depot/cluster/services/dns/coredns.nix


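{ cluster, config, depot, lib, pkgs, tools, ... }:

# CoreDNS resolver front-end for this node.
#
# Two listeners: a plain-DNS server on the node's internal addresses and a
# DNS-over-TLS (DoT) server on the primary interface. Both run the same
# plugin chain (blocklist -> CHAOS identity -> forward to the local
# pdns-recursor, then the other nodes' recursors in order). The module also
# manages the DoT certificate (ACME, DNS-01 via PowerDNS) and registers the
# DoT endpoint as the "securedns" Consul service.
let
  inherit (depot.reflection) interfaces hyprspace;
  inherit (tools.meta) domain;
  inherit (config.networking) hostName;
  inherit (depot.packages) stevenblack-hosts;

  # DNS-over-TLS port (RFC 7858). One binding shared by the firewall, the
  # CoreDNS listener and the Consul health check so they cannot drift apart.
  dotPort = 853;

  # This node's plain-DNS listener, and the pdns-recursor it forwards to.
  link = cluster.config.hostLinks.${hostName}.dnsResolver;
  backend = cluster.config.hostLinks.${hostName}.dnsResolverBackend;

  # Recursor backends of the other CoreDNS nodes, space-separated the way
  # the `forward` plugin takes its upstream list.
  otherRecursors = lib.concatMapStringsSep " "
    (node: cluster.config.hostLinks.${node}.dnsResolverBackend.tuple)
    cluster.config.services.dns.otherNodes.coredns;

  # Master and slave authoritative servers for our own domain,
  # semicolon-separated for pdns-recursor's forward-zones.
  authoritativeServers = lib.concatMapStringsSep ";"
    (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple)
    (with cluster.config.services.dns.nodes; master ++ slave);

  # ACME certificate used by the DoT listener.
  dot = config.security.acme.certs."securedns.${domain}";

  # Plugin chain shared by both server blocks: `hosts` applies the
  # StevenBlack blocklist and falls through for everything else, `chaos`
  # answers CH-class identity queries, `forward` tries the local backend
  # first and the other recursors in order.
  resolverPlugins = ''
    hosts ${stevenblack-hosts} {
      fallthrough
    }
    chaos "Private Void DNS" info@privatevoid.net
    forward . ${backend.tuple} ${otherRecursors} {
      policy sequential
    }
  '';
in
{
  links.localRecursor = {};

  # Only the DoT listener is exposed through the firewall. DoT is TCP-only
  # and nothing in this file listens on UDP 853, so the previous UDP 853
  # rule admitted traffic to a closed port and is dropped.
  networking.firewall.allowedTCPPorts = [ dotPort ];

  systemd.services.coredns = {
    # Wait for the vstub address (when present) and for the self-signed
    # placeholder cert so the DoT listener can start before the real ACME
    # certificate has been issued.
    after = (lib.optional (interfaces ? vstub) "network-addresses-vstub.service") ++ [
      "acme-selfsigned-securedns.${domain}.service"
    ];
    before = [ "acme-securedns.${domain}.service" ];
    wants = [ "acme-finished-securedns.${domain}.target" ];
    # Hand cert and key to the service as systemd credentials rather than
    # letting it read the ACME directory directly.
    serviceConfig.LoadCredential = [
      "dot-cert.pem:${dot.directory}/fullchain.pem"
      "dot-key.pem:${dot.directory}/key.pem"
    ];
  };

  security.acme.certs."securedns.${domain}" = {
    dnsProvider = "pdns";
    # using a different ACME provider because Android Private DNS is fucky
    server = "https://api.buypass.com/acme/directory";
    # Credentials are loaded at service start, so a renewal must restart
    # coredns to take effect.
    reloadServices = [
      "coredns.service"
    ];
  };

  services.coredns = {
    enable = true;
    # Neither server block carries an `acl` plugin: whoever can reach a bound
    # address can resolve through it. The plain listener is taken to be on
    # internal addresses only (loopback, link.ipv4, vstub, hyprspace) —
    # NOTE(review): confirm none of these is publicly routable.
    config = ''
      .:${link.portStr} {
        ${lib.optionalString (interfaces ? vstub) "bind ${interfaces.vstub.addr}"}
        bind 127.0.0.1
        bind ${link.ipv4}
        ${lib.optionalString hyprspace.enable "bind ${hyprspace.addr}"}
        ${resolverPlugins}
      }
      tls://.:${toString dotPort} {
        bind ${interfaces.primary.addr}
        tls {$CREDENTIALS_DIRECTORY}/dot-cert.pem {$CREDENTIALS_DIRECTORY}/dot-key.pem
        ${resolverPlugins}
      }
    '';
  };

  services.pdns-recursor = {
    enable = true;
    # "process": DNSSEC validation happens only for queries carrying the DO
    # or AD bit; other clients get unvalidated answers. NOTE(review): if
    # validation should be enforced for every client regardless of what
    # CoreDNS forwards, "validate" is the stricter mode — confirm intent.
    dnssecValidation = "process";
    forwardZones = {
      # optimize queries against our own domain
      "${domain}" = authoritativeServers;
    };
    dns = {
      inherit (backend) port;
      address = backend.ipv4;
      # Only loopback, the mesh and one extra subnet may query the recursor
      # directly. NOTE(review): 10.100.3.0/24 is unlabelled — presumably a
      # trusted client network; confirm.
      allowFrom = [ "127.0.0.1" cluster.config.vars.meshNet.cidr "10.100.3.0/24" ];
    };
  };

  consul.services.securedns = {
    unit = "coredns";
    mode = "external";
    definition = rec {
      name = "securedns";
      address = interfaces.primary.addrPublic;
      port = dotPort;
      # Liveness check: TCP connect to the public DoT endpoint every 30s.
      checks = lib.singleton {
        name = "SecureDNS";
        tcp = "${address}:${toString port}";
        interval = "30s";
      };
    };
  };
}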