From 1789d1192733942c8d24a8bae86c982e4001adb2 Mon Sep 17 00:00:00 2001 From: Jack O'Sullivan Date: Sun, 22 May 2022 23:24:57 +0100 Subject: [PATCH] nixos: Add auth DNS module (and serving from estuary) --- flake.nix | 2 +- nixos/boxes/colony.nix | 2 +- nixos/modules/_list.nix | 1 + nixos/modules/pdns.nix | 182 ++++++++++++++++++ .../vms/{estuary.nix => estuary/default.nix} | 7 +- nixos/vms/estuary/dns.nix | 89 +++++++++ 6 files changed, 278 insertions(+), 5 deletions(-) create mode 100644 nixos/modules/pdns.nix rename nixos/vms/{estuary.nix => estuary/default.nix} (93%) create mode 100644 nixos/vms/estuary/dns.nix diff --git a/flake.nix b/flake.nix index 26d744e..e72fc0c 100644 --- a/flake.nix +++ b/flake.nix @@ -95,7 +95,7 @@ nixos/installer.nix nixos/boxes/colony.nix - nixos/vms/estuary.nix + nixos/vms/estuary nixos/containers/vaultwarden.nix # Homes diff --git a/nixos/boxes/colony.nix b/nixos/boxes/colony.nix index 13ae7c2..9b56471 100644 --- a/nixos/boxes/colony.nix +++ b/nixos/boxes/colony.nix @@ -22,7 +22,7 @@ { imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; - networking.domain = "nl1.int.nul.ie"; + networking.domain = "fra1.int.nul.ie"; boot.kernelParams = [ "intel_iommu=on" ]; boot.loader.systemd-boot.configurationLimit = 20; diff --git a/nixos/modules/_list.nix b/nixos/modules/_list.nix index 5f32c5d..e65797a 100644 --- a/nixos/modules/_list.nix +++ b/nixos/modules/_list.nix @@ -12,5 +12,6 @@ containers = ./containers.nix; vms = ./vms.nix; network = ./network.nix; + pdns = ./pdns.nix; }; } diff --git a/nixos/modules/pdns.nix b/nixos/modules/pdns.nix new file mode 100644 index 0000000..b382483 --- /dev/null +++ b/nixos/modules/pdns.nix @@ -0,0 +1,182 @@ +{ lib, pkgs, config, ... }: +let + inherit (builtins) isList; + inherit (lib) mkMerge mkIf mkDefault mapAttrsToList concatMapStringsSep concatStringsSep; + inherit (lib.my) mkBoolOpt' mkOpt'; + + # Yoinked from nixos/modules/services/networking/pdns-recursor.nix + oneOrMore = type: with lib.types; either type (listOf type); + valueType = with lib.types; oneOf [ int str bool path ]; + configType = with lib.types; attrsOf (nullOr (oneOrMore valueType)); + + toBool = val: if val then "yes" else "no"; + serialize = val: with lib.types; + if str.check val then val + else if int.check val then toString val + else if path.check val then toString val + else if bool.check val then toBool val + else if isList val then (concatMapStringsSep "," serialize val) + else ""; + settingsToLines = s: concatStringsSep "\n" (mapAttrsToList (k: v: "${k}=${serialize v}") s); + + bindList = l: "{ ${concatStringsSep "; " l} }"; + bindAlsoNotify = with lib.types; mkOpt' (listOf str) [ ] "List of additional address to send DNS NOTIFY messages to."; + bindZoneOpts = with lib.types; { name, config, ... }: { + options = { + type = mkOpt' (enum [ "master" "slave" "native" ]) "native" "Zone type."; + masters = mkOpt' (listOf str) [ ] "List of masters to retrieve data from (as slave)."; + also-notify = bindAlsoNotify; + + template = mkBoolOpt' true "Whether to run the zone contents through a template for post-processing."; + text = mkOpt' (nullOr lines) null "Inline content of the zone file."; + path = mkOpt' path null "Path to zone file."; + }; + + config.path = mkIf (config.text != null) (pkgs.writeText "${name}.zone" config.text); + }; + namedZone = n: o: '' + zone "${n}" IN { + file "/run/pdns/bind-zones/${n}.zone"; + type ${o.type}; + masters ${bindList o.masters}; + also-notify ${bindList o.also-notify}; + }; + ''; + + loadZonesCommon = pkgs.writeShellScript "pdns-bind-load-common.sh" '' + loadZones() { + for z in /etc/pdns/bind-zones/*.zone; do + zoneName="$(echo "$z" | ${pkgs.gnused}/bin/sed -rn 's|/etc/pdns/bind-zones/(.*)\.zone|\1|p')" + + zDat="/var/lib/pdns/bind-zones/"$zoneName".dat" + newZonePath="$(readlink -f "$z")" + if [ ! -e "$zDat" ]; then + echo "zonePath=\"$newZonePath\"" > "$zDat" + echo "serial=$(date +%Y%m%d00)" >> "$zDat" + fi + source "$zDat" + + subSerial() { + ${pkgs.gnused}/bin/sed "s/@@SERIAL@@/$serial/g" < "$z" > /run/pdns/bind-zones/"$zoneName".zone + } + # Zone in /run won't have changed if it didn't exist + if [ "$newZonePath" != "$zonePath" ]; then + echo "$zoneName has changed; incrementing serial..." + ((serial++)) + echo "zonePath=\"$newZonePath\"" > "$zDat" + echo "serial=$serial" >> "$zDat" + + subSerial + if [ "$1" = reload ]; then + echo "Reloading $zoneName" + ${pkgs.pdns}/bin/pdns_control bind-reload-now "$zoneName" + fi + elif [ "$1" != reload ]; then + subSerial + fi + done + } + ''; + + cfg = config.my.pdns; + + namedConf = pkgs.writeText "pdns-named.conf" '' + options { + directory "/run/pdns/bind-zones"; + also-notify ${bindList cfg.auth.bind.options.also-notify}; + }; + + ${concatStringsSep "\n" (mapAttrsToList namedZone cfg.auth.bind.zones)} + ''; + + templateZone = n: s: pkgs.runCommand "${n}.zone" { + passAsFile = [ "script" ]; + script = '' + import re + import ipaddress + import sys + + def ptr(m): + ip = ipaddress.ip_address(m.group(1)) + return '.'.join(ip.reverse_pointer.split('.')[:int(m.group(2))]) + ex = re.compile(r'@@PTR:(.+):(\d+)@@') + + for line in sys.stdin: + print(ex.sub(ptr, line), end=''') + ''; + } '' + ${pkgs.python310}/bin/python "$scriptPath" < "${s}" > "$out" + ''; + zones = pkgs.linkFarm "pdns-bind-zones" (mapAttrsToList (n: o: rec { + name = "${n}.zone"; + path = if o.template then templateZone n o.path else o.path; + }) cfg.auth.bind.zones); +in +{ + options.my.pdns = with lib.types; { + auth = { + enable = mkBoolOpt' false "Whether to enable PowerDNS authoritative nameserver."; + settings = mkOpt' configType { } "Authoritative server settings."; + + bind = { + options = { + also-notify = bindAlsoNotify; + }; + zones = mkOpt' (attrsOf (submodule bindZoneOpts)) { } "BIND-style zones definitions."; + }; + }; + }; + + config = mkMerge [ + (mkIf cfg.auth.enable { + my = { + tmproot.persistence.config.directories = [ "/var/lib/pdns" ]; + pdns.auth.settings = { + launch = [ "bind" ]; + socket-dir = "/run/pdns"; + bind-config = namedConf; + expand-alias = mkDefault true; + }; + }; + + environment = { + # For pdns_control etc + systemPackages = with pkgs; [ + pdns + ]; + + etc."pdns/bind-zones".source = "${zones}/*"; + }; + + systemd.services.pdns = { + preStart = '' + source ${loadZonesCommon} + + mkdir /run/pdns/bind-zones + mkdir -p /var/lib/pdns/bind-zones + loadZones start + ''; + + # pdns reloads existing zones, so the only trigger will be if the zone files themselves change. If any new zones + # are added or removed, named.conf will change, in turn changing the overall pdns settings and causing pdns to + # get fully restarted + reload = '' + source ${loadZonesCommon} + + loadZones reload + ''; + + reloadTriggers = [ zones ]; + serviceConfig = { + RuntimeDirectory = "pdns"; + StateDirectory = "pdns"; + }; + }; + + services.powerdns = { + enable = true; + extraConfig = settingsToLines cfg.auth.settings; + }; + }) + ]; +} diff --git a/nixos/vms/estuary.nix b/nixos/vms/estuary/default.nix similarity index 93% rename from nixos/vms/estuary.nix rename to nixos/vms/estuary/default.nix index 48c7778..7740316 100644 --- a/nixos/vms/estuary.nix +++ b/nixos/vms/estuary/default.nix @@ -14,17 +14,17 @@ ipv6.address = "2a0e:97c0:4d1:0::1"; }; - configuration = { lib, pkgs, modulesPath, config, systems, assignments, ... }: + configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }: let inherit (lib) mkIf mkMerge mkForce; inherit (lib.my) networkdAssignment; in { - imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; + imports = [ "${modulesPath}/profiles/qemu-guest.nix" ./dns.nix ]; config = mkMerge [ { - networking.domain = "nl1.int.nul.ie"; + networking.domain = "fra1.int.nul.ie"; boot.kernelParams = [ "console=ttyS0,115200n8" ]; fileSystems = { @@ -42,6 +42,7 @@ neededForBoot = true; }; }; + services = { lvm = { dmeventd.enable = true; diff --git a/nixos/vms/estuary/dns.nix b/nixos/vms/estuary/dns.nix new file mode 100644 index 0000000..78f9b00 --- /dev/null +++ b/nixos/vms/estuary/dns.nix @@ -0,0 +1,89 @@ +{ lib, config, allAssignments, ... }: +let + inherit (lib) concatStringsSep concatMapStringsSep mapAttrsToList filterAttrs optional; +in +{ + config = { + networking.domain = "fra1.int.nul.ie"; + my.pdns.auth = { + enable = true; + settings = { + primary = true; + expand-alias = true; + local-address = [ + "127.0.0.1:5353" "[::]:5353" + ] ++ (optional (!config.my.build.isDevVM) "192.168.122.126"); + }; + + bind.zones = + let + genRecords = f: + concatStringsSep + "\n" + (mapAttrsToList + (_: as: f as.internal) + (filterAttrs (_: as: as ? "internal" && as.internal.visible) allAssignments)); + + intRecords = + genRecords (a: '' + ${a.name} IN A ${a.ipv4.address} + ${a.name} IN AAAA ${a.ipv6.address} + ${concatMapStringsSep "\n" (alt: "${alt} IN CNAME ${a.name}") a.altNames} + ''); + intPtrRecords = + genRecords (a: ''@@PTR:${a.ipv4.address}:2@@ IN PTR ${a.name}.${config.networking.domain}.''); + intPtr6Records = + genRecords (a: ''@@PTR:${a.ipv6.address}:20@@ IN PTR ${a.name}.${config.networking.domain}.''); + in + { + "${config.networking.domain}" = { + type = "master"; + text = '' + $TTL 60 + @ IN SOA ns.${config.networking.domain}. hostmaster.${config.networking.domain}. ( + @@SERIAL@@ ; serial + 3h ; refresh + 1h ; retry + 1w ; expire + 1h ; minimum + ) + + @ IN ALIAS ${config.networking.fqdn}. + + ${intRecords} + ''; + }; + "100.10.in-addr.arpa" = { + type = "master"; + text = '' + $TTL 60 + @ IN SOA ns.${config.networking.domain}. hostmaster.${config.networking.domain}. ( + @@SERIAL@@ ; serial + 3h ; refresh + 1h ; retry + 1w ; expire + 1h ; minimum + ) + + ${intPtrRecords} + ''; + }; + "1.d.4.0.0.c.7.9.e.0.a.2.ip6.arpa" = { + type = "master"; + text = '' + $TTL 60 + @ IN SOA ns.${config.networking.domain}. hostmaster.${config.networking.domain}. ( + @@SERIAL@@ ; serial + 3h ; refresh + 1h ; retry + 1w ; expire + 1h ; minimum + ) + + ${intPtr6Records} + ''; + }; + }; + }; + }; +}