depot/cluster/services/dns/coredns.nix

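{ cluster, config, depot, lib, ... }:

# Recursive DNS stack for one cluster node:
#   * CoreDNS in front — plain DNS on the node's resolver link, DNS-over-TLS on
#     the primary interface — with a hosts-file blocklist and per-zone forwarding;
#   * pdns-recursor behind it as the actual recursor;
#   * an ACME certificate for the DoT endpoint and a Consul registration for it.
let
  inherit (config.reflection) interfaces;
  inherit (depot.lib.meta) domain;
  inherit (config.networking) hostName;

  # Where CoreDNS listens (link) and the local pdns-recursor it forwards to (backend).
  link = cluster.config.hostLinks.${hostName}.dnsResolver;
  backend = cluster.config.hostLinks.${hostName}.dnsResolverBackend;

  # Backends of the other CoreDNS nodes, space-separated; tried after the local
  # backend in the catch-all forward block below.
  otherRecursors = lib.pipe (cluster.config.services.dns.otherNodes.coredns hostName) [
    (map (node: cluster.config.hostLinks.${node}.dnsResolverBackend.tuple))
    (lib.concatStringsSep " ")
  ];

  # Address tuples of the cluster's authoritative servers for ${domain}.
  authoritativeServers = map
    (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple)
    cluster.config.services.dns.nodes.authoritative;

  # Hosts-file blocklist consulted before any forwarding.
  inherit (depot.packages) stevenblack-hosts;

  # Certificate for the DoT endpoint; its files are handed to CoreDNS as
  # systemd credentials (see LoadCredential below).
  dot = config.security.acme.certs."securedns.${domain}";
in
{
  links.localRecursor = {};

  # The DoT listener is a CoreDNS `tls://` server, i.e. DNS over TLS on TCP.
  # Nothing in this configuration serves UDP/853 (DNS-over-QUIC), so only the
  # TCP port is opened.
  networking.firewall.allowedTCPPorts = [ 853 ];

  systemd.services.coredns = {
    # Ordering against the ACME units: start only once a (self-signed
    # placeholder) certificate exists so the LoadCredential paths below can be
    # resolved, and before the real issuance unit, which reloads us when done.
    after = (lib.optional (interfaces ? vstub) "network-addresses-vstub.service") ++ [
      "acme-selfsigned-securedns.${domain}.service"
    ];
    before = [ "acme-securedns.${domain}.service" ];
    wants = [ "acme-finished-securedns.${domain}.target" ];
    # Chain and key are passed as systemd credentials, so the CoreDNS process
    # itself needs no read access to the ACME directory; the Corefile refers to
    # them via $CREDENTIALS_DIRECTORY.
    # NOTE(review): credentials are copied in when the service starts; to my
    # understanding a plain reload does not refresh them, so a renewed
    # certificate may only take effect on restart — confirm this against the
    # reloadServices setting of the certificate below.
    serviceConfig.LoadCredential = [
      "dot-cert.pem:${dot.directory}/fullchain.pem"
      "dot-key.pem:${dot.directory}/key.pem"
    ];
  };

  security.acme.certs."securedns.${domain}" = {
    dnsProvider = "exec";
    # using a different ACME provider because Android Private DNS is fucky
    server = "https://api.buypass.com/acme/directory";
    reloadServices = [
      "coredns.service"
    ];
  };

  services.coredns = {
    enable = true;
    # Three server blocks:
    #  - (localresolver): shared snippet — blocklist (falling through on misses),
    #    a CHAOS-class identity that answers version/author queries with the
    #    text given instead of the real server version, then forwarding:
    #    hyprspace. to a fixed resolver, ${domain}. straight to the authoritative
    #    servers, everything else to the local backend first and the other
    #    nodes' backends only if that fails (policy sequential).
    #  - .:<link port>: plain DNS on loopback, the resolver link and, when the
    #    vstub interface exists, its address.
    #  - tls://.:853: DNS-over-TLS on the primary interface using the
    #    credentials above. This is a public, unauthenticated recursive
    #    endpoint (it is registered in Consul under the public address); the
    #    pdns-recursor allowFrom below only gates direct clients of the backend —
    #    queries relayed by CoreDNS originate from this host and are expected
    #    to pass it.
    config = ''
      (localresolver) {
        hosts ${stevenblack-hosts} {
          fallthrough
        }
        chaos "Private Void DNS" info@privatevoid.net
        forward hyprspace. 127.43.104.80:11355
        forward ${domain}. ${lib.concatStringsSep " " authoritativeServers} {
          policy random
        }
        forward . ${backend.tuple} ${otherRecursors} {
          policy sequential
        }
      }
      .:${link.portStr} {
        ${lib.optionalString (interfaces ? vstub) "bind ${interfaces.vstub.addr}"}
        bind 127.0.0.1
        bind ${link.ipv4}
        import localresolver
      }
      tls://.:853 {
        bind ${interfaces.primary.addr}
        tls {$CREDENTIALS_DIRECTORY}/dot-cert.pem {$CREDENTIALS_DIRECTORY}/dot-key.pem
        import localresolver
      }
    '';
  };

  services.pdns-recursor = {
    enable = true;
    # NOTE(review): as I recall the pdns docs, "process" performs validation but
    # only refuses bogus answers for clients that signal DNSSEC (DO/AD bit);
    # "validate" would refuse them for every client. Confirm which behaviour is
    # intended for the clients reaching this recursor through CoreDNS.
    dnssecValidation = "process";
    forwardZones = {
      # optimize queries against our own domain
      "${domain}" = lib.concatStringsSep ";" authoritativeServers;
    };
    dns = {
      inherit (backend) port;
      address = backend.ipv4;
      # Direct clients of the recursor: loopback, the mesh network and
      # 10.100.3.0/24 (its role is not visible in this file — presumably
      # another internal range; verify).
      allowFrom = [ "127.0.0.1" cluster.config.vars.meshNet.cidr "10.100.3.0/24" ];
    };
  };

  # Register the DoT endpoint in Consul, health-checked every 30s by a TCP
  # connect to the public address and port.
  consul.services.securedns = {
    unit = "coredns";
    mode = "external";
    definition = rec {
      name = "securedns";
      address = interfaces.primary.addrPublic;
      port = 853;
      checks = lib.singleton {
        name = "SecureDNS";
        tcp = "${address}:${toString port}";
        interval = "30s";
      };
    };
  };
}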