depot/cluster/services/dns/coredns.nix
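{ config, depot, lib, pkgs, tools, ... }:

# Public DNS-over-TLS (DoT) resolver.
#
# CoreDNS terminates TLS on the primary interface (and serves plain DNS on
# loopback / the vstub interface) and forwards every query to a PowerDNS
# recursor that only listens on a loopback link. A StevenBlack hosts
# blocklist is consulted before the recursor. The TLS key pair is handed to
# CoreDNS through systemd credentials rather than via file permissions.

let
  inherit (depot.reflection) interfaces;
  inherit (tools.meta) domain;
  inherit (config.links) localRecursor;
  inherit (depot.packages) stevenblack-hosts;

  # ACME certificate backing the DoT listener.
  dot = config.security.acme.certs."securedns.${domain}";
in
{
  # Loopback link (address + port) between CoreDNS and the pdns recursor.
  links.localRecursor = {};

  networking.firewall = {
    # DoT is TCP-only: a CoreDNS `tls://` server block listens on TCP, so
    # only TCP/853 is exposed. UDP/853 would be DNS-over-QUIC, which nothing
    # here serves, so it is not opened. Plain DNS on :53 is deliberately
    # left closed as well — it is bound to loopback/vstub only (see below).
    allowedTCPPorts = [ 853 ];
  };

  systemd.services.coredns = {
    # When a vstub interface exists, wait for its address before binding.
    after = lib.optional (interfaces ? vstub) "network-addresses-vstub.service";
    # Pass cert + key to CoreDNS as systemd credentials; the ACME directory
    # itself never has to be readable by the coredns user.
    # NOTE(review): credentials are populated when the service starts. Confirm
    # that the reload triggered by `reloadServices` below actually picks up a
    # renewed key pair; if it does not, the unit must be restarted on renewal.
    serviceConfig.LoadCredential = [
      "dot-cert.pem:${dot.directory}/fullchain.pem"
      "dot-key.pem:${dot.directory}/key.pem"
    ];
  };

  security.acme.certs."securedns.${domain}" = {
    # NOTE(review): this makes the private key group-readable by nginx.
    # CoreDNS reads the key via LoadCredential (as root), so nginx only needs
    # this if it serves the cert itself — otherwise the default group suffices.
    group = "nginx";
    webroot = "/var/lib/acme/acme-challenge";
    # Android Private DNS misbehaves with certificates from the default ACME
    # issuer, so this one is obtained from Buypass instead.
    server = "https://api.buypass.com/acme/directory";
    reloadServices = [
      "coredns.service"
    ];
  };

  services.coredns = {
    enable = true;
    config = ''
      # Plain DNS: internal interfaces only, never exposed by the firewall.
      . {
        ${lib.optionalString (interfaces ? vstub) "bind ${interfaces.vstub.addr}"}
        bind 127.0.0.1
        # Blocklist first; unmatched names fall through to the recursor.
        hosts ${stevenblack-hosts} {
          fallthrough
        }
        # Fixed CH-class answers (version.bind etc.) so the real CoreDNS
        # version is not disclosed.
        chaos "Private Void DNS" info@privatevoid.net
        forward . ${localRecursor.tuple}
      }
      # DoT on the public address. Note this is an open resolver over TLS:
      # any client that can reach TCP/853 may recurse through it.
      tls://.:853 {
        bind ${interfaces.primary.addr}
        # Paths inside the systemd credentials directory (see LoadCredential).
        tls {$CREDENTIALS_DIRECTORY}/dot-cert.pem {$CREDENTIALS_DIRECTORY}/dot-key.pem
        hosts ${stevenblack-hosts} {
          fallthrough
        }
        chaos "Private Void DNS" info@privatevoid.net
        forward . ${localRecursor.tuple}
      }
    '';
  };

  services.pdns-recursor = {
    enable = true;
    # NOTE(review): "process" performs DNSSEC validation but, as far as the
    # pdns docs go, only enforces it for clients that set DO/AD; "validate"
    # would SERVFAIL bogus answers for everyone. Confirm which is intended for
    # the DoT clients.
    dnssecValidation = "process";
    forwardZones = {
      # Queries for our own zone go straight to the authoritative server on
      # the primary address instead of walking the public tree.
      "${domain}" = interfaces.primary.addr;
    };
    dns = {
      inherit (localRecursor) port;
      address = localRecursor.ipv4;
      # Only loopback clients (i.e. CoreDNS) may query the recursor directly.
      allowFrom = [ "127.0.0.1" ];
    };
  };
}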