depot/cluster/services/dns/authoritative.nix

81 lines
2.1 KiB
Nix

{ cluster, config, hosts, lib, tools, ... }:
let
inherit (hosts.${config.networking.hostName}) interfaces;
inherit (tools.meta) domain;
patroni = cluster.config.links.patroni-pg-access;
translateConfig = cfg: let
configList = lib.mapAttrsToList (n: v: "${n}=${v}") cfg;
in lib.concatStringsSep "\n" configList;
in {
links.localAuthoritativeDNS = {};
age.secrets = {
pdns-db-credentials = {
file = ./pdns-db-credentials.age;
mode = "0400";
owner = "pdns";
group = "pdns";
};
};
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
services.powerdns = {
enable = true;
extraConfig = translateConfig {
launch = "gpgsql";
local-address = config.links.localAuthoritativeDNS.tuple;
gpgsql-host = patroni.ipv4;
gpgsql-port = patroni.portStr;
gpgsql-dbname = "powerdns";
gpgsql-user = "powerdns";
gpgsql-extra-connection-parameters = "passfile=${config.age.secrets.pdns-db-credentials.path}";
version-string = "Private Void DNS";
enable-lua-records = "yes";
expand-alias = "yes";
resolver = "127.0.0.1:8600";
};
};
services.coredns = {
enable = true;
config = ''
. {
bind ${interfaces.primary.addr}
chaos "Private Void DNS" info@privatevoid.net
cache {
success 4000 86400
denial 0
prefetch 3
serve_stale 86400s
}
forward service.eu-central.sd-magic.${domain} 127.0.0.1:8600
forward addr.eu-central.sd-magic.${domain} 127.0.0.1:8600
forward . ${config.links.localAuthoritativeDNS.tuple}
}
'';
};
systemd.services.coredns = {
after = [ "pdns.service" ];
};
consul.services.pdns = {
mode = "external";
definition = {
name = "authoritative-dns-backend";
address = config.links.localAuthoritativeDNS.ipv4;
port = config.links.localAuthoritativeDNS.port;
checks = lib.singleton {
interval = "60s";
tcp = config.links.localAuthoritativeDNS.tuple;
};
};
};
}