diff --git a/nixos/machines/default.nix b/nixos/machines/default.nix
index dfadb75..93736c7 100644
--- a/nixos/machines/default.nix
+++ b/nixos/machines/default.nix
@@ -43,6 +43,7 @@ nixosModule.lab = {
 dataHost.enable = true;
+ dns.enable = true;
 storage = {
 osDisk = "/dev/sda";
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index 71fef6b..6ffb678 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -11,6 +11,7 @@ in
 ./backups.nix
 ./networking.nix
 ./data-sharing.nix
+ ./dns.nix
 ];
 options.lab.dataHost.enable = lib.mkOption {
diff --git a/nixos/modules/dns.nix b/nixos/modules/dns.nix
new file mode 100644
index 0000000..dbbe593
--- /dev/null
+++ b/nixos/modules/dns.nix
@@ -0,0 +1,121 @@
+{ pkgs, lib, config, ... }:
+let
+ cfg = config.lab.dns;
+ kunisZoneFile = pkgs.writeTextFile {
+ name = "kunis-zone-file";
+ text = ''
+ $ORIGIN kun.is.
+ $TTL 1m
+
+ @ IN SOA ns1.kun.is. hostmaster.kun.is. (
+ 1704580936
+ 1D
+ 1H
+ 1W
+ 1D )
+
+ IN NS ns1.kun.is.
+ IN NS ns2.kun.is.
+
+ @ IN MX 10 mail.kun.is.
+
+
+ ns IN A 192.145.57.90
+ ns1 IN A 192.145.57.90
+ ns2 IN A 192.145.57.90
+ * IN A 192.145.57.90
+ verify.bing.com. IN CNAME fcfe5d31d5b7ae1af0b352a6b4c75d3f
+ @ IN TXT "\"google-site-verification=sznWJNdSZfiAESJhnDQEJ6hf06W9vndvhMi6wP_HH04\""
+ '';
+ };
+
+ geokunisnlZoneFile = pkgs.writeTextFile {
+ name = "geokunisnl-zone-file";
+ text = ''
+ $ORIGIN geokunis2.nl.
+ $TTL 1h
+
+ @ IN SOA ns.geokunis2.nl. hostmaster.geokunis2.nl. (
+ 1704580936
+ 1D
+ 1H
+ 1W
+ 1D )
+
+ IN NS ns.geokunis2.nl.
+ IN NS ns0.transip.net.
+ IN NS ns1.transip.nl.
+ IN NS ns2.transip.eu.
+
+ @ IN MX 10 mail.geokunis2.nl.
+
+
+ @ IN A 192.145.57.90
+ @ IN AAAA 2a0d:6e00:1a77:30:b62e:99ff:fe77:1bda
+ mail IN A 192.145.57.90
+ wg IN A 192.145.57.90
+ wg IN AAAA 2a0d:6e00:1a77::1
+ wg4 IN A 192.145.57.90
+ wg6 IN AAAA 2a0d:6e00:1a77::1
+ tuindersweijde IN A 192.145.57.90
+ ns IN A 192.145.57.90
+ ns IN AAAA 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee07
+ cyberchef IN A 192.145.57.90
+ cyberchef IN AAAA 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee03
+ inbucket IN A 192.145.57.90
+ kms IN A 192.145.57.90
+ @ IN CAA 0 issue \"letsencrypt.org\"
+ '';
+ };
+in
+{
+ options.lab.dns.enable = lib.mkOption {
+ default = false;
+ type = lib.types.bool;
+ description = ''
+ Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
+ '';
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking.firewall = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+
+ services.bind = {
+ enable = true;
+ forwarders = [ ];
+ # TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
+ ipv4Only = true;
+
+ extraOptions = ''
+ allow-transfer { none; };
+ allow-recursion { none; };
+ version "No dice.";
+ '';
+
+ zones = {
+ "kun.is" = {
+ master = true;
+ file = kunisZoneFile;
+ allowQuery = [ "any" ];
+ extraConfig = ''
+ notify yes;
+ allow-update { none; };
+ '';
+ };
+
+ "geokunis2.nl" = {
+ master = true;
+ file = geokunisnlZoneFile;
+ allowQuery = [ "any" ];
+ extraConfig = ''
+ notify yes;
+ allow-update { none; };
+ '';
+ };
+ };
+ };
+ };
+}
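Review bot: The `\"` sequences in the geokunis2.nl CAA record and the kun.is TXT record reach the zone file literally, because Nix `''` indented strings only interpret `''`-prefixed escapes, so the CAA issuer token becomes `"letsencrypt.org"` including its quote characters (a CA validating CAA would not match that against letsencrypt.org and would refuse issuance) and the Google TXT value carries embedded quotes; write them as `@ IN CAA 0 issue "letsencrypt.org"` and `@ IN TXT "google-site-verification=sznWJNdSZfiAESJhnDQEJ6hf06W9vndvhMi6wP_HH04"`. The kun.is record `verify.bing.com. IN CNAME fcfe5d31d5b7ae1af0b352a6b4c75d3f` has an absolute owner name outside `$ORIGIN kun.is.`, which BIND ignores as out-of-zone data, and it appears inverted relative to the usual token-to-verify.bing.com layout, presumably intended as `fcfe5d31d5b7ae1af0b352a6b4c75d3f IN CNAME verify.bing.com.`. Both SOA serials are the fixed literal `1704580936`, so later edits to these files will not be picked up by the transip.* hosts listed as NS for geokunis2.nl even with `notify yes`, and `allow-transfer { none; }` in extraOptions would block their AXFR anyway if they are meant to be secondaries; bump or derive the serial per change and, if so, scope allow-transfer to those hosts. The option description mentions DNSmasq for the DMZ network while the module only configures BIND, so it should read `Whether to enable an authoritative BIND DNS server for the kun.is and geokunis2.nl zones.`.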