2024-01-31 20:58:23 +00:00
|
|
|
# TODO: we should split this into DHCP and DNS
|
|
|
|
# This decoupling makes it easier to put one service on another host.
|
2024-01-08 22:17:37 +00:00
|
|
|
{ pkgs, lib, config, dns, ... }@inputs:
|
2024-01-07 19:24:12 +00:00
|
|
|
let
|
2024-01-31 20:58:23 +00:00
|
|
|
cfg = config.lab.networking.dmz.services;
|
|
|
|
|
2024-01-07 19:24:12 +00:00
|
|
|
kunisZoneFile = pkgs.writeTextFile {
|
|
|
|
name = "kunis-zone-file";
|
2024-01-08 22:17:37 +00:00
|
|
|
text = (dns.lib.toString "kun.is" (import ./zones/kun.is.nix inputs));
|
2024-01-07 19:24:12 +00:00
|
|
|
};
|
|
|
|
in
|
|
|
|
{
|
2024-01-31 20:58:23 +00:00
|
|
|
options.lab.networking.dmz.services.enable = lib.mkOption {
|
2024-01-07 19:24:12 +00:00
|
|
|
default = false;
|
|
|
|
type = lib.types.bool;
|
|
|
|
description = ''
|
|
|
|
Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
config = lib.mkIf cfg.enable {
|
2024-01-31 20:58:23 +00:00
|
|
|
# TODO Remove this; make this explicit in the machine config.
|
|
|
|
lab.networking.dmz.allowConnectivity = true;
|
2024-01-13 16:33:14 +00:00
|
|
|
|
2024-01-29 21:21:15 +00:00
|
|
|
# TODO: listen only on dmz interface, make this portable between physical and VM.
|
|
|
|
networking.firewall = {
|
2024-01-12 21:31:15 +00:00
|
|
|
allowedTCPPorts = [ 53 5353 ];
|
|
|
|
allowedUDPPorts = [ 53 67 5353 ];
|
2024-01-07 19:24:12 +00:00
|
|
|
};
|
|
|
|
|
2024-01-07 21:36:26 +00:00
|
|
|
services = {
|
|
|
|
bind = {
|
|
|
|
enable = true;
|
|
|
|
forwarders = [ ];
|
2024-01-07 19:24:12 +00:00
|
|
|
|
2024-01-07 21:36:26 +00:00
|
|
|
extraOptions = ''
|
2024-01-14 18:31:17 +00:00
|
|
|
allow-transfer { none; };
|
2024-01-07 21:36:26 +00:00
|
|
|
allow-recursion { none; };
|
2024-01-14 18:31:17 +00:00
|
|
|
version none;
|
|
|
|
notify no;
|
2024-01-07 21:36:26 +00:00
|
|
|
'';
|
2024-01-07 19:24:12 +00:00
|
|
|
|
2024-01-07 21:36:26 +00:00
|
|
|
zones = {
|
|
|
|
"kun.is" = {
|
|
|
|
master = true;
|
|
|
|
file = kunisZoneFile;
|
|
|
|
allowQuery = [ "any" ];
|
|
|
|
};
|
2024-01-07 19:24:12 +00:00
|
|
|
};
|
2024-01-07 21:36:26 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
dnsmasq = {
|
|
|
|
enable = true;
|
2024-01-08 22:17:37 +00:00
|
|
|
settings = import ./dnsmasq.nix inputs;
|
2024-01-07 19:24:12 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|