nixos/home/routing-common: Add starting DNS server

This commit is contained in:
Jack O'Sullivan 2023-11-19 14:32:23 +00:00
parent aa18ebcb3b
commit 7330b8f832
4 changed files with 193 additions and 1 deletions


@ -54,6 +54,8 @@ in
inherit (lib.my) networkdAssignment; inherit (lib.my) networkdAssignment;
in in
{ {
imports = [ (import ./dns.nix index) ];
config = { config = {
environment = { environment = {
systemPackages = with pkgs; [ systemPackages = with pkgs; [
@ -140,7 +142,7 @@ in
domains = [ config.networking.domain ]; domains = [ config.networking.domain ];
networkConfig = { networkConfig = {
IPv6AcceptRA = mkForce false; IPv6AcceptRA = mkForce false;
IPv6SendRA = true; # IPv6SendRA = true;
}; };
ipv6SendRAConfig = { ipv6SendRAConfig = {
DNS = [ DNS = [
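Review bot: The second hunk appears to turn `IPv6SendRA = true;` into `# IPv6SendRA = true;` (the rendered page dropped the +/- markers, so the direction is inferred from the one-deletion diffstat), which leaves the `ipv6SendRAConfig` block and its `DNS = [` list below it still configured but, with IPv6SendRA presumably back at its networkd default of off, no longer advertised. If this is intentional while the new dns.nix recursor is brought up, a why-comment on that line would stop the setting being re-enabled by accident or, conversely, being mistaken for dead code, e.g. `# IPv6SendRA = true; # TODO: re-enable once the recursor in dns.nix is serving`. If RA advertisement is still wanted, the line should stay active rather than commented. The enclosing networkd unit starts and ends outside the hunk, so the RA prefix sections it may also carry are not visible here.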


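--- /dev/null
+++ b/nixos/home/routing-common/dns.nix
@@ -0,0 +1,170 @@
+index: { lib, pkgs, config, assignments, allAssignments, ... }:
+let
+inherit (builtins) attrNames;
+inherit (lib.my) net;
+inherit (lib.my.c.home) prefixes vips;
+authZones = attrNames config.my.pdns.auth.bind.zones;
+in
+{
+config = {
+my = {
+secrets.files = {
+"home/pdns/auth.conf" = {
+owner = "pdns";
+group = "pdns";
+};
+"home/pdns/recursor.conf" = {
+owner = "pdns-recursor";
+group = "pdns-recursor";
+};
+};
+pdns.recursor = {
+enable = true;
+extraSettingsFile = config.age.secrets."home/pdns/recursor.conf".path;
+};
+};
+services = {
+pdns-recursor = {
+dns = {
+address = [
+"127.0.0.1" "::1"
+assignments.hi.ipv4.address assignments.hi.ipv6.address
+assignments.lo.ipv4.address assignments.lo.ipv6.address
+];
+allowFrom = [
+"127.0.0.0/8" "::1/128"
+prefixes.hi.v4 prefixes.hi.v6
+prefixes.lo.v4 prefixes.lo.v6
+];
+};
+settings = {
+query-local-address = [
+# TODO: IPv4 WAN address?
+# assignments.internal.ipv4.address
+# assignments.internal.ipv6.address
+# assignments.hi.ipv6.address
+];
+forward-zones = map (z: "${z}=127.0.0.1:5353") authZones;
+# DNS NOTIFY messages override TTL
+allow-notify-for = authZones;
+allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
+webserver = true;
+webserver-address = "::";
+webserver-allow-from = [ "127.0.0.1" "::1" ];
+};
+};
+};
+# For rec_control
+environment.systemPackages = with pkgs; [
+pdns-recursor
+];
+my.pdns.auth = {
+enable = true;
+extraSettingsFile = config.age.secrets."home/pdns/auth.conf".path;
+settings = {
+primary = true;
+resolver = "127.0.0.1";
+expand-alias = true;
+local-address = [
+"0.0.0.0:5353" "[::]:5353"
+];
+also-notify = [ "127.0.0.1" ];
+enable-lua-records = true;
+#loglevel = 7;
+#log-dns-queries = true;
+#log-dns-details = true;
+api = true;
+webserver = true;
+webserver-address = "::";
+webserver-allow-from = [ "127.0.0.1" "::1" ];
+};
+bind.zones =
+let
+names = [ "core" "hi" "lo" ];
+i = toString (index + 1);
+in
+{
+"${config.networking.domain}" = {
+type = "master";
+text = ''
+$TTL 60
+@ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. (
+@@SERIAL@@ ; serial
+3h ; refresh
+1h ; retry
+1w ; expire
+1h ; minimum
+)
+@ IN NS ns1
+@ IN NS ns2
+# TODO: WAN?
+ns1 IN A ${net.cidr.host 1 prefixes.hi.v4}
+ns2 IN A ${net.cidr.host 2 prefixes.hi.v4}
+ns1 IN AAAA ${net.cidr.host 1 prefixes.hi.v6}
+ns2 IN AAAA ${net.cidr.host 2 prefixes.hi.v6}
+${lib.my.dns.fwdRecords {
+inherit allAssignments names;
+domain = config.networking.domain;
+}}
+'';
+};
+"168.192.in-addr.arpa" = {
+type = "master";
+text = ''
+$TTL 60
+@ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. (
+@@SERIAL@@ ; serial
+3h ; refresh
+1h ; retry
+1w ; expire
+1h ; minimum
+)
+@ IN NS ns1.${config.networking.domain}.
+@ IN NS ns2.${config.networking.domain}.
+${lib.my.dns.ptrRecords {
+inherit allAssignments names;
+domain = config.networking.domain;
+ndots = 2;
+}}
+'';
+};
+"0.d.4.0.0.c.7.9.e.0.a.2.ip6.arpa" = {
+type = "master";
+text = ''
+$TTL 60
+@ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. (
+@@SERIAL@@ ; serial
+3h ; refresh
+1h ; retry
+1w ; expire
+1h ; minimum
+)
+@ IN NS ns1.${config.networking.domain}.
+@ IN NS ns2.${config.networking.domain}.
+${lib.my.dns.ptr6Records {
+inherit allAssignments names;
+domain = config.networking.domain;
+ndots = 20;
+}}
+'';
+};
+};
+};
+};
+}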
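Review bot: The authoritative server's `local-address` binds `0.0.0.0:5353` and `[::]:5353`, and both `webserver-address` settings bind `::`, even though every consumer configured in this file is on loopback: the recursor's `forward-zones` target `127.0.0.1:5353`, `also-notify` is `127.0.0.1`, `allow-notify-from` admits only loopback, and `webserver-allow-from` admits only `127.0.0.1`/`::1`. Binding those listeners to loopback means the ACL is no longer the only thing between the LAN and the auth server or the two web/API endpoints, e.g. `local-address = [ "127.0.0.1:5353" "[::1]:5353" ];` and `webserver-address = "::1";` in both `settings` blocks; the `# TODO: WAN?` comment suggests wider exposure may be planned, so if the wildcard binds are deliberate a one-line comment stating why would help the next reader. With `api = true` the auth webserver also serves the management API, so the API key presumably lives in the age-encrypted `home/pdns/auth.conf` pulled in via `extraSettingsFile` — worth confirming, since nothing visible here sets it.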


@ -0,0 +1,9 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXODJUY3hPLzlod3ovVGxr
eFlqMWErNEFIbHVTdHc1am4wWVJZenhxZHlVCk0zblRaOWhNS0JNcVZXL2t2L2gv
QVR2anV3YUsyeXd5RVY0MXY3Mk5PRlUKLT4gSUEqeEtzRC1ncmVhc2UgKXk2ZFEK
UW52c08xS3pzdWNFNHU1dHR3VGE5U0dhT0U4bHRvbjQ2UQotLS0gV1QvcTl1cUwx
MUFvVy95MU1GbGIzZDV5MmpFUFZkdWkvbkZWNUpSTmxYNApvECWZ2LbRFnitdSqx
f1lBim5B6fbe/3eDxk3Ft2htWfRoV2ljYuR6nPpwFj5pscF3+5hCFiLf40JQ2gnV
Q7sc/Qk/uh3hxVlgPd4=
-----END AGE ENCRYPTED FILE-----


@ -0,0 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----