hosts/plover: update DNS server config

configs/nixos/plover/modules/default.nix

@@ -11,7 +11,7 @@
     ./services/database.nix
 
     # The primary DNS server that is completely hidden.
-    ./services/dns-server.nix
+    ./services/dns-server
 
     # The single-sign on setup.
     ./services/idm.nix

configs/nixos/plover/modules/services/dns-server/default.nix

@@ -8,29 +8,23 @@ let
   cfg = hostCfg.services.dns-server;
 
   inherit (config.networking) domain fqdn;
-  inherit (import ../hardware/networks.nix) interfaces clientNetworks serverNetworks secondaryNameServers;
-  secondaryNameServersIPs = lib.foldl'
-    (total: addresses: total ++ addresses.IPv4 ++ addresses.IPv6)
-    [ ]
-    (lib.attrValues secondaryNameServers);
 
-  domainZone = pkgs.substituteAll {
-    src = ../../config/dns/${domain}.zone;
-    ploverWANIPv4 = interfaces.wan.IPv4.address;
-    ploverWANIPv6 = interfaces.wan.IPv6.address;
+  zonesDir = "/etc/bind/zones";
+  getZoneFile = domain: "${zonesDir}/${domain}.zone";
+
+  zonefile = pkgs.substituteAll {
+    src = ../setups/dns/zones/${domain}.zone;
+    ploverWANIPv4 = config.state.network.ipv4;
+    ploverWANIPv6 = config.state.network.ipv6;
   };
 
   fqdnZone = pkgs.substituteAll {
-    src = ../../config/dns/${fqdn}.zone;
-    ploverLANIPv4 = interfaces.lan.IPv4.address;
-    ploverLANIPv6 = interfaces.lan.IPv6.address;
+    src = ../setups/dns/zones/${fqdn}.zone;
+    ploverWANIPv4 = config.state.network.ipv4;
+    ploverWANIPv6 = config.state.network.ipv6;
   };
 
-  zonesDir = "/etc/bind/zones";
-  zoneFile = domain: "${zonesDir}/${domain}.zone";
-
   dnsSubdomain = "ns1.${domain}";
-  dnsOverHTTPSPort = 8443;
 in
 {
   options.hosts.plover.services.dns-server.enable =
@@ -38,6 +32,13 @@ in
 
   config = lib.mkIf cfg.enable (lib.mkMerge [
     {
+      state.ports = {
+        bindStatistics.value = 9423;
+        dns.value = 53;
+        dnsOverHTTPS.value = 8443;
+        dnsOverTLS.value = 853;
+      };
+
       sops.secrets =
         let
           dnsFileAttribute = {
@@ -46,10 +47,7 @@ in
             mode = "0400";
           };
         in
-        foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
-          "dns/${domain}/mailbox-security-key" = dnsFileAttribute;
-          "dns/${domain}/mailbox-security-key-record" = dnsFileAttribute;
-          "dns/${domain}/keybase-verification-key" = dnsFileAttribute;
+        foodogsquaredLib.sops-nix.getSecrets ./secrets.yaml {
           "dns/${domain}/rfc2136-key" = dnsFileAttribute // {
             reloadUnits = [ "bind.service" ];
           };
@@ -69,16 +67,18 @@ in
 
         listenOn = [
           "127.0.0.1"
-          interfaces.lan.IPv4.address
-          interfaces.wan.IPv4.address
+          config.state.network.ipv4
         ];
 
         listenOnIpv6 = [
           "::1"
-          interfaces.lan.IPv6.address
-          interfaces.wan.IPv6.address
+          config.state.network.ipv6
         ];
 
+        extraConfig = ''
+          include "${config.state.paths.dataDir}/dns/*-dnskeys.conf";
+        '';
+
         # Welp, since the template is pretty limited, we'll have to go with our
         # own. This is partially based from the NixOS Bind module except without
         # the template for filling in zones since we use views.
@@ -110,7 +110,7 @@ in
               endpoints { "/dns-query"; };
             };
 
-            acl trusted { ${lib.concatStringsSep "; " (clientNetworks ++ serverNetworks)}; localhost; };
+            acl trusted { ${lib.concatStringsSep "; " [ "10.0.0.0/8" ]}; localhost; };
             acl cachenetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} };
             acl badnetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.blockedNetworks} };
 
@@ -124,7 +124,8 @@ in
               listen-on-v6 tls ${dnsSubdomain} { ${listenInterfacesIpv6} };
 
               # DNS-over-HTTPS.
-              https-port ${builtins.toString dnsOverHTTPSPort};
+              tls-port ${builtins.toString config.state.ports.dnsOverTLS.value};
+              https-port ${builtins.toString config.state.ports.dnsOverHTTPS.value};
               listen-on tls ${dnsSubdomain} http ${dnsSubdomain} { ${listenInterfaces} };
               listen-on-v6 tls ${dnsSubdomain} http ${dnsSubdomain} { ${listenInterfacesIpv6} };
 
@@ -147,14 +148,14 @@ in
 
               zone "${fqdn}" {
                 type primary;
-                file "${zoneFile fqdn}";
+                file "${getZoneFile fqdn}";
               };
 
               zone "${domain}" {
                 type primary;
 
-                file "${zoneFile domain}";
-                allow-transfer { ${lib.concatStringsSep "; " secondaryNameServersIPs}; };
+                file "${getZoneFile domain}";
+                allow-transfer { ${lib.concatStringsSep "; " config.state.network.secondaryNameservers}; };
                 update-policy {
                   grant rfc2136key.${domain}. zonesub TXT;
                 };
@@ -182,22 +183,15 @@ in
         path = with pkgs; [ replace-secret ];
         preStart =
           let
-            domainZone' = zoneFile domain;
-            fqdnZone' = zoneFile fqdn;
-            secretPath = path: config.sops.secrets."dns/${path}".path;
-            rndc = lib.getExe' config.services.bind.package "rndc";
+            domainZone' = getZoneFile domain;
+            fqdnZone' = getZoneFile fqdn;
           in
           lib.mkAfter ''
             # Install the domain zone.
-            {
-              install -Dm0600 '${domainZone}' '${domainZone'}'
-              replace-secret '#mailboxSecurityKey#' '${secretPath "${domain}/mailbox-security-key"}' '${domainZone'}'
-              replace-secret '#mailboxSecurityKeyRecord#' '${secretPath "${domain}/mailbox-security-key-record"}' '${domainZone'}'
-              #${rndc} sync "${domain}" IN external
-            }
+            [ -f ${lib.escapeShellArg domainZone'} ] && install -Dm0600 ${zonefile} ${lib.escapeShellArg domainZone'}
 
             # Install the internal DNS zones.
-            install -Dm0600 '${fqdnZone}' '${fqdnZone'}'
+            [ -f ${lib.escapeShellArg fqdnZone'} ] && install -Dm0600 '${fqdnZone}' ${lib.escapeShellArg fqdnZone'}
           '';
 
         serviceConfig = {
@@ -287,6 +281,14 @@ in
       security.dhparams.params.bind.bits = 4096;
     }
 
+    (lib.mkIf hostCfg.setups.monitoring.enable {
+      services.bind.extraConfig = ''
+        statistics-channels {
+          inet 127.0.0.1 port ${builtins.toString config.state.ports.bindStatistics.value} allow { 127.0.0.1; };
+        };
+      '';
+    })
+
     (lib.mkIf hostCfg.services.reverse-proxy.enable {
       # Making this with nginx.
       services.nginx.upstreams.local-dns = {
@@ -294,7 +296,7 @@ in
           zone dns 64k;
         '';
         servers = {
-          "127.0.0.1:${builtins.toString dnsOverHTTPSPort}" = { };
+          "127.0.0.1:${builtins.toString config.state.ports.dnsOverHTTPS.value}" = { };
         };
       };
 
@@ -329,23 +331,19 @@ in
           proxy_pass dns_servers;
         }
       '';
-
     })
 
     # Set up the firewall. Take note the ports with the transport layer being
     # accepted in Bind.
     (lib.mkIf hostCfg.services.firewall.enable {
-      networking.firewall =
-        let
-          ports = [
-            53 # DNS
-            853 # DNS-over-TLS/DNS-over-QUIC
-          ];
-        in
-        {
-          allowedUDPPorts = ports;
-          allowedTCPPorts = ports;
-        };
+      networking.firewall = {
+        allowedUDPPorts = [ config.state.ports.dns.value ];
+        allowedTCPPorts = with config.state.ports; [
+          dns.value
+          dnsOverHTTPS.value
+          dnsOverTLS.value
+        ];
+      };
     })
 
     # Add the following to be backed up.

configs/nixos/plover/modules/services/dns-server/secrets.yaml

@@ -0,0 +1,23 @@
+dns:
+    foodogsquared.one:
+        rfc2136-key: ENC[AES256_GCM,data:wrYDf+kxNmRnEQdSyqNPtJCHHTnmoSUfZd+zgOKOxGJuggOKVLKinyQTqbHNlBr8Ww3mQSxJQHuUmlUlmBFadWD6jli/89V3g3Yf8Dfmp04dZqxxyeVf4tAfZPYxhvMYv3b3Vf8iwPVo+6wLp/sUjISj32zsUNqXv62Z,iv:HYWW6kCUrBfE9tK3TbocVgFNgemz4lMSrwXork7EYtQ=,tag:f40LfresTPzzBojGrRuS7g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1yftkhugwrdnlpl45lthrhvvk720zza2nd085sxvjcxg2guavz3kquktplx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNXRmbXB6YWJxa0w1R3Rh
+            ZzVjMHNtdStETXkraEhrbVVIQWtRT1FEbWcwCiszSmFTR2s4RUI1SlJWL3RMTHN2
+            a1Qva1Z5TC9PU3hSd2xHczdaZkdnelEKLS0tIE1kQ2FhV3hOY3lHbEx1SUlLSi9X
+            NHY2MWtSZEtKUkdJa1dnT0VhQWN1dUUKbi24Rv2vAT5teHt9dKltJyKjLpLDuYDw
+            SxoVKJ6zgEnkwhByAQwHKwwd6fSgPicl2b0kNGUJrooHlwHEUqsDMw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-19T13:08:29Z"
+    mac: ENC[AES256_GCM,data:K7u79dy6X9UtX/nlAuFLUgeU01j12BzGdibdDMmuCc0GEE6+SsByDxf9t1CK1eOlUyJZr1978cjvaYLR3DAv7gTnicBT4r0T6UM6qF0uD4OvlFAKOPz9oUf972NIjAHE2OO4gTHUbOPtIjFGrZSHXmFzQIbG8QAmNmKTPTGF2Fo=,iv:HFsc7i4CtbZCYEAdhbb7tt5D0xDj54oU7DkSDUAmcLY=,tag:m055t7fHlIUUvVKs39LhOA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0

configs/nixos/plover/modules/services/dns-server/zones/foodogsquared.one.zone

@@ -4,7 +4,7 @@ $TTL 12h
 $ORIGIN foodogsquared.one.
 
 @	3600	IN	SOA	ns1 hostmaster (
-				2023100801 	; serial number
+				2024091701 	; serial number
 				1h		; refresh
 				15m		; update retry
 				3w		; expiry
@@ -15,29 +15,22 @@ $ORIGIN foodogsquared.one.
 	3600	IN	NS	robotns3.second-ns.com.
 
 ; Setting up the mail-related DNS entries.
-; For future references, please the see the following document at
-; https://kb.mailbox.org/en/private/e-mail-article/using-e-mail-addresses-of-your-domain
-@	IN	MX	10 mxext1.mailbox.org.
-	IN	MX	10 mxext2.mailbox.org.
-	IN	MX	20 mxext3.mailbox.org.
-	IN	TXT	v=spf1 include:mailbox.org ~all
+; https://mxroutedocs.com/
+@	IN	MX	10 heracles.mxrouting.net.
+	IN	MX	20 heracles-relay.mxrouting.net.
+	IN	TXT	"v=spf1 include:mxlogin.com -all"
+
+; Protect the validity of my emails sent by me!!!!
+x._domainkey	3600	IN	TXT	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyLlrgdsO4jLncMoGAowlE14oB9R2ESxNLRBtkzc24LOPJ1CwEIE+5AHZd+ZRMwiD7fdXcyCH7/E1BRXWT+TtLnKnBgf5I0z6EbPqiPPb6nmpDWrbZzA2mdKetAKz0kFJC8oYK7lQF7Bdh57y/HWksoH6yjl1E88m8tEQ/thlyABGjqzV+txgmc1BryFu23KasqI2c4We/KgvsoSSAaUHkjpAMCuJck/P0G9mJWyTHrnZN2gCotyenLBZew0BIbiA2XYp6dQW4sU+MawfZ0E1KA0lem0SRYCB+sGD248uj4xVo9sIiCVyO9EQXy/YCZTeuTQHf1+QeFzI82vIrlv63QIDAQAB"
+
+; Protect my domain email from spoofing.
+_dmarc	400	IN	TXT	"v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one;ruf=mailto:admin@foodogsquared.one"
+
+
 
 ; Keybase verification key.
 @	3600	IN	TXT	#keybaseVerificationKey#
 
-; This is something that is needed for mailbox.org to verify it is indeed in my
-; domain.
-#mailboxSecurityKey#	3600	IN	TXT	#mailboxSecurityKeyRecord#
-
-; Protect the validity of my emails sent by me!!!!
-MBO0001._domainkey	IN	CNAME	MBO0001._domainkey.mailbox.org.
-MBO0002._domainkey	IN	CNAME	MBO0002._domainkey.mailbox.org.
-MBO0003._domainkey	IN	CNAME	MBO0003._domainkey.mailbox.org.
-MBO0004._domainkey	IN	CNAME	MBO0004._domainkey.mailbox.org.
-
-; Protect my domain email from spoofing.
-_dmarc	400	IN	TXT	v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one;ruf=mailto:admin@foodogsquared.one
-
 ; This will make PGP clients find my public key for the email.
 _hkps._tcp	IN	SRV	1 1 443 pgp.mailbox.org.