# TODO: we should split this into DHCP and DNS
# This decoupling makes it easier to put one service on another host.
{ pkgs, lib, config, dns, ... }@inputs:
let
  cfg = config.lab.networking.dmz.services;

  # Render one of the zone definitions under ./zones into a BIND zone file
  # in the Nix store. `zoneName` is the origin passed to dns.lib.toString and
  # the zone module is evaluated with the same module inputs this file got.
  mkZoneFile = storeName: zoneName: zonePath:
    pkgs.writeTextFile {
      name = storeName;
      text = dns.lib.toString zoneName (import zonePath inputs);
    };

  kunisZoneFile = mkZoneFile "kunis-zone-file" "kun.is" ./zones/kun.is.nix;
  geokunis2nlZoneFile = mkZoneFile "geokunis2nl-zone-file" "geokunis2.nl" ./zones/geokunis2.nl.nix;
in
{
  options.lab.networking.dmz.services.enable = lib.mkOption {
    default = false;
    type = lib.types.bool;
    description = ''
      Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
    '';
  };

  config = lib.mkIf cfg.enable {
    # TODO Remove this; make this explicit in the machine config.
    lab.networking.dmz.allowConnectivity = true;

    # TODO: listen only on dmz interface, make this portable between physical and VM.
    # 53 = DNS (bind), 67 = DHCP (dnsmasq), 5353 as configured here.
    networking.firewall = {
      allowedTCPPorts = [ 53 5353 ];
      allowedUDPPorts = [ 53 67 5353 ];
    };

    services.bind = {
      enable = true;
      forwarders = [ ];
      # Authoritative-only server: refuse recursion and transfers globally,
      # hide the version string and send no NOTIFYs. NOTE(review): the
      # per-zone `slaves` list below presumably emits a zone-scoped
      # allow-transfer that overrides this global default — confirm against
      # the generated named.conf.
      extraOptions = ''
        allow-transfer { none; };
        allow-recursion { none; };
        version none;
        notify no;
      '';
      zones = {
        "kun.is" = {
          master = true;
          file = kunisZoneFile;
          allowQuery = [ "any" ];
        };
        "geokunis2.nl" = {
          master = true;
          file = geokunis2nlZoneFile;
          allowQuery = [ "any" ];
          # Secondaries allowed to pull this zone (whole /27 ranges, no TSIG).
          slaves = [ "87.253.155.96/27" "157.97.168.160/27" ];
        };
      };
    };

    services.dnsmasq = {
      enable = true;
      settings = import ./dnsmasq.nix inputs;
    };
  };
}