From ef2c667bfeda74b16d4b016f7d795c18bb34b8eb Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Thu, 15 Feb 2024 13:38:30 +0100
Subject: [PATCH] shinobu: Add NTP server

This also changes the firewall rules for the IoT network to no longer accept connections to ntp.org pool hosts over 123/UDP. All clients should use the local NTP server.
---
 machines/shinobu/configuration.nix | 3 ++-
 machines/shinobu/services/ntp.nix | 11 +++++++++++
 machines/shinobu/services/router/dnsmasq.nix | 12 ++++++------
 machines/shinobu/services/router/rules.nft | 14 +-------------
 4 files changed, 20 insertions(+), 20 deletions(-)
 create mode 100644 machines/shinobu/services/ntp.nix

diff --git a/machines/shinobu/configuration.nix b/machines/shinobu/configuration.nix
index 64a8b1d..d83b6d2 100644
--- a/machines/shinobu/configuration.nix
+++ b/machines/shinobu/configuration.nix
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Simon Bruder
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -9,6 +9,7 @@
 
 ../../modules
 ./services/co2_exporter.nix
+ ./services/ntp.nix
 ./services/router
 ./services/snmp-exporter.nix
 ./services/wordclock-dimmer.nix
diff --git a/machines/shinobu/services/ntp.nix b/machines/shinobu/services/ntp.nix
new file mode 100644
index 0000000..78c5a1a
--- /dev/null
+++ b/machines/shinobu/services/ntp.nix
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{
+ services.ntp = {
+ enable = true;
+ };
+
+ networking.firewall.allowedUDPPorts = [ 123 ];
+}
diff --git a/machines/shinobu/services/router/dnsmasq.nix b/machines/shinobu/services/router/dnsmasq.nix
index 22fc110..7bfb7b6 100644
--- a/machines/shinobu/services/router/dnsmasq.nix
+++ b/machines/shinobu/services/router/dnsmasq.nix
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Simon Bruder
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
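Review bot: `networking.firewall.allowedUDPPorts = [ 123 ];` in the new ntp.nix opens the NTP port on every interface, including the WAN uplink (rules.nft's `define PHYSICAL_WAN = "enp1s0"` shows this host has one), so the daemon is reachable from the Internet although the commit message only wants LAN and IoT clients to use it. A publicly reachable NTP responder is a classic reflection/amplification target, and whether the `services.ntp` module's default `restrict` lines keep its control queries closed is not stated in this file. Scoping the rule to the internal bridges, e.g. `networking.firewall.interfaces."br-lan".allowedUDPPorts = [ 123 ];` and the same entry for `"br-iot"` (and the other VLAN bridges in `$VLAN_BRIDGES`), keeps the server reachable only from the networks it serves. A comment above the option such as `# Serve time to the internal networks only; dnsmasq advertises this host via DHCP option 42` would record that intent.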
@@ -41,16 +41,16 @@ in
 cfg.vlan);
 
 dhcp-option = lib.flatten (lib.mapAttrsToList (name: { subnet, ... }: [
+ # Gateway
 "tag:br-${name},option:router,${subnet.v4.gateway}"
 "tag:br-${name},option6:dns-server,${subnet.v6.gateway}"
+
+ # NTP server (runs on gateway)
+ "tag:br-${name},option:ntp-server,${subnet.v4.gateway}"
+ "tag:br-${name},option6:ntp-server,${subnet.v6.gateway}"
 ]) cfg.vlan);
 
- nftset = [
- "/pool.ntp.org/4#inet#filter#iot_ntp4"
- "/pool.ntp.org/6#inet#filter#iot_ntp6" # does not work
- ];
-
 server = [
 "127.0.0.1#5053"
 ];
diff --git a/machines/shinobu/services/router/rules.nft b/machines/shinobu/services/router/rules.nft
index 0f304a7..169425f 100644
--- a/machines/shinobu/services/router/rules.nft
+++ b/machines/shinobu/services/router/rules.nft
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Simon Bruder
+# SPDX-FileCopyrightText: 2023-2024 Simon Bruder
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
@@ -7,16 +7,6 @@ define PHYSICAL_WAN = "enp1s0"
 define NAT_WAN_IFACES = { $PHYSICAL_WAN }
 
 table inet filter {
- # These two sets are dynamically managed by dnsmasq
- set iot_ntp4 {
- type ipv4_addr
- comment "IPv4 addresses of resolved NTP servers"
- }
- set iot_ntp6 {
- type ipv6_addr
- comment "IPv6 addresses of resolved NTP servers"
- }
-
 chain forward {
 type filter hook forward priority filter; policy drop
 
@@ -31,8 +21,6 @@ table inet filter {
 iifname "br-lan" oifname $VLAN_BRIDGES counter accept;
 iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept
 
- iifname "br-iot" ip daddr @iot_ntp4 udp dport 123 counter accept
- iifname "br-iot" ip6 daddr @iot_ntp6 udp dport 123 counter accept
 iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept
 }
 }
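Review bot: The new `option:ntp-server`/`option6:ntp-server` entries are advisory: an IoT device with a hard-coded upstream (a vendor host or pool.ntp.org) ignores DHCP option 42, and now that the `iot_ntp4`/`iot_ntp6` accept rules are gone from rules.nft its 123/UDP traffic is silently dropped by the forward chain's `policy drop` rather than answered. If the intent is that every client uses the local server, a `nat prerouting` rule in rules.nft redirecting `iifname "br-iot" udp dport 123` to the gateway enforces it; otherwise a comment here should state that only DHCP-configured clients are covered. The `# Gateway` comment also heads the `option6:dns-server` line, which is not a gateway option; `# Gateway and DNS server (both on this host)` describes both lines.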