From bfb483762776633a6c00c28c7cce4b7e38e3754b Mon Sep 17 00:00:00 2001 From: Gabriel Arazas Date: Sun, 11 Jun 2023 12:26:59 +0800 Subject: [PATCH] hosts/plover: update DNS server settings --- hosts/plover/modules/services/coredns.nix | 33 +++++++++++++++-------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/hosts/plover/modules/services/coredns.nix b/hosts/plover/modules/services/coredns.nix index 39da8400..5ad49deb 100644 --- a/hosts/plover/modules/services/coredns.nix +++ b/hosts/plover/modules/services/coredns.nix @@ -6,7 +6,7 @@ # on you. Either that or we can easily move the resolver somewhere else. let inherit (config.networking) domain fqdn; - inherit (import ../hardware/networks.nix) privateIPv6Prefix interfaces clientNetworks serverNetworks secondaryNameServers; + inherit (import ../hardware/networks.nix) privateIPv6Prefix interfaces clientNetworks serverNetworks secondaryNameServers wireguardPeers; dnsSubdomain = "ns1"; dnsDomainName = "${dnsSubdomain}.${domain}"; @@ -38,12 +38,20 @@ let allowedIPs = secondaryNameServersIPv4 ++ [ "172.16.0.0/12" ]; allowedIPv6s = secondaryNameServersIPv6 ++ [ "${privateIPv6Prefix}::/48" ]; - dnsListenAddresses = with interfaces; [ + dnsListenInterfaces = (with interfaces; [ + # For whatever reason, I would say though I don't think it is wise to + # attach one in this interface. internal.IPv4.address internal.IPv6.address + + # This is needed for the secondary name servers to reach the DNS records + # (or at least I think). main'.IPv4.address main'.IPv6.address - ]; + ]) ++ (with wireguardPeers.server; [ + # This is for use from Wireguard peers. + IPv4 IPv6 + ]); in { sops.secrets = @@ -73,10 +81,12 @@ in # Setting up the firewall to make less things to screw up in case anything is # screwed up. networking.firewall.extraInputRules = '' - meta l4proto {tcp, udp} th dport 53 ip saddr { ${lib.concatStringsSep ", " allowedIPs} } accept comment "Accept DNS queries from secondary nameservers and private networks" - meta l4proto {tcp, udp} th dport 53 ip6 saddr { ${lib.concatStringsSep ", " allowedIPv6s} } accept comment "Accept DNS queries from secondary nameservers and private networks" + meta l4proto {tcp, udp} th dport domain ip saddr { ${lib.concatStringsSep ", " allowedIPs} } accept comment "Accept DNS queries from secondary nameservers and private networks" + meta l4proto {tcp, udp} th dport domain ip6 saddr { ${lib.concatStringsSep ", " allowedIPv6s} } accept comment "Accept DNS queries from secondary nameservers and private networks" ''; + networking.nameservers = dnsListenInterfaces; + # The main DNS server. services.coredns = { enable = true; @@ -91,15 +101,18 @@ in # https://docs.hetzner.com/dns-console/dns/general/dnssec config = '' . { + forward . /etc/resolv.conf + log ${domain} ${fqdn} { class success error } errors { consolidate 1m "^.* no next plugin found$" + consolidate 5m "^.* i/o timeout$" } - bind lo ${lib.concatStringsSep " " dnsListenAddresses} { + bind ${lib.concatStringsSep " " dnsListenInterfaces} { # These are already taken from systemd-resolved. except 127.0.0.53 127.0.0.54 } @@ -143,17 +156,13 @@ in to ${lib.concatStringsSep " " secondaryNameServersIPs} } } - - tls://. { - tls {$CREDENTIALS_DIRECTORY}/cert.pem {$CREDENTIALS_DIRECTORY}/key.pem {$CREDENTIALS_DIRECTORY}/fullchain.pem - forward . /etc/resolv.conf - } ''; }; # This is based from the Gitea pre-start script. systemd.services.${corednsServiceName} = { requires = [ "acme-finished-${dnsDomainName}.target" ]; + preStart = let secretsPath = path: config.sops.secrets."plover/${path}".path; @@ -165,6 +174,8 @@ in ${replaceSecretBin} '#mailboxSecurityKey#' '${secretsPath "dns/${domain}/mailbox-security-key"}' '${domainZoneFile'}' ${replaceSecretBin} '#mailboxSecurityKeyRecord#' '${secretsPath "dns/${domain}/mailbox-security-key-record"}' '${domainZoneFile'}' ''; + + # Though DNSSEC is disabled for now, we'll set it up in anticipation. serviceConfig.LoadCredential = let certDirectory = certs."${dnsDomainName}".directory;