hosts/plover: update DNS-related configuration

2025-01-31 04:58:01 +00:00 · 2023-02-10 21:09:05 +08:00 · 2023-02-10 21:09:05 +08:00 · 4c62274145
commit 4c62274145
parent 7aca74924c
3 changed files with 51 additions and 43 deletions
--- a/hosts/plover/config/coredns/foodogsquared.one.zone
+++ b/hosts/plover/config/coredns/foodogsquared.one.zone
@ -1,59 +1,63 @@
 ; This is trying to be discrete with certain information. This should be copied
 ; and replaced with more confidential information somewhere.
 $TTL 2h
-$ORIGIN @domain@
+$ORIGIN foodogsquared.one

-; Take note we're not making the NS record type since it will be dynamically
-; queried by the DNS server.
-@	IN	SOA	@dnsNameserver@ @dnsEmail@ (
-				2023021002	; serial number
+@	IN	SOA	ns1.foodogsquared.one. hostmaster.foodogsquared.one. (
+				2023021100	; serial number
 				2h		; refresh
 				15m		; update retry
 				3w		; expiry
 				3h		; nx = nxdomain ttl
 			)
-@dnsNameservers@
+	IN	NS	ns1.first-ns.de.
+	IN	NS	robotns2.second-ns.de.
+	IN	NS	robotns3.second-ns.com.

 ; Setting up the mail-related DNS entries.
 ; For future references, please the see the following document at
 ; https://kb.mailbox.org/en/private/e-mail-article/using-e-mail-addresses-of-your-domain
-@	IN	MX	10 mxext1.mailbox.org
-	IN	MX	10 mxext2.mailbox.org
-	IN	MX	20 mxext3.mailbox.org
+@	IN	MX	10 mxext1.mailbox.org.
+	IN	MX	10 mxext2.mailbox.org.
+	IN	MX	20 mxext3.mailbox.org.
 	IN	TXT	v=spf1 include:mailbox.org ~all
-_dmarc.	IN	TXT	v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one
-mbo0001._domainkey.	IN	CNAME	mbo0001._domainkey.mailbox.org.
-mbo0002._domainkey.	IN	CNAME	mbo0002._domainkey.mailbox.org.
-mbo0003._domainkey.	IN	CNAME	mbo0003._domainkey.mailbox.org.
-mbo0004._domainkey.	IN	CNAME	mbo0004._domainkey.mailbox.org.
-#mailboxSecurityKey#.	IN	TXT	#mailboxSecurityKeyRecord#
+_dmarc	IN	TXT	v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one
+mbo0001._domainkey	IN	CNAME	mbo0001._domainkey.mailbox.org.
+mbo0002._domainkey	IN	CNAME	mbo0002._domainkey.mailbox.org.
+mbo0003._domainkey	IN	CNAME	mbo0003._domainkey.mailbox.org.
+mbo0004._domainkey	IN	CNAME	mbo0004._domainkey.mailbox.org.
+#mailboxSecurityKey#	IN	TXT	#mailboxSecurityKeyRecord#

 ; My websites that are deployed by somewhere else.
-@	IN	ALIAS	apex-loadbalancer.netlify.com.
+@	IN	A	75.2.60.5
 www	IN	CNAME	foodogsquared.netlify.app.
 wiki	IN	CNAME	foodogsquared-wiki.netlify.app.

-; Public-facing services from this server.
-auth.	IN	A	@publicIPv4@
-auth.	IN	AAAA	@publicIPv6@
+; Public-facing services from this server. Just remember to increment the
+; serial number once the public IPs changes. PLEEEEEEEEEEEAAAAAAAAASE!
+auth	IN	A	@publicIPv4@
+auth	IN	AAAA	@publicIPv6@

-pass.	IN	A	@publicIPv4@
-pass.	IN	AAAA	@publicIPv6@
+pass	IN	A	@publicIPv4@
+pass	IN	AAAA	@publicIPv6@

-code.	IN	A	@publicIPv4@
-code.	IN	AAAA	@publicIPv6@
+code	IN	A	@publicIPv4@
+code	IN	AAAA	@publicIPv6@
+
+vpn	IN	A	@publicIPv4@
+vpn	IN	AAAA	@publicIPv6@

 ; Other things.
-_github-pages-challenge-foo-dogsquared.	IN	TXT	673febae1ea0095e76d1e02a7a1709
+_github-pages-challenge-foo-dogsquared	IN	TXT	673febae1ea0095e76d1e02a7a1709

 ; Setting up SendGrid.
 ; This is for rewriting tracking links to my domain.
-url2871.	IN	CNAME	sendgrid.net
-30339354.	IN	CNAME	sendgrid.net
+url2871	IN	CNAME	sendgrid.net
+30339354	IN	CNAME	sendgrid.net

 ; This is for SendGrid sender authentication.
-em1172.	IN	CNAME	u30339354.wl105.sendgrid.net
-s1._domainkey.	IN	CNAME	s1.domainkey.u30339354.wl105.sendgrid.net
-s2._domainkey.	IN	CNAME	s2.domainkey.u30339354.wl105.sendgrid.net
+em1172	IN	CNAME	u30339354.wl105.sendgrid.net
+s1._domainkey	IN	CNAME	s1.domainkey.u30339354.wl105.sendgrid.net
+s2._domainkey	IN	CNAME	s2.domainkey.u30339354.wl105.sendgrid.net

 ; vim: expandtab! tabstop=8 shiftwidth=8 filetype=dns
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@ -209,6 +209,9 @@ in

            # PostgreSQL database dumps
            config.services.postgresqlBackup.location
+
+            # DNS records.
+            "/etc/coredns"
          ];
          repo = borgRepo "services";
          passCommand = "cat ${config.sops.secrets."plover/borg/repos/services/password".path}";
--- a/hosts/plover/modules/services/coredns.nix
+++ b/hosts/plover/modules/services/coredns.nix
@ -16,17 +16,13 @@ let

  domainZoneFile = pkgs.substituteAll {
    src = ../../config/coredns/${domain}.zone;
-    inherit domain dnsSubdomain;
-    dnsEmail = "dns.hetzner.com.";
    publicIPv4 = interfaces.main'.IPv4.address;
    publicIPv6 = interfaces.main'.IPv6.address;
-    dnsNameserver = lib.head secondaryNameserverDomains;
-    dnsNameservers = lib.concatStringsSep "\n"
-      (lib.lists.map
-        (ns: "\tIN\tNS\t${ns}")
-        secondaryNameserverDomains);
  };

+  # The final location of the thing.
+  domainZoneFile' = "/etc/coredns/zones/${domain}.zone";
+
  secondaryNameserverDomains = lib.attrNames secondaryNameServers;
  secondaryNameServersIPv4 = lib.foldl'
    (total: addresses: total ++ addresses.IPv4)
@ -38,8 +34,12 @@ let
    (lib.attrValues secondaryNameServers);
  secondaryNameServersIPs = secondaryNameServersIPv4 ++ secondaryNameServersIPv6;

-  # The final location of the thing.
-  domainZoneFile' = "/etc/coredns/zones/${domain}.zone";
+  dnsListenAddresses = with interfaces; [
+    internal.IPv4.address
+    internal.IPv6.address
+    main'.IPv4.address
+    main'.IPv6.address
+  ];
 in
 {
  sops.secrets =
@ -87,11 +87,10 @@ in
    # https://docs.hetzner.com/dns-console/dns/general/dnssec
    config = ''
      . {
-        forward . /etc/resolv.conf
        log
        errors

-        bind lo ${interfaces.internal.IPv4.address} ${interfaces.internal.IPv6.address} {
+        bind lo ${lib.concatStringsSep " " dnsListenAddresses} {
          # These are already taken from systemd-resolved.
          except 127.0.0.53 127.0.0.54
        }
@ -101,7 +100,9 @@ in
          allow type AXFR net ${lib.concatStringsSep " " secondaryNameServersIPs}
          allow type IXFR net ${lib.concatStringsSep " " secondaryNameServersIPs}

-          # Allowing this for debugging.
+          # This will allow internal clients connect to the subdomains that
+          # have internal resources.
+          allow net ${lib.concatStringsSep " " (clientNetworks ++ serverNetworks)}
          allow net 127.0.0.0/8 ::1

          # Otherwise, it's just really a primary server that is hidden
@ -113,8 +114,6 @@ in
          to *
        }

-        file ${domainZoneFile'}
-
        # ${fqdn} DNS server blocks. This is an internal DNS server so we'll
        # only allow queries from the internal network.
        acl ${fqdn} {
@ -130,6 +129,8 @@ in
        template IN AAAA ${fqdn} {
          answer "{{ .Name }} IN 60 AAAA ${interfaces.internal.IPv6.address}"
        }
+
+        file ${domainZoneFile'}
      }

      tls://. {