home/nixos-servers
home/nixos-servers
Archived
2
0
Fork 0
Code Issues 8 Pull requests Projects Releases Packages Wiki Activity Actions

restructure modules

Browse source
This commit is contained in:
Pim Kunis 2024-01-07 23:06:27 +01:00
parent 11ec763244
commit aba16d3fd1
7 changed files with 51 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

72
nixos/modules/networking/dmz/default.nix Normal file
View file

@ -0,0 +1,72 @@
{ pkgs, lib, config, dns, ... }:
let
cfg = config.lab.networking.dmzServices;
publicIpv4 = "192.145.57.90";
kunisZoneFile = pkgs.writeTextFile {
name = "kunis-zone-file";
text = (dns.lib.toString "kun.is" (import ./zones/kun.is.nix { inherit dns publicIpv4; }));
};
geokunis2nlZoneFile = pkgs.writeTextFile {
name = "geokunis2nl-zone-file";
text = (dns.lib.toString "geokunis2.nl" (import ./zones/geokunis2.nl.nix { inherit dns publicIpv4; }));
};
in
{
options.lab.networking.dmzServices.enable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
'';
};
config = lib.mkIf cfg.enable {
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 67 ];
};
services = {
bind = {
enable = true;
forwarders = [ ];
# TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
ipv4Only = true;
extraOptions = ''
allow-transfer { none; };
allow-recursion { none; };
version "No dice.";
'';
zones = {
"kun.is" = {
master = true;
file = kunisZoneFile;
allowQuery = [ "any" ];
extraConfig = ''
notify yes;
allow-update { none; };
'';
};
"geokunis2.nl" = {
master = true;
file = geokunis2nlZoneFile;
allowQuery = [ "any" ];
extraConfig = ''
notify yes;
allow-update { none; };
'';
};
};
};
dnsmasq = {
enable = true;
settings = import ./dnsmasq.nix;
};
};
};
}

41
nixos/modules/networking/dmz/dnsmasq.nix Normal file
View file

@ -0,0 +1,41 @@
{
no-resolv = true;
server = [
"192.168.30.1"
"/geokunis2.nl/192.168.30.7"
"/kun.is/192.168.30.7"
];
local = "/dmz/";
dhcp-fqdn = true;
no-hosts = true;
expand-hosts = true;
domain = "dmz";
dhcp-authoritative = true;
dhcp-range = [
"192.168.30.50,192.168.30.127,15m"
"2a02:58:19a:f730::, ra-stateless, ra-names"
];
dhcp-host = [
"b8:27:eb:b9:ab:e2,esrom"
"ca:fe:c0:ff:ee:03,max,192.168.30.3"
"ca:fe:c0:ff:ee:08,maestro,192.168.30.8"
"dc:a6:32:7b:e2:11,iris,192.168.30.9"
"ca:fe:c0:ff:ee:0a,thecloud,192.168.30.10"
"52:54:00:72:e0:9a,forum,192.168.30.11"
];
dhcp-option = [
"3,192.168.30.1"
"option6:dns-server,[2a02:58:19a:f730::1]"
"option:dns-server,192.168.30.1"
];
ra-param = "*,0,0";
alias = "192.145.57.90,192.168.30.8";
log-dhcp = true;
log-queries = true;
interface-name = "hermes.dmz,ens3";
port = "5353";
address = [
"/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7"
"/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07"
];
}

29
nixos/modules/networking/dmz/zones/geokunis2.nl.nix Normal file
View file

@ -0,0 +1,29 @@
{ publicIpv4, dns }:
with dns.lib.combinators;
{
SOA = {
nameServer = "ns";
adminEmail = "hostmaster@geokunis2.nl";
serial = 1704580936;
};
NS = [
"ns.geokunis2.nl."
"ns0.transip.net."
"ns1.transip.nl."
"ns2.transip.eu."
];
MX = [ (mx.mx 10 "mail.geokunis2.nl.") ];
A = [ publicIpv4 ];
CAA = letsEncrypt "caa@geokunis2.nl";
subdomains = {
ns.A = [ publicIpv4 ];
ns1.A = [ publicIpv4 ];
ns2.A = [ publicIpv4 ];
"*".A = [ publicIpv4 ];
};
}

28
nixos/modules/networking/dmz/zones/kun.is.nix Normal file
View file

@ -0,0 +1,28 @@
{ publicIpv4, dns }:
with dns.lib.combinators;
{
CAA = letsEncrypt "caa@kun.is";
SOA = {
nameServer = "ns1";
adminEmail = "webmaster@kun.is";
serial = 1704580936;
};
NS = [
"ns1.kun.is."
"ns2.kun.is."
];
MX = [
(mx.mx 10 "mail.kun.is.")
];
subdomains = {
ns.A = [ publicIpv4 ];
ns1.A = [ publicIpv4 ];
ns2.A = [ publicIpv4 ];
"*".A = [ publicIpv4 ];
};
}