From b38f1c291adddca3855e0897884d35502079461f Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sun, 14 Jan 2024 15:20:32 +0100
Subject: [PATCH] enable IPv6 support on DNS
---
 nixos/lab.nix | 4 ++-
 nixos/machines/default.nix | 6 ++--
 nixos/modules/networking/default.nix | 30 ++++++++++++++-----
 nixos/modules/networking/dmz/dnsmasq.nix | 15 ++++++----
 .../networking/dmz/zones/geokunis2.nl.nix | 21 ++++++++++---
 nixos/modules/networking/dmz/zones/kun.is.nix | 20 ++++++++++---
 6 files changed, 73 insertions(+), 23 deletions(-)
diff --git a/nixos/lab.nix b/nixos/lab.nix
index 1611d66..f883a58 100644
--- a/nixos/lab.nix
+++ b/nixos/lab.nix
@@ -3,6 +3,8 @@
 publicIPv4 = "192.145.57.90";
 dockerSwarmInternalIPv4 = "192.168.30.8";
 dmzRouterIPv4 = "192.168.30.1";
- dmzDHCPIPv4 = "192.168.30.7";
+ dmzServicesIPv4 = "192.168.30.7";
+ # TODO: configure prefix length as well
+ dmzServicesIPv6 = "2a0d:6e00:1a77:30::7";
 };
 }
diff --git a/nixos/machines/default.nix b/nixos/machines/default.nix
index 7eba420..b0264d0 100644
--- a/nixos/machines/default.nix
+++ b/nixos/machines/default.nix
@@ -24,11 +24,13 @@
 hostName = "atlas.hyp";
 nixosModule = { config, ... }:
- let inherit (config.lab.networking) dmzDHCPIPv4; in
+ let inherit (config.lab.networking) dmzServicesIPv4 dmzServicesIPv6; in
 {
 lab = {
 networking = {
- staticDMZIpv4Address = "${dmzDHCPIPv4}/24";
+ # TODO: Ideally, we don't have to set this here.
+ staticDMZIPv4Address = "${dmzServicesIPv4}/24";
+ staticDMZIPv6Address = "${dmzServicesIPv6}/64";
 dmzServices.enable = true;
 };
diff --git a/nixos/modules/networking/default.nix b/nixos/modules/networking/default.nix
index 423fba4..90b9730 100644
--- a/nixos/modules/networking/default.nix
+++ b/nixos/modules/networking/default.nix
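Review bot: The prefix lengths are hard-coded at the consumer: `/24` and `/64` are appended to the bare addresses in the `staticDMZIPv4Address` / `staticDMZIPv6Address` lines of machines/default.nix, while lab.nix carries `# TODO: configure prefix length as well` next to `dmzServicesIPv6`. Since the zone files and dnsmasq consume `dmzServicesIPv6` as a bare address, the cleanest fix is a separate prefix-length option in lab.nix (a constructed name such as `dmzServicesIPv6PrefixLength`) that this module reads, so a later change of the DMZ prefix size is made in one place rather than found here. Until then, a short comment on the `/64` line stating that it must match the prefix advertised on the DMZ segment would help the next reader. The enclosing machine definition starts and ends outside the hunk.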
@@ -8,15 +8,23 @@ in {
 default = false;
 type = lib.types.bool;
 description = ''
- Whether to create a networking interface on the DMZ bridge.
+ Whether to allow networking on the DMZ bridge interface.
 '';
 };
- staticDMZIpv4Address = lib.mkOption {
+ staticDMZIPv4Address = lib.mkOption {
 default = "";
 type = lib.types.str;
 description = ''
- Assign a static IPv4 on the DMZ interface.
+ Assign a static IPv4 address on the DMZ interface.
+ '';
+ };
+
+ staticDMZIPv6Address = lib.mkOption {
+ default = "";
+ type = lib.types.str;
+ description = ''
+ Assign a static IPv6 address on the DMZ interface.
 '';
 };
@@ -41,10 +49,17 @@ in {
 '';
 };
- dmzDHCPIPv4 = lib.mkOption {
+ dmzServicesIPv4 = lib.mkOption {
 type = lib.types.str;
 description = ''
- The IPv4 address of the DHCP server on the DMZ network.
+ The IPv4 address of the interface serving DHCP and DNS on the DMZ network.
+ '';
+ };
+
+ dmzServicesIPv6 = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ The IPv6 address of the interface serving DHCP and DNS on the DMZ network.
 '';
 };
@@ -126,8 +141,9 @@ in {
 networkConfig = {
 IPv6AcceptRA = cfg.allowDMZConnectivity;
 LinkLocalAddressing = if cfg.allowDMZConnectivity then "ipv6" else "no";
- DHCP = lib.mkIf (cfg.allowDMZConnectivity && cfg.staticDMZIpv4Address != "") "yes";
- Address = lib.mkIf (cfg.staticDMZIpv4Address != "") cfg.staticDMZIpv4Address;
+ DHCP = lib.mkIf (cfg.allowDMZConnectivity && cfg.staticDMZIPv4Address != "") "yes";
+ Address = lib.lists.optional (cfg.staticDMZIPv4Address != "") cfg.staticDMZIPv4Address
+ ++ lib.lists.optional (cfg.staticDMZIPv6Address != "") cfg.staticDMZIPv6Address;
 };
 };
 };
diff --git a/nixos/modules/networking/dmz/dnsmasq.nix b/nixos/modules/networking/dmz/dnsmasq.nix
index 83d9b75..e49446b 100644
--- a/nixos/modules/networking/dmz/dnsmasq.nix
+++ b/nixos/modules/networking/dmz/dnsmasq.nix
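Review bot: The new `staticDMZIPv6Address` option copies the empty-string sentinel of `staticDMZIPv4Address` (`default = ""` with `type = lib.types.str`) and the `Address` line in the last hunk tests `!= ""`; `type = lib.types.nullOr lib.types.str; default = null;` with `!= null` checks would make "unset" explicit instead of relying on a magic value. Neither option checks that the value carries a prefix length, which is what networkd's `Address=` is given here, so a `lib.types.strMatching` pattern or an assertion would catch a bare `dmzServicesIPv6` slipping in without the `/64` that machines/default.nix currently appends. Separately, `DHCP = ... "yes"` (pre-existing, only renamed in this hunk) enables both the DHCPv4 and DHCPv6 clients on the interface; now that a static IPv6 address is assigned next to `IPv6AcceptRA`, consider whether `"ipv4"` is the intended value — I cannot tell from the hunk whether DHCPv6 is relied on. The surrounding `networkConfig` attribute set continues outside the hunk.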
@@ -1,6 +1,6 @@
 { config, ... }:
 let
- inherit (config.lab.networking) publicIPv4 dockerSwarmInternalIPv4 dmzDHCPIPv4 dmzRouterIPv4;
+ inherit (config.lab.networking) publicIPv4 dockerSwarmInternalIPv4 dmzServicesIPv4 dmzServicesIPv6 dmzRouterIPv4;
 in
 {
 no-resolv = true;
@@ -15,11 +15,16 @@ in
 log-dhcp = true;
 log-queries = true;
 port = "5353";
+ host-record = [
+ "hermes.dmz,${dmzServicesIPv4},${dmzServicesIPv6}"
+ "ipv4.hermes.dmz,${dmzServicesIPv4}"
+ "ipv6.hermes.dmz,${dmzServicesIPv6}"
+ ];
 server = [
 dmzRouterIPv4
- "/geokunis2.nl/${dmzDHCPIPv4}"
- "/kun.is/${dmzDHCPIPv4}"
+ "/geokunis2.nl/${dmzServicesIPv4}"
+ "/kun.is/${dmzServicesIPv4}"
 ];
 dhcp-range = [
@@ -39,7 +44,7 @@ in
 ];
 address = [
- "/ns.pizzapim.nl/ns.geokunis2.nl/${dmzDHCPIPv4}"
- # "/ns.pizzapim.nl/ns.geokunis2.nl/TODOIPV6"
+ "/ns.pizzapim.nl/ns.geokunis2.nl/${dmzServicesIPv4}"
+ "/ns.pizzapim.nl/ns.geokunis2.nl/${dmzServicesIPv6}"
 ];
 }
diff --git a/nixos/modules/networking/dmz/zones/geokunis2.nl.nix b/nixos/modules/networking/dmz/zones/geokunis2.nl.nix
index 971bab2..901592c 100644
--- a/nixos/modules/networking/dmz/zones/geokunis2.nl.nix
+++ b/nixos/modules/networking/dmz/zones/geokunis2.nl.nix
@@ -1,7 +1,7 @@
 { config, dns, ... }:
 with dns.lib.combinators;
 let
- inherit (config.lab.networking) publicIPv4;
+ inherit (config.lab.networking) publicIPv4 dmzServicesIPv6;
 in
 {
 SOA = {
@@ -20,12 +20,25 @@ in
 MX = [ (mx.mx 10 "mail.geokunis2.nl.") ];
 A = [ publicIPv4 ];
+ AAAA = [ dmzServicesIPv6 ];
 CAA = letsEncrypt "caa@geokunis2.nl";
 subdomains = {
- ns.A = [ publicIPv4 ];
- ns1.A = [ publicIPv4 ];
- ns2.A = [ publicIPv4 ];
 "*".A = [ publicIPv4 ];
+
+ ns = {
+ A = [ publicIPv4 ];
+ AAAA = [ dmzServicesIPv6 ];
+ };
+
+ ns1 = {
+ A = [ publicIPv4 ];
+ AAAA = [ dmzServicesIPv6 ];
+ };
+
+ ns2 = {
+ A = [ publicIPv4 ];
+ AAAA = [ dmzServicesIPv6 ];
+ };
 };
 }
diff --git a/nixos/modules/networking/dmz/zones/kun.is.nix b/nixos/modules/networking/dmz/zones/kun.is.nix
index a98705a..6e7742b 100644
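Review bot: The new `host-record` entries name the DMZ services host `hermes.dmz`, while the machine that enables `dmzServices` in machines/default.nix is `atlas.hyp`; if hermes is a separate DMZ identity (a VM or container on atlas) that is fine, but nothing in the file says so. A one-line comment above the list, such as `# hermes is the DMZ-facing name of the host running dnsmasq; atlas.hyp is the hypervisor`, adjusted to whatever the real relationship is, would save the next reader the guess. Note also that the `address=` entries now hand DMZ clients the private IPv4 and the global IPv6 for `ns.pizzapim.nl`/`ns.geokunis2.nl`, so the split-horizon view is no longer symmetric between the two address families; that looks deliberate but is worth a comment as well.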
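Review bot: The new `AAAA` records for the apex and for `ns`, `ns1` and `ns2` publish `dmzServicesIPv6` (the DMZ host's global unicast address, `2a0d:6e00:1a77:30::7` in lab.nix) directly, whereas the `A` records keep pointing at `publicIPv4`, which presumably reaches the host through the router's NAT or port-forward. Over IPv6 there is no NAT acting as an implicit default-deny, so the router's IPv6 firewall needs an explicit allow for DNS (53/udp and 53/tcp) to that address and a deny for everything else; this is worth confirming before the zone is served, and the same applies to the identical `ns*` records in kun.is.nix. Operationally, the parent zone's glue at the registrar must also carry these AAAA records for the in-bailiwick nameservers, otherwise IPv6-only resolvers cannot reach them. The `"*".A` wildcard gets no matching `AAAA`, which may be intended (the wildcard stays IPv4-only behind the router) but reads as an asymmetry next to the apex `AAAA`; a comment on the wildcard line would settle it.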
--- a/nixos/modules/networking/dmz/zones/kun.is.nix
+++ b/nixos/modules/networking/dmz/zones/kun.is.nix
@@ -1,7 +1,7 @@
 { config, dns, ... }:
 with dns.lib.combinators;
 let
- inherit (config.lab.networking) publicIPv4;
+ inherit (config.lab.networking) publicIPv4 dmzServicesIPv6;
 in
 {
 CAA = letsEncrypt "caa@kun.is";
@@ -22,9 +22,21 @@ in
 ];
 subdomains = {
- ns.A = [ publicIPv4 ];
- ns1.A = [ publicIPv4 ];
- ns2.A = [ publicIPv4 ];
 "*".A = [ publicIPv4 ];
+
+ ns = {
+ A = [ publicIPv4 ];
+ AAAA = [ dmzServicesIPv6 ];
+ };
+
+ ns1 = {
+ A = [ publicIPv4 ];
+ AAAA = [ dmzServicesIPv6 ];
+ };
+
+ ns2 = {
+ A = [ publicIPv4 ];
+ AAAA = [ dmzServicesIPv6 ];
+ };
 };
 }