nixos-servers/nixos/modules/networking/dmz/default.nix

{ pkgs, lib, config, dns, ... }@inputs:
let
  cfg = config.lab.networking.dmzServices;
  kunisZoneFile = pkgs.writeTextFile {
    name = "kunis-zone-file";
    text = (dns.lib.toString "kun.is" (import ./zones/kun.is.nix inputs));
  };

  geokunis2nlZoneFile = pkgs.writeTextFile {
    name = "geokunis2nl-zone-file";
    text = (dns.lib.toString "geokunis2.nl" (import ./zones/geokunis2.nl.nix inputs));
  };
in
{
  options.lab.networking.dmzServices.enable = lib.mkOption {
    default = false;
    type = lib.types.bool;
    description = ''
      Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
    '';
  };

  config = lib.mkIf cfg.enable {
    lab.networking.allowDMZConnectivity = true;

    networking.firewall.interfaces.${config.lab.networking.dmzBridgeName} = {
      allowedTCPPorts = [ 53 5353 ];
      allowedUDPPorts = [ 53 67 5353 ];
    };

    services = {
      bind = {
        enable = true;
        forwarders = [ ];

        extraOptions = ''
          allow-transfer { none; };
          allow-recursion { none; };
          version none;
          notify no;
        '';

        zones = {
          "kun.is" = {
            master = true;
            file = kunisZoneFile;
            allowQuery = [ "any" ];
          };

          "geokunis2.nl" = {
            master = true;
            file = geokunis2nlZoneFile;
            allowQuery = [ "any" ];
            slaves = [
              "87.253.155.96/27"
              "157.97.168.160/27"
            ];
          };
        };
      };

      dnsmasq = {
        enable = true;
        settings = import ./dnsmasq.nix inputs;
      };
    };
  };
}
create global module for machine-independent custom configuration parameterize various IP addresses 2024-01-08 23:17:37 +01:00			`{ pkgs, lib, config, dns, ... }@inputs:`
use dns.nix voor zone file generation 2024-01-07 20:24:12 +01:00			`let`
restructure modules 2024-01-07 23:06:27 +01:00			`cfg = config.lab.networking.dmzServices;`
use dns.nix voor zone file generation 2024-01-07 20:24:12 +01:00			`kunisZoneFile = pkgs.writeTextFile {`
			`name = "kunis-zone-file";`
create global module for machine-independent custom configuration parameterize various IP addresses 2024-01-08 23:17:37 +01:00			`text = (dns.lib.toString "kun.is" (import ./zones/kun.is.nix inputs));`
use dns.nix voor zone file generation 2024-01-07 20:24:12 +01:00			`};`

			`geokunis2nlZoneFile = pkgs.writeTextFile {`
			`name = "geokunis2nl-zone-file";`
create global module for machine-independent custom configuration parameterize various IP addresses 2024-01-08 23:17:37 +01:00			`text = (dns.lib.toString "geokunis2.nl" (import ./zones/geokunis2.nl.nix inputs));`
use dns.nix voor zone file generation 2024-01-07 20:24:12 +01:00			`};`
			`in`
			`{`
restructure modules 2024-01-07 23:06:27 +01:00			`options.lab.networking.dmzServices.enable = lib.mkOption {`
use dns.nix voor zone file generation 2024-01-07 20:24:12 +01:00			`default = false;`
			`type = lib.types.bool;`
			`description = ''`
			`Whether to enable an authoritative DNS server and DNSmasq for DMZ network.`
			`'';`
			`};`

			`config = lib.mkIf cfg.enable {`
enable ipv6 networking on DMZ 2024-01-13 17:33:14 +01:00			`lab.networking.allowDMZConnectivity = true;`

parameterize main nic and dmz bridge interface names firewall some services to particular interfaces 2024-01-13 00:05:25 +01:00			`networking.firewall.interfaces.${config.lab.networking.dmzBridgeName} = {`
enable firewall again replace iptables with nftables disable reverse path filtering for all hosts allow port 5353 for host running dnsmasq closes #31 2024-01-12 22:31:15 +01:00			`allowedTCPPorts = [ 53 5353 ];`
			`allowedUDPPorts = [ 53 67 5353 ];`
use dns.nix voor zone file generation 2024-01-07 20:24:12 +01:00			`};`

enable dnsmasq for DHCP and DNS allow setting static ipv4 address on DMZ 2024-01-07 22:36:26 +01:00			`services = {`
			`bind = {`
			`enable = true;`
			`forwarders = [ ];`
use dns.nix voor zone file generation 2024-01-07 20:24:12 +01:00
enable dnsmasq for DHCP and DNS allow setting static ipv4 address on DMZ 2024-01-07 22:36:26 +01:00			`extraOptions = ''`
allow zone transfers for geokunis2.nl 2024-01-14 19:31:17 +01:00			`allow-transfer { none; };`
enable dnsmasq for DHCP and DNS allow setting static ipv4 address on DMZ 2024-01-07 22:36:26 +01:00			`allow-recursion { none; };`
allow zone transfers for geokunis2.nl 2024-01-14 19:31:17 +01:00			`version none;`
			`notify no;`
enable dnsmasq for DHCP and DNS allow setting static ipv4 address on DMZ 2024-01-07 22:36:26 +01:00			`'';`
use dns.nix voor zone file generation 2024-01-07 20:24:12 +01:00
enable dnsmasq for DHCP and DNS allow setting static ipv4 address on DMZ 2024-01-07 22:36:26 +01:00			`zones = {`
			`"kun.is" = {`
			`master = true;`
			`file = kunisZoneFile;`
			`allowQuery = [ "any" ];`
			`};`

			`"geokunis2.nl" = {`
			`master = true;`
			`file = geokunis2nlZoneFile;`
			`allowQuery = [ "any" ];`
allow zone transfers for geokunis2.nl 2024-01-14 19:31:17 +01:00			`slaves = [`
			`"87.253.155.96/27"`
			`"157.97.168.160/27"`
			`];`
enable dnsmasq for DHCP and DNS allow setting static ipv4 address on DMZ 2024-01-07 22:36:26 +01:00			`};`
use dns.nix voor zone file generation 2024-01-07 20:24:12 +01:00			`};`
enable dnsmasq for DHCP and DNS allow setting static ipv4 address on DMZ 2024-01-07 22:36:26 +01:00			`};`

			`dnsmasq = {`
			`enable = true;`
create global module for machine-independent custom configuration parameterize various IP addresses 2024-01-08 23:17:37 +01:00			`settings = import ./dnsmasq.nix inputs;`
use dns.nix voor zone file generation 2024-01-07 20:24:12 +01:00			`};`
			`};`
			`};`
			`}`