diff --git a/applications/dns.nix b/applications/dns.nix index d3db25d..84037f1 100644 --- a/applications/dns.nix +++ b/applications/dns.nix @@ -44,6 +44,7 @@ then str else (fixedWidthString_post reqWidth filler str) + filler; +#------------------------------------------------------------------------------ # base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie) get_config_file = ( domain: '' @@ -102,6 +103,8 @@ '' ); +#------------------------------------------------------------------------------ + # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse # config for our reverse dnspointers (not properly working) get_config_file_rev = ( @@ -148,7 +151,8 @@ '' ); - # arrys of the two nameservers +#------------------------------------------------------------------------------ + # addresses of the two nameservers tmp1 = ["193.1.99.109"]; tmp2 = ["193.1.99.120"]; @@ -171,6 +175,7 @@ else [] ); +#------------------------------------------------------------------------------ # small function to tidy up the spam of the cache networks, would use the subnet except all external traffic has the ip of the router create_cache_networks = map (x: "193.1.99.${toString x}/32") (lib.lists.range 71 126); @@ -188,7 +193,7 @@ }; }; # (text.owned "csn.ul.ie") - +#------------------------------------------------------------------------------ # standard function to create the file in /etc/ - pass in the text and domain and the function creates that file create_entry_etc = domain: type: if type == "owned" @@ -198,7 +203,7 @@ else if type == "old" then create_entry_etc_sub domain (text.old domain) else {}; - +#------------------------------------------------------------------------------ create_entry_zone = domain: extraConfig: { "${domain}" = { extraConfig = '' 
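Review bot: The separator added in this hunk (`+#----…`) starts at column 0 while the `let` bindings it labels are indented, which is visible from the missing space after the `+`; the separators in the `@@ -102`, `@@ -148`, `@@ -171`, `@@ -188`, `@@ -198`, `@@ -222`, `@@ -239`, `@@ -282`, `@@ -338`, `@@ -469` and `@@ -480` hunks have the same shape, whereas the ones placed inside the `forwarders` list (`@@ -387`, `@@ -405`, `@@ -413`) are indented to match their block. Indenting every separator to its enclosing scope would keep the file consistent, and if the repository runs a Nix formatter it will presumably re-indent them anyway. The `get_config_file` definition this hunk opens continues outside the hunk.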
@@ -222,7 +227,7 @@ reverse = domain: get_config_file_rev domain; old = domain: get_config_file_old_domains domain; }; - +#------------------------------------------------------------------------------ extraConfig = { owned = if cfg.server.primary @@ -239,7 +244,7 @@ old = ""; }; - +#------------------------------------------------------------------------------ records = builtins.concatLists ( lib.attrsets.mapAttrsToList ( key: value: let @@ -282,6 +287,7 @@ nodes ); +#------------------------------------------------------------------------------ nameserver = if cfg.server.primary then "ns1" @@ -338,6 +344,7 @@ in { }; }; +#------------------------------------------------------------------------------ config = lib.mkIf cfg.server.enable { # open the firewall for this skynet_firewall.forward = [ @@ -387,17 +394,17 @@ in { extraOptions = '' dnssec-validation yes; ''; - +#------------------------------------------------------------------------------ # set the upstream dns servers # overrides the default dns servers # Set for HEANet and Quad9 IPv4 servers, x4 total forwarders = [ - - + #------------------------------------------------------------------------------ + #------------------------------------------------------------------------------ # Name: HEANet # DNSSEC: not known # Details: ISP for UL, should be a good candidate for primary upstream. If they aren't available, we've no connectivity anyway. - + #------------------------------------------------------------------------------ # IPv4 # Server: ns.heanet.ie HEANet primary "193.1.193.194" @@ -405,7 +412,7 @@ in { "193.1.247.198" # Server: auth-ns3.heanet.ie HEANet tertiary (Germany location) # "5.196.22.225" - + #------------------------------------------------------------------------------ # IPV6 # Server: ns.heanet.ie HEANet IPv4 primary # "2001:770:18:4::c101:c1c2" 
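Review bot: In the `@@ -387` hunk two separator lines are added back to back just after `forwarders = [` (`+ #----…` twice, one per blank line they replace), and the same doubling appears before each `# Name:` block in the `@@ -413` hunk, while the `# IPv4` / `# IPV6` sub-blocks get a single one. If the doubling is meant to mark the provider-level boundary, a heavier rule for the provider (`#====…`) and the existing lighter one for the sub-blocks would say so explicitly; if not, one separator per boundary is enough and the second line can stay blank as before. The `forwarders` list opened in that hunk is closed in the `@@ -413` hunk.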
@@ -413,42 +420,42 @@ in { # "2001:770:1c:4::c101:f7c6" # Server: auth-ns3.heanet.ie HEANet IPv4 tertiary (Germany location) # "2001:41d0:52:900::871" - - + #------------------------------------------------------------------------------ + #------------------------------------------------------------------------------ # Name: Quad9.net (free service - this one is unfiltered). # DNSSEC: not available # Details: Based in Switzerland, zero cost, stated as no tracking data saved. Also has https https://dns10.quad9.net/dns-query - + #------------------------------------------------------------------------------ # IPv4 # Server: dns10.quad9.net IPv4 Primary "9.9.9.10" # Server: dns10.quad9.net IPv4 Secondary "149.112.112.10" - + #------------------------------------------------------------------------------ # IPV6 # Server: dns10.quad9.net IPV6 Primary server # "2620:fe::10" # Server: dns10.quad9.net IPV6 Secondary server # "2620:fe::fe:10" - - + #------------------------------------------------------------------------------ + #------------------------------------------------------------------------------ # Name: Quad9.net (free service - this one is malware/phish blocked). Suggesting using the unfiltered set just above. # DNSSEC: available # Details: Based in Switzerland, zero cost, stated as no tracking data saved. Also has https https://dns.quad9.net/dns-query - + #------------------------------------------------------------------------------ # IPv4 # Server: dns9.quad9.net IPv4 Primary # "9.9.9.9" # Server: dns.quad9.net IPv4 Secondary # "149.112.112.112" - + #------------------------------------------------------------------------------ # IPv6 # Server: dns9.quad9.net IPV6 Primary server # "2620:fe::9" # Server: dns.quad9.net IPV6 Secondary server # "2620:fe::fe" ]; - +#------------------------------------------------------------------------------ cacheNetworks = [ # this server itself 
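Review bot: The new section headers make the `DNSSEC: not available` line under the unfiltered Quad9 entry stand out, and beside a forwarder list it reads as though DNSSEC validation depends on which upstream is active, whereas `extraOptions` in the `@@ -387` hunk sets `dnssec-validation yes;`, so this BIND instance validates answers itself whichever forwarder is used (presumably the unfiltered service still returns the signature records needed for that; worth confirming against the provider's documentation). One line under the first new separator pair would stop a later reader from switching to the filtered `dns9` set, or turning local validation off, on that misreading: `# "DNSSEC" below describes the upstream's own validation only; this resolver validates locally (dnssec-validation yes).` The `forwarders` list closed by `];` in this hunk is opened in the `@@ -387` hunk.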
@@ -469,7 +476,7 @@ in { ] ++ create_cache_networks; }; - +#------------------------------------------------------------------------------ systemd.services.bind = { # deletes the journal files evey start so it no longer stalls out preStart = '' @@ -480,7 +487,7 @@ in { "${config.environment.etc."skynet/dns/skynet.ie".source}" ]; }; - +#------------------------------------------------------------------------------ # creates a folder in /etc for the dns to use users.users.named = { createHome = true;