diff --git a/ops/nixos/bvm-radius/default.nix b/ops/nixos/bvm-radius/default.nix index fcc007a78a..e8de9a61b3 100644 --- a/ops/nixos/bvm-radius/default.nix +++ b/ops/nixos/bvm-radius/default.nix @@ -8,6 +8,7 @@ let in { imports = [ ../lib/bvm.nix + ../lib/as205479-web.nix ./radius.nix ]; @@ -28,6 +29,8 @@ in { defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; }; firewall = { + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ 443 ]; extraCommands = '' # Allow JANET inbound RADIUS traffic. # roaming0.ja.net @@ -52,12 +55,13 @@ in { acceptTerms = true; email = "letsencrypt@lukegb.com"; certs."as205479.net" = { + extraDomainNames = [ "www.as205479.net" ]; dnsProvider = "gcloud"; credentialsFile = secrets.gcpDNSCredentials; dnsPropagationCheck = false; - #postRun = '' - # systemctl restart freeradius - #''; + postRun = '' + systemctl restart freeradius + ''; }; }; diff --git a/ops/nixos/lib/as205479-web.nix b/ops/nixos/lib/as205479-web.nix new file mode 100644 index 0000000000..9ebd5bb339 --- /dev/null +++ b/ops/nixos/lib/as205479-web.nix @@ -0,0 +1,21 @@ +{ config, depot, lib, ... }: + +{ + security.acme = { + acceptTerms = true; + email = lib.mkDefault "letsencrypt@lukegb.com"; + certs."as205479.net" = { + dnsProvider = "gcloud"; + credentialsFile = depot.ops.secrets.gcpDNSCredentials; + dnsPropagationCheck = false; + }; + }; + services.nginx = { + enable = lib.mkDefault true; + virtualHosts."as205479.net" = { + useACMEHost = "as205479.net"; + forceSSL = true; + locations."/".root = depot.web.as205479 config.networking.hostName; + }; + }; +} diff --git a/ops/nixos/lib/coredns/zones/db.as205479.net b/ops/nixos/lib/coredns/zones/db.as205479.net index 6f98cf73d9..4cb246ef12 100644 --- a/ops/nixos/lib/coredns/zones/db.as205479.net +++ b/ops/nixos/lib/coredns/zones/db.as205479.net 
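Review bot: `allowedUDPPorts = [ 443 ];` opens UDP/443 in the firewall, but nothing in this change gives nginx a listener on it — the new as205479-web.nix vhost sets only `useACMEHost` and `forceSSL`, with no QUIC/HTTP3 option — so the port is exposed with no service behind it. Unless a QUIC listener is planned, drop that line and keep only `allowedTCPPorts = [ 80 443 ];`; if HTTP/3 is intended, enable the vhost listener in the same commit so the open port and the listening service stay in step. The enclosing `firewall` attribute set continues past the end of this hunk.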
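Review bot: With `../lib/as205479-web.nix` now imported in the first hunk, the `dnsProvider`, `credentialsFile` and `dnsPropagationCheck` lines in this `certs."as205479.net"` block duplicate definitions the library module already makes; they merge only because the values are identical, so a later divergence would surface as a module conflict rather than as an obvious host override. The host-specific block could be reduced to what is unique here, `extraDomainNames = [ "www.as205479.net" ];` and the `postRun` hook. A one-line comment above `postRun`, such as `# restart so FreeRADIUS presumably picks up the renewed certificate — confirm against radius.nix`, would record why a full restart rather than a reload is used, since radius.nix is not part of this diff.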
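Review bot: `virtualHosts."as205479.net"` answers only for the exact name `as205479.net`, while bvm-radius adds `www.as205479.net` to the certificate and the zone change points `www` at that host, so a request for the www name would be matched by whichever server block nginx treats as default on that port rather than by this vhost (the exact outcome depends on other vhosts the importing host defines, which are not visible here). Add `serverAliases = [ "www.as205479.net" ];` beside `useACMEHost`, or define the www name in the same module that adds it to the certificate so the two cannot drift apart. The `acceptTerms` and cert definitions here are plain values while `email` and `enable` use `lib.mkDefault`; a comment such as `# Importing hosts may re-declare this cert; values must match or the module merge errors out.` would make the intended merge contract explicit.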
@@ -3,7 +3,7 @@ ; SPDX-License-Identifier: Apache-2.0 ; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL -@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 34 600 450 3600 300 +@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 35 600 450 3600 300 ; NB: this are also glue records in Google Domains. $INCLUDE tmpl.ns @@ -14,6 +14,11 @@ $INCLUDE tmpl.ns @ 3600 IN MX 10 alt3.aspmx.l.google.com. @ 3600 IN MX 10 alt4.aspmx.l.google.com. +# bvm-radius serves HTTP(S) for root +@ 3600 IN A 92.118.28.9 +@ 3600 IN AAAA 2a09:a441::9 +www 3600 IN CNAME bvm-radius.as205479.net. + _acme-challenge 3600 IN NS ns-cloud-c1.googledomains.com. _acme-challenge 3600 IN NS ns-cloud-c2.googledomains.com. _acme-challenge 3600 IN NS ns-cloud-c3.googledomains.com. diff --git a/web/as205479/eduroam/index.html b/web/as205479/eduroam/index.html new file mode 100644 index 0000000000..c26f111a65 --- /dev/null +++ b/web/as205479/eduroam/index.html @@ -0,0 +1,19 @@ + + +
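Review bot: The added line `# bvm-radius serves HTTP(S) for root` uses `#` as a comment marker, but master-file syntax and the rest of this zone (`; SPDX-...`, `; NB: ...`) use `;`; a zone parser is most likely to read `#` as an owner name and reject the line, which would stop the zone from loading and take the domain's DNS down with it. Change it to `; bvm-radius serves HTTP(S) for root`. The serial bump in the first hunk of this file is consistent with the record additions and needs no further change.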
+ +AS205479 offers eduroam(UK) service to visiting members of institutions that are part of the eduroam confederation (aka "Visited" type service).
+This service is offered as the eduroam SSID at AS205479 home locations. Devices should support the "WPA3 Enterprise" specification - legacy "WPA2"-only devices may experience difficulty connection to AS205479-hosted SSIDs.
+Users of the service need to abide by the eduroam(UK) Policy. Violations of this policy will be reported to their home organisation.
+ +You've reached {{NODENAME}}, serving from {{DEPOT_VERSION}}.
+...is a private autonomous system operated by Luke Granger-Brown.
+ +You've reached {{NODENAME}}, serving from {{DEPOT_VERSION}}.
+