From 9fc5b83b6114c8b266f5c750ef71eba3f30de711 Mon Sep 17 00:00:00 2001
From: Colin
Date: Mon, 17 Jun 2024 22:00:39 +0000
Subject: [PATCH] refactor: servo: hardcode OVPN-related IP addresses in far fewer places

---
 hosts/by-name/servo/services/coturn.nix | 9 +++++----
 hosts/by-name/servo/services/email/postfix.nix | 5 ++---
 hosts/by-name/servo/services/jackett.nix | 7 +++----
 hosts/by-name/servo/services/slskd.nix | 4 ++--
 hosts/by-name/servo/services/transmission.nix | 10 +++++-----
 hosts/by-name/servo/services/trust-dns.nix | 14 ++++++--------
 6 files changed, 23 insertions(+), 26 deletions(-)

diff --git a/hosts/by-name/servo/services/coturn.nix b/hosts/by-name/servo/services/coturn.nix
index ea8d927e..876e8474 100644
--- a/hosts/by-name/servo/services/coturn.nix
+++ b/hosts/by-name/servo/services/coturn.nix
@@ -36,7 +36,8 @@
 # - rb = received bytes
 # - sp = sent packets
 # - sb = sent bytes
-{ lib, ... }:
+
+{ config, lib, ... }:
 let
 # TURN port range (inclusive).
 # default coturn behavior is to use the upper quarter of all ports. i.e. 49152 - 65535.
@@ -130,11 +131,11 @@ in
 "verbose"
 # "Verbose" #< even MORE verbosity than "verbose" (it's TOO MUCH verbosity really)
 "no-multicast-peers" # disables sending to IPv4 broadcast addresses (e.g. 224.0.0.0/3)
- # "listening-ip=10.0.1.5" "external-ip=185.157.162.178" #< 2024/04/25: works, if running in root namespace
- "listening-ip=185.157.162.178" "external-ip=185.157.162.178"
+ # "listening-ip=${config.sane.netns.ovpns.hostVethIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}" #< 2024/04/25: works, if running in root namespace
+ "listening-ip=${config.sane.netns.ovpns.netnsPubIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}"
 # old attempts:
- # "external-ip=185.157.162.178/10.0.1.5"
+ # "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}/${config.sane.netns.ovpns.hostVethIpv4}"
 # "listening-ip=10.78.79.51" # can be specified multiple times; omit for *
 # "external-ip=97.113.128.229/10.78.79.51"
 # "external-ip=97.113.128.229"
diff --git a/hosts/by-name/servo/services/email/postfix.nix b/hosts/by-name/servo/services/email/postfix.nix
index 36b6ce24..693ca703 100644
--- a/hosts/by-name/servo/services/email/postfix.nix
+++ b/hosts/by-name/servo/services/email/postfix.nix
@@ -1,6 +1,6 @@
 # postfix config options:
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
 submissionOptions = {
@@ -56,8 +56,7 @@ in
 sane.dns.zones."uninsane.org".inet = {
 MX."@" = "10 mx.uninsane.org.";
- # XXX: RFC's specify that the MX record CANNOT BE A CNAME
- A."mx" = "185.157.162.178";
+ A."mx" = "%AOVPNS%"; #< XXX: RFC's specify that the MX record CANNOT BE A CNAME. TODO: use "%AOVPNS%?
 # Sender Policy Framework:
 # +mx => mail passes if it originated from the MX
diff --git a/hosts/by-name/servo/services/jackett.nix b/hosts/by-name/servo/services/jackett.nix
index e71bfdc0..52ff707c 100644
--- a/hosts/by-name/servo/services/jackett.nix
+++ b/hosts/by-name/servo/services/jackett.nix
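Review bot: The trailing comment on the new `A."mx" = "%AOVPNS%";` line in the postfix.nix hunk contradicts the code it annotates: it says `TODO: use "%AOVPNS%?` although the value already is that placeholder, so a later reader cannot tell whether the switch is done or still pending. What the comment should record instead is what the value now depends on: the `mx` A record is only valid if whatever renders this zone applies the `%AOVPNS%` substitution (the trust-dns.nix hunk in this same patch defines it from `config.sane.netns.ovpns.netnsPubIpv4`); any consumer that reads `inet.A."mx"` raw gets the literal string, which is not an address, and the SPF `+mx` mechanism described in the following context lines would then match nothing. I'd replace it with `A."mx" = "%AOVPNS%"; #< XXX: RFC's specify that the MX record CANNOT BE A CNAME. %AOVPNS% is substituted by trust-dns.nix (mkSubstitutions) when the zone is rendered.` The `sane.dns.zones."uninsane.org".inet` attrset continues past the end of the hunk.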
@@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 lib.mkIf false #< TODO: re-enable once confident of sandboxing
 {
@@ -13,7 +13,7 @@ lib.mkIf false #< TODO: re-enable once confident of sandboxing
 systemd.services.jackett.serviceConfig = {
 # run this behind the OVPN static VPN
 NetworkNamespacePath = "/run/netns/ovpns";
- ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ]; # abort if public IP is not as expected
+ ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
 # patch jackett to listen on the public interfaces
 # ExecStart = lib.mkForce "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder /var/lib/jackett/.config/Jackett --ListenPublic";
@@ -25,8 +25,7 @@ lib.mkIf false #< TODO: re-enable once confident of sandboxing
 enableACME = true;
 # inherit kTLS;
 locations."/" = {
- # proxyPass = "http://ovpns.uninsane.org:9117";
- proxyPass = "http://10.0.1.6:9117";
+ proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9117";
 recommendedProxySettings = true;
 };
 };
diff --git a/hosts/by-name/servo/services/slskd.nix b/hosts/by-name/servo/services/slskd.nix
index 29c781aa..17a495e9 100644
--- a/hosts/by-name/servo/services/slskd.nix
+++ b/hosts/by-name/servo/services/slskd.nix
@@ -32,7 +32,7 @@
 forceSSL = true;
 enableACME = true;
 locations."/" = {
- proxyPass = "http://10.0.1.6:5030";
+ proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:5030";
 proxyWebsockets = true;
 };
 };
@@ -71,7 +71,7 @@
 systemd.services.slskd.serviceConfig = {
 # run this behind the OVPN static VPN
 NetworkNamespacePath = "/run/netns/ovpns";
- ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ]; # abort if public IP is not as expected
+ ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
 Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server
 RestartSec = "60s";
diff --git a/hosts/by-name/servo/services/transmission.nix b/hosts/by-name/servo/services/transmission.nix
index 078c1252..8f4758d8 100644
--- a/hosts/by-name/servo/services/transmission.nix
+++ b/hosts/by-name/servo/services/transmission.nix
@@ -106,8 +106,8 @@ lib.mkIf false #< TODO: re-enable once confident of sandboxing
 # DOCUMENTATION/options list:
 # message-level = 3; #< enable for debug logging. 0-3, default is 2.
- # 10.0.1.6 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
- rpc-bind-address = "10.0.1.6";
+ # ovpns.netnsVethIpv4 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
+ rpc-bind-address = config.sane.netns.ovpns.netnsVethIpv4;
 #rpc-host-whitelist = "bt.uninsane.org";
 #rpc-whitelist = "*.*.*.*";
 rpc-authentication-required = true;
@@ -118,7 +118,7 @@ lib.mkIf false #< TODO: re-enable once confident of sandboxing
 rpc-whitelist-enabled = false;
 # force behind ovpns in case the NetworkNamespace fails somehow
- bind-address-ipv4 = "185.157.162.178";
+ bind-address-ipv4 = config.sane.netns.ovpns.netnsPubIpv4;
 port-forwarding-enabled = false;
 # hopefully, make the downloads world-readable
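Review bot: The comment rewritten above `rpc-bind-address = config.sane.netns.ovpns.netnsVethIpv4;` in the transmission.nix hunk still says RPC is allowed "only from the root servo ns", but the hunk's own context shows `rpc-whitelist-enabled = false` and `#rpc-whitelist = "*.*.*.*"` commented out, so nothing filters by source address. Binding to the veth IP confines RPC to that interface, which is reachable from the root namespace and, as far as I can tell, from any other process placed in `/run/netns/ovpns` (this patch keeps jackett and slskd there), with `rpc-authentication-required = true` as the only gate. I'd make the comment match that: `# ovpns.netnsVethIpv4 => RPC reachable only over the veth (root servo ns, plus anything sharing the ovpns netns); no IP whitelist, so rpc-authentication-required is the only gate.` The whole file is under `lib.mkIf false` per the hunk header, so this matters when it is re-enabled; the settings attrset starts and ends outside the hunk.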
@@ -160,7 +160,7 @@ lib.mkIf false #< TODO: re-enable once confident of sandboxing
 systemd.services.transmission.serviceConfig = {
 # run this behind the OVPN static VPN
 NetworkNamespacePath = "/run/netns/ovpns";
- ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ]; # abort if public IP is not as expected
+ ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
 Restart = "on-failure";
 RestartSec = "30s";
@@ -190,7 +190,7 @@ lib.mkIf false #< TODO: re-enable once confident of sandboxing
 # inherit kTLS;
 locations."/" = {
 # proxyPass = "http://ovpns.uninsane.org:9091";
- proxyPass = "http://10.0.1.6:9091";
+ proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9091";
 };
 };
diff --git a/hosts/by-name/servo/services/trust-dns.nix b/hosts/by-name/servo/services/trust-dns.nix
index 1e4417c2..0d0269bc 100644
--- a/hosts/by-name/servo/services/trust-dns.nix
+++ b/hosts/by-name/servo/services/trust-dns.nix
@@ -4,8 +4,6 @@ let
 dyn-dns = config.sane.services.dyn-dns;
 nativeAddrs = lib.mapAttrs (_name: builtins.head) config.sane.dns.zones."uninsane.org".inet.A;
- bindOvpn = "10.0.1.5";
- bindDoof = "10.0.2.5";
 in
 {
 sane.ports.ports."53" = {
@@ -48,9 +46,9 @@ in
 # it's best that we keep this identical, or a superset of, what org. lists as our NS.
 # so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
 A."ns1" = "%ANATIVE%";
- A."ns2" = "185.157.162.178";
- A."ns3" = "185.157.162.178";
- A."ovpns" = "185.157.162.178";
+ A."ns2" = "%AOVPNS%";
+ A."ns3" = "%AOVPNS%";
+ A."ovpns" = "%AOVPNS%";
 NS."@" = [
 "ns1.uninsane.org."
 "ns2.uninsane.org."
@@ -92,7 +90,7 @@ in
 "%AWAN%" = "$(cat '${dyn-dns.ipPath}')";
 "%CNAMENATIVE%" = "servo.${flavor}";
 "%ANATIVE%" = nativeAddrs."servo.${flavor}";
- "%AOVPNS%" = "185.157.162.178";
+ "%AOVPNS%" = config.sane.netns.ovpns.netnsPubIpv4;
 };
 in
 {
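Review bot: `"%AOVPNS%" = config.sane.netns.ovpns.netnsPubIpv4;` in the last trust-dns.nix hunk makes the substitution table the one place the VPN address is resolved, but `nativeAddrs` in that file's first hunk is built with `builtins.head` over the raw `inet.A` attrset, i.e. before any substitution, so after this patch it holds the literal `%AOVPNS%` for `ns2`, `ns3` and `ovpns` (and for `mx`, set in postfix.nix). Only `nativeAddrs."servo.${flavor}"` is read in the visible code, so nothing breaks here, but that invariant is now load-bearing and undocumented, and I cannot tell from the patch whether anything else reads `inet.A` raw. A one-liner above `nativeAddrs` would pin it down: `# raw (pre-substitution) A records: placeholder entries (%AOVPNS%, %ANATIVE%) are NOT usable here; only concrete ones such as servo.* (assumed concrete) are.` The `let` holding `nativeAddrs` and the `mkSubstitutions` function both start outside their hunks.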
@@ -100,8 +98,8 @@ in
 substitutions = mkSubstitutions "wan";
 listenAddrsIpv4 = [
 nativeAddrs."servo.lan"
- bindOvpn
- bindDoof
+ config.sane.netns.ovpns.hostVethIpv4
+ config.sane.netns.doof.hostVethIpv4
 ];
 };
 lan = {
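Review bot: The two new `listenAddrsIpv4` entries in trust-dns.nix, `config.sane.netns.ovpns.hostVethIpv4` and `config.sane.netns.doof.hostVethIpv4`, are a faithful replacement for the removed `bindOvpn`/`bindDoof` literals (`10.0.1.5`, `10.0.2.5`) only if those options evaluate to the same addresses, and the netns module that defines them is not in this patch. A mismatch would not fail evaluation: trust-dns would simply bind elsewhere and this `wan`-flavored instance (per `substitutions = mkSubstitutions "wan"` in the hunk) would stop answering inside that namespace, which presumably means name resolution silently breaks for the services confined to ovpns. Worth confirming both values, and that `config.sane.netns.doof` is defined on every host that imports this file, since a missing option does fail evaluation. A short comment would also help: `# host-side veth addresses: serve the wan-flavored zone to services confined to the ovpns/doof namespaces`. The enclosing attrset begins before the hunk (presumably the `wan` entry, given the `lan = {` that follows).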