72 lines
1.8 KiB
Nix
72 lines
1.8 KiB
Nix
{ pkgs, lib, config, dns, ... }:
|
|
let
|
|
cfg = config.lab.networking.dmzServices;
|
|
publicIpv4 = "192.145.57.90";
|
|
kunisZoneFile = pkgs.writeTextFile {
|
|
name = "kunis-zone-file";
|
|
text = (dns.lib.toString "kun.is" (import ./zones/kun.is.nix { inherit dns publicIpv4; }));
|
|
};
|
|
|
|
geokunis2nlZoneFile = pkgs.writeTextFile {
|
|
name = "geokunis2nl-zone-file";
|
|
text = (dns.lib.toString "geokunis2.nl" (import ./zones/geokunis2.nl.nix { inherit dns publicIpv4; }));
|
|
};
|
|
in
|
|
{
|
|
options.lab.networking.dmzServices.enable = lib.mkOption {
|
|
default = false;
|
|
type = lib.types.bool;
|
|
description = ''
|
|
Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
|
|
'';
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
networking.firewall = {
|
|
allowedTCPPorts = [ 53 ];
|
|
allowedUDPPorts = [ 53 67 ];
|
|
};
|
|
|
|
services = {
|
|
bind = {
|
|
enable = true;
|
|
forwarders = [ ];
|
|
# TODO: disable ipv6 for now, as the hosts themselves lack routes it seems.
|
|
ipv4Only = true;
|
|
|
|
extraOptions = ''
|
|
allow-transfer { none; };
|
|
allow-recursion { none; };
|
|
version "No dice.";
|
|
'';
|
|
|
|
zones = {
|
|
"kun.is" = {
|
|
master = true;
|
|
file = kunisZoneFile;
|
|
allowQuery = [ "any" ];
|
|
extraConfig = ''
|
|
notify yes;
|
|
allow-update { none; };
|
|
'';
|
|
};
|
|
|
|
"geokunis2.nl" = {
|
|
master = true;
|
|
file = geokunis2nlZoneFile;
|
|
allowQuery = [ "any" ];
|
|
extraConfig = ''
|
|
notify yes;
|
|
allow-update { none; };
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
dnsmasq = {
|
|
enable = true;
|
|
settings = import ./dnsmasq.nix;
|
|
};
|
|
};
|
|
};
|
|
}
|