Fix dns for hera

2023-06-08 14:24:06 +02:00 · 2023-06-08 14:24:06 +02:00 · e6d6dd2721
parent 0ceba9bbb2
commit e6d6dd2721
5 changed files with 11 additions and 59 deletions
--- a/common/default.nix
+++ b/common/default.nix
@ -76,9 +76,10 @@ with lib; {
        hera-p = "${p}::3";
        v4-p = "10.0.0";
      in {
-        hera = "${p}::1";
-
-        hera-v4 = "213.136.94.190";
+        hera = {
+          AAAA = "${p}::1";
+          A = "213.136.94.190";
+        };

        hera-intern = "${hera-p}:1";
        chor-cloud = "${hera-p}:b";
--- a/nixos/machines/hera/mail.nix
+++ b/nixos/machines/hera/mail.nix
@ -81,8 +81,8 @@ in {
          (lib.concatStringsSep "\n"
            (builtins.filter (x: !builtins.elem x nonMailboxDomains)
              config.mailserver.domains)));
-        smtp_bind_address = hosts.hera-v4;
-        smtp_bind_address6 = hosts.hera;
+        smtp_bind_address = hosts.hera.A;
+        smtp_bind_address6 = hosts.hera.AAAA;
      };
    };
  };
--- a/nixos/machines/hera/network.nix
+++ b/nixos/machines/hera/network.nix
@ -7,7 +7,7 @@ in {
  m-0.tailscale-routes = "fd42:ccc:da:64::/64,172.20.64.0/24";
  systemd.network.networks."10-wan" = {
    matchConfig.Name = "ens18";
-    address = [ "213.136.94.190/24" "${hosts.hera}/128" ];
+    address = [ "${hosts.hera.A}/24" "${hosts.hera.AAAA}/128" ];
    routes = [
      { routeConfig.Gateway = "213.136.94.1"; }
      { routeConfig.Gateway = "fe80::1"; }
--- a/nixos/roles/coturn.nix
+++ b/nixos/roles/coturn.nix
@ -1,50 +0,0 @@
-{ config, pkgs, ... }:
-let
-  fqdn = "${config.networking.hostName}.${config.networking.domain}";
-  key_dir = config.security.acme.certs."${fqdn}".directory;
-in {
-  users.users.turnserver.extraGroups = [ "nginx" ]; # For read access to certs;
-  networking.firewall = let
-    range = [{
-      from = config.services.coturn.min-port;
-      to = config.services.coturn.max-port;
-    }];
-    ports = [
-      config.services.coturn.listening-port
-      config.services.coturn.alt-listening-port
-      config.services.coturn.tls-listening-port
-      config.services.coturn.alt-tls-listening-port
-    ];
-  in {
-    allowedUDPPortRanges = range;
-    allowedTCPPortRanges = range;
-    allowedTCPPorts = ports;
-    allowedUDPPorts = ports;
-  };
-  security.acme.certs = {
-    "${fqdn}".postRun = "systemctl restart coturn.service";
-  };
-  services = {
-    coturn = {
-      enable = true;
-      use-auth-secret = true;
-      no-cli = true;
-      no-tcp-relay = true;
-      min-port = 52000;
-      max-port = 52100;
-      pkey = "${key_dir}/key.pem";
-      cert = "${key_dir}/fullchain.pem";
-      static-auth-secret = (pkgs.privateValue { turn_shared_secret = ""; }
-        "matrix/server-secrets").turn_shared_secret;
-      realm = fqdn;
-      listening-ips = [ config.m-0.hosts.hera config.m-0.hosts.hera-v4 ];
-      extraConfig = ''
-        fingerprint
-
-        denied-peer-ip=10.0.0.0-10.255.255.255
-        denied-peer-ip=192.168.0.0-192.168.255.255
-        denied-peer-ip=172.16.0.0-172.31.255.255
-      '';
-    };
-  };
-}
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@ -24,9 +24,10 @@ in {
    useNetworkd = true;
    useDHCP = false; # enabled per interface
    hosts = lib.zipAttrs (lib.mapAttrsToList (host: ip:
-      if builtins.typeOf ip == "set" then
-        { }
-      else {
+      if builtins.typeOf ip == "set" then {
+        ${ip.AAAA or null} = "${host} ${host}.m-0.eu";
+        ${ip.A or null} = "${host} ${host}.m-0.eu";
+      } else {
        "${ip}" = "${host} ${host}.m-0.eu";
      }) config.m-0.hosts ++ lib.mapAttrsToList (host: ips:
        let