diff --git a/applications/dns.nix b/applications/dns.nix
index 85a0cf5..eabdce8 100644
--- a/applications/dns.nix
+++ b/applications/dns.nix
@@ -73,106 +73,124 @@ in { }; services.bind = { - enable = true; + enable = true; - ipv4Only = true; + ipv4Only = true; - # need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns - extraConfig = '' - include "/run/agenix/dns_dnskeys"; - ''; + # need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns + extraConfig = '' + include "/run/agenix/dns_dnskeys"; + ''; - # set the upstream dns servers - # overrides the default dns servers - forwarders = [ - # Cloudflare - "1.1.1.1" - # Google - "8.8.8.8" - # Quad9 - "9.9.9.9" - ]; + # set the upstream dns servers + # overrides the default dns servers + forwarders = [ + # Cloudflare + "1.1.1.1" + # Google + "8.8.8.8" + # Quad9 + "9.9.9.9" + ]; - cacheNetworks = [ - # this server itself - "127.0.0.0/24" - # all of skynet can use this as a resolver - "193.1.99.64/26" - ]; + cacheNetworks = [ + # this server itself + "127.0.0.0/24" + # all of skynet can use this as a resolver + "193.1.99.64/26" + ]; - zones = { - /* - put any other zones above skynet and link to their files like so: + zones = { + /* + put any other zones above skynet and link to their files like so: - example.ie = { - extraConfig = ""; - file = ./dns/example; - master = true; - masters = []; - slaves = [ ]; - }; - - Skynet is handled a bit more dynamically since it is the key one we should focus on - */ - - "skynet.ie" = { - extraConfig = "allow-update { key rfc2136key.skynet.ie.; };"; - # really wish teh nixos config didnt use master/slave + example.ie = { + extraConfig = ""; + file = ./dns/example; master = true; + masters = []; slaves = [ ]; - # need to write this to a file - file = pkgs.writeText "dns_zone_skynet" - # no leading whitespace for first line - '' - $TTL 60 ; 1 minute - ; hostmaster@skynet.ie is an email address that recieves stuff related to dns - @ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. 
( - 2023011701 ; Serial (YYYYMMDDCC) - 600 ; Refresh (10 minutes) - 300 ; Retry (5 minutes) - 2419200 ; Expire (4 weeks) - 3600 ; Minimum (1 hour) - ) - NS ns1.skynet.ie. - NS ns2.skynet.ie. - ; @ stands for teh root domain so teh A record below is where skynet.ie points to - A 193.1.99.76 - MX 5 mail.skynet.ie. - - ; can have multiple mailserves - ;MX 20 mail2.skynet.ie. - - - ; ------------------------------------------ - ; Server Names - ; ------------------------------------------ - - ; External addresses - ; ------------------------------------------ - ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external} - - - ; this is fixed for now - wintermute A 193.1.101.148 - - - ; internal addresses - ; ------------------------------------------ - ; May come back to this idea in teh future - ; agentjones.int A 172.20.20.1 - - - ; cname's - ; ------------------------------------------ - ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname} - - ''; }; + + Skynet is handled a bit more dynamically since it is the key one we should focus on + */ + + "skynet.ie" = { + extraConfig = "allow-update { key rfc2136key.skynet.ie.; };"; + # really wish teh nixos config didnt use master/slave + master = true; + slaves = [ ]; + # need to write this to a file + file = "/etc/dns_custom/dns_zone_skynet"; + # no leading whitespace for first line + }; }; - }; + # creates a folder in /etc for the dns to use + users.users.named = { + createHome = true; + home = "/etc/dns_custom"; + }; + + environment.etc = { + # Creates /etc/dns_custom/dns_zone_skynet + + "dns_custom/dns_zone_skynet" = { + user = "named"; + group = "named"; + + # The UNIX file mode bits + mode = "0644"; + text = + '' + $TTL 60 ; 1 minute + ; hostmaster@skynet.ie is an email address that recieves stuff related to dns + @ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. 
( + 2023011701 ; Serial (YYYYMMDDCC) + 600 ; Refresh (10 minutes) + 300 ; Retry (5 minutes) + 2419200 ; Expire (4 weeks) + 3600 ; Minimum (1 hour) + ) + NS ns1.skynet.ie. + NS ns2.skynet.ie. + ; @ stands for teh root domain so teh A record below is where skynet.ie points to + A 193.1.99.76 + MX 5 mail.skynet.ie. + + ; can have multiple mailserves + ;MX 20 mail2.skynet.ie. + + + ; ------------------------------------------ + ; Server Names + ; ------------------------------------------ + + ; External addresses + ; ------------------------------------------ + ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external} + + + ; this is fixed for now + wintermute A 193.1.101.148 + + + ; internal addresses + ; ------------------------------------------ + ; May come back to this idea in teh future + ; agentjones.int A 172.20.20.1 + + + ; cname's + ; ------------------------------------------ + ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname} + + ''; + }; + }; + }; } \ No newline at end of file diff --git a/machines/_base.nix b/machines/_base.nix index 449925a..a94b718 100644 --- a/machines/_base.nix +++ b/machines/_base.nix @@ -35,16 +35,16 @@ # cannot use our own it seems? nameservers = [ # ns2 - #"193.1.99.109" + "193.1.99.109" # ns1 - #"193.1.99.120" + "193.1.99.120" # Cloudflare - "1.1.1.1" + #"1.1.1.1" # Google - "8.8.8.8" + #"8.8.8.8" # Quad9 - "9.9.9.9" + #"9.9.9.9" ]; }; diff --git a/secrets/dns_certs.secret.age b/secrets/dns_certs.secret.age index 72e4169..c233170 100644 Binary files a/secrets/dns_certs.secret.age and b/secrets/dns_certs.secret.age differ diff --git a/secrets/dns_dnskeys.conf.age b/secrets/dns_dnskeys.conf.age index f64e43e..911b8a9 100644 --- a/secrets/dns_dnskeys.conf.age +++ b/secrets/dns_dnskeys.conf.age 
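Review bot: The zone file at `/etc/dns_custom/dns_zone_skynet` is rewritten from the fixed `text` (serial `2023011701`) on every activation, while `allow-update { key rfc2136key.skynet.ie.; }` on the same zone lets named apply dynamic updates and keep a `.jnl` journal beside the file; a zone file replaced out from under that journal is likely to make named reject the zone on reload until the journal is removed, and any dynamically added records are lost with each rebuild. If the move out of the Nix store was meant to give named a writable zone, seed the file only when it is absent (an activation step or tmpfiles rule copying the generated text) and let named own it from then on, or keep it declarative and drop `allow-update`; either way, state the intent at `# creates a folder in /etc for the dns to use`, which currently explains only the mechanism. The comment `# no leading whitespace for first line` left after `file = "/etc/dns_custom/dns_zone_skynet";` referred to the removed `pkgs.writeText` literal and should be deleted or moved next to `text =`. Whether `createHome` on `users.users.named` runs early enough that `/etc/dns_custom` is owned by named (needed for the journal) before setup-etc writes into it is not visible here and is worth confirming on a fresh deploy.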
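Review bot: The context line `# cannot use our own it seems?` now contradicts the change directly beneath it, which enables ns1/ns2 and comments out Cloudflare, Google and Quad9; replace it with the current reasoning, e.g. `# resolve through our own ns1/ns2; their bind forwards upstream (see applications/dns.nix)`. With no public entry left in the list, every machine's name resolution now depends on `193.1.99.109` and `193.1.99.120` being reachable, including while the host running bind is itself being rebuilt or its zone fails to load, so a note on what the fallback is (or a deliberate decision that there is none) belongs next to the list. The `-16 +16` counts in the hunk header exceed the fourteen old lines visible here, so the hunk as rendered appears to have lost blank context lines.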
@@ -1,19 +1,31 @@ age-encryption.org/v1 --> ssh-ed25519 V1pwNA 2ktkYzbOCI8Sedb7cFXrmOL7HqPmMFSmavTgJ/kXVyA -3kcv57UNk7Hryd8RckwYzuzN7eY6Lle4+DdG+QC86Hk --> ssh-ed25519 rIwlvw MoH0rHRt6ZL/3Ew1O7zHN9pz5CSA6YxbJ840gx0jCGY -AO7z51p5PlbAYUZgmk/joTdGeK4SxlCc+VgMcOrxkP0 --> ssh-ed25519 bPfq4g zu5ZfmzDiMBSn0UUpyO9iFieE7b+MMbuk4X5ABSUwhg -HKNFCsxNqEK94tEnYz5+cVypheP5Cf+5tYRft3rCucY --> ssh-ed25519 P1ilJQ pnX29lb1zHoXzv4S6+D4VtLPJEsrnkyhfNjsaNwkJmw -hXc9XLxtvyzUJNdhPi40bMFzdpuUKOHkpZ3gWMfjWwk --> ssh-ed25519 XSrA6w +h7/dC7DYOcRK1nxTDvdsgDEM43bBChM6vJ4PuL45ww -n0mVPplmTM3A76iF27Wt62RDJ4yeoZa51q6bRhPEcXA --> ssh-ed25519 pBdJmw b/oJKbk8mXkUsd0oRuzrAQHTsiZdE8cW5bDC3dM3Vn8 -6L+Zry15OyCXKOE71iqihTFVc2WB2Y7X7ZuFZSWXFSw --> ssh-ed25519 v2Y09A DBZDXfWnm/3d83xG4a7XnMDAU+WYR2l4UDOjWAwlVxA -4wE9Ss/D2Mmq4WddUsoa79S3db4Z6vpDs9zQR+zLROw --> R9;-grease -C4FHCe8aUuP55YV6ZnrphOE ---- /fL2KiOXipdwzKNjkkfwON+3h9JGa+M8wod12lkJ37A -twkGhmhg?:LXJ^NN0O|a|3|8E"%3Z~uՆbrڈA.)q,\62a`/<1'rIV3P _ID )RݔcVc)BGƦOլ;R#4(-eD \ No newline at end of file +-> ssh-ed25519 V1pwNA sW0/BN/WfF+8VshBdG/RcuJNUJFoRiV207qXHJ+nEQU +3xBHqOiK1MXQpfefvXpsUCAtB8SmpPYQxgWnKLY4/Mo +-> ssh-ed25519 rIwlvw 5N++1xasQ3ngJK8rWcnV1febLgOxdQxzj2FdwLeuvm0 +Ync9n2pX/MPHi6fKcBw/rir/KUOBDRZapaxxsu+XQyI +-> ssh-ed25519 bPfq4g GM5ZOInllLXKdpyIREUMWU0QToOgJe7TNWVoMXbYHTk +EfTBSko70+g28s21kPAWixZmkgbwfmTzosmP11q5Kh0 +-> ssh-ed25519 P1ilJQ 6NcCV8qZcm4zCPAixGhazZvwh2bQxqHsz0p3XuS54z0 +wUPo7zXREnpUkS8mRTU3tM3WR9QuYiC48Rlzl7CyPdk +-> ssh-ed25519 XSrA6w XV0e5v8rRSuTgsFPNjQOcaQnAJJ4JOCViTsiK7ClFUI +BgY93FYHCAE2BmcNm8SRYKRqMoXc3IshLxkNlJVGxrU +-> ssh-ed25519 pBdJmw /ppt+XqNCOj3ToS59AbT40lliyPi5aYdgsb+nOd70Cc +pXQqbfdC00/ITW9zblgGS+SCaM84BcWRrVr12Gkaqqk +-> ssh-ed25519 v2Y09A 25QeUKlLkjSOKFIBUHi8I0yQFtjJ10eMd5skrgB4wh4 +87j2b0Lvx+Qow8ggjVmkqDTc9par1RUAfmPxB9hL810 +-> ssh-rsa l6p0xw +aXJe3/ZW4d1wW58cGO43c1c7VqUid6LQNudUXZQF7hDGwWp66zUeTtJS8iK1uVRr +fBEd9MfCQXZ6e4mmeEsFDYhhsrihjFNqjv/V229VRfvlh6PFjyFsi8kOZmN0IyPC 
+rffk42oS9cVuG1JT/98kE56vUdJ098E+D7W5vHD6lVayp97DpncQRNqXyTWMdYB+ +75aHyUnI3JXmhftwPmQXthwKqYm/z5Q1yHtUWqo3VZ/UIN2fWD17XOxIVVdksSh6 +WdhJ7B+KYP1oXHZKeTGMpmPP7FYrgybbFlNl2Bg3+hc2g+Pav63ovnokr4hzmxf9 ++Vy0/gwE5tLKYXhSgCsfYLoYLcjh2LtdyWttG7z12TjKFtoxS1wfO71PBmQAWwV6 +MAaOfZdCbxZ6xpcJuvONmuvXaxzOxbZ5bgtrd2msEf2L3xlDDAPzUB786kvTLjjh +SkQFZvX8SWQBB4u7GKu7jwUYl8zcBfczVvQQ0APL/UUdIyYEClhbJO1MKJHgFAGN +mnuU0GQguxllgsT6+lNyKT9yP9W7wP92Bh+FzfRBH39Rq+FTb+VSQ5aOdoxtmbdQ +G99WJKDW0v3JXnveUeNGLXe0p0kH5qBdsZmRGcXmu1Wqwa5iIZKC80HEzztYFngc +n9dxirg30yQYoGUdASEQUDA55ZWb4hsrY7O1bz/fJ/g +-> B21^W'i:-grease X\JYH |@t jh9o +t4jio4eAlhMaiiGmy7ZKe7feRi36XQpUMkHAWyF42EMDbwzRcNVcvophXSQ +--- mvcfX2P6vxluKGbahXGgsl0bnjzgZF7Gd1HNEDnPh0o +ׁK/Z7A0+F)Voe(O}cu([(m6rByX1=- _8&˔ۊw?Y,I9 =8F̑]oaWXG;2jem.H ?"mKF9 XR \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 2a0509d..be972ac 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -16,6 +16,9 @@ let galatea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3Mke5YtaMkLvXJxJ3y7YAIEBesoJk3qJyJsnoLUWgW root@galatea"; + # for testing configs at home + silver_homelab = "ssh-rsa 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 root@galatea"; + systems = [ agentjones @@ -23,12 +26,13 @@ let galatea vendetta vigil + + silver_homelab ]; in { # nix run github:ryantm/agenix -- -e secret1.age - "wireguard.age".publicKeys = users ++ systems; "dns_certs.secret.age".publicKeys = users ++ systems; "dns_dnskeys.conf.age".publicKeys = users ++ systems; diff --git a/secrets/stream_ulfm.age b/secrets/stream_ulfm.age index c68c602..9be6559 100644 Binary files a/secrets/stream_ulfm.age and b/secrets/stream_ulfm.age differ
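Review bot: Adding `silver_homelab` to `systems` (the second hunk, `@@ -23,12 +26,13 @@`) makes a home test machine a recipient of every secret declared with `users ++ systems`, including `dns_dnskeys.conf.age` (the key file bind includes for `allow-update` on skynet.ie) and `dns_certs.secret.age`; the re-encrypted `dns_dnskeys.conf.age` in this commit already carries the new `-> ssh-rsa` stanza, so a compromise of that host key now exposes production DNS control. If the key is only needed `# for testing configs at home`, attach it to the specific secrets the test requires instead, e.g. `"<secret>.age".publicKeys = users ++ systems ++ [ silver_homelab ];` (placeholder name), and keep `systems` as the production set. The new key's trailing comment `root@galatea` looks copied from the `galatea` line above it and names the wrong host; since that comment is how the key is identified when recipients are listed, change it to the home-lab host's name.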