shinobu: Add NTP server

This also changes the firewall rules for the IoT network to no longer
accept connections to ntp.org pool hosts over 123/UDP. All clients
should use the local NTP server.
Simon Bruder 2024-02-15 13:38:30 +01:00
parent 7f8859f85b
commit ef2c667bfe
Signed by: simon
GPG key ID: 347FF8699CDA0776
4 changed files with 20 additions and 20 deletions


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -9,6 +9,7 @@
../../modules ../../modules
./services/co2_exporter.nix ./services/co2_exporter.nix
./services/ntp.nix
./services/router ./services/router
./services/snmp-exporter.nix ./services/snmp-exporter.nix
./services/wordclock-dimmer.nix ./services/wordclock-dimmer.nix


@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{
services.ntp = {
enable = true;
};
networking.firewall.allowedUDPPorts = [ 123 ];
}
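Review bot: `networking.firewall.allowedUDPPorts = [ 123 ];` opens the NTP port on every interface, and the router's nftables file in this same commit names a WAN interface (`PHYSICAL_WAN = "enp1s0"`), so unless the custom input chain (not visible here) already restricts it, the new server is reachable from the internet rather than only from the VLANs it is meant to serve. Scoping the rule to the client-facing bridges, e.g. `networking.firewall.interfaces."br-iot".allowedUDPPorts = [ 123 ];` (plus the other VLAN bridges that should get NTP), keeps the exposure to what the DHCP option advertises. I believe the NixOS ntp module's default `restrictDefault` includes `noquery`, which limits what an external party can do with the port, but that is worth confirming rather than relying on. A one-line comment above the firewall line such as `# Serve NTP to the VLAN clients (advertised via DHCP option 42/56); outbound NTP from br-iot is no longer forwarded` would record why the port is open.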


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -41,16 +41,16 @@ in
cfg.vlan); cfg.vlan);
dhcp-option = lib.flatten (lib.mapAttrsToList dhcp-option = lib.flatten (lib.mapAttrsToList
(name: { subnet, ... }: [ (name: { subnet, ... }: [
# Gateway
"tag:br-${name},option:router,${subnet.v4.gateway}" "tag:br-${name},option:router,${subnet.v4.gateway}"
"tag:br-${name},option6:dns-server,${subnet.v6.gateway}" "tag:br-${name},option6:dns-server,${subnet.v6.gateway}"
# NTP server (runs on gateway)
"tag:br-${name},option:ntp-server,${subnet.v4.gateway}"
"tag:br-${name},option6:ntp-server,${subnet.v6.gateway}"
]) ])
cfg.vlan); cfg.vlan);
nftset = [
"/pool.ntp.org/4#inet#filter#iot_ntp4"
"/pool.ntp.org/6#inet#filter#iot_ntp6" # does not work
];
server = [ server = [
"127.0.0.1#5053" "127.0.0.1#5053"
]; ];
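Review bot: The new `option:ntp-server`/`option6:ntp-server` entries only help clients that honour the DHCP NTP option; IoT devices with hard-coded NTP servers, or ones that keep a cached server list, will silently lose time sync now that the `nftset` lines and the matching `@iot_ntp4`/`@iot_ntp6` forward rules in the nftables file are removed, which is hard to notice from the router side. Consider extending the comment to `# NTP server (runs on gateway); this is the only NTP path for br-iot, outbound 123/UDP is no longer forwarded` so the dependency on the DHCP option is explicit. For detection, a `counter log` rule for `iifname "br-iot" udp dport 123` just before the drop in the forward chain would show which clients still try to reach external servers. The enclosing attribute set that these dhcp-option strings belong to starts before the hunk.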


@ -1,4 +1,4 @@
# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2023-2024 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -7,16 +7,6 @@ define PHYSICAL_WAN = "enp1s0"
define NAT_WAN_IFACES = { $PHYSICAL_WAN } define NAT_WAN_IFACES = { $PHYSICAL_WAN }
table inet filter { table inet filter {
# These two sets are dynamically managed by dnsmasq
set iot_ntp4 {
type ipv4_addr
comment "IPv4 addresses of resolved NTP servers"
}
set iot_ntp6 {
type ipv6_addr
comment "IPv6 addresses of resolved NTP servers"
}
chain forward { chain forward {
type filter hook forward priority filter; policy drop type filter hook forward priority filter; policy drop
@ -31,8 +21,6 @@ table inet filter {
iifname "br-lan" oifname $VLAN_BRIDGES counter accept; iifname "br-lan" oifname $VLAN_BRIDGES counter accept;
iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept iifname $VLAN_BRIDGES oifname "br-lan" ct state established,related counter accept
iifname "br-iot" ip daddr @iot_ntp4 udp dport 123 counter accept
iifname "br-iot" ip6 daddr @iot_ntp6 udp dport 123 counter accept
iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept iifname $NAT_WAN_IFACES oifname "br-iot" ct state established,related counter accept
} }
} }