Improve ns stuff
This commit is contained in:
parent
e40c987cd0
commit
5b838771e3
@ -1,12 +1,14 @@
|
||||
keys:
|
||||
- &admin_torjus age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
|
||||
- &server_ns3 age1uwsyvlhsuucnhadeq675pakp33a2jsdckf378wmudp2yjzy69u5sk822cw
|
||||
- &server_ns4 age1tc8zdyrm6msghq35k9va4n7c3af2au84txf58ylxa0qyvnrcrdfspyy7mj
|
||||
creation_rules:
|
||||
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)
|
||||
key_groups:
|
||||
- age:
|
||||
- *admin_torjus
|
||||
- *server_ns3
|
||||
- *server_ns4
|
||||
- path_regex: secrets/ns3/[^/]+\.(yaml|json|env|ini)
|
||||
key_groups:
|
||||
- age:
|
||||
|
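Review bot: The new ns4 recipient appears to be added to the catch-all `secrets/[^/]+\.(yaml|json|env|ini)` group (inferred from the +2 line count, since the file name for this hunk is not shown), so every top-level secret, not only the one ns4 needs, becomes decryptable with the ns4 host key. A narrower rule modelled on the existing ns3 one, `- path_regex: secrets/ns4/[^/]+\.(yaml|json|env|ini)` with its own `key_groups`, would keep each host key scoped to its own secret files, leaving only the shared transfer key to need both server keys. The second `key_groups` list at the end of the hunk continues past its last line.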
@ -28,6 +28,15 @@
|
||||
sops-nix.nixosModules.sops
|
||||
];
|
||||
};
|
||||
ns4 = nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
specialArgs = { inherit inputs self sops-nix; };
|
||||
modules = [
|
||||
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
|
||||
./hosts/ns4
|
||||
sops-nix.nixosModules.sops
|
||||
];
|
||||
};
|
||||
template1 = nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
specialArgs = { inherit inputs self sops-nix; };
|
||||
|
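Review bot: The `ns4` block is a line-for-line copy of the `ns3` block above it apart from `./hosts/ns4`, and the `template1` entry that follows begins the same way, so a change such as adding a module to the list must now be repeated per host and is easy to miss on one of them. A small helper like the `mkHost` below, used as `ns3 = mkHost "ns3";` and `ns4 = mkHost "ns4";`, evaluates to the same systems (the name is only a suggestion). The enclosing attribute set starts and ends outside this hunk.
```nix
mkHost = host: nixpkgs.lib.nixosSystem {
  inherit system;
  specialArgs = { inherit inputs self sops-nix; };
  modules = [
    ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
    ./hosts/${host}
    sops-nix.nixosModules.sops
  ];
};
# … unchanged: the ns3 / ns4 / template1 entries, each reduced to `name = mkHost "name";` …
```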
@ -7,6 +7,7 @@
|
||||
|
||||
../../system
|
||||
../../services/ns/master-authorative.nix
|
||||
../../services/ns/resolver.nix
|
||||
];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
@ -18,7 +19,7 @@
|
||||
networking.domain = "home.2rjus.net";
|
||||
networking.useNetworkd = true;
|
||||
networking.useDHCP = false;
|
||||
services.resolved.enable = true;
|
||||
services.resolved.enable = false;
|
||||
networking.nameservers = [
|
||||
"10.69.13.5"
|
||||
"10.69.13.6"
|
||||
|
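Review bot: The flip to `services.resolved.enable = false;` in the second hunk carries no explanation, and the reason is only visible in the newly imported `services/ns/resolver.nix` (unbound on `interface = "0.0.0.0"`, port 53). A comment on that line such as `# resolved is off: unbound from services/ns/resolver.nix owns port 53 on this host` would save the next reader the lookup. Note also that `networking.nameservers` still points at 10.69.13.5 and 10.69.13.6 rather than the unbound this host now runs, which may be intended but deserves a word. Both hunks sit inside the module attribute set, which starts and ends outside them.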
@ -1,6 +1,5 @@
|
||||
{ ... }: {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./configuration.nix
|
||||
];
|
||||
}
|
||||
|
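--- /dev/null
+++ b/hosts/ns4/configuration.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+{
+imports =
+[
+../template/hardware-configuration.nix
+
+../../system
+../../services/ns/secondary-authorative.nix
+../../services/ns/resolver.nix
+];
+
+nixpkgs.config.allowUnfree = true;
+# Use the systemd-boot EFI boot loader.
+boot.loader.grub.enable = true;
+boot.loader.grub.device = "/dev/sda";
+
+networking.hostName = "ns4";
+networking.domain = "home.2rjus.net";
+networking.useNetworkd = true;
+networking.useDHCP = false;
+services.resolved.enable = false;
+networking.nameservers = [
+"10.69.13.5"
+"10.69.13.6"
+];
+
+systemd.network.enable = true;
+systemd.network.networks."ens18" = {
+matchConfig.Name = "ens18";
+address = [
+"10.69.13.8/24"
+];
+routes = [
+{ routeConfig.Gateway = "10.69.13.1"; }
+];
+linkConfig.RequiredForOnline = "routable";
+};
+time.timeZone = "Europe/Oslo";
+
+nix.settings.experimental-features = [ "nix-command" "flakes" ];
+environment.systemPackages = with pkgs; [
+vim
+wget
+git
+];
+
+# Open ports in the firewall.
+# networking.firewall.allowedTCPPorts = [ ... ];
+# networking.firewall.allowedUDPPorts = [ ... ];
+# Or disable the firewall altogether.
+networking.firewall.enable = false;
+
+system.stateVersion = "23.11"; # Did you read the comment?
+}
+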
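Review bot: `networking.firewall.enable = false;` near the end of the file switches the host firewall off entirely, which turns the `allowedTCPPorts`/`allowedUDPPorts` entries in the imported `services/ns/resolver.nix` and `services/ns/secondary-authorative.nix` into no-ops and exposes every listening service on ns4, not just DNS on 53 and 8053. Those two modules already open the ports the name server needs, so `networking.firewall.enable = true;` (or simply dropping the line, as the firewall is on by default) is enough. Separately, the comment `# Use the systemd-boot EFI boot loader.` no longer matches the GRUB lines beneath it; `# Boot with GRUB installed to /dev/sda.` would describe what is configured.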
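--- /dev/null
+++ b/hosts/ns4/default.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+imports = [
+./configuration.nix
+];
+}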
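Review bot: This file imports only `./configuration.nix`, and that file in turn imports `../template/hardware-configuration.nix`, so the `hosts/ns4/hardware-configuration.nix` added in the same commit (with ns4's own filesystem UUIDs and swap device) appears never to be evaluated. If the ns4 file is the one generated on the machine, `./hardware-configuration.nix` should be listed here; if the template is the intended one, the unused file should go, so the two cannot drift apart. Which of the two is correct cannot be determined from the page.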
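--- /dev/null
+++ b/hosts/ns4/hardware-configuration.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[
+(modulesPath + "/profiles/qemu-guest.nix")
+];
+
+boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+boot.initrd.kernelModules = [ ];
+# boot.kernelModules = [ ];
+# boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{
+device = "/dev/disk/by-uuid/6889aba9-61ed-4687-ab10-e5cf4017ac8d";
+fsType = "xfs";
+};
+
+fileSystems."/boot" =
+{
+device = "/dev/disk/by-uuid/BC07-3B7A";
+fsType = "vfat";
+};
+
+swapDevices =
+[{ device = "/dev/disk/by-uuid/64e5757b-6625-4dd2-aa2a-66ca93444d23"; }];
+
+# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+# (the default) this is the recommended approach. When using systemd-networkd it's
+# still possible to use this option, but it's recommended to use it in conjunction
+# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}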
@ -1,4 +1,5 @@
|
||||
root_password_hash: ENC[AES256_GCM,data:wk/xEuf+qU3ezmondq9y3OIotXPI/L+TOErTjgJz58wEvQkApYkjc3bHaUTzOrmWjQBgDUENObzPmvQ8WKawUSJRVlpfOEr5TQ==,iv:I8Z3xJz3qoXBD7igx087A1fMwf8d29hQ4JEI3imRXdY=,tag:M80osQeWGG9AAA8BrMfhHA==,type:str]
|
||||
ns_xfer_key: ENC[AES256_GCM,data:VFpK7GChgFeUgQm31tTvVC888bN0yt6BAnHQa6KUTg4iZGP1WL5Bx6Zp8dY=,iv:9RF1eEc7JBxBebDOKfcDjGS2U7XsHkOW/l52yIP+1LA=,tag:L6DR2QlHOfo02kzfWWCrvg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
@ -8,23 +9,32 @@ sops:
|
||||
- recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjV0NVK0gxOWo4SktsODZq
|
||||
ZzFSMlhyUHlrOVVZdENBWHR6SVBmRGt2U1hJCjd2dGo4R0t4dTdYL3ZVVnRSWHcz
|
||||
V01EM2NqaGdZQzNIZkpHOFB5bEZSMmMKLS0tIGs3Z1kwbjVkcW1vYkxPYlI1Vmw5
|
||||
WklXUTZ1VVRTRG1SeFNDclpMWWtYSTAKV/Z6aiXi630U6FOzaiEZ2QDAUD+xL8ss
|
||||
o8syuZqRA6c9yIs9hgzO8PeeJJ4/FuAp6ZCqv/U0goU3cd1WAyvjSw==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBabWxBVlVRaXMyWkM1bVBx
|
||||
RGZCSmxweEpHNk5rUGlYVk1zaFdSS1hOVmpzCnNLbUhNU3JhdEpITnRGV2JCUE1X
|
||||
dmt0SEhKbm1QYzAzUGU0c1JJTmZKbXcKLS0tIFZ4RktSNzhDY213M2Qyd2lYK2xq
|
||||
d3BTZHFjUVpHZGdKaS9NTHNDK1BYSUkKizI6eoZu0fuUQSYtq+nDIwXU6vdpgGR3
|
||||
qYXF3ktzONvuVL6LL6fLnIUeAuHJPEM2AXCw8z8PraznlxCbhv9VYw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1uwsyvlhsuucnhadeq675pakp33a2jsdckf378wmudp2yjzy69u5sk822cw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUStBemVxNEhYQnUzK0dM
|
||||
enJIbCtjcmowbDRQTkE4Z2UyUkd0RXVkdm44CjNrYzM1YjhpTVpVQWlKUUk5ZFdm
|
||||
dkNNT3prRTlIR2RsVmpEMlh0U1E4Z1UKLS0tIDdpcU9CRGdrbEM5MGZuYkh1TFIr
|
||||
R0QzMkQwcWhOUXRmcXUrK0FkbDJ4S3cK8hbGg8uyRSpW1TcyAnP9yesh1tTyIVph
|
||||
wiZJeM1/kDBmVhN0RMsXDsleC2GAYTRUxoAHUBjQSjsi81zy/zZnAw==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSempjdm9MOXQyWVlEYU5q
|
||||
WGZGaG5kWk1jZzRpdDZqMXBlUXAyWUNxeVhnCmo4TGIvN3UwY0lpWFpCNktjQW9a
|
||||
UlQ0NHBKZkdqUGlZbDdHbkhUeWVoblkKLS0tIDhWUXkvZnR5SXBTTDRXcnVlcHRy
|
||||
Tmp0RGtkNUZwR0NxS0d1c0ttWmY2a0kKKDDQTKhKv5zJy9gNbtdCWJuV3slQWNSr
|
||||
T7plMHETUOkUIomRqFntN3u8Yn3dtV5BxhJcsA16jJJBDWAJwb35BQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-03-07T21:44:19Z"
|
||||
mac: ENC[AES256_GCM,data:iyDz5zhOf4sQ2js+azNz3hP8W8YcIVRA4xglcRkvPSEmj2EzLm3Zv8XLHXFNIIYDBo2oQasYXaQSOW6rdHt0qwRv7mwTGHKreimTUi0eUAzXLhE8Pfwxk7V3XyuevGWgQc4UnAmmy0FOKaP+Rb74LoVUrXBT/2/Jq2U1pA+IZCA=,iv:LrhI0KWR3YovkjWBltPTA1JFFO2CJMLfdilAWC9V0Wo=,tag:xafFJVGY1zFYnCnr4M0Xvw==,type:str]
|
||||
- recipient: age1tc8zdyrm6msghq35k9va4n7c3af2au84txf58ylxa0qyvnrcrdfspyy7mj
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBES09qM3p1TzhZdG1jNHY5
|
||||
Z1hYRWQ3d3dTNGxoM2xRZTRpSEZqU1pMb1JBCkkxVHhoREluVWFteFM1eEI4ZG91
|
||||
Z016TGRwM2hadzVqSzFaaEFQRTMvK1UKLS0tIC90bXYwa0NkRmZ5TVBYcWEwelRN
|
||||
T3BlN0NpK2JqK2wzVFAxZFVoYi9zSnMKaK0XaN4eQ22ucQPXXnQzBT1c/9dViLHe
|
||||
nFVDm4gsUJFdb3DifhaEQXW0o9XanGiPQEaOGO6WbAQL8Pf09SLsSA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-03-11T19:25:54Z"
|
||||
mac: ENC[AES256_GCM,data:GbbdzjkjicbNPoiKXpeAXzkrmQlgLUg90B0ynYfbB9JX0m4W7hfogVJ4Fcx5t+iUeG2LPkCxq7vYnD1+uFJkND1xF0rc9dGi43SBtz74giQTJck8/mK/iWyDdgDlWxtO78ghHMS5OxyapOvk+K2+Ga9zJ1f3S64lc2xqhyVSFfk=,iv:jRDgu1lSuFRv8VeVbiyx+DfywaLlZJ0Xla++M277SBg=,tag:aV757MJJUNg77//tON7h1A==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
@ -1,11 +1,31 @@
|
||||
{ ... }: {
|
||||
{ ... }:
|
||||
{
|
||||
sops.secrets.ns_xfer_key = {
|
||||
path = "/etc/nsd/xfer.key";
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 8053 ];
|
||||
networking.firewall.allowedUDPPorts = [ 8053 ];
|
||||
|
||||
services.nsd = {
|
||||
enable = true;
|
||||
port = 8053;
|
||||
ipv6 = false;
|
||||
verbosity = 2;
|
||||
identity = "test.2rjus.net server";
|
||||
interfaces = [ "0.0.0.0" ];
|
||||
|
||||
keys = {
|
||||
"xferkey" = {
|
||||
algorithm = "hmac-sha256";
|
||||
keyFile = "/etc/nsd/xfer.key";
|
||||
};
|
||||
};
|
||||
|
||||
zones = {
|
||||
"test.2rjus.net." = {
|
||||
provideXFR = [ "10.69.0.0/16 NOKEY" ];
|
||||
"test.2rjus.net" = {
|
||||
provideXFR = [ "10.69.13.8 xferkey" ];
|
||||
notify = [ "10.69.13.8@8053 xferkey" ];
|
||||
data = builtins.readFile ./zones-test-2rjus-net.conf;
|
||||
};
|
||||
};
|
||||
|
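Review bot: `sops.secrets.ns_xfer_key` sets only `path`, so the decrypted TSIG secret at `/etc/nsd/xfer.key` keeps sops-nix's default owner and mode (root-only); whether that works depends on the nsd module copying `keyFile` as root before the daemon drops privileges, and if it does not, `owner`/`mode` need setting on the secret. The same block appears unchanged in `services/ns/secondary-authorative.nix`, so whichever way it is resolved applies there too. `interfaces = [ "0.0.0.0" ]` also binds the master on every address although only the local unbound stub (`127.0.0.1@8053`) and the secondary at 10.69.13.8 need to reach it, so listing the loopback and LAN addresses explicitly would be tighter. The `services.nsd` set and the module's closing brace continue past the end of the hunk.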
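--- /dev/null
+++ b/services/ns/resolver.nix
@@ -0,0 +1,38 @@
+{ pkgs, ... }: {
+networking.firewall.allowedTCPPorts = [
+53
+];
+networking.firewall.allowedUDPPorts = [
+53
+];
+services.unbound = {
+enable = true;
+
+settings = {
+server = {
+access-control = [
+"127.0.0.0/8 allow"
+"0.0.0.0/0 allow"
+];
+local-zone = "test.2rjus.net nodefault";
+domain-insecure = "test.2rjus.net";
+interface = "0.0.0.0";
+do-not-query-localhost = "no";
+port = "53";
+do-ip4 = "yes";
+do-ip6 = "no";
+do-udp = "yes";
+do-tcp = "yes";
+};
+stub-zone = {
+name = "test.2rjus.net";
+stub-addr = "127.0.0.1@8053";
+};
+forward-zone = {
+name = ".";
+forward-tls-upstream = "yes";
+forward-addr = "1.1.1.1@853#cloudflare-dns.com";
+};
+};
+};
+}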
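Review bot: `access-control` allows `0.0.0.0/0` and the server binds `interface = "0.0.0.0"`, so unbound performs recursion for any source address that can reach port 53; together with `hosts/ns4/configuration.nix` disabling the firewall, that is an open resolver wherever the host is reachable beyond the LAN. Limiting the list to the local ranges, `"127.0.0.0/8 allow"` and `"10.69.0.0/16 allow"` (the prefix the old master config used), keeps recursion available to the LAN only while the stub zone and forwarder work as before. For the DoT forwarder, the `#cloudflare-dns.com` auth name is only verified when a `tls-cert-bundle` is configured; the NixOS module may set one by default, but that is worth confirming, because without it `forward-tls-upstream = "yes"` encrypts the upstream link but does not authenticate it.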
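--- /dev/null
+++ b/services/ns/secondary-authorative.nix
@@ -0,0 +1,31 @@
+{ ... }:
+{
+sops.secrets.ns_xfer_key = {
+path = "/etc/nsd/xfer.key";
+};
+networking.firewall.allowedTCPPorts = [ 8053 ];
+networking.firewall.allowedUDPPorts = [ 8053 ];
+services.nsd = {
+enable = true;
+port = 8053;
+ipv6 = false;
+verbosity = 2;
+identity = "test.2rjus.net server";
+interfaces = [ "0.0.0.0" ];
+
+keys = {
+"xferkey" = {
+algorithm = "hmac-sha256";
+keyFile = "/etc/nsd/xfer.key";
+};
+};
+
+zones = {
+"test.2rjus.net" = {
+allowNotify = [ "10.69.13.7 xferkey" ];
+requestXFR = [ "AXFR 10.69.13.7@8053 xferkey" ];
+data = builtins.readFile ./zones-test-2rjus-net.conf;
+};
+};
+};
+}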
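Review bot: The secondary zone keeps `data = builtins.readFile ./zones-test-2rjus-net.conf;` next to `requestXFR`, so it is seeded from the same static zone file and the same SOA serial (2024) as the master. While the two serials are equal the secondary has no reason to transfer, and every later edit to the zone on the master must also reach the secondary's copy, which is what the transfer was meant to avoid. If the nsd module permits it, drop `data` here so the zone arrives only via AXFR from 10.69.13.7; otherwise a comment should state that the file is a seed that the first transfer replaces.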
@ -1,7 +1,7 @@
|
||||
$ORIGIN test.2rjus.net.
|
||||
$TTL 1800
|
||||
@ IN SOA ns1.test.2rjus.net. admin.test.2rjus.net. (
|
||||
2023 ; serial number
|
||||
2024 ; serial number
|
||||
3600 ; refresh
|
||||
900 ; retry
|
||||
1209600 ; expire
|
||||
@ -36,4 +36,4 @@ media IN A 10.69.31.50
|
||||
|
||||
; 99_MGMT
|
||||
sw1 IN A 10.69.99.2
|
||||
|
||||
testing IN A 10.69.33.33
|
||||
|
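Review bot: The SOA serial is bumped by hand from 2023 to 2024 in the same commit that makes this zone transfer to a secondary, so from now on every edit has to raise the serial or the secondary keeps serving the old data, and a bare year leaves no room for a second change in the year. The conventional `YYYYMMDDnn` form, e.g. `2024031101 ; serial number` (a constructed example), gives a value that can be incremented per edit and still stays monotonic. A reminder next to it, `; bump on every change: the secondary only transfers when this increases`, would make the rule visible to whoever edits the file next. The rest of the zone's records lie outside the two hunks.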