1
0
Fork 0

nixbld: DNS server (WIP)

This commit is contained in:
Sebastien Bourdeauducq 2022-06-26 16:57:17 +08:00
parent 70ad63ca56
commit 3909d7428d
2 changed files with 88 additions and 8 deletions

View File

@ -64,7 +64,7 @@ in
hostName = "nixbld"; hostName = "nixbld";
hostId = "e423f012"; hostId = "e423f012";
firewall = { firewall = {
allowedTCPPorts = [ 80 443 7402 ]; allowedTCPPorts = [ 53 80 443 7402 ];
allowedUDPPorts = [ 53 67 ]; allowedUDPPorts = [ 53 67 ];
trustedInterfaces = [ netifLan ]; trustedInterfaces = [ netifLan ];
}; };
@ -145,11 +145,25 @@ in
boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0"; boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0"; boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
services.unbound = { # https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
# dnssec-keygen -a ECDSAP384SHA384 -n ZONE m-labs.hk
# dnssec-keygen -f KSK -a ECDSAP384SHA384 -n ZONE m-labs.hk
# cat *.key >> m-labs.zone
# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o m-labs.hk -t /etc/nixos/m-labs.zone
# cat dsset* --> update DS at registrar
# check results at https://dnsviz.net/
services.bind = {
enable = true; enable = true;
settings = { listenOn = [ "42.200.147.171" ];
server = { listenOnIpv6 = [ "2001:470:18:629::2" ];
port = 5353; forwarders = [];
extraOptions = "listen-on-v6 port 5354 { ::1; };";
cacheNetworks = [ "::1/128" ];
zones = {
"XN--WBTZ5WPQAJ35CFXC.XN--J6W193G" = {
name = "XN--WBTZ5WPQAJ35CFXC.XN--J6W193G";
master = true;
file = "/etc/nixos/m-labs.zone.signed";
}; };
}; };
}; };
@ -172,7 +186,7 @@ in
}; };
services.dnsmasq = { services.dnsmasq = {
enable = true; enable = true;
servers = ["::1#5353"]; servers = ["::1#5354"];
extraConfig = '' extraConfig = ''
interface=${netifLan} interface=${netifLan}
interface=${netifWifi} interface=${netifWifi}
@ -553,8 +567,8 @@ in
}; };
}; };
# https://github.com/NixOS/nixpkgs/issues/106862 # https://github.com/NixOS/nixpkgs/issues/106862
systemd.services."acme-fixperms".wants = [ "unbound.service" "dnsmasq.service" ]; systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
systemd.services."acme-fixperms".after = [ "unbound.service" "dnsmasq.service" ]; systemd.services."acme-fixperms".after = [ "bind.service" "dnsmasq.service" ];
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedProxySettings = true; recommendedProxySettings = true;

View File

@ -0,0 +1,66 @@
$ORIGIN XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
$TTL 86400
XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN SOA 42-200-147-171.static.imsbiz.com. sb.m-labs.hk. (
2022050801
10800
3600
604800
86400 )
NS 42-200-147-171.static.imsbiz.com.
NS m-labs.science.
A 42.200.147.171
AAAA 2001:470:18:629::2
$ORIGIN XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
$TTL 10800
lab A 42.200.147.171
lab AAAA 2001:470:18:629::2
www A 42.200.147.171
www AAAA 2001:470:18:629::2
nixbld A 42.200.147.171
nixbld AAAA 2001:470:18:629::2
call A 42.200.147.171
call AAAA 2001:470:18:629::2
conda A 42.200.147.171
conda AAAA 2001:470:18:629::2
git A 42.200.147.171
git AAAA 2001:470:18:629::2
chat A 42.200.147.171
chat AAAA 2001:470:18:629::2
hooks A 42.200.147.171
hooks AAAA 2001:470:18:629::2
forum A 42.200.147.171
forum AAAA 2001:470:18:629::2
perso A 42.200.147.171
perso AAAA 2001:470:18:629::2
rt A 42.200.147.171
rt AAAA 2001:470:18:629::2
rpi-1 AAAA 2001:470:f821:1:dea6:32ff:fe8a:6a93
rpi-2 AAAA 2001:470:f821:1:ba27:ebff:fef0:e9e6
rpi-3 AAAA 2001:470:f821:1:dea6:32ff:fe14:fd67
rpi-4 AAAA 2001:470:f821:1:dea6:32ff:fe14:fce9
rpi-ext AAAA 2001:470:f821:1:dea6:32ff:fe95:2fcf
juno AAAA 2001:470:f821:1:2fcb:b47b:1b5f:eac4
cnc AAAA 2001:470:f821:1:021e:c9ff:fe75:b6d3
zeus AAAA 2001:470:f821:1:9a72:a418:5466:0b9a
hera AAAA 2001:470:f821:1:8406:1390:2110:5825
chiron AAAA 2001:470:f821:1:addc:01ca:febc:a468
hestia AAAA 2001:470:f821:1:ef18:fbec:2162:2c4c
vulcan AAAA 2001:470:f821:1:a9aa:5da6:d8ee:84db
old-nixbld AAAA 2001:470:f821:1:021f:bcff:fe12:9170
franz AAAA 2001:470:f821:1:39a9:9221:da3d:f6e2
; This is a zone-signing key, keyid 18823, for XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
; Created: 20220626080122 (Sun Jun 26 16:01:22 2022)
; Publish: 20220626080122 (Sun Jun 26 16:01:22 2022)
; Activate: 20220626080122 (Sun Jun 26 16:01:22 2022)
XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN DNSKEY 256 3 14 ZFDSxnY5Pg92E7XuNDkOxFQUtdFtXmV339GjVxguEPbzbdEtGRghNzef qLHVNOCUIfYxI5efxegmINMWEEPpiJSf55bzM6EYeWw+colfTQIJ0E/p 2iF7vSKxogkZf/zP
; This is a key-signing key, keyid 29869, for XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
; Created: 20220626080139 (Sun Jun 26 16:01:39 2022)
; Publish: 20220626080139 (Sun Jun 26 16:01:39 2022)
; Activate: 20220626080139 (Sun Jun 26 16:01:39 2022)
XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN DNSKEY 257 3 14 f/dkVlLL8LNWnbVE1nvEls24e/2Jz62fca5ZlJWnRaKpzMNbXFSX6+HT rH10WL4rwLY8Aa8AsogMbj9D8OS6Xalv9NwQKvoSZ1TwXun3N2RoNoXp xC7NXtT9H6l7ZPFk