hosts/plover: remove CoreDNS module

Bind works well enough for now so no need for this service.
2025-04-16 00:19:12 +00:00 · 2023-06-28 09:12:01 +08:00 · 2023-06-28 09:12:01 +08:00 · 38321152f0
commit 38321152f0
parent 88c0c9aa75
1 changed files with 0 additions and 170 deletions
--- a/hosts/plover/modules/services/coredns.nix
+++ b/hosts/plover/modules/services/coredns.nix
@ -1,170 +0,0 @@
-{ config, options, lib, pkgs, ... }:
-
-# Take note we're also running with systemd-resolved which shouldn't really
-# conflict much with established DNS servers default configuration considering
-# it lives in 127.0.0.53 (not 127.0.0.1). So if you found some errors, that's
-# on you. Either that or we can easily move the resolver somewhere else.
-let
-  inherit (config.networking) domain fqdn;
-  inherit (import ../hardware/networks.nix) privateIPv6Prefix interfaces clientNetworks serverNetworks secondaryNameServers wireguardPeers;
-
-  domainZoneFile = pkgs.substituteAll {
-    src = ../../config/dns/${domain}.zone;
-    ploverWANIPv4 = interfaces.wan.IPv4.address;
-    ploverWANIPv6 = interfaces.wan.IPv6.address;
-  };
-
-  # The final location of the thing.
-  domainZoneFile' = "/etc/coredns/zones/${domain}.zone";
-
-  secondaryNameserverDomains = lib.attrNames secondaryNameServers;
-  secondaryNameServersIPv4 = lib.foldl'
-    (total: addresses: total ++ addresses.IPv4)
-    [ ]
-    (lib.attrValues secondaryNameServers);
-  secondaryNameServersIPv6 = lib.foldl'
-    (total: addresses: total ++ addresses.IPv6)
-    [ ]
-    (lib.attrValues secondaryNameServers);
-  secondaryNameServersIPs = secondaryNameServersIPv4 ++ secondaryNameServersIPv6;
-
-  # The local network segments.
-  allowedIPs = secondaryNameServersIPv4 ++ [
-    # Loopback address
-    "127.0.0.0/8"
-
-    # Private uses
-    "10.0.0.0/8"
-    "172.16.0.0/12"
-    "192.168.0.0/16"
-  ];
-  allowedIPv6s = secondaryNameServersIPv6 ++ [
-    "::1" # Loopback
-    "${privateIPv6Prefix}::/48" # Private uses
-  ];
-
-  mainIP = with interfaces.wan; [
-    IPv4.address
-    IPv6.address
-  ];
-
-  internalIP = with interfaces.lan; [
-    IPv4.address
-    IPv6.address
-  ];
-
-  wireguardIP = with wireguardPeers.server; [
-    IPv4 IPv6
-  ];
-
-  dnsListenInterfaces = (with interfaces; [
-    "127.0.0.1"
-    "::1"
-  ]) ++ mainIP ++ internalIP ++ wireguardPeers;
-in
-{
-  sops.secrets =
-    let
-      getKey = key: {
-        inherit key;
-        sopsFile = ../../secrets/secrets.yaml;
-      };
-      getSecrets = secrets:
-        lib.mapAttrs'
-          (secret: config:
-            lib.nameValuePair
-              "plover/${secret}"
-              ((getKey secret) // config))
-          secrets;
-    in
-    getSecrets {
-      "dns/${domain}/mailbox-security-key" = { };
-      "dns/${domain}/mailbox-security-key-record" = { };
-    };
-
-  # Setting up the firewall to make less things to screw up in case anything is
-  # screwed up.
-  networking.firewall.extraInputRules = ''
-    meta l4proto {tcp, udp} th dport domain ip saddr { ${lib.concatStringsSep ", " allowedIPs} } accept comment "Accept DNS queries from secondary nameservers and private networks"
-    meta l4proto {tcp, udp} th dport domain ip6 saddr { ${lib.concatStringsSep ", " allowedIPv6s} } accept comment "Accept DNS queries from secondary nameservers and private networks"
-  '';
-
-  # For more information how the server is set up, you could take a look at the
-  # hardware networking configuration.
-  services.coredns = {
-    enable = true;
-
-    # NOTE: Currently, Hetzner DNS servers does not support DNSSEC. Will need
-    # to visit the following document periodically to see if they support but
-    # it is doubtful since they are doubting the benefits of supporting it. :(
-    #
-    # From what I can tell, it seems like DNSSEC is not much embraced by the
-    # major organizations yet so I'll wait with them on this one.
-    #
-    # https://docs.hetzner.com/dns-console/dns/general/dnssec
-    config = ''
-      # The LAN.
-      ${fqdn} {
-        bind ${interfaces.lan.ifname}
-        acl {
-          # Hetzner doesn't support DNSSEC yet though.
-          block type DS SIG RRSIG TA TSIG PTR DLV DNSKEY KEY NSEC NSEC3
-
-          allow net ${lib.concatStringsSep " " (clientNetworks ++ serverNetworks)}
-          allow net 127.0.0.0/8 ::1
-          block
-        }
-
-        template IN A {
-          answer "{{ .Name }} IN 60 A ${interfaces.lan.IPv4.address}"
-        }
-
-        template IN AAAA {
-          answer "{{ .Name }} IN 60 AAAA ${interfaces.lan.IPv6.address}"
-        }
-      }
-
-      # The WAN.
-      ${domain} {
-        bind ${interfaces.main'.ifname}
-
-        acl {
-          # We're setting this up as a "hidden" primary server.
-          allow type AXFR net ${lib.concatStringsSep " " secondaryNameServersIPs}
-          allow type IXFR net ${lib.concatStringsSep " " secondaryNameServersIPs}
-
-          # This will allow internal clients connect to the subdomains that
-          # have internal resources.
-          allow net ${lib.concatStringsSep " " (clientNetworks ++ serverNetworks)}
-          allow net 127.0.0.0/8 ::1
-
-          # Otherwise, it's just really a primary server that is hidden
-          # somewhere (or just very shy, whichever of the two).
-          block
-        }
-
-        file ${domainZoneFile'} {
-          reload 30s
-        }
-
-        transfer {
-          to ${lib.concatStringsSep " " secondaryNameServersIPs}
-        }
-      }
-
-      # The NAN.
-      . {
-        cache
-        forward . /etc/resolv.conf
-
-        log ${domain} {
-          class success error
-        }
-
-        errors {
-          consolidate 1m "^.* no next plugin found$"
-        }
-      }
-    '';
-  };
-}