add authoritative DNS server
This commit is contained in:
parent
d92f27bd03
commit
a152cde165
3 changed files with 123 additions and 0 deletions
|
|
@ -43,6 +43,7 @@
|
|||
|
||||
nixosModule.lab = {
|
||||
dataHost.enable = true;
|
||||
dns.enable = true;
|
||||
|
||||
storage = {
|
||||
osDisk = "/dev/sda";
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ in
|
|||
./backups.nix
|
||||
./networking.nix
|
||||
./data-sharing.nix
|
||||
./dns.nix
|
||||
];
|
||||
|
||||
options.lab.dataHost.enable = lib.mkOption {
|
||||
|
|
|
|||
121
nixos/modules/dns.nix
Normal file
121
nixos/modules/dns.nix
Normal file
|
|
@ -0,0 +1,121 @@
|
|||
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
cfg = config.lab.dns;
|
||||
kunisZoneFile = pkgs.writeTextFile {
|
||||
name = "kunis-zone-file";
|
||||
text = ''
|
||||
$ORIGIN kun.is.
|
||||
$TTL 1m
|
||||
|
||||
@ IN SOA ns1.kun.is. hostmaster.kun.is. (
|
||||
1704580936
|
||||
1D
|
||||
1H
|
||||
1W
|
||||
1D )
|
||||
|
||||
IN NS ns1.kun.is.
|
||||
IN NS ns2.kun.is.
|
||||
|
||||
@ IN MX 10 mail.kun.is.
|
||||
|
||||
|
||||
ns IN A 192.145.57.90
|
||||
ns1 IN A 192.145.57.90
|
||||
ns2 IN A 192.145.57.90
|
||||
* IN A 192.145.57.90
|
||||
verify.bing.com. IN CNAME fcfe5d31d5b7ae1af0b352a6b4c75d3f
|
||||
@ IN TXT "\"google-site-verification=sznWJNdSZfiAESJhnDQEJ6hf06W9vndvhMi6wP_HH04\""
|
||||
'';
|
||||
};
|
||||
|
||||
geokunisnlZoneFile = pkgs.writeTextFile {
|
||||
name = "geokunisnl-zone-file";
|
||||
text = ''
|
||||
$ORIGIN geokunis2.nl.
|
||||
$TTL 1h
|
||||
|
||||
@ IN SOA ns.geokunis2.nl. hostmaster.geokunis2.nl. (
|
||||
1704580936
|
||||
1D
|
||||
1H
|
||||
1W
|
||||
1D )
|
||||
|
||||
IN NS ns.geokunis2.nl.
|
||||
IN NS ns0.transip.net.
|
||||
IN NS ns1.transip.nl.
|
||||
IN NS ns2.transip.eu.
|
||||
|
||||
@ IN MX 10 mail.geokunis2.nl.
|
||||
|
||||
|
||||
@ IN A 192.145.57.90
|
||||
@ IN AAAA 2a0d:6e00:1a77:30:b62e:99ff:fe77:1bda
|
||||
mail IN A 192.145.57.90
|
||||
wg IN A 192.145.57.90
|
||||
wg IN AAAA 2a0d:6e00:1a77::1
|
||||
wg4 IN A 192.145.57.90
|
||||
wg6 IN AAAA 2a0d:6e00:1a77::1
|
||||
tuindersweijde IN A 192.145.57.90
|
||||
ns IN A 192.145.57.90
|
||||
ns IN AAAA 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee07
|
||||
cyberchef IN A 192.145.57.90
|
||||
cyberchef IN AAAA 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee03
|
||||
inbucket IN A 192.145.57.90
|
||||
kms IN A 192.145.57.90
|
||||
@ IN CAA 0 issue \"letsencrypt.org\"
|
||||
'';
|
||||
};
|
||||
in
|
||||
{
|
||||
options.lab.dns.enable = lib.mkOption {
|
||||
default = false;
|
||||
type = lib.types.bool;
|
||||
description = ''
|
||||
Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
|
||||
'';
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [ 53 ];
|
||||
allowedUDPPorts = [ 53 ];
|
||||
};
|
||||
|
||||
services.bind = {
|
||||
enable = true;
|
||||
forwarders = [ ];
|
||||
# TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
|
||||
ipv4Only = true;
|
||||
|
||||
extraOptions = ''
|
||||
allow-transfer { none; };
|
||||
allow-recursion { none; };
|
||||
version "No dice.";
|
||||
'';
|
||||
|
||||
zones = {
|
||||
"kun.is" = {
|
||||
master = true;
|
||||
file = kunisZoneFile;
|
||||
allowQuery = [ "any" ];
|
||||
extraConfig = ''
|
||||
notify yes;
|
||||
allow-update { none; };
|
||||
'';
|
||||
};
|
||||
|
||||
"geokunis2.nl" = {
|
||||
master = true;
|
||||
file = geokunisnlZoneFile;
|
||||
allowQuery = [ "any" ];
|
||||
extraConfig = ''
|
||||
notify yes;
|
||||
allow-update { none; };
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
Loading…
Reference in a new issue