From 3909d7428d8a1135a25040dd2da8d176dec98cdb Mon Sep 17 00:00:00 2001
From: Sebastien Bourdeauducq
Date: Sun, 26 Jun 2022 16:57:17 +0800
Subject: [PATCH] nixbld: DNS server (WIP)
---
 nixbld-etc-nixos/configuration.nix | 30 ++++++++++----
 nixbld-etc-nixos/m-labs.zone | 66 ++++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+), 8 deletions(-)
 create mode 100644 nixbld-etc-nixos/m-labs.zone
diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index 11394a9..49c7544 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -64,7 +64,7 @@ in
 hostName = "nixbld";
 hostId = "e423f012";
 firewall = {
- allowedTCPPorts = [ 80 443 7402 ];
+ allowedTCPPorts = [ 53 80 443 7402 ];
 allowedUDPPorts = [ 53 67 ];
 trustedInterfaces = [ netifLan ];
 };
@@ -145,11 +145,25 @@ in
 boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
 boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
-services.unbound = {
+# https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
+# dnssec-keygen -a ECDSAP384SHA384 -n ZONE m-labs.hk
+# dnssec-keygen -f KSK -a ECDSAP384SHA384 -n ZONE m-labs.hk
+# cat *.key >> m-labs.zone
+# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o m-labs.hk -t /etc/nixos/m-labs.zone
+# cat dsset* --> update DS at registrar
+# check results at https://dnsviz.net/
+services.bind = {
 enable = true;
- settings = {
- server = {
- port = 5353;
+ listenOn = [ "42.200.147.171" ];
+ listenOnIpv6 = [ "2001:470:18:629::2" ];
+ forwarders = [];
+ extraOptions = "listen-on-v6 port 5354 { ::1; };";
+ cacheNetworks = [ "::1/128" ];
+ zones = {
+ "XN--WBTZ5WPQAJ35CFXC.XN--J6W193G" = {
+ name = "XN--WBTZ5WPQAJ35CFXC.XN--J6W193G";
+ master = true;
+ file = "/etc/nixos/m-labs.zone.signed";
 };
 };
 };
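Review bot: Adding 53/TCP to `allowedTCPPorts` exposes BIND for zone transfers as well as for the TCP fallback that DNSSEC-sized answers need, and nothing in this commit sets a transfer ACL; the `services.bind` hunk that follows only restricts recursion (`cacheNetworks = [ "::1/128" ]`). I would either list the intended secondaries on the zone (the NixOS module's per-zone secondary list is what becomes `allow-transfer`, if I remember the module correctly) or put `allow-transfer { none; };` in the zone's `extraConfig`, and then confirm from outside with `dig @42.200.147.171 AXFR XN--WBTZ5WPQAJ35CFXC.XN--J6W193G` that transfers are refused. The attrset this hunk edits (presumably `networking`) starts and ends outside the hunk.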
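Review bot: The signing recipe in the new comment block names the zone `m-labs.hk` (`-n ZONE m-labs.hk`, `-o m-labs.hk`) while the zone declared below, and the DNSKEY comments appended to the zone file, are for `XN--WBTZ5WPQAJ35CFXC.XN--J6W193G`; either the comment documents a different zone or the commands were actually run with the IDN, and either way it should match the configured origin, e.g. `# dnssec-signzone -A -3 <salt> -N INCREMENT -o XN--WBTZ5WPQAJ35CFXC.XN--J6W193G -t /etc/nixos/m-labs.zone`. The recipe also leaves re-signing manual: `dnssec-signzone` without `-e` emits RRSIGs valid for 30 days by default, after which validating resolvers return SERVFAIL for the whole domain until someone re-runs it, so a systemd timer or BIND's own `dnssec-policy` would remove that failure mode. `dnssec-keygen` additionally drops `K*.private` files next to the `.key` files that `cat *.key` appends to the zone; if `/etc/nixos` is a checkout of this repository, those need to be git-ignored so the private ZSK/KSK do not land in git beside this zone. The module attrset this hunk edits starts and ends outside the hunk.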
@@ -172,7 +186,7 @@ in
 };
 services.dnsmasq = {
 enable = true;
- servers = ["::1#5353"];
+ servers = ["::1#5354"];
 extraConfig = ''
 interface=${netifLan}
 interface=${netifWifi}
@@ -553,8 +567,8 @@ in
 };
 };
 # https://github.com/NixOS/nixpkgs/issues/106862
- systemd.services."acme-fixperms".wants = [ "unbound.service" "dnsmasq.service" ];
- systemd.services."acme-fixperms".after = [ "unbound.service" "dnsmasq.service" ];
+ systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
+ systemd.services."acme-fixperms".after = [ "bind.service" "dnsmasq.service" ];
 services.nginx = {
 enable = true;
 recommendedProxySettings = true;
diff --git a/nixbld-etc-nixos/m-labs.zone b/nixbld-etc-nixos/m-labs.zone
new file mode 100644
index 0000000..9bd273a
--- /dev/null
+++ b/nixbld-etc-nixos/m-labs.zone
@@ -0,0 +1,66 @@
+$ORIGIN XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
+$TTL 86400
+XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN SOA 42-200-147-171.static.imsbiz.com. sb.m-labs.hk. (
+ 2022050801
+ 10800
+ 3600
+ 604800
+ 86400 )
+
+ NS 42-200-147-171.static.imsbiz.com.
+ NS m-labs.science.
+
+ A 42.200.147.171
+ AAAA 2001:470:18:629::2
+
+$ORIGIN XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
+$TTL 10800
+lab A 42.200.147.171
+lab AAAA 2001:470:18:629::2
+www A 42.200.147.171
+www AAAA 2001:470:18:629::2
+nixbld A 42.200.147.171
+nixbld AAAA 2001:470:18:629::2
+call A 42.200.147.171
+call AAAA 2001:470:18:629::2
+conda A 42.200.147.171
+conda AAAA 2001:470:18:629::2
+git A 42.200.147.171
+git AAAA 2001:470:18:629::2
+chat A 42.200.147.171
+chat AAAA 2001:470:18:629::2
+hooks A 42.200.147.171
+hooks AAAA 2001:470:18:629::2
+forum A 42.200.147.171
+forum AAAA 2001:470:18:629::2
+perso A 42.200.147.171
+perso AAAA 2001:470:18:629::2
+rt A 42.200.147.171
+rt AAAA 2001:470:18:629::2
+
+rpi-1 AAAA 2001:470:f821:1:dea6:32ff:fe8a:6a93
+rpi-2 AAAA 2001:470:f821:1:ba27:ebff:fef0:e9e6
+rpi-3 AAAA 2001:470:f821:1:dea6:32ff:fe14:fd67
+rpi-4 AAAA 2001:470:f821:1:dea6:32ff:fe14:fce9
+rpi-ext AAAA 2001:470:f821:1:dea6:32ff:fe95:2fcf
+juno AAAA 2001:470:f821:1:2fcb:b47b:1b5f:eac4
+cnc AAAA 2001:470:f821:1:021e:c9ff:fe75:b6d3
+zeus AAAA 2001:470:f821:1:9a72:a418:5466:0b9a
+hera AAAA 2001:470:f821:1:8406:1390:2110:5825
+chiron AAAA 2001:470:f821:1:addc:01ca:febc:a468
+hestia AAAA 2001:470:f821:1:ef18:fbec:2162:2c4c
+vulcan AAAA 2001:470:f821:1:a9aa:5da6:d8ee:84db
+old-nixbld AAAA 2001:470:f821:1:021f:bcff:fe12:9170
+franz AAAA 2001:470:f821:1:39a9:9221:da3d:f6e2
+
+; This is a zone-signing key, keyid 18823, for XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
+; Created: 20220626080122 (Sun Jun 26 16:01:22 2022)
+; Publish: 20220626080122 (Sun Jun 26 16:01:22 2022)
+; Activate: 20220626080122 (Sun Jun 26 16:01:22 2022)
+XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN DNSKEY 256 3 14 ZFDSxnY5Pg92E7XuNDkOxFQUtdFtXmV339GjVxguEPbzbdEtGRghNzef qLHVNOCUIfYxI5efxegmINMWEEPpiJSf55bzM6EYeWw+colfTQIJ0E/p 2iF7vSKxogkZf/zP
+; This is a key-signing key, keyid 29869, for XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
+; Created: 20220626080139 (Sun Jun 26 16:01:39 2022)
+; Publish: 20220626080139 (Sun Jun 26 16:01:39 2022)
+; Activate: 20220626080139 (Sun Jun 26 16:01:39 2022)
+XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN DNSKEY 257 3 14 f/dkVlLL8LNWnbVE1nvEls24e/2Jz62fca5ZlJWnRaKpzMNbXFSX6+HT rH10WL4rwLY8Aa8AsogMbj9D8OS6Xalv9NwQKvoSZ1TwXun3N2RoNoXp xC7NXtT9H6l7ZPFk
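Review bot: The zone lists `m-labs.science.` as a second NS, but nothing in this commit provisions that host as a secondary (no secondary list or notify target in the BIND config, and the only visible primary is this box), so either it is a lame delegation or it is served by hand from elsewhere; if it is meant to AXFR from here it needs to be declared as a secondary of the zone, otherwise drop the `NS m-labs.science.` record until it is. Both NS names and the SOA MNAME are `42-200-147-171.static.imsbiz.com.`, a hostname outside the zone and under the ISP's control; an in-zone `ns1` A/AAAA with glue at the registrar would keep the delegation in your hands. The `rpi-*`, `juno`, `cnc`, `zeus` and similar records publish globally routable addresses of internal lab machines in a public signed zone — the NSEC3 salt in the signing recipe makes enumeration harder, but each name still resolves for anyone who guesses it, and since dnsmasq already serves the LAN these could stay in an internal view instead. Note also that `-N INCREMENT` in the signing recipe bumps the serial of the input file, so with the source left at `2022050801` every re-signing emits the same `2022050802` and secondaries will never refresh; `-N unixtime` (or bumping the serial here on each edit) avoids that.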