servo: switch to unbound for local DNS provider

2024-11-10 05:53:17 +00:00
parent e2dfbfe829
commit c30929e1a6
9 changed files with 226 additions and 186 deletions
--- a/hosts/by-name/servo/default.nix
+++ b/hosts/by-name/servo/default.nix
@@ -3,7 +3,7 @@
 {
  imports = [
    ./fs.nix
-    ./net.nix
+    ./net
    ./services
  ];
@@ -21,14 +21,6 @@
    "sane-scripts.stop-all-servo"
  ];
  sane.services.dyn-dns.enable = true;
  sane.services.hickory-dns.asSystemResolver = false;  # TODO: enable once it's all working well
  sane.services.wg-home.enable = true;
  sane.services.wg-home.visibleToWan = true;
  sane.services.wg-home.forwardToWan = true;
  sane.services.wg-home.routeThroughServo = false;
  sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
  sane.ovpn.addrV4 = "172.23.174.114";
  # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:8df3:14b0";
  sane.nixcache.remote-builders.desko = false;
  sane.nixcache.remote-builders.servo = false;
  sane.services.rsync-net.enable = true;
--- a/hosts/by-name/servo/net.nix
+++ b/hosts/by-name/servo/net.nix
@@ -1,124 +0,0 @@
 { config, lib, pkgs, ... }:
 let
  portOpts = with lib; types.submodule {
    options = {
      visibleTo.ovpns = mkOption {
        type = types.bool;
        default = false;
        description = ''
          whether to forward inbound traffic on the OVPN vpn port to the corresponding localhost port.
        '';
      };
      visibleTo.doof = mkOption {
        type = types.bool;
        default = false;
        description = ''
          whether to forward inbound traffic on the doofnet vpn port to the corresponding localhost port.
        '';
      };
    };
  };
 in
 {
  options = with lib; {
    sane.ports.ports = mkOption {
      # add the `visibleTo.{doof,ovpns}` options
      type = types.attrsOf portOpts;
    };
  };
  config = {
    networking.domain = "uninsane.org";
    systemd.network.networks."50-eth0" = {
      matchConfig.Name = "eth0";
      networkConfig.Address = [
        "205.201.63.12/32"
        "10.78.79.51/22"
      ];
      networkConfig.DNS = [ "10.78.79.1" ];
    };
    sane.ports.openFirewall = true;
    sane.ports.openUpnp = true;
    # unless we add interface-specific settings for each VPN, we have to define nameservers globally.
    # networking.nameservers = [
    #   "1.1.1.1"
    #   "9.9.9.9"
    # ];
    # services.resolved.extraConfig = ''
    #   # docs: `man resolved.conf`
    #   # DNS servers to use via the `wg-ovpns` interface.
    #   #   i hope that from the root ns, these aren't visible.
    #   DNS=46.227.67.134%wg-ovpns 192.165.9.158%wg-ovpns
    #   FallbackDNS=1.1.1.1 9.9.9.9
    # '';
    # tun-sea config
    sane.dns.zones."uninsane.org".inet.A."doof.tunnel" = "205.201.63.12";
    # sane.dns.zones."uninsane.org".inet.AAAA."doof.tunnel" = "2602:fce8:106::51";  #< TODO: enable IPv6
    networking.wireguard.interfaces.wg-doof = {
      privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
      # wg is active only in this namespace.
      # run e.g. ip netns exec doof <some command like ping/curl/etc, it'll go through wg>
      #   sudo ip netns exec doof ping www.google.com
      interfaceNamespace = "doof";
      ips = [
        "205.201.63.12"
        # "2602:fce8:106::51/128"  #< TODO: enable IPv6
      ];
      peers = [
        {
          publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
          # TODO: configure DNS within the doof ns and use tun-sea.doof.net endpoint
          # endpoint = "tun-sea.doof.net:53263";
          endpoint = "205.201.63.44:53263";
          allowedIPs = [ "0.0.0.0/0" "::/0" ];
          persistentKeepalive = 25; #< keep the NAT alive
        }
      ];
    };
    sane.netns.doof.hostVethIpv4 = "10.0.2.5";
    sane.netns.doof.netnsVethIpv4 = "10.0.2.6";
    sane.netns.doof.netnsPubIpv4 = "205.201.63.12";
    sane.netns.doof.routeTable = 12;
    # OVPN CONFIG (https://www.ovpn.com):
    # DOCS: https://nixos.wiki/wiki/WireGuard
    # if you `systemctl restart wireguard-wg-ovpns`, make sure to also restart any other services in `NetworkNamespacePath = .../ovpns`.
    # TODO: why not create the namespace as a seperate operation (nix config for that?)
    networking.wireguard.enable = true;
    networking.wireguard.interfaces.wg-ovpns = {
      privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
      # wg is active only in this namespace.
      # run e.g. ip netns exec ovpns <some command like ping/curl/etc, it'll go through wg>
      #   sudo ip netns exec ovpns ping www.google.com
      interfaceNamespace = "ovpns";
      ips = [ "185.157.162.178" ];
      peers = [
        {
          publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs=";
          endpoint = "185.157.162.10:9930";
          # alternatively: use hostname, but that presents bootstrapping issues (e.g. if host net flakes)
          # endpoint = "vpn36.prd.amsterdam.ovpn.com:9930";
          allowedIPs = [ "0.0.0.0/0" ];
          # nixOS says this is important for keeping NATs active
          persistentKeepalive = 25;
          # re-executes wg this often. docs hint that this might help wg notice DNS/hostname changes.
          # so, maybe that helps if we specify endpoint as a domain name
          # dynamicEndpointRefreshSeconds = 30;
          # when refresh fails, try it again after this period instead.
          # TODO: not avail until nixpkgs upgrade
          # dynamicEndpointRefreshRestartSeconds = 5;
        }
      ];
    };
    sane.netns.ovpns.hostVethIpv4 = "10.0.1.5";
    sane.netns.ovpns.netnsVethIpv4 = "10.0.1.6";
    sane.netns.ovpns.netnsPubIpv4 = "185.157.162.178";
    sane.netns.ovpns.routeTable = 11;
    sane.netns.ovpns.dns = "46.227.67.134";  #< DNS requests inside the namespace are forwarded here
  };
 }
--- a/hosts/by-name/servo/net/default.nix
+++ b/hosts/by-name/servo/net/default.nix
@@ -0,0 +1,53 @@
 { config, lib, pkgs, ... }:
 let
  portOpts = with lib; types.submodule {
    options = {
      visibleTo.ovpns = mkOption {
        type = types.bool;
        default = false;
        description = ''
          whether to forward inbound traffic on the OVPN vpn port to the corresponding localhost port.
        '';
      };
      visibleTo.doof = mkOption {
        type = types.bool;
        default = false;
        description = ''
          whether to forward inbound traffic on the doofnet vpn port to the corresponding localhost port.
        '';
      };
    };
  };
 in
 {
  options = with lib; {
    sane.ports.ports = mkOption {
      # add the `visibleTo.{doof,ovpns}` options
      type = types.attrsOf portOpts;
    };
  };
  imports = [
    ./doof.nix
    ./ovpn.nix
    ./wg-home.nix
  ];
  config = {
    networking.domain = "uninsane.org";
    systemd.network.networks."50-eth0" = {
      matchConfig.Name = "eth0";
      networkConfig.Address = [
        "205.201.63.12/32"
        "10.78.79.51/22"
      ];
      networkConfig.DNS = [ "10.78.79.1" ];
    };
    sane.ports.openFirewall = true;
    sane.ports.openUpnp = true;
    networking.wireguard.enable = true;
  };
 }
--- a/hosts/by-name/servo/net/doof.nix
+++ b/hosts/by-name/servo/net/doof.nix
@@ -0,0 +1,49 @@
 { config, ... }:
 {
  # tun-sea config
  sane.dns.zones."uninsane.org".inet.A."doof.tunnel" = "205.201.63.12";
  # sane.dns.zones."uninsane.org".inet.AAAA."doof.tunnel" = "2602:fce8:106::51";  #< TODO: enable IPv6
  # if the tunnel breaks, restart it manually:
  # - `systemctl restart netns-doof.service`  => recreates the network namespace
  # - `systemctl restart wireguard-wg-doof.service`  => recreates the wireguard device
  networking.wireguard.interfaces.wg-doof = {
    privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
    # wg is active only in this namespace.
    # run e.g. ip netns exec doof <some command like ping/curl/etc, it'll go through wg>
    #   sudo ip netns exec doof ping www.google.com
    interfaceNamespace = "doof";
    ips = [
      "205.201.63.12"
      # "2602:fce8:106::51/128"  #< TODO: enable IPv6
    ];
    peers = [
      {
        publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
        # TODO: configure DNS within the doof ns and use tun-sea.doof.net endpoint
        # endpoint = "tun-sea.doof.net:53263";
        endpoint = "205.201.63.44:53263";
        allowedIPs = [ "0.0.0.0/0" "::/0" ];
        persistentKeepalive = 25; #< keep the NAT alive
      }
    ];
  };
  sane.netns.doof.hostVethIpv4 = "10.0.2.5";
  sane.netns.doof.netnsVethIpv4 = "10.0.2.6";
  sane.netns.doof.netnsPubIpv4 = "205.201.63.12";
  sane.netns.doof.routeTable = 12;
  # inside doof, forward DNS requests back to the root machine
  # this is fine: nothing inside the ns performs DNS except for wireguard,
  # and we're not forwarding external DNS requests here
  # XXX: ACTUALLY, CAN'T EASILY DO THAT BECAUSE HICKORY-DNS IS ALREADY USING PORT 53
  # TODO: just spin up another `unbound` instance in the netns
  # sane.netns.doof.dns = config.sane.netns.doof.netnsVethIpv4;
  # services.unbound.settings.server.interface = [
  #   config.sane.netns.doof.hostVethIpv4
  # ];
  # services.unbound.settings.server.access-control = [
  #   "${config.sane.netns.doof.hostVethIpv4}/24 allow"
  # ];
 }
--- a/hosts/by-name/servo/net/ovpn.nix
+++ b/hosts/by-name/servo/net/ovpn.nix
@@ -0,0 +1,39 @@
 { config, ... }:
 {
  sane.ovpn.addrV4 = "172.23.174.114";
  # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:8df3:14b0";
  # OVPN CONFIG (https://www.ovpn.com):
  # DOCS: https://nixos.wiki/wiki/WireGuard
  # if you `systemctl restart wireguard-wg-ovpns` or `netns-ovpns`, make sure to also restart any other services in `NetworkNamespacePath = .../ovpns`.
  networking.wireguard.interfaces.wg-ovpns = {
    privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
    # wg is active only in this namespace.
    # run e.g. ip netns exec ovpns <some command like ping/curl/etc, it'll go through wg>
    #   sudo ip netns exec ovpns ping www.google.com
    interfaceNamespace = "ovpns";
    ips = [ "185.157.162.178" ];
    peers = [
      {
        publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs=";
        endpoint = "185.157.162.10:9930";
        # alternatively: use hostname, but that presents bootstrapping issues (e.g. if host net flakes)
        # endpoint = "vpn36.prd.amsterdam.ovpn.com:9930";
        allowedIPs = [ "0.0.0.0/0" ];
        # nixOS says this is important for keeping NATs active
        persistentKeepalive = 25;
        # re-executes wg this often. docs hint that this might help wg notice DNS/hostname changes.
        # so, maybe that helps if we specify endpoint as a domain name
        # dynamicEndpointRefreshSeconds = 30;
        # when refresh fails, try it again after this period instead.
        # TODO: not avail until nixpkgs upgrade
        # dynamicEndpointRefreshRestartSeconds = 5;
      }
    ];
  };
  sane.netns.ovpns.hostVethIpv4 = "10.0.1.5";
  sane.netns.ovpns.netnsVethIpv4 = "10.0.1.6";
  sane.netns.ovpns.netnsPubIpv4 = "185.157.162.178";
  sane.netns.ovpns.routeTable = 11;
  sane.netns.ovpns.dns = "46.227.67.134";  #< DNS requests inside the namespace are forwarded here
 }
--- a/hosts/by-name/servo/net/wg-home.nix
+++ b/hosts/by-name/servo/net/wg-home.nix
@@ -0,0 +1,15 @@
 { config, ... }:
 {
  sane.services.wg-home.enable = true;
  sane.services.wg-home.visibleToWan = true;
  sane.services.wg-home.forwardToWan = true;
  sane.services.wg-home.routeThroughServo = false;
  sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
  services.unbound.settings.server.interface = [
    # provide DNS to my wireguard clients
    config.sane.hosts.by-name."servo".wg-home.ip
  ];
  services.unbound.settings.server.access-control = [
    "${config.sane.hosts.by-name."servo".wg-home.ip}/24 allow"
  ];
 }
--- a/hosts/by-name/servo/services/hickory-dns.nix
+++ b/hosts/by-name/servo/services/hickory-dns.nix
@@ -103,31 +103,31 @@ in
        # config.sane.netns.ovpns.hostVethIpv4
      ];
    };
-    hn = {
+    # hn = {
-      substitutions = mkSubstitutions "hn";
+    #   substitutions = mkSubstitutions "hn";
-      listenAddrsIpv4 = [ nativeAddrs."servo.hn" ];
+    #   listenAddrsIpv4 = [ nativeAddrs."servo.hn" ];
-      enableRecursiveResolver = true;  #< allow wireguard clients to use this as their DNS resolver
+    #   enableRecursiveResolver = true;  #< allow wireguard clients to use this as their DNS resolver
-      # extraConfig = {
+    #   # extraConfig = {
-      #   zones = [
+    #   #   zones = [
-      #     {
+    #   #     {
-      #       # forward the root zone to the local DNS resolver
+    #   #       # forward the root zone to the local DNS resolver
-      #       # to allow wireguard clients to use this as their DNS resolver
+    #   #       # to allow wireguard clients to use this as their DNS resolver
-      #       zone = ".";
+    #   #       zone = ".";
-      #       zone_type = "Forward";
+    #   #       zone_type = "Forward";
-      #       stores = {
+    #   #       stores = {
-      #         type = "forward";
+    #   #         type = "forward";
-      #         name_servers = [
+    #   #         name_servers = [
-      #           {
+    #   #           {
-      #             socket_addr = "127.0.0.53:53";
+    #   #             socket_addr = "127.0.0.53:53";
-      #             protocol = "udp";
+    #   #             protocol = "udp";
-      #             trust_nx_responses = true;
+    #   #             trust_nx_responses = true;
-      #           }
+    #   #           }
-      #         ];
+    #   #         ];
-      #       };
+    #   #       };
-      #     }
+    #   #     }
-      #   ];
+    #   #   ];
-      # };
+    #   # };
-    };
+    # };
    # lan = {
    #   substitutions = mkSubstitutions "lan";
    #   listenAddrsIpv4 = [ nativeAddrs."servo.lan" ];
--- a/hosts/common/net/dns.nix
+++ b/hosts/common/net/dns.nix
@@ -26,16 +26,28 @@ lib.mkMerge [
  sane.services.hickory-dns.enable = lib.mkDefault config.sane.services.hickory-dns.asSystemResolver;
  # sane.services.hickory-dns.asSystemResolver = lib.mkDefault true;
 }
-(lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver && !config.sane.services.hickory-dns.enable) {
+(lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver) {
  services.resolved.enable = lib.mkForce false;
  # resolve DNS recursively with Unbound.
  services.unbound.enable = lib.mkDefault true;
-  services.unbound.resolveLocalQueries = true;
+  services.unbound.settings.server.interface = [ "127.0.0.1" ];
  services.unbound.settings.server.access-control = [ "127.0.0.0/8 allow" ];
  services.unbound.resolveLocalQueries = false;  #< disable, so that i can manage networking.nameservers manually
  networking.nameservers = [
    # be compatible with systemd-resolved
    # "127.0.0.53"
    # or don't be compatible with systemd-resolved, but with libc and pasta instead
    #   see <pkgs/by-name/sane-scripts/src/sane-vpn>
    "127.0.0.1"
-    "::1"
+    # enable IPv6, or don't, because having just a single name server makes monkey-patching it easier
    # "::1"
  ];
  networking.resolvconf.extraConfig = ''
    # DNS serviced by `unbound` recursive resolver
    name_servers='127.0.0.1'
  '';
  # effectively disable DNSSEC, to avoid a circular dependency between DNS resolution and NTP.
  # without this, if the RTC fails, then both time and DNS are unrecoverable.
  # if you enable this, make sure to persist the stateful data.
@@ -45,29 +57,29 @@ lib.mkMerge [
  # services.unbound.settings.server.use-caps-for-id = true;  #< TODO: randomizes casing to avoid spoofing
  services.unbound.settings.server.prefetch = true;  # prefetch RRs which are about to expire from the cache, to keep them primed
 })
-(lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver && config.sane.services.hickory-dns.enable) {
+# (lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver && config.sane.services.hickory-dns.enable) {
-  # use systemd's stub resolver.
+#   # use systemd's stub resolver.
-  # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
+#   # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
-  # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
+#   # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
-  # in servo's ovnps namespace to use the provider's DNS resolvers.
+#   # in servo's ovnps namespace to use the provider's DNS resolvers.
-  # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
+#   # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
-  # TODO: improve hickory-dns recursive resolver and then remove this
+#   # TODO: improve hickory-dns recursive resolver and then remove this
-  services.resolved.enable = true;  #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
+#   services.resolved.enable = true;  #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
-  # without DNSSEC:
+#   # without DNSSEC:
-  # - dig matrix.org => works
+#   # - dig matrix.org => works
-  # - curl https://matrix.org => works
+#   # - curl https://matrix.org => works
-  # with default DNSSEC:
+#   # with default DNSSEC:
-  # - dig matrix.org => works
+#   # - dig matrix.org => works
-  # - curl https://matrix.org => fails
+#   # - curl https://matrix.org => fails
-  # i don't know why. this might somehow be interfering with the DNS run on this device (hickory-dns)
+#   # i don't know why. this might somehow be interfering with the DNS run on this device (hickory-dns)
-  services.resolved.dnssec = "false";
+#   services.resolved.dnssec = "false";
-  networking.nameservers = [
+#   networking.nameservers = [
-    # use systemd-resolved resolver
+#     # use systemd-resolved resolver
-    # full resolver (which understands /etc/hosts) lives on 127.0.0.53
+#     # full resolver (which understands /etc/hosts) lives on 127.0.0.53
-    # stub resolver (just forwards upstream) lives on 127.0.0.54
+#     # stub resolver (just forwards upstream) lives on 127.0.0.54
-    "127.0.0.53"
+#     "127.0.0.53"
-  ];
+#   ];
-})
+# })
 {
  # nscd -- the Name Service Caching Daemon -- caches DNS query responses
  # in a way that's unaware of my VPN routing, so routes are frequently poor against
--- a/modules/netns.nix
+++ b/modules/netns.nix
@@ -1,11 +1,15 @@
 { config, lib, pkgs, sane-lib, ... }:
 let
  cfg = config.sane.netns;
  nsIpv4 = builtins.head (builtins.filter
    (ns: (builtins.match "[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+" ns) != null)
    config.networking.nameservers
  );
  netnsOpts = with lib; types.submodule {
    options = {
      dns = mkOption {
        type = types.str;
-        default = "1.1.1.1";  #< TODO: make the default be to forward DNS queries to the init namespace.
+        default = "1.1.1.1";
      };
      hostVethIpv4 = mkOption {
        type = types.str;
@@ -78,7 +82,7 @@ let
        # in order to access DNS in this netns, we need to route it to the VPN's nameservers
        # - alternatively, we could fix DNS servers like 1.1.1.1.
-        ${in-ns} ${iptables} -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.53 \
+        ${in-ns} ${iptables} -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range ${nsIpv4} \
          -j DNAT --to-destination ${dns}:53
      '' + (lib.concatStringsSep "\n" bridgeStatements);
      preStop = ''