use dns.nix voor zone file generation

2024-01-07 20:24:12 +01:00 · 2024-01-07 20:24:12 +01:00 · 62bbc7c13d
commit 62bbc7c13d
parent a152cde165
7 changed files with 185 additions and 124 deletions
--- a/flake.lock
+++ b/flake.lock
@ -84,6 +84,27 @@
        "type": "github"
      }
    },
+    "dns": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1635273082,
+        "narHash": "sha256-EHiDP2jEa7Ai5ZwIf5uld9RVFcV77+2SUxjQXwJsJa0=",
+        "owner": "kirelagin",
+        "repo": "dns.nix",
+        "rev": "c7b9645da9c0ddce4f9de4ef27ec01bb8108039a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "kirelagin",
+        "repo": "dns.nix",
+        "type": "github"
+      }
+    },
    "flake-compat": {
      "flake": false,
      "locked": {
@ -116,6 +137,21 @@
        "type": "github"
      }
    },
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1614513358,
+        "narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -213,6 +249,7 @@
        "agenix": "agenix",
        "deploy-rs": "deploy-rs",
        "disko": "disko",
+        "dns": "dns",
        "kubenix": "kubenix",
        "nixpkgs": "nixpkgs_2",
        "nixpkgs-unstable": "nixpkgs-unstable"
--- a/flake.nix
+++ b/flake.nix
@ -19,10 +19,15 @@
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    dns = {
+      url = "github:kirelagin/dns.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs =
-    { self, nixpkgs, deploy-rs, disko, agenix, kubenix, nixpkgs-unstable, ... }:
+    { self, nixpkgs, deploy-rs, disko, agenix, kubenix, nixpkgs-unstable, dns, ... }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
@ -65,7 +70,7 @@

      nixosConfigurations = mkNixosSystems (machine: {
        inherit system;
-        specialArgs = { inherit kubenix; };
+        specialArgs = { inherit kubenix dns; };
        modules = [
          machine.nixosModule
          disko.nixosModules.disko
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -11,7 +11,7 @@ in
    ./backups.nix
    ./networking.nix
    ./data-sharing.nix
-    ./dns.nix
+    ./dns
  ];

  options.lab.dataHost.enable = lib.mkOption {
--- a/nixos/modules/dns.nix
+++ b/nixos/modules/dns.nix
@ -1,121 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  cfg = config.lab.dns;
-  kunisZoneFile = pkgs.writeTextFile {
-    name = "kunis-zone-file";
-    text = ''
-      $ORIGIN kun.is.
-      $TTL 1m
-
-      @ IN SOA ns1.kun.is. hostmaster.kun.is. (
-        1704580936
-        1D
-        1H
-        1W
-        1D )
-
-                                 IN  NS     ns1.kun.is.
-                                 IN  NS     ns2.kun.is.
-
-      @                          IN  MX     10  mail.kun.is. 
-
-
-      ns                         IN  A      192.145.57.90
-      ns1                        IN  A      192.145.57.90
-      ns2                        IN  A      192.145.57.90
-      *                          IN  A      192.145.57.90
-      verify.bing.com.           IN  CNAME  fcfe5d31d5b7ae1af0b352a6b4c75d3f
-      @                    IN  TXT    "\"google-site-verification=sznWJNdSZfiAESJhnDQEJ6hf06W9vndvhMi6wP_HH04\""
-    '';
-  };
-
-  geokunisnlZoneFile = pkgs.writeTextFile {
-    name = "geokunisnl-zone-file";
-    text = ''
-      $ORIGIN geokunis2.nl.
-      $TTL 1h
-
-      @ IN SOA ns.geokunis2.nl. hostmaster.geokunis2.nl. (
-        1704580936
-        1D
-        1H
-        1W
-        1D )
-
-                                 IN  NS     ns.geokunis2.nl.
-                                 IN  NS     ns0.transip.net.
-                                 IN  NS     ns1.transip.nl.
-                                 IN  NS     ns2.transip.eu.
-
-      @                          IN  MX     10  mail.geokunis2.nl. 
-
-
-      @                          IN  A      192.145.57.90
-      @                          IN  AAAA   2a0d:6e00:1a77:30:b62e:99ff:fe77:1bda
-      mail                       IN  A      192.145.57.90
-      wg                         IN  A      192.145.57.90
-      wg                         IN  AAAA   2a0d:6e00:1a77::1
-      wg4                        IN  A      192.145.57.90
-      wg6                        IN  AAAA   2a0d:6e00:1a77::1
-      tuindersweijde             IN  A      192.145.57.90
-      ns                         IN  A      192.145.57.90
-      ns                         IN  AAAA   2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee07
-      cyberchef                  IN  A      192.145.57.90
-      cyberchef                  IN  AAAA   2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee03
-      inbucket                   IN  A      192.145.57.90
-      kms                        IN  A      192.145.57.90
-      @                    IN  CAA    0 issue \"letsencrypt.org\"
-    '';
-  };
-in
-{
-  options.lab.dns.enable = lib.mkOption {
-    default = false;
-    type = lib.types.bool;
-    description = ''
-      Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
-    '';
-  };
-
-  config = lib.mkIf cfg.enable {
-    networking.firewall = {
-      allowedTCPPorts = [ 53 ];
-      allowedUDPPorts = [ 53 ];
-    };
-
-    services.bind = {
-      enable = true;
-      forwarders = [ ];
-      # TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
-      ipv4Only = true;
-
-      extraOptions = ''
-        allow-transfer { none; }; 
-        allow-recursion { none; };
-        version "No dice.";
-      '';
-
-      zones = {
-        "kun.is" = {
-          master = true;
-          file = kunisZoneFile;
-          allowQuery = [ "any" ];
-          extraConfig = ''
-            notify yes;
-            allow-update { none; };
-          '';
-        };
-
-        "geokunis2.nl" = {
-          master = true;
-          file = geokunisnlZoneFile;
-          allowQuery = [ "any" ];
-          extraConfig = ''
-            notify yes;
-            allow-update { none; };
-          '';
-        };
-      };
-    };
-  };
-}
--- a/nixos/modules/dns/default.nix
+++ b/nixos/modules/dns/default.nix
@ -0,0 +1,65 @@
+{ pkgs, lib, config, dns, ... }:
+let
+  cfg = config.lab.dns;
+  publicIpv4 = "192.145.57.90";
+  kunisZoneFile = pkgs.writeTextFile {
+    name = "kunis-zone-file";
+    text = (dns.lib.toString "kun.is" (import ./zones/kun.is.nix { inherit dns publicIpv4; }));
+  };
+
+  geokunis2nlZoneFile = pkgs.writeTextFile {
+    name = "geokunis2nl-zone-file";
+    text = (dns.lib.toString "geokunis2.nl" (import ./zones/geokunis2.nl.nix { inherit dns publicIpv4; }));
+  };
+in
+{
+  options.lab.dns.enable = lib.mkOption {
+    default = false;
+    type = lib.types.bool;
+    description = ''
+      Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
+    '';
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall = {
+      allowedTCPPorts = [ 53 ];
+      allowedUDPPorts = [ 53 ];
+    };
+
+    services.bind = {
+      enable = true;
+      forwarders = [ ];
+      # TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
+      ipv4Only = true;
+
+      extraOptions = ''
+        allow-transfer { none; }; 
+        allow-recursion { none; };
+        version "No dice.";
+      '';
+
+      zones = {
+        "kun.is" = {
+          master = true;
+          file = kunisZoneFile;
+          allowQuery = [ "any" ];
+          extraConfig = ''
+            notify yes;
+            allow-update { none; };
+          '';
+        };
+
+        "geokunis2.nl" = {
+          master = true;
+          file = geokunis2nlZoneFile;
+          allowQuery = [ "any" ];
+          extraConfig = ''
+            notify yes;
+            allow-update { none; };
+          '';
+        };
+      };
+    };
+  };
+}
--- a/nixos/modules/dns/zones/geokunis2.nl.nix
+++ b/nixos/modules/dns/zones/geokunis2.nl.nix
@ -0,0 +1,47 @@
+{ publicIpv4, dns }:
+with dns.lib.combinators;
+
+{
+  SOA = {
+    nameServer = "ns";
+    adminEmail = "hostmaster@geokunis2.nl";
+    serial = 1704580936;
+  };
+
+  NS = [
+    "ns.geokunis2.nl."
+    "ns0.transip.net."
+    "ns1.transip.nl."
+    "ns2.transip.eu."
+  ];
+
+  MX = [ (mx.mx 10 "mail.geokunis2.nl.") ];
+
+  A = [ publicIpv4 ];
+  AAAA = [ "2a0d:6e00:1a77:30:b62e:99ff:fe77:1bda" ];
+  CAA = letsEncrypt "caa@geokunis2.nl";
+
+  subdomains = {
+    mail.A = [ publicIpv4 ];
+    wg4.A = [ publicIpv4 ];
+    wg6.AAAA = [ "2a0d:6e00:1a77::1" ];
+    tuindersweijde.A = [ publicIpv4 ];
+    inbucket.A = [ publicIpv4 ];
+    kms.A = [ publicIpv4 ];
+
+    wg = {
+      A = [ publicIpv4 ];
+      AAAA = [ "2a0d:6e00:1a77::1" ];
+    };
+
+    ns = {
+      A = [ publicIpv4 ];
+      AAAA = [ "2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee07" ];
+    };
+
+    cyberchef = {
+      A = [ publicIpv4 ];
+      AAAA = [ "2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee03" ];
+    };
+  };
+}
--- a/nixos/modules/dns/zones/kun.is.nix
+++ b/nixos/modules/dns/zones/kun.is.nix
@ -0,0 +1,28 @@
+{ publicIpv4, dns }:
+with dns.lib.combinators;
+
+{
+  CAA = letsEncrypt "caa@kun.is";
+
+  SOA = {
+    nameServer = "ns1";
+    adminEmail = "webmaster@kun.is";
+    serial = 1704580936;
+  };
+
+  NS = [
+    "ns1.kun.is."
+    "ns2.kun.is."
+  ];
+
+  MX = [
+    (mx.mx 10 "mail.kun.is.")
+  ];
+
+  subdomains = {
+    ns.A = [ publicIpv4 ];
+    ns1.A = [ publicIpv4 ];
+    ns2.A = [ publicIpv4 ];
+    "*".A = [ publicIpv4 ];
+  };
+}