diff --git a/nixos/hosts/fw1-nwk2/default.nix b/nixos/hosts/fw1-nwk2/default.nix index add125d..d022c02 100644 --- a/nixos/hosts/fw1-nwk2/default.nix +++ b/nixos/hosts/fw1-nwk2/default.nix @@ -1,4 +1,10 @@ -{ lib, inputs, pkgs, ... }: +{ + lib, + inputs, + pkgs, + config, + ... +}: let zoneSerial = toString inputs.self.lastModified; in @@ -10,7 +16,7 @@ in ]; networking.hostName = "fw1"; networking.domain = "nwk2.rabbito.tech"; - services.cfdyndns.records = [ + services.cloudflare-dyndns.domains = [ "fw-1.nwk2.rabbito.tech" "nwk2.rabbito.tech" ]; @@ -34,11 +40,56 @@ in ''; networking.interfaces = { - vlan8 = { ipv4 = { addresses = [{ address = "192.168.15.1"; prefixLength = 24; }]; }; }; - vlan10 = { ipv4 = { addresses = [{ address = "192.168.7.1"; prefixLength = 24; }]; }; }; - vlan99 = { ipv4 = { addresses = [{ address = "10.30.99.1"; prefixLength = 24; }]; }; }; - vlan100 = { ipv4 = { addresses = [{ address = "192.168.11.1"; prefixLength = 24; }]; }; }; - vlan101 = { ipv4 = { addresses = [{ address = "192.168.5.1"; prefixLength = 24; }]; }; }; + vlan8 = { + ipv4 = { + addresses = [ + { + address = "192.168.15.1"; + prefixLength = 24; + } + ]; + }; + }; + vlan10 = { + ipv4 = { + addresses = [ + { + address = "192.168.7.1"; + prefixLength = 24; + } + ]; + }; + }; + vlan99 = { + ipv4 = { + addresses = [ + { + address = "10.30.99.1"; + prefixLength = 24; + } + ]; + }; + }; + vlan100 = { + ipv4 = { + addresses = [ + { + address = "192.168.11.1"; + prefixLength = 24; + } + ]; + }; + }; + vlan101 = { + ipv4 = { + addresses = [ + { + address = "192.168.5.1"; + prefixLength = 24; + } + ]; + }; + }; }; services.tailscale.extraUpFlags = [ "--advertise-routes=192.168.11.0/24,10.30.99.0/24,192.168.7.0/24" 
@@ -162,21 +213,116 @@ in
 zones = {
 "nwk2.rabbito.tech." = {
 master = true;
- file = pkgs.writeText "nwk2.rabbito.tech" (lib.strings.concatStrings [
- ''
- $ORIGIN nwk2.rabbito.tech.
- $TTL 86400
- @ IN SOA nwk2.rabbito.tech. admin.rabbito.tech (
- ${zoneSerial} ; serial number
- 3600 ; refresh
- 900 ; retry
- 1209600 ; expire
- 1800 ; ttl
- )
- IN NS fw1.nwk2.rabbito.tech.
- fw1 IN A 10.30.99.1
- ''
- ]);
+ file = pkgs.writeText "nwk2.rabbito.tech" (
+ lib.strings.concatStrings [
+ ''
+ $ORIGIN nwk2.rabbito.tech.
+ $TTL 86400
+ @ IN SOA nwk2.rabbito.tech. admin.rabbito.tech (
+ ${zoneSerial} ; serial number
+ 3600 ; refresh
+ 900 ; retry
+ 1209600 ; expire
+ 1800 ; ttl
+ )
+ IN NS fw1.nwk2.rabbito.tech.
+ fw1 IN A 10.30.99.1
+ ''
+ ]
+ );
+ };
+ "11.168.192.in-addr.arpa." = {
+ master = true;
+ extraConfig = ''
+ allow-update { key "dhcp-update-key"; };
+ journal "${config.services.bind.directory}/db.11.168.192.in-addr.arpa.jnl";
+ '';
+ file = pkgs.writeText "11.168.192.in-addr.arpa" (
+ lib.strings.concatStrings [
+ ''
+ $ORIGIN 11.168.192.in-addr.arpa.
+ $TTL 86400
+ @ IN SOA nwk2.rabbito.tech. admin.rabbito.tech (
+ ${zoneSerial} ; serial number
+ 3600 ; refresh
+ 900 ; retry
+ 1209600 ; expire
+ 1800 ; ttl
+ )
+ IN NS fw1.nwk2.rabbito.tech.
+ ''
+ ]
+ );
+ };
+ "7.168.192.in-addr.arpa." = {
+ master = true;
+ extraConfig = ''
+ allow-update { key "dhcp-update-key"; };
+ journal "${config.services.bind.directory}/db.7.168.192.in-addr.arpa.jnl";
+ '';
+ file = pkgs.writeText "7.168.192.in-addr.arpa" (
+ lib.strings.concatStrings [
+ ''
+ $ORIGIN 7.168.192.in-addr.arpa.
+ $TTL 86400
+ @ IN SOA nwk2.rabbito.tech. admin.rabbito.tech (
+ ${zoneSerial} ; serial number
+ 3600 ; refresh
+ 900 ; retry
+ 1209600 ; expire
+ 1800 ; ttl
+ )
+ IN NS fw1.nwk2.rabbito.tech.
+ ''
+ ]
+ );
+ };
+ "5.58.192.in-addr.arpa." = {
+ master = true;
+ extraConfig = ''
+ allow-update { key "dhcp-update-key"; };
+ journal "${config.services.bind.directory}/db.5.168.192.in-addr.arpa.jnl";
+ '';
+ file = pkgs.writeText "5.168.192.in-addr.arpa" (
+ lib.strings.concatStrings [
+ ''
+ $ORIGIN 5.168.192.in-addr.arpa.
+ $TTL 86400
+ @ IN SOA nwk2.rabbito.tech. admin.rabbito.tech (
+ ${zoneSerial} ; serial number
+ 3600 ; refresh
+ 900 ; retry
+ 1209600 ; expire
+ 1800 ; ttl
+ )
+ IN NS fw1.nwk2.rabbito.tech.
+ ''
+ ]
+ );
+ };
+ "99.30.10.in-addr.arpa." = {
+ master = true;
+ extraConfig = ''
+ allow-update { key "dhcp-update-key"; };
+ journal "${config.services.bind.directory}/db.99.30.10.in-addr.arpa.jnl";
+ '';
+ file = pkgs.writeText "99.30.10.in-addr.arpa" (
+ lib.strings.concatStrings [
+ ''
+ $ORIGIN 99.30.10.in-addr.arpa.
+ $TTL 86400
+ @ IN SOA nwk2.rabbito.tech. admin.rabbito.tech (
+ ${zoneSerial} ; serial number
+ 3600 ; refresh
+ 900 ; retry
+ 1209600 ; expire
+ 1800 ; ttl
+ )
+ IN NS fw1.nwk2.rabbito.tech.
+ 1 IN PTR fw1.nwk2.rabbito.tech.
+ ''
+ ]
+ );
 };
 };
 };
diff --git a/nixos/hosts/fw1-nwk3/default.nix b/nixos/hosts/fw1-nwk3/default.nix
index 2bf2f56..ea7ceeb 100644
--- a/nixos/hosts/fw1-nwk3/default.nix
+++ b/nixos/hosts/fw1-nwk3/default.nix
@@ -16,7 +16,7 @@ in
 ];
 networking.hostName = "fw1";
 networking.domain = "nwk3.rabbito.tech";
- services.cfdyndns.records = [
+ services.cloudflare-dyndns.domains = [
 "fw-1.nwk3.rabbito.tech"
 "nwk3.rabbito.tech"
 ];
diff --git a/nixos/personalities/server/router/ddns.nix b/nixos/personalities/server/router/ddns.nix
index f6e9e09..da4c637 100644
--- a/nixos/personalities/server/router/ddns.nix
+++ b/nixos/personalities/server/router/ddns.nix
@@ -17,7 +17,7 @@ in
 owner = config.systemd.services.kea-dhcp-ddns-server.serviceConfig.User;
 group = config.systemd.services.kea-dhcp-ddns-server.serviceConfig.User;
 };
- services.cfdyndns = {
+ services.cloudflare-dyndns = {
 enable = true;
 apiTokenFile = config.sops.secrets.cfApiToken.path;
 };
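Review bot: The fourth reverse zone is keyed as `"5.58.192.in-addr.arpa."` while its `$ORIGIN`, zone file name and journal path all say `5.168.192.in-addr.arpa`, so unless that is a transcription artifact BIND will serve the vlan101 (192.168.5.0/24) data under the wrong zone name and Kea's PTR updates for 192.168.5.x will be refused as not authoritative; the key should read `"5.168.192.in-addr.arpa." = {`. Separately, `allow-update { key "dhcp-update-key"; };` lets whoever holds the DHCP TSIG key add or delete any record type at any name in these zones, including the SOA and NS; since the DHCP server only needs PTR records here, the least-privilege form is `update-policy { grant dhcp-update-key zonesub PTR; };` in place of the allow-update line in each of the four reverse zones (BIND rejects a zone that sets both). The forward zone `nwk2.rabbito.tech.` gets neither directive in this hunk, so if Kea is also configured for forward (A/AAAA) updates they will be rejected — worth confirming against the kea-dhcp-ddns configuration, which is outside this diff.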
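Review bot: `apiTokenFile = config.sops.secrets.cfApiToken.path;` is carried over unchanged, but the nixpkgs cloudflare-dyndns module, as far as I recall, passes that path to systemd as an `EnvironmentFile`, so the secret must contain `CLOUDFLARE_API_TOKEN=<token>` rather than a bare token or the variable name the old cfdyndns module expected; the re-encrypted `cfApiToken` in the same commit is presumably that reformat, but nothing in the hunk says so. A comment on the option would spare the next reader a failed unit start: `# cloudflare-dyndns loads this as a systemd EnvironmentFile: contents must be CLOUDFLARE_API_TOKEN=<token>`. Since the token was rotated here anyway, a second line noting the intended scope (`# token scoped to DNS:Edit on the rabbito.tech zone only`) would document the blast radius of the file every router personality now shares. The enclosing module body continues outside the hunk.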
diff --git a/secrets/users.yaml b/secrets/users.yaml index 1ef339f..494ab58 100644 --- a/secrets/users.yaml +++ b/secrets/users.yaml @@ -4,7 +4,7 @@ chromium-client-id: ENC[AES256_GCM,data:Rs3oOBRT9Efrp805fGzRGOJ6WhJAd1TApCiWYnBq chromium-client-secret: ENC[AES256_GCM,data:CrQUBfe8lZHdYkCbi7NfBUqqTK2BBe518OejzdWfJ3ozCy0=,iv:6bfQeF/6dggeMIssfAsdENHWSug81g4gswxao0sSveQ=,tag:BwUK/DQ4JIiBtCkV8MkZ5Q==,type:str] tailscale-auth-key: ENC[AES256_GCM,data:bZlL8FYKJMOfj1RWHZFIgNkGY5G4qwBohZKf9aavYOelrIDjWb6kot3eLhGR6S3cJt+/pzFv75143AKrUNc=,iv:I3BAY57o8Bl7BIqRXzEmjDvNg1j6EPKS6KlDn0WXDLU=,tag:EP3KB3QOgqAVO8XXQ5Twog==,type:str] nixbuild-ssh-key: ENC[AES256_GCM,data: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,iv:UmwIuZIvndyzPQvsm/3M+EwA3gyfyLxZfFcKK6tkkVg=,tag:hIDXKv3E+7SPDBPwSmyV4Q==,type:str] -cfApiToken: ENC[AES256_GCM,data:H58ODWo3uRm/V4MuNRXV/LxGq6eSX/Og+k95wyV3cLLy9GCVPJP/AA==,iv:z71Fyl6XjcOwl0mwu/sycYm6g3ZZ8HijeeILWXUwUII=,tag:BIXwlUfI7CywLga4+zF87g==,type:str] +cfApiToken: ENC[AES256_GCM,data:Ajy7NlkGlHeOoHN3xfl7Eo/mUNUYRGYQJrD/kTbWkLU0QxowGEJPO8oGaB9NrOhuT6R0pAuAugTWj+/Yxg==,iv:MmGlH8xw1Buy9w7mJlGG9/RbLgB36iCMc5/0uHz0qwA=,tag:0uSCWejKa4mn1yt+vGn88g==,type:str] ddns-tsig-key: ENC[AES256_GCM,data:QstpuXoJUplS4BxvRmGIbGBk0+uiLtbyE5XV3CcCcJd6xz7CCIOpsb/YR7w=,iv:2eEL8mD49o9+Qd0VPGAkkudBZOv5YV9h5vuHnugJ8BY=,tag:nurtUr3nfPOmwAExybJsNQ==,type:str] bind-ddns-tsig-file: ENC[AES256_GCM,data:VoZh19vnpVxad/PBJdIv8axpZfZZA/txPNESwwRk23YrJ2aSJ+I19LbLPPniEryFSUchyaDocgeLy0vTC/FElc2IQQoj4oEX8sUeskL6Mi57WsZYLAQfIVEr1R0vyja6f+XOUSwmI/suU3AHDhmkSu0=,iv:cUKG+55PQiaGYm3056ri5OsG10YFJMWyC9+rPg6e7DM=,tag:J2PNelxamFMaUTbfN4dWcw==,type:str] sops: 
@@ -94,8 +94,8 @@ sops: aXVheUlzK3prQWR5bytPcmlWSC9qOFEKmLiEcU0rCyi7HnBlgG/WZESnqC8erjKa jNXj+pFjHW8bq6DlC8lclufntBiu7GYyX73SAE3Tpa9vMTyooGlv0g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-13T01:37:56Z" - mac: ENC[AES256_GCM,data:8oW84vt/OyouzxAut+LD40tzfinoyXBMELsXuzDiQOPPXsj/GHf4kgAI0lFgjswGM6z8IWE1yvgpMryW59qTulbWnjfC753PQnmBvD2YGB1ASGq3OulursIGGtksWeUC3KDKcg4iAWeqXI6u7tTc+4hi5MTi7nPmQbjn1UrxZso=,iv:+r1IgqsV5402DU/ZmHTxgsS3wc0quSMfgyXGM/hScZE=,tag:nPE9vfoB94KJQcVQh+TeWQ==,type:str] + lastmodified: "2025-01-19T15:26:04Z" + mac: ENC[AES256_GCM,data:qU3HChCRp70wbNNfmQtkFoMWNTZQmDFVTATtOMU9PhBUBHF4Kxnyg5qnXgpfhyYtpbjs1kNFd+Gh5IsvRwI8GccsL+Q6dd1UT148ajpnBLNNZnRNS7kLK9Crh1Y0ganPul0WBHWJspzyyNBfRrigk4LMyoBXGnei6/zeRDJMvV4=,iv:BDbhV5kHxydzla3//HTNYllpTDH06CyJbsxYWLhnTHU=,tag:wSBlFyXFWOI8m+xdg8rPpA==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.9.3