services/dns: init

This commit is contained in:
hexchen 2021-02-21 11:45:45 +00:00
parent 0c076f9805
commit 584460b1c7
8 changed files with 199 additions and 92 deletions

View file

@ -19,6 +19,7 @@
./services/hasenloch.nix ./services/hasenloch.nix
./services/syncthing.nix ./services/syncthing.nix
./services/monitoring.nix ./services/monitoring.nix
../../services/dns
]; ];
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.version = 2; boot.loader.grub.version = 2;
@ -54,6 +55,11 @@
interface = "enp6s0"; interface = "enp6s0";
}; };
hexchen.dns.zones."hacc.space".subdomains.hainich = {
A = [ (lib.head config.networking.interfaces.enp6s0.ipv4.addresses).address ];
AAAA = [ (lib.head config.networking.interfaces.enp6s0.ipv6.addresses).address ];
};
hacc.nftables.nat.enable = true; hacc.nftables.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"]; networking.nat.internalInterfaces = ["ve-+"];
networking.nat.internalIPs = [ "192.168.100.0/24" "172.17.0.0/16" ]; networking.nat.internalIPs = [ "192.168.100.0/24" "172.17.0.0/16" ];

View file

@ -1,6 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
hexchen.dns.zones."hacc.space".subdomains."pad".CNAME = [ "hainich.hacc.space" ];
containers.codimd = { containers.codimd = {
privateNetwork = true; privateNetwork = true;
hostAddress = "192.168.100.1"; hostAddress = "192.168.100.1";

View file

@ -1,6 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
hexchen.dns.zones."4future.dev".subdomains.waszumfff.CNAME = [ "hainich.hacc.space." ];
virtualisation.oci-containers.containers."ghost-waszumfff" = { virtualisation.oci-containers.containers."ghost-waszumfff" = {
autoStart = true; autoStart = true;
environment = { environment = {

View file

@ -1,12 +1,32 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
sources = import ../../../nix/sources.nix; sources = import ../../../nix/sources.nix;
defaultDns = with pkgs.dns.combinators; {
MX = [ (mx.mx 10 "mail.hacc.space.") ];
TXT = [ (spf.strict [ "+mx" ]) ];
};
dkim = txt: { subdomains."mail._domainkey".TXT = [ txt ]; };
in { in {
imports = [ imports = [
sources.nixos-mailserver.outPath sources.nixos-mailserver.outPath
]; ];
hexchen.dns.zones = {
"hacc.space" = {
inherit (defaultDns) MX TXT;
subdomains."mail".CNAME = [ "hainich.hacc.space" ];
} // (dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1bIWqIW2WO5jLy2oZbvAqfCAkO6y64HiQ1lI50M36zn7xaJlRAaXo9FNdEYW09TY2dUC2dNVT7AG6EypfjHN9WNwAYoZVQOBLigZW2h47gy3LV8/GoaJLhAMfJEyTdgQUJf+ScnLKD30CLpezcVChYWljRBE1NSAHyymS9Ty/1wIDAQAB");
"infra4future.de" = {
inherit (defaultDns) MX TXT;
subdomains.discuss = defaultDns;
} // (dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1KO8EiAcR57TbiVW/T57GVllZp1Kk7wlqXyRAPLqf4huk3S+KBlUtkv/6JW14jiaEnvZSWnh2B0HCdX11EdrCt9sprvbirYssUZdn2j7f4MN0fhQAxRqEFcN+zzVl90T6gqhH8Apu2LlYtFos2YisKNZcgUiuYT/Ba9bCwjnMbwIDAQAB");
"4future.dev" = defaultDns // dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWQM4k4kvqoEZDEAo+li7URJ+k4aFI4C7XTIqwBT7UAXL2wHPWUmHftudK7VfemdmHdSwVdiFqAs3fMZFXTgbctc5+zG0hB03yOpm42pcf+kkYb4lvXlRoloEorN+XP9PmyNdW14p6ikQGCV//v/nliiraOSrqPaCciB0C6bD7bwIDAQAB";
# "4futu.re" = defaultDns // dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIORy3U05TE0yU/778OaXZ4JDQ5ztK8Set6mClIs8s4Wrtx53Fsq3ahmnglE7ypucsQ1N87Vfv+YjI/X/ndMAYcs8ZjuJRwUqFJnMADAPkPa4lwg3+AgNQYLQsjVpKTZAz83NWWQAZ9QwukgML8sU0cP33eJkiQJ27C/L7kQNlXQIDAQAB";
# "hacc.earth" = defaultDns // dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwFuOQLtDRJU+0Q63GWZocTHwh3bSVjCV4ebgVTBmLxR48RmFqoz1LnYyTBqOGZTq5lvzJuoFcvpBGyJ+jBYNeQKsMY32BHJ0ju2e4nqTPR7SL8x5fBIAj0z2C5DFUnr5S0g+yPbwziQyos9qeJMy7XdtnrLboh635qPSGTgEY/QIDAQAB";
};
mailserver = { mailserver = {
mailDirectory = "/data/mail"; mailDirectory = "/data/mail";
enable = true; enable = true;
@ -14,110 +34,110 @@ in {
domains = [ "hacc.space" "hacc.earth" "4future.dev" "4futu.re" "infra4future.de" "discuss.infra4future.de" ]; domains = [ "hacc.space" "hacc.earth" "4future.dev" "4futu.re" "infra4future.de" "discuss.infra4future.de" ];
loginAccounts = { loginAccounts = {
"hexchen@hacc.space" = { "hexchen@hacc.space" = {
hashedPassword = "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/"; hashedPassword = "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/";
aliases = [ aliases = [
"postmaster@hacc.space" "postmaster@hacc.space"
"abuse@hacc.space" "abuse@hacc.space"
]; ];
}; };
"octycs@hacc.space" = { "octycs@hacc.space" = {
hashedPassword = "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg."; hashedPassword = "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg.";
aliases = [ aliases = [
"markus@hacc.space" "markus@hacc.space"
]; ];
}; };
"raphael@hacc.space" = { "raphael@hacc.space" = {
hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/"; hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/";
}; };
"engelsystem@hacc.space" = { "engelsystem@hacc.space" = {
hashedPassword = "$6$5cIAEhJ7af7M$eJBPQc3ONd.N3HKPFpxfG7liZbUXPvWuSpWVgeG7rmsG7f7.Zdxtodvt5VaXoA3AEiv3GqcY.gKHISK/Gg0ib/"; hashedPassword = "$6$5cIAEhJ7af7M$eJBPQc3ONd.N3HKPFpxfG7liZbUXPvWuSpWVgeG7rmsG7f7.Zdxtodvt5VaXoA3AEiv3GqcY.gKHISK/Gg0ib/";
}; };
"schweby@hacc.space" = { "schweby@hacc.space" = {
hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1"; hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1";
}; };
"zauberberg@hacc.space" = { "zauberberg@hacc.space" = {
hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0"; hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
aliases = [ aliases = [
"lukas@hacc.space" "lukas@hacc.space"
]; ];
}; };
"talx@hacc.space" = { "talx@hacc.space" = {
hashedPassword = "$6$0hIKRoMJS./JSE$tXizRgphhNM3ZYx216VdRv1OiyZoYXsjGqSudTDu8vB8eZb03Axi31VKV87RXiEGGixdvTsHEKpx032aOzzt31"; hashedPassword = "$6$0hIKRoMJS./JSE$tXizRgphhNM3ZYx216VdRv1OiyZoYXsjGqSudTDu8vB8eZb03Axi31VKV87RXiEGGixdvTsHEKpx032aOzzt31";
}; };
"unms@hacc.space" = { "unms@hacc.space" = {
hashedPassword = "$6$pYlNP37913$sGE3L722ceP.1Qm5lsffYUN919hPP1xRTrzco3ic3Op21iiknBkOY04eY2l3Um/Bpk/yV89aJD0eaB/5RCbWR1"; hashedPassword = "$6$pYlNP37913$sGE3L722ceP.1Qm5lsffYUN919hPP1xRTrzco3ic3Op21iiknBkOY04eY2l3Um/Bpk/yV89aJD0eaB/5RCbWR1";
}; };
"noreply@hacc.space" = { "noreply@hacc.space" = {
hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/"; hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
}; };
"stuebinm@hacc.space" = { "stuebinm@hacc.space" = {
hashedPassword = "$6$mjrMQG5smqLRlm$WzmbiZnGlEXGT7hj/n2qz0nvVzGyZfMToCyLRi0wErfVEHI7y7jtWoHqIWnpcHAM29UocsIFFsUCb3XqQCwwB."; hashedPassword = "$6$mjrMQG5smqLRlm$WzmbiZnGlEXGT7hj/n2qz0nvVzGyZfMToCyLRi0wErfVEHI7y7jtWoHqIWnpcHAM29UocsIFFsUCb3XqQCwwB.";
}; };
"newsletter@hacc.space" = { "newsletter@hacc.space" = {
hashedPassword = "$6$f0xKnQxBInd$zbVIi1lTKWauqW.c8sMNLHNwzn81oQrVOiIfJwPa98n9xWz/NkjuWLYuFpK.MSZwNwP7Yv/a/qaOb9v8qv/.N1"; hashedPassword = "$6$f0xKnQxBInd$zbVIi1lTKWauqW.c8sMNLHNwzn81oQrVOiIfJwPa98n9xWz/NkjuWLYuFpK.MSZwNwP7Yv/a/qaOb9v8qv/.N1";
}; };
"lenny@hacc.space" = { "lenny@hacc.space" = {
hashedPassword = "$6$dR.lhYiJDpsR4.dw$n7bCbyTm97v/O8Ue44n58YwOmmct..Gt5TeAmen8C5FWyPTwTh65XCjwc27gNFVGnZLwsRJwMJ.E9D0oJEzUh0"; hashedPassword = "$6$dR.lhYiJDpsR4.dw$n7bCbyTm97v/O8Ue44n58YwOmmct..Gt5TeAmen8C5FWyPTwTh65XCjwc27gNFVGnZLwsRJwMJ.E9D0oJEzUh0";
}; };
# service accounts # service accounts
"gitlab@infra4future.de".hashedPassword = "$6$8vvkYuxv$9xV5WktsqfgM3cWSxonjtaohm7oqvDC5qsgJCJBATwesjTRxd/QTLa7t7teK8Nzyl.Py26xz.NvYowCZQ4aBE1"; "gitlab@infra4future.de".hashedPassword = "$6$8vvkYuxv$9xV5WktsqfgM3cWSxonjtaohm7oqvDC5qsgJCJBATwesjTRxd/QTLa7t7teK8Nzyl.Py26xz.NvYowCZQ4aBE1";
"noreply@infra4future.de".hashedPassword = "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV."; "noreply@infra4future.de".hashedPassword = "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
"discuss@infra4future.de".hashedPassword = "$6$8x8/OlMFjq1$S54jdBh7WjrdC6UtbYAHHzMJak7Ai/CjwmWBBbqh7yRHuZt.mfZrsfBNiL3JKBHE7seQ7JYRU99lJKCU6Aujg/"; "discuss@infra4future.de".hashedPassword = "$6$8x8/OlMFjq1$S54jdBh7WjrdC6UtbYAHHzMJak7Ai/CjwmWBBbqh7yRHuZt.mfZrsfBNiL3JKBHE7seQ7JYRU99lJKCU6Aujg/";
}; };
extraVirtualAliases = { extraVirtualAliases = {
# address = forward address; # address = forward address;
"info@hacc.space" = [ "info@hacc.space" = [
"hexchen@hacc.space" "hexchen@hacc.space"
"octycs@hacc.space" "octycs@hacc.space"
"raphael@hacc.space" "raphael@hacc.space"
"schweby@hacc.space" "schweby@hacc.space"
"zauberberg@hacc.space" "zauberberg@hacc.space"
"stuebinm@hacc.space" "stuebinm@hacc.space"
"lenny@hacc.space" "lenny@hacc.space"
]; ];
"himmel@hacc.space" = [ "himmel@hacc.space" = [
"hexchen@hacc.space" "hexchen@hacc.space"
"schweby@hacc.space" "schweby@hacc.space"
"zauberberg@hacc.space" "zauberberg@hacc.space"
]; ];
"admin@hacc.space" = [ "admin@hacc.space" = [
"hexchen@hacc.space" "hexchen@hacc.space"
"schweby@hacc.space" "schweby@hacc.space"
"zauberberg@hacc.space" "zauberberg@hacc.space"
]; ];
"voc@hacc.space" = [ "voc@hacc.space" = [
"hexchen@hacc.space" "hexchen@hacc.space"
"schweby@hacc.space" "schweby@hacc.space"
"octycs@hacc.space" "octycs@hacc.space"
"stuebinm@hacc.space" "stuebinm@hacc.space"
"zauberberg@hacc.space" "zauberberg@hacc.space"
"lenny@hacc.space" "lenny@hacc.space"
]; ];
"vorstand@hacc.space" = [ "vorstand@hacc.space" = [
"raphael@hacc.space" "raphael@hacc.space"
"schweby@hacc.space" "schweby@hacc.space"
"zauberberg@hacc.space" "zauberberg@hacc.space"
]; ];
"mitglieder@hacc.space" = [ "mitglieder@hacc.space" = [
"raphael@hacc.space" "raphael@hacc.space"
"schweby@hacc.space" "schweby@hacc.space"
"zauberberg@hacc.space" "zauberberg@hacc.space"
"lenny@hacc.space" "lenny@hacc.space"
"octycs@hacc.space" "octycs@hacc.space"
]; ];
}; };
# Use Let's Encrypt certificates. Note that this needs to set up a stripped # Use Let's Encrypt certificates. Note that this needs to set up a stripped

View file

@ -1,6 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
hexchen.dns.zones."hacc.space".subdomains."mumble".CNAME = [ "hainich.hacc.space" ];
services.murmur = { services.murmur = {
enable = true; enable = true;
logDays = -1; logDays = -1;

View file

@ -5,5 +5,6 @@ in {
imports = [ imports = [
./nftnat ./nftnat
./decklink.nix ./decklink.nix
"${sources.nix-hexchen}/modules/dns"
]; ];
} }

View file

@ -13,6 +13,13 @@ let
extraPath = super.extraPath + ":${pkgs.zfs}/bin"; extraPath = super.extraPath + ":${pkgs.zfs}/bin";
}); });
dns = import (pkgs.fetchFromGitHub {
owner = "kirelagin";
repo = "nix-dns";
rev = "v0.3.1";
sha256 = "1ykmx6b7al1sh397spnpqis7c9bp0yfmgxxp3v3j7qq45fa5fs09";
} + "/dns") { inherit pkgs; };
linuxPackagesFor = kernel: (pkgs.linuxPackagesFor kernel).extend (_: ksuper: { linuxPackagesFor = kernel: (pkgs.linuxPackagesFor kernel).extend (_: ksuper: {
decklink = callPackage ./decklink { kernel = ksuper.kernel; }; decklink = callPackage ./decklink { kernel = ksuper.kernel; };
}); });

69
services/dns/default.nix Normal file
View file

@ -0,0 +1,69 @@
{ config, lib, pkgs, ... }:
{
hexchen.deploy.groups = [ "dns" ];
services.kresd.enable = lib.mkForce false;
hexchen.dns = {
enable = true;
dnssec = {
enable = true;
doSplitSigning = true;
};
symlinkZones = true;
allZones = with pkgs.dns.combinators; let
common = {
SOA = {
nameServer = "ns1.infra4future.de.";
adminEmail = "admin@infra4future.de";
serial = 2020022102;
};
} // delegateTo [ "ns1.infra4future.de." "ns2.infra4future.de." ];
pages = a "95.217.84.3";
minecraftSRV = port: target: { service = "minecraft"; proto = "tcp"; inherit port target; };
allZones = config.hexchen.dns.allZones;
in {
"infra4future.de" = common // {
A = [ pages ];
subdomains = {
libocedrus.A = [ (a "95.217.84.23") ];
www.CNAME = [ (cname "hacc.4future.dev") ];
auth.CNAME = [ (cname "libocedrus.infra4future.de.") ];
cloud.CNAME = [ (cname "libocedrus.infra4future.de.") ];
discuss.CNAME = [ (cname "libocedrus.infra4future.de.") ];
listmonk.CNAME = [ (cname "libocedrus.infra4future.de.") ];
mattermost.CNAME = [ (cname "libocedrus.infra4future.de.") ];
onlyoffice.CNAME = [ (cname "libocedrus.infra4future.de.") ];
survey.CNAME = [ (cname "libocedrus.infra4future.de.") ];
wiki.CNAME = [ (cname "libocedrus.infra4future.de.") ];
gitlab.CNAME = [ (cname "libocedrus.infra4future.de.") ];
registry.CNAME = [ (cname "gitlab.infra4future.de.") ];
ssh.CNAME = [ (cname "gitlab.infra4future.de.") ];
"_gitlab-pages-verification-code".TXT = [ "gitlab-pages-verification-code=3d9e1d733851cd8f7178330b62a5b783" ];
"_gitlab-pages-verification-code.www".TXT = [ "gitlab-pages-verification-code=c0472d3d954e4586def9b20a237aa141" ];
};
};
"hacc.space" = common // {
inherit (allZones."infra4future.de".subdomains.libocedrus) A;
subdomains = {
wink.CNAME = [ (cname "infra4future.de.") ];
};
};
"4future.dev" = common // {
A = [ pages ];
SRV = [ (minecraftSRV 25565 "minecraft.4future.dev.") ];
subdomains = {
"*".CNAME = [ (cname "libocedrus.4future.dev.") ];
libocedrus.A = [ pages ];
minecraft.A = [ (a "95.217.84.23") ];
};
};
};
};
}