nixbld: DNS server (WIP)
parent
70ad63ca56
commit
3909d7428d
@ -64,7 +64,7 @@ in
|
||||
hostName = "nixbld";
|
||||
hostId = "e423f012";
|
||||
firewall = {
|
||||
allowedTCPPorts = [ 80 443 7402 ];
|
||||
allowedTCPPorts = [ 53 80 443 7402 ];
|
||||
allowedUDPPorts = [ 53 67 ];
|
||||
trustedInterfaces = [ netifLan ];
|
||||
};
|
||||
@ -145,11 +145,25 @@ in
|
||||
boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
|
||||
boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
|
||||
|
||||
services.unbound = {
|
||||
# https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
|
||||
# dnssec-keygen -a ECDSAP384SHA384 -n ZONE m-labs.hk
|
||||
# dnssec-keygen -f KSK -a ECDSAP384SHA384 -n ZONE m-labs.hk
|
||||
# cat *.key >> m-labs.zone
|
||||
# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o m-labs.hk -t /etc/nixos/m-labs.zone
|
||||
# cat dsset* --> update DS at registrar
|
||||
# check results at https://dnsviz.net/
|
||||
services.bind = {
|
||||
enable = true;
|
||||
settings = {
|
||||
server = {
|
||||
port = 5353;
|
||||
listenOn = [ "42.200.147.171" ];
|
||||
listenOnIpv6 = [ "2001:470:18:629::2" ];
|
||||
forwarders = [];
|
||||
extraOptions = "listen-on-v6 port 5354 { ::1; };";
|
||||
cacheNetworks = [ "::1/128" ];
|
||||
zones = {
|
||||
"XN--WBTZ5WPQAJ35CFXC.XN--J6W193G" = {
|
||||
name = "XN--WBTZ5WPQAJ35CFXC.XN--J6W193G";
|
||||
master = true;
|
||||
file = "/etc/nixos/m-labs.zone.signed";
|
||||
};
|
||||
};
|
||||
};
|
||||
@ -172,7 +186,7 @@ in
|
||||
};
|
||||
services.dnsmasq = {
|
||||
enable = true;
|
||||
servers = ["::1#5353"];
|
||||
servers = ["::1#5354"];
|
||||
extraConfig = ''
|
||||
interface=${netifLan}
|
||||
interface=${netifWifi}
|
||||
@ -553,8 +567,8 @@ in
|
||||
};
|
||||
};
|
||||
# https://github.com/NixOS/nixpkgs/issues/106862
|
||||
systemd.services."acme-fixperms".wants = [ "unbound.service" "dnsmasq.service" ];
|
||||
systemd.services."acme-fixperms".after = [ "unbound.service" "dnsmasq.service" ];
|
||||
systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
|
||||
systemd.services."acme-fixperms".after = [ "bind.service" "dnsmasq.service" ];
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedProxySettings = true;
|
||||
|
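Review bot: The DNSSEC recipe in the comment block signs the zone once by hand with `dnssec-signzone`, but the RRSIGs it produces carry a fixed expiry (30 days from signing by default) and nothing in the hunk re-signs the zone, so once the DS is published at the registrar and the signatures lapse every validating resolver will SERVFAIL the whole zone; either let BIND maintain it (`dnssec-policy default; inline-signing yes;` in the zone's `extraConfig`, which also handles key rollover) or add a systemd timer that re-signs well inside the validity window. The same recipe leaves the `K*.private` files next to the zone under `/etc/nixos`; make sure they are excluded from the repo and not world-readable. Separately, `listenOn`/`listenOnIpv6` put the authoritative listener on port 5353 on the public addresses while the firewall hunk opens 53, so the delegation in the public NS records cannot be answered on 53 as written; if bind is meant to serve 53 publicly, keep `cacheNetworks = [ "::1/128" ]` so that listener does not become an open recursive resolver, and give dnsmasq `bind-interfaces` so it only claims the LAN/Wifi sockets. The `settings = { server = { … } }` nesting around these options reads like the removed unbound layout and, with the +/- column lost, it is hard to tell which side it sits on, but `services.bind` defines no `settings` option, so if it is on the new side the configuration will not evaluate. The enclosing `{ … }` configuration set starts and ends outside the hunk.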
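--- /dev/null
+++ b/nixbld-etc-nixos/m-labs.zone
@@ -0,0 +1,66 @@
+$ORIGIN XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
+$TTL 86400
+XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN SOA 42-200-147-171.static.imsbiz.com. sb.m-labs.hk. (
+2022050801
+10800
+3600
+604800
+86400 )
+
+
+NS 42-200-147-171.static.imsbiz.com.
+NS m-labs.science.
+
+A 42.200.147.171
+AAAA 2001:470:18:629::2
+
+$ORIGIN XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
+$TTL 10800
+lab A 42.200.147.171
+lab AAAA 2001:470:18:629::2
+www A 42.200.147.171
+www AAAA 2001:470:18:629::2
+nixbld A 42.200.147.171
+nixbld AAAA 2001:470:18:629::2
+call A 42.200.147.171
+call AAAA 2001:470:18:629::2
+conda A 42.200.147.171
+conda AAAA 2001:470:18:629::2
+git A 42.200.147.171
+git AAAA 2001:470:18:629::2
+chat A 42.200.147.171
+chat AAAA 2001:470:18:629::2
+hooks A 42.200.147.171
+hooks AAAA 2001:470:18:629::2
+forum A 42.200.147.171
+forum AAAA 2001:470:18:629::2
+perso A 42.200.147.171
+perso AAAA 2001:470:18:629::2
+rt A 42.200.147.171
+rt AAAA 2001:470:18:629::2
+
+rpi-1 AAAA 2001:470:f821:1:dea6:32ff:fe8a:6a93
+rpi-2 AAAA 2001:470:f821:1:ba27:ebff:fef0:e9e6
+rpi-3 AAAA 2001:470:f821:1:dea6:32ff:fe14:fd67
+rpi-4 AAAA 2001:470:f821:1:dea6:32ff:fe14:fce9
+rpi-ext AAAA 2001:470:f821:1:dea6:32ff:fe95:2fcf
+juno AAAA 2001:470:f821:1:2fcb:b47b:1b5f:eac4
+cnc AAAA 2001:470:f821:1:021e:c9ff:fe75:b6d3
+zeus AAAA 2001:470:f821:1:9a72:a418:5466:0b9a
+hera AAAA 2001:470:f821:1:8406:1390:2110:5825
+chiron AAAA 2001:470:f821:1:addc:01ca:febc:a468
+hestia AAAA 2001:470:f821:1:ef18:fbec:2162:2c4c
+vulcan AAAA 2001:470:f821:1:a9aa:5da6:d8ee:84db
+old-nixbld AAAA 2001:470:f821:1:021f:bcff:fe12:9170
+franz AAAA 2001:470:f821:1:39a9:9221:da3d:f6e2
+
+; This is a zone-signing key, keyid 18823, for XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
+; Created: 20220626080122 (Sun Jun 26 16:01:22 2022)
+; Publish: 20220626080122 (Sun Jun 26 16:01:22 2022)
+; Activate: 20220626080122 (Sun Jun 26 16:01:22 2022)
+XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN DNSKEY 256 3 14 ZFDSxnY5Pg92E7XuNDkOxFQUtdFtXmV339GjVxguEPbzbdEtGRghNzef qLHVNOCUIfYxI5efxegmINMWEEPpiJSf55bzM6EYeWw+colfTQIJ0E/p 2iF7vSKxogkZf/zP
+; This is a key-signing key, keyid 29869, for XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
+; Created: 20220626080139 (Sun Jun 26 16:01:39 2022)
+; Publish: 20220626080139 (Sun Jun 26 16:01:39 2022)
+; Activate: 20220626080139 (Sun Jun 26 16:01:39 2022)
+XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. IN DNSKEY 257 3 14 f/dkVlLL8LNWnbVE1nvEls24e/2Jz62fca5ZlJWnRaKpzMNbXFSX6+HT rH10WL4rwLY8Aa8AsogMbj9D8OS6Xalv9NwQKvoSZ1TwXun3N2RoNoXp xC7NXtT9H6l7ZPFk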
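Review bot: The `rpi-*`, `juno`, `zeus`, `cnc`, `old-nixbld` and similar AAAA records publish what look like LAN hosts on the 2001:470:f821:1::/64 prefix in a public, DNSSEC-signed zone, which hands an outsider a ready-made inventory of internal machines and their roles; unless those hosts are meant to be reachable from the Internet, serve those names from dnsmasq on the LAN/Wifi side only (`address=/juno.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G/2001:470:f821:1:2fcb:b47b:1b5f:eac4`, or a hosts file) and keep this zone to the public services at 42.200.147.171. The SOA MNAME and the first NS point at `42-200-147-171.static.imsbiz.com.`, an ISP reverse-DNS name outside your control; a name inside the zone such as `nixbld.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.` (already defined below, with glue registered at the registrar) would keep the delegation self-contained. As rendered here the apex `NS`, `A` and `AAAA` lines start in column 0, where BIND would read `NS`/`A`/`AAAA` as owner names rather than inheriting the apex; presumably the page dropped a leading tab, but running `named-checkzone` on the signed file before enabling it is cheap insurance. The DNSKEY records appended at the bottom are public and fine to commit, but the matching `K*.private` files must not follow them into the repo.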