Deploy DNS server with ad-block and NAT loopback

2021-04-14 14:09:17 +02:00
7 changed files with 40 additions and 45 deletions
--- a/README.org
+++ b/README.org
@@ -1,17 +1,3 @@
 * Unit

 Declarative configuration for the main server, using [[https://nixos.org][NixOS]]
-
-** Modules
-
- The configuration is sliced into different files, per category:
-
- - ZFS pool configuration: hardware-configuration.nix
- - Network configuration: networking.nix
- - Synchronization and backup services: datasync.nix
- - Web services and reverse proxy: webstack.nix
- - Smartd: monitoring.nix
- - Systemd services and timers: periodic.nix
- - Virtual machines: virtualization.nix
-
- All the modules are imported in *configuration.nix*
--- a/modules/datasync.nix
+++ b/modules/datasync.nix
@@ -7,6 +7,7 @@
  services.samba = {
    enable = true;
    nsswins = true;
+    syncPasswordsByPam = true;
    extraConfig = ''
      workgroup = WORKGROUP
      server string = unit
--- a/modules/hardware-configuration.nix
+++ b/modules/hardware-configuration.nix
@@ -43,13 +43,18 @@
      fsType = "zfs";
    };

+  fileSystems."/vault/backups" =
+    { device = "vault/backups";
+      fsType = "zfs";
+    };
+
  fileSystems."/vault/VMs" =
    { device = "vault/VMs";
      fsType = "zfs";
    };

-  fileSystems."/vault/backups" =
-    { device = "vault/backups";
+  fileSystems."/vault/code" =
+    { device = "vault/code";
      fsType = "zfs";
    };

@@ -58,8 +63,8 @@
      fsType = "zfs";
    };

-  fileSystems."/vault/code" =
-    { device = "vault/code";
+  fileSystems."/vault/config" =
+    { device = "vault/config";
      fsType = "zfs";
    };

@@ -73,33 +78,23 @@
      fsType = "zfs";
    };

-  fileSystems."/vault/backups/wordpress" =
-    { device = "vault/backups/wordpress";
-      fsType = "zfs";
-    };
-
-  fileSystems."/vault/backups/frontend" =
-    { device = "vault/backups/frontend";
-      fsType = "zfs";
-    };
-
  fileSystems."/vault/backups/documents" =
    { device = "vault/backups/documents";
      fsType = "zfs";
    };

-  fileSystems."/vault/config" =
-    { device = "vault/config";
-      fsType = "zfs";
-    };
-
  fileSystems."/vault/VMs/legacy" =
    { device = "vault/VMs/legacy";
      fsType = "zfs";
    };

-  fileSystems."/vault/frontend" =
-    { device = "vault/frontend";
+  fileSystems."/vault/backups/frontend" =
+    { device = "vault/backups/frontend";
+      fsType = "zfs";
+    };
+
+  fileSystems."/vault/backups/wordpress" =
+    { device = "vault/backups/wordpress";
      fsType = "zfs";
    };

--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -103,11 +103,6 @@ in {
          publicKey = "5DU9ipxJcut2wKrUr3yQux9crzXMSW4ZeKWFLRpUc1I=";
          allowedIPs = [ "10.9.0.4/32" ];
        }
-        # manuela
-        {
-          publicKey = "V+DaOya2hLuV6C9BeCkDyFqXpPAFq9jMAeg1dvQw/FI=";
-          allowedIPs = [ "10.9.0.5/32" ];
-        }
      ];
    };
  };
@@ -146,7 +141,7 @@ in {
      bogus-priv
      no-resolv

-      listen-address=127.0.0.1,10.0.1.3
+      listen-address=127.0.0.1,10.0.1.3,10.9.0.1
      bind-interfaces

      cache-size=10000
--- a/modules/periodic.nix
+++ b/modules/periodic.nix
@@ -15,8 +15,16 @@ in {
      cd "$base_folder" || exit
      ls | xargs -P10 -I{} git -C {} pull --rebase
    '';
-    serviceConfig.Type = "oneshot";
-    startAt = "22:00:00";
+    serviceConfig = { Type = "oneshot"; };
+  };
+
+  systemd.user.timers.git-pull = {
+    description = "Daily code update";
+    wantedBy = [ "default.target" ];
+    timerConfig = {
+      OnCalendar = "22:00:00";
+      Unit = "git-pull.service";
+    };
  };

  # PostgreSQL daily backups
@@ -39,7 +47,14 @@ in {
      chown -R dnsmasq ${stateDir}
      systemctl restart dnsmasq
    '';
-    startAt = "02:00:00";
  };

+  systemd.timers.download-dns-blocklist = {
+    description = "Daily download of hosts-blocklists";
+    wantedBy = [ "default.target" ];
+    timerConfig = {
+      OnCalendar = "02:00:00";
+      Unit = "download-dns-blocklist.service";
+    };
+  };
 }
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -68,4 +68,7 @@
      host    all             all             ::1/128                 trust
    '';
  };
+
+  # Restart reverse proxy after services startup
+  systemd.services.nginx.after = [ "nextcloud.service" ];
 }
--- a/scripts/sybase-backup.sh
+++ b/scripts/sybase-backup.sh
@@ -6,7 +6,7 @@ sybase_service() {

 perform_backup() {
 	zip -r BBDD_"$(date +"%d%m%Y")".zip /opt/sybase
-	scp -i /root/.ssh/unit BBDD_"$(date +"%d%m%Y")".zip coace@192.168.122.1:/vault/backups/databases/sica
+	scp BBDD_"$(date +"%d%m%Y")".zip -i /root/.ssh/unit coace@192.168.122.1:/vault/backups/databases/sica
 }

 cleanup() {