diff --git a/hosts/plover/config/coredns/foodogsquared.one.zone b/hosts/plover/config/coredns/foodogsquared.one.zone index eed14565..46346994 100644 --- a/hosts/plover/config/coredns/foodogsquared.one.zone +++ b/hosts/plover/config/coredns/foodogsquared.one.zone @@ -1,18 +1,18 @@ ; This is trying to be discrete with certain information. This should be copied ; and replaced with more confidential information somewhere. - -; Take note we're not making the NS record type since it will be dynamically -; queried by the DNS server. $TTL 2h $ORIGIN @domain@ -@ IN SOA @dnsSubdomain@.@domain@ @email@ ( - 2023020800 ; serial number - 3h ; refresh +; Take note we're not making the NS record type since it will be dynamically +; queried by the DNS server. +@ IN SOA @dnsNameserver@ @dnsEmail@ ( + 2023021002 ; serial number + 2h ; refresh 15m ; update retry 3w ; expiry 3h ; nx = nxdomain ttl - ) + ) +@dnsNameservers@ ; Setting up the mail-related DNS entries. ; For future references, please the see the following document at @@ -21,12 +21,12 @@ $ORIGIN @domain@ IN MX 10 mxext2.mailbox.org IN MX 20 mxext3.mailbox.org IN TXT v=spf1 include:mailbox.org ~all -_dmarc IN TXT v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one -mbo0001._domainkey IN CNAME mbo0001._domainkey.mailbox.org. -mbo0002._domainkey IN CNAME mbo0002._domainkey.mailbox.org. -mbo0003._domainkey IN CNAME mbo0003._domainkey.mailbox.org. -mbo0004._domainkey IN CNAME mbo0004._domainkey.mailbox.org. -#mailboxSecurityKey# IN TXT #mailboxSecurityKeyRecord# +_dmarc. IN TXT v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one +mbo0001._domainkey. IN CNAME mbo0001._domainkey.mailbox.org. +mbo0002._domainkey. IN CNAME mbo0002._domainkey.mailbox.org. +mbo0003._domainkey. IN CNAME mbo0003._domainkey.mailbox.org. +mbo0004._domainkey. IN CNAME mbo0004._domainkey.mailbox.org. +#mailboxSecurityKey#. IN TXT #mailboxSecurityKeyRecord# ; My websites that are deployed by somewhere else. @ IN ALIAS apex-loadbalancer.netlify.com. 
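Review bot: `$ORIGIN @domain@` is kept without a trailing dot while this commit starts adding trailing dots to owner names; in RFC 1035 master-file syntax an unqualified `$ORIGIN` argument is itself appended to the current origin (BIND documents this, and miekg/dns, which CoreDNS's file plugin uses, behaves the same as far as I recall), and a name ending in `.` is absolute, so if `domain` expands to `foodogsquared.one` (coredns.nix's `dnsDomainName = "${dnsSubdomain}.${domain}"` suggests it carries no dot) every relative owner lands under a doubled suffix and a dotted owner like `auth.` lands at the root — `dig @127.0.0.1 auth.foodogsquared.one A` against the hidden primary would confirm either way. The fix belongs on this one line, `$ORIGIN @domain@.`, with owners kept relative. The re-added comment `; Take note we're not making the NS record type since it will be dynamically queried by the DNS server.` is also contradicted now by `@dnsNameservers@`, which injects the apex NS records; I'd replace it with `; Apex NS records are generated from secondaryNameServers in coredns.nix and injected via @dnsNameservers@; their empty owner field inherits @ from the SOA above.`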
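Review bot: The re-added `_dmarc.` TXT record has unquoted RDATA containing `;`, and `;` is the comment introducer in this very file (see `; serial number` a few lines up), so under master-file rules everything from `;p=none` onward is discarded and the published record degrades to `v=DMARC1`, which is not a valid DMARC policy. Quote it: `_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@foodogsquared.one"`. The context line `IN TXT v=spf1 include:mailbox.org ~all` has the sibling problem that unquoted, space-separated tokens are three separate character-strings (RFC 1035 §5.1), which SPF evaluators concatenate without spaces (RFC 7208 §3.3) into `v=spf1include:mailbox.org~all`; it deserves the same quoting, and `dig _dmarc.foodogsquared.one TXT` / `dig foodogsquared.one TXT` against the server will show what is actually served. The trailing dot newly added to `_dmarc.` and the `_domainkey` owners also makes them absolute root-level names rather than names under `$ORIGIN`, so I would leave those owners undotted.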
@@ -34,26 +34,26 @@ www IN CNAME foodogsquared.netlify.app.
 wiki IN CNAME foodogsquared-wiki.netlify.app.
 
 ; Public-facing services from this server.
-auth IN A @publicIPv4@
-auth IN AAAA @publicIPv6@
+auth. IN A @publicIPv4@
+auth. IN AAAA @publicIPv6@
 
-pass IN A @publicIPv4@
-pass IN AAAA @publicIPv6@
+pass. IN A @publicIPv4@
+pass. IN AAAA @publicIPv6@
 
-code IN A @publicIPv4@
-code IN AAAA @publicIPv6@
+code. IN A @publicIPv4@
+code. IN AAAA @publicIPv6@
 
 ; Other things.
-_github-pages-challenge-foo-dogsquared IN TXT 673febae1ea0095e76d1e02a7a1709
+_github-pages-challenge-foo-dogsquared. IN TXT 673febae1ea0095e76d1e02a7a1709
 
 ; Setting up SendGrid.
 ; This is for rewriting tracking links to my domain.
-url2871 IN CNAME sendgrid.net
-30339354 IN CNAME sendgrid.net
+url2871. IN CNAME sendgrid.net
+30339354. IN CNAME sendgrid.net
 
 ; This is for SendGrid sender authentication.
-em1172 IN CNAME u30339354.wl105.sendgrid.net
-s1._domainkey IN CNAME s1.domainkey.u30339354.wl105.sendgrid.net
-s2._domainkey IN CNAME s2.domainkey.u30339354.wl105.sendgrid.net
+em1172. IN CNAME u30339354.wl105.sendgrid.net
+s1._domainkey. IN CNAME s1.domainkey.u30339354.wl105.sendgrid.net
+s2._domainkey. IN CNAME s2.domainkey.u30339354.wl105.sendgrid.net
 
 ; vim: expandtab! tabstop=8 shiftwidth=8 filetype=dns
diff --git a/hosts/plover/modules/services/coredns.nix b/hosts/plover/modules/services/coredns.nix
index e95a8e8c..82beee90 100644
--- a/hosts/plover/modules/services/coredns.nix
+++ b/hosts/plover/modules/services/coredns.nix
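Review bot: The trailing dots added to every owner in this hunk (`auth.`, `pass.`, `code.`, `_github-pages-challenge-foo-dogsquared.`, `url2871.`, `s1._domainkey.`, …) change their meaning: in master-file syntax a name ending in `.` is absolute, so `auth.` is the root-level name `auth.`, not `auth.foodogsquared.one.`, and a query for the latter will not find these records — `dig @127.0.0.1 auth.foodogsquared.one A` should make that visible. At the same time the SendGrid CNAME targets stay unqualified (`sendgrid.net`, `u30339354.wl105.sendgrid.net`, `s1.domainkey.u30339354.wl105.sendgrid.net`), which by the same rule makes them relative to `$ORIGIN`, i.e. `sendgrid.net.foodogsquared.one.`; the mailbox.org CNAMEs in the earlier hunk get this right with `mbo0001._domainkey.mailbox.org.`. I would revert the owner dots and terminate the targets instead, e.g. `url2871 IN CNAME sendgrid.net.` and `em1172 IN CNAME u30339354.wl105.sendgrid.net.`. If the motive was that relative names were resolving wrongly, the dot-less `$ORIGIN @domain@` at the top of the file is the more likely culprit than the records themselves.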
@@ -11,25 +11,20 @@ let dnsSubdomain = "ns1"; dnsDomainName = "${dnsSubdomain}.${domain}"; certs = config.security.acme.certs; - dnsEmail = "hostmaster.${domain}"; - - # This is the part of the SOA record. You'll have to modify it here instead - # of modifying a zone file since it does not play well with a dynamically - # configured server it seems. - dnsSerialNumber = "2023020800"; - dnsRefresh = "3h"; - dnsUpdateRetry = "15m"; - dnsExpiry = "3w"; - dnsNxTTL = "3h"; corednsServiceName = "coredns"; domainZoneFile = pkgs.substituteAll { src = ../../config/coredns/${domain}.zone; inherit domain dnsSubdomain; - email = dnsEmail; + dnsEmail = "dns.hetzner.com."; publicIPv4 = interfaces.main'.IPv4.address; publicIPv6 = interfaces.main'.IPv6.address; + dnsNameserver = lib.head secondaryNameserverDomains; + dnsNameservers = lib.concatStringsSep "\n" + (lib.lists.map + (ns: "\tIN\tNS\t${ns}") + secondaryNameserverDomains); }; secondaryNameserverDomains = lib.attrNames secondaryNameServers; 
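Review bot: `dnsEmail = "dns.hetzner.com."` sets the SOA RNAME to Hetzner's mailbox, and since this is the hidden primary that value is transferred verbatim and published as the responsible contact for the zone; unless Hetzner's secondary service requires it, the previous `hostmaster.${domain}` (fully qualified, `hostmaster.${domain}.`) is what someone reporting a zone problem should reach. The removal of `dnsSerialNumber` also turns the serial into a fixed literal inside the zone template while `publicIPv4`, `publicIPv6` and `dnsNameservers` are still substituted at build time, so a rebuild that changes any of them without an edit to the serial will not reach the secondaries (they re-transfer only on a higher serial) and, as far as I recall, will not be reloaded by CoreDNS's file plugin either, which keys on the serial too; a comment on `domainZoneFile` saying `# Bump the serial in the zone template after any change here, or secondaries will not pick it up.` is the minimum, and deriving the serial from the substituted inputs would be better. Two smaller points: `lib.head secondaryNameserverDomains` fails at evaluation time if `secondaryNameServers` is empty, and the generated `\tIN\tNS\t${ns}` lines are only correct if the attribute names of `secondaryNameServers` end in a trailing dot, which I cannot see from here.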
@@ -91,78 +86,55 @@ in # # https://docs.hetzner.com/dns-console/dns/general/dnssec config = '' - (common) { + . { forward . /etc/resolv.conf log - cache errors - } - ${fqdn} { - import common - - bind ${interfaces.internal.IPv4.address} ${interfaces.internal.IPv6.address} - - local - - acl { - allow net ${lib.concatStringsSep " " (clientNetworks ++ serverNetworks)} - block - } - - # We're just setting up a dummy SOA. If the authority section is - # missing, it will be considered invalid and might not play nice with - # the other things that rely on the DNS server so we'll play nice. - template ANY ANY { - authority "{{ .Zone }} IN SOA {{ .Zone }} ${dnsEmail} (1 60 60 60 60)" - fallthrough - } - - template IN A { - answer "{{ .Zone }} IN 60 A ${interfaces.internal.IPv4.address}" - answer "{{ .Zone }} IN 60 A ${interfaces.internal.IPv4.address}" - } - - template IN AAAA { - answer "{{ .Zone }} IN 60 AAAA ${interfaces.internal.IPv6.address}" - answer "{{ .Zone }} IN 60 AAAA ${interfaces.internal.IPv6.address}" - } - } - - ${domain} { - import common - - bind lo { + bind lo ${interfaces.internal.IPv4.address} ${interfaces.internal.IPv6.address} { # These are already taken from systemd-resolved. except 127.0.0.53 127.0.0.54 } - acl { + acl ${domain} { # We're setting this up as a "hidden" primary server. allow type AXFR net ${lib.concatStringsSep " " secondaryNameServersIPs} allow type IXFR net ${lib.concatStringsSep " " secondaryNameServersIPs} - block type AXFR - block type IXFR + + # Allowing this for debugging. + allow net 127.0.0.0/8 ::1 + + # Otherwise, it's just really a primary server that is hidden + # somewhere (or just very shy, whichever of the two). + block } - template IN NS { - ${lib.concatStringsSep "\n " - (lib.lists.map - (ns: ''answer "{{ .Zone }} IN NS ${ns}"'') - secondaryNameserverDomains)} + transfer ${domain} { + to * } file ${domainZoneFile'} - transfer { - to * + # ${fqdn} DNS server blocks. 
This is an internal DNS server so we'll + # only allow queries from the internal network. + acl ${fqdn} { + allow net ${lib.concatStringsSep " " (clientNetworks ++ serverNetworks)} + allow net 127.0.0.0/8 ::1 + block + } + + template IN A ${fqdn} { + answer "{{ .Name }} IN 60 A ${interfaces.internal.IPv4.address}" + } + + template IN AAAA ${fqdn} { + answer "{{ .Name }} IN 60 AAAA ${interfaces.internal.IPv6.address}" } } - tls://${domain} { - import common - + tls://. { tls {$CREDENTIALS_DIRECTORY}/cert.pem {$CREDENTIALS_DIRECTORY}/key.pem {$CREDENTIALS_DIRECTORY}/fullchain.pem + forward . /etc/resolv.conf } ''; };
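Review bot: The new `acl ${domain}` block ends in an unconditional `block` but only whitelists `AXFR` and `IXFR` from `secondaryNameServersIPs`, so the secondaries' ordinary SOA refresh query — the check a secondary makes before deciding to transfer, and the only trigger available here since `transfer ${domain} { to * }` gives the plugin no explicit address to NOTIFY, as far as I can tell — is now answered REFUSED, whereas the previous config blocked only the two transfer types and left SOA open. Add `allow type SOA net ${lib.concatStringsSep " " secondaryNameServersIPs}` next to the two existing `allow type` lines. Separately, the new `tls://.` server block has neither `bind` nor `acl` and forwards every name to `/etc/resolv.conf`, so unless a firewall outside this file closes port 853 it is an open DoT resolver on every address of the host, including the public one this zone advertises, where the replaced `tls://${domain}` block at least answered only for the zone; `bind lo ${interfaces.internal.IPv4.address} ${interfaces.internal.IPv6.address}` like the plain `.` block, or an `acl` limited to `clientNetworks ++ serverNetworks`, would match the intent stated in the `${fqdn}` comment. The `config = ''` string starts inside this hunk but the enclosing attribute set continues outside it.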