326 lines
No EOL
7.8 KiB
Nix
326 lines
No EOL
7.8 KiB
Nix
{ lib, pkgs, config, ... }:
|
|
let
|
|
cfg = config.skynet_dns;
|
|
|
|
# reads that date to a string (will need to be fixed in 2038)
|
|
current_date = toString builtins.currentTime;
|
|
|
|
|
|
|
|
get_config_file = (domain:
|
|
''
|
|
$TTL 60 ; 1 minute
|
|
; hostmaster@${domain} is an email address that recieves stuff related to dns
|
|
@ IN SOA ${cfg.own.nameserver}.${domain}. hostmaster.${domain}. (
|
|
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
|
|
${current_date}
|
|
600 ; Refresh (10 minutes)
|
|
300 ; Retry (5 minutes)
|
|
604800 ; Expire (1 week)
|
|
3600 ; Minimum (1 hour)
|
|
)
|
|
|
|
@ NS ns1.${domain}.
|
|
@ NS ns2.${domain}.
|
|
; @ stands for teh root domain so teh A record below is where ${domain} points to
|
|
@ A 193.1.99.76
|
|
;@ MX 5 ${domain}.
|
|
|
|
; can have multiple mailserves
|
|
;@ MX 20 mail2.${domain}.
|
|
|
|
|
|
; ------------------------------------------
|
|
; Server Names
|
|
; ------------------------------------------
|
|
|
|
; External addresses
|
|
; ------------------------------------------
|
|
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external}
|
|
|
|
|
|
; this is fixed for now
|
|
wintermute A 193.1.101.148
|
|
|
|
|
|
; internal addresses
|
|
; ------------------------------------------
|
|
; May come back to this idea in teh future
|
|
; agentjones.int A 172.20.20.1
|
|
|
|
|
|
; cname's
|
|
; ------------------------------------------
|
|
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname}
|
|
|
|
''
|
|
);
|
|
|
|
in {
|
|
options = {
|
|
skynet_dns = {
|
|
enable = lib.mkEnableOption {
|
|
default = false;
|
|
example = true;
|
|
description = "Skynet DNS";
|
|
type = lib.types.bool;
|
|
};
|
|
|
|
own = {
|
|
nameserver = lib.mkOption {
|
|
default = "ns1";
|
|
type = lib.types.str;
|
|
description = ''
|
|
the hostname of this nameserver, eg ns1, ns2
|
|
'';
|
|
};
|
|
|
|
external = lib.mkOption {
|
|
default = [ ];
|
|
type = lib.types.listOf lib.types.str;
|
|
description = ''
|
|
External records like: agentjones A 193.1.99.72
|
|
'';
|
|
};
|
|
|
|
cname = lib.mkOption {
|
|
default = [ ];
|
|
type = lib.types.listOf lib.types.str;
|
|
description = ''
|
|
External records like: ns1 CNAME ns1
|
|
'';
|
|
};
|
|
};
|
|
|
|
|
|
records = {
|
|
external = lib.mkOption {
|
|
default = [ ];
|
|
type = lib.types.listOf lib.types.str;
|
|
description = ''
|
|
External records like: agentjones A 193.1.99.72
|
|
'';
|
|
};
|
|
|
|
cname = lib.mkOption {
|
|
default = [ ];
|
|
type = lib.types.listOf lib.types.str;
|
|
description = ''
|
|
External records like: ns1 CNAME ns1
|
|
'';
|
|
};
|
|
};
|
|
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
# secrets required
|
|
age.secrets.dns_dnskeys = {
|
|
file = ../secrets/dns_dnskeys.conf.age;
|
|
owner = "named";
|
|
group = "named";
|
|
};
|
|
|
|
networking.firewall = {
|
|
allowedTCPPorts = [53];
|
|
allowedUDPPorts = [53];
|
|
};
|
|
|
|
services.bind = {
|
|
enable = true;
|
|
|
|
ipv4Only = true;
|
|
|
|
# need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns
|
|
extraConfig = ''
|
|
include "/run/agenix/dns_dnskeys";
|
|
'';
|
|
|
|
# piles of no valid RRSIG resolving 'com/DS/IN' errors
|
|
extraOptions = ''
|
|
dnssec-validation yes;
|
|
'';
|
|
|
|
# set the upstream dns servers
|
|
# overrides the default dns servers
|
|
forwarders = [
|
|
# Cloudflare
|
|
"1.1.1.1"
|
|
# Google
|
|
"8.8.8.8"
|
|
# Quad9
|
|
"9.9.9.9"
|
|
];
|
|
|
|
cacheNetworks = [
|
|
# this server itself
|
|
"127.0.0.0/24"
|
|
# all of skynet can use this as a resolver
|
|
/*
|
|
Origianl idea, however all external traffic had the ip of the router
|
|
"193.1.99.64/26"
|
|
|
|
So to fix this we need to allow smaller ranges? - Didnt work
|
|
Fallback is explisitly listing each ip we have
|
|
*/
|
|
|
|
"193.1.99.71/32"
|
|
"193.1.99.72/32"
|
|
"193.1.99.73/32"
|
|
"193.1.99.71/32"
|
|
"193.1.99.74/32"
|
|
"193.1.99.75/32"
|
|
"193.1.99.76/32"
|
|
"193.1.99.77/32"
|
|
"193.1.99.78/32"
|
|
"193.1.99.79/32"
|
|
|
|
"193.1.99.80/32"
|
|
"193.1.99.81/32"
|
|
"193.1.99.82/32"
|
|
"193.1.99.83/32"
|
|
"193.1.99.81/32"
|
|
"193.1.99.84/32"
|
|
"193.1.99.85/32"
|
|
"193.1.99.86/32"
|
|
"193.1.99.87/32"
|
|
"193.1.99.88/32"
|
|
"193.1.99.89/32"
|
|
|
|
"193.1.99.90/32"
|
|
"193.1.99.91/32"
|
|
"193.1.99.92/32"
|
|
"193.1.99.93/32"
|
|
"193.1.99.91/32"
|
|
"193.1.99.94/32"
|
|
"193.1.99.95/32"
|
|
"193.1.99.96/32"
|
|
"193.1.99.97/32"
|
|
"193.1.99.98/32"
|
|
"193.1.99.99/32"
|
|
|
|
|
|
"193.1.99.100/32"
|
|
"193.1.99.101/32"
|
|
"193.1.99.102/32"
|
|
"193.1.99.103/32"
|
|
"193.1.99.101/32"
|
|
"193.1.99.104/32"
|
|
"193.1.99.105/32"
|
|
"193.1.99.106/32"
|
|
"193.1.99.107/32"
|
|
"193.1.99.108/32"
|
|
"193.1.99.109/32"
|
|
|
|
"193.1.99.110/32"
|
|
"193.1.99.111/32"
|
|
"193.1.99.112/32"
|
|
"193.1.99.113/32"
|
|
"193.1.99.111/32"
|
|
"193.1.99.114/32"
|
|
"193.1.99.115/32"
|
|
"193.1.99.116/32"
|
|
"193.1.99.117/32"
|
|
"193.1.99.118/32"
|
|
"193.1.99.119/32"
|
|
|
|
"193.1.99.120/32"
|
|
"193.1.99.121/32"
|
|
"193.1.99.122/32"
|
|
"193.1.99.123/32"
|
|
"193.1.99.121/32"
|
|
"193.1.99.124/32"
|
|
"193.1.99.125/32"
|
|
"193.1.99.126/32"
|
|
|
|
];
|
|
|
|
zones = {
|
|
/*
|
|
put any other zones above skynet and link to their files like so:
|
|
|
|
example.ie = {
|
|
extraConfig = "";
|
|
file = ./dns/example;
|
|
master = true;
|
|
masters = [];
|
|
slaves = [ ];
|
|
};
|
|
|
|
Skynet is handled a bit more dynamically since it is the key one we should focus on
|
|
*/
|
|
|
|
"skynet.ie" = {
|
|
extraConfig = ''
|
|
allow-update { key rfc2136key.skynet.ie.; };
|
|
|
|
dnssec-policy default;
|
|
inline-signing yes;
|
|
|
|
// for bumping the config
|
|
// ${current_date}
|
|
'';
|
|
# really wish teh nixos config didnt use master/slave
|
|
master = true;
|
|
slaves = [ ];
|
|
# need to write this to a file
|
|
# using the date in it so it will trigger a restart
|
|
file = "/etc/dns_custom/dns_zone_skynet";
|
|
# no leading whitespace for first line
|
|
|
|
};
|
|
|
|
"csn.ul.ie" = {
|
|
extraConfig = ''
|
|
allow-update { key rfc2136key.skynet.ie.; };
|
|
|
|
dnssec-policy default;
|
|
inline-signing yes;
|
|
|
|
// for bumping the config
|
|
// ${current_date}
|
|
'';
|
|
# really wish teh nixos config didnt use master/slave
|
|
master = true;
|
|
slaves = [ ];
|
|
# need to write this to a file
|
|
# using the date in it so it will trigger a restart
|
|
file = "/etc/dns_custom/dns_zone_csn";
|
|
# no leading whitespace for first line
|
|
|
|
};
|
|
};
|
|
};
|
|
|
|
# creates a folder in /etc for the dns to use
|
|
users.users.named = {
|
|
createHome = true;
|
|
home = "/etc/dns_custom";
|
|
};
|
|
|
|
environment.etc = {
|
|
# Creates /etc/dns_custom/dns_zone_skynet
|
|
|
|
"dns_custom/dns_zone_skynet" = {
|
|
user = "named";
|
|
group = "named";
|
|
|
|
# The UNIX file mode bits
|
|
mode = "0644";
|
|
|
|
text = get_config_file "skynet.ie";
|
|
};
|
|
|
|
"dns_custom/dns_zone_csn" = {
|
|
user = "named";
|
|
group = "named";
|
|
|
|
# The UNIX file mode bits
|
|
mode = "0644";
|
|
|
|
text = get_config_file "csn.ul.ie";
|
|
};
|
|
};
|
|
};
|
|
} |