post(nixos): update stubby to 22.05 syntax

https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-22.05
This commit is contained in:
Ming Di Leom 2022-07-06 07:03:24 +00:00
parent 6ae6c9dacc
commit 0cb811a549
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 124 additions and 58 deletions

View File

@ -2,7 +2,7 @@
title: "Setup Caddy as a reverse proxy on NixOS (Part 2: Hardening)"
excerpt: "Part 2: Securing NixOS"
date: 2020-03-04
updated: 2020-11-09
updated: 2022-07-06
tags:
- server
- linux
@ -11,7 +11,7 @@ tags:
series: true
---
> 9 Nov 2020: Updated to NixOS 20.09 syntax.
> 6 Jul 2022: Updated to NixOS 22.05 syntax.
In this post, I show you how I securely configure the NixOS, the server OS behind this website.
@ -96,23 +96,27 @@ Combining with the previous user configs, I ended up with:
hashedPassword = "*";
};
nixos = {
group = "nixos";
hashedPassword = "xxxx";
isNormalUser = true;
extraGroups = [ "wheel" ];
};
caddyProxy = {
group = "caddyProxy";
home = "/var/lib/caddyProxy";
createHome = true;
isSystemUser = true;
group = "caddyProxy";
};
caddyTor = {
group = "caddyTor";
home = "/var/lib/caddyTor";
createHome = true;
isSystemUser = true;
group = "caddyTor";
};
tor = {
group = "tor";
home = "/var/lib/tor";
createHome = true;
isSystemUser = true;
@ -122,15 +126,10 @@ Combining with the previous user configs, I ended up with:
};
groups = {
caddyProxy = {
members = [ "caddyProxy" ];
};
caddyTor = {
members = [ "caddyTor" ];
};
tor = {
gid = config.ids.gids.tor;
};
nixos = {};
caddyProxy = {};
caddyTor = {};
tor = {};
};
};
```
@ -166,42 +165,74 @@ Once the secret is generated, TOTP can be enabled using the following config. I
Since DNS is not encrypted in transit, it risks being tampered. To resolve that, I use DNS-over-TLS which as the name implies, uses TLS to encrypt the DNS traffic. I use `stubby` which creates a DNS resolver that listens on localhost and forward DNS query to the upstream server(s) using DoT. `stubby` enables DNSSEC by default to verify authenticity of the DNS response for supported domains. (This domain mdleom.com has DNSSEC enabled through a DS record)
I use Cloudflare DNS simply because I'm already using its CDN, using other alternatives wouldn't have the privacy benefit since it already knows that a visitor is browsing this website. I add [Quad9](https://quad9.net/) as a backup. Refer to [stubby.yml](https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example) for a full list of supported servers.
I use Cloudflare DNS (simply because I'm already using its CDN) and [Quad9](https://quad9.net/) as backup. Refer to [stubby.yml](https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example) for a full list of supported servers. For Cloudflare DNS, I opt for the malware-blocking flavour, refer to the following IPs if you prefer the default flavour.
```
Source: https://developers.cloudflare.com/1.1.1.1/setup/
# No malware blocking
1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
# Malware blocking
1.1.1.2
1.0.0.2
2606:4700:4700::1112
2606:4700:4700::1002
```
``` nix
## DNS-over-TLS
services.stubby = {
enable = true;
listenAddresses = [ "0::1" "127.0.0.1" ];
roundRobinUpstreams = false;
upstreamServers =
''
## Cloudflare DNS
- address_data: 2606:4700:4700::1112
tls_auth_name: "cloudflare-dns.com"
- address_data: 2606:4700:4700::1002
tls_auth_name: "cloudflare-dns.com"
- address_data: 1.1.1.2
tls_auth_name: "cloudflare-dns.com"
- address_data: 1.0.0.2
tls_auth_name: "cloudflare-dns.com"
## Quad9
- address_data: 2620:fe::fe
tls_auth_name: "dns.quad9.net"
- address_data: 2620:fe::9
tls_auth_name: "dns.quad9.net"
- address_data: 9.9.9.9
tls_auth_name: "dns.quad9.net"
- address_data: 149.112.112.112
tls_auth_name: "dns.quad9.net"
'';
extraConfig =
''
# Set TLS 1.3 as minimum acceptable version
tls_min_version: GETDNS_TLS1_3
# Require DNSSEC validation
dnssec: GETDNS_EXTENSION_TRUE
'';
settings = {
# ::1 cause error, use 0::1 instead
listen_addresses = [ "127.0.0.1" "0::1" ];
# https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example
resolution_type = "GETDNS_RESOLUTION_STUB";
dns_transport_list = [ "GETDNS_TRANSPORT_TLS" ];
tls_authentication = "GETDNS_AUTHENTICATION_REQUIRED";
tls_query_padding_blocksize = 128;
idle_timeout = 10000;
round_robin_upstreams = 1;
tls_min_version = "GETDNS_TLS1_3";
dnssec = "GETDNS_EXTENSION_TRUE";
upstream_recursive_servers = [
{
address_data = "1.1.1.2";
tls_auth_name = "cloudflare-dns.com";
}
{
address_data = "1.0.0.2";
tls_auth_name = "cloudflare-dns.com";
}
{
address_data = "2606:4700:4700::1112";
tls_auth_name = "cloudflare-dns.com";
}
{
address_data = "2606:4700:4700::1002";
tls_auth_name = "cloudflare-dns.com";
}
{
address_data = "9.9.9.9";
tls_auth_name = "dns.quad9.net";
}
{
address_data = "149.112.112.112";
tls_auth_name = "dns.quad9.net";
}
{
address_data = "2620:fe::fe";
tls_auth_name = "dns.quad9.net";
}
{
address_data = "2620:fe::9";
tls_auth_name = "dns.quad9.net";
}
];
};
};
```
@ -477,21 +508,52 @@ Since [unattended upgrade](#Unattended-upgrade) is executed on 00:00, I delay ga
## DNS-over-TLS
services.stubby = {
enable = true;
# ::1 cause error, use 0::1 instead
listenAddresses = [ "0::1" "127.0.0.1" ];
roundRobinUpstreams = false;
upstreamServers =
''
## Cloudflare DNS
- address_data: 2606:4700:4700::1111
tls_auth_name: "cloudflare-dns.com"
- address_data: 2606:4700:4700::1001
tls_auth_name: "cloudflare-dns.com"
- address_data: 1.1.1.1
tls_auth_name: "cloudflare-dns.com"
- address_data: 1.0.0.1
tls_auth_name: "cloudflare-dns.com"
'';
settings = {
listen_addresses = [ "127.0.0.1" "0::1" ];
# https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example
resolution_type = "GETDNS_RESOLUTION_STUB";
dns_transport_list = [ "GETDNS_TRANSPORT_TLS" ];
tls_authentication = "GETDNS_AUTHENTICATION_REQUIRED";
tls_query_padding_blocksize = 128;
idle_timeout = 10000;
round_robin_upstreams = 1;
tls_min_version = "GETDNS_TLS1_3";
dnssec = "GETDNS_EXTENSION_TRUE";
upstream_recursive_servers = [
{
address_data = "1.1.1.2";
tls_auth_name = "cloudflare-dns.com";
}
{
address_data = "1.0.0.2";
tls_auth_name = "cloudflare-dns.com";
}
{
address_data = "2606:4700:4700::1112";
tls_auth_name = "cloudflare-dns.com";
}
{
address_data = "2606:4700:4700::1002";
tls_auth_name = "cloudflare-dns.com";
}
{
address_data = "9.9.9.9";
tls_auth_name = "dns.quad9.net";
}
{
address_data = "149.112.112.112";
tls_auth_name = "dns.quad9.net";
}
{
address_data = "2620:fe::fe";
tls_auth_name = "dns.quad9.net";
}
{
address_data = "2620:fe::9";
tls_auth_name = "dns.quad9.net";
}
];
};
};
networking.nameservers = [ "::1" "127.0.0.1" ];
@ -566,7 +628,11 @@ Since [unattended upgrade](#Unattended-upgrade) is executed on 00:00, I delay ga
### The rest will be explained in the next articles
## Caddy web server
require = [ /etc/caddy/caddyProxy.nix /etc/caddy/caddyTor.nix /etc/caddy/caddyI2p.nix ];
require = [
/etc/caddy/caddyProxy.nix
/etc/caddy/caddyTor.nix
/etc/caddy/caddyI2p.nix
];
services.caddyProxy = {
enable = false;
config = "/etc/caddy/caddyProxy.conf";