From d98527c89b8024799f0b05a47bbe8d8fbab66c52 Mon Sep 17 00:00:00 2001 From: Gabriel Arazas Date: Tue, 27 Jun 2023 22:56:18 +0800 Subject: [PATCH] hosts/plover: update Bind config for dynamic updates --- .../plover/config/dns/foodogsquared.one.zone | 4 +- hosts/plover/default.nix | 4 +- hosts/plover/modules/services/bind.nix | 108 +++++++++--------- hosts/plover/secrets/secrets.yaml | 7 +- modules/nixos/profiles/server.nix | 2 +- 5 files changed, 66 insertions(+), 59 deletions(-) diff --git a/hosts/plover/config/dns/foodogsquared.one.zone b/hosts/plover/config/dns/foodogsquared.one.zone index d35840da..b3df92a1 100644 --- a/hosts/plover/config/dns/foodogsquared.one.zone +++ b/hosts/plover/config/dns/foodogsquared.one.zone @@ -3,8 +3,8 @@ $TTL 12h $ORIGIN foodogsquared.one. -@ 3600 IN SOA ns1.first-ns.de. hostmaster.foodogsquared.one. ( - 2023062201 ; serial number +@ 3600 IN SOA ns1 hostmaster ( + 2023062601 ; serial number 1h ; refresh 15m ; update retry 3w ; expiry diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix index bad4e866..3581b7f7 100644 --- a/hosts/plover/default.nix +++ b/hosts/plover/default.nix @@ -133,10 +133,10 @@ in # DNS-related settings. We're settling by configuring the ACME setup with a # self-hosted DNS server. security.acme.defaults = { - email = "admin@foodogsquared.one"; + email = "admin+acme@foodogsquared.one"; dnsProvider = "rfc2136"; + dnsResolver = "1.1.1.1"; credentialsFile = config.sops.secrets."plover/lego/env".path; - dnsPropagationCheck = false; }; services.openssh.hostKeys = [{ diff --git a/hosts/plover/modules/services/bind.nix b/hosts/plover/modules/services/bind.nix index 8be65cdd..a3985da5 100644 --- a/hosts/plover/modules/services/bind.nix +++ b/hosts/plover/modules/services/bind.nix 
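Review bot: The new SOA MNAME `ns1` is relative to `$ORIGIN`, so it expands to `ns1.foodogsquared.one.`; the rest of the zone is outside this hunk, so make sure an A/AAAA record for `ns1` exists there and points at the host that now accepts RFC 2136 updates (`view external` in `bind.nix`), because `nsupdate`, for one, sends updates to the SOA MNAME when no server is given. Once `update-policy` is active named maintains the serial itself and keeps a `.jnl` journal beside the zone file, so `2023062601` will be superseded and later hand edits need `rndc freeze`/`rndc thaw` around them. A comment above the serial such as `; serial is managed by named once dynamic updates are enabled; freeze the zone before editing by hand` would spare the next editor that surprise.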
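Review bot: Dropping `dnsPropagationCheck = false` while adding `dnsResolver = "1.1.1.1"` appears to make lego wait until the `_acme-challenge` TXT record is visible through a public resolver and the zone's authoritative servers before asking the CA to validate; with the secondaries listed in `allow-transfer`, that wait depends on NOTIFY/AXFR reaching them after each dynamic update, so a slow secondary now shows up as a propagation timeout instead of a silent failure, which is the better trade-off but deserves a sentence in the comment above this block. The TSIG key name and secret inside the `plover/lego/env` credentials file must match the key statement that `bind.nix` includes and the `grant rfc2136key.${domain}.` rule; that cannot be verified from this diff.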
@@ -14,6 +14,8 @@ let (lib.attrValues secondaryNameServers); secondaryNameServersIPs = secondaryNameServersIPv4 ++ secondaryNameServersIPv6; + serviceUser = config.users.users.named.name; + domainZone = pkgs.substituteAll { src = ../../config/dns/${domain}.zone; ploverWANIPv4 = interfaces.wan.IPv4.address; @@ -26,7 +28,7 @@ let ploverLANIPv6 = interfaces.lan.IPv6.address; }; - zonesDir = "/var/db/dns"; + zonesDir = "/etc/bind/zones"; zoneFile = domain: "${zonesDir}/${domain}.zone"; localhostIP = [ @@ -48,6 +50,8 @@ let "::1" # Loopback "${privateIPv6Prefix}::/48" # Private uses ]; + + internalsACL = clientNetworks ++ serverNetworks; in { sops.secrets = @@ -67,16 +71,26 @@ in getSecrets { "dns/${domain}/mailbox-security-key" = { }; "dns/${domain}/mailbox-security-key-record" = { }; + + "dns/${domain}/rfc2136-key" = { + owner = serviceUser; + group = "root"; + reloadUnits = [ "bind.service" ]; + mode = "0400"; + }; }; - networking.nameservers = localhostIP; - - environment.etc."bind/named.conf".source = config.services.bind.configFile; + # Install the utilities. + environment.systemPackages = [ config.services.bind.package ]; services.bind = { enable = true; forward = "first"; - forwarders = [ "127.0.0.53 port 53" ]; + + cacheNetworks = [ + "127.0.0.1" + "::1" + ]; listenOn = [ "127.0.0.1" 
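Review bot: `zonesDir = "/etc/bind/zones"` is now a directory named must write to: with `update-policy` on `zone "${domain}"` (hunk `@@ -91,58 +105,50 @@`) named creates `foodogsquared.one.zone.jnl` there and periodically rewrites the zone file, so the directory and file have to be owned by or writable for `named`, and a store symlink placed via `environment.etc` will not do. That same later hunk removes the `preStart` that used to `install` the substituted `domainZone`/`fqdnZone` into `zonesDir` and run `replace-secret` on the mailbox placeholders; nothing in this diff replaces it, so unless that happens outside the diff the files referenced by `file "${zoneFile domain}"` no longer exist at startup and the `mailbox-security-key` secrets still declared in the next hunk are never used. A comment next to `zonesDir` stating who creates and owns the directory, e.g. `# Must be writable by named: dynamic updates keep a journal and rewrite the zone file here.`, would document the requirement either way.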
@@ -91,58 +105,50 @@ in ]; extraConfig = '' - acl internals { ${lib.concatStringsSep "; " (clientNetworks ++ serverNetworks ++ [ "127.0.0.0/8" "::1" ])}; }; - ''; + include "${config.sops.secrets."plover/dns/${domain}/rfc2136-key".path}"; + acl trusted { ${lib.concatStringsSep "; " internalsACL}; localhost; }; - extraOptions = '' - allow-recursion { internals; }; - empty-zones-enable yes; - ''; + view external { + match-clients { any; }; - zones = { - "${config.networking.domain}" = { - file = zoneFile domain; - allowQuery = allowedLANIPs ++ allowedLANIPv6s; - master = true; - slaves = secondaryNameServersIPs; - extraConfig = '' - forwarders { }; - update-policy local; - ''; + forwarders { }; + empty-zones-enable yes; + allow-query { any; }; + allow-recursion { none; }; + + zone "${domain}" { + type primary; + + file "${zoneFile domain}"; + allow-transfer { ${lib.concatStringsSep "; " secondaryNameServersIPs}; }; + update-policy { + grant rfc2136key.${domain}. zonesub TXT; + }; + }; }; - "${config.networking.fqdn}" = { - file = zoneFile fqdn; - master = true; - allowQuery = allowedLANIPs ++ allowedLANIPv6s; - slaves = [ "none" ]; + view internal { + match-clients { trusted; }; + allow-recursion { any; }; + forwarders { 127.0.0.53 port 53; }; + + zone "${fqdn}" { + type primary; + file "${zoneFile fqdn}"; + }; + + zone "${domain}" { + in-view external; + }; }; - }; + ''; }; - networking.firewall.extraInputRules = - let - allowedIPs = secondaryNameServersIPv4 ++ allowedLANIPs; - allowedIPv6s = secondaryNameServersIPv6 ++ allowedLANIPv6s; - in - '' - meta l4proto {tcp, udp} th dport domain ip saddr { ${lib.concatStringsSep ", " allowedIPs} } accept comment "Accept DNS queries from secondary nameservers and private networks" - meta l4proto {tcp, udp} th dport domain ip6 saddr { ${lib.concatStringsSep ", " allowedIPv6s} } accept comment "Accept DNS queries from secondary nameservers and private networks" - meta l4proto {tcp, udp} th dport domain-s ip saddr { 
${lib.concatStringsSep ", " allowedIPs} } accept comment "Accept DNS queries from secondary nameservers and private networks" - meta l4proto {tcp, udp} th dport domain-s ip6 saddr { ${lib.concatStringsSep ", " allowedIPv6s} } accept comment "Accept DNS queries from secondary nameservers and private networks" - ''; - - systemd.services.bind = { - preStart = let - secretsPath = path: config.sops.secrets."plover/${path}".path; - replaceSecretBin = "${lib.getBin pkgs.replace-secret}/bin/replace-secret"; - in - lib.mkBefore '' - install -Dm0644 ${domainZone} ${zoneFile domain} - install -Dm0644 ${fqdnZone} ${zoneFile fqdn} - - ${replaceSecretBin} '#mailboxSecurityKey#' '${secretsPath "dns/${domain}/mailbox-security-key"}' '${zoneFile domain}' - ${replaceSecretBin} '#mailboxSecurityKeyRecord#' '${secretsPath "dns/${domain}/mailbox-security-key-record"}' '${zoneFile domain}' - ''; + networking.firewall ={ + allowedUDPPorts = [ + 53 # DNS + 853 # DNS-over-TLS/DNS-over-QUIC + ]; + allowedTCPPorts = [ 53 853 ]; }; } diff --git a/hosts/plover/secrets/secrets.yaml b/hosts/plover/secrets/secrets.yaml index fb3ad4bd..4f7aa5a5 100644 --- a/hosts/plover/secrets/secrets.yaml +++ b/hosts/plover/secrets/secrets.yaml 
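Review bot: `view external { match-clients { any; }; ... }` is declared before `view internal { match-clients { trusted; }; ... }`, and named assigns a client to the first view whose `match-clients` matches, so every client, trusted or not, lands in `external`: `internal` is unreachable, LAN clients get `allow-recursion { none; }` and never see `zone "${fqdn}"`. Reordering the views is not an option because `in-view external` requires the referenced view to be defined earlier, so exclude trusted clients from the external view instead: `match-clients { !trusted; any; };`. Separately, `networking.firewall` now opens 853/tcp and 853/udp, but no `tls` listener is configured in this hunk or in the `listenOn` hunk, so as far as the diff shows those ports are open to nothing; drop them or note where the DoT/DoQ listener is set up. The `services.bind` attribute set this `extraConfig` belongs to opens in the previous hunk of this file.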
@@ -1,6 +1,6 @@ ssh-key: ENC[AES256_GCM,data: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,iv:1OGfGUojkL0/DS+HMbyAK0GeVKa6AuQkyRwO5txiD54=,tag:TmD3ljgWGv0SNPq8GxI/kw==,type:str] lego: - env: ENC[AES256_GCM,data:pJPaYAuFEj8f0Rm+Quhf4T2FKmvJ5cxGPAW7TCZkl++0yMaYx7e94WKYjLmWp+OWfUQss6byZ4WiARHY0XuF7w/S41isJdObSGgeUXnoLAu9oqt9JLsVOlQABtrY45ZF,iv:J6vBXY1gi12Zy6wXM1NyGZNxuVApKWy7eJUs8WapDoE=,tag:nEoAiY7Uy92/JjJDaSJZzw==,type:str] + env: ENC[AES256_GCM,data:gmzfAQOK94baSS0nOHEX33n61kLbGRHqoAa1W+KnLsfC3RLSbtgeRXgmKfsKFwfd1czQE5Yf/ZB/eTjDSUPLfXcnt4OoiNAyJNxAoc5cpeveYIlp9WaqdSkcD+zefLPmwYDTVPyrBKS1qE8GjYBxpfObnesbwq8hxx9Tm19Z+MTB+DznYqhSFt5Yx5+VnBaeQBMKnLd3XGazRv//QnpUFvgJba0SF4mhD3I40SHKMt3enmj1M+ITIn99ELf7HG0XSCH7aGmccXraQNUnAOwdJCNXyFY/ASxoK0DLv8Um5VX6O04GZVg2y3EoGsNZkyH9T8/3jTg=,iv:iYct97YZhUcoy/C5aVmSlsHLEyPVlRP2pGdwvwTIm9w=,tag:Hf3CMJwUXY5yf0CUxPNbtQ==,type:str] sourcehut: network-key: ENC[AES256_GCM,data:e28WJt1POxWnCgjYG+6HdSOwhHiIArGPrGb/3pQ5o2P2R4gIuxm8YxRPg4E=,iv:44VlT5ID8KXDquDOZMIEPBWl7r+JwbamRdqhBsFO4Rw=,tag:JRTs4FRT8bBpPyetDbt6zg==,type:str] service-key: ENC[AES256_GCM,data:glZuT+e9c2UOXieP313ny6Dl15HRXpeHtGr4XPWjhNSAvFgcwp/1AgFYrHDWZBf771MkN0pgVE/d/fx0oBOgSg==,iv:S4BzMYPZtVFhXV0g5qBxjItqCyEQ25Ct6swBut7FefQ=,tag:w3t59DqroYuAmgHlu/BhEQ==,type:str] 
@@ -40,6 +40,7 @@ dns: foodogsquared.one: mailbox-security-key: ENC[AES256_GCM,data:CmiAcewC47dTlKX+PmWJrnSM7dreMImEL3nw6+MnJ2MCwcnakT8zUw==,iv:tRh4d+QUUqxzz+c0r6NLnnPOgqtYZNdE3RgCa7MbvE4=,tag:RHkPwRVt8+YCw61RwBZZzg==,type:str] mailbox-security-key-record: ENC[AES256_GCM,data:vXwTyZEsov20GDkg/X2P/MJFKWkrijnNNHrGRp0AMJORh0H5/mnshQ==,iv:7BKnkKj1vwLYCcm1uoHF+Ndunl2enSoXRpReW/uuaAo=,tag:KTzU1MMwXard4+Ar4WrJhA==,type:str] + rfc2136-key: ENC[AES256_GCM,data:K6CRj09oQA/po/IYfM/LH1y8Hjt/gXewUxfDcEzZVsFCYs4CEpysnhFlu6P9Srwy0lXapZI+4x4kB0mY5TarxZc5OFpx+6Xslw964x10Eot1sTFn8Y7Mrogh8VwHFXdtKuvHKkHcW2nZshBnKv0FPsy6Wvv79NUwEfc=,iv:TJiq+z552fT0vVT1WKJUUwB+oP/sUGIav1ab8G/1ENc=,tag:aqpBcdWh2i551p8aAzsUXA==,type:str] sops: kms: [] gcp_kms: [] @@ -55,8 +56,8 @@ sops: ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-06-22T08:57:24Z" - mac: ENC[AES256_GCM,data:Ltx4nr5Llq3txLTcK1mO1/BoOKm6O0FaQd60FMPpFtpIUhFQhPaPrDmnAB7/j1rMMCc4fg9hv2AYAx/rCCoaMy2aQmgRnjsuX8S7UfwqOYqvCVl6CJz3HeCfficDe5P2Un0BeblK1SeSJ689VXO0kAa2z8/uB5tis5cULfAIkBs=,iv:HKEN2YLM83mu4JjNWdBQGI+RX03nssZPwIdaP9iMW1I=,tag:VMHrarG2H/NPuymojxntUQ==,type:str] + lastmodified: "2023-06-27T13:01:04Z" + mac: ENC[AES256_GCM,data:4Zzgji5OsdUZL93sO00Sf6pQ9+LhUODv8YRp9o/lLiKelbZSLweAXeMCO3Zf8xLQDvd/6gQ8P6MvmDCtCmyQ4Nxlojv7cpX+H/bgN5skqIgYP+CMDoUvu99IiqK5SfGBZosG0c30x7mL42dzWIzZ8filHpX2t8lIm217OqTzEHo=,iv:VBGUmqVO1Wh/ZK+Z5kRJMI3kdqx6mbaTzZcaHcQK2/o=,tag:A52f7dRiLmMg7WSuX6URyQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/modules/nixos/profiles/server.nix b/modules/nixos/profiles/server.nix index a4cd2db2..5a2a854c 100644 --- a/modules/nixos/profiles/server.nix +++ b/modules/nixos/profiles/server.nix 
@@ -76,7 +76,7 @@ in # this. security.acme = { acceptTerms = true; - defaults.email = "admin@foodogsquared.one"; + defaults.email = "admin+acme@foodogsquared.one"; }; # We're only going to deal with servers in English.