From 584460b1c7d179d13d76d8642524c024c8256b68 Mon Sep 17 00:00:00 2001
From: hexchen
Date: Sun, 21 Feb 2021 11:45:45 +0000
Subject: [PATCH] services/dns: init
---
 hosts/hainich/configuration.nix | 6 +
 hosts/hainich/services/codimd.nix | 1 +
 hosts/hainich/services/docker.nix | 2 +
 hosts/hainich/services/mail.nix | 204 ++++++++++++++++--------------
 hosts/hainich/services/murmur.nix | 1 +
 modules/default.nix | 1 +
 pkgs/default.nix | 7 +
 services/dns/default.nix | 69 ++++++++++
 8 files changed, 199 insertions(+), 92 deletions(-)
 create mode 100644 services/dns/default.nix
diff --git a/hosts/hainich/configuration.nix b/hosts/hainich/configuration.nix
index 952e741..bfef7e4 100644
--- a/hosts/hainich/configuration.nix
+++ b/hosts/hainich/configuration.nix
@@ -19,6 +19,7 @@
 ./services/hasenloch.nix
 ./services/syncthing.nix
 ./services/monitoring.nix
+ ../../services/dns
 ];
 boot.loader.grub.enable = true;
 boot.loader.grub.version = 2;
@@ -54,6 +55,11 @@
 interface = "enp6s0";
 };
+ hexchen.dns.zones."hacc.space".subdomains.hainich = {
+ A = [ (lib.head config.networking.interfaces.enp6s0.ipv4.addresses).address ];
+ AAAA = [ (lib.head config.networking.interfaces.enp6s0.ipv6.addresses).address ];
+ };
+
 hacc.nftables.nat.enable = true;
 networking.nat.internalInterfaces = ["ve-+"];
 networking.nat.internalIPs = [ "192.168.100.0/24" "172.17.0.0/16" ];
diff --git a/hosts/hainich/services/codimd.nix b/hosts/hainich/services/codimd.nix
index b4ea6ba..90d7291 100644
--- a/hosts/hainich/services/codimd.nix
+++ b/hosts/hainich/services/codimd.nix
@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 {
+ hexchen.dns.zones."hacc.space".subdomains."pad".CNAME = [ "hainich.hacc.space" ];
 containers.codimd = {
 privateNetwork = true;
 hostAddress = "192.168.100.1";
diff --git a/hosts/hainich/services/docker.nix b/hosts/hainich/services/docker.nix
index bd58791..4d91e7b 100644
--- a/hosts/hainich/services/docker.nix
+++ b/hosts/hainich/services/docker.nix
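Review bot: In the second configuration.nix hunk, `lib.head` on `config.networking.interfaces.enp6s0.ipv4.addresses` (and on the ipv6 list) aborts evaluation with a bare list-index error the moment the interface has no statically configured address, and it silently publishes only the first address when there are several. Mapping over the list covers both cases and is identical for the current single-address setup: `A = map (addr: addr.address) config.networking.interfaces.enp6s0.ipv4.addresses;` and the same shape for `AAAA`. Whether the hexchen.dns module tolerates an empty record list is not visible in this diff.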
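Review bot: The CNAME target in the codimd.nix hunk is written as `"hainich.hacc.space"` without a trailing dot, as it is in murmur.nix and in mail.nix's `subdomains."mail"`, while docker.nix writes `"hainich.hacc.space."` and the new services/dns/default.nix wraps every target in `cname "…."` with the dot. If the module emits these strings into the zone file unchanged, the dotless form is relative to the zone origin and would come out as hainich.hacc.space.hacc.space; if it qualifies names itself, the docker.nix form may end up double-dotted. The four call sites should agree; I'd use the fully qualified `[ "hainich.hacc.space." ]` everywhere unless the module is known to append the dot.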
@@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:
 {
+ hexchen.dns.zones."4future.dev".subdomains.waszumfff.CNAME = [ "hainich.hacc.space." ];
+
 virtualisation.oci-containers.containers."ghost-waszumfff" = {
 autoStart = true;
 environment = {
diff --git a/hosts/hainich/services/mail.nix b/hosts/hainich/services/mail.nix
index b6ea1a4..fbb0cdb 100644
--- a/hosts/hainich/services/mail.nix
+++ b/hosts/hainich/services/mail.nix
@@ -1,12 +1,32 @@
 { config, pkgs, lib, ... }:
 let
- sources = import ../../../nix/sources.nix;
+ sources = import ../../../nix/sources.nix;
+
+ defaultDns = with pkgs.dns.combinators; {
+ MX = [ (mx.mx 10 "mail.hacc.space.") ];
+ TXT = [ (spf.strict [ "+mx" ]) ];
+ };
+
+ dkim = txt: { subdomains."mail._domainkey".TXT = [ txt ]; };
 in {
 imports = [
- sources.nixos-mailserver.outPath
+ sources.nixos-mailserver.outPath
 ];
+ hexchen.dns.zones = {
+ "hacc.space" = {
+ inherit (defaultDns) MX TXT;
+ subdomains."mail".CNAME = [ "hainich.hacc.space" ];
+ } // (dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1bIWqIW2WO5jLy2oZbvAqfCAkO6y64HiQ1lI50M36zn7xaJlRAaXo9FNdEYW09TY2dUC2dNVT7AG6EypfjHN9WNwAYoZVQOBLigZW2h47gy3LV8/GoaJLhAMfJEyTdgQUJf+ScnLKD30CLpezcVChYWljRBE1NSAHyymS9Ty/1wIDAQAB");
+ "infra4future.de" = {
+ inherit (defaultDns) MX TXT;
+ subdomains.discuss = defaultDns;
+ } // (dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1KO8EiAcR57TbiVW/T57GVllZp1Kk7wlqXyRAPLqf4huk3S+KBlUtkv/6JW14jiaEnvZSWnh2B0HCdX11EdrCt9sprvbirYssUZdn2j7f4MN0fhQAxRqEFcN+zzVl90T6gqhH8Apu2LlYtFos2YisKNZcgUiuYT/Ba9bCwjnMbwIDAQAB");
+ "4future.dev" = defaultDns // dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWQM4k4kvqoEZDEAo+li7URJ+k4aFI4C7XTIqwBT7UAXL2wHPWUmHftudK7VfemdmHdSwVdiFqAs3fMZFXTgbctc5+zG0hB03yOpm42pcf+kkYb4lvXlRoloEorN+XP9PmyNdW14p6ikQGCV//v/nliiraOSrqPaCciB0C6bD7bwIDAQAB";
+ # "4futu.re" = defaultDns // dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIORy3U05TE0yU/778OaXZ4JDQ5ztK8Set6mClIs8s4Wrtx53Fsq3ahmnglE7ypucsQ1N87Vfv+YjI/X/ndMAYcs8ZjuJRwUqFJnMADAPkPa4lwg3+AgNQYLQsjVpKTZAz83NWWQAZ9QwukgML8sU0cP33eJkiQJ27C/L7kQNlXQIDAQAB";
+ # "hacc.earth" = defaultDns // dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwFuOQLtDRJU+0Q63GWZocTHwh3bSVjCV4ebgVTBmLxR48RmFqoz1LnYyTBqOGZTq5lvzJuoFcvpBGyJ+jBYNeQKsMY32BHJ0ju2e4nqTPR7SL8x5fBIAj0z2C5DFUnr5S0g+yPbwziQyos9qeJMy7XdtnrLboh635qPSGTgEY/QIDAQAB";
+ };
 mailserver = {
 mailDirectory = "/data/mail";
 enable = true;
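Review bot: `subdomains.discuss = defaultDns;` puts MX and TXT records at discuss.infra4future.de, but services/dns/default.nix in this same commit gives that name `discuss.CNAME = [ (cname "libocedrus.infra4future.de.") ]`; a CNAME may not coexist with any other record at the same owner name (RFC 1034 §3.6.2), so the merged zone is malformed and the signer or resolvers will reject or ignore one side. Give discuss an A record instead (hacc.space already does this with `inherit (allZones."infra4future.de".subdomains.libocedrus) A;`) or drop the MX/TXT there. Separately, `4futu.re` and `hacc.earth` are left commented out here while both still appear in `mailserver.domains` in the next hunk, so mail is accepted and presumably DKIM-signed for domains that publish no SPF or DKIM record from this configuration; receivers will fail DKIM on those signatures and nothing restricts who may send as them, unless the records are published elsewhere. A one-line comment on the `dkim` helper, `# selector must match the mailserver DKIM selector`, would keep the hard-coded `mail._domainkey` from drifting.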
@@ -14,110 +34,110 @@ in {
 domains = [ "hacc.space" "hacc.earth" "4future.dev" "4futu.re" "infra4future.de" "discuss.infra4future.de" ];
 loginAccounts = {
- "hexchen@hacc.space" = {
- hashedPassword = "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/";
+ "hexchen@hacc.space" = {
+ hashedPassword = "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/";
- aliases = [
- "postmaster@hacc.space"
- "abuse@hacc.space"
- ];
- };
+ aliases = [
+ "postmaster@hacc.space"
+ "abuse@hacc.space"
+ ];
+ };
- "octycs@hacc.space" = {
- hashedPassword = "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg.";
+ "octycs@hacc.space" = {
+ hashedPassword = "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg.";
- aliases = [
- "markus@hacc.space"
- ];
- };
+ aliases = [
+ "markus@hacc.space"
+ ];
+ };
- "raphael@hacc.space" = {
- hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/";
- };
+ "raphael@hacc.space" = {
+ hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/";
+ };
- "engelsystem@hacc.space" = {
- hashedPassword = "$6$5cIAEhJ7af7M$eJBPQc3ONd.N3HKPFpxfG7liZbUXPvWuSpWVgeG7rmsG7f7.Zdxtodvt5VaXoA3AEiv3GqcY.gKHISK/Gg0ib/";
- };
+ "engelsystem@hacc.space" = {
+ hashedPassword = "$6$5cIAEhJ7af7M$eJBPQc3ONd.N3HKPFpxfG7liZbUXPvWuSpWVgeG7rmsG7f7.Zdxtodvt5VaXoA3AEiv3GqcY.gKHISK/Gg0ib/";
+ };
- "schweby@hacc.space" = {
- hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1";
- };
+ "schweby@hacc.space" = {
+ hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1";
+ };
- "zauberberg@hacc.space" = {
- hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
- aliases = [
- "lukas@hacc.space"
- ];
- };
+ "zauberberg@hacc.space" = {
+ hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
+ aliases = [
+ "lukas@hacc.space"
+ ];
+ };
- "talx@hacc.space" = {
- hashedPassword = "$6$0hIKRoMJS./JSE$tXizRgphhNM3ZYx216VdRv1OiyZoYXsjGqSudTDu8vB8eZb03Axi31VKV87RXiEGGixdvTsHEKpx032aOzzt31";
- };
+ "talx@hacc.space" = {
+ hashedPassword = "$6$0hIKRoMJS./JSE$tXizRgphhNM3ZYx216VdRv1OiyZoYXsjGqSudTDu8vB8eZb03Axi31VKV87RXiEGGixdvTsHEKpx032aOzzt31";
+ };
- "unms@hacc.space" = {
- hashedPassword = "$6$pYlNP37913$sGE3L722ceP.1Qm5lsffYUN919hPP1xRTrzco3ic3Op21iiknBkOY04eY2l3Um/Bpk/yV89aJD0eaB/5RCbWR1";
- };
+ "unms@hacc.space" = {
+ hashedPassword = "$6$pYlNP37913$sGE3L722ceP.1Qm5lsffYUN919hPP1xRTrzco3ic3Op21iiknBkOY04eY2l3Um/Bpk/yV89aJD0eaB/5RCbWR1";
+ };
- "noreply@hacc.space" = {
- hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
- };
- "stuebinm@hacc.space" = {
- hashedPassword = "$6$mjrMQG5smqLRlm$WzmbiZnGlEXGT7hj/n2qz0nvVzGyZfMToCyLRi0wErfVEHI7y7jtWoHqIWnpcHAM29UocsIFFsUCb3XqQCwwB.";
- };
- "newsletter@hacc.space" = {
- hashedPassword = "$6$f0xKnQxBInd$zbVIi1lTKWauqW.c8sMNLHNwzn81oQrVOiIfJwPa98n9xWz/NkjuWLYuFpK.MSZwNwP7Yv/a/qaOb9v8qv/.N1";
- };
- "lenny@hacc.space" = {
- hashedPassword = "$6$dR.lhYiJDpsR4.dw$n7bCbyTm97v/O8Ue44n58YwOmmct..Gt5TeAmen8C5FWyPTwTh65XCjwc27gNFVGnZLwsRJwMJ.E9D0oJEzUh0";
- };
+ "noreply@hacc.space" = {
+ hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
+ };
+ "stuebinm@hacc.space" = {
+ hashedPassword = "$6$mjrMQG5smqLRlm$WzmbiZnGlEXGT7hj/n2qz0nvVzGyZfMToCyLRi0wErfVEHI7y7jtWoHqIWnpcHAM29UocsIFFsUCb3XqQCwwB.";
+ };
+ "newsletter@hacc.space" = {
+ hashedPassword = "$6$f0xKnQxBInd$zbVIi1lTKWauqW.c8sMNLHNwzn81oQrVOiIfJwPa98n9xWz/NkjuWLYuFpK.MSZwNwP7Yv/a/qaOb9v8qv/.N1";
+ };
+ "lenny@hacc.space" = {
+ hashedPassword = "$6$dR.lhYiJDpsR4.dw$n7bCbyTm97v/O8Ue44n58YwOmmct..Gt5TeAmen8C5FWyPTwTh65XCjwc27gNFVGnZLwsRJwMJ.E9D0oJEzUh0";
+ };
- # service accounts
- "gitlab@infra4future.de".hashedPassword = "$6$8vvkYuxv$9xV5WktsqfgM3cWSxonjtaohm7oqvDC5qsgJCJBATwesjTRxd/QTLa7t7teK8Nzyl.Py26xz.NvYowCZQ4aBE1";
- "noreply@infra4future.de".hashedPassword = "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
- "discuss@infra4future.de".hashedPassword = "$6$8x8/OlMFjq1$S54jdBh7WjrdC6UtbYAHHzMJak7Ai/CjwmWBBbqh7yRHuZt.mfZrsfBNiL3JKBHE7seQ7JYRU99lJKCU6Aujg/";
+ # service accounts
+ "gitlab@infra4future.de".hashedPassword = "$6$8vvkYuxv$9xV5WktsqfgM3cWSxonjtaohm7oqvDC5qsgJCJBATwesjTRxd/QTLa7t7teK8Nzyl.Py26xz.NvYowCZQ4aBE1";
+ "noreply@infra4future.de".hashedPassword = "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
+ "discuss@infra4future.de".hashedPassword = "$6$8x8/OlMFjq1$S54jdBh7WjrdC6UtbYAHHzMJak7Ai/CjwmWBBbqh7yRHuZt.mfZrsfBNiL3JKBHE7seQ7JYRU99lJKCU6Aujg/";
 };
 extraVirtualAliases = {
- # address = forward address;
- "info@hacc.space" = [
- "hexchen@hacc.space"
- "octycs@hacc.space"
- "raphael@hacc.space"
- "schweby@hacc.space"
- "zauberberg@hacc.space"
- "stuebinm@hacc.space"
- "lenny@hacc.space"
- ];
- "himmel@hacc.space" = [
- "hexchen@hacc.space"
- "schweby@hacc.space"
- "zauberberg@hacc.space"
- ];
- "admin@hacc.space" = [
- "hexchen@hacc.space"
- "schweby@hacc.space"
- "zauberberg@hacc.space"
- ];
- "voc@hacc.space" = [
- "hexchen@hacc.space"
- "schweby@hacc.space"
- "octycs@hacc.space"
- "stuebinm@hacc.space"
- "zauberberg@hacc.space"
- "lenny@hacc.space"
- ];
- "vorstand@hacc.space" = [
- "raphael@hacc.space"
- "schweby@hacc.space"
- "zauberberg@hacc.space"
- ];
- "mitglieder@hacc.space" = [
- "raphael@hacc.space"
- "schweby@hacc.space"
- "zauberberg@hacc.space"
- "lenny@hacc.space"
- "octycs@hacc.space"
- ];
+ # address = forward address;
+ "info@hacc.space" = [
+ "hexchen@hacc.space"
+ "octycs@hacc.space"
+ "raphael@hacc.space"
+ "schweby@hacc.space"
+ "zauberberg@hacc.space"
+ "stuebinm@hacc.space"
+ "lenny@hacc.space"
+ ];
+ "himmel@hacc.space" = [
+ "hexchen@hacc.space"
+ "schweby@hacc.space"
+ "zauberberg@hacc.space"
+ ];
+ "admin@hacc.space" = [
+ "hexchen@hacc.space"
+ "schweby@hacc.space"
+ "zauberberg@hacc.space"
+ ];
+ "voc@hacc.space" = [
+ "hexchen@hacc.space"
+ "schweby@hacc.space"
+ "octycs@hacc.space"
+ "stuebinm@hacc.space"
+ "zauberberg@hacc.space"
+ "lenny@hacc.space"
+ ];
+ "vorstand@hacc.space" = [
+ "raphael@hacc.space"
+ "schweby@hacc.space"
+ "zauberberg@hacc.space"
+ ];
+ "mitglieder@hacc.space" = [
+ "raphael@hacc.space"
+ "schweby@hacc.space"
+ "zauberberg@hacc.space"
+ "lenny@hacc.space"
+ "octycs@hacc.space"
+ ];
 };
 # Use Let's Encrypt certificates. Note that this needs to set up a stripped
diff --git a/hosts/hainich/services/murmur.nix b/hosts/hainich/services/murmur.nix
index 82e0718..a505b00 100644
--- a/hosts/hainich/services/murmur.nix
+++ b/hosts/hainich/services/murmur.nix
@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 {
+ hexchen.dns.zones."hacc.space".subdomains."mumble".CNAME = [ "hainich.hacc.space" ];
 services.murmur = {
 enable = true;
 logDays = -1;
diff --git a/modules/default.nix b/modules/default.nix
index a6b276e..a6a44b4 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -5,5 +5,6 @@ in {
 imports = [
 ./nftnat
 ./decklink.nix
+ "${sources.nix-hexchen}/modules/dns"
 ];
 }
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 74ea8e6..8918976 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -13,6 +13,13 @@ let
 extraPath = super.extraPath + ":${pkgs.zfs}/bin";
 });
+ dns = import (pkgs.fetchFromGitHub {
+ owner = "kirelagin";
+ repo = "nix-dns";
+ rev = "v0.3.1";
+ sha256 = "1ykmx6b7al1sh397spnpqis7c9bp0yfmgxxp3v3j7qq45fa5fs09";
+ } + "/dns") { inherit pkgs; };
+
 linuxPackagesFor = kernel: (pkgs.linuxPackagesFor kernel).extend (_: ksuper: {
 decklink = callPackage ./decklink { kernel = ksuper.kernel; };
 });
diff --git a/services/dns/default.nix b/services/dns/default.nix
new file mode 100644
index 0000000..205fec5
--- /dev/null
+++ b/services/dns/default.nix
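Review bot: nix-dns is fetched ad hoc with `fetchFromGitHub` pinned to the tag `v0.3.1`, while every other external input touched by this diff comes from `nix/sources.nix` (`sources.nixos-mailserver`, `sources.nix-hexchen`), which looks niv-managed. The `sha256` means a moved tag fails the build rather than pulling different code, but the pin is invisible to whatever updates and audits the other inputs. Adding it to `sources.nix` and writing `dns = import (sources.nix-dns + "/dns") { inherit pkgs; };` keeps the supply-chain pins in one place; if it has to stay here, use the full commit hash for `rev` instead of the tag.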
@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+
+{
+ hexchen.deploy.groups = [ "dns" ];
+ services.kresd.enable = lib.mkForce false;
+ hexchen.dns = {
+ enable = true;
+ dnssec = {
+ enable = true;
+ doSplitSigning = true;
+ };
+ symlinkZones = true;
+ allZones = with pkgs.dns.combinators; let
+ common = {
+ SOA = {
+ nameServer = "ns1.infra4future.de.";
+ adminEmail = "admin@infra4future.de";
+ serial = 2020022102;
+ };
+ } // delegateTo [ "ns1.infra4future.de." "ns2.infra4future.de." ];
+
+ pages = a "95.217.84.3";
+ minecraftSRV = port: target: { service = "minecraft"; proto = "tcp"; inherit port target; };
+
+ allZones = config.hexchen.dns.allZones;
+ in {
+ "infra4future.de" = common // {
+ A = [ pages ];
+ subdomains = {
+ libocedrus.A = [ (a "95.217.84.23") ];
+
+ www.CNAME = [ (cname "hacc.4future.dev") ];
+
+ auth.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+ cloud.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+ discuss.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+ listmonk.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+ mattermost.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+ onlyoffice.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+ survey.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+ wiki.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+
+ gitlab.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+ registry.CNAME = [ (cname "gitlab.infra4future.de.") ];
+ ssh.CNAME = [ (cname "gitlab.infra4future.de.") ];
+
+ "_gitlab-pages-verification-code".TXT = [ "gitlab-pages-verification-code=3d9e1d733851cd8f7178330b62a5b783" ];
+ "_gitlab-pages-verification-code.www".TXT = [ "gitlab-pages-verification-code=c0472d3d954e4586def9b20a237aa141" ];
+ };
+ };
+ "hacc.space" = common // {
+ inherit (allZones."infra4future.de".subdomains.libocedrus) A;
+ subdomains = {
+ wink.CNAME = [ (cname "infra4future.de.") ];
+ };
+ };
+ "4future.dev" = common // {
+ A = [ pages ];
+ SRV = [ (minecraftSRV 25565 "minecraft.4future.dev.") ];
+ subdomains = {
+ "*".CNAME = [ (cname "libocedrus.4future.dev.") ];
+ libocedrus.A = [ pages ];
+
+ minecraft.A = [ (a "95.217.84.23") ];
+ };
+ };
+ };
+ };
+}
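Review bot: The SOA `serial = 2020022102` in `common` is a fixed literal shared by all three zones, so the secondary named in `delegateTo` (`ns2.infra4future.de.`, presumably published as NS) will not pick up any later edit unless someone remembers to bump the serial on every change, and with `dnssec.enable = true` a stale secondary keeps serving old signatures until they expire. Unless the hexchen.dns module rewrites the serial itself, which this diff does not show, deriving it from the build or at least documenting the rule next to it, `serial = 2020022102; # bump on every zone change (YYYYMMDDnn)`, is the minimum. The inner binding `allZones = config.hexchen.dns.allZones;` shadows the option being defined and only works because the module system evaluates lazily; a distinct name such as `finalZones` would read less like a cycle. The wildcard `"*".CNAME` under 4future.dev makes every otherwise-undefined name resolve to libocedrus, which widens what that host answers for and deserves a one-line comment saying it is intended; the `www.CNAME` target `"hacc.4future.dev"` is also the only `cname` here without a trailing dot.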