home/nixos-servers
home/nixos-servers
2
0
Fork 0
Code Issues 8 Pull requests Projects Releases Packages Wiki Activity Actions

add authoritative DNS server

Browse source
This commit is contained in:
Pim Kunis 2024-01-07 18:14:44 +01:00
parent d92f27bd03
commit a152cde165
3 changed files with 123 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
nixos/machines/default.nix
View file

@ -43,6 +43,7 @@
nixosModule.lab = { nixosModule.lab = {
dataHost.enable = true; dataHost.enable = true;
dns.enable = true;
storage = { storage = {
osDisk = "/dev/sda"; osDisk = "/dev/sda";

1
nixos/modules/default.nix
View file

@ -11,6 +11,7 @@ in
./backups.nix ./backups.nix
./networking.nix ./networking.nix
./data-sharing.nix ./data-sharing.nix
./dns.nix
]; ];
options.lab.dataHost.enable = lib.mkOption { options.lab.dataHost.enable = lib.mkOption {

121
nixos/modules/dns.nix Normal file
View file

@ -0,0 +1,121 @@
{ pkgs, lib, config, ... }:
let
cfg = config.lab.dns;
kunisZoneFile = pkgs.writeTextFile {
name = "kunis-zone-file";
text = ''
$ORIGIN kun.is.
$TTL 1m
@ IN SOA ns1.kun.is. hostmaster.kun.is. (
1704580936
1D
1H
1W
1D )
IN NS ns1.kun.is.
IN NS ns2.kun.is.
@ IN MX 10 mail.kun.is.
ns IN A 192.145.57.90
ns1 IN A 192.145.57.90
ns2 IN A 192.145.57.90
* IN A 192.145.57.90
verify.bing.com. IN CNAME fcfe5d31d5b7ae1af0b352a6b4c75d3f
@ IN TXT "\"google-site-verification=sznWJNdSZfiAESJhnDQEJ6hf06W9vndvhMi6wP_HH04\""
'';
};
geokunisnlZoneFile = pkgs.writeTextFile {
name = "geokunisnl-zone-file";
text = ''
$ORIGIN geokunis2.nl.
$TTL 1h
@ IN SOA ns.geokunis2.nl. hostmaster.geokunis2.nl. (
1704580936
1D
1H
1W
1D )
IN NS ns.geokunis2.nl.
IN NS ns0.transip.net.
IN NS ns1.transip.nl.
IN NS ns2.transip.eu.
@ IN MX 10 mail.geokunis2.nl.
@ IN A 192.145.57.90
@ IN AAAA 2a0d:6e00:1a77:30:b62e:99ff:fe77:1bda
mail IN A 192.145.57.90
wg IN A 192.145.57.90
wg IN AAAA 2a0d:6e00:1a77::1
wg4 IN A 192.145.57.90
wg6 IN AAAA 2a0d:6e00:1a77::1
tuindersweijde IN A 192.145.57.90
ns IN A 192.145.57.90
ns IN AAAA 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee07
cyberchef IN A 192.145.57.90
cyberchef IN AAAA 2a0d:6e00:1a77:30:c8fe:c0ff:feff:ee03
inbucket IN A 192.145.57.90
kms IN A 192.145.57.90
@ IN CAA 0 issue \"letsencrypt.org\"
'';
};
in
{
options.lab.dns.enable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
'';
};
config = lib.mkIf cfg.enable {
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
services.bind = {
enable = true;
forwarders = [ ];
# TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
ipv4Only = true;
extraOptions = ''
allow-transfer { none; };
allow-recursion { none; };
version "No dice.";
'';
zones = {
"kun.is" = {
master = true;
file = kunisZoneFile;
allowQuery = [ "any" ];
extraConfig = ''
notify yes;
allow-update { none; };
'';
};
"geokunis2.nl" = {
master = true;
file = geokunisnlZoneFile;
allowQuery = [ "any" ];
extraConfig = ''
notify yes;
allow-update { none; };
'';
};
};
};
};
}