From 07ecda1116ffbd5c95a9219b6afc12d865bf2eaf Mon Sep 17 00:00:00 2001
From: Colin
Date: Sun, 18 May 2025 06:07:10 +0000
Subject: [PATCH] servo: update OVPN IP address

---
 hosts/by-name/servo/net/ovpn.nix | 10 +++++-----
 hosts/by-name/servo/services/email/default.nix | 4 ++--
 hosts/by-name/servo/services/email/postfix.nix | 2 +-
 scripts/check-uninsane | 8 +++++++-
 secrets/servo/wg_ovpns_privkey.bin | 15 +++++----------
 5 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/hosts/by-name/servo/net/ovpn.nix b/hosts/by-name/servo/net/ovpn.nix
index 6628ebdce..5afdeac3a 100644
--- a/hosts/by-name/servo/net/ovpn.nix
+++ b/hosts/by-name/servo/net/ovpn.nix
@@ -1,6 +1,6 @@
 { config, ... }: {
- sane.ovpn.addrV4 = "172.23.174.114";
+ sane.ovpn.addrV4 = "172.23.174.114"; #< this applies to the dynamic VPNs -- NOT the static VPN
 # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:8df3:14b0";
 # OVPN CONFIG (https://www.ovpn.com):
@@ -12,9 +12,9 @@
 dns.ipv4 = "46.227.67.134"; #< DNS requests inside the namespace are forwarded here
 # wg.port = 51822;
 wg.privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
- wg.address.ipv4 = "185.157.162.178";
- wg.peer.publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs=";
- wg.peer.endpoint = "vpn36.prd.amsterdam.ovpn.com:9930";
- # wg.peer.endpoint = "185.157.162.10:9930";
+ wg.address.ipv4 = "156.146.51.235"; #< IP address for my end of the VPN tunnel. for OVPN public IPv4, this is also the public IP address.
+ wg.peer.publicKey = "7cpFX9zXv+2hQnGOKpqyDC4HvjkBDOUOfF7zS7xBayE="; #< pubkey by which i can authenticate OVPN, varies per OVPN endpoint
+ wg.peer.endpoint = "vpn102.prd.seattle.ovpn.com:9930";
+ # wg.peer.endpoint = "156.146.51.227:9929";
 };
 }
diff --git a/hosts/by-name/servo/services/email/default.nix b/hosts/by-name/servo/services/email/default.nix
index 848df134a..9c3643643 100644
--- a/hosts/by-name/servo/services/email/default.nix
+++ b/hosts/by-name/servo/services/email/default.nix
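Review bot: The commented-out numeric fallback `# wg.peer.endpoint = "156.146.51.227:9929";` now uses a different port (9929) from the live hostname endpoint `vpn102.prd.seattle.ovpn.com:9930` directly above it, whereas the pair it replaces (`185.157.162.10:9930` / `vpn36.prd.amsterdam.ovpn.com:9930`) agreed, so it is unclear whether the fallback still targets the same server or was copied from a different OVPN export. Either align the port or say why it differs, e.g. `# wg.peer.endpoint = "156.146.51.227:9929"; #< numeric fallback if DNS is down; port differs from the hostname form -- confirm against OVPN's export for vpn102`. Because the endpoint is a hostname, the `wg.peer.publicKey` pin is the only thing authenticating the far end, so the comment on that line would be more useful if it recorded where the key was obtained (the per-server config export) so a future endpoint swap is not made without re-verifying the key. The enclosing attribute set opens before this hunk.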
@@ -25,10 +25,10 @@
 #
 # debugging: general connectivity issues
 # - test that inbound port 25 is unblocked:
-# - `curl https://canyouseeme.org/ --data 'port=25&IP=185.157.162.178' | grep 'see your service'`
+# - `curl https://canyouseeme.org/ --data 'port=25&IP=$MX_IP' | grep 'see your service'`
 # - and retry with port 465, 587
 # - i think this API requires the queried IP match the source IP
-# - if necessary, `systemctl stop postfix` and `sudo nc -l 185.157.162.178 25`, then try https://canyouseeme.org
+# - if necessary, `systemctl stop postfix` and `sudo nc -l $MX_IP 25`, then try https://canyouseeme.org
 { ... }: {
diff --git a/hosts/by-name/servo/services/email/postfix.nix b/hosts/by-name/servo/services/email/postfix.nix
index 3da0fdcb5..337ee55ae 100644
--- a/hosts/by-name/servo/services/email/postfix.nix
+++ b/hosts/by-name/servo/services/email/postfix.nix
@@ -112,7 +112,7 @@ in
 # smtpd_milters = local:/run/opendkim/opendkim.sock
 # milter docs: http://www.postfix.org/MILTER_README.html
 # mail filters for receiving email and from authorized SMTP clients (i.e. via submission)
- # smtpd_milters = inet:185.157.162.190:8891
+ # smtpd_milters = inet:$IP:8891
 # opendkim.sock will add a Authentication-Results header, with `dkim=pass|fail|...` value to received messages
 smtpd_milters = "unix:/run/opendkim/opendkim.sock";
 # mail filters for sendmail
diff --git a/scripts/check-uninsane b/scripts/check-uninsane
index fbe9047f4..3d615a90e 100755
--- a/scripts/check-uninsane
+++ b/scripts/check-uninsane
@@ -5,7 +5,7 @@
 echo "this script will check that uninsane.org is baseline operational"
 echo "it doesn't check all services, just the most critical ones"
 echo ""
-OVPNS_IPV4=185.157.162.178
+OVPNS_IPV4=156.146.51.235
 DOOF_IPV4=205.201.63.12
 usage() {
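Review bot: The rewritten debugging recipe `curl https://canyouseeme.org/ --data 'port=25&IP=$MX_IP'` keeps `$MX_IP` inside single quotes, so a reader who pastes it as written sends the literal string `IP=$MX_IP` and the grep for "see your service" fails for a reason unrelated to port 25; the old line worked because the address was hard-coded. Use double quotes and say where the value comes from: `# - with MX_IP set to wg.address.ipv4 from net/ovpn.nix: `curl https://canyouseeme.org/ --data "port=25&IP=$MX_IP" | grep 'see your service'``. The `nc -l $MX_IP 25` line is fine as a shell command but inherits the same undefined-variable caveat. The attribute set this header comment precedes continues past the hunk.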
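Review bot: `OVPNS_IPV4=156.146.51.235` is a second copy of the address this same commit sets as `wg.address.ipv4` in `hosts/by-name/servo/net/ovpn.nix`, and nothing ties the two together, so the next endpoint move can update one and leave this script probing an IP that is no longer ours. A pointer on the line would at least make the coupling visible: `OVPNS_IPV4=156.146.51.235  # keep in sync with wg.address.ipv4 in hosts/by-name/servo/net/ovpn.nix`. `usage()` continues past the hunk.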
@@ -98,6 +98,12 @@ check "[DOOF] https://uninsane.org online" curl "--connect-to" "uninsane.org:443
 check "[DOOF] https://matrix.uninsane.org online" curl "--connect-to" "matrix.uninsane.org:443:$DOOF_IPV4:443" --silent --fail-with-body https://matrix.uninsane.org
 check "uninsane.org DMARC record" nslookup -querytype=TXT _dmarc.uninsane.org.
+_checkPtr() {
+ local fwd=$1
+ local rev=$2
+ nslookup "$fwd" | grep "name = $rev$"
+}
+check "mx.uninsane.org PTR" _checkPtr "$OVPNS_IPV4" mx.uninsane.org.
 check "servo-hn wireguard network" ping -c 1 -W 3 servo-hn
diff --git a/secrets/servo/wg_ovpns_privkey.bin b/secrets/servo/wg_ovpns_privkey.bin
index fbf44b1f0..8cb667e9b 100644
--- a/secrets/servo/wg_ovpns_privkey.bin
+++ b/secrets/servo/wg_ovpns_privkey.bin
@@ -1,10 +1,6 @@
 {
- "data": "ENC[AES256_GCM,data:Qd0BDxy5uggFgJSaohdXG5J/copzeCIY7hnwquXjYbeYKH465ELxkFQXZcvv,iv:C/a7dQcGH8kUaydupAqbnP34smi/dpTSv/lRl+WDaSo=,tag:O0GvldqETifBwmzDuwBN2g==,type:str]",
+ "data": "ENC[AES256_GCM,data:dunfeBCYqKUc3RhVb+9CHCU9DEGIN4nQpgJL5fKqiBeUKUUHDVUKbyYRVQ7k,iv:yYFCsODxUM9lUXsYCqMXc08BwNq76LUJoD1ckyYAlIw=,tag:T3mX4oWFJ3hH7WzsZe1v2A==,type:str]",
 "sops": {
- "kms": null,
- "gcp_kms": null,
- "azure_kv": null,
- "hc_vault": null,
 "age": [
 {
 "recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
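Review bot: `_checkPtr` verifies only the reverse half of the MX's DNS: it confirms the PTR for `$OVPNS_IPV4` names `mx.uninsane.org.`, but receivers doing forward-confirmed rDNS also require `mx.uninsane.org` to resolve back to that same address, and nothing in this hunk checks that direction (it may exist elsewhere in the script, which is outside my view). A companion forward check in the same style, sketched below, would close the loop and would also have caught a stale `OVPNS_IPV4` after an endpoint move. Separately, the dots in `$rev` are regex metacharacters inside `grep "name = $rev$"`, so the match is slightly looser than intended; `grep "name = $(printf '%s' "$rev" | sed 's/\./\\./g')\$"` makes it exact if that matters. The `check` helper these lines call is defined outside the hunk.
```shell
# … unchanged: _checkPtr and the "mx.uninsane.org PTR" check …
_checkFwd() {
  local name=$1
  local ip=$2
  # anchor on the bare address so a resolver line such as "Address: 127.0.0.53#53" cannot match (output format assumed -- confirm)
  nslookup "$name" | grep "^Address: $ip$"
}
check "mx.uninsane.org A -> $OVPNS_IPV4" _checkFwd mx.uninsane.org. "$OVPNS_IPV4"
```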
@@ -23,10 +19,9 @@
 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZ29SUlhIRE0xbExuU2No\nakFxaEoxU1RvZmFGak5DbWIwYmpSMWtDemt3CkkrSHFGcXRQenZOK2N3Tk1ReW43\nM3c3N1J1WFhMaXBmVFJTTnU2bDIxdW8KLS0tIEVuYjM0T0I1dmNkQmxReURYemxK\nV3pIUUw0dTMxSWNlTTFta3VjemlEZU0KIUOwzoJXFGx5EbqRSObMTNrop/du5cfJ\nH01x46zgTAQOQOA7qlYdO429SMsQaPH3XX33M2plm4/0hKzlLZ4rRg==\n-----END AGE ENCRYPTED FILE-----\n"
 }
 ],
- "lastmodified": "2023-05-14T08:37:29Z",
- "mac": "ENC[AES256_GCM,data:GqTK4BvWgN1e8PViUcpGUimZnBmGjwZnrQrVwCIVj2KNgS5jqNYT91gLJ+CHsS5nbBfTGTJ0aRdoM5fOTLOFN+K6GZD/FIhDPrhvc3nyUK0qudWm1L+kAVnB5RYLewVYeWGKtuEGUHZSieOFRfiptXwPRPTccz9XCDYi7oIGTU4=,iv:TemQfusctCqSL/qjs72Unk6eYYFVHnIeo1zvEAiV4Pg=,tag:AG+FroYCsLgJeKtR0RX28w==,type:str]",
- "pgp": null,
+ "lastmodified": "2025-05-18T06:30:44Z",
+ "mac": "ENC[AES256_GCM,data:+yuAJy3o/qk+/u5gNRbqzVVOXQuA6sgyn7RKXnm+KX/AVoLBwjMjjDVwZ37VV3RP81o2eFrBCz2mFjWk2cx5n3CCD2ieiwdV0lf9z92vromal3fdm9JFEDsWHPTVZnXBNvJ0awsC+Xeo/AjXeqqmQW4cs1vulHhIVIwPB38RaDs=,iv:mnzhiIAhL42LPs6m8Uhq1PmStz3vMRIlWnmxmzpjY2U=,tag:G03wZAUsRtVL9S1qIuXxDA==,type:str]",
 "unencrypted_suffix": "_unencrypted",
- "version": "3.7.3"
+ "version": "3.10.2"
 }
-}
\ No newline at end of file
+}