This repository has been archived on 2023-12-26. You can view files and clone it, but cannot push or open issues or pull requests.
Latest commit 788939d8cf by Pim Kunis, 2023-10-26 19:59:51 +02:00: add nix flake for development; remove secret service usage with password in home dir; replace hermes mounted dir with data disk; pin terraform libvirt provider due to SSH issue; hard-code ssh known host file.

Hermes

Hermes is the virtual machine that performs DHCP and DNS on our DMZ network. It also acts as an SSH certificate authority.

The VM is provisioned using Terraform and configured using Ansible.

Motivation

The VMs on our DMZ might need to contact each other. For example, one VM wants to clone a repository from the git server. However, because our home network is NATed, a DNS lookup of these servers returns our public IP address. This will in general not work, because the public IP address is only assigned to the WAN port of the router.

One solution is to have the router overwrite DNS answers for requests from the DMZ that query these VMs. However, then the router needs to operate on the DMZ VLAN, which is not ideal in terms of security. Additionally, it would be nice to define the DNS in the DMZ as infrastructure as code.

This solution creates a separate VM on the DMZ that acts as the DNS and DHCP server. Concretely, Dnsmasq does DHCPv4 and assigns DNS names according to hostnames and MAC addresses. Additionally, it tries to match IPv6 addresses using the SLAAC algorithm in order to incorporate them as AAAA records in DNS as well (using ra-names). Dnsmasq also overrides the public IP address with 192.168.30.3 to solve the problem above.
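To make the two mechanisms in the paragraph above concrete, here is an added example (not code from the Hermes repository) that models what the DNS side of such a server does: it derives the SLAAC address that ra-names guesses for a DHCPv4 lease by combining the DMZ /64 prefix with the lease's MAC address (modified EUI-64), builds A and AAAA records from a lease table, and applies the "answer with 192.168.30.3 instead of the public IP" rule for the listed domains. The host names, MAC addresses and leases are constructed sample data, not the real DMZ hosts.

```python
"""Model of the records a dnsmasq-style DHCP/DNS server serves for the DMZ.

Added example, not part of the Hermes repository. Prefix, domains and the
override target are taken from the README; leases are constructed samples.
"""
import ipaddress
from dataclasses import dataclass

DMZ_PREFIX = ipaddress.IPv6Network("2a02:58:19a:f730::/64")  # DMZ IPv6 prefix from the README
OVERRIDE_DOMAINS = ("geokunis2.nl", "pizzapim.nl", "pim.kunis.nl", "dmz")
OVERRIDE_TARGET = ipaddress.IPv4Address("192.168.30.3")  # README: public IP is rewritten to this


@dataclass(frozen=True)
class Lease:
    """One DHCPv4 lease as dnsmasq would record it (MAC, hostname, IPv4)."""
    mac: str
    hostname: str
    ipv4: str


# Constructed sample leases (assumption: not the real DMZ hosts or MACs)
SAMPLE_LEASES = [
    Lease("52:54:00:12:34:56", "git", "192.168.30.10"),
    Lease("52:54:00:ab:cd:ef", "web", "192.168.30.11"),
]


def eui64_interface_id(mac: str) -> int:
    """RFC 4291 modified EUI-64: insert ff:fe in the middle, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # universal/local bit is inverted in the interface identifier
    return int.from_bytes(eui, "big")


def slaac_address(mac: str, prefix: ipaddress.IPv6Network = DMZ_PREFIX) -> ipaddress.IPv6Address:
    """The address a host forms with plain SLAAC: prefix + EUI-64 identifier."""
    if prefix.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def build_records(leases, local_domain="dmz"):
    """A and AAAA records for each lease, as bare hostname and hostname.<domain>.

    The AAAA value is the ra-names guess; real dnsmasq only publishes it after
    an ICMPv6 echo to that address is answered, so hosts using privacy or
    stable-privacy addresses (RFC 4941 / RFC 7217) will not get a AAAA record.
    """
    records = {}
    for lease in leases:
        for name in (lease.hostname, f"{lease.hostname}.{local_domain}"):
            records[name.lower()] = {
                "A": ipaddress.IPv4Address(lease.ipv4),
                "AAAA": slaac_address(lease.mac),
            }
    return records


def resolve(name, rtype, records):
    """Lease records win; A queries under the override domains get the DMZ address.

    Returns None where dnsmasq would answer NODATA/NXDOMAIN or forward upstream.
    """
    name = name.rstrip(".").lower()
    if name in records:
        return records[name].get(rtype)
    in_override = any(name == d or name.endswith("." + d) for d in OVERRIDE_DOMAINS)
    if rtype == "A" and in_override:
        return OVERRIDE_TARGET  # instead of the public IP the outside world sees
    return None


if __name__ == "__main__":
    recs = build_records(SAMPLE_LEASES)
    for q in ("git", "git.dmz", "web.dmz", "git.geokunis2.nl"):
        print(q, resolve(q, "A", recs), resolve(q, "AAAA", recs))
```

The point worth noticing is the last line of `resolve`: only names under the listed domains are rewritten, so the server still behaves as a normal resolver for everything else, and the rewrite applies to A records only, which is exactly why the IPv6 side has to be handled separately through the SLAAC guess.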

What is needed from the router:

  • A static IPv4 address on the DMZ interface (192.168.30.1/24).
  • A static IPv6 address on the DMZ interface (2a02:58:19a:f730::1/64).
  • DNS domain override for geokunis2.nl, pizzapim.nl, pim.kunis.nl and dmz to 192.18.30.7.
  • Unmanaged (SLAAC) IPv6 router advertisements on the DMZ interface.