diff --git a/hosts/VEGAS/services/dns/default.nix b/hosts/VEGAS/services/dns/default.nix index 48b4a3a..aade8b0 100644 --- a/hosts/VEGAS/services/dns/default.nix +++ b/hosts/VEGAS/services/dns/default.nix @@ -1,16 +1,33 @@ -{ config, hosts, inputs, pkgs, ... }: +{ config, hosts, inputs, pkgs, tools, ... }: # TODO: is this secure? let inherit (hosts.${config.networking.hostName}) interfaces; + inherit (tools.meta) domain; + dot = config.security.acme.certs."securedns.${domain}"; in { imports = [ ./zones.nix ]; networking.firewall = { - allowedTCPPorts = [ 53 ]; - allowedUDPPorts = [ 53 ]; + allowedTCPPorts = [ 53 853 ]; + allowedUDPPorts = [ 53 853 ]; }; - systemd.services.coredns.after = [ "network-addresses-vstub.service" ]; + systemd.services.coredns = { + after = [ "network-addresses-vstub.service" ]; + serviceConfig.LoadCredential = [ + "dot-cert.pem:${dot.directory}/fullchain.pem" + "dot-key.pem:${dot.directory}/key.pem" + ]; + }; + security.acme.certs."securedns.${domain}" = { + group = "nginx"; + webroot = "/var/lib/acme/acme-challenge"; + # using a different ACME provider because Android Private DNS is fucky + server = "https://api.buypass.com/acme/directory"; + reloadServices = [ + "coredns.service" + ]; + }; services.coredns = { enable = true; config = '' @@ -22,6 +39,15 @@ in { chaos "Private Void DNS" info@privatevoid.net forward . 127.0.0.1 } + tls://.:853 { + bind ${interfaces.primary.addr} + tls {$CREDENTIALS_DIRECTORY}/dot-cert.pem {$CREDENTIALS_DIRECTORY}/dot-key.pem + hosts ${inputs.self.packages.${pkgs.system}.stevenblack-hosts} { + fallthrough + } + chaos "Private Void DNS" info@privatevoid.net + forward . ${interfaces.primary.addr} + } ''; }; @@ -36,19 +62,17 @@ in { acl "trusted" { 127.0.0.0/8; ::1/128; - ${interfaces.primary.addr}/32; ${interfaces.vstub.addr}/32; 10.100.0.0/16; 10.10.0.0/16; }; acl "publicservers" { - ${interfaces.primary.addr}/32; 116.202.226.86/32; }; ''; extraOptions = '' recursion yes; - allow-recursion { trusted; }; + allow-recursion { trusted; ${interfaces.primary.addr}/32; }; dnssec-validation no; ''; };