diff --git a/nixos/boxes/home/routing-common/default.nix b/nixos/boxes/home/routing-common/default.nix index 6785f99..0fff622 100644 --- a/nixos/boxes/home/routing-common/default.nix +++ b/nixos/boxes/home/routing-common/default.nix @@ -54,6 +54,8 @@ in inherit (lib.my) networkdAssignment; in { + imports = [ (import ./dns.nix index) ]; + config = { environment = { systemPackages = with pkgs; [ @@ -140,7 +142,7 @@ in domains = [ config.networking.domain ]; networkConfig = { IPv6AcceptRA = mkForce false; - IPv6SendRA = true; + # IPv6SendRA = true; }; ipv6SendRAConfig = { DNS = [ diff --git a/nixos/boxes/home/routing-common/dns.nix b/nixos/boxes/home/routing-common/dns.nix new file mode 100644 index 0000000..f6adc52 --- /dev/null +++ b/nixos/boxes/home/routing-common/dns.nix @@ -0,0 +1,170 @@ +index: { lib, pkgs, config, assignments, allAssignments, ... }: +let + inherit (builtins) attrNames; + inherit (lib.my) net; + inherit (lib.my.c.home) prefixes vips; + + authZones = attrNames config.my.pdns.auth.bind.zones; +in +{ + config = { + my = { + secrets.files = { + "home/pdns/auth.conf" = { + owner = "pdns"; + group = "pdns"; + }; + "home/pdns/recursor.conf" = { + owner = "pdns-recursor"; + group = "pdns-recursor"; + }; + }; + + pdns.recursor = { + enable = true; + extraSettingsFile = config.age.secrets."home/pdns/recursor.conf".path; + }; + }; + + services = { + pdns-recursor = { + dns = { + address = [ + "127.0.0.1" "::1" + assignments.hi.ipv4.address assignments.hi.ipv6.address + assignments.lo.ipv4.address assignments.lo.ipv6.address + ]; + allowFrom = [ + "127.0.0.0/8" "::1/128" + prefixes.hi.v4 prefixes.hi.v6 + prefixes.lo.v4 prefixes.lo.v6 + ]; + }; + + settings = { + query-local-address = [ + # TODO: IPv4 WAN address? + # assignments.internal.ipv4.address + # assignments.internal.ipv6.address + # assignments.hi.ipv6.address + ]; + forward-zones = map (z: "${z}=127.0.0.1:5353") authZones; + + # DNS NOTIFY messages override TTL + allow-notify-for = authZones; + allow-notify-from = [ "127.0.0.0/8" "::1/128" ]; + + webserver = true; + webserver-address = "::"; + webserver-allow-from = [ "127.0.0.1" "::1" ]; + }; + }; + }; + + # For rec_control + environment.systemPackages = with pkgs; [ + pdns-recursor + ]; + + my.pdns.auth = { + enable = true; + extraSettingsFile = config.age.secrets."home/pdns/auth.conf".path; + settings = { + primary = true; + resolver = "127.0.0.1"; + expand-alias = true; + local-address = [ + "0.0.0.0:5353" "[::]:5353" + ]; + also-notify = [ "127.0.0.1" ]; + enable-lua-records = true; + #loglevel = 7; + #log-dns-queries = true; + #log-dns-details = true; + + api = true; + webserver = true; + webserver-address = "::"; + webserver-allow-from = [ "127.0.0.1" "::1" ]; + }; + + bind.zones = + let + names = [ "core" "hi" "lo" ]; + i = toString (index + 1); + in + { + "${config.networking.domain}" = { + type = "master"; + text = '' + $TTL 60 + @ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. ( + @@SERIAL@@ ; serial + 3h ; refresh + 1h ; retry + 1w ; expire + 1h ; minimum + ) + + @ IN NS ns1 + @ IN NS ns2 + # TODO: WAN? + ns1 IN A ${net.cidr.host 1 prefixes.hi.v4} + ns2 IN A ${net.cidr.host 2 prefixes.hi.v4} + ns1 IN AAAA ${net.cidr.host 1 prefixes.hi.v6} + ns2 IN AAAA ${net.cidr.host 2 prefixes.hi.v6} + + ${lib.my.dns.fwdRecords { + inherit allAssignments names; + domain = config.networking.domain; + }} + ''; + }; + "168.192.in-addr.arpa" = { + type = "master"; + text = '' + $TTL 60 + @ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. ( + @@SERIAL@@ ; serial + 3h ; refresh + 1h ; retry + 1w ; expire + 1h ; minimum + ) + + @ IN NS ns1.${config.networking.domain}. + @ IN NS ns2.${config.networking.domain}. + + ${lib.my.dns.ptrRecords { + inherit allAssignments names; + domain = config.networking.domain; + ndots = 2; + }} + ''; + }; + "0.d.4.0.0.c.7.9.e.0.a.2.ip6.arpa" = { + type = "master"; + text = '' + $TTL 60 + @ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. ( + @@SERIAL@@ ; serial + 3h ; refresh + 1h ; retry + 1w ; expire + 1h ; minimum + ) + + @ IN NS ns1.${config.networking.domain}. + @ IN NS ns2.${config.networking.domain}. + + ${lib.my.dns.ptr6Records { + inherit allAssignments names; + domain = config.networking.domain; + ndots = 20; + }} + ''; + }; + }; + }; + }; +} diff --git a/secrets/home/pdns/auth.conf.age b/secrets/home/pdns/auth.conf.age new file mode 100644 index 0000000..7292d0e --- /dev/null +++ b/secrets/home/pdns/auth.conf.age @@ -0,0 +1,9 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXODJUY3hPLzlod3ovVGxr +eFlqMWErNEFIbHVTdHc1am4wWVJZenhxZHlVCk0zblRaOWhNS0JNcVZXL2t2L2gv +QVR2anV3YUsyeXd5RVY0MXY3Mk5PRlUKLT4gSUEqeEtzRC1ncmVhc2UgKXk2ZFEK +UW52c08xS3pzdWNFNHU1dHR3VGE5U0dhT0U4bHRvbjQ2UQotLS0gV1QvcTl1cUwx +MUFvVy95MU1GbGIzZDV5MmpFUFZkdWkvbkZWNUpSTmxYNApvECWZ2LbRFnitdSqx +f1lBim5B6fbe/3eDxk3Ft2htWfRoV2ljYuR6nPpwFj5pscF3+5hCFiLf40JQ2gnV +Q7sc/Qk/uh3hxVlgPd4= +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/home/pdns/recursor.conf.age b/secrets/home/pdns/recursor.conf.age new file mode 100644 index 0000000..0735bc6 --- /dev/null +++ b/secrets/home/pdns/recursor.conf.age @@ -0,0 +1,11 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXd082aFFvSFl2TGgxS2hY +L3pVMnM5ejBkd2d6bjhJRysyTERaYjhvdmdnCjRtbXV4L09sRDc3TTE1eWVJU2xH +Rm1IcEJUR1lxVjN2azRBUjRHRFk4UjAKLT4gYSNrXlZyLWdyZWFzZSB7dDl5IEty +CjZDK1FlNm1wK0pVakRrUkNZUDNYNlBvM0tGZ2JGcXArUHpDNGlGMUJpdUl1S20r +a3ZwUlNMcFQwcWwyWnBSSU0KMFhVM2l5Q0RUTUlQZk03bzZ3bjQxS2gxS3dINkVq +N1lydDBvYWVFNUlicTQxU2w2OGg0Ci0tLSArcnZuem9sRVVHSG1jS3dLdkdnZVZO +TnVtNnhkb3NzTnJOR2F0aVliN29JCkxvjrWBGdoQDJvs9qO7/bC+tpPspYq3GuQ1 +cYZSkaV0xgiX7BJTa5eyaaVRNSTlI/hYJlZthIgcdyz+R6UQRvziOuLGpdfKnCAq +Vw== +-----END AGE ENCRYPTED FILE-----