{ lib, pkgs, config, ... }: let cfg = config.skynet_dns; # reads that date to a string (will need to be fixed in 2038) current_date = toString builtins.currentTime; in { options = { skynet_dns = { enable = lib.mkEnableOption { default = false; example = true; description = "Skynet DNS"; type = lib.types.bool; }; own = { nameserver = lib.mkOption { default = "ns1"; type = lib.types.str; description = '' the hostname of this nameserver, eg ns1, ns2 ''; }; external = lib.mkOption { default = [ ]; type = lib.types.listOf lib.types.str; description = '' External records like: agentjones A 193.1.99.72 ''; }; cname = lib.mkOption { default = [ ]; type = lib.types.listOf lib.types.str; description = '' External records like: ns1 CNAME ns1 ''; }; }; records = { external = lib.mkOption { default = [ ]; type = lib.types.listOf lib.types.str; description = '' External records like: agentjones A 193.1.99.72 ''; }; cname = lib.mkOption { default = [ ]; type = lib.types.listOf lib.types.str; description = '' External records like: ns1 CNAME ns1 ''; }; }; }; }; config = lib.mkIf cfg.enable { # secrets required age.secrets.dns_dnskeys = { file = ../secrets/dns_dnskeys.conf.age; owner = "named"; group = "named"; }; networking.firewall = { allowedTCPPorts = [53]; allowedUDPPorts = [53]; }; services.bind = { enable = true; ipv4Only = true; # need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns extraConfig = '' include "/run/agenix/dns_dnskeys"; ''; # piles of no valid RRSIG resolving 'com/DS/IN' errors extraOptions = '' dnssec-validation yes; ''; # set the upstream dns servers # overrides the default dns servers forwarders = [ # Cloudflare "1.1.1.1" # Google "8.8.8.8" # Quad9 "9.9.9.9" ]; cacheNetworks = [ # this server itself "127.0.0.0/24" # all of skynet can use this as a resolver /* Origianl idea, however all external traffic had the ip of the router "193.1.99.64/26" So to fix this we need to allow smaller ranges? - Didnt work Fallback is explisitly listing each ip we have */ "193.1.99.71/32" "193.1.99.72/32" "193.1.99.73/32" "193.1.99.71/32" "193.1.99.74/32" "193.1.99.75/32" "193.1.99.76/32" "193.1.99.77/32" "193.1.99.78/32" "193.1.99.79/32" "193.1.99.80/32" "193.1.99.81/32" "193.1.99.82/32" "193.1.99.83/32" "193.1.99.81/32" "193.1.99.84/32" "193.1.99.85/32" "193.1.99.86/32" "193.1.99.87/32" "193.1.99.88/32" "193.1.99.89/32" "193.1.99.90/32" "193.1.99.91/32" "193.1.99.92/32" "193.1.99.93/32" "193.1.99.91/32" "193.1.99.94/32" "193.1.99.95/32" "193.1.99.96/32" "193.1.99.97/32" "193.1.99.98/32" "193.1.99.99/32" "193.1.99.100/32" "193.1.99.101/32" "193.1.99.102/32" "193.1.99.103/32" "193.1.99.101/32" "193.1.99.104/32" "193.1.99.105/32" "193.1.99.106/32" "193.1.99.107/32" "193.1.99.108/32" "193.1.99.109/32" "193.1.99.110/32" "193.1.99.111/32" "193.1.99.112/32" "193.1.99.113/32" "193.1.99.111/32" "193.1.99.114/32" "193.1.99.115/32" "193.1.99.116/32" "193.1.99.117/32" "193.1.99.118/32" "193.1.99.119/32" "193.1.99.120/32" "193.1.99.121/32" "193.1.99.122/32" "193.1.99.123/32" "193.1.99.121/32" "193.1.99.124/32" "193.1.99.125/32" "193.1.99.126/32" ]; zones = { /* put any other zones above skynet and link to their files like so: example.ie = { extraConfig = ""; file = ./dns/example; master = true; masters = []; slaves = [ ]; }; Skynet is handled a bit more dynamically since it is the key one we should focus on */ "skynet.ie" = { extraConfig = '' allow-update { key rfc2136key.skynet.ie.; }; dnssec-policy default; inline-signing yes; // for bumping the config // ${current_date} ''; # really wish teh nixos config didnt use master/slave master = true; slaves = [ ]; # need to write this to a file # using the date in it so it will trigger a restart file = "/etc/dns_custom/dns_zone_skynet"; # no leading whitespace for first line }; }; }; # creates a folder in /etc for the dns to use users.users.named = { createHome = true; home = "/etc/dns_custom"; }; environment.etc = { # Creates /etc/dns_custom/dns_zone_skynet "dns_custom/dns_zone_skynet" = { user = "named"; group = "named"; # The UNIX file mode bits mode = "0644"; text = '' $TTL 60 ; 1 minute ; hostmaster@skynet.ie is an email address that recieves stuff related to dns @ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. ( ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated ${current_date} 600 ; Refresh (10 minutes) 300 ; Retry (5 minutes) 604800 ; Expire (1 week) 3600 ; Minimum (1 hour) ) @ NS ns1.skynet.ie. @ NS ns2.skynet.ie. ; @ stands for teh root domain so teh A record below is where skynet.ie points to @ A 193.1.99.76 ;@ MX 5 mail.skynet.ie. ; can have multiple mailserves ;@ MX 20 mail2.skynet.ie. ; ------------------------------------------ ; Server Names ; ------------------------------------------ ; External addresses ; ------------------------------------------ ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external} ; this is fixed for now wintermute A 193.1.101.148 ; internal addresses ; ------------------------------------------ ; May come back to this idea in teh future ; agentjones.int A 172.20.20.1 ; cname's ; ------------------------------------------ ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname} ''; }; }; }; }