nixos-config/config/services/named.nix

{
  pkgs,
  config,
  dns,
  ...
}: let
  darkkirb-de = import ../../zones/darkkirb.de.nix {inherit dns;};
  chir-rs = import ../../zones/chir.rs.nix {inherit dns;};
  int-chir-rs = import ../../zones/int.chir.rs.nix {inherit dns;};
  signzone = import ../../zones/signzone.nix;
in {
  imports = [
    (signzone {
      inherit dns;
      ksk = "services/dns/rs/chir/32969";
      zsk = "services/dns/rs/chir/51207";
      zone = chir-rs;
      zonename = "chir.rs";
    })
    (signzone {
      inherit dns;
      ksk = "services/dns/rs/chir/int/35133";
      zsk = "services/dns/rs/chir/int/19631";
      zone = int-chir-rs;
      zonename = "int.chir.rs";
    })
    (signzone {
      inherit dns;
      ksk = "services/dns/de/darkkirb/53136";
      zsk = "services/dns/de/darkkirb/61825";
      zone = darkkirb-de;
      zonename = "darkkirb.de";
    })
  ];

  services.bind = {
    enable = true;
    zones = {
      "darkkirb.de" = {
        master = true;
        file = "/var/lib/named/darkkirb.de";
        slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];
        extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";
      };
      "_acme-challenge.darkkirb.de" = {
        master = true;
        file = "/var/lib/named/_acme-challenge.darkkirb.de";
        extraConfig = ''
          update-policy {
            grant certbot. name _acme-challenge.darkkirb.de. txt;
          };
        '';
      };
      "chir.rs" = {
        master = true;
        file = "/var/lib/named/chir.rs";
        slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];
        extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";
      };
      "_acme-challenge.chir.rs" = {
        master = true;
        file = "/var/lib/named/_acme-challenge.chir.rs";
        extraConfig = ''
          update-policy {
            grant certbot. name _acme-challenge.chir.rs. txt;
          };
        '';
      };
      "int.chir.rs" = {
        master = true;
        file = "/var/lib/named/int.chir.rs";
        slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];
        extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";
      };
      "_acme-challenge.int.chir.rs" = {
        master = true;
        file = "/var/lib/named/_acme-challenge.int.chir.rs";
        extraConfig = ''
          update-policy {
            grant certbot. name _acme-challenge.int.chir.rs. txt;
          };
        '';
      };
    };
    extraConfig = ''
      statistics-channels {
        inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
      };
      include "/run/secrets/services/dns/named-keys";
    '';
    extraOptions = ''
      allow-recursion {
        127.0.0.1;
        ::1;
        fc00::/7;
        100.0.0.0/8;
      };
      recursion yes;
      dnssec-validation yes;
      allow-transfer {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};
      notify-delay 0;
    '';
  };
  networking.firewall.allowedTCPPorts = [53];
  networking.firewall.allowedUDPPorts = [53];
  services.prometheus.exporters.bind = {
    enable = true;
    bindGroups = ["server" "view" "tasks"];
    bindURI = "http://127.0.0.1:8653/";
    port = 1533;
  };
  services.prometheus.scrapeConfigs = [
    {
      job_name = "bind";
      static_configs = [
        {
          targets = [
            "127.0.0.1:${toString config.services.prometheus.exporters.bind.port}"
          ];
        }
      ];
    }
  ];
  sops.secrets."services/dns/named-keys" = {owner = "named";};
}
reformat repo 2022-06-12 15:39:15 +00:00			`{`
			`pkgs,`
			`config,`
			`dns,`
			`...`
			`}: let`
			`darkkirb-de = import ../../zones/darkkirb.de.nix {inherit dns;};`
			`chir-rs = import ../../zones/chir.rs.nix {inherit dns;};`
			`int-chir-rs = import ../../zones/int.chir.rs.nix {inherit dns;};`
Add authorative zones hopefully 2022-02-08 21:01:33 +00:00			`signzone = import ../../zones/signzone.nix;`
reformat repo 2022-06-12 15:39:15 +00:00			`in {`
Add authorative zones hopefully 2022-02-08 21:01:33 +00:00			`imports = [`
			`(signzone {`
			`inherit dns;`
add ksk and zsk, fix the file names, etc 2022-02-09 08:27:19 +00:00			`ksk = "services/dns/rs/chir/32969";`
			`zsk = "services/dns/rs/chir/51207";`
Add authorative zones hopefully 2022-02-08 21:01:33 +00:00			`zone = chir-rs;`
move chir.rs zone to the server 2022-02-09 08:47:35 +00:00			`zonename = "chir.rs";`
Add authorative zones hopefully 2022-02-08 21:01:33 +00:00			`})`
feat: Move the int.chir.rs zone to nix fix #43 2022-03-06 17:25:54 +00:00			`(signzone {`
			`inherit dns;`
			`ksk = "services/dns/rs/chir/int/35133";`
			`zsk = "services/dns/rs/chir/int/19631";`
			`zone = int-chir-rs;`
			`zonename = "int.chir.rs";`
			`})`
feat: Move over the darkkirb.de zone 2022-03-20 09:06:39 +00:00			`(signzone {`
			`inherit dns;`
			`ksk = "services/dns/de/darkkirb/53136";`
			`zsk = "services/dns/de/darkkirb/61825";`
			`zone = darkkirb-de;`
			`zonename = "darkkirb.de";`
			`})`
Add authorative zones hopefully 2022-02-08 21:01:33 +00:00			`];`

Make named a service 2022-01-14 19:56:02 +00:00			`services.bind = {`
			`enable = true;`
			`zones = {`
			`"darkkirb.de" = {`
feat: Move over the darkkirb.de zone 2022-03-20 09:06:39 +00:00			`master = true;`
			`file = "/var/lib/named/darkkirb.de";`
move named to tailscale 2023-02-02 19:15:16 +00:00			`slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];`
			`extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";`
feat: Move over the darkkirb.de zone 2022-03-20 09:06:39 +00:00			`};`
			`"_acme-challenge.darkkirb.de" = {`
			`master = true;`
set acme challenge path explicitely 2022-05-24 08:58:12 +00:00			`file = "/var/lib/named/_acme-challenge.darkkirb.de";`
feat: Move over the darkkirb.de zone 2022-03-20 09:06:39 +00:00			`extraConfig = ''`
			`update-policy {`
			`grant certbot. name _acme-challenge.darkkirb.de. txt;`
			`};`
			`'';`
Make named a service 2022-01-14 19:56:02 +00:00			`};`
			`"chir.rs" = {`
move chir.rs zone to the server 2022-02-09 08:47:35 +00:00			`master = true;`
			`file = "/var/lib/named/chir.rs";`
move named to tailscale 2023-02-02 19:15:16 +00:00			`slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];`
			`extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";`
Make named a service 2022-01-14 19:56:02 +00:00			`};`
move chir.rs zone to the server 2022-02-09 08:47:35 +00:00			`"_acme-challenge.chir.rs" = {`
Add authorative zones hopefully 2022-02-08 21:01:33 +00:00			`master = true;`
set acme challenge path explicitely 2022-05-24 08:58:12 +00:00			`file = "/var/lib/named/_acme-challenge.chir.rs";`
move chir.rs zone to the server 2022-02-09 08:47:35 +00:00			`extraConfig = ''`
			`update-policy {`
			`grant certbot. name _acme-challenge.chir.rs. txt;`
add missing semicolon 2022-02-09 08:54:55 +00:00			`};`
move chir.rs zone to the server 2022-02-09 08:47:35 +00:00			`'';`
Add authorative zones hopefully 2022-02-08 21:01:33 +00:00			`};`
Make named a service 2022-01-14 19:56:02 +00:00			`"int.chir.rs" = {`
feat: Move the int.chir.rs zone to nix fix #43 2022-03-06 17:25:54 +00:00			`master = true;`
			`file = "/var/lib/named/int.chir.rs";`
move named to tailscale 2023-02-02 19:15:16 +00:00			`slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];`
			`extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";`
feat: Move the int.chir.rs zone to nix fix #43 2022-03-06 17:25:54 +00:00			`};`
			`"_acme-challenge.int.chir.rs" = {`
			`master = true;`
set acme challenge path explicitely 2022-05-24 08:58:12 +00:00			`file = "/var/lib/named/_acme-challenge.int.chir.rs";`
feat: Move the int.chir.rs zone to nix fix #43 2022-03-06 17:25:54 +00:00			`extraConfig = ''`
			`update-policy {`
			`grant certbot. name _acme-challenge.int.chir.rs. txt;`
			`};`
			`'';`
Add named on instance-20221213-1915 2022-12-14 17:02:17 +00:00			`};`
Make named a service 2022-01-14 19:56:02 +00:00			`};`
add bind_exporter 2022-01-15 13:44:34 +00:00			`extraConfig = ''`
			`statistics-channels {`
move named to tailscale 2023-02-02 19:15:16 +00:00			`inet 127.0.0.1 port 8653 allow { 127.0.0.1; };`
Add missing semicolon 2022-01-15 13:46:28 +00:00			`};`
move chir.rs zone to the server 2022-02-09 08:47:35 +00:00			`include "/run/secrets/services/dns/named-keys";`
add bind_exporter 2022-01-15 13:44:34 +00:00			`'';`
Use a local caching rdns 2022-01-15 14:03:51 +00:00			`extraOptions = ''`
			`allow-recursion {`
			`127.0.0.1;`
			`::1;`
			`fc00::/7;`
move named to tailscale 2023-02-02 19:15:16 +00:00			`100.0.0.0/8;`
Use a local caching rdns 2022-01-15 14:03:51 +00:00			`};`
			`recursion yes;`
			`dnssec-validation yes;`
hotfix named 2023-02-04 08:30:17 +00:00			`allow-transfer {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};`
Update DNS config 2022-12-15 10:13:10 +00:00			`notify-delay 0;`
Use a local caching rdns 2022-01-15 14:03:51 +00:00			`'';`
Make named a service 2022-01-14 19:56:02 +00:00			`};`
reformat repo 2022-06-12 15:39:15 +00:00			`networking.firewall.allowedTCPPorts = [53];`
			`networking.firewall.allowedUDPPorts = [53];`
add bind_exporter 2022-01-15 13:44:34 +00:00			`services.prometheus.exporters.bind = {`
			`enable = true;`
reformat repo 2022-06-12 15:39:15 +00:00			`bindGroups = ["server" "view" "tasks"];`
move named to tailscale 2023-02-02 19:15:16 +00:00			`bindURI = "http://127.0.0.1:8653/";`
make prometheus/loki system-local 2023-12-10 09:36:28 +00:00			`port = 1533;`
add bind_exporter 2022-01-15 13:44:34 +00:00			`};`
make prometheus/loki system-local 2023-12-10 09:36:28 +00:00			`services.prometheus.scrapeConfigs = [`
			`{`
			`job_name = "bind";`
			`static_configs = [`
			`{`
			`targets = [`
fix bind and gitea eval 2023-12-10 10:37:09 +00:00			`"127.0.0.1:${toString config.services.prometheus.exporters.bind.port}"`
make prometheus/loki system-local 2023-12-10 09:36:28 +00:00			`];`
			`}`
			`];`
			`}`
			`];`
reformat repo 2022-06-12 15:39:15 +00:00			`sops.secrets."services/dns/named-keys" = {owner = "named";};`
Make named a service 2022-01-14 19:56:02 +00:00			`}`