VEGAS: add DNS service

2021-10-16 20:20:16 +02:00 · 2021-10-16 20:20:16 +02:00 · d0721d38b7
commit d0721d38b7
parent 1384345400
3 changed files with 120 additions and 0 deletions
--- a/hosts/VEGAS/services/dns/default.nix
+++ b/hosts/VEGAS/services/dns/default.nix
@ -0,0 +1,55 @@
+{ config, hosts, ... }:
+# TODO: is this secure?
+let
+  inherit (hosts.${config.networking.hostName}) interfaces;
+in {
+  imports = [ ./zones.nix ];
+
+  networking.firewall = {
+    allowedTCPPorts = [ 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
+
+  services.coredns = {
+    enable = true;
+    config = ''
+      . {
+        bind ${interfaces.vstub.addr}
+        hosts /ipfs/QmRgDmvcHsB61pYEPDrwsvHwkoC6hCR9dTEnvkDHrypcFJ {
+          fallthrough
+        }
+        chaos "Private Void DNS" info@privatevoid.net
+        forward . 127.0.0.1
+      }
+    '';
+  };
+
+  services.bind = {
+    enable = true;
+    # TODO: un-hardcode all ip addresses
+    listenOn = [ interfaces.primary.addr "127.0.0.1" ];
+    ipv4Only = true;
+
+    cacheNetworks = [ "10.0.0.0/8" ];
+    extraConfig = ''
+      acl "trusted" {
+        127.0.0.0/8;
+        ::1/128;
+        ${interfaces.primary.addr}/32;
+        ${interfaces.vstub.addr}/32;
+        10.100.0.0/16;
+        10.10.0.0/16;
+      };
+      acl "publicservers" {
+        ${interfaces.primary.addr}/32;
+        116.202.226.86/32;
+      };
+    '';
+    extraOptions = ''
+      recursion yes;
+      allow-recursion { trusted; };
+      dnssec-enable yes;
+      dnssec-validation no;
+    '';
+  };
+}
--- a/hosts/VEGAS/services/dns/zones.nix
+++ b/hosts/VEGAS/services/dns/zones.nix
@ -0,0 +1,64 @@
+{ lib, tools, ... }:
+
+# upstream's zone generator is pretty bad, so...
+
+# TODO: make this prettier
+
+let
+  inherit (tools.meta) domain;
+  inherit (tools) nginx identity;
+
+  externalSlave = { name, masters ? [ identity.dns.master.addr ], notify ? "no", alsoNotify ? [ "none" ] }: let
+    zoneName = "${name}";
+    file = "/var/named/slaves/ext_${zoneName}.db";
+    mastersFormatted = builtins.concatStringsSep "; " masters;
+    notifiersFormatted = builtins.concatStringsSep "; " alsoNotify;
+  in ''
+    zone "${zoneName}." IN {
+      type slave;
+      masters { ${mastersFormatted}; };
+      file "${file}";
+      allow-transfer { trusted; publicservers; };
+      allow-query { any; };
+      notify ${notify};
+      also-notify { ${notifiersFormatted}; };
+    };
+  '';
+  internalSlave' = domain: name: let
+    zoneName  = "${name}${domain}";
+    file = "/var/named/slaves/int_${zoneName}.db";
+  in ''
+    zone "${zoneName}." IN {
+      type slave;
+      masters { ${identity.dns.master.addr}; };
+      file "${file}";
+      allow-transfer { trusted; };
+      allow-query { trusted; };
+      notify no;
+    };
+  '';
+  internalSlave = internalSlave' ".${domain}";
+  revSlave = internalSlave' ".in-addr.arpa";
+  toAttr = value: { inherit (value) name; inherit value; };
+in
+{
+  services.bind.extraConfig = builtins.concatStringsSep "\n" ([
+    (externalSlave { name = domain; notify = "explicit"; alsoNotify = [ "116.202.226.86" ]; })
+    (externalSlave { name = "animus.com"; masters = [ "116.202.226.86" ]; })
+  ] ++ map internalSlave [
+    "virtual-machines"
+    "core"
+    "services"
+    "ext"
+    "int"
+    "vpn"
+    "find"
+  ] ++ map revSlave [
+    "0.10.10"
+    "1.10.10"
+    "2.10.10"
+    "100.10"
+  ] ++ map (internalSlave' "") [
+    "void"
+  ]);
+}
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@ -15,6 +15,7 @@

      # Services
      ./services/backbone-routing
+      ./services/dns
    ]
    # TODO: fix users
    # ++ (import ../../users "server").groups.admin