nixbld: DNS server (WIP)
parent
70ad63ca56
commit
3909d7428d
@ -64,7 +64,7 @@ in
hostName = "nixbld";
hostName = "nixbld";
hostId = "e423f012";
hostId = "e423f012";
firewall = {
firewall = {
allowedTCPPorts = [ 80 443 7402 ];
allowedTCPPorts = [ 53 80 443 7402 ];
allowedUDPPorts = [ 53 67 ];
allowedUDPPorts = [ 53 67 ];
trustedInterfaces = [ netifLan ];
trustedInterfaces = [ netifLan ];
};
};
@ -145,11 +145,25 @@ in
boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
services.unbound = {
# https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
# dnssec-keygen -a ECDSAP384SHA384 -n ZONE m-labs.hk
# dnssec-keygen -f KSK -a ECDSAP384SHA384 -n ZONE m-labs.hk
# cat *.key >> m-labs.zone
# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o m-labs.hk -t /etc/nixos/m-labs.zone
# cat dsset* --> update DS at registrar
# check results at https://dnsviz.net/
services.bind = {
enable = true;
enable = true;
settings = {
listenOn = [ "42.200.147.171" ];
server = {
listenOnIpv6 = [ "2001:470:18:629::2" ];
port = 5353;
forwarders = [];
extraOptions = "listen-on-v6 port 5354 { ::1; };";
cacheNetworks = [ "::1/128" ];
zones = {
"XN--WBTZ5WPQAJ35CFXC.XN--J6W193G" = {
name = "XN--WBTZ5WPQAJ35CFXC.XN--J6W193G";
master = true;
file = "/etc/nixos/m-labs.zone.signed";
};
};
};
};
};
};
@ -172,7 +186,7 @@ in
};
};
services.dnsmasq = {
services.dnsmasq = {
enable = true;
enable = true;
servers = ["::1#5353"];
servers = ["::1#5354"];
extraConfig = ''
extraConfig = ''
interface=${netifLan}
interface=${netifLan}
interface=${netifWifi}
interface=${netifWifi}
@ -553,8 +567,8 @@ in
};
};
};
};
# https://github.com/NixOS/nixpkgs/issues/106862
# https://github.com/NixOS/nixpkgs/issues/106862
systemd.services."acme-fixperms".wants = [ "unbound.service" "dnsmasq.service" ];
systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
systemd.services."acme-fixperms".after = [ "unbound.service" "dnsmasq.service" ];
systemd.services."acme-fixperms".after = [ "bind.service" "dnsmasq.service" ];
services.nginx = {
services.nginx = {
enable = true;
enable = true;
recommendedProxySettings = true;
recommendedProxySettings = true;
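Review bot: The signing recipe in the comment block above `services.bind` leaves dnssec-signzone at its default 30-day RRSIG validity and nothing in the commit re-signs the zone, so once the DS is published at the registrar the zone goes bogus (validating resolvers answer SERVFAIL) a month after the last manual run; either document a scheduled re-sign with an explicit `-e` window, or, if the nixpkgs BIND is 9.16 or newer, add `dnssec-policy default;` and `inline-signing yes;` through the zone's `extraConfig` so BIND maintains signatures itself (the zone then has to live somewhere writable by named, not `/etc/nixos`). The `dnssec-keygen` lines also drop `K*.private` files into the working directory; if that directory is `/etc/nixos` and it is a checkout of this repository, a comment such as `# keep K*.private out of git: root-only dir, e.g. /var/lib/bind/keys` next to the keygen lines would help avoid committing the zone's signing keys alongside the public `.key` files. Separately, dnsmasq now shares port 53 with BIND on the same host: unless the dnsmasq `extraConfig` (which continues past its hunk) already sets `bind-interfaces`, dnsmasq's default wildcard bind on port 53 and BIND's `listenOn` on 42.200.147.171:53 will conflict at start-up, which the old unbound-on-5353 layout never had to worry about. The `firewall` hunk opens TCP 53 on all non-trusted interfaces, which is fine for an authoritative server only as long as `cacheNetworks = [ "::1/128" ]` keeps recursion limited to localhost (that is what the NixOS option governs); a one-line comment stating that intent next to `cacheNetworks`, e.g. `# recursion only for dnsmasq on ::1 — do not widen, port 53 is world-reachable`, would keep a later edit from accidentally turning this host into an open resolver.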
@ -0,0 +1,66 @@
$ORIGIN XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
$TTL 86400
XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN SOA 42-200-147-171.static.imsbiz.com. sb.m-labs.hk. (
2022050801
10800
3600
604800
86400 )
NS 42-200-147-171.static.imsbiz.com.
NS m-labs.science.
A 42.200.147.171
AAAA 2001:470:18:629::2
$ORIGIN XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
$TTL 10800
lab A 42.200.147.171
lab AAAA 2001:470:18:629::2
www A 42.200.147.171
www AAAA 2001:470:18:629::2
nixbld A 42.200.147.171
nixbld AAAA 2001:470:18:629::2
call A 42.200.147.171
call AAAA 2001:470:18:629::2
conda A 42.200.147.171
conda AAAA 2001:470:18:629::2
git A 42.200.147.171
git AAAA 2001:470:18:629::2
chat A 42.200.147.171
chat AAAA 2001:470:18:629::2
hooks A 42.200.147.171
hooks AAAA 2001:470:18:629::2
forum A 42.200.147.171
forum AAAA 2001:470:18:629::2
perso A 42.200.147.171
perso AAAA 2001:470:18:629::2
rt A 42.200.147.171
rt AAAA 2001:470:18:629::2
rpi-1 AAAA 2001:470:f821:1:dea6:32ff:fe8a:6a93
rpi-2 AAAA 2001:470:f821:1:ba27:ebff:fef0:e9e6
rpi-3 AAAA 2001:470:f821:1:dea6:32ff:fe14:fd67
rpi-4 AAAA 2001:470:f821:1:dea6:32ff:fe14:fce9
rpi-ext AAAA 2001:470:f821:1:dea6:32ff:fe95:2fcf
juno AAAA 2001:470:f821:1:2fcb:b47b:1b5f:eac4
cnc AAAA 2001:470:f821:1:021e:c9ff:fe75:b6d3
zeus AAAA 2001:470:f821:1:9a72:a418:5466:0b9a
hera AAAA 2001:470:f821:1:8406:1390:2110:5825
chiron AAAA 2001:470:f821:1:addc:01ca:febc:a468
hestia AAAA 2001:470:f821:1:ef18:fbec:2162:2c4c
vulcan AAAA 2001:470:f821:1:a9aa:5da6:d8ee:84db
old-nixbld AAAA 2001:470:f821:1:021f:bcff:fe12:9170
franz AAAA 2001:470:f821:1:39a9:9221:da3d:f6e2
; This is a zone-signing key, keyid 18823, for XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
; Created: 20220626080122 (Sun Jun 26 16:01:22 2022)
; Publish: 20220626080122 (Sun Jun 26 16:01:22 2022)
; Activate: 20220626080122 (Sun Jun 26 16:01:22 2022)
XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN DNSKEY 256 3 14 ZFDSxnY5Pg92E7XuNDkOxFQUtdFtXmV339GjVxguEPbzbdEtGRghNzef qLHVNOCUIfYxI5efxegmINMWEEPpiJSf55bzM6EYeWw+colfTQIJ0E/p 2iF7vSKxogkZf/zP
; This is a key-signing key, keyid 29869, for XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
; Created: 20220626080139 (Sun Jun 26 16:01:39 2022)
; Publish: 20220626080139 (Sun Jun 26 16:01:39 2022)
; Activate: 20220626080139 (Sun Jun 26 16:01:39 2022)
XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN DNSKEY 257 3 14 f/dkVlLL8LNWnbVE1nvEls24e/2Jz62fca5ZlJWnRaKpzMNbXFSX6+HT rH10WL4rwLY8Aa8AsogMbj9D8OS6Xalv9NwQKvoSZ1TwXun3N2RoNoXp xC7NXtT9H6l7ZPFk
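Review bot: `NS m-labs.science.` names a second authoritative server, but the BIND zone in this commit is `master = true` with no `slaves`, so the module's allow-transfer list is empty and, unless m-labs.science already serves this zone through some other channel, half of the delegation is lame; once the DS is published that host also has to serve the identically signed zone, otherwise validation fails intermittently depending on which NS a resolver picks. The lab hosts listed after the public names (`rpi-*`, `juno`, `zeus`, `hera`, `chiron`, … on 2001:470:f821:1::/64) are being published in a world-readable zone; NSEC3 from the `-3` signing option hampers enumeration but does not hide names that can be guessed, so either record the decision with a comment such as `; internal lab hosts: intentionally public, also served by dnsmasq on the LAN` or keep them dnsmasq-only. The serial `2022050801` is only an input to `dnssec-signzone -N INCREMENT`, which adds one to whatever this file contains, so re-signing an unedited file produces the same serial every time and any future secondary would never transfer the refreshed signatures; a comment like `; bump this on every edit — signzone -N INCREMENT only adds 1 to the value here` (or `-N unixtime` in the recipe) would avoid that. The SOA MNAME `42-200-147-171.static.imsbiz.com.` is the ISP's reverse name rather than a name in the zone, which is legal but ties the primary's identity to the ISP's PTR naming.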