[BROKEN DYNDNS] feat(containers): switch to hetzner for primary domain

2023-08-08 17:53:01 +02:00 · 2023-08-08 17:53:01 +02:00 · 9988e3e969
commit 9988e3e969
parent 09374a71fd
7 changed files with 132 additions and 35 deletions
--- a/nix/os/devices/sj-vps-htz0/system.nix
+++ b/nix/os/devices/sj-vps-htz0/system.nix
@ -6,6 +6,8 @@
  ...
 }: {
  networking.firewall.enable = true;
+  networking.nftables.enable = true;
+
  networking.firewall.allowedTCPPorts = [
    # iperf3
    5201
@ -38,19 +40,32 @@
    interface = "eth0";
  };

-  networking.nameservers = ["1.1.1.1"];
+  networking.nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
+
+  services.resolved = {
+    enable = true;
+    dnssec = "true";
+    domains = ["~."];
+    fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
+    extraConfig = ''
+      DNSOverTLS=yes
+    '';
+  };

  networking.nat = {
    enable = true;
-    internalInterfaces = ["ve-+"];
+    internalInterfaces = ["ve-*"];
    externalInterface = "eth0";
  };

-  # Kubernetes
-  # services.kubernetes.roles = ["master" "node"];
+  networking.firewall.filterForward = true;
+  networking.firewall.extraForwardRules = ''
+    meta nfproto ipv4 tcp flags syn tcp option maxseg size set 1360;
+    meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1340;
+  '';

  # virtualization
-  virtualisation = {docker.enable = true;};
+  virtualisation = {docker.enable = false;};

  services.spice-vdagentd.enable = true;
  services.qemuGuest.enable = true;