2022-12-15 16:41:40 +00:00
9 changed files with 28 additions and 128 deletions
--- a/config/instance-20221213-1915.nix
+++ b/config/instance-20221213-1915.nix
@ -98,4 +98,5 @@
    path = "/etc/secrets/initrd/ssh_host_ed25519_key";
  };
  sops.age.sshKeyPaths = lib.mkForce ["/persist/ssh/ssh_host_ed25519_key"];
+  services.bind.forwarders = lib.mkForce [];
 }
--- a/config/nixos-8gb-fsn1-1.nix
+++ b/config/nixos-8gb-fsn1-1.nix
@ -200,4 +200,7 @@
    max_parallel_workers = 2;
    max_parallel_maintenance_workers = 1;
  };
+
+  services.resolved.enable = false;
+  services.bind.forwarders = lib.mkForce [];
 }
--- a/config/services/named-submissive.nix
+++ b/config/services/named-submissive.nix
@ -18,13 +18,10 @@ in {
    enable = true;
    zones = {
      "darkkirb.de" = mkZone "darkkirb.de";
-      "_acme-challenge.darkkirb.de" = mkZone "_acme-challenge.darkkirb.de";
      "chir.rs" = mkZone "chir.rs";
-      "_acme-challenge.chir.rs" = mkZone "_acme-challenge.chir.rs";
      "int.chir.rs" = mkZone "int.chir.rs";
-      "_acme-challenge.int.chir.rs" = mkZone "_acme-challenge.int.chir.rs";
+      "rpz.int.chir.rs" = mkZone "rpz.int.chir.rs";
      "shitallover.me" = mkZone "shitallover.me";
-      "_acme-challenge.shitallover.me" = mkZone "_acme-challenge.shitallover.me";
    };
    extraConfig = ''
      statistics-channels {
@ -40,6 +37,7 @@ in {
      recursion yes;
      dnssec-validation yes;
      allow-notify { 130.162.60.127; 2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49; 138.201.155.128; 2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49; fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49; };
+      response-policy {zone "rpz.int.chir.rs";};
    '';
  };
  networking.firewall.allowedTCPPorts = [53];
--- a/config/services/named.nix
+++ b/config/services/named.nix
@ -62,9 +62,7 @@ in {
          update-policy {
            grant certbot. name _acme-challenge.darkkirb.de. txt;
          };
-          also-notify {fd0d:a262:1fa6:e621:746d:4523:5c04:1453;};
        '';
-        slaves = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453"];
      };
      "chir.rs" = {
        master = true;
@ -79,9 +77,7 @@ in {
          update-policy {
            grant certbot. name _acme-challenge.chir.rs. txt;
          };
-          also-notify {fd0d:a262:1fa6:e621:746d:4523:5c04:1453;};
        '';
-        slaves = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453"];
      };
      "int.chir.rs" = {
        master = true;
@ -96,9 +92,7 @@ in {
          update-policy {
            grant certbot. name _acme-challenge.int.chir.rs. txt;
          };
-          also-notify {fd0d:a262:1fa6:e621:746d:4523:5c04:1453;};
        '';
-        slaves = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453"];
      };
      "shitallover.me" = {
        master = true;
@ -113,14 +107,14 @@ in {
          update-policy {
            grant certbot. name _acme-challenge.shitallover.me. txt;
          };
-          also-notify {fd0d:a262:1fa6:e621:746d:4523:5c04:1453;};
        '';
-        slaves = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453"];
      };
-      #"rpz.int.chir.rs" = {
-      #  master = true;
-      #  file = "${rpz-int-chir-rs}";
-      #};
+      "rpz.int.chir.rs" = {
+        master = true;
+        file = "${rpz-int-chir-rs}";
+        slaves = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453"];
+        extraConfig = "also-notify {fd0d:a262:1fa6:e621:746d:4523:5c04:1453;};";
+      };
    };
    extraConfig = ''
      statistics-channels {
@ -138,6 +132,7 @@ in {
      dnssec-validation yes;
      allow-transfer { fd0d:a262:1fa6:e621:746d:4523:5c04:1453; };
      notify-delay 0;
+      response-policy {zone "rpz.int.chir.rs";};
    '';
  };
  networking.firewall.allowedTCPPorts = [53];
--- a/zones/chir.rs.nix
+++ b/zones/chir.rs.nix
@ -124,7 +124,7 @@ with dns.lib.combinators; let
    SOA = {
      nameServer = "ns1.chir.rs.";
      adminEmail = "lotte@chir.rs";
-      serial = 22;
+      serial = 23;
    };
    NS = [
      "ns1.chir.rs."
@ -248,12 +248,6 @@ with dns.lib.combinators; let
      _acme-challenge = delegateTo [
        "ns1.chir.rs."
        "ns2.chir.rs."
-        "ns3.chir.rs."
-        "ns4.chir.rs."
-        "ns1.darkkirb.de."
-        "ns2.darkkirb.de."
-        "ns1.shitallover.me."
-        "ns2.shitallover.me."
      ];
    };
  };
--- a/zones/darkkirb.de.nix
+++ b/zones/darkkirb.de.nix
@ -124,7 +124,7 @@ with dns.lib.combinators; let
    SOA = {
      nameServer = "ns1.darkkirb.de.";
      adminEmail = "lotte@chir.rs";
-      serial = 3;
+      serial = 4;
    };
    NS = [
      "ns1.chir.rs."
@ -207,12 +207,6 @@ with dns.lib.combinators; let
      _acme-challenge = delegateTo [
        "ns1.chir.rs."
        "ns2.chir.rs."
-        "ns3.chir.rs."
-        "ns4.chir.rs."
-        "ns1.darkkirb.de."
-        "ns2.darkkirb.de."
-        "ns1.shitallover.me."
-        "ns2.shitallover.me."
      ];
      www = createZone {};
      static = createZone {};
--- a/zones/int.chir.rs.nix
+++ b/zones/int.chir.rs.nix
@ -15,7 +15,7 @@ in {
  SOA = {
    nameServer = "ns1.chir.rs.";
    adminEmail = "lotte@chir.rs";
-    serial = 19;
+    serial = 20;
  };
  NS = [
    "ns1.chir.rs."
@ -195,7 +195,7 @@ in {
      ];
    };
    thinkrac.AAAA = [
-      (ttl zoneTTL (aaaa "fd0d:a262:1fa6:e621:bc9b:6a33:86e4:873b"))
+      (ttl zoneTTL (aaaa "fd0d:a262:1fa6:e621:f45a:db9f:eb7c:1a3f"))
    ];
    nas = {
      AAAA = [
@ -274,12 +274,6 @@ in {
    _acme-challenge = delegateTo [
      "ns1.chir.rs."
      "ns2.chir.rs."
-      "ns3.chir.rs."
-      "ns4.chir.rs."
-      "ns1.darkkirb.de."
-      "ns2.darkkirb.de."
-      "ns1.shitallover.me."
-      "ns2.shitallover.me."
    ];
  };
 }
--- a/zones/rpz.int.chir.rs.nix
+++ b/zones/rpz.int.chir.rs.nix
@ -5,80 +5,8 @@
 }: let
  hostfiles-lists = [
    {
-      name = "Badd-Boyz-Hosts";
-      path = "${hosts-list}/data/Badd-Boyz-Hosts/hosts";
-    }
-    {
-      name = "KADhosts";
-      path = "${hosts-list}/data/KADhosts/hosts";
-    }
-    {
-      name = "MetaMask";
-      path = "${hosts-list}/data/MetaMask/hosts";
-    }
-    {
-      name = "StevenBlack";
-      path = "${hosts-list}/data/StevenBlack/hosts";
-    }
-    {
-      name = "URLHaus";
-      path = "${hosts-list}/data/URLHaus/hosts";
-    }
-    {
-      name = "UncheckyAds";
-      path = "${hosts-list}/data/UncheckyAds/hosts";
-    }
-    {
-      name = "adaway.org";
-      path = "${hosts-list}/data/adaway.org/hosts";
-    }
-    {
-      name = "add.2o7Net";
-      path = "${hosts-list}/data/add.2o7Net/hosts";
-    }
-    {
-      name = "add.Dead";
-      path = "${hosts-list}/data/add.Dead/hosts";
-    }
-    {
-      name = "add.Risk";
-      path = "${hosts-list}/data/add.Risk/hosts";
-    }
-    {
-      name = "add.Spam";
-      path = "${hosts-list}/data/add.Spam/hosts";
-    }
-    {
-      name = "hostsVN";
-      path = "${hosts-list}/data/hostsVN/hosts";
-    }
-    {
-      name = "mvps.org";
-      path = "${hosts-list}/data/mvps.org/hosts";
-    }
-    {
-      name = "shady-hosts";
-      path = "${hosts-list}/data/shady-hosts/hosts";
-    }
-    {
-      name = "someonewhocares.org";
-      path = "${hosts-list}/data/someonewhocares.org/hosts";
-    }
-    {
-      name = "tiuxo";
-      path = "${hosts-list}/data/tiuxo/hosts";
-    }
-    {
-      name = "yoyo.org";
-      path = "${hosts-list}/data/yoyo.org/hosts";
-    }
-    {
-      name = "fakenews";
-      path = "${hosts-list}/extensions/fakenews/hosts";
-    }
-    {
-      name = "gambling";
-      path = "${hosts-list}/extensions/gambling/hosts";
+      name = "Unified-fakenews-gambling";
+      path = "${hosts-list}/alternates/fakenews-gambling/hosts";
    }
  ];
  hostfile-to-hostname-list = hostfile: {
@ -99,14 +27,6 @@
  };
  hostname-lists =
    [
-      {
-        name = "Adguard-cname";
-        path = "${hosts-list}/data/Adguard-cname/hosts";
-      }
-      {
-        name = "minecraft-hosts";
-        path = "${hosts-list}/data/minecraft-hosts/hosts";
-      }
      {
        name = "no-application-dns";
        path = pkgs.writeText "no-application-dns" "use-application-dns.net";
@ -123,7 +43,14 @@
  '';
 in
  pkgs.runCommand "rpz.int.chir.rs" {} ''
-    echo "@ 3600 IN SOA ns2.darkkirb.de. lotte.chir.rs. 2 86400 7200 2592000 86400" > $out
+    echo "@ 3600 IN SOA ns1.chir.rs. lotte.chir.rs. ${toString hosts-list.lastModified} 86400 7200 2592000 86400" > $out
+    echo "@ 3600 IN NS ns1.chir.rs. " >> $out
+    echo "@ 3600 IN NS ns2.chir.rs. " >> $out
+    echo "@ 3600 IN NS ns3.chir.rs. " >> $out
+    echo "@ 3600 IN NS ns4.chir.rs. " >> $out
+    echo "@ 3600 IN NS ns1.darkkirb.de. " >> $out
    echo "@ 3600 IN NS ns2.darkkirb.de. " >> $out
+    echo "@ 3600 IN NS ns1.shitallover.me. " >> $out
+    echo "@ 3600 IN NS ns2.shitallover.me. " >> $out
    sed 's/$/ IN CNAME ./' ${concat-hostname-list} >> $out
  ''
--- a/zones/shitallover.me.nix
+++ b/zones/shitallover.me.nix
@ -124,7 +124,7 @@ with dns.lib.combinators; let
    SOA = {
      nameServer = "ns1.shitallover.me.";
      adminEmail = "lotte@chir.rs";
-      serial = 1;
+      serial = 2;
    };
    NS = [
      "ns1.chir.rs."
@ -193,12 +193,6 @@ with dns.lib.combinators; let
      _acme-challenge = delegateTo [
        "ns1.chir.rs."
        "ns2.chir.rs."
-        "ns3.chir.rs."
-        "ns4.chir.rs."
-        "ns1.darkkirb.de."
-        "ns2.darkkirb.de."
-        "ns1.shitallover.me."
-        "ns2.shitallover.me."
      ];
      www = createZone {};
      ns1 = createZone {};