From 366cf64e848eebea98f9d9bb95e623597af74669 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 15 Mar 2022 16:37:42 +0100
Subject: vidhar: ddns
---
hosts/vidhar/dns/Gupfile | 2 +
hosts/vidhar/dns/default.nix | 127 +++++++++++++++++++++++
hosts/vidhar/dns/key.gup | 6 ++
hosts/vidhar/dns/keys/local.yaml | 26 +++++
hosts/vidhar/dns/zones/arpa.in-addr.10.141.0.soa | 12 +++
hosts/vidhar/dns/zones/arpa.in-addr.10.141.1.soa | 14 +++
hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa | 11 ++
hosts/vidhar/dns/zones/yggdrasil.lan.soa | 13 +++
hosts/vidhar/dns/zones/yggdrasil.mgmt.soa | 15 +++
hosts/vidhar/dns/zones/yggdrasil.soa | 21 ++++
10 files changed, 247 insertions(+)
create mode 100644 hosts/vidhar/dns/Gupfile
create mode 100644 hosts/vidhar/dns/default.nix
create mode 100644 hosts/vidhar/dns/key.gup
create mode 100644 hosts/vidhar/dns/keys/local.yaml
create mode 100644 hosts/vidhar/dns/zones/arpa.in-addr.10.141.0.soa
create mode 100644 hosts/vidhar/dns/zones/arpa.in-addr.10.141.1.soa
create mode 100644 hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa
create mode 100644 hosts/vidhar/dns/zones/yggdrasil.lan.soa
create mode 100644 hosts/vidhar/dns/zones/yggdrasil.mgmt.soa
create mode 100644 hosts/vidhar/dns/zones/yggdrasil.soa
(limited to 'hosts/vidhar/dns')
diff --git a/hosts/vidhar/dns/Gupfile b/hosts/vidhar/dns/Gupfile
new file mode 100644
index 00000000..ac96f620
--- /dev/null
+++ b/hosts/vidhar/dns/Gupfile
@@ -0,0 +1,2 @@
+key.gup:
+ keys/*.yaml
\ No newline at end of file
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix
new file mode 100644
index 00000000..19a121f6
--- /dev/null
+++ b/hosts/vidhar/dns/default.nix
@@ -0,0 +1,127 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ knotKeys = let
+ dir = ./keys;
+ toKeyInfo = name: v:
+ if v == "regular" || v == "symlink"
+ then { path = dir + "/${name}"; inherit name; }
+ else null;
+ in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir));
+in {
+ config = {
+ services.unbound = {
+ enable = true;
+ resolveLocalQueries = false;
+ stateDir = "/var/lib/unbound";
+ localControlSocketPath = "/run/unbound/unbound.ctl";
+ settings = {
+ server = {
+ interface = ["127.0.0.1" "10.141.0.1" "::0"];
+ prefer-ip6 = true;
+ access-control = ["0.0.0.0/0 allow" "::/0 allow"];
+ root-hints = "${pkgs.dns-root-data}/root.hints";
+
+ num-threads = 12;
+ so-reuseport = true;
+ msg-cache-slabs = 16;
+ rrset-cache-slabs = 16;
+ infra-cache-slabs = 16;
+ key-cache-slabs = 16;
+
+ rrset-cache-size = "100m";
+ msg-cache-size = "50m";
+ outgoing-range = 8192;
+ num-queries-per-thread = 4096;
+
+ so-rcvbuf = "4m";
+ so-sndbuf = "4m";
+
+ # serve-expired = true;
+ # serve-expired-ttl = 86400;
+ # serve-expired-reply-ttl = 0;
+
+ prefetch = true;
+ prefetch-key = true;
+
+ minimal-responses = false;
+
+ extended-statistics = true;
+
+ rrset-roundrobin = true;
+ use-caps-for-id = true;
+
+ local-zone = [
+ "141.10.in-addr.arpa transparent"
+ "yggdrasil transparent"
+ ];
+ domain-insecure = [
+ "141.10.in-addr.arpa"
+ "yggdrasil"
+ ];
+ };
+
+ stub-zone = map (name: {
+ inherit name;
+ stub-addr = "127.0.0.1@5353";
+ stub-first = true;
+ stub-no-cache = true;
+ stub-prime = false;
+ }) ["yggdrasil" "lan.yggdrasil" "mgmt.yggdrasil" "arpa.in-addr.10.141" "arpa.in-addr.10.141.0" "arpa.in-addr.10.141.1"];
+ };
+ };
+
+ services.knot = {
+ enable = true;
+ keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys;
+ extraConfig = ''
+ server:
+ listen: 127.0.0.1@5353
+ listen: ::1@5353
+
+ acl:
+ - id: local_acl
+ key: local_key
+ action: update
+
+ template:
+ - id: local_zone
+ storage: /var/lib/knot
+ zonefile-sync: -1
+ zonefile-load: difference-no-serial
+ serial-policy: dateserial
+ journal-content: all
+ semantic-checks: on
+ acl: [local_acl]
+
+ zone:
+ - domain: yggdrasil
+ template: local_zone
+ file: ${./zones/yggdrasil.soa}
+ - domain: lan.yggdrasil
+ template: local_zone
+ file: ${./zones/yggdrasil.lan.soa}
+ - domain: mgmt.yggdrasil
+ template: local_zone
+ file: ${./zones/yggdrasil.mgmt.soa}
+ - domain: 141.10.in-addr.arpa
+ template: local_zone
+ file: ${./zones/arpa.in-addr.10.141.soa}
+ - domain: 0.141.10.in-addr.arpa
+ template: local_zone
+ file: ${./zones/arpa.in-addr.10.141.0.soa}
+ - domain: 1.141.10.in-addr.arpa
+ template: local_zone
+ file: ${./zones/arpa.in-addr.10.141.1.soa}
+ '';
+ };
+
+ sops.secrets = listToAttrs (map ({name, path}: nameValuePair name {
+ format = "binary";
+ owner = "knot";
+ sopsFile = path;
+ }) knotKeys);
+ };
+}
diff --git a/hosts/vidhar/dns/key.gup b/hosts/vidhar/dns/key.gup
new file mode 100644
index 00000000..83c36b0e
--- /dev/null
+++ b/hosts/vidhar/dns/key.gup
@@ -0,0 +1,6 @@
+#!/usr/bin/env zsh
+
+keyName=${${2:t}%.yaml}_key
+
+keymgr -t ${keyName} > $1
+sops -p 'A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362,30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51' --input-type=binary --output-type=binary -e -i $1
diff --git a/hosts/vidhar/dns/keys/local.yaml b/hosts/vidhar/dns/keys/local.yaml
new file mode 100644
index 00000000..e66f4b61
--- /dev/null
+++ b/hosts/vidhar/dns/keys/local.yaml
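Review bot: The last three names in the `stub-zone` list of `services.unbound.settings` (`"arpa.in-addr.10.141"` and its two children) follow the zone-file naming scheme rather than being DNS names, so reverse lookups under 10.141.0.0/16 are never forwarded to knot, while the knot `zone:` entries and unbound's `local-zone`/`domain-insecure` lists use the correct `141.10.in-addr.arpa` form. Change the list to `}) ["yggdrasil" "lan.yggdrasil" "mgmt.yggdrasil" "141.10.in-addr.arpa" "0.141.10.in-addr.arpa" "1.141.10.in-addr.arpa"];`. Separately, `interface` includes `"::0"` while `access-control` allows `0.0.0.0/0` and `::/0`, so unbound recurses for any client that can reach any IPv6 address of the host, and the `yggdrasil` zone in this commit gives vidhar a globally routable AAAA; unless a firewall outside this change restricts port 53, narrow `access-control` to the local prefixes (e.g. `10.141.0.0/16 allow` and `::1 allow` plus the LAN's own IPv6 range) or bind only to the internal addresses. The knot listeners on `127.0.0.1@5353`/`::1@5353` with an update ACL tied to `local_key` look appropriate for loopback-only DDNS.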
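Review bot: key.gup does not stop on failure, so if `keymgr -t` on line 5 exits non-zero, `sops` on line 6 still encrypts whatever landed in `$1` (possibly an empty file) and the rule succeeds, and if `sops` itself fails the freshly generated TSIG secret is left unencrypted in `$1`. Add `set -e -u -o pipefail` after the shebang and quote the output path (`> "$1"`, `-i "$1"`) so either error aborts the build. Piping `keymgr -t ${keyName}` straight into `sops --input-type=binary --output-type=binary -e /dev/stdin > "$1"` would also avoid ever writing the plaintext key to the build directory, if that invocation works with the sops version in use (worth checking, since `-i` in-place mode is what the script relies on today).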
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:hpWdnmsmBmO01PkTlmRLHdmXrPX6POuU/PWrOUMgH6glThzsFdk84tskUExnsl3N39ryCmgZwotIZ8zCWduPBn+nN3VTEP5Z4xltC8I82C6F283gWC3gxpTXFSwF7JetRM5uBQV0FFd9iXHUySEHdzoRqsGuZTMYdT44Bm6gGQHyt7N3/EeLHyJKa7MH+SLLznjlaTnmrAxEyGP8Talda0s/mkh4nRqQnbxX6aOTQpQ=,iv:eRQuxRNQGU2Zwudaqjr+QvLLpJ5QqrjvAN/uL6x8hUs=,tag:CYEt1K+gOGiOX9qQR/Q9jw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-03-15T13:30:32Z", + "mac": "ENC[AES256_GCM,data:PG4ywF/U6ITmdRB4OU5uXu54YabYt9Yyy2oYEMx0XpMlpKWH5bmg2qQNFakxBD6wCy2H6e3LmwcUl2N692crm3n/qQRNPQ0ETHVlaPlRFG85tiz/Ngi6tasoKG+ciLAXMy05c+yY6oENN7grm1TTMZRGSIyxo27ZU+k4kmz4eVM=,iv:fluwCnXHAJ/z2oGWCLXbjooymXbViPrZdVJOnoSrn1g=,tag:QtNGIKMBDtKnb3JPuRqmiA==,type:str]", + "pgp": [ + { + "created_at": "2022-03-15T13:30:31Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAQAK54tXtgsLn6MmWQC/4irGRJd160lpAxCIT+nt/MBUw\nznjpLnbZXSft1RQI6/B95udkm0U/MBKt7wSMe9I/Po44qJrqHqb4jofz6NCeqxD3\n0l4Bl/DpnWfam9knZFQ9NIEaKYWXSmVuxVduhpYYGopXUrKol8BVTdXU6qHaPKgV\nQc72FvezgyHngZwXNEggvS1IWPq4m6pamLi77e8hNGiQx5CiaFXWwCP4gY6A80pS\n=FNi5\n-----END PGP MESSAGE-----\n", + "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362" + }, + { + "created_at": "2022-03-15T13:30:31Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA+/lLWPxgadpnWQlbAVbdzpbevoVKuaGrQmp79m4wKycw\nBeErMZugDNzHWXkTHXez5SpS94RYlGzhLcVLGfMg7C0h3wN192QaMrcH01udnjhK\n0l4BRYt9+9CCZL+Nb/ss+BIyOAFCZi2RkwzvXl9wVk+mb1As9/UYml9zqh/juU5F\nBZXqwNPA5RSNCoB0wy3A5yIB3uniMuYczTs67VHJ5cw2VVSQvXF5zue90i2F4mC4\n=IsU1\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file diff --git a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.0.soa b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.0.soa new file mode 100644 index 00000000..75e6b3a8 --- /dev/null 
+++ b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.0.soa
@@ -0,0 +1,12 @@
+$ORIGIN 0.141.10.in-addr.arpa.
+$TTL 300
+@ IN SOA vidhar.lan.yggdrasil. root.yggdrasil.li. (
+ 2022031504 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.lan.yggdrasil.
+1 IN PTR vidhar.lan.yggdrasil.
diff --git a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.1.soa b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.1.soa
new file mode 100644
index 00000000..2d535d56
--- /dev/null
+++ b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.1.soa
@@ -0,0 +1,14 @@
+$ORIGIN 1.141.10.in-addr.arpa.
+$TTL 300
+@ IN SOA vidhar.mgmt.yggdrasil. root.yggdrasil.li. (
+ 2022031505 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.mgmt.yggdrasil.
+1 IN PTR vidhar.mgmt.yggdrasil.
+2 IN PTR switch01.mgmt.yggdrasil.
+4 IN PTR ap01.mgmt.yggdrasil.
diff --git a/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa
new file mode 100644
index 00000000..ea5a35f3
--- /dev/null
+++ b/hosts/vidhar/dns/zones/arpa.in-addr.10.141.soa
@@ -0,0 +1,11 @@
+$ORIGIN 141.10.in-addr.arpa.
+$TTL 300
+@ IN SOA vidhar.lan.yggdrasil. root.yggdrasil.li. (
+ 2022031505 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.lan.yggdrasil.
diff --git a/hosts/vidhar/dns/zones/yggdrasil.lan.soa b/hosts/vidhar/dns/zones/yggdrasil.lan.soa
new file mode 100644
index 00000000..c58b9a13
--- /dev/null
+++ b/hosts/vidhar/dns/zones/yggdrasil.lan.soa
@@ -0,0 +1,13 @@
+$ORIGIN lan.yggdrasil.
+$TTL 300
+@ IN SOA vidhar.lan.yggdrasil. root.yggdrasil.li. (
+ 2022031504 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.lan.yggdrasil.
+
+vidhar IN A 10.141.0.1
diff --git a/hosts/vidhar/dns/zones/yggdrasil.mgmt.soa b/hosts/vidhar/dns/zones/yggdrasil.mgmt.soa
new file mode 100644
index 00000000..8a630a9a
--- /dev/null
+++ b/hosts/vidhar/dns/zones/yggdrasil.mgmt.soa
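Review bot: The SOA in arpa.in-addr.10.141.0.soa sets expire to 300, equal to refresh, which tells any secondary to discard the zone after a single missed refresh; RFC 1912 suggests an expire of two to four weeks. With a single `IN NS` and knot as the only server this has no effect today, but the same timers are copied verbatim into arpa.in-addr.10.141.1.soa, arpa.in-addr.10.141.soa, yggdrasil.lan.soa, yggdrasil.mgmt.soa and yggdrasil.soa, so it is cheaper to correct them now, e.g. `1209600 ; expire`, than after a secondary is added. The hand-written serials appear to be only the starting value, since default.nix configures knot with `serial-policy: dateserial` and `zonefile-load: difference-no-serial`; a short comment at the top of each file saying that knot owns the serial from then on would save the next editor from bumping it by hand.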
@@ -0,0 +1,15 @@
+$ORIGIN mgmt.yggdrasil.
+$TTL 300
+@ IN SOA vidhar.mgmt.yggdrasil. root.yggdrasil.li. (
+ 2022031505 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.mgmt.yggdrasil.
+
+vidhar IN A 10.141.1.1
+switch01 IN A 10.141.1.2
+ap01 IN A 10.141.1.4
diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa
new file mode 100644
index 00000000..6e66a063
--- /dev/null
+++ b/hosts/vidhar/dns/zones/yggdrasil.soa
@@ -0,0 +1,21 @@
+$ORIGIN yggdrasil.
+$TTL 300
+@ IN SOA vidhar.yggdrasil. root.yggdrasil.li. (
+ 2022031504 ; serial
+ 300 ; refresh
+ 300 ; retry
+ 300 ; expire
+ 300 ; min TTL
+)
+
+ IN NS vidhar.yggdrasil.
+
+surtr IN AAAA 2a03:4000:52:ada:1::
+vidhar IN AAAA 2a03:4000:52:ada:1:1::
+sif IN AAAA 2a03:4000:52:ada:1:2::
+
+grafana.vidhar IN CNAME vidhar.yggdrasil.
+
+
+vidhar.lan IN A 10.141.0.1
+vidhar.mgmt IN A 10.141.1.1
-- cgit v1.2.3
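Review bot: In yggdrasil.soa the last two records, `vidhar.lan IN A 10.141.0.1` and `vidhar.mgmt IN A 10.141.1.1`, duplicate data that lives in the separate `lan.yggdrasil` and `mgmt.yggdrasil` zones added in this commit, and the parent carries no `NS` delegation for either child. With the unbound stub-zones from default.nix the child zones shadow these copies, but any resolver that only knows the parent will answer from them, and once DDNS updates the children the two copies will drift silently. Either drop the two lines or replace them with proper delegations, `lan IN NS vidhar.yggdrasil.` and `mgmt IN NS vidhar.yggdrasil.`, so there is one authoritative source per name.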