nixos: Add auth DNS module (and serving from estuary)

2022-05-22 23:24:57 +01:00
parent b504f11c6b
commit 1789d11927
6 changed files with 278 additions and 5 deletions
--- a/nixos/vms/estuary/default.nix
+++ b/nixos/vms/estuary/default.nix
@@ -0,0 +1,118 @@
+{
+  nixos.systems.estuary = {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+    home-manager = "unstable";
+
+    assignments.internal = {
+      name = "estuary-vm";
+      altNames = [ "fw" ];
+      ipv4 = {
+        address = "10.100.0.1";
+        gateway = null;
+      };
+      ipv6.address = "2a0e:97c0:4d1:0::1";
+    };
+
+    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
+      let
+        inherit (lib) mkIf mkMerge mkForce;
+        inherit (lib.my) networkdAssignment;
+      in
+      {
+        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ./dns.nix ];
+
+        config = mkMerge [
+          {
+            networking.domain = "fra1.int.nul.ie";
+
+            boot.kernelParams = [ "console=ttyS0,115200n8" ];
+            fileSystems = {
+              "/boot" = {
+                device = "/dev/disk/by-label/ESP";
+                fsType = "vfat";
+              };
+              "/nix" = {
+                device = "/dev/main/nix";
+                fsType = "ext4";
+              };
+              "/persist" = {
+                device = "/dev/main/persist";
+                fsType = "ext4";
+                neededForBoot = true;
+              };
+            };
+
+            services = {
+              lvm = {
+                dmeventd.enable = true;
+              };
+            };
+
+            systemd.network = {
+              links = {
+                "10-wan" = {
+                  matchConfig.MACAddress = "52:54:00:a1:b2:5f";
+                  linkConfig.Name = "wan";
+                };
+                "10-base" = {
+                  matchConfig.MACAddress = "52:54:00:ab:f1:52";
+                  linkConfig.Name = "base";
+                };
+              };
+
+              networks = {
+                #"80-wan" = {
+                #  matchConfig.Name = "wan";
+                #  address = [
+                #    "1.2.3.4/24"
+                #    "2a00::2/64"
+                #  ];
+                #};
+                "80-wan" = {
+                  matchConfig.Name = "wan";
+                  DHCP = "ipv4";
+                };
+                "80-base" = mkMerge [
+                  (networkdAssignment "base" assignments.internal)
+                  {
+                    networkConfig = {
+                      IPv6AcceptRA = mkForce false;
+                      IPv6SendRA = true;
+                      IPMasquerade = "both";
+                    };
+                    ipv6SendRAConfig.DNS = [ assignments.internal.ipv6.address ];
+                    ipv6Prefixes = [
+                      {
+                        ipv6PrefixConfig.Prefix = "2a0e:97c0:4d1:0::/64";
+                      }
+                    ];
+                  }
+                ];
+              };
+            };
+
+            my = {
+              server.enable = true;
+
+              firewall = {
+                trustedInterfaces = [ "base" ];
+                nat = {
+                  enable = true;
+                  externalInterface = "wan";
+                };
+              };
+            };
+          }
+          (mkIf config.my.build.isDevVM {
+            systemd.network = {
+              netdevs."05-dummy-base".netdevConfig = {
+                Name = "base";
+                Kind = "dummy";
+              };
+            };
+          })
+        ];
+      };
+  };
+}
--- a/nixos/vms/estuary/dns.nix
+++ b/nixos/vms/estuary/dns.nix
@@ -0,0 +1,89 @@
+{ lib, config, allAssignments, ... }:
+let
+  inherit (lib) concatStringsSep concatMapStringsSep mapAttrsToList filterAttrs optional;
+in
+{
+  config = {
+    networking.domain = "fra1.int.nul.ie";
+    my.pdns.auth = {
+      enable = true;
+      settings = {
+        primary = true;
+        expand-alias = true;
+        local-address = [
+          "127.0.0.1:5353" "[::]:5353"
+        ] ++ (optional (!config.my.build.isDevVM) "192.168.122.126");
+      };
+
+      bind.zones =
+      let
+        genRecords = f:
+          concatStringsSep
+            "\n"
+            (mapAttrsToList
+              (_: as: f as.internal)
+              (filterAttrs (_: as: as ? "internal" && as.internal.visible) allAssignments));
+
+        intRecords =
+          genRecords (a: ''
+            ${a.name} IN A ${a.ipv4.address}
+            ${a.name} IN AAAA ${a.ipv6.address}
+            ${concatMapStringsSep "\n" (alt: "${alt} IN CNAME ${a.name}") a.altNames}
+          '');
+        intPtrRecords =
+          genRecords (a: ''@@PTR:${a.ipv4.address}:2@@ IN PTR ${a.name}.${config.networking.domain}.'');
+        intPtr6Records =
+          genRecords (a: ''@@PTR:${a.ipv6.address}:20@@ IN PTR ${a.name}.${config.networking.domain}.'');
+      in
+      {
+        "${config.networking.domain}" = {
+          type = "master";
+          text = ''
+            $TTL 60
+            @ IN SOA ns.${config.networking.domain}. hostmaster.${config.networking.domain}. (
+                @@SERIAL@@ ; serial
+                3h ; refresh
+                1h ; retry
+                1w ; expire
+                1h ; minimum
+              )
+
+            @ IN ALIAS ${config.networking.fqdn}.
+
+            ${intRecords}
+          '';
+        };
+        "100.10.in-addr.arpa" = {
+          type = "master";
+          text = ''
+            $TTL 60
+            @ IN SOA ns.${config.networking.domain}. hostmaster.${config.networking.domain}. (
+                @@SERIAL@@ ; serial
+                3h ; refresh
+                1h ; retry
+                1w ; expire
+                1h ; minimum
+              )
+
+            ${intPtrRecords}
+          '';
+        };
+        "1.d.4.0.0.c.7.9.e.0.a.2.ip6.arpa" = {
+          type = "master";
+          text = ''
+            $TTL 60
+            @ IN SOA ns.${config.networking.domain}. hostmaster.${config.networking.domain}. (
+                @@SERIAL@@ ; serial
+                3h ; refresh
+                1h ; retry
+                1w ; expire
+                1h ; minimum
+              )
+
+            ${intPtr6Records}
+          '';
+        };
+      };
+    };
+  };
+}