From 366cf64e848eebea98f9d9bb95e623597af74669 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 15 Mar 2022 16:37:42 +0100
Subject: vidhar: ddns
---
 hosts/vidhar/dns/default.nix | 127 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 127 insertions(+)
 create mode 100644 hosts/vidhar/dns/default.nix
(limited to 'hosts/vidhar/dns/default.nix')
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix
new file mode 100644
index 00000000..19a121f6
--- /dev/null
+++ b/hosts/vidhar/dns/default.nix
@@ -0,0 +1,127 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ knotKeys = let
+ dir = ./keys;
+ toKeyInfo = name: v:
+ if v == "regular" || v == "symlink"
+ then { path = dir + "/${name}"; inherit name; }
+ else null;
+ in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir));
+in {
+ config = {
+ services.unbound = {
+ enable = true;
+ resolveLocalQueries = false;
+ stateDir = "/var/lib/unbound";
+ localControlSocketPath = "/run/unbound/unbound.ctl";
+ settings = {
+ server = {
+ interface = ["127.0.0.1" "10.141.0.1" "::0"];
+ prefer-ip6 = true;
+ access-control = ["0.0.0.0/0 allow" "::/0 allow"];
+ root-hints = "${pkgs.dns-root-data}/root.hints";
+
+ num-threads = 12;
+ so-reuseport = true;
+ msg-cache-slabs = 16;
+ rrset-cache-slabs = 16;
+ infra-cache-slabs = 16;
+ key-cache-slabs = 16;
+
+ rrset-cache-size = "100m";
+ msg-cache-size = "50m";
+ outgoing-range = 8192;
+ num-queries-per-thread = 4096;
+
+ so-rcvbuf = "4m";
+ so-sndbuf = "4m";
+
+ # serve-expired = true;
+ # serve-expired-ttl = 86400;
+ # serve-expired-reply-ttl = 0;
+
+ prefetch = true;
+ prefetch-key = true;
+
+ minimal-responses = false;
+
+ extended-statistics = true;
+
+ rrset-roundrobin = true;
+ use-caps-for-id = true;
+
+ local-zone = [
+ "141.10.in-addr.arpa transparent"
+ "yggdrasil transparent"
+ ];
+ domain-insecure = [
+ "141.10.in-addr.arpa"
+ "yggdrasil"
+ ];
+ };
+
+ stub-zone = map (name: {
+ inherit name;
+ stub-addr = "127.0.0.1@5353";
+ stub-first = true;
+ stub-no-cache = true;
+ stub-prime = false;
+ }) ["yggdrasil" "lan.yggdrasil" "mgmt.yggdrasil" "arpa.in-addr.10.141" "arpa.in-addr.10.141.0" "arpa.in-addr.10.141.1"];
+ };
+ };
+
+ services.knot = {
+ enable = true;
+ keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys;
+ extraConfig = ''
+ server:
+ listen: 127.0.0.1@5353
+ listen: ::1@5353
+
+ acl:
+ - id: local_acl
+ key: local_key
+ action: update
+
+ template:
+ - id: local_zone
+ storage: /var/lib/knot
+ zonefile-sync: -1
+ zonefile-load: difference-no-serial
+ serial-policy: dateserial
+ journal-content: all
+ semantic-checks: on
+ acl: [local_acl]
+
+ zone:
+ - domain: yggdrasil
+ template: local_zone
+ file: ${./zones/yggdrasil.soa}
+ - domain: lan.yggdrasil
+ template: local_zone
+ file: ${./zones/yggdrasil.lan.soa}
+ - domain: mgmt.yggdrasil
+ template: local_zone
+ file: ${./zones/yggdrasil.mgmt.soa}
+ - domain: 141.10.in-addr.arpa
+ template: local_zone
+ file: ${./zones/arpa.in-addr.10.141.soa}
+ - domain: 0.141.10.in-addr.arpa
+ template: local_zone
+ file: ${./zones/arpa.in-addr.10.141.0.soa}
+ - domain: 1.141.10.in-addr.arpa
+ template: local_zone
+ file: ${./zones/arpa.in-addr.10.141.1.soa}
+ '';
+ };
+
+ sops.secrets = listToAttrs (map ({name, path}: nameValuePair name {
+ format = "binary";
+ owner = "knot";
+ sopsFile = path;
+ }) knotKeys);
+ };
+}
-- cgit v1.2.3
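Review bot: `access-control = ["0.0.0.0/0 allow" "::/0 allow"]` combined with `interface = ["127.0.0.1" "10.141.0.1" "::0"]` in the unbound `server` block makes this an open recursive resolver for every client that can reach the host on any IPv6 address (and for anything that can reach 10.141.0.1), and `minimal-responses = false` makes each reply larger, which is exactly what makes an open resolver attractive for reflection and amplification. Nothing in this file restricts port 53, so unless a firewall elsewhere in the host configuration does, the allow list should name only the networks the stub zones are served to, e.g. `access-control = ["127.0.0.0/8 allow" "10.141.0.0/16 allow" "::1 allow" "<yggdrasil-prefix>/<len> allow"];` with the placeholder filled in and everything else left at unbound's default refuse (the 10.141.0.0/16 range is inferred from the `141.10.in-addr.arpa` zone; confirm it). If the wide-open policy is intentional because a firewall already scopes it, a comment above `access-control` saying so, `# reachable only from <nets>; filtered by <firewall rule>`, would keep the next reader from treating this as an oversight. The knot side is scoped correctly by contrast, since it listens only on loopback and the `update` ACL is therefore reachable only from the host itself.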