vueko/mail: Add domain

When having DNSSEC activated (as it is the case on sbruder.de), dnsmasq
interfering in queries for hosts on the LAN often causes problems.

This domain is specifically for the case of not having DNSSEC on it.

machines/default.nix

@@ -29,7 +29,7 @@ in
       hardware.common-pc-ssd
     ];
 
-    targetHost = "fuuko.home.sbruder.de";
+    targetHost = "fuuko.lan.shinonome-lab.de";
   };
   mayushii = {
     system = "x86_64-linux";
@@ -60,7 +60,7 @@ in
       hardware.common-pc-ssd
     ];
 
-    targetHost = "shinobu.home.sbruder.de";
+    targetHost = "shinobu.lan.shinonome-lab.de";
   };
   nazuna = {
     system = "x86_64-linux";

machines/okarin/configuration.nix

@@ -5,6 +5,7 @@
     ./hardware-configuration.nix
     ../../modules
 
+    ./services/maggus.bayern.nix
     ./services/proxy.nix
   ];
 

machines/okarin/services/maggus.bayern.nix

@@ -0,0 +1,32 @@
+{ pkgs, ... }:
+
+{
+  users.users.maggus = {
+    isSystemUser = true;
+    group = "maggus";
+    shell = "/bin/sh";
+
+    openssh.authorizedKeys.keys = map (key: "command=\"${pkgs.rrsync}/bin/rrsync -wo /var/www/maggus.bayern/\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}") [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
+    ];
+  };
+  users.groups.maggus = { };
+
+  systemd.tmpfiles.rules = [
+    "d /var/www/maggus.bayern 0755 maggus root -"
+  ];
+
+  services.nginx.virtualHosts = {
+    "maggus.bayern" = {
+      enableACME = true;
+      forceSSL = true;
+      root = "/var/www/maggus.bayern";
+    };
+    "www.maggus.bayern" = {
+      enableACME = true;
+      forceSSL = true;
+      globalRedirect = "maggus.bayern";
+    };
+  };
+}

machines/renge/services/prometheus.nix

@@ -103,7 +103,7 @@ in
         static_configs = mkStaticTarget "shinobu.vpn.sbruder.de:${toString config.services.prometheus.exporters.dnsmasq.port}";
         relabel_configs = lib.singleton {
           target_label = "instance";
-          replacement = "shinobu.home.sbruder.de";
+          replacement = "shinobu";
         };
       }
       {
@@ -123,6 +123,42 @@ in
           replacement = "vueko.sbruder.de";
         };
       }
+      {
+        job_name = "knot";
+        static_configs = mkStaticTargets [
+          "okarin.vpn.sbruder.de:9433"
+          "vueko.vpn.sbruder.de:9433"
+        ];
+        relabel_configs = lib.singleton {
+          target_label = "instance";
+          source_labels = lib.singleton "__address__";
+          regex = "(.*)\\.vpn\\.sbruder\\.de:9433";
+        };
+      }
+      {
+        job_name = "snmp";
+        metrics_path = "/snmp";
+        params = {
+          module = [ "if_mib" ];
+        };
+        static_configs = mkStaticTargets [
+          "karibik.management.shinonome-lab.de"
+        ];
+        relabel_configs = [
+          {
+            source_labels = lib.singleton "__address__";
+            target_label = "__param_target";
+          }
+          {
+            source_labels = lib.singleton "__param_target";
+            target_label = "instance";
+          }
+          {
+            target_label = "__address__";
+            replacement = "shinobu.vpn.sbruder.de:9116";
+          }
+        ];
+      }
     ];
 
     rules =

machines/shinobu/configuration.nix

@@ -6,6 +6,7 @@
 
     ./services/co2_exporter.nix
     ./services/router
+    ./services/snmp-exporter.nix
   ];
 
   sbruder = {

machines/shinobu/services/router/common.nix

@@ -32,22 +32,22 @@ in
     lan = {
       id = 10;
       subnet = mkSubnet "10.80.1.0/24" "fd00:80:1::/64";
-      domain = "home.sbruder.de";
+      domain = "lan.shinonome-lab.de";
     };
     management = {
       id = 20;
       subnet = mkSubnet "10.80.2.0/24" "fd00:80:2::/64";
-      domain = "management.sbruder.de";
+      domain = "management.shinonome-lab.de";
     };
     guest = {
       id = 30;
       subnet = mkSubnet "10.80.3.0/24" "fd00:80:3::/64";
-      domain = "guest.sbruder.de";
+      domain = "guest.shinonome-lab.de";
     };
     iot = {
       id = 40;
       subnet = mkSubnet "10.80.4.0/24" "fd00:80:4::/64";
-      domain = "iot.sbruder.de";
+      domain = "iot.shinonome-lab.de";
     };
   };
   tc = {

machines/shinobu/services/snmp-exporter.nix

@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+  services.prometheus.exporters.snmp = {
+    enable = true;
+    listenAddress = config.sbruder.wireguard.home.address;
+    configurationPath = "${pkgs.prometheus-snmp-exporter.src}/snmp.yml";
+  };
+}

machines/vueko/configuration.nix

@@ -23,6 +23,7 @@
         "jufeli.de"
         "kegelschiene.net"
         "psycho-power-papagei.de"
+        "salespointframework.org"
         "sbruder.de"
       ];
       autoconfig.enable = true;

modules/authoritative-dns.nix

@@ -40,7 +40,18 @@ in
 
         log:
           - target: syslog
-            any: info
+            server: info
+            control: warning # otherwise stats gets logged every scrape
+            zone: info
+
+        mod-stats:
+          - id: custom
+            edns-presence: on
+            flag-presence: on
+            query-size: on
+            query-type: on
+            reply-size: on
+
         remote:
         ${lib.concatStrings (lib.mapAttrsToList (host: hostAddresses: ''
           - id: ${host}
@@ -70,6 +81,8 @@ in
             # dnssec
             dnssec-signing: on
             dnssec-policy: default
+            # stats
+            module: mod-stats/custom
           - id: nix-generated
             storage: /var/lib/knot/nix-zones/
             semantic-checks: on
@@ -77,6 +90,8 @@ in
             zonefile-sync: -1
             zonefile-load: difference-no-serial
             journal-content: all
+            # stats
+            module: mod-stats/custom
 
         zone:
         ${lib.concatMapStrings (domain: ''
@@ -93,6 +108,8 @@ in
           - id: default
             master: [${primaryHost}]
             acl: [primary_notify]
+            # stats
+            module: mod-stats/custom
       '');
     };
 
@@ -167,6 +184,11 @@ in
       allowedUDPPorts = [ 53 ];
     };
 
+    services.prometheus.exporters.knot = {
+      enable = true;
+      listenAddress = config.sbruder.wireguard.home.address;
+    };
+
     assertions = [
       {
         assertion = isPrimaryHost -> (lib.hasAttr "vpn.sbruder.de" cfg.generated-zones);

modules/media-mount.nix

@@ -41,8 +41,8 @@ lib.mkIf config.sbruder.gui.enable {
   system.fsPackages = with pkgs; [ sshfs ];
 
   fileSystems = {
-    "/home/simon/mounts/media" = mkMount "media@fuuko.home.sbruder.de:/data/cold/media" { };
-    "/home/simon/mounts/torrent" = mkMount "media@fuuko.home.sbruder.de:/data/hot/torrent" { };
+    "/home/simon/mounts/media" = mkMount "media@fuuko.lan.shinonome-lab.de:/data/cold/media" { };
+    "/home/simon/mounts/torrent" = mkMount "media@fuuko.lan.shinonome-lab.de:/data/hot/torrent" { };
     "/home/simon/mounts/storagebox" = mkMount "u313368@personal.storagebox.sbruder.de:" {
       port = 23;
       ro = false;

modules/pipewire.nix

@@ -13,6 +13,7 @@ lib.mkIf config.sbruder.gui.enable {
       enable = true;
       support32Bit = true;
     };
+    jack.enable = true;
   };
 
   environment.systemPackages = with pkgs; [

modules/ssh.nix

@@ -19,7 +19,7 @@
     };
 
     hitagi = {
-      hostNames = [ "hitagi" "hitagi.home.sbruder.de" "hitagi.vpn.sbruder.de" ];
+      hostNames = [ "hitagi" "hitagi.lan.shinonome-lab.de" "hitagi.vpn.sbruder.de" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIg/622wS8SFlzS29TPW9li3pNdbdHNjlGb4XTyXR0QR";
     };
     # TODO: replace with vueko!
@@ -32,15 +32,15 @@
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWuJy00S4eoLsuu29HR/T1RkFs4ujqe5e4tFiEINcWn vueko";
     };
     fuuko = {
-      hostNames = [ "fuuko" "fuuko.home.sbruder.de" "fuuko.sbruder.de" "fuuko.vpn.sbruder.de" ];
+      hostNames = [ "fuuko" "fuuko.lan.shinonome-lab.de" "fuuko.sbruder.de" "fuuko.vpn.sbruder.de" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIrUqI2CZh2ipzDNVCTNdBen8IdhbddgwQzEMWoQzNB";
     };
     fuuko-initrd = {
-      hostNames = [ "[fuuko.home.sbruder.de]:2222" ];
+      hostNames = [ "[fuuko.lan.shinonome-lab.de]:2222" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxqaJgDOZ8FdY68o/r1YNlGvNatFtP86QoqV147g3Lb";
     };
     mayushii = {
-      hostNames = [ "mayushii" "mayushii.home.sbruder.de" "maushii.vpn.sbruder.de" ];
+      hostNames = [ "mayushii" "mayushii.lan.shinonome-lab.de" "maushii.vpn.sbruder.de" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKa53rGEQtBYyjGspeS8x2OZFPjLpFgm2C7+lttEKm60";
     };
     renge = {
@@ -52,7 +52,7 @@
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HmxGDJO1jkVoUdiKEC3yXrkJ1ZWn4FurGyt2UgzYu";
     };
     nunotaba = {
-      hostNames = [ "nunotaba" "nunotaba.home.sbruder.de" "nunotaba.vpn.sbruder.de" ];
+      hostNames = [ "nunotaba" "nunotaba.lan.shinonome-lab.de" "nunotaba.vpn.sbruder.de" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUEVBJcEibRdQzp0bDXpPqLGQ8vtQTKTcpGZU07W4eo";
     };
     okarin = {
@@ -64,7 +64,7 @@
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJbp0kZJEXf1gSVcBsef1Bihd5iCzhzSbjgyrC1SXXT";
     };
     shinobu = {
-      hostNames = [ "shinobu" "shinobu.home.sbruder.de" "shinobu.vpn.sbruder.de" ];
+      hostNames = [ "shinobu" "shinobu.lan.shinonome-lab.de" "shinobu.vpn.sbruder.de" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJNZPT2Mmys2nw/ovX6Z1Cb4WDAaWBWanycNwF9IEjl";
     };
     nazuna = {

modules/tools.nix

@@ -63,5 +63,8 @@
 
     # eye candy
     ccze # log coloriser
+
+    # helpers
+    rlwrap # readline wrapper
   ];
 }