hosts/plover: add internal DNS server

2025-01-31 04:58:01 +00:00 · 2023-02-06 16:00:56 +08:00 · 2023-02-06 16:00:56 +08:00 · 0086448efa
commit 0086448efa
parent d2a272f16b
4 changed files with 54 additions and 27 deletions
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@ -114,11 +114,6 @@ in
      };
    };

-  services.resolved = {
-    enable = true;
-    dnssec = "true";
-  };
-
  # All of the keys required to deploy the secrets.
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

--- a/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
+++ b/hosts/plover/modules/hardware/hetzner-cloud-cx21.nix
@ -5,11 +5,15 @@
 # from nixos-generators.
 let
  inherit (builtins) toString;
-  inherit (import ./networks.nix) interfaces privateIPv6Prefix;
+  inherit (import ./networks.nix) interfaces preferredInternalTLD privateIPv6Prefix;

  # This is just referring to the same interface just with alternative names.
  mainEthernetInterfaceNames = [ "ens3" "enp0s3" ];
  internalEthernetInterfaceNames = [ "ens10" "enp0s10" ];
+
+  internalDomains = [
+    "~${config.networking.domain}.${preferredInternalTLD}"
+  ];
 in
 {
  imports = [
@ -50,6 +54,19 @@ in
    dhcpcd.enable = false;
  };

+  # The internal DNS server of choice.
+  services.dnsmasq = {
+    enable = true;
+    settings.listen-address = with interfaces.internal; [ IPv4.address IPv6.address ];
+  };
+
+  # The main DNS server (not exactly by choice).
+  services.resolved = {
+    enable = true;
+    dnssec = "true";
+    domains = internalDomains;
+  };
+
  # The interface configuration is based from the following discussion:
  # https://discourse.nixos.org/t/nixos-on-hetzner-cloud-servers-ipv6/221/
  systemd.network = {
@ -68,7 +85,6 @@ in
        networkConfig = {
          DHCP = "yes";
          IPForward = true;
-          IPMasquerade = "ipv4";
        };
      };

@ -85,11 +101,12 @@ in
          IPv4.gateway
          IPv6.gateway
        ];
+
+        networkConfig = {
+          DNS = [ interfaces.internal.IPv4.address ];
+          Domains = lib.concatStringsSep " " internalDomains;
+        };
      };
    };
  };
-
-  # This is to look out for any errors that will occur for my networking setup
-  # which is always a possibility.
-  systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=info";
 }
--- a/hosts/plover/modules/services/atuin.nix
+++ b/hosts/plover/modules/services/atuin.nix
@ -6,7 +6,7 @@
 let
  inherit (import ../hardware/networks.nix) preferredInternalTLD interfaces;

-  atuinDomain = "atuin.${config.networking.domain}.${preferredInternalTLD}";
+  atuinInternalDomain = "atuin.${config.networking.domain}.${preferredInternalTLD}";
  host = interfaces.internal.IPv4.address;
 in
 {
@ -31,8 +31,11 @@ in
    '';
  };

+  # Attaching the domain name to the DNS server.
+  services.dnsmasq.settings.address = [ "/${atuinInternalDomain}/${host}" ];
+
  # Putting it altogether in the reverse proxy of choice.
-  services.nginx.virtualHosts."${atuinDomain}" = {
+  services.nginx.virtualHosts."${atuinInternalDomain}" = {
    locations."/" = {
      proxyPass = "http://${host}:${toString config.services.atuin.port}";
    };
--- a/hosts/plover/modules/services/keycloak.nix
+++ b/hosts/plover/modules/services/keycloak.nix
@ -2,9 +2,10 @@
 { config, lib, pkgs, ... }:

 let
-  inherit (import ../hardware/networks.nix) interfaces;
+  inherit (import ../hardware/networks.nix) preferredInternalTLD interfaces;

  authDomain = "auth.${config.networking.domain}";
+  authInternalDomain = "auth.${config.networking.domain}.${preferredInternalTLD}";

  # This is also set on our own.
  keycloakUser = config.services.keycloak.database.username;
@ -68,20 +69,31 @@ in
    ];
  };

-  # Attaching it to the reverse proxy of choice.
-  services.nginx.virtualHosts."${authDomain}" = {
-    forceSSL = true;
-    enableACME = true;
+  # Attach an domain name to the DNS server.
+  services.dnsmasq.settings.address = [ "/${authInternalDomain}/${host}" ];

-    # This is based from the reverse proxy guide from the official
-    # documentation at https://www.keycloak.org/server/reverseproxy.
-    locations = let
-      keycloakPath = path: "http://${host}:${toString config.services.keycloak.settings.http-port}";
-    in
-    lib.listToAttrs
-      (lib.lists.map
-        (appPath: lib.nameValuePair appPath { proxyPass = keycloakPath appPath; })
-        [ "/js/" "/realms/" "/resources/" "/robots.txt" ]);
+  # Attaching it to the reverse proxy of choice.
+  services.nginx.virtualHosts = {
+    "${authDomain}" = {
+      forceSSL = true;
+      enableACME = true;
+
+      # This is based from the reverse proxy guide from the official
+      # documentation at https://www.keycloak.org/server/reverseproxy.
+      locations = let
+        keycloakPath = path: "http://${host}:${toString config.services.keycloak.settings.http-port}";
+      in
+      lib.listToAttrs
+        (lib.lists.map
+          (appPath: lib.nameValuePair appPath { proxyPass = keycloakPath appPath; })
+          [ "/js/" "/realms/" "/resources/" "/robots.txt" ]);
+    };
+
+    "${authInternalDomain}" = {
+      locations."/" = {
+        proxyPass = "http://${host}:${toString config.services.keycloak.settings.http-port}";
+      };
+    };
  };

  # Configuring fail2ban for this services which is only present as a neat