move dnscrypt to port 443

This commit is contained in:
Michele Guerini Rocco 2023-08-15 16:21:59 +02:00
parent c1e5b4d542
commit b6818d156c
Signed by: rnhmjoj
GPG Key ID: BFBAF4C975F76450
5 changed files with 68 additions and 35 deletions


@ -51,8 +51,8 @@
64738 # mumble server
];
firewall.allowedUDPPorts = [
443 # dnscrypt
53 # powerdns
1194 # dnscrypt
3478 # turn server
21027 # syncthing discovery
64738 # mumble server
@ -63,7 +63,12 @@
usePredictableInterfaceNames = false;
nameservers = [ "127.0.0.1" ];
hosts."127.0.0.1" = [ config.var.hostname ];
# ensure hostname work without DNS
hosts = with config.var;
{ ${ipv4LanAddress} = [ hostname ];
${ipv6Address} = [ hostname ];
};
};
# Only declarative users and no password logins
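Review bot: `443 # dnscrypt` in allowedUDPPorts is misleading now: UDP 443 is owned by sslh, which hands the datagrams on to dnscrypt-wrapper on 5353, so `443 # sslh (dnscrypt)` names the process that actually listens there. The new `hosts` block maps the hostname to both the LAN IPv4 and the IPv6 address while the loopback entry goes away; since sslh is told to listen on `host = hostname`, which of those addresses it ends up bound to depends on how it treats a name that resolves to two addresses, so it is worth confirming after deploy that both 443/tcp and 443/udp are bound where the firewall expects. The comment `# ensure hostname work without DNS` should read `# ensure the hostname resolves without DNS`. The second hunk's header (7 old lines, 12 new) does not match the ten lines shown, so part of that hunk appears to be cut from this view.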


@ -52,7 +52,7 @@
# Prefer IPv6
smtp_address_preference = ipv6
# Prevent binding on temporary addresses
smtp_bind_address6 = 2001:470:c8e8:0:230:48ff:fefa:91e1
smtp_bind_address6 = ${config.var.ipv6Address}
'';
# Keep the key stable across renewals (for DANE)


@ -185,7 +185,7 @@ in
listening-ips = [ "0.0.0.0" ];
extraConfig = ''
external-ip=${config.var.ipAddress}
external-ip=${config.var.ipv4WanAddress}
cipher-list=HIGH
no-multicast-peers
no-tlsv1


@ -1,14 +1,15 @@
{ config, ... }:
{ config, lib, ... }:
# Setup:
# PDNS recursor on port 53
# DNSCrypt wrapper on port 1194
# DNSCrypt wrapper on port 5353
# NCDNS for Namecoin bit. zone resolution
# sslh handling both HTTP and DSN on 443
{
# Recursive DNS resolver
services.pdns-recursor = {
enable = true;
services.pdns-recursor =
{ enable = true;
# Configures the bit. zone
resolveNamecoin = true;
# Use both IPv4 and IPv6
@ -20,28 +21,53 @@
# in DNSCrypt on the default OpenVPN port.
# This port is chosen because it's usually
# not blocked in corporate networks.
services.dnscrypt-wrapper = {
enable = true;
address = "0.0.0.0";
port = 1194;
services.dnscrypt-wrapper =
{ enable = true;
address = "[::]";
providerKey.public = config.secrets.dnscrypt.pub;
providerKey.secret = config.secrets.dnscrypt.sec;
};
# Demultiplex HTTP and DNS from port 443
services.sslh =
{ enable = true;
method = "ev";
settings.transparent = true;
settings.listen = with config.var; lib.mkForce
[ { host = hostname; port = "443"; is_udp = false; }
{ host = hostname; port = "443"; is_udp = true; }
];
settings.protocols =
[ # Send TLS to nginx (TCP)
{ name = "tls"; host= "localhost"; port= "443"; }
# Send DNSCrypt to dnscrypt-wrapper (TCP or UDP)
{ name = "anyprot"; host = "localhost"; port = "5353"; }
{ name = "anyprot"; host = "localhost"; port = "5353"; is_udp = true;}
];
};
# Prevent collision between sslh and nginx
services.nginx.virtualHosts = with config.var;
{ "brve.bit" .listenAddresses = [ "localhost" ];
"mail.eurofusion.eu".listenAddresses = [ "localhost" ];
${hostname} .listenAddresses = [ "localhost" ];
"riot.${hostname}" .listenAddresses = [ "localhost" ];
};
# This is needed for the rotation of DNSCrypt keys
security.polkit.enable = true;
# Namecoin resolver
services.ncdns = {
enable = true;
services.ncdns =
{ enable = true;
# This is currently broken, see ncdns issue:
# https://github.com/namecoin/ncdns/issues/127
dnssec.enable = false;
};
# Namecoin daemon with RPC server
services.namecoind = {
enable = true;
services.namecoind =
{ enable = true;
# This are used by the resolver (ncdns)
# to query the blockchain.
rpc.user = config.secrets.namecoin.user;
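Review bot: The DNSCrypt wrapper no longer declares a port (the old `port = 1194;` is dropped and nothing replaces it), so the `5353` that both `anyprot` entries of sslh forward to only matches if the module default happens to be 5353; pin it with `port = 5353;` next to `address = "[::]";` so the two sides cannot drift apart. The comment that leads into this hunk (`# in DNSCrypt on the default OpenVPN port. This port is chosen because it's usually not blocked in corporate networks.`, which starts before the hunk) now describes the old layout and should say the wrapper sits on 5353 behind sslh on 443. The header comment `# sslh handling both HTTP and DSN on 443` has a typo and overstates what is diverted, since the `tls` rule only matches TLS; `# sslh demultiplexing TLS (nginx) and DNSCrypt on 443` is closer. Because `anyprot` is a catch-all, every non-TLS TCP connection and every UDP datagram that reaches 443 is delivered to dnscrypt-wrapper, so that service now receives arbitrary unsolicited traffic rather than only DNSCrypt clients, which is worth a one-line comment next to the rule and a look at how the wrapper logs malformed input. Minor style: `host= "localhost"; port= "443"` on the tls line uses different spacing from the other entries, and the nginx `listenAddresses` list is hand-enumerated, so any vhost added later without it will bind 0.0.0.0:443 and collide with sslh again.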


@ -10,7 +10,9 @@
readOnly = true;
default = {
hostname = "maxwell.ydns.eu";
ipAddress = "2.35.5.112";
ipv4WanAddress = "2.35.5.112";
ipv4LanAddress = "192.168.1.5";
ipv6Address = "2001:470:c8e8:0:230:48ff:fefa:91e1";
};
description = "Global constants.";
};
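Review bot: Renaming `ipAddress` to `ipv4WanAddress` without an alias means any module outside these five files that still reads `config.var.ipAddress` fails at evaluation time; if such readers may exist, keep `ipAddress = "2.35.5.112";` alongside the new name for a transition, or check the tree before merging. The three address fields also carry no note on what each one is for, and `description = "Global constants."` on the option does not cover them; a short comment per field, such as `# public address (TURN external-ip)` on the WAN entry and `# address the hostname resolves to in /etc/hosts` on the LAN entry, would make the split between WAN, LAN and IPv6 self-explanatory. Naming is slightly uneven as well: `ipv4WanAddress`/`ipv4LanAddress` versus plain `ipv6Address`.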