Improve ns stuff

2024-03-11 18:23:01 +01:00
parent e40c987cd0
commit 5b838771e3
12 changed files with 226 additions and 19 deletions
--- a/services/ns/master-authorative.nix
+++ b/services/ns/master-authorative.nix
@@ -1,11 +1,31 @@
-{ ... }: {
+{ ... }:
+{
+  sops.secrets.ns_xfer_key = {
+    path = "/etc/nsd/xfer.key";
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8053 ];
+  networking.firewall.allowedUDPPorts = [ 8053 ];
+
  services.nsd = {
    enable = true;
    port = 8053;
+    ipv6 = false;
+    verbosity = 2;
+    identity = "test.2rjus.net server";
+    interfaces = [ "0.0.0.0" ];
+
+    keys = {
+      "xferkey" = {
+        algorithm = "hmac-sha256";
+        keyFile = "/etc/nsd/xfer.key";
+      };
+    };

    zones = {
-      "test.2rjus.net." = {
-        provideXFR = [ "10.69.0.0/16 NOKEY" ];
+      "test.2rjus.net" = {
+        provideXFR = [ "10.69.13.8 xferkey" ];
+        notify = [ "10.69.13.8@8053 xferkey" ];
        data = builtins.readFile ./zones-test-2rjus-net.conf;
      };
    };
--- a/services/ns/resolver.nix
+++ b/services/ns/resolver.nix
@@ -0,0 +1,38 @@
+{ pkgs, ... }: {
+  networking.firewall.allowedTCPPorts = [
+    53
+  ];
+  networking.firewall.allowedUDPPorts = [
+    53
+  ];
+  services.unbound = {
+    enable = true;
+
+    settings = {
+      server = {
+        access-control = [
+          "127.0.0.0/8 allow"
+          "0.0.0.0/0 allow"
+        ];
+        local-zone = "test.2rjus.net nodefault";
+        domain-insecure = "test.2rjus.net";
+        interface = "0.0.0.0";
+        do-not-query-localhost = "no";
+        port = "53";
+        do-ip4 = "yes";
+        do-ip6 = "no";
+        do-udp = "yes";
+        do-tcp = "yes";
+      };
+      stub-zone = {
+        name = "test.2rjus.net";
+        stub-addr = "127.0.0.1@8053";
+      };
+      forward-zone = {
+        name = ".";
+        forward-tls-upstream = "yes";
+        forward-addr = "1.1.1.1@853#cloudflare-dns.com";
+      };
+    };
+  };
+}
--- a/services/ns/secondary-authorative.nix
+++ b/services/ns/secondary-authorative.nix
@@ -0,0 +1,31 @@
+{ ... }:
+{
+  sops.secrets.ns_xfer_key = {
+    path = "/etc/nsd/xfer.key";
+  };
+  networking.firewall.allowedTCPPorts = [ 8053 ];
+  networking.firewall.allowedUDPPorts = [ 8053 ];
+  services.nsd = {
+    enable = true;
+    port = 8053;
+    ipv6 = false;
+    verbosity = 2;
+    identity = "test.2rjus.net server";
+    interfaces = [ "0.0.0.0" ];
+
+    keys = {
+      "xferkey" = {
+        algorithm = "hmac-sha256";
+        keyFile = "/etc/nsd/xfer.key";
+      };
+    };
+
+    zones = {
+      "test.2rjus.net" = {
+        allowNotify = [ "10.69.13.7 xferkey" ];
+        requestXFR = [ "AXFR 10.69.13.7@8053 xferkey" ];
+        data = builtins.readFile ./zones-test-2rjus-net.conf;
+      };
+    };
+  };
+}
--- a/services/ns/zones-test-2rjus-net.conf
+++ b/services/ns/zones-test-2rjus-net.conf
@@ -1,7 +1,7 @@
 $ORIGIN test.2rjus.net.
 $TTL 1800
@       IN      SOA     ns1.test.2rjus.net.      admin.test.2rjus.net. (
-                        2023                    ; serial number
+                        2024                    ; serial number
                        3600                    ; refresh
                        900                     ; retry
                        1209600                 ; expire
@@ -36,4 +36,4 @@ media               IN      A       10.69.31.50

 ; 99_MGMT
 sw1                 IN      A       10.69.99.2
-
+testing             IN      A       10.69.33.33