{ cluster, config, depot, lib, ... }:
let
  # Cluster reflection data (per-host interface addresses). `hyprspace` is
  # inherited here but not referenced anywhere else in this file.
  inherit (depot.reflection) interfaces hyprspace;
  inherit (depot.lib.meta) domain;
  inherit (config.networking) hostName;

  # This host's resolver link (what CoreDNS serves on) and backend link
  # (what the local pdns-recursor listens on).
  link = cluster.config.hostLinks.${hostName}.dnsResolver;
  backend = cluster.config.hostLinks.${hostName}.dnsResolverBackend;

  # Backend tuples of the other CoreDNS nodes, space-separated for the
  # `forward` plugin; tried after the local backend (see `policy sequential`).
  otherRecursors = lib.pipe (cluster.config.services.dns.otherNodes.coredns hostName) [
    (map (node: cluster.config.hostLinks.${node}.dnsResolverBackend.tuple))
    (lib.concatStringsSep " ")
  ];

  # Authoritative servers for our own domain (master ++ slave), ';'-separated
  # as pdns-recursor's forward-zones value expects.
  authoritativeServers = lib.pipe (with cluster.config.services.dns.nodes; master ++ slave) [
    (map (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple))
    (lib.concatStringsSep ";")
  ];

  # Blocklist file served by the `hosts` plugin ahead of forwarding.
  inherit (depot.packages) stevenblack-hosts;
  # ACME certificate backing the DNS-over-TLS listener.
  dot = config.security.acme.certs."securedns.${domain}";
in
{
  links.localRecursor = {};

  # Only the DoT port is opened in this file. DNS-over-TLS is TCP-only and
  # the `tls://` server block below has no UDP (DoQ) counterpart, so nothing
  # in this module listens on UDP/853.
  # NOTE(review): the UDP/853 opening looks unused — confirm and drop it if
  # no other module relies on it.
  networking.firewall = {
    allowedTCPPorts = [ 853 ];
    allowedUDPPorts = [ 853 ];
  };

  systemd.services.coredns = {
    # Order after the vstub address (when this host has one) and after the
    # bootstrap self-signed certificate, so both the bind address and the TLS
    # material exist when CoreDNS starts.
    after = (lib.optional (interfaces ? vstub) "network-addresses-vstub.service") ++ [
      "acme-selfsigned-securedns.${domain}.service"
    ];
    before = [ "acme-securedns.${domain}.service" ];
    wants = [ "acme-finished-securedns.${domain}.target" ];
    # Pass cert and private key via systemd credentials instead of pointing
    # CoreDNS at the ACME directory directly; the Corefile reads them from
    # $CREDENTIALS_DIRECTORY, so the service needs no read access to the key
    # file's original location.
    serviceConfig.LoadCredential = [
      "dot-cert.pem:${dot.directory}/fullchain.pem"
      "dot-key.pem:${dot.directory}/key.pem"
    ];
  };

  security.acme.certs."securedns.${domain}" = {
    # DNS-01 challenge through the PowerDNS API; the API credentials are not
    # configured in this file.
    dnsProvider = "pdns";
    # using a different ACME provider because Android Private DNS is fucky
    server = "https://api.buypass.com/acme/directory";
    # Renewed material is picked up by reloading CoreDNS; the credential
    # names above stay stable across renewals.
    reloadServices = [
      "coredns.service"
    ];
  };

  # Two server blocks with the same plugin chain: blocklist (`hosts` with
  # fallthrough), CHAOS identity, then `forward` to the local backend first
  # and the other nodes' backends as sequential fallbacks.
  #  - plain DNS on link.portStr, bound to loopback, link.ipv4 and the vstub
  #    address when present;
  #  - DNS-over-TLS on 853, bound to the primary interface address, using the
  #    systemd-provided credentials.
  # `chaos` answers CH-class queries (e.g. version.bind) with the configured
  # identity; this is a deliberate, low-value information disclosure.
  # No CoreDNS-side client ACL is configured in either block: exposure is
  # governed by the bind addresses and the firewall.
  # NOTE(review): whether link.ipv4 is reachable from outside the mesh is not
  # visible here — confirm, since the plain listener also has no ACL.
  services.coredns = {
    enable = true;
    config = ''
      .:${link.portStr} {
        ${lib.optionalString (interfaces ? vstub) "bind ${interfaces.vstub.addr}"}
        bind 127.0.0.1
        bind ${link.ipv4}
        hosts ${stevenblack-hosts} {
          fallthrough
        }
        chaos "Private Void DNS" info@privatevoid.net
        forward hyprspace. 127.80.1.53:5380
        forward . ${backend.tuple} ${otherRecursors} {
          policy sequential
        }
      }
      tls://.:853 {
        bind ${interfaces.primary.addr}
        tls {$CREDENTIALS_DIRECTORY}/dot-cert.pem {$CREDENTIALS_DIRECTORY}/dot-key.pem
        hosts ${stevenblack-hosts} {
          fallthrough
        }
        chaos "Private Void DNS" info@privatevoid.net
        forward . ${backend.tuple} ${otherRecursors} {
          policy sequential
        }
      }
    '';
  };

  # Backend recursor that performs the actual recursion and DNSSEC validation
  # for the CoreDNS front end.
  services.pdns-recursor = {
    enable = true;
    # NOTE(review): in pdns-recursor "process" validates (and SERVFAILs bogus
    # answers) only for clients that set the DO/AD bit, while "validate" does
    # so unconditionally — confirm against the recursor docs that the weaker
    # mode is intended here, given CoreDNS forwards client queries as-is.
    dnssecValidation = "process";
    forwardZones = {
      # optimize queries against our own domain
      "${domain}" = authoritativeServers;
    };
    dns = {
      # Listen only on the backend link and restrict clients to loopback, the
      # mesh network and one hard-coded /24.
      # NOTE(review): the meaning of 10.100.3.0/24 is not documented here.
      inherit (backend) port;
      address = backend.ipv4;
      allowFrom = [ "127.0.0.1" cluster.config.vars.meshNet.cidr "10.100.3.0/24" ];
    };
  };

  # Register the DoT endpoint in Consul. The health check is a plain TCP
  # connect to the public address, not a TLS handshake or DNS query, so it
  # does not detect an expired certificate or a broken forwarder.
  # NOTE(review): the listener binds interfaces.primary.addr while Consul
  # advertises addrPublic — presumably a NAT mapping; confirm.
  consul.services.securedns = {
    unit = "coredns";
    mode = "external";
    definition = rec {
      name = "securedns";
      address = interfaces.primary.addrPublic;
      port = 853;
      checks = lib.singleton {
        name = "SecureDNS";
        tcp = "${address}:${toString port}";
        interval = "30s";
      };
    };
  };
}