nixos-config/config/services/named.nix

{
  pkgs,
  config,
  dns,
  hosts-list,
  ...
}: let
  darkkirb-de = import ../../zones/darkkirb.de.nix {inherit dns;};
  chir-rs = import ../../zones/chir.rs.nix {inherit dns;};
  int-chir-rs = import ../../zones/int.chir.rs.nix {inherit dns;};
  rpz-int-chir-rs = import ../../zones/rpz.int.chir.rs.nix {inherit pkgs hosts-list;};
  signzone = import ../../zones/signzone.nix;
  shitallover-me = import ../../zones/shitallover.me.nix {inherit dns;};
in {
  imports = [
    (signzone {
      inherit dns;
      ksk = "services/dns/rs/chir/32969";
      zsk = "services/dns/rs/chir/51207";
      zone = chir-rs;
      zonename = "chir.rs";
    })
    (signzone {
      inherit dns;
      ksk = "services/dns/rs/chir/int/35133";
      zsk = "services/dns/rs/chir/int/19631";
      zone = int-chir-rs;
      zonename = "int.chir.rs";
    })
    (signzone {
      inherit dns;
      ksk = "services/dns/de/darkkirb/53136";
      zsk = "services/dns/de/darkkirb/61825";
      zone = darkkirb-de;
      zonename = "darkkirb.de";
    })
    (signzone {
      inherit dns;
      zsk = "services/dns/me/shitallover/30477";
      ksk = "services/dns/me/shitallover/38310";
      zone = shitallover-me;
      zonename = "shitallover.me";
    })
  ];

  services.bind = {
    enable = true;
    zones = {
      "darkkirb.de" = {
        master = true;
        file = "/var/lib/named/darkkirb.de";
        slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];
        extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";
      };
      "_acme-challenge.darkkirb.de" = {
        master = true;
        file = "/var/lib/named/_acme-challenge.darkkirb.de";
        extraConfig = ''
          update-policy {
            grant certbot. name _acme-challenge.darkkirb.de. txt;
          };
        '';
      };
      "chir.rs" = {
        master = true;
        file = "/var/lib/named/chir.rs";
        slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];
        extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";
      };
      "_acme-challenge.chir.rs" = {
        master = true;
        file = "/var/lib/named/_acme-challenge.chir.rs";
        extraConfig = ''
          update-policy {
            grant certbot. name _acme-challenge.chir.rs. txt;
          };
        '';
      };
      "int.chir.rs" = {
        master = true;
        file = "/var/lib/named/int.chir.rs";
        slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];
        extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";
      };
      "_acme-challenge.int.chir.rs" = {
        master = true;
        file = "/var/lib/named/_acme-challenge.int.chir.rs";
        extraConfig = ''
          update-policy {
            grant certbot. name _acme-challenge.int.chir.rs. txt;
          };
        '';
      };
      "shitallover.me" = {
        master = true;
        file = "/var/lib/named/shitallover.me";
        slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];
        extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";
      };
      "_acme-challenge.shitallover.me" = {
        master = true;
        file = "/var/lib/named/_acme-challenge.shitallover.me";
        extraConfig = ''
          update-policy {
            grant certbot. name _acme-challenge.shitallover.me. txt;
          };
        '';
      };
      "rpz.int.chir.rs" = {
        master = true;
        file = "${rpz-int-chir-rs}";
        slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];
        extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";
      };
    };
    extraConfig = ''
      statistics-channels {
        inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
      };
      include "/run/secrets/services/dns/named-keys";
    '';
    extraOptions = ''
      allow-recursion {
        127.0.0.1;
        ::1;
        fc00::/7;
        100.0.0.0/8;
      };
      recursion yes;
      dnssec-validation yes;
      allow-transfer {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};
      notify-delay 0;
      response-policy {zone "rpz.int.chir.rs";};
    '';
  };
  networking.firewall.allowedTCPPorts = [53];
  networking.firewall.allowedUDPPorts = [53];
  services.prometheus.exporters.bind = {
    enable = true;
    bindGroups = ["server" "view" "tasks"];
    bindURI = "http://127.0.0.1:8653/";
  };
  sops.secrets."services/dns/named-keys" = {owner = "named";};
}
reformat repo 2022-06-12 15:39:15 +00:00			`{`
			`pkgs,`
			`config,`
			`dns,`
			`hosts-list,`
			`...`
			`}: let`
			`darkkirb-de = import ../../zones/darkkirb.de.nix {inherit dns;};`
			`chir-rs = import ../../zones/chir.rs.nix {inherit dns;};`
			`int-chir-rs = import ../../zones/int.chir.rs.nix {inherit dns;};`
			`rpz-int-chir-rs = import ../../zones/rpz.int.chir.rs.nix {inherit pkgs hosts-list;};`
Add authorative zones hopefully 2022-02-08 21:01:33 +00:00			`signzone = import ../../zones/signzone.nix;`
Add named on instance-20221213-1915 2022-12-14 17:02:17 +00:00			`shitallover-me = import ../../zones/shitallover.me.nix {inherit dns;};`
reformat repo 2022-06-12 15:39:15 +00:00			`in {`
Add authorative zones hopefully 2022-02-08 21:01:33 +00:00			`imports = [`
			`(signzone {`
			`inherit dns;`
add ksk and zsk, fix the file names, etc 2022-02-09 08:27:19 +00:00			`ksk = "services/dns/rs/chir/32969";`
			`zsk = "services/dns/rs/chir/51207";`
Add authorative zones hopefully 2022-02-08 21:01:33 +00:00			`zone = chir-rs;`
move chir.rs zone to the server 2022-02-09 08:47:35 +00:00			`zonename = "chir.rs";`
Add authorative zones hopefully 2022-02-08 21:01:33 +00:00			`})`
feat: Move the int.chir.rs zone to nix fix #43 2022-03-06 17:25:54 +00:00			`(signzone {`
			`inherit dns;`
			`ksk = "services/dns/rs/chir/int/35133";`
			`zsk = "services/dns/rs/chir/int/19631";`
			`zone = int-chir-rs;`
			`zonename = "int.chir.rs";`
			`})`
feat: Move over the darkkirb.de zone 2022-03-20 09:06:39 +00:00			`(signzone {`
			`inherit dns;`
			`ksk = "services/dns/de/darkkirb/53136";`
			`zsk = "services/dns/de/darkkirb/61825";`
			`zone = darkkirb-de;`
			`zonename = "darkkirb.de";`
			`})`
Add named on instance-20221213-1915 2022-12-14 17:02:17 +00:00			`(signzone {`
			`inherit dns;`
Hotfix dns 2022-12-14 18:50:12 +00:00			`zsk = "services/dns/me/shitallover/30477";`
			`ksk = "services/dns/me/shitallover/38310";`
Add named on instance-20221213-1915 2022-12-14 17:02:17 +00:00			`zone = shitallover-me;`
			`zonename = "shitallover.me";`
			`})`
Add authorative zones hopefully 2022-02-08 21:01:33 +00:00			`];`

Make named a service 2022-01-14 19:56:02 +00:00			`services.bind = {`
			`enable = true;`
			`zones = {`
			`"darkkirb.de" = {`
feat: Move over the darkkirb.de zone 2022-03-20 09:06:39 +00:00			`master = true;`
			`file = "/var/lib/named/darkkirb.de";`
move named to tailscale 2023-02-02 19:15:16 +00:00			`slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];`
			`extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";`
feat: Move over the darkkirb.de zone 2022-03-20 09:06:39 +00:00			`};`
			`"_acme-challenge.darkkirb.de" = {`
			`master = true;`
set acme challenge path explicitely 2022-05-24 08:58:12 +00:00			`file = "/var/lib/named/_acme-challenge.darkkirb.de";`
feat: Move over the darkkirb.de zone 2022-03-20 09:06:39 +00:00			`extraConfig = ''`
			`update-policy {`
			`grant certbot. name _acme-challenge.darkkirb.de. txt;`
			`};`
			`'';`
Make named a service 2022-01-14 19:56:02 +00:00			`};`
			`"chir.rs" = {`
move chir.rs zone to the server 2022-02-09 08:47:35 +00:00			`master = true;`
			`file = "/var/lib/named/chir.rs";`
move named to tailscale 2023-02-02 19:15:16 +00:00			`slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];`
			`extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";`
Make named a service 2022-01-14 19:56:02 +00:00			`};`
move chir.rs zone to the server 2022-02-09 08:47:35 +00:00			`"_acme-challenge.chir.rs" = {`
Add authorative zones hopefully 2022-02-08 21:01:33 +00:00			`master = true;`
set acme challenge path explicitely 2022-05-24 08:58:12 +00:00			`file = "/var/lib/named/_acme-challenge.chir.rs";`
move chir.rs zone to the server 2022-02-09 08:47:35 +00:00			`extraConfig = ''`
			`update-policy {`
			`grant certbot. name _acme-challenge.chir.rs. txt;`
add missing semicolon 2022-02-09 08:54:55 +00:00			`};`
move chir.rs zone to the server 2022-02-09 08:47:35 +00:00			`'';`
Add authorative zones hopefully 2022-02-08 21:01:33 +00:00			`};`
Make named a service 2022-01-14 19:56:02 +00:00			`"int.chir.rs" = {`
feat: Move the int.chir.rs zone to nix fix #43 2022-03-06 17:25:54 +00:00			`master = true;`
			`file = "/var/lib/named/int.chir.rs";`
move named to tailscale 2023-02-02 19:15:16 +00:00			`slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];`
			`extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";`
feat: Move the int.chir.rs zone to nix fix #43 2022-03-06 17:25:54 +00:00			`};`
			`"_acme-challenge.int.chir.rs" = {`
			`master = true;`
set acme challenge path explicitely 2022-05-24 08:58:12 +00:00			`file = "/var/lib/named/_acme-challenge.int.chir.rs";`
feat: Move the int.chir.rs zone to nix fix #43 2022-03-06 17:25:54 +00:00			`extraConfig = ''`
			`update-policy {`
			`grant certbot. name _acme-challenge.int.chir.rs. txt;`
			`};`
			`'';`
Add named on instance-20221213-1915 2022-12-14 17:02:17 +00:00			`};`
			`"shitallover.me" = {`
			`master = true;`
			`file = "/var/lib/named/shitallover.me";`
move named to tailscale 2023-02-02 19:15:16 +00:00			`slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];`
			`extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";`
Add named on instance-20221213-1915 2022-12-14 17:02:17 +00:00			`};`
			`"_acme-challenge.shitallover.me" = {`
			`master = true;`
			`file = "/var/lib/named/_acme-challenge.shitallover.me";`
			`extraConfig = ''`
			`update-policy {`
			`grant certbot. name _acme-challenge.shitallover.me. txt;`
			`};`
			`'';`
Various dns update and fix _acme-challenge hopefully 2022-12-15 16:07:28 +00:00			`};`
			`"rpz.int.chir.rs" = {`
			`master = true;`
			`file = "${rpz-int-chir-rs}";`
move named to tailscale 2023-02-02 19:15:16 +00:00			`slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"];`
			`extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};";`
Make named a service 2022-01-14 19:56:02 +00:00			`};`
			`};`
add bind_exporter 2022-01-15 13:44:34 +00:00			`extraConfig = ''`
			`statistics-channels {`
move named to tailscale 2023-02-02 19:15:16 +00:00			`inet 127.0.0.1 port 8653 allow { 127.0.0.1; };`
Add missing semicolon 2022-01-15 13:46:28 +00:00			`};`
move chir.rs zone to the server 2022-02-09 08:47:35 +00:00			`include "/run/secrets/services/dns/named-keys";`
add bind_exporter 2022-01-15 13:44:34 +00:00			`'';`
Use a local caching rdns 2022-01-15 14:03:51 +00:00			`extraOptions = ''`
			`allow-recursion {`
			`127.0.0.1;`
			`::1;`
			`fc00::/7;`
move named to tailscale 2023-02-02 19:15:16 +00:00			`100.0.0.0/8;`
Use a local caching rdns 2022-01-15 14:03:51 +00:00			`};`
			`recursion yes;`
			`dnssec-validation yes;`
hotfix named 2023-02-04 08:30:17 +00:00			`allow-transfer {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};`
Update DNS config 2022-12-15 10:13:10 +00:00			`notify-delay 0;`
Various dns update and fix _acme-challenge hopefully 2022-12-15 16:07:28 +00:00			`response-policy {zone "rpz.int.chir.rs";};`
Use a local caching rdns 2022-01-15 14:03:51 +00:00			`'';`
Make named a service 2022-01-14 19:56:02 +00:00			`};`
reformat repo 2022-06-12 15:39:15 +00:00			`networking.firewall.allowedTCPPorts = [53];`
			`networking.firewall.allowedUDPPorts = [53];`
add bind_exporter 2022-01-15 13:44:34 +00:00			`services.prometheus.exporters.bind = {`
			`enable = true;`
reformat repo 2022-06-12 15:39:15 +00:00			`bindGroups = ["server" "view" "tasks"];`
move named to tailscale 2023-02-02 19:15:16 +00:00			`bindURI = "http://127.0.0.1:8653/";`
add bind_exporter 2022-01-15 13:44:34 +00:00			`};`
reformat repo 2022-06-12 15:39:15 +00:00			`sops.secrets."services/dns/named-keys" = {owner = "named";};`
Make named a service 2022-01-14 19:56:02 +00:00			`}`