hosts/plover: update DNS server settings

Gabriel Arazas 2023-06-11 12:26:59 +08:00
parent 271750f755
commit bfb4837627
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC


@ -6,7 +6,7 @@
# on you. Either that or we can easily move the resolver somewhere else. # on you. Either that or we can easily move the resolver somewhere else.
let let
inherit (config.networking) domain fqdn; inherit (config.networking) domain fqdn;
inherit (import ../hardware/networks.nix) privateIPv6Prefix interfaces clientNetworks serverNetworks secondaryNameServers; inherit (import ../hardware/networks.nix) privateIPv6Prefix interfaces clientNetworks serverNetworks secondaryNameServers wireguardPeers;
dnsSubdomain = "ns1"; dnsSubdomain = "ns1";
dnsDomainName = "${dnsSubdomain}.${domain}"; dnsDomainName = "${dnsSubdomain}.${domain}";
@ -38,12 +38,20 @@ let
allowedIPs = secondaryNameServersIPv4 ++ [ "172.16.0.0/12" ]; allowedIPs = secondaryNameServersIPv4 ++ [ "172.16.0.0/12" ];
allowedIPv6s = secondaryNameServersIPv6 ++ [ "${privateIPv6Prefix}::/48" ]; allowedIPv6s = secondaryNameServersIPv6 ++ [ "${privateIPv6Prefix}::/48" ];
dnsListenAddresses = with interfaces; [ dnsListenInterfaces = (with interfaces; [
# For whatever reason, I would say though I don't think it is wise to
# attach one in this interface.
internal.IPv4.address internal.IPv4.address
internal.IPv6.address internal.IPv6.address
# This is needed for the secondary name servers to reach the DNS records
# (or at least I think).
main'.IPv4.address main'.IPv4.address
main'.IPv6.address main'.IPv6.address
]; ]) ++ (with wireguardPeers.server; [
# This is for use from Wireguard peers.
IPv4 IPv6
]);
in in
{ {
sops.secrets = sops.secrets =
@ -73,10 +81,12 @@ in
# Setting up the firewall to make less things to screw up in case anything is # Setting up the firewall to make less things to screw up in case anything is
# screwed up. # screwed up.
networking.firewall.extraInputRules = '' networking.firewall.extraInputRules = ''
meta l4proto {tcp, udp} th dport 53 ip saddr { ${lib.concatStringsSep ", " allowedIPs} } accept comment "Accept DNS queries from secondary nameservers and private networks" meta l4proto {tcp, udp} th dport domain ip saddr { ${lib.concatStringsSep ", " allowedIPs} } accept comment "Accept DNS queries from secondary nameservers and private networks"
meta l4proto {tcp, udp} th dport 53 ip6 saddr { ${lib.concatStringsSep ", " allowedIPv6s} } accept comment "Accept DNS queries from secondary nameservers and private networks" meta l4proto {tcp, udp} th dport domain ip6 saddr { ${lib.concatStringsSep ", " allowedIPv6s} } accept comment "Accept DNS queries from secondary nameservers and private networks"
''; '';
networking.nameservers = dnsListenInterfaces;
# The main DNS server. # The main DNS server.
services.coredns = { services.coredns = {
enable = true; enable = true;
@ -91,15 +101,18 @@ in
# https://docs.hetzner.com/dns-console/dns/general/dnssec # https://docs.hetzner.com/dns-console/dns/general/dnssec
config = '' config = ''
. { . {
forward . /etc/resolv.conf
log ${domain} ${fqdn} { log ${domain} ${fqdn} {
class success error class success error
} }
errors { errors {
consolidate 1m "^.* no next plugin found$" consolidate 1m "^.* no next plugin found$"
consolidate 5m "^.* i/o timeout$"
} }
bind lo ${lib.concatStringsSep " " dnsListenAddresses} { bind ${lib.concatStringsSep " " dnsListenInterfaces} {
# These are already taken from systemd-resolved. # These are already taken from systemd-resolved.
except 127.0.0.53 127.0.0.54 except 127.0.0.53 127.0.0.54
} }
@ -143,17 +156,13 @@ in
to ${lib.concatStringsSep " " secondaryNameServersIPs} to ${lib.concatStringsSep " " secondaryNameServersIPs}
} }
} }
tls://. {
tls {$CREDENTIALS_DIRECTORY}/cert.pem {$CREDENTIALS_DIRECTORY}/key.pem {$CREDENTIALS_DIRECTORY}/fullchain.pem
forward . /etc/resolv.conf
}
''; '';
}; };
# This is based from the Gitea pre-start script. # This is based from the Gitea pre-start script.
systemd.services.${corednsServiceName} = { systemd.services.${corednsServiceName} = {
requires = [ "acme-finished-${dnsDomainName}.target" ]; requires = [ "acme-finished-${dnsDomainName}.target" ];
preStart = preStart =
let let
secretsPath = path: config.sops.secrets."plover/${path}".path; secretsPath = path: config.sops.secrets."plover/${path}".path;
@ -165,6 +174,8 @@ in
${replaceSecretBin} '#mailboxSecurityKey#' '${secretsPath "dns/${domain}/mailbox-security-key"}' '${domainZoneFile'}' ${replaceSecretBin} '#mailboxSecurityKey#' '${secretsPath "dns/${domain}/mailbox-security-key"}' '${domainZoneFile'}'
${replaceSecretBin} '#mailboxSecurityKeyRecord#' '${secretsPath "dns/${domain}/mailbox-security-key-record"}' '${domainZoneFile'}' ${replaceSecretBin} '#mailboxSecurityKeyRecord#' '${secretsPath "dns/${domain}/mailbox-security-key-record"}' '${domainZoneFile'}'
''; '';
# Though DNSSEC is disabled for now, we'll set it up in anticipation.
serviceConfig.LoadCredential = serviceConfig.LoadCredential =
let let
certDirectory = certs."${dnsDomainName}".directory; certDirectory = certs."${dnsDomainName}".directory;
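Review bot: The `forward . /etc/resolv.conf` line in the catch-all `.` block (hunk `@ -91,15 +101,18 @@`) combined with `networking.nameservers = dnsListenInterfaces;` (hunk `@ -73,10 +81,12 @@`) looks like it can form a resolution loop: the host's own resolver is pointed at CoreDNS, while CoreDNS forwards every non-authoritative query to whatever `/etc/resolv.conf` lists, and with systemd-resolved in play (the `except 127.0.0.53 127.0.0.54` line suggests it is) that is the stub whose upstreams are these same addresses. If that reading holds, forward to explicit upstream addresses instead, e.g. `forward . <UPSTREAM_RESOLVER_IP>` (placeholder), or add the `loop` plugin to the `.` block so a loop fails at startup rather than under query load. The same `forward` also makes the server a recursive forwarder on every address in `dnsListenInterfaces`, now including `main'`, for any source the nftables rule accepts — the secondary nameservers' public ranges among them — so either a comment recording that this is intended or an `acl` block limiting recursion to the private and WireGuard ranges would be worth adding. The `tls://.` server block is removed here, but any matching firewall rule for the DNS-over-TLS port is outside this diff and should be checked for removal alongside it.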