From 4c62274145bc8ada6939f187d7f408a4a3b62922 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Fri, 10 Feb 2023 21:09:05 +0800
Subject: [PATCH] hosts/plover: update DNS-related configuration
---
 .../config/coredns/foodogsquared.one.zone | 62 ++++++++++---------
 hosts/plover/default.nix | 3 +
 hosts/plover/modules/services/coredns.nix | 29 ++++-----
 3 files changed, 51 insertions(+), 43 deletions(-)
diff --git a/hosts/plover/config/coredns/foodogsquared.one.zone b/hosts/plover/config/coredns/foodogsquared.one.zone
index 46346994..612b3d0a 100644
--- a/hosts/plover/config/coredns/foodogsquared.one.zone
+++ b/hosts/plover/config/coredns/foodogsquared.one.zone
@@ -1,59 +1,63 @@
 ; This is trying to be discrete with certain information. This should be copied
 ; and replaced with more confidential information somewhere.
 $TTL 2h
-$ORIGIN @domain@
+$ORIGIN foodogsquared.one
-; Take note we're not making the NS record type since it will be dynamically
-; queried by the DNS server.
-@ IN SOA @dnsNameserver@ @dnsEmail@ (
- 2023021002 ; serial number
+@ IN SOA ns1.foodogsquared.one. hostmaster.foodogsquared.one. (
+ 2023021100 ; serial number
 2h ; refresh
 15m ; update retry
 3w ; expiry
 3h ; nx = nxdomain ttl
 )
-@dnsNameservers@
+ IN NS ns1.first-ns.de.
+ IN NS robotns2.second-ns.de.
+ IN NS robotns3.second-ns.com.
 ; Setting up the mail-related DNS entries.
 ; For future references, please the see the following document at
 ; https://kb.mailbox.org/en/private/e-mail-article/using-e-mail-addresses-of-your-domain
-@ IN MX 10 mxext1.mailbox.org
- IN MX 10 mxext2.mailbox.org
- IN MX 20 mxext3.mailbox.org
+@ IN MX 10 mxext1.mailbox.org.
+ IN MX 10 mxext2.mailbox.org.
+ IN MX 20 mxext3.mailbox.org.
 IN TXT v=spf1 include:mailbox.org ~all
-_dmarc. IN TXT v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one
-mbo0001._domainkey. IN CNAME mbo0001._domainkey.mailbox.org.
-mbo0002._domainkey. IN CNAME mbo0002._domainkey.mailbox.org.
-mbo0003._domainkey. IN CNAME mbo0003._domainkey.mailbox.org.
-mbo0004._domainkey. IN CNAME mbo0004._domainkey.mailbox.org.
-#mailboxSecurityKey#. IN TXT #mailboxSecurityKeyRecord#
+_dmarc IN TXT v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one
+mbo0001._domainkey IN CNAME mbo0001._domainkey.mailbox.org.
+mbo0002._domainkey IN CNAME mbo0002._domainkey.mailbox.org.
+mbo0003._domainkey IN CNAME mbo0003._domainkey.mailbox.org.
+mbo0004._domainkey IN CNAME mbo0004._domainkey.mailbox.org.
+#mailboxSecurityKey# IN TXT #mailboxSecurityKeyRecord#
 ; My websites that are deployed by somewhere else.
-@ IN ALIAS apex-loadbalancer.netlify.com.
+@ IN A 75.2.60.5
 www IN CNAME foodogsquared.netlify.app.
 wiki IN CNAME foodogsquared-wiki.netlify.app.
-; Public-facing services from this server.
-auth. IN A @publicIPv4@
-auth. IN AAAA @publicIPv6@
+; Public-facing services from this server. Just remember to increment the
+; serial number once the public IPs changes. PLEEEEEEEEEEEAAAAAAAAASE!
+auth IN A @publicIPv4@
+auth IN AAAA @publicIPv6@
-pass. IN A @publicIPv4@
-pass. IN AAAA @publicIPv6@
+pass IN A @publicIPv4@
+pass IN AAAA @publicIPv6@
-code. IN A @publicIPv4@
-code. IN AAAA @publicIPv6@
+code IN A @publicIPv4@
+code IN AAAA @publicIPv6@
+
+vpn IN A @publicIPv4@
+vpn IN AAAA @publicIPv6@
 ; Other things.
-_github-pages-challenge-foo-dogsquared. IN TXT 673febae1ea0095e76d1e02a7a1709
+_github-pages-challenge-foo-dogsquared IN TXT 673febae1ea0095e76d1e02a7a1709
 ; Setting up SendGrid.
 ; This is for rewriting tracking links to my domain.
-url2871. IN CNAME sendgrid.net
-30339354. IN CNAME sendgrid.net
+url2871 IN CNAME sendgrid.net
+30339354 IN CNAME sendgrid.net
 ; This is for SendGrid sender authentication.
-em1172. IN CNAME u30339354.wl105.sendgrid.net
-s1._domainkey. IN CNAME s1.domainkey.u30339354.wl105.sendgrid.net
-s2._domainkey. IN CNAME s2.domainkey.u30339354.wl105.sendgrid.net
+em1172 IN CNAME u30339354.wl105.sendgrid.net
+s1._domainkey IN CNAME s1.domainkey.u30339354.wl105.sendgrid.net
+s2._domainkey IN CNAME s2.domainkey.u30339354.wl105.sendgrid.net
 ; vim: expandtab! tabstop=8 shiftwidth=8 filetype=dns
diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index 17f75f5a..49fea7d2 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@@ -209,6 +209,9 @@ in
 # PostgreSQL database dumps
 config.services.postgresqlBackup.location
+
+ # DNS records.
+ "/etc/coredns"
 ];
 repo = borgRepo "services";
 passCommand = "cat ${config.sops.secrets."plover/borg/repos/services/password".path}";
diff --git a/hosts/plover/modules/services/coredns.nix b/hosts/plover/modules/services/coredns.nix
index 82beee90..3bf9815a 100644
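Review bot: The SendGrid CNAME targets on the new side (`url2871 IN CNAME sendgrid.net`, `30339354 IN CNAME sendgrid.net`, `em1172`, `s1._domainkey`, `s2._domainkey`) still lack the trailing dot that this commit adds to the MX records, so under `$ORIGIN foodogsquared.one` they are relative names and expand to e.g. `sendgrid.net.foodogsquared.one.`, which breaks link rewriting and SendGrid's DKIM/sender authentication for the domain; they should read `sendgrid.net.`, `u30339354.wl105.sendgrid.net.`, `s1.domainkey.u30339354.wl105.sendgrid.net.` and so on. The same applies to the `$ORIGIN foodogsquared.one` line itself, which is conventionally written absolute as `$ORIGIN foodogsquared.one.`. Separately, the unchanged SPF line `IN TXT v=spf1 include:mailbox.org ~all` is unquoted while containing spaces, so a zone parser may split it into three character-strings that verifiers join as `v=spf1include:mailbox.org~all`; quoting it as `IN TXT "v=spf1 include:mailbox.org ~all"` removes the ambiguity. The new SOA's MNAME `ns1.foodogsquared.one.` has no matching A/AAAA or NS record anywhere in the hunk; if that is deliberate for a hidden primary, a one-line comment saying so would save the next reader a search.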
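Review bot: The new backup entry is a bare string `"/etc/coredns"` while coredns.nix derives its zone location from the same directory in `domainZoneFile' = "/etc/coredns/zones/${domain}.zone"`, so the two can drift apart silently; either share one definition or extend the comment to `# DNS records (rendered zone files; keep in step with domainZoneFile' in modules/services/coredns.nix).`. It is also worth noting in that comment that the rendered zone under this path carries substituted values (the zone hunk has `#mailboxSecurityKey#` placeholders), if those are filled in before the file lands there, since that decides how sensitive this backup set is.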
--- a/hosts/plover/modules/services/coredns.nix
+++ b/hosts/plover/modules/services/coredns.nix
@@ -16,17 +16,13 @@ let
 domainZoneFile = pkgs.substituteAll {
 src = ../../config/coredns/${domain}.zone;
- inherit domain dnsSubdomain;
- dnsEmail = "dns.hetzner.com.";
 publicIPv4 = interfaces.main'.IPv4.address;
 publicIPv6 = interfaces.main'.IPv6.address;
- dnsNameserver = lib.head secondaryNameserverDomains;
- dnsNameservers = lib.concatStringsSep "\n"
- (lib.lists.map
- (ns: "\tIN\tNS\t${ns}")
- secondaryNameserverDomains);
 };
+ # The final location of the thing.
+ domainZoneFile' = "/etc/coredns/zones/${domain}.zone";
+
 secondaryNameserverDomains = lib.attrNames secondaryNameServers;
 secondaryNameServersIPv4 = lib.foldl'
 (total: addresses: total ++ addresses.IPv4)
@@ -38,8 +34,12 @@ let
 (lib.attrValues secondaryNameServers);
 secondaryNameServersIPs = secondaryNameServersIPv4 ++ secondaryNameServersIPv6;
- # The final location of the thing.
- domainZoneFile' = "/etc/coredns/zones/${domain}.zone";
+ dnsListenAddresses = with interfaces; [
+ internal.IPv4.address
+ internal.IPv6.address
+ main'.IPv4.address
+ main'.IPv6.address
+ ];
 in
 {
 sops.secrets =
@@ -87,11 +87,10 @@ in
 # https://docs.hetzner.com/dns-console/dns/general/dnssec
 config = ''
 . {
- forward . /etc/resolv.conf
 log
 errors
- bind lo ${interfaces.internal.IPv4.address} ${interfaces.internal.IPv6.address} {
+ bind lo ${lib.concatStringsSep " " dnsListenAddresses} {
 # These are already taken from systemd-resolved.
 except 127.0.0.53 127.0.0.54
 }
@@ -101,7 +100,9 @@ in
 allow type AXFR net ${lib.concatStringsSep " " secondaryNameServersIPs}
 allow type IXFR net ${lib.concatStringsSep " " secondaryNameServersIPs}
- # Allowing this for debugging.
+ # This will allow internal clients connect to the subdomains that
+ # have internal resources.
+ allow net ${lib.concatStringsSep " " (clientNetworks ++ serverNetworks)}
 allow net 127.0.0.0/8 ::1
 # Otherwise, it's just really a primary server that is hidden
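Review bot: `secondaryNameserverDomains = lib.attrNames secondaryNameServers;` is kept although its only visible consumers (`dnsNameserver`, `dnsNameservers`) are removed in this hunk, so it now reads as a dead binding unless something outside the diff still uses it. More importantly, the NS set has moved out of this attrset into the zone file as literal `ns1.first-ns.de.`/`robotns2.second-ns.de.`/`robotns3.second-ns.com.` lines while `secondaryNameServers` still drives the AXFR/IXFR allow-list in the `@@ -101` hunk, so there are now two sources of truth and a secondary that is advertised in NS but missing from the allow-list (or vice versa) would fail silently; a comment such as `# Must stay in step with the NS records in config/coredns/${domain}.zone.` on `secondaryNameServers`, or regenerating those NS lines from it as before, keeps them aligned. The enclosing `let` starts before the hunk.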
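Review bot: `bind lo ${lib.concatStringsSep " " dnsListenAddresses} {` now also binds the `main'` IPv4/IPv6 addresses introduced in the `@@ -38` hunk, so the `.` server block becomes reachable from the public interface and its exposure rests entirely on the `acl` rules in the `@@ -101` hunk plus the block rule the trailing comment implies; a comment here naming that dependency, e.g. `# The public addresses are bound for the secondaries' zone transfers; everything else is filtered by the acl block below.`, makes the intent reviewable. Dropping `forward . /etc/resolv.conf` also appears to leave the `.` block with no resolver for names outside the configured zones, which looks intended but is not mentioned in the commit message.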
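Review bot: The new comment `# This will allow internal clients connect to the subdomains that` reads better as `# This lets internal clients reach the subdomains that`, and since `clientNetworks` and `serverNetworks` are defined nowhere in the diff, saying what each list holds (e.g. `# clientNetworks/serverNetworks: the internal CIDRs from the host's network config.`) would help the next reader. The acl plugin applies the first matching rule, so the new `allow net` line sitting between the transfer allowances and the loopback allow is fine as long as the block rule implied by the trailing comment stays last; that rule is outside the hunk.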
@@ -113,8 +114,6 @@ in
 to *
 }
- file ${domainZoneFile'}
-
 # ${fqdn} DNS server blocks. This is an internal DNS server so we'll
 # only allow queries from the internal network.
 acl ${fqdn} {
@@ -130,6 +129,8 @@ in
 template IN AAAA ${fqdn} {
 answer "{{ .Name }} IN 60 AAAA ${interfaces.internal.IPv6.address}"
 }
+
+ file ${domainZoneFile'}
 }
 tls://. {
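Review bot: `file ${domainZoneFile'}` is removed from the `.` server block here (`@@ -113`) and re-added inside the `${fqdn}` block (`@@ -130`), so the block that keeps the `allow type AXFR`/`IXFR` rules for the secondaries no longer has a visible zone data source, and the zone file, whose `$ORIGIN` is `foodogsquared.one` in the zone hunk, is now loaded by a block keyed on `${fqdn}`. CoreDNS's `file` plugin takes the enclosing block's zone as origin when no zone argument is given, so unless `${fqdn}` equals the apex this either fails to load or only answers names under `${fqdn}`; writing `file ${domainZoneFile'} ${domain}` makes the origin explicit, but apex queries and transfers still only reach this block if its zone covers them. Depending on the CoreDNS version, outgoing AXFR for a `file` zone also needs the `transfer` plugin in the same block, and none is visible in the diff, so it is worth confirming where the secondaries now pull from. Both enclosing server blocks start outside the hunks.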