.namecoind = {
|
services.namecoind =
|
||||||
enable = true;
|
{ enable = true;
|
||||||
# This are used by the resolver (ncdns)
|
# This are used by the resolver (ncdns)
|
||||||
# to query the blockchain.
|
# to query the blockchain.
|
||||||
rpc.user = config.secrets.namecoin.user;
|
rpc.user = config.secrets.namecoin.user;
|
||||||
rpc.password = config.secrets.namecoin.password;
|
rpc.password = config.secrets.namecoin.password;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.namecoin.group = "namecoin";
|
users.users.namecoin.group = "namecoin";
|
||||||
|
|
||||||
|
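Review bot: `services.dnscrypt-wrapper.address = "[::]"` binds the wrapper on every IPv6 interface even though its only client is now sslh forwarding to `localhost`; bind it to loopback instead, e.g. `address = "127.0.0.1";` with `host = "127.0.0.1"` in the two `anyprot` entries, so the unwrapped listener is not one missed firewall entry away from being public (the firewall hunk in this commit correctly does not open it). The explicit `port` was dropped and the header comment says 5353; if that is the module default, pin it with `port = 5353;` so the sslh targets cannot drift from the wrapper. The comment block `# in DNSCrypt on the default OpenVPN port. This port is chosen because it's usually not blocked in corporate networks.` is now stale — the wrapper sits on a local port and the port-443 rationale belongs to sslh — and should be rewritten along the lines of `# in DNSCrypt, reached through sslh on 443 (rarely blocked).` The `listenAddresses = [ "localhost" ]` overrides cover only the four named virtualHosts; any vhost defined elsewhere would still bind the default addresses and collide with sslh on 443, so a module-wide default listen address (if the nginx module in use offers one) would be more robust. The module's closing brace is outside this hunk.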
@ -10,7 +10,9 @@
|
|||||||
readOnly = true;
|
readOnly = true;
|
||||||
default = {
|
default = {
|
||||||
hostname = "maxwell.ydns.eu";
|
hostname = "maxwell.ydns.eu";
|
||||||
ipAddress = "2.35.5.112";
|
ipv4WanAddress = "2.35.5.112";
|
||||||
|
ipv4LanAddress = "192.168.1.5";
|
||||||
|
ipv6Address = "2001:470:c8e8:0:230:48ff:fefa:91e1";
|
||||||
};
|
};
|
||||||
description = "Global constants.";
|
description = "Global constants.";
|
||||||
};
|
};
|
||||||
|
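Review bot: The two new constants carry no note of who consumes them, yet this commit wires `ipv4LanAddress` into `networking.hosts` (and through it the sslh bind address) and `ipv6Address` into both `networking.hosts` and the Postfix `smtp_bind_address6`; add one-line comments such as `# LAN address the hostname resolves to; sslh binds :443 here` and `# Global IPv6 address; also the Postfix bind address`. Since the hostname is a dynamic-DNS name, hard-coding WAN and LAN addresses is presumably intentional (static assignments) — stating that in a comment avoids a DHCP or prefix change being discovered only through a failed listener. The enclosing option definition starts above this hunk.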