From 98fbbbd1e29e381ea03ee137f74651a92a48e169 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Mon, 23 May 2022 00:57:25 +0100
Subject: [PATCH] nixos/estuary: Implement recursive DNS

---
 lib.nix | 13 ++++++++
 nixos/modules/common.nix | 5 +++
 nixos/modules/network.nix | 8 ++++-
 nixos/vms/estuary/default.nix | 13 ++++++--
 nixos/vms/estuary/dns.nix | 63 +++++++++++++++++++++++++++++------
 5 files changed, 89 insertions(+), 13 deletions(-)

diff --git a/lib.nix b/lib.nix
index d6b4057..e2c7730 100644
--- a/lib.nix
+++ b/lib.nix
@@ -97,6 +97,10 @@ rec {
         LLDP = true;
         EmitLLDP = "customer-bridge";
       };
+      ipv6AcceptRAConfig = {
+        UseDNS = true;
+        UseDomains = true;
+      };
     };
 
   deploy-rs =
@@ -147,6 +151,15 @@ rec {
     filterOpts = filterAttrsRecursive (_: v: v != null);
   };
 
+  colonyDomain = "fra1.int.nul.ie";
+  # Shouldn't need this hopefully (IPv6 RA)
+  colonyDNS = {
+    domains = [ colonyDomain ];
+    dns = [
+      "10.100.0.1"
+      "2a0e:97c0:4d1:0::1"
+    ];
+  };
   sshKeyFiles = {
     me = .keys/me.pub;
     deploy = .keys/deploy.pub;
diff --git a/nixos/modules/common.nix b/nixos/modules/common.nix
index 1fd5d0b..c09b2f5 100644
--- a/nixos/modules/common.nix
+++ b/nixos/modules/common.nix
@@ -77,6 +77,11 @@ in
   boot = {
     # Use latest LTS release by default
     kernelPackages = mkDefault pkgs.linuxKernel.packages.linux_5_15;
+    kernel = {
+      sysctl = {
+        "net.ipv6.route.max_size" = mkDefault 16384;
+      };
+    };
     loader = {
       efi = {
         efiSysMountPoint = mkDefault "/boot";
diff --git a/nixos/modules/network.nix b/nixos/modules/network.nix
index dc238af..7953985 100644
--- a/nixos/modules/network.nix
+++ b/nixos/modules/network.nix
@@ -12,7 +12,13 @@ in
       useNetworkd = mkDefault true;
     };
 
-    services.resolved.domains = [ config.networking.domain ];
+    services.resolved = {
+      domains = [ config.networking.domain ];
+      # Explicitly unset fallback DNS (Nix module will not allow for a blank config)
+      extraConfig = ''
+        FallbackDNS=
+      '';
+    };
   }
 
   (mkIf config.my.build.isDevVM {
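Review bot: `ipv6AcceptRAConfig.UseDNS = true` and `UseDomains = true` make any link configured through this helper accept resolver addresses (RDNSS) and search domains (DNSSL) from whichever router advertises on it, and `UseDomains = true` installs those as search domains for unqualified names rather than only as routing domains. That is presumably intended here because estuary is the only RA sender on the colony bridge, but the helper sits in lib.nix and looks shared, so the trust assumption should be written down next to it, e.g. `# Trust RDNSS/DNSSL from RAs: estuary is the only router advertising on colony links`. For a consumer on a link with a foreign router, `UseDomains = "route"` would keep the advertised domain out of the search list. The enclosing attribute set starts outside the hunk.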
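Review bot: `"net.ipv6.route.max_size" = mkDefault 16384` is an unexplained magic number in a module that applies to every host, and nothing in the hunk says what breaks at the kernel default (4096 on the 5.15 series selected just above, as far as I recall) or why 16384 is enough. Suggested comment above it: `# Raise the IPv6 route cache limit; the default is too small for <symptom seen> — TODO confirm`. The `boot` block it extends starts outside the hunk.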
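Review bot: The comment on `FallbackDNS=` says what is done but not why, and the why is the security-relevant part: without it resolved falls back to its built-in public resolvers whenever no link carries DNS configuration, which would send internal `fra1.int.nul.ie` lookups off-site. Suggested wording: `# Clear resolved's built-in fallback resolvers so lookups fail closed instead of leaking to public DNS (the NixOS option rejects an empty list)`. With this in place a host whose links carry no DNS (RDNSS, DHCP or static) will have no resolution at all, which is the intended fail-closed behaviour but worth stating. The enclosing `mkMerge` list starts outside the hunk.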
diff --git a/nixos/vms/estuary/default.nix b/nixos/vms/estuary/default.nix
index 7740316..413d05c 100644
--- a/nixos/vms/estuary/default.nix
+++ b/nixos/vms/estuary/default.nix
@@ -24,7 +24,7 @@
 
   config = mkMerge [
     {
-      networking.domain = "fra1.int.nul.ie";
+      networking.domain = lib.my.colonyDomain;
       boot.kernelParams = [ "console=ttyS0,115200n8" ];
 
       fileSystems = {
@@ -72,16 +72,25 @@
         "80-wan" = {
           matchConfig.Name = "wan";
           DHCP = "ipv4";
+          dhcpV4Config = {
+            UseDNS = false;
+            UseHostname = false;
+          };
         };
         "80-base" = mkMerge [
           (networkdAssignment "base" assignments.internal)
           {
+            dns = [ "127.0.0.1" "::1" ];
+            domains = [ config.networking.domain ];
             networkConfig = {
               IPv6AcceptRA = mkForce false;
               IPv6SendRA = true;
               IPMasquerade = "both";
             };
-            ipv6SendRAConfig.DNS = [ assignments.internal.ipv6.address ];
+            ipv6SendRAConfig = {
+              DNS = [ assignments.internal.ipv6.address ];
+              Domains = [ config.networking.domain ];
+            };
             ipv6Prefixes = [
               {
                 ipv6PrefixConfig.Prefix = "2a0e:97c0:4d1:0::/64";
diff --git a/nixos/vms/estuary/dns.nix b/nixos/vms/estuary/dns.nix
index 78f9b00..0f57b7c 100644
--- a/nixos/vms/estuary/dns.nix
+++ b/nixos/vms/estuary/dns.nix
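Review bot: `dhcpV4Config.UseDNS = false` stops the `wan` link from learning resolvers over DHCPv4, but the hunk leaves the link's IPv6 side untouched; if `wan` receives router advertisements, networkd's `[IPv6AcceptRA]` section defaults to `UseDNS=yes`, so an upstream RDNSS option would still be handed to resolved next to the local recursor. If that link does get RAs, add `ipv6AcceptRAConfig = { UseDNS = false; UseDomains = false; };` beside the DHCP settings. The `dns = [ "127.0.0.1" "::1" ]`/`domains` pair on `80-base` and the advertised `Domains` in `ipv6SendRAConfig` are consistent with `lib.my.colonyDomain` from the earlier hunk. The `systemd.network.networks` set these entries live in starts outside the hunk.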
@@ -1,18 +1,54 @@
-{ lib, config, allAssignments, ... }:
+{ lib, pkgs, config, assignments, allAssignments, ... }:
 let
-  inherit (lib) concatStringsSep concatMapStringsSep mapAttrsToList filterAttrs optional;
+  inherit (builtins) attrNames;
+  inherit (lib) concatStringsSep concatMapStringsSep mapAttrsToList filterAttrs genAttrs optional;
+
+  ptrDots = 2;
+  reverseZone = "100.10.in-addr.arpa";
+  ptrDots6 = 20;
+  reverseZone6 = "1.d.4.0.0.c.7.9.e.0.a.2.ip6.arpa";
+
+  authZones = attrNames config.my.pdns.auth.bind.zones;
 in
 {
   config = {
-    networking.domain = "fra1.int.nul.ie";
+    services.pdns-recursor = {
+      enable = true;
+      dns = {
+        address = [
+          "127.0.0.1" "::1"
+          assignments.internal.ipv4.address assignments.internal.ipv6.address
+        ];
+        allowFrom = [
+          "127.0.0.0/8" "::1/128"
+          "10.100.0.0/16" "2a0e:97c0:4d1::/48"
+        ];
+      };
+      forwardZones = genAttrs authZones (_: "127.0.0.1:5353");
+
+      settings = {
+        query-local-address = [ "0.0.0.0" "::" ];
+
+        # DNS NOTIFY messages override TTL
+        allow-notify-for = authZones;
+        allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
+      };
+    };
+    # For rec_control
+    environment.systemPackages = with pkgs; [
+      pdns-recursor
+    ];
+
     my.pdns.auth = {
       enable = true;
       settings = {
         primary = true;
+        resolver = "127.0.0.1";
         expand-alias = true;
         local-address = [ "127.0.0.1:5353" "[::]:5353" ] ++ (optional (!config.my.build.isDevVM) "192.168.122.126");
+        also-notify = [ "127.0.0.1" ];
       };
 
       bind.zones =
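Review bot: `forwardZones = genAttrs authZones (_: "127.0.0.1:5353")` hands the internal zones to the local auth server, but the hunk says nothing about how that interacts with DNSSEC validation: the NixOS module enables validation by default as far as I know, and if any parent of a forwarded zone is signed (e.g. `nul.ie` above `fra1.int.nul.ie`) the unsigned forwarded answers come back bogus unless a negative trust anchor is configured (`addNTA` via the recursor's Lua config). Either confirm the delegation is insecure and note it, or set validation explicitly and document the choice, rather than leaving it to the default. `allowFrom` restricting the recursor to loopback and the two colony prefixes, and `allow-notify-from` restricting NOTIFY to loopback, are the right counterparts to listening on the internal addresses.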
@@ -31,16 +67,16 @@ in
           ${concatMapStringsSep "\n" (alt: "${alt} IN CNAME ${a.name}") a.altNames}
         '');
       intPtrRecords =
-        genRecords (a: ''@@PTR:${a.ipv4.address}:2@@ IN PTR ${a.name}.${config.networking.domain}.'');
+        genRecords (a: ''@@PTR:${a.ipv4.address}:${toString ptrDots}@@ IN PTR ${a.name}.${config.networking.domain}.'');
       intPtr6Records =
-        genRecords (a: ''@@PTR:${a.ipv6.address}:20@@ IN PTR ${a.name}.${config.networking.domain}.'');
+        genRecords (a: ''@@PTR:${a.ipv6.address}:${toString ptrDots6}@@ IN PTR ${a.name}.${config.networking.domain}.'');
     in
     {
       "${config.networking.domain}" = {
         type = "master";
         text = ''
           $TTL 60
-          @ IN SOA ns.${config.networking.domain}. hostmaster.${config.networking.domain}. (
+          @ IN SOA ns.${config.networking.domain}. dev.nul.ie. (
             @@SERIAL@@ ; serial
             3h ; refresh
             1h ; retry
@@ -48,16 +84,19 @@ in
             1h ; minimum
           )
 
+          @ IN NS ns
+          ns IN ALIAS ${config.networking.fqdn}.
+          @ IN ALIAS ${config.networking.fqdn}.
           ${intRecords}
         '';
       };
-      "100.10.in-addr.arpa" = {
+      "${reverseZone}" = {
         type = "master";
         text = ''
           $TTL 60
-          @ IN SOA ns.${config.networking.domain}. hostmaster.${config.networking.domain}. (
+          @ IN SOA ns.${config.networking.domain}. dev.nul.ie (
             @@SERIAL@@ ; serial
             3h ; refresh
             1h ; retry
@@ -65,14 +104,16 @@ in
             1h ; minimum
           )
 
+          @ IN NS ns.${config.networking.domain}.
+
           ${intPtrRecords}
         '';
       };
-      "1.d.4.0.0.c.7.9.e.0.a.2.ip6.arpa" = {
+      "${reverseZone6}" = {
         type = "master";
         text = ''
           $TTL 60
-          @ IN SOA ns.${config.networking.domain}. hostmaster.${config.networking.domain}. (
+          @ IN SOA ns.${config.networking.domain}. dev.nul.ie (
             @@SERIAL@@ ; serial
             3h ; refresh
             1h ; retry
@@ -80,6 +121,8 @@ in
             1h ; minimum
           )
 
+          @ IN NS ns.${config.networking.domain}.
+
           ${intPtr6Records}
         '';
       };
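Review bot: `${toString ptrDots}` and `${toString ptrDots6}` are silently coupled to `reverseZone` and `reverseZone6`: if `@@PTR:addr:n@@` keeps the last n labels, as the values suggest, 2 is the number of trailing octets left after the /16 in-addr.arpa origin and 20 the number of trailing nibbles left after the /48 ip6.arpa origin, and changing one constant without the other would generate PTR names that do not fall inside the zone. A comment at the definitions in the first dns.nix hunk would make that explicit, e.g. `# Trailing labels kept in @@PTR@@ names; must match the reverse zone prefix length (/16 -> 2 octets, /48 -> 20 nibbles)`. The `let` block defining `genRecords` starts outside the hunk.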
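Review bot: The reverse-zone SOA lines write the RNAME as `dev.nul.ie (` without a terminating dot, while the forward zone in the hunk above uses `dev.nul.ie. (`; in a zone file an unterminated name is relative to the origin, so the reverse zones end up with a hostmaster mailbox of `dev.nul.ie.100.10.in-addr.arpa.` (and the ip6.arpa equivalent in the next hunk). The fix is the trailing dot in both reverse zones: `@ IN SOA ns.${config.networking.domain}. dev.nul.ie. (`. This applies to this hunk and the following `${reverseZone6}` hunk; the `bind.zones` attribute set they belong to starts and ends outside the hunk.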