From 62bbc7c13de03f5747fb379c3404db3db5ca755a Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 7 Jan 2024 20:24:12 +0100 Subject: [PATCH] use dns.nix voor zone file generation --- flake.lock | 37 +++++++ flake.nix | 9 +- nixos/modules/default.nix | 2 +- nixos/modules/dns.nix | 121 ----------------------- nixos/modules/dns/default.nix | 65 ++++++++++++ nixos/modules/dns/zones/geokunis2.nl.nix | 47 +++++++++ nixos/modules/dns/zones/kun.is.nix | 28 ++++++ 7 files changed, 185 insertions(+), 124 deletions(-) delete mode 100644 nixos/modules/dns.nix create mode 100644 nixos/modules/dns/default.nix create mode 100644 nixos/modules/dns/zones/geokunis2.nl.nix create mode 100644 nixos/modules/dns/zones/kun.is.nix diff --git a/flake.lock b/flake.lock index e28e088..d5b79c3 100644 --- a/flake.lock +++ b/flake.lock @@ -84,6 +84,27 @@ "type": "github" } }, + "dns": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1635273082, + "narHash": "sha256-EHiDP2jEa7Ai5ZwIf5uld9RVFcV77+2SUxjQXwJsJa0=", + "owner": "kirelagin", + "repo": "dns.nix", + "rev": "c7b9645da9c0ddce4f9de4ef27ec01bb8108039a", + "type": "github" + }, + "original": { + "owner": "kirelagin", + "repo": "dns.nix", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -116,6 +137,21 @@ "type": "github" } }, + "flake-utils": { + "locked": { + "lastModified": 1614513358, + "narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5466c5bbece17adaab2d82fae80b46e807611bf3", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -213,6 +249,7 @@ "agenix": "agenix", "deploy-rs": "deploy-rs", "disko": "disko", + "dns": "dns", "kubenix": "kubenix", "nixpkgs": "nixpkgs_2", "nixpkgs-unstable": "nixpkgs-unstable" 
diff --git a/flake.nix b/flake.nix index 68b8ee9..194fbef 100644 --- a/flake.nix +++ b/flake.nix @@ -19,10 +19,15 @@ url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; }; + + dns = { + url = "github:kirelagin/dns.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = - { self, nixpkgs, deploy-rs, disko, agenix, kubenix, nixpkgs-unstable, ... }: + { self, nixpkgs, deploy-rs, disko, agenix, kubenix, nixpkgs-unstable, dns, ... }: let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; @@ -65,7 +70,7 @@ nixosConfigurations = mkNixosSystems (machine: { inherit system; - specialArgs = { inherit kubenix; }; + specialArgs = { inherit kubenix dns; }; modules = [ machine.nixosModule disko.nixosModules.disko diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix index 6ffb678..8388026 100644 --- a/nixos/modules/default.nix +++ b/nixos/modules/default.nix @@ -11,7 +11,7 @@ in ./backups.nix ./networking.nix ./data-sharing.nix - ./dns.nix + ./dns ]; options.lab.dataHost.enable = lib.mkOption { diff --git a/nixos/modules/dns.nix b/nixos/modules/dns.nix deleted file mode 100644 index dbbe593..0000000 --- a/nixos/modules/dns.nix +++ /dev/null 
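Review bot: The new `dns` input in the first hunk is a bare `github:kirelagin/dns.nix`, so flake.nix tracks that repository's default branch and only flake.lock pins it (the lock resolves to `c7b9645`, whose `lastModified` is October 2021). Because this library now produces the authoritative zone data the server publishes, a routine `nix flake update` silently replacing its output is a supply-chain surface worth narrowing: pin the revision in flake.nix itself, e.g. `url = "github:kirelagin/dns.nix/c7b9645da9c0ddce4f9de4ef27ec01bb8108039a";`, or at least leave a comment that the lock is the only pin and the input should be reviewed before bumping. The input also drags in its own `flake-utils` (a new `flake-utils` node appears in flake.lock); if the repository already carries one under another name, an `inputs.flake-utils.follows` override would avoid the duplicate.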
@@ -1,121 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- cfg = config.lab.dns;
- kunisZoneFile = pkgs.writeTextFile {
- name = "kunis-zone-file";
- text = ''
- $ORIGIN kun.is.
- $TTL 1m
-
- @ IN SOA ns1.kun.is. hostmaster.kun.is. (
- 1704580936
- 1D
- 1H
- 1W
- 1D )
-
- IN NS ns1.kun.is.
- IN NS ns2.kun.is.
-
- @ IN MX 10 mail.kun.is.
-
-
- ns IN A 192.145.57.90
- ns1 IN A 192.145.57.90
- ns2 IN A 192.145.57.90
- * IN A 192.145.57.90
- verify.bing.com. IN CNAME fcfe5d31d5b7ae1af0b352a6b4c75d3f
- @ IN TXT "\"google-site-verification=sznWJNdSZfiAESJhnDQEJ6hf06W9vndvhMi6wP_HH04\""
- '';
- };
-
- geokunisnlZoneFile = pkgs.writeTextFile {
- name = "geokunisnl-zone-file";
- text = ''
- $ORIGIN geokunis2.nl.
- $TTL 1h
-
- @ IN SOA ns.geokunis2.nl. hostmaster.geokunis2.nl. (
- 1704580936
- 1D
- 1H
- 1W
- 1D )
-
- IN NS ns.geokunis2.nl.
- IN NS ns0.transip.net.
- IN NS ns1.transip.nl.
- IN NS ns2.transip.eu.
-
- @ IN MX 10 mail.geokunis2.nl.
-
-
- @ IN A 192.145.57.90
- @ IN AAAA 2a0d:6e00:1a77:30:b62e:99ff:fe77:1bda
- mail IN A 192.145.57.90
- wg IN A 192.145.57.90
- wg IN AAAA 2a0d:6e00:1a77::1
- wg4 IN A 192.145.57.90
- wg6 IN AAAA 2a0d:6e00:1a77::1
- tuindersweijde IN A 192.145.57.90
- ns IN A 192.145.57.90
- ns IN AAAA 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee07
- cyberchef IN A 192.145.57.90
- cyberchef IN AAAA 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee03
- inbucket IN A 192.145.57.90
- kms IN A 192.145.57.90
- @ IN CAA 0 issue \"letsencrypt.org\"
- '';
- };
-in
-{
- options.lab.dns.enable = lib.mkOption {
- default = false;
- type = lib.types.bool;
- description = ''
- Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
- '';
- };
-
- config = lib.mkIf cfg.enable {
- networking.firewall = {
- allowedTCPPorts = [ 53 ];
- allowedUDPPorts = [ 53 ];
- };
-
- services.bind = {
- enable = true;
- forwarders = [ ];
- # TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
- ipv4Only = true;
-
- extraOptions = ''
- allow-transfer { none; };
- allow-recursion { none; };
- version "No dice.";
- '';
-
- zones = {
- "kun.is" = {
- master = true;
- file = kunisZoneFile;
- allowQuery = [ "any" ];
- extraConfig = ''
- notify yes;
- allow-update { none; };
- '';
- };
-
- "geokunis2.nl" = {
- master = true;
- file = geokunisnlZoneFile;
- allowQuery = [ "any" ];
- extraConfig = ''
- notify yes;
- allow-update { none; };
- '';
- };
- };
- };
- };
-}
diff --git a/nixos/modules/dns/default.nix b/nixos/modules/dns/default.nix
new file mode 100644
index 0000000..fd1c3dc
--- /dev/null
+++ b/nixos/modules/dns/default.nix
@@ -0,0 +1,65 @@
+{ pkgs, lib, config, dns, ... }:
+let
+ cfg = config.lab.dns;
+ publicIpv4 = "192.145.57.90";
+ kunisZoneFile = pkgs.writeTextFile {
+ name = "kunis-zone-file";
+ text = (dns.lib.toString "kun.is" (import ./zones/kun.is.nix { inherit dns publicIpv4; }));
+ };
+
+ geokunis2nlZoneFile = pkgs.writeTextFile {
+ name = "geokunis2nl-zone-file";
+ text = (dns.lib.toString "geokunis2.nl" (import ./zones/geokunis2.nl.nix { inherit dns publicIpv4; }));
+ };
+in
+{
+ options.lab.dns.enable = lib.mkOption {
+ default = false;
+ type = lib.types.bool;
+ description = ''
+ Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
+ '';
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking.firewall = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+
+ services.bind = {
+ enable = true;
+ forwarders = [ ];
+ # TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
+ ipv4Only = true;
+
+ extraOptions = ''
+ allow-transfer { none; };
+ allow-recursion { none; };
+ version "No dice.";
+ '';
+
+ zones = {
+ "kun.is" = {
+ master = true;
+ file = kunisZoneFile;
+ allowQuery = [ "any" ];
+ extraConfig = ''
+ notify yes;
+ allow-update { none; };
+ '';
+ };
+
+ "geokunis2.nl" = {
+ master = true;
+ file = geokunis2nlZoneFile;
+ allowQuery = [ "any" ];
+ extraConfig = ''
+ notify yes;
+ allow-update { none; };
+ '';
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/modules/dns/zones/geokunis2.nl.nix b/nixos/modules/dns/zones/geokunis2.nl.nix
new file mode 100644
index 0000000..29ec2c3
--- /dev/null
+++ b/nixos/modules/dns/zones/geokunis2.nl.nix
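Review bot: `allow-transfer { none; };` in `extraOptions` together with `notify yes;` on both zones means the primary will send NOTIFY to every NS listed in the zone and then refuse the AXFR/IXFR that follows; for geokunis2.nl that NS set includes `ns0.transip.net.`, `ns1.transip.nl.` and `ns2.transip.eu.`, so if those are intended as secondaries of this server they can never load the zone, and if TransIP serves an independently managed copy the two will drift silently instead. Either add a per-zone `allow-transfer { <secondary addresses or a TSIG key>; };` for geokunis2.nl or drop `notify yes;`, so the config states which model is in use. Two smaller points: the option description still promises "DNSmasq for DMZ network" although nothing in this module configures dnsmasq, and the two `zones` entries are identical apart from name and file, so a small `mkZone = file: { master = true; inherit file; allowQuery = [ "any" ]; extraConfig = "..."; }` helper would keep `allow-update { none; }` from being forgotten when a third zone is added.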
@@ -0,0 +1,47 @@
+{ publicIpv4, dns }:
+with dns.lib.combinators;
+
+{
+ SOA = {
+ nameServer = "ns";
+ adminEmail = "hostmaster@geokunis2.nl";
+ serial = 1704580936;
+ };
+
+ NS = [
+ "ns.geokunis2.nl."
+ "ns0.transip.net."
+ "ns1.transip.nl."
+ "ns2.transip.eu."
+ ];
+
+ MX = [ (mx.mx 10 "mail.geokunis2.nl.") ];
+
+ A = [ publicIpv4 ];
+ AAAA = [ "2a0d:6e00:1a77:30:b62e:99ff:fe77:1bda" ];
+ CAA = letsEncrypt "caa@geokunis2.nl";
+
+ subdomains = {
+ mail.A = [ publicIpv4 ];
+ wg4.A = [ publicIpv4 ];
+ wg6.AAAA = [ "2a0d:6e00:1a77::1" ];
+ tuindersweijde.A = [ publicIpv4 ];
+ inbucket.A = [ publicIpv4 ];
+ kms.A = [ publicIpv4 ];
+
+ wg = {
+ A = [ publicIpv4 ];
+ AAAA = [ "2a0d:6e00:1a77::1" ];
+ };
+
+ ns = {
+ A = [ publicIpv4 ];
+ AAAA = [ "2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee07" ];
+ };
+
+ cyberchef = {
+ A = [ publicIpv4 ];
+ AAAA = [ "2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee03" ];
+ };
+ };
+}
diff --git a/nixos/modules/dns/zones/kun.is.nix b/nixos/modules/dns/zones/kun.is.nix
new file mode 100644
index 0000000..d734902
--- /dev/null
+++ b/nixos/modules/dns/zones/kun.is.nix
@@ -0,0 +1,28 @@
+{ publicIpv4, dns }:
+with dns.lib.combinators;
+
+{
+ CAA = letsEncrypt "caa@kun.is";
+
+ SOA = {
+ nameServer = "ns1";
+ adminEmail = "webmaster@kun.is";
+ serial = 1704580936;
+ };
+
+ NS = [
+ "ns1.kun.is."
+ "ns2.kun.is."
+ ];
+
+ MX = [
+ (mx.mx 10 "mail.kun.is.")
+ ];
+
+ subdomains = {
+ ns.A = [ publicIpv4 ];
+ ns1.A = [ publicIpv4 ];
+ ns2.A = [ publicIpv4 ];
+ "*".A = [ publicIpv4 ];
+ };
+}
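Review bot: `serial = 1704580936;` is copied verbatim from the hand-written zone, but now that the zone text is generated from this file nothing increments it when a record changes, so resolvers keep cached data for the full TTL and any secondary that compares SOA serials (the zone lists three TransIP NS) will never refresh. Either bump it on every edit and say so at the line, `# bump on every change: caches and secondaries only refresh when this increases`, or derive it from something that moves with the config (the flake's `self.lastModified`, which would need to be passed through `specialArgs` like `dns` is). The old zone also set `$TTL 1h` while this file sets no `TTL`, so whatever dns.nix's default is now applies to every record; if dns.nix exposes a zone-level `TTL`, set it explicitly, because a long default turns a wrong record into a long outage. Finally, the CAA moves from a bare `0 issue "letsencrypt.org"` to `letsEncrypt "caa@geokunis2.nl"`, which presumably adds an `iodef` mailbox — confirm that address is actually monitored, since CAs report failed issuance attempts there.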
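Review bot: Compared with the deleted zone text, this file drops the apex `TXT "google-site-verification=sznW…HH04"` record, so Search Console verification for kun.is will lapse on the next re-check unless that is intentional; in dns.nix it is a top-level `TXT = [ "google-site-verification=sznWJNdSZfiAESJhnDQEJ6hf06W9vndvhMi6wP_HH04" ];`. (Losing the `verify.bing.com. IN CNAME …` line is harmless: its owner name is outside kun.is, so BIND was discarding it as out-of-zone data anyway.) Two further silent changes deserve a mention in the commit message or a comment: the SOA RNAME moves from `hostmaster.kun.is.` to `webmaster@kun.is`, and the previous `$TTL 1m` gives way to dns.nix's default because no `TTL` is set. The `"*".A` wildcard is kept without explanation; a one-line comment naming what depends on every unknown label resolving to `publicIpv4` would help the next reader, since a wildcard also makes mistyped or attacker-chosen hostnames under the zone resolve.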