From ab883950020c58f7b8e94086512d573dd9283039 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Fri, 20 Sep 2024 12:33:26 +0800
Subject: [PATCH] hosts/plover: update DNS server config
---
 configs/nixos/plover/modules/default.nix | 2 +-
 .../default.nix} | 104 +++++++++---------
 .../modules/services/dns-server/secrets.yaml | 23 ++++
 .../dns-server/zones}/foodogsquared.one.zone | 33 +++---
 .../zones}/plover.foodogsquared.one.zone | 0
 5 files changed, 88 insertions(+), 74 deletions(-)
 rename configs/nixos/plover/modules/services/{dns-server.nix => dns-server/default.nix} (80%)
 create mode 100644 configs/nixos/plover/modules/services/dns-server/secrets.yaml
 rename configs/nixos/plover/{config/dns => modules/services/dns-server/zones}/foodogsquared.one.zone (71%)
 rename configs/nixos/plover/{config/dns => modules/services/dns-server/zones}/plover.foodogsquared.one.zone (100%)
diff --git a/configs/nixos/plover/modules/default.nix b/configs/nixos/plover/modules/default.nix
index 1e099ed6..aaf002df 100644
--- a/configs/nixos/plover/modules/default.nix
+++ b/configs/nixos/plover/modules/default.nix
@@ -11,7 +11,7 @@
 ./services/database.nix
 # The primary DNS server that is completely hidden.
- ./services/dns-server.nix
+ ./services/dns-server
 # The single-sign on setup.
 ./services/idm.nix
diff --git a/configs/nixos/plover/modules/services/dns-server.nix b/configs/nixos/plover/modules/services/dns-server/default.nix
similarity index 80%
rename from configs/nixos/plover/modules/services/dns-server.nix
rename to configs/nixos/plover/modules/services/dns-server/default.nix
index b9d37f38..90f17a4b 100644
--- a/configs/nixos/plover/modules/services/dns-server.nix
+++ b/configs/nixos/plover/modules/services/dns-server/default.nix
@@ -8,29 +8,23 @@ let cfg = hostCfg.services.dns-server; inherit (config.networking) domain fqdn; - inherit (import ../hardware/networks.nix) interfaces clientNetworks serverNetworks secondaryNameServers; - secondaryNameServersIPs = lib.foldl' - (total: addresses: total ++ addresses.IPv4 ++ addresses.IPv6) - [ ] - (lib.attrValues secondaryNameServers); - domainZone = pkgs.substituteAll { - src = ../../config/dns/${domain}.zone; - ploverWANIPv4 = interfaces.wan.IPv4.address; - ploverWANIPv6 = interfaces.wan.IPv6.address; + zonesDir = "/etc/bind/zones"; + getZoneFile = domain: "${zonesDir}/${domain}.zone"; + + zonefile = pkgs.substituteAll { + src = ../setups/dns/zones/${domain}.zone; + ploverWANIPv4 = config.state.network.ipv4; + ploverWANIPv6 = config.state.network.ipv6; }; fqdnZone = pkgs.substituteAll { - src = ../../config/dns/${fqdn}.zone; - ploverLANIPv4 = interfaces.lan.IPv4.address; - ploverLANIPv6 = interfaces.lan.IPv6.address; + src = ../setups/dns/zones/${fqdn}.zone; + ploverWANIPv4 = config.state.network.ipv4; + ploverWANIPv6 = config.state.network.ipv6; }; - zonesDir = "/etc/bind/zones"; - zoneFile = domain: "${zonesDir}/${domain}.zone"; - dnsSubdomain = "ns1.${domain}"; - dnsOverHTTPSPort = 8443; in { options.hosts.plover.services.dns-server.enable = @@ -38,6 +32,13 @@ in config = lib.mkIf cfg.enable (lib.mkMerge [ { + state.ports = { + bindStatistics.value = 9423; + dns.value = 53; + dnsOverHTTPS.value = 8443; + dnsOverTLS.value = 853; + }; + sops.secrets = let dnsFileAttribute = { @@ -46,10 +47,7 @@ in mode = "0400"; }; in - foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml { - "dns/${domain}/mailbox-security-key" = dnsFileAttribute; - "dns/${domain}/mailbox-security-key-record" = dnsFileAttribute; - "dns/${domain}/keybase-verification-key" = dnsFileAttribute; + foodogsquaredLib.sops-nix.getSecrets ./secrets.yaml { "dns/${domain}/rfc2136-key" = dnsFileAttribute // { reloadUnits = [ "bind.service" ]; }; 
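Review bot: `src = ../setups/dns/zones/${domain}.zone;` in the new `zonefile` and `fqdnZone` bindings does not point at where this patch puts the zone files: the diffstat renames them to `configs/nixos/plover/modules/services/dns-server/zones/`, which from `dns-server/default.nix` is `./zones/${domain}.zone`, so evaluation will fail unless a `modules/services/setups/dns/zones/` directory exists outside this patch. The `fqdnZone` call also switches its substitution variables from `ploverLANIPv4`/`ploverLANIPv6` to `ploverWANIPv4`/`ploverWANIPv6` while `plover.foodogsquared.one.zone` is renamed at 100% similarity, so if that zone still contains `@ploverLANIPv4@`/`@ploverLANIPv6@` placeholders they will be installed verbatim and BIND will refuse the internal zone; either keep the LAN variable names or update that zone file in the same commit. The `let` block this hunk edits continues outside the hunk.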
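Review bot: The `dns/${domain}/keybase-verification-key` secret is dropped from `sops.secrets` in the third hunk, yet `foodogsquared.one.zone` still carries the `#keybaseVerificationKey#` placeholder (kept as context in that file's second hunk) and the rewritten `preStart` later in this patch no longer runs `replace-secret` at all, so unless substitution happens somewhere not visible here the literal placeholder is published as a TXT record. Either remove the placeholder line from the zone or keep the secret and its `replace-secret` step; a short comment on the `getSecrets` call stating which placeholders the zones still expect would make this easy to check. The `sops.secrets` expression begins outside the hunk.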
@@ -69,16 +67,18 @@ in listenOn = [ "127.0.0.1" - interfaces.lan.IPv4.address - interfaces.wan.IPv4.address + config.state.network.ipv4 ]; listenOnIpv6 = [ "::1" - interfaces.lan.IPv6.address - interfaces.wan.IPv6.address + config.state.network.ipv6 ]; + extraConfig = '' + include "${config.state.paths.dataDir}/dns/*-dnskeys.conf"; + ''; + # Welp, since the template is pretty limited, we'll have to go with our # own. This is partially based from the NixOS Bind module except without # the template for filling in zones since we use views. @@ -110,7 +110,7 @@ in endpoints { "/dns-query"; }; }; - acl trusted { ${lib.concatStringsSep "; " (clientNetworks ++ serverNetworks)}; localhost; }; + acl trusted { ${lib.concatStringsSep "; " [ "10.0.0.0/8" ]}; localhost; }; acl cachenetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} }; acl badnetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.blockedNetworks} }; @@ -124,7 +124,8 @@ in listen-on-v6 tls ${dnsSubdomain} { ${listenInterfacesIpv6} }; # DNS-over-HTTPS. - https-port ${builtins.toString dnsOverHTTPSPort}; + tls-port ${builtins.toString config.state.ports.dnsOverTLS.value}; + https-port ${builtins.toString config.state.ports.dnsOverHTTPS.value}; listen-on tls ${dnsSubdomain} http ${dnsSubdomain} { ${listenInterfaces} }; listen-on-v6 tls ${dnsSubdomain} http ${dnsSubdomain} { ${listenInterfacesIpv6} }; @@ -147,14 +148,14 @@ in zone "${fqdn}" { type primary; - file "${zoneFile fqdn}"; + file "${getZoneFile fqdn}"; }; zone "${domain}" { type primary; - file "${zoneFile domain}"; - allow-transfer { ${lib.concatStringsSep "; " secondaryNameServersIPs}; }; + file "${getZoneFile domain}"; + allow-transfer { ${lib.concatStringsSep "; " config.state.network.secondaryNameservers}; }; update-policy { grant rfc2136key.${domain}. zonesub TXT; }; 
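Review bot: `acl trusted { ${lib.concatStringsSep "; " [ "10.0.0.0/8" ]}; localhost; };` replaces the explicit `clientNetworks ++ serverNetworks` with the entire 10/8 range, widening whatever the `trusted` ACL gates (its uses are outside this hunk) to every 10.x source; if that is intended, a comment stating why the whole /8 is trusted belongs here, and the single-element `concatStringsSep` can simply be written as `acl trusted { 10.0.0.0/8; localhost; };`. In the first hunk, `include "${config.state.paths.dataDir}/dns/*-dnskeys.conf";` relies on named.conf's `include` expanding the `*` wildcard; I am not aware that it does, so confirm this against the installed BIND version, since otherwise named fails to start on a missing file. The `services.bind` attribute set these hunks edit begins and ends outside them.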
@@ -182,22 +183,15 @@ in path = with pkgs; [ replace-secret ]; preStart = let - domainZone' = zoneFile domain; - fqdnZone' = zoneFile fqdn; - secretPath = path: config.sops.secrets."dns/${path}".path; - rndc = lib.getExe' config.services.bind.package "rndc"; + domainZone' = getZoneFile domain; + fqdnZone' = getZoneFile fqdn; in lib.mkAfter '' # Install the domain zone. - { - install -Dm0600 '${domainZone}' '${domainZone'}' - replace-secret '#mailboxSecurityKey#' '${secretPath "${domain}/mailbox-security-key"}' '${domainZone'}' - replace-secret '#mailboxSecurityKeyRecord#' '${secretPath "${domain}/mailbox-security-key-record"}' '${domainZone'}' - #${rndc} sync "${domain}" IN external - } + [ -f ${lib.escapeShellArg domainZone'} ] && install -Dm0600 ${zonefile} ${lib.escapeShellArg domainZone'} # Install the internal DNS zones. - install -Dm0600 '${fqdnZone}' '${fqdnZone'}' + [ -f ${lib.escapeShellArg fqdnZone'} ] && install -Dm0600 '${fqdnZone}' ${lib.escapeShellArg fqdnZone'} ''; serviceConfig = { @@ -287,6 +281,14 @@ in security.dhparams.params.bind.bits = 4096; } + (lib.mkIf hostCfg.setups.monitoring.enable { + services.bind.extraConfig = '' + statistics-channels { + inet 127.0.0.1 port ${builtins.toString config.state.ports.bindStatistics.value} allow { 127.0.0.1; }; + }; + ''; + }) + (lib.mkIf hostCfg.services.reverse-proxy.enable { # Making this with nginx. services.nginx.upstreams.local-dns = { @@ -294,7 +296,7 @@ in zone dns 64k; ''; servers = { - "127.0.0.1:${builtins.toString dnsOverHTTPSPort}" = { }; + "127.0.0.1:${builtins.toString config.state.ports.dnsOverHTTPS.value}" = { }; }; }; 
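Review bot: `[ -f ${lib.escapeShellArg domainZone'} ] && install -Dm0600 ${zonefile} ${lib.escapeShellArg domainZone'}` installs the zone only when the target already exists, so on a fresh host nothing is ever written to `/etc/bind/zones`, and because this `lib.mkAfter` block ends the script, the failing `[ -f … ]` on the last line becomes the script's exit status and `bind.service`'s preStart most likely fails on first boot. If the intent is to avoid clobbering a zone that RFC 2136 updates have since modified (the `update-policy` granted on `${domain}` in an earlier hunk), the test should be negated, `[ -f "$target" ] || install -Dm0600 … "$target"`, and the same applies to the `fqdnZone` line two lines below. Quoting is also inconsistent between the two lines (`${zonefile}` bare, `'${fqdnZone}'` quoted) and the leftover `# Install the domain zone.` comment still describes the removed `replace-secret` block. The `preStart` attribute continues outside the hunk.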
@@ -329,23 +331,19 @@ in proxy_pass dns_servers; } ''; - }) # Set up the firewall. Take note the ports with the transport layer being # accepted in Bind. (lib.mkIf hostCfg.services.firewall.enable { - networking.firewall = - let - ports = [ - 53 # DNS - 853 # DNS-over-TLS/DNS-over-QUIC - ]; - in - { - allowedUDPPorts = ports; - allowedTCPPorts = ports; - }; + networking.firewall = { + allowedUDPPorts = [ config.state.ports.dns.value ]; + allowedTCPPorts = with config.state.ports; [ + dns.value + dnsOverHTTPS.value + dnsOverTLS.value + ]; + }; }) # Add the following to be backed up. diff --git a/configs/nixos/plover/modules/services/dns-server/secrets.yaml b/configs/nixos/plover/modules/services/dns-server/secrets.yaml new file mode 100644 index 00000000..6adfb201 --- /dev/null +++ b/configs/nixos/plover/modules/services/dns-server/secrets.yaml 
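Review bot: `allowedTCPPorts` now opens `dnsOverHTTPS.value` (8443) on the host firewall, whereas the reverse-proxy hunk above keeps nginx proxying to `127.0.0.1:8443`, so BIND's raw HTTPS listener becomes reachable from outside in addition to the nginx-fronted path; if only the proxied endpoint should be exposed, drop `dnsOverHTTPS.value` from the list and say so in the `# Set up the firewall.` comment. The hunk also deletes the `})` that closed `(lib.mkIf hostCfg.services.reverse-proxy.enable {` without adding a replacement, so unless the unseen lines between the two hunks close it, the firewall `lib.mkIf` ends up inside that attribute set and the module will not parse — worth a `nix eval` before merging. The `lib.mkMerge` list this hunk edits begins and ends outside the hunk.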
@@ -0,0 +1,23 @@
+dns:
+ foodogsquared.one:
+ rfc2136-key: ENC[AES256_GCM,data:wrYDf+kxNmRnEQdSyqNPtJCHHTnmoSUfZd+zgOKOxGJuggOKVLKinyQTqbHNlBr8Ww3mQSxJQHuUmlUlmBFadWD6jli/89V3g3Yf8Dfmp04dZqxxyeVf4tAfZPYxhvMYv3b3Vf8iwPVo+6wLp/sUjISj32zsUNqXv62Z,iv:HYWW6kCUrBfE9tK3TbocVgFNgemz4lMSrwXork7EYtQ=,tag:f40LfresTPzzBojGrRuS7g==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1yftkhugwrdnlpl45lthrhvvk720zza2nd085sxvjcxg2guavz3kquktplx
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNXRmbXB6YWJxa0w1R3Rh
+ ZzVjMHNtdStETXkraEhrbVVIQWtRT1FEbWcwCiszSmFTR2s4RUI1SlJWL3RMTHN2
+ a1Qva1Z5TC9PU3hSd2xHczdaZkdnelEKLS0tIE1kQ2FhV3hOY3lHbEx1SUlLSi9X
+ NHY2MWtSZEtKUkdJa1dnT0VhQWN1dUUKbi24Rv2vAT5teHt9dKltJyKjLpLDuYDw
+ SxoVKJ6zgEnkwhByAQwHKwwd6fSgPicl2b0kNGUJrooHlwHEUqsDMw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-19T13:08:29Z"
+ mac: ENC[AES256_GCM,data:K7u79dy6X9UtX/nlAuFLUgeU01j12BzGdibdDMmuCc0GEE6+SsByDxf9t1CK1eOlUyJZr1978cjvaYLR3DAv7gTnicBT4r0T6UM6qF0uD4OvlFAKOPz9oUf972NIjAHE2OO4gTHUbOPtIjFGrZSHXmFzQIbG8QAmNmKTPTGF2Fo=,iv:HFsc7i4CtbZCYEAdhbb7tt5D0xDj54oU7DkSDUAmcLY=,tag:m055t7fHlIUUvVKs39LhOA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/configs/nixos/plover/config/dns/foodogsquared.one.zone b/configs/nixos/plover/modules/services/dns-server/zones/foodogsquared.one.zone
similarity index 71%
rename from configs/nixos/plover/config/dns/foodogsquared.one.zone
rename to configs/nixos/plover/modules/services/dns-server/zones/foodogsquared.one.zone
index 86b023d9..0ccfb782 100644
--- a/configs/nixos/plover/config/dns/foodogsquared.one.zone
+++ b/configs/nixos/plover/modules/services/dns-server/zones/foodogsquared.one.zone
@@ -4,7 +4,7 @@ $TTL 12h $ORIGIN foodogsquared.one.
 @ 3600 IN SOA ns1 hostmaster (
- 2023100801 ; serial number
+ 2024091701 ; serial number
 1h ; refresh
 15m ; update retry
 3w ; expiry
@@ -15,29 +15,22 @@ $ORIGIN foodogsquared.one.
 3600 IN NS robotns3.second-ns.com.
 ; Setting up the mail-related DNS entries.
-; For future references, please the see the following document at
-; https://kb.mailbox.org/en/private/e-mail-article/using-e-mail-addresses-of-your-domain
-@ IN MX 10 mxext1.mailbox.org.
- IN MX 10 mxext2.mailbox.org.
- IN MX 20 mxext3.mailbox.org.
- IN TXT v=spf1 include:mailbox.org ~all
+; https://mxroutedocs.com/
+@ IN MX 10 heracles.mxrouting.net.
+ IN MX 20 heracles-relay.mxrouting.net.
+ IN TXT "v=spf1 include:mxlogin.com -all"
+
+; Protect the validity of my emails sent by me!!!!
+x._domainkey 3600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyLlrgdsO4jLncMoGAowlE14oB9R2ESxNLRBtkzc24LOPJ1CwEIE+5AHZd+ZRMwiD7fdXcyCH7/E1BRXWT+TtLnKnBgf5I0z6EbPqiPPb6nmpDWrbZzA2mdKetAKz0kFJC8oYK7lQF7Bdh57y/HWksoH6yjl1E88m8tEQ/thlyABGjqzV+txgmc1BryFu23KasqI2c4We/KgvsoSSAaUHkjpAMCuJck/P0G9mJWyTHrnZN2gCotyenLBZew0BIbiA2XYp6dQW4sU+MawfZ0E1KA0lem0SRYCB+sGD248uj4xVo9sIiCVyO9EQXy/YCZTeuTQHf1+QeFzI82vIrlv63QIDAQAB"
+
+; Protect my domain email from spoofing.
+_dmarc 400 IN TXT "v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one;ruf=mailto:admin@foodogsquared.one"
+
+
 ; Keybase verification key.
 @ 3600 IN TXT #keybaseVerificationKey#
-; This is something that is needed for mailbox.org to verify it is indeed in my
-; domain.
-#mailboxSecurityKey# 3600 IN TXT #mailboxSecurityKeyRecord#
-
-; Protect the validity of my emails sent by me!!!!
-MBO0001._domainkey IN CNAME MBO0001._domainkey.mailbox.org.
-MBO0002._domainkey IN CNAME MBO0002._domainkey.mailbox.org.
-MBO0003._domainkey IN CNAME MBO0003._domainkey.mailbox.org.
-MBO0004._domainkey IN CNAME MBO0004._domainkey.mailbox.org.
-
-; Protect my domain email from spoofing.
-_dmarc 400 IN TXT v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one;ruf=mailto:admin@foodogsquared.one
-
 ; This will make PGP clients find my public key for the email.
 _hkps._tcp IN SRV 1 1 443 pgp.mailbox.org.
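Review bot: The new `x._domainkey` TXT record is a single quoted string of roughly 410 characters, but a zone-file character-string is limited to 255 bytes, so BIND will refuse to load `foodogsquared.one.zone` with this line as written. Split the value into two quoted strings inside parentheses, each at most 255 characters — `x._domainkey 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjAN…<first part>" "<remaining base64>" )` — since resolvers concatenate the strings of one TXT record. `_hkps._tcp IN SRV 1 1 443 pgp.mailbox.org.` at the end of the hunk is unchanged and still points at the previous mail provider after the MX/SPF/DKIM move to mxroute; confirm that PGP key lookups are still meant to go there, and note it in the comment above it if so.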
diff --git a/configs/nixos/plover/config/dns/plover.foodogsquared.one.zone b/configs/nixos/plover/modules/services/dns-server/zones/plover.foodogsquared.one.zone
similarity index 100%
rename from configs/nixos/plover/config/dns/plover.foodogsquared.one.zone
rename to configs/nixos/plover/modules/services/dns-server/zones/plover.foodogsquared.one.zone