nixos: Add auth DNS module (and serving from estuary)

2022-05-22 23:24:57 +01:00 · 2022-05-22 23:24:57 +01:00 · 1789d11927
commit 1789d11927
parent b504f11c6b
6 changed files with 278 additions and 5 deletions
--- a/flake.nix
+++ b/flake.nix
@ -95,7 +95,7 @@
        nixos/installer.nix

        nixos/boxes/colony.nix
-        nixos/vms/estuary.nix
+        nixos/vms/estuary
        nixos/containers/vaultwarden.nix

        # Homes
--- a/nixos/boxes/colony.nix
+++ b/nixos/boxes/colony.nix
@ -22,7 +22,7 @@
      {
        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];

-        networking.domain = "nl1.int.nul.ie";
+        networking.domain = "fra1.int.nul.ie";

        boot.kernelParams = [ "intel_iommu=on" ];
        boot.loader.systemd-boot.configurationLimit = 20;
--- a/nixos/modules/_list.nix
+++ b/nixos/modules/_list.nix
@ -12,5 +12,6 @@
    containers = ./containers.nix;
    vms = ./vms.nix;
    network = ./network.nix;
+    pdns = ./pdns.nix;
  };
 }
--- a/nixos/modules/pdns.nix
+++ b/nixos/modules/pdns.nix
@ -0,0 +1,182 @@
+{ lib, pkgs, config, ... }:
+let
+  inherit (builtins) isList;
+  inherit (lib) mkMerge mkIf mkDefault mapAttrsToList concatMapStringsSep concatStringsSep;
+  inherit (lib.my) mkBoolOpt' mkOpt';
+
+  # Yoinked from nixos/modules/services/networking/pdns-recursor.nix
+  oneOrMore  = type: with lib.types; either type (listOf type);
+  valueType  = with lib.types; oneOf [ int str bool path ];
+  configType = with lib.types; attrsOf (nullOr (oneOrMore valueType));
+
+  toBool    = val: if val then "yes" else "no";
+  serialize = val: with lib.types;
+          if str.check       val then val
+    else if int.check       val then toString val
+    else if path.check      val then toString val
+    else if bool.check      val then toBool val
+    else if isList          val then (concatMapStringsSep "," serialize val)
+    else "";
+  settingsToLines = s: concatStringsSep "\n" (mapAttrsToList (k: v: "${k}=${serialize v}") s);
+
+  bindList = l: "{ ${concatStringsSep "; " l} }";
+  bindAlsoNotify = with lib.types; mkOpt' (listOf str) [ ] "List of additional address to send DNS NOTIFY messages to.";
+  bindZoneOpts = with lib.types; { name, config, ... }: {
+    options = {
+      type = mkOpt' (enum [ "master" "slave" "native" ]) "native" "Zone type.";
+      masters = mkOpt' (listOf str) [ ] "List of masters to retrieve data from (as slave).";
+      also-notify = bindAlsoNotify;
+
+      template = mkBoolOpt' true "Whether to run the zone contents through a template for post-processing.";
+      text = mkOpt' (nullOr lines) null "Inline content of the zone file.";
+      path = mkOpt' path null "Path to zone file.";
+    };
+
+    config.path = mkIf (config.text != null) (pkgs.writeText "${name}.zone" config.text);
+  };
+  namedZone = n: o: ''
+    zone "${n}" IN {
+      file "/run/pdns/bind-zones/${n}.zone";
+      type ${o.type};
+      masters ${bindList o.masters};
+      also-notify ${bindList o.also-notify};
+    };
+  '';
+
+  loadZonesCommon = pkgs.writeShellScript "pdns-bind-load-common.sh" ''
+    loadZones() {
+      for z in /etc/pdns/bind-zones/*.zone; do
+        zoneName="$(echo "$z" | ${pkgs.gnused}/bin/sed -rn 's|/etc/pdns/bind-zones/(.*)\.zone|\1|p')"
+
+        zDat="/var/lib/pdns/bind-zones/"$zoneName".dat"
+        newZonePath="$(readlink -f "$z")"
+        if [ ! -e "$zDat" ]; then
+          echo "zonePath=\"$newZonePath\"" > "$zDat"
+          echo "serial=$(date +%Y%m%d00)" >> "$zDat"
+        fi
+        source "$zDat"
+
+        subSerial() {
+          ${pkgs.gnused}/bin/sed "s/@@SERIAL@@/$serial/g" < "$z" > /run/pdns/bind-zones/"$zoneName".zone
+        }
+        # Zone in /run won't have changed if it didn't exist
+        if [ "$newZonePath" != "$zonePath" ]; then
+          echo "$zoneName has changed; incrementing serial..."
+          ((serial++))
+          echo "zonePath=\"$newZonePath\"" > "$zDat"
+          echo "serial=$serial" >> "$zDat"
+
+          subSerial
+          if [ "$1" = reload ]; then
+            echo "Reloading $zoneName"
+            ${pkgs.pdns}/bin/pdns_control bind-reload-now "$zoneName"
+          fi
+        elif [ "$1" != reload ]; then
+          subSerial
+        fi
+      done
+    }
+  '';
+
+  cfg = config.my.pdns;
+
+  namedConf = pkgs.writeText "pdns-named.conf" ''
+    options {
+      directory "/run/pdns/bind-zones";
+      also-notify ${bindList cfg.auth.bind.options.also-notify};
+    };
+
+    ${concatStringsSep "\n" (mapAttrsToList namedZone cfg.auth.bind.zones)}
+  '';
+
+  templateZone = n: s: pkgs.runCommand "${n}.zone" {
+    passAsFile = [ "script" ];
+    script = ''
+      import re
+      import ipaddress
+      import sys
+
+      def ptr(m):
+        ip = ipaddress.ip_address(m.group(1))
+        return '.'.join(ip.reverse_pointer.split('.')[:int(m.group(2))])
+      ex = re.compile(r'@@PTR:(.+):(\d+)@@')
+
+      for line in sys.stdin:
+        print(ex.sub(ptr, line), end=''')
+    '';
+  } ''
+    ${pkgs.python310}/bin/python "$scriptPath" < "${s}" > "$out"
+  '';
+  zones = pkgs.linkFarm "pdns-bind-zones" (mapAttrsToList (n: o: rec {
+    name = "${n}.zone";
+    path = if o.template then templateZone n o.path else o.path;
+  }) cfg.auth.bind.zones);
+in
+{
+  options.my.pdns = with lib.types; {
+    auth = {
+      enable = mkBoolOpt' false "Whether to enable PowerDNS authoritative nameserver.";
+      settings = mkOpt' configType { } "Authoritative server settings.";
+
+      bind = {
+        options = {
+          also-notify = bindAlsoNotify;
+        };
+        zones = mkOpt' (attrsOf (submodule bindZoneOpts)) { } "BIND-style zones definitions.";
+      };
+    };
+  };
+
+  config = mkMerge [
+    (mkIf cfg.auth.enable {
+      my = {
+        tmproot.persistence.config.directories = [ "/var/lib/pdns" ];
+        pdns.auth.settings = {
+          launch = [ "bind" ];
+          socket-dir = "/run/pdns";
+          bind-config = namedConf;
+          expand-alias = mkDefault true;
+        };
+      };
+
+      environment = {
+        # For pdns_control etc
+        systemPackages = with pkgs; [
+          pdns
+        ];
+
+        etc."pdns/bind-zones".source = "${zones}/*";
+      };
+
+      systemd.services.pdns = {
+        preStart = ''
+          source ${loadZonesCommon}
+
+          mkdir /run/pdns/bind-zones
+          mkdir -p /var/lib/pdns/bind-zones
+          loadZones start
+        '';
+
+        # pdns reloads existing zones, so the only trigger will be if the zone files themselves change. If any new zones
+        # are added or removed, named.conf will change, in turn changing the overall pdns settings and causing pdns to
+        # get fully restarted
+        reload = ''
+          source ${loadZonesCommon}
+
+          loadZones reload
+        '';
+
+        reloadTriggers = [ zones ];
+        serviceConfig = {
+          RuntimeDirectory = "pdns";
+          StateDirectory = "pdns";
+        };
+      };
+
+      services.powerdns = {
+        enable = true;
+        extraConfig = settingsToLines cfg.auth.settings;
+      };
+    })
+  ];
+}
--- a/nixos/vms/estuary/default.nix
+++ b/nixos/vms/estuary/default.nix
@ -14,17 +14,17 @@
      ipv6.address = "2a0e:97c0:4d1:0::1";
    };

-    configuration = { lib, pkgs, modulesPath, config, systems, assignments, ... }:
+    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
      let
        inherit (lib) mkIf mkMerge mkForce;
        inherit (lib.my) networkdAssignment;
      in
      {
-        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
+        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ./dns.nix ];

        config = mkMerge [
          {
-            networking.domain = "nl1.int.nul.ie";
+            networking.domain = "fra1.int.nul.ie";

            boot.kernelParams = [ "console=ttyS0,115200n8" ];
            fileSystems = {
@ -42,6 +42,7 @@
                neededForBoot = true;
              };
            };
+
            services = {
              lvm = {
                dmeventd.enable = true;
--- a/nixos/vms/estuary/dns.nix
+++ b/nixos/vms/estuary/dns.nix
@ -0,0 +1,89 @@
+{ lib, config, allAssignments, ... }:
+let
+  inherit (lib) concatStringsSep concatMapStringsSep mapAttrsToList filterAttrs optional;
+in
+{
+  config = {
+    networking.domain = "fra1.int.nul.ie";
+    my.pdns.auth = {
+      enable = true;
+      settings = {
+        primary = true;
+        expand-alias = true;
+        local-address = [
+          "127.0.0.1:5353" "[::]:5353"
+        ] ++ (optional (!config.my.build.isDevVM) "192.168.122.126");
+      };
+
+      bind.zones =
+      let
+        genRecords = f:
+          concatStringsSep
+            "\n"
+            (mapAttrsToList
+              (_: as: f as.internal)
+              (filterAttrs (_: as: as ? "internal" && as.internal.visible) allAssignments));
+
+        intRecords =
+          genRecords (a: ''
+            ${a.name} IN A ${a.ipv4.address}
+            ${a.name} IN AAAA ${a.ipv6.address}
+            ${concatMapStringsSep "\n" (alt: "${alt} IN CNAME ${a.name}") a.altNames}
+          '');
+        intPtrRecords =
+          genRecords (a: ''@@PTR:${a.ipv4.address}:2@@ IN PTR ${a.name}.${config.networking.domain}.'');
+        intPtr6Records =
+          genRecords (a: ''@@PTR:${a.ipv6.address}:20@@ IN PTR ${a.name}.${config.networking.domain}.'');
+      in
+      {
+        "${config.networking.domain}" = {
+          type = "master";
+          text = ''
+            $TTL 60
+            @ IN SOA ns.${config.networking.domain}. hostmaster.${config.networking.domain}. (
+                @@SERIAL@@ ; serial
+                3h ; refresh
+                1h ; retry
+                1w ; expire
+                1h ; minimum
+              )
+
+            @ IN ALIAS ${config.networking.fqdn}.
+
+            ${intRecords}
+          '';
+        };
+        "100.10.in-addr.arpa" = {
+          type = "master";
+          text = ''
+            $TTL 60
+            @ IN SOA ns.${config.networking.domain}. hostmaster.${config.networking.domain}. (
+                @@SERIAL@@ ; serial
+                3h ; refresh
+                1h ; retry
+                1w ; expire
+                1h ; minimum
+              )
+
+            ${intPtrRecords}
+          '';
+        };
+        "1.d.4.0.0.c.7.9.e.0.a.2.ip6.arpa" = {
+          type = "master";
+          text = ''
+            $TTL 60
+            @ IN SOA ns.${config.networking.domain}. hostmaster.${config.networking.domain}. (
+                @@SERIAL@@ ; serial
+                3h ; refresh
+                1h ; retry
+                1w ; expire
+                1h ; minimum
+              )
+
+            ${intPtr6Records}
+          '';
+        };
+      };
+    };
+  };
+}