Diffstat (limited to 'hosts/vidhar/dns')
-rw-r--r--hosts/vidhar/dns/Gupfile2
-rw-r--r--hosts/vidhar/dns/default.nix127
-rw-r--r--hosts/vidhar/dns/key.gup6
-rw-r--r--hosts/vidhar/dns/keys/local.yaml26
-rw-r--r--hosts/vidhar/dns/zones/arpa.in-addr.10.141.0.soa12
-rw-r--r--hosts/vidhar/dns/zones/arpa.in-addr.10.141.1.soa14
-rw-r--r--hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa11
-rw-r--r--hosts/vidhar/dns/zones/yggdrasil.lan.soa13
-rw-r--r--hosts/vidhar/dns/zones/yggdrasil.mgmt.soa15
-rw-r--r--hosts/vidhar/dns/zones/yggdrasil.soa21
10 files changed, 247 insertions, 0 deletions
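diff --git a/hosts/vidhar/dns/Gupfile b/hosts/vidhar/dns/Gupfile
new file mode 100644
index 00000000..ac96f620
--- /dev/null
+++ b/hosts/vidhar/dns/Gupfile
@@ -0,0 +1,2 @@
+key.gup:
+ keys/*.yaml
\ No newline at end of file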
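diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix
new file mode 100644
index 00000000..19a121f6
--- /dev/null
+++ b/hosts/vidhar/dns/default.nix
@@ -0,0 +1,127 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ knotKeys = let
+ dir = ./keys;
+ toKeyInfo = name: v:
+ if v == "regular" || v == "symlink"
+ then { path = dir + "/${name}"; inherit name; }
+ else null;
+ in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir));
+in {
+ config = {
+ services.unbound = {
+ enable = true;
+ resolveLocalQueries = false;
+ stateDir = "/var/lib/unbound";
+ localControlSocketPath = "/run/unbound/unbound.ctl";
+ settings = {
+ server = {
+ interface = ["127.0.0.1" "10.141.0.1" "::0"];
+ prefer-ip6 = true;
+ access-control = ["0.0.0.0/0 allow" "::/0 allow"];
+ root-hints = "${pkgs.dns-root-data}/root.hints";
+
+ num-threads = 12;
+ so-reuseport = true;
+ msg-cache-slabs = 16;
+ rrset-cache-slabs = 16;
+ infra-cache-slabs = 16;
+ key-cache-slabs = 16;
+
+ rrset-cache-size = "100m";
+ msg-cache-size = "50m";
+ outgoing-range = 8192;
+ num-queries-per-thread = 4096;
+
+ so-rcvbuf = "4m";
+ so-sndbuf = "4m";
+
+ # serve-expired = true;
+ # serve-expired-ttl = 86400;
+ # serve-expired-reply-ttl = 0;
+
+ prefetch = true;
+ prefetch-key = true;
+
+ minimal-responses = false;
+
+ extended-statistics = true;
+
+ rrset-roundrobin = true;
+ use-caps-for-id = true;
+
+ local-zone = [
+ "141.10.in-addr.arpa transparent"
+ "yggdrasil transparent"
+ ];
+ domain-insecure = [
+ "141.10.in-addr.arpa"
+ "yggdrasil"
+ ];
+ };
+
+ stub-zone = map (name: {
+ inherit name;
+ stub-addr = "127.0.0.1@5353";
+ stub-first = true;
+ stub-no-cache = true;
+ stub-prime = false;
+ }) ["yggdrasil" "lan.yggdrasil" "mgmt.yggdrasil" "arpa.in-addr.10.141" "arpa.in-addr.10.141.0" "arpa.in-addr.10.141.1"];
+ };
+ };
+
+ services.knot = {
+ enable = true;
+ keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys;
+ extraConfig = ''
+ server:
+ listen: 127.0.0.1@5353
+ listen: ::1@5353
+
+ acl:
+ - id: local_acl
+ key: local_key
+ action: update
+
+ template:
+ - id: local_zone
+ storage: /var/lib/knot
+ zonefile-sync: -1
+ zonefile-load: difference-no-serial
+ serial-policy: dateserial
+ journal-content: all
+ semantic-checks: on
+ acl: [local_acl]
+
+ zone:
+ - domain: yggdrasil
+ template: local_zone
+ file: ${./zones/yggdrasil.soa}
+ - domain: lan.yggdrasil
+ template: local_zone
+ file: ${./zones/yggdrasil.lan.soa}
+ - domain: mgmt.yggdrasil
+ template: local_zone
+ file: ${./zones/yggdrasil.mgmt.soa}
+ - domain: 141.10.in-addr.arpa
+ template: local_zone
+ file: ${./zones/arpa.in-addr.10.141.soa}
+ - domain: 0.141.10.in-addr.arpa
+ template: local_zone
+ file: ${./zones/arpa.in-addr.10.141.0.soa}
+ - domain: 1.141.10.in-addr.arpa
+ template: local_zone
+ file: ${./zones/arpa.in-addr.10.141.1.soa}
+ '';
+ };
+
+ sops.secrets = listToAttrs (map ({name, path}: nameValuePair name {
+ format = "binary";
+ owner = "knot";
+ sopsFile = path;
+ }) knotKeys);
+ };
+}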
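Review bot: `access-control = ["0.0.0.0/0 allow" "::/0 allow"]` combined with `interface = [... "::0"]` turns Unbound into an open recursive resolver on every IPv6 address the host holds, and the yggdrasil zone added in this same commit gives vidhar a global-unicast AAAA (2a03:4000:52:ada:1:1::), so unless a firewall elsewhere in the host configuration closes UDP/TCP 53 this recursor is reachable from the Internet and can be abused for reflection traffic. The allow list should name the client networks instead and leave everything else to Unbound's default refuse, e.g. `access-control = ["127.0.0.0/8 allow" "::1/128 allow" "10.141.0.0/16 allow" "<local-ipv6-prefix> allow"];`, or `"::0"` should be replaced by the specific addresses that are meant to serve clients. The authoritative side looks sound: Knot listens only on loopback and its update ACL is bound to a TSIG key (`key: local_key`, `action: update`). A short comment above the `stub-zone` block noting that `stub-first`/`stub-no-cache` deliberately keep the local zones out of Unbound's cache so Knot's dynamic updates are visible immediately would help the next reader.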
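diff --git a/hosts/vidhar/dns/key.gup b/hosts/vidhar/dns/key.gup
new file mode 100644
index 00000000..83c36b0e
--- /dev/null
+++ b/hosts/vidhar/dns/key.gup
@@ -0,0 +1,6 @@
+#!/usr/bin/env zsh
+
+keyName=${${2:t}%.yaml}_key
+
+keymgr -t ${keyName} > $1
+sops -p 'A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362,30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51' --input-type=binary --output-type=binary -e -i $1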
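Review bot: The script has no error handling, so if `keymgr -t` fails the `sops -e -i` line happily encrypts an empty or partial file, and if `sops` fails the freshly generated TSIG secret is left in `$1` as plaintext with the caller's default umask; whether gup discards that output file on a non-zero exit is not visible here. Adding `set -e` and `umask 077` directly after the shebang closes both gaps with two lines. The two PGP fingerprints hard-coded in `-p` match the recipients recorded in keys/local.yaml in this commit, but if the repository has a `.sops.yaml` creation rule for `hosts/vidhar/dns/keys/` the `-p` option could be dropped so that recipient changes live in one place.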
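diff --git a/hosts/vidhar/dns/keys/local.yaml b/hosts/vidhar/dns/keys/local.yaml
new file mode 100644
index 00000000..e66f4b61
--- /dev/null
+++ b/hosts/vidhar/dns/keys/local.yaml
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:hpWdnmsmBmO01PkTlmRLHdmXrPX6POuU/PWrOUMgH6glThzsFdk84tskUExnsl3N39ryCmgZwotIZ8zCWduPBn+nN3VTEP5Z4xltC8I82C6F283gWC3gxpTXFSwF7JetRM5uBQV0FFd9iXHUySEHdzoRqsGuZTMYdT44Bm6gGQHyt7N3/EeLHyJKa7MH+SLLznjlaTnmrAxEyGP8Talda0s/mkh4nRqQnbxX6aOTQpQ=,iv:eRQuxRNQGU2Zwudaqjr+QvLLpJ5QqrjvAN/uL6x8hUs=,tag:CYEt1K+gOGiOX9qQR/Q9jw==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-03-15T13:30:32Z",
+ "mac": "ENC[AES256_GCM,data:PG4ywF/U6ITmdRB4OU5uXu54YabYt9Yyy2oYEMx0XpMlpKWH5bmg2qQNFakxBD6wCy2H6e3LmwcUl2N692crm3n/qQRNPQ0ETHVlaPlRFG85tiz/Ngi6tasoKG+ciLAXMy05c+yY6oENN7grm1TTMZRGSIyxo27ZU+k4kmz4eVM=,iv:fluwCnXHAJ/z2oGWCLXbjooymXbViPrZdVJOnoSrn1g=,tag:QtNGIKMBDtKnb3JPuRqmiA==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-03-15T13:30:31Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAQAK54tXtgsLn6MmWQC/4irGRJd160lpAxCIT+nt/MBUw\nznjpLnbZXSft1RQI6/B95udkm0U/MBKt7wSMe9I/Po44qJrqHqb4jofz6NCeqxD3\n0l4Bl/DpnWfam9knZFQ9NIEaKYWXSmVuxVduhpYYGopXUrKol8BVTdXU6qHaPKgV\nQc72FvezgyHngZwXNEggvS1IWPq4m6pamLi77e8hNGiQx5CiaFXWwCP4gY6A80pS\n=FNi5\n-----END PGP MESSAGE-----\n",
+ "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
+ },
+ {
+ "created_at": "2022-03-15T13:30:31Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA+/lLWPxgadpnWQlbAVbdzpbevoVKuaGrQmp79m4wKycw\nBeErMZugDNzHWXkTHXez5SpS94RYlGzhLcVLGfMg7C0h3wN192QaMrcH01udnjhK\n0l4BRYt9+9CCZL+Nb/ss+BIyOAFCZi2RkwzvXl9wVk+mb1As9/UYml9zqh/juU5F\nBZXqwNPA5RSNCoB0wy3A5yIB3uniMuYczTs67VHJ5cw2VVSQvXF5zue90i2F4mC4\n=IsU1\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file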
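diff --git a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.0.soa b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.0.soa
new file mode 100644
index 00000000..75e6b3a8
--- /dev/null
+++ b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.0.soa
@@ -0,0 +1,12 @@
+$ORIGIN 0.141.10.in-addr.arpa.
+$TTL 300
+@ IN SOA vidhar.lan.yggdrasil. root.yggdrasil.li. (
+ 2022031504 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.lan.yggdrasil.
+1 IN PTR vidhar.lan.yggdrasil.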
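diff --git a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.1.soa b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.1.soa
new file mode 100644
index 00000000..2d535d56
--- /dev/null
+++ b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.1.soa
@@ -0,0 +1,14 @@
+$ORIGIN 1.141.10.in-addr.arpa.
+$TTL 300
+@ IN SOA vidhar.mgmt.yggdrasil. root.yggdrasil.li. (
+ 2022031505 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.mgmt.yggdrasil.
+1 IN PTR vidhar.mgmt.yggdrasil.
+2 IN PTR switch01.mgmt.yggdrasil.
+4 IN PTR ap01.mgmt.yggdrasil.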
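diff --git a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa
new file mode 100644
index 00000000..ea5a35f3
--- /dev/null
+++ b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa
@@ -0,0 +1,11 @@
+$ORIGIN 141.10.in-addr.arpa.
+$TTL 300
+@ IN SOA vidhar.lan.yggdrasil. root.yggdrasil.li. (
+ 2022031505 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.lan.yggdrasil.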
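diff --git a/hosts/vidhar/dns/zones/yggdrasil.lan.soa b/hosts/vidhar/dns/zones/yggdrasil.lan.soa
new file mode 100644
index 00000000..c58b9a13
--- /dev/null
+++ b/hosts/vidhar/dns/zones/yggdrasil.lan.soa
@@ -0,0 +1,13 @@
+$ORIGIN lan.yggdrasil.
+$TTL 300
+@ IN SOA vidhar.lan.yggdrasil. root.yggdrasil.li. (
+ 2022031504 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.lan.yggdrasil.
+
+vidhar IN A 10.141.0.1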
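diff --git a/hosts/vidhar/dns/zones/yggdrasil.mgmt.soa b/hosts/vidhar/dns/zones/yggdrasil.mgmt.soa
new file mode 100644
index 00000000..8a630a9a
--- /dev/null
+++ b/hosts/vidhar/dns/zones/yggdrasil.mgmt.soa
@@ -0,0 +1,15 @@
+$ORIGIN mgmt.yggdrasil.
+$TTL 300
+@ IN SOA vidhar.mgmt.yggdrasil. root.yggdrasil.li. (
+ 2022031505 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.mgmt.yggdrasil.
+
+vidhar IN A 10.141.1.1
+switch01 IN A 10.141.1.2
+ap01 IN A 10.141.1.4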
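diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa
new file mode 100644
index 00000000..6e66a063
--- /dev/null
+++ b/hosts/vidhar/dns/zones/yggdrasil.soa
@@ -0,0 +1,21 @@
+$ORIGIN yggdrasil.
+$TTL 300
+@ IN SOA vidhar.yggdrasil. root.yggdrasil.li. (
+ 2022031504 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.yggdrasil.
+
+surtr IN AAAA 2a03:4000:52:ada:1::
+vidhar IN AAAA 2a03:4000:52:ada:1:1::
+sif IN AAAA 2a03:4000:52:ada:1:2::
+
+grafana.vidhar IN CNAME vidhar.yggdrasil.
+
+
+vidhar.lan IN A 10.141.0.1
+vidhar.mgmt IN A 10.141.1.1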
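Review bot: The last two records, `vidhar.lan IN A 10.141.0.1` and `vidhar.mgmt IN A 10.141.1.1`, duplicate data that this commit also places in the separately loaded lan.yggdrasil and mgmt.yggdrasil zones, while the parent carries no `lan NS` / `mgmt NS` delegation at all. Since Knot serves both parent and child here, queries for those names should be answered from the child zones, which as far as I can tell leaves these parent copies unused and free to drift out of step with the child files. Replacing them with proper delegations, `lan IN NS vidhar.yggdrasil.` and `mgmt IN NS vidhar.yggdrasil.`, plus a `; lan/mgmt are served from their own zone files` comment, keeps a single source of truth for each address.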