nixos/home/routing-common: Add starting DNS server

nixos/oxbow: Rename to stream
2023-11-19 14:32:23 +00:00 · 2023-11-19 13:47:23 +00:00
6 changed files with 196 additions and 4 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -116,7 +116,7 @@
        nixos/boxes/colony
        nixos/boxes/tower
        nixos/boxes/castle
-        nixos/boxes/home/oxbow.nix
+        nixos/boxes/home/stream.nix
        nixos/boxes/kelder
        # Homes
--- a/nixos/boxes/home/routing-common/default.nix
+++ b/nixos/boxes/home/routing-common/default.nix
@@ -54,6 +54,8 @@ in
        inherit (lib.my) networkdAssignment;
      in
      {
        imports = [ (import ./dns.nix index) ];
        config = {
          environment = {
            systemPackages = with pkgs; [
@@ -140,7 +142,7 @@ in
                    domains = [ config.networking.domain ];
                    networkConfig = {
                      IPv6AcceptRA = mkForce false;
-                      IPv6SendRA = true;
+                      # IPv6SendRA = true;
                    };
                    ipv6SendRAConfig = {
                      DNS = [
--- a/nixos/boxes/home/routing-common/dns.nix
+++ b/nixos/boxes/home/routing-common/dns.nix
@@ -0,0 +1,170 @@
 index: { lib, pkgs, config, assignments, allAssignments, ... }:
 let
  inherit (builtins) attrNames;
  inherit (lib.my) net;
  inherit (lib.my.c.home) prefixes vips;
  authZones = attrNames config.my.pdns.auth.bind.zones;
 in
 {
  config = {
    my = {
      secrets.files = {
        "home/pdns/auth.conf" = {
          owner = "pdns";
          group = "pdns";
        };
        "home/pdns/recursor.conf" = {
          owner = "pdns-recursor";
          group = "pdns-recursor";
        };
      };
      pdns.recursor = {
        enable = true;
        extraSettingsFile = config.age.secrets."home/pdns/recursor.conf".path;
      };
    };
    services = {
      pdns-recursor = {
        dns = {
          address = [
            "127.0.0.1" "::1"
            assignments.hi.ipv4.address assignments.hi.ipv6.address
            assignments.lo.ipv4.address assignments.lo.ipv6.address
          ];
          allowFrom = [
            "127.0.0.0/8" "::1/128"
            prefixes.hi.v4 prefixes.hi.v6
            prefixes.lo.v4 prefixes.lo.v6
          ];
        };
        settings = {
          query-local-address = [
            # TODO: IPv4 WAN address?
            # assignments.internal.ipv4.address
            # assignments.internal.ipv6.address
            # assignments.hi.ipv6.address
          ];
          forward-zones = map (z: "${z}=127.0.0.1:5353") authZones;
          # DNS NOTIFY messages override TTL
          allow-notify-for = authZones;
          allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
          webserver = true;
          webserver-address = "::";
          webserver-allow-from = [ "127.0.0.1" "::1" ];
        };
      };
    };
    # For rec_control
    environment.systemPackages = with pkgs; [
      pdns-recursor
    ];
    my.pdns.auth = {
      enable = true;
      extraSettingsFile = config.age.secrets."home/pdns/auth.conf".path;
      settings = {
        primary = true;
        resolver = "127.0.0.1";
        expand-alias = true;
        local-address = [
          "0.0.0.0:5353" "[::]:5353"
        ];
        also-notify = [ "127.0.0.1" ];
        enable-lua-records = true;
        #loglevel = 7;
        #log-dns-queries = true;
        #log-dns-details = true;
        api = true;
        webserver = true;
        webserver-address = "::";
        webserver-allow-from = [ "127.0.0.1" "::1" ];
      };
      bind.zones =
      let
        names = [ "core" "hi" "lo" ];
        i = toString (index + 1);
      in
      {
        "${config.networking.domain}" = {
          type = "master";
          text = ''
            $TTL 60
            @ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. (
              @@SERIAL@@ ; serial
              3h ; refresh
              1h ; retry
              1w ; expire
              1h ; minimum
            )
            @ IN NS ns1
            @ IN NS ns2
            # TODO: WAN?
            ns1 IN A ${net.cidr.host 1 prefixes.hi.v4}
            ns2 IN A ${net.cidr.host 2 prefixes.hi.v4}
            ns1 IN AAAA ${net.cidr.host 1 prefixes.hi.v6}
            ns2 IN AAAA ${net.cidr.host 2 prefixes.hi.v6}
            ${lib.my.dns.fwdRecords {
              inherit allAssignments names;
              domain = config.networking.domain;
            }}
          '';
        };
        "168.192.in-addr.arpa" = {
          type = "master";
          text = ''
            $TTL 60
            @ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. (
              @@SERIAL@@ ; serial
              3h ; refresh
              1h ; retry
              1w ; expire
              1h ; minimum
            )
            @ IN NS ns1.${config.networking.domain}.
            @ IN NS ns2.${config.networking.domain}.
            ${lib.my.dns.ptrRecords {
              inherit allAssignments names;
              domain = config.networking.domain;
              ndots = 2;
            }}
          '';
        };
        "0.d.4.0.0.c.7.9.e.0.a.2.ip6.arpa" = {
          type = "master";
          text = ''
            $TTL 60
            @ IN SOA ns${i}.${config.networking.domain}. dev.nul.ie. (
              @@SERIAL@@ ; serial
              3h ; refresh
              1h ; retry
              1w ; expire
              1h ; minimum
            )
            @ IN NS ns1.${config.networking.domain}.
            @ IN NS ns2.${config.networking.domain}.
            ${lib.my.dns.ptr6Records {
              inherit allAssignments names;
              domain = config.networking.domain;
              ndots = 20;
            }}
          '';
        };
      };
    };
  };
 }
--- a/nixos/boxes/home/stream.nix
+++ b/nixos/boxes/home/stream.nix
@@ -2,11 +2,11 @@
  imports = [
    (import ./routing-common {
      index = 1;
-      name = "oxbow";
+      name = "stream";
    })
  ];
-  config.nixos.systems.oxbow = {
+  config.nixos.systems.stream = {
    system = "x86_64-linux";
    nixpkgs = "mine";
    home-manager = "mine";
--- a/secrets/home/pdns/auth.conf.age
+++ b/secrets/home/pdns/auth.conf.age
@@ -0,0 +1,9 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXODJUY3hPLzlod3ovVGxr
 eFlqMWErNEFIbHVTdHc1am4wWVJZenhxZHlVCk0zblRaOWhNS0JNcVZXL2t2L2gv
 QVR2anV3YUsyeXd5RVY0MXY3Mk5PRlUKLT4gSUEqeEtzRC1ncmVhc2UgKXk2ZFEK
 UW52c08xS3pzdWNFNHU1dHR3VGE5U0dhT0U4bHRvbjQ2UQotLS0gV1QvcTl1cUwx
 MUFvVy95MU1GbGIzZDV5MmpFUFZkdWkvbkZWNUpSTmxYNApvECWZ2LbRFnitdSqx
 f1lBim5B6fbe/3eDxk3Ft2htWfRoV2ljYuR6nPpwFj5pscF3+5hCFiLf40JQ2gnV
 Q7sc/Qk/uh3hxVlgPd4=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/home/pdns/recursor.conf.age
+++ b/secrets/home/pdns/recursor.conf.age
@@ -0,0 +1,11 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXd082aFFvSFl2TGgxS2hY
 L3pVMnM5ejBkd2d6bjhJRysyTERaYjhvdmdnCjRtbXV4L09sRDc3TTE1eWVJU2xH
 Rm1IcEJUR1lxVjN2azRBUjRHRFk4UjAKLT4gYSNrXlZyLWdyZWFzZSB7dDl5IEty
 CjZDK1FlNm1wK0pVakRrUkNZUDNYNlBvM0tGZ2JGcXArUHpDNGlGMUJpdUl1S20r
 a3ZwUlNMcFQwcWwyWnBSSU0KMFhVM2l5Q0RUTUlQZk03bzZ3bjQxS2gxS3dINkVq
 N1lydDBvYWVFNUlicTQxU2w2OGg0Ci0tLSArcnZuem9sRVVHSG1jS3dLdkdnZVZO
 TnVtNnhkb3NzTnJOR2F0aVliN29JCkxvjrWBGdoQDJvs9qO7/bC+tpPspYq3GuQ1
 cYZSkaV0xgiX7BJTa5eyaaVRNSTlI/hYJlZthIgcdyz+R6UQRvziOuLGpdfKnCAq
 Vw==
 -----END AGE ENCRYPTED FILE-----
Author	SHA1	Message	Date
Jack O'Sullivan	7330b8f832	nixos/home/routing-common: Add starting DNS server All checks were successful CI / Check, build and cache Nix flake (push) Successful in 14m21s Details	2023-11-19 14:32:23 +00:00
Jack O'Sullivan	aa18ebcb3b	nixos/oxbow: Rename to `stream`	2023-11-19 13:47:23 +00:00