nixos/home/routing-common: Add starting DNS server

nixos/oxbow: Rename to stream
2023-11-19 14:32:23 +00:00 · 2023-11-19 13:47:23 +00:00
6 changed files with 196 additions and 4 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -116,7 +116,7 @@
        nixos/boxes/colony
        nixos/boxes/tower
        nixos/boxes/castle
-        nixos/boxes/home/oxbow.nix
+        nixos/boxes/home/stream.nix
        nixos/boxes/kelder

        # Homes
--- a/nixos/boxes/home/routing-common/default.nix
+++ b/nixos/boxes/home/routing-common/default.nix
@@ -54,6 +54,8 @@ in
        inherit (lib.my) networkdAssignment;
      in
      {
+        imports = [ (import ./dns.nix index) ];
+
        config = {
          environment = {
            systemPackages = with pkgs; [
@@ -140,7 +142,7 @@ in
                    domains = [ config.networking.domain ];
                    networkConfig = {
                      IPv6AcceptRA = mkForce false;
-                      IPv6SendRA = true;
+                      # IPv6SendRA = true;
                    };
                    ipv6SendRAConfig = {
                      DNS = [
--- a/nixos/boxes/home/routing-common/dns.nix
+++ b/nixos/boxes/home/routing-common/dns.nix
@@ -0,0 +1,170 @@
+index: { lib, pkgs, config, assignments, allAssignments, ... }:
+let
+  inherit (builtins) attrNames;
+  inherit (lib.my) net;
+  inherit (lib.my.c.home) prefixes vips;
+
+  authZones = attrNames config.my.pdns.auth.bind.zones;
+in
+{
+  config = {
+    my = {
+      secrets.files = {
+        "home/pdns/auth.conf" = {
+          owner = "pdns";
+          group = "pdns";
+        };
+        "home/pdns/recursor.conf" = {
+          owner = "pdns-recursor";
+          group = "pdns-recursor";
+        };
+      };
+
+      pdns.recursor = {
+        enable = true;
+        extraSettingsFile = config.age.secrets."home/pdns/recursor.conf".path;
+      };
+    };
+
+    services = {
+      pdns-recursor = {
+        dns = {
+          address = [
+            "127.0.0.1" "::1"
+            assignments.hi.ipv4.address assignments.hi.ipv6.address
+            assignments.lo.ipv4.address assignments.lo.ipv6.address
+          ];
+          allowFrom = [
+            "127.0.0.0/8" "::1/128"
+            prefixes.hi.v4 prefixes.hi.v6
+            prefixes.lo.v4 prefixes.lo.v6
+          ];
+        };
+
+        settings = {
+          query-local-address = [
+            # TODO: IPv4 WAN address?
+            # assignments.internal.ipv4.address
+            # assignments.internal.ipv6.address
+            # assignments.hi.ipv6.address
+          ];
+          forward-zones = map (z: "${z}=127.0.0.1:5353") authZones;
+
+          # DNS NOTIFY messages override TTL
+          allow-notify-for = authZones;
+          allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
+
+          webserver = true;
+          webserver-address = "::";
+          webserver-allow-from = [ "127.0.0.1" "::1" ];
+        };
+      };
+    };
+
+    # For rec_control
+    environment.systemPackages = with pkgs; [
+      pdns-recursor
+    ];
+
+    my.pdns.auth = {
+      enable = true;
+      extraSettingsFile = config.age.secrets."home/pdns/auth.conf".path;
+      settings = {
+        primary = true;
+        resolver = "127.0.0.1";
+        expand-alias = true;
+        local-address = [
+          "0.0.0.0:5353" "[::]:5353"
+        ];
+        also-notify = [ "127.0.0.1" ];
+        enable-lua-records = true;
+        #loglevel = 7;
+        #log-dns-queries = true;
+        #log-dns-details = true;
+
+        api = true;
+        webserver = true;
+        webserver-address = "::";
+        webserver-allow-from = [ "127.0.0.1" "::1" ];
+      };
+
+      bind.zones =
+      let
+        names = [ "core" "hi" "lo" ];
+        i = toString (index + 1);
+      in
+      {
+        "${config.networking.domain}" = {
+          type = "master";
+          text = ''
+            $TTL 60
+            @ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. (
+              @@SERIAL@@ ; serial
+              3h ; refresh
+              1h ; retry
+              1w ; expire
+              1h ; minimum
+            )
+
+            @ IN NS ns1
+            @ IN NS ns2
+            # TODO: WAN?
+            ns1 IN A ${net.cidr.host 1 prefixes.hi.v4}
+            ns2 IN A ${net.cidr.host 2 prefixes.hi.v4}
+            ns1 IN AAAA ${net.cidr.host 1 prefixes.hi.v6}
+            ns2 IN AAAA ${net.cidr.host 2 prefixes.hi.v6}
+
+            ${lib.my.dns.fwdRecords {
+              inherit allAssignments names;
+              domain = config.networking.domain;
+            }}
+          '';
+        };
+        "168.192.in-addr.arpa" = {
+          type = "master";
+          text = ''
+            $TTL 60
+            @ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. (
+              @@SERIAL@@ ; serial
+              3h ; refresh
+              1h ; retry
+              1w ; expire
+              1h ; minimum
+            )
+
+            @ IN NS ns1.${config.networking.domain}.
+            @ IN NS ns2.${config.networking.domain}.
+
+            ${lib.my.dns.ptrRecords {
+              inherit allAssignments names;
+              domain = config.networking.domain;
+              ndots = 2;
+            }}
+          '';
+        };
+        "0.d.4.0.0.c.7.9.e.0.a.2.ip6.arpa" = {
+          type = "master";
+          text = ''
+            $TTL 60
+            @ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. (
+              @@SERIAL@@ ; serial
+              3h ; refresh
+              1h ; retry
+              1w ; expire
+              1h ; minimum
+            )
+
+            @ IN NS ns1.${config.networking.domain}.
+            @ IN NS ns2.${config.networking.domain}.
+
+            ${lib.my.dns.ptr6Records {
+              inherit allAssignments names;
+              domain = config.networking.domain;
+              ndots = 20;
+            }}
+          '';
+        };
+      };
+    };
+  };
+}
--- a/nixos/boxes/home/stream.nix
+++ b/nixos/boxes/home/stream.nix
@@ -2,11 +2,11 @@
  imports = [
    (import ./routing-common {
      index = 1;
-      name = "oxbow";
+      name = "stream";
    })
  ];

-  config.nixos.systems.oxbow = {
+  config.nixos.systems.stream = {
    system = "x86_64-linux";
    nixpkgs = "mine";
    home-manager = "mine";
--- a/secrets/home/pdns/auth.conf.age
+++ b/secrets/home/pdns/auth.conf.age
@@ -0,0 +1,9 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXODJUY3hPLzlod3ovVGxr
+eFlqMWErNEFIbHVTdHc1am4wWVJZenhxZHlVCk0zblRaOWhNS0JNcVZXL2t2L2gv
+QVR2anV3YUsyeXd5RVY0MXY3Mk5PRlUKLT4gSUEqeEtzRC1ncmVhc2UgKXk2ZFEK
+UW52c08xS3pzdWNFNHU1dHR3VGE5U0dhT0U4bHRvbjQ2UQotLS0gV1QvcTl1cUwx
+MUFvVy95MU1GbGIzZDV5MmpFUFZkdWkvbkZWNUpSTmxYNApvECWZ2LbRFnitdSqx
+f1lBim5B6fbe/3eDxk3Ft2htWfRoV2ljYuR6nPpwFj5pscF3+5hCFiLf40JQ2gnV
+Q7sc/Qk/uh3hxVlgPd4=
+-----END AGE ENCRYPTED FILE-----
--- a/secrets/home/pdns/recursor.conf.age
+++ b/secrets/home/pdns/recursor.conf.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXd082aFFvSFl2TGgxS2hY
+L3pVMnM5ejBkd2d6bjhJRysyTERaYjhvdmdnCjRtbXV4L09sRDc3TTE1eWVJU2xH
+Rm1IcEJUR1lxVjN2azRBUjRHRFk4UjAKLT4gYSNrXlZyLWdyZWFzZSB7dDl5IEty
+CjZDK1FlNm1wK0pVakRrUkNZUDNYNlBvM0tGZ2JGcXArUHpDNGlGMUJpdUl1S20r
+a3ZwUlNMcFQwcWwyWnBSSU0KMFhVM2l5Q0RUTUlQZk03bzZ3bjQxS2gxS3dINkVq
+N1lydDBvYWVFNUlicTQxU2w2OGg0Ci0tLSArcnZuem9sRVVHSG1jS3dLdkdnZVZO
+TnVtNnhkb3NzTnJOR2F0aVliN29JCkxvjrWBGdoQDJvs9qO7/bC+tpPspYq3GuQ1
+cYZSkaV0xgiX7BJTa5eyaaVRNSTlI/hYJlZthIgcdyz+R6UQRvziOuLGpdfKnCAq
+Vw==
+-----END AGE ENCRYPTED FILE-----
Author	SHA1	Message	Date
Jack O'Sullivan	7330b8f832	nixos/home/routing-common: Add starting DNS server All checks were successful CI / Check, build and cache Nix flake (push) Successful in 14m21s Details	2023-11-19 14:32:23 +00:00
Jack O'Sullivan	aa18ebcb3b	nixos/oxbow: Rename to `stream`	2023-11-19 13:47:23 +00:00