home/nixos-servers
home/nixos-servers
2
0
Fork 0
Code Issues 8 Pull requests Projects Releases Packages Wiki Activity Actions

use dns.nix voor zone file generation

Browse source
This commit is contained in:
Pim Kunis 2024-01-07 20:24:12 +01:00
parent a152cde165
commit 62bbc7c13d
7 changed files with 185 additions and 124 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
flake.lock
View file

@ -84,6 +84,27 @@
"type": "github" "type": "github"
} }
}, },
"dns": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1635273082,
"narHash": "sha256-EHiDP2jEa7Ai5ZwIf5uld9RVFcV77+2SUxjQXwJsJa0=",
"owner": "kirelagin",
"repo": "dns.nix",
"rev": "c7b9645da9c0ddce4f9de4ef27ec01bb8108039a",
"type": "github"
},
"original": {
"owner": "kirelagin",
"repo": "dns.nix",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -116,6 +137,21 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils": {
"locked": {
"lastModified": 1614513358,
"narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -213,6 +249,7 @@
"agenix": "agenix", "agenix": "agenix",
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"disko": "disko", "disko": "disko",
"dns": "dns",
"kubenix": "kubenix", "kubenix": "kubenix",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable" "nixpkgs-unstable": "nixpkgs-unstable"

9
flake.nix
View file

@ -19,10 +19,15 @@
url = "github:ryantm/agenix"; url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
dns = {
url = "github:kirelagin/dns.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =
{ self, nixpkgs, deploy-rs, disko, agenix, kubenix, nixpkgs-unstable, ... }: { self, nixpkgs, deploy-rs, disko, agenix, kubenix, nixpkgs-unstable, dns, ... }:
let let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
@ -65,7 +70,7 @@
nixosConfigurations = mkNixosSystems (machine: { nixosConfigurations = mkNixosSystems (machine: {
inherit system; inherit system;
specialArgs = { inherit kubenix; }; specialArgs = { inherit kubenix dns; };
modules = [ modules = [
machine.nixosModule machine.nixosModule
disko.nixosModules.disko disko.nixosModules.disko

2
nixos/modules/default.nix
View file

@ -11,7 +11,7 @@ in
./backups.nix ./backups.nix
./networking.nix ./networking.nix
./data-sharing.nix ./data-sharing.nix
./dns.nix ./dns
]; ];
options.lab.dataHost.enable = lib.mkOption { options.lab.dataHost.enable = lib.mkOption {

121
nixos/modules/dns.nix
View file

@ -1,121 +0,0 @@
{ pkgs, lib, config, ... }:
let
cfg = config.lab.dns;
kunisZoneFile = pkgs.writeTextFile {
name = "kunis-zone-file";
text = ''
$ORIGIN kun.is.
$TTL 1m
@ IN SOA ns1.kun.is. hostmaster.kun.is. (
1704580936
1D
1H
1W
1D )
IN NS ns1.kun.is.
IN NS ns2.kun.is.
@ IN MX 10 mail.kun.is.
ns IN A 192.145.57.90
ns1 IN A 192.145.57.90
ns2 IN A 192.145.57.90
* IN A 192.145.57.90
verify.bing.com. IN CNAME fcfe5d31d5b7ae1af0b352a6b4c75d3f
@ IN TXT "\"google-site-verification=sznWJNdSZfiAESJhnDQEJ6hf06W9vndvhMi6wP_HH04\""
'';
};
geokunisnlZoneFile = pkgs.writeTextFile {
name = "geokunisnl-zone-file";
text = ''
$ORIGIN geokunis2.nl.
$TTL 1h
@ IN SOA ns.geokunis2.nl. hostmaster.geokunis2.nl. (
1704580936
1D
1H
1W
1D )
IN NS ns.geokunis2.nl.
IN NS ns0.transip.net.
IN NS ns1.transip.nl.
IN NS ns2.transip.eu.
@ IN MX 10 mail.geokunis2.nl.
@ IN A 192.145.57.90
@ IN AAAA 2a0d:6e00:1a77:30:b62e:99ff:fe77:1bda
mail IN A 192.145.57.90
wg IN A 192.145.57.90
wg IN AAAA 2a0d:6e00:1a77::1
wg4 IN A 192.145.57.90
wg6 IN AAAA 2a0d:6e00:1a77::1
tuindersweijde IN A 192.145.57.90
ns IN A 192.145.57.90
ns IN AAAA 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee07
cyberchef IN A 192.145.57.90
cyberchef IN AAAA 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee03
inbucket IN A 192.145.57.90
kms IN A 192.145.57.90
@ IN CAA 0 issue \"letsencrypt.org\"
'';
};
in
{
options.lab.dns.enable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
'';
};
config = lib.mkIf cfg.enable {
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
services.bind = {
enable = true;
forwarders = [ ];
# TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
ipv4Only = true;
extraOptions = ''
allow-transfer { none; };
allow-recursion { none; };
version "No dice.";
'';
zones = {
"kun.is" = {
master = true;
file = kunisZoneFile;
allowQuery = [ "any" ];
extraConfig = ''
notify yes;
allow-update { none; };
'';
};
"geokunis2.nl" = {
master = true;
file = geokunisnlZoneFile;
allowQuery = [ "any" ];
extraConfig = ''
notify yes;
allow-update { none; };
'';
};
};
};
};
}

65
nixos/modules/dns/default.nix Normal file
View file

@ -0,0 +1,65 @@
{ pkgs, lib, config, dns, ... }:
let
cfg = config.lab.dns;
publicIpv4 = "192.145.57.90";
kunisZoneFile = pkgs.writeTextFile {
name = "kunis-zone-file";
text = (dns.lib.toString "kun.is" (import ./zones/kun.is.nix { inherit dns publicIpv4; }));
};
geokunis2nlZoneFile = pkgs.writeTextFile {
name = "geokunis2nl-zone-file";
text = (dns.lib.toString "geokunis2.nl" (import ./zones/geokunis2.nl.nix { inherit dns publicIpv4; }));
};
in
{
options.lab.dns.enable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
'';
};
config = lib.mkIf cfg.enable {
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
services.bind = {
enable = true;
forwarders = [ ];
# TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
ipv4Only = true;
extraOptions = ''
allow-transfer { none; };
allow-recursion { none; };
version "No dice.";
'';
zones = {
"kun.is" = {
master = true;
file = kunisZoneFile;
allowQuery = [ "any" ];
extraConfig = ''
notify yes;
allow-update { none; };
'';
};
"geokunis2.nl" = {
master = true;
file = geokunis2nlZoneFile;
allowQuery = [ "any" ];
extraConfig = ''
notify yes;
allow-update { none; };
'';
};
};
};
};
}

47
nixos/modules/dns/zones/geokunis2.nl.nix Normal file
View file

@ -0,0 +1,47 @@
{ publicIpv4, dns }:
with dns.lib.combinators;
{
SOA = {
nameServer = "ns";
adminEmail = "hostmaster@geokunis2.nl";
serial = 1704580936;
};
NS = [
"ns.geokunis2.nl."
"ns0.transip.net."
"ns1.transip.nl."
"ns2.transip.eu."
];
MX = [ (mx.mx 10 "mail.geokunis2.nl.") ];
A = [ publicIpv4 ];
AAAA = [ "2a0d:6e00:1a77:30:b62e:99ff:fe77:1bda" ];
CAA = letsEncrypt "caa@geokunis2.nl";
subdomains = {
mail.A = [ publicIpv4 ];
wg4.A = [ publicIpv4 ];
wg6.AAAA = [ "2a0d:6e00:1a77::1" ];
tuindersweijde.A = [ publicIpv4 ];
inbucket.A = [ publicIpv4 ];
kms.A = [ publicIpv4 ];
wg = {
A = [ publicIpv4 ];
AAAA = [ "2a0d:6e00:1a77::1" ];
};
ns = {
A = [ publicIpv4 ];
AAAA = [ "2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee07" ];
};
cyberchef = {
A = [ publicIpv4 ];
AAAA = [ "2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee03" ];
};
};
}

28
nixos/modules/dns/zones/kun.is.nix Normal file
View file

@ -0,0 +1,28 @@
{ publicIpv4, dns }:
with dns.lib.combinators;
{
CAA = letsEncrypt "caa@kun.is";
SOA = {
nameServer = "ns1";
adminEmail = "webmaster@kun.is";
serial = 1704580936;
};
NS = [
"ns1.kun.is."
"ns2.kun.is."
];
MX = [
(mx.mx 10 "mail.kun.is.")
];
subdomains = {
ns.A = [ publicIpv4 ];
ns1.A = [ publicIpv4 ];
ns2.A = [ publicIpv4 ];
"*".A = [ publicIpv4 ];
};
}