

2 commits

hexchen
584460b1c7 services/dns: init 2021-02-21 11:59:32 +00:00
hexchen
0c076f9805 sources: update nix-hexchen 2021-02-21 08:55:09 +00:00
10 changed files with 246 additions and 113 deletions


@ -19,6 +19,7 @@
./services/hasenloch.nix ./services/hasenloch.nix
./services/syncthing.nix ./services/syncthing.nix
./services/monitoring.nix ./services/monitoring.nix
../../services/dns
]; ];
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.version = 2; boot.loader.grub.version = 2;
@ -54,6 +55,11 @@
interface = "enp6s0"; interface = "enp6s0";
}; };
hexchen.dns.zones."hacc.space".subdomains.hainich = {
A = [ (lib.head config.networking.interfaces.enp6s0.ipv4.addresses).address ];
AAAA = [ (lib.head config.networking.interfaces.enp6s0.ipv6.addresses).address ];
};
hacc.nftables.nat.enable = true; hacc.nftables.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"]; networking.nat.internalInterfaces = ["ve-+"];
networking.nat.internalIPs = [ "192.168.100.0/24" "172.17.0.0/16" ]; networking.nat.internalIPs = [ "192.168.100.0/24" "172.17.0.0/16" ];
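Review bot: The new `hexchen.dns.zones."hacc.space".subdomains.hainich` records call `lib.head` on `config.networking.interfaces.enp6s0.ipv4.addresses` and on the ipv6 list; if either list is ever empty (host switched to DHCP, static v6 removed) evaluation of the whole system aborts with an opaque list-index error rather than a message that points at the DNS records. Since these lines feed a public zone, an explicit assertion gives a clear failure: `assertions = [ { assertion = config.networking.interfaces.enp6s0.ipv4.addresses != [] && config.networking.interfaces.enp6s0.ipv6.addresses != []; message = "hainich DNS records require static v4 and v6 addresses on enp6s0"; } ];`. Note also that only the first address of each list is published; if more than one is configured the rest are not advertised, which may be intended. The enclosing configuration attrset starts before and ends after this hunk.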


@ -1,6 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
hexchen.dns.zones."hacc.space".subdomains."pad".CNAME = [ "hainich.hacc.space" ];
containers.codimd = { containers.codimd = {
privateNetwork = true; privateNetwork = true;
hostAddress = "192.168.100.1"; hostAddress = "192.168.100.1";
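Review bot: The CNAME target `"hainich.hacc.space"` on the new `pad` line has no trailing dot, whereas the ghost hunk in this same commit writes `"hainich.hacc.space."`. In zone-file syntax an unqualified target is relative to the zone origin and would be emitted as `hainich.hacc.space.hacc.space.`; whether that happens here depends on whether the hexchen.dns module qualifies targets itself, which this diff does not show, so it is worth checking the generated zone file. If it does not, change the line to `hexchen.dns.zones."hacc.space".subdomains."pad".CNAME = [ "hainich.hacc.space." ];`; the same unqualified spelling appears in the mailserver (`mail`) and murmur (`mumble`) hunks. The `containers.codimd` block continues past the hunk.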


@ -1,6 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
hexchen.dns.zones."4future.dev".subdomains.waszumfff.CNAME = [ "hainich.hacc.space." ];
virtualisation.oci-containers.containers."ghost-waszumfff" = { virtualisation.oci-containers.containers."ghost-waszumfff" = {
autoStart = true; autoStart = true;
environment = { environment = {


@ -2,11 +2,31 @@
let let
sources = import ../../../nix/sources.nix; sources = import ../../../nix/sources.nix;
defaultDns = with pkgs.dns.combinators; {
MX = [ (mx.mx 10 "mail.hacc.space.") ];
TXT = [ (spf.strict [ "+mx" ]) ];
};
dkim = txt: { subdomains."mail._domainkey".TXT = [ txt ]; };
in { in {
imports = [ imports = [
sources.nixos-mailserver.outPath sources.nixos-mailserver.outPath
]; ];
hexchen.dns.zones = {
"hacc.space" = {
inherit (defaultDns) MX TXT;
subdomains."mail".CNAME = [ "hainich.hacc.space" ];
} // (dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1bIWqIW2WO5jLy2oZbvAqfCAkO6y64HiQ1lI50M36zn7xaJlRAaXo9FNdEYW09TY2dUC2dNVT7AG6EypfjHN9WNwAYoZVQOBLigZW2h47gy3LV8/GoaJLhAMfJEyTdgQUJf+ScnLKD30CLpezcVChYWljRBE1NSAHyymS9Ty/1wIDAQAB");
"infra4future.de" = {
inherit (defaultDns) MX TXT;
subdomains.discuss = defaultDns;
} // (dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1KO8EiAcR57TbiVW/T57GVllZp1Kk7wlqXyRAPLqf4huk3S+KBlUtkv/6JW14jiaEnvZSWnh2B0HCdX11EdrCt9sprvbirYssUZdn2j7f4MN0fhQAxRqEFcN+zzVl90T6gqhH8Apu2LlYtFos2YisKNZcgUiuYT/Ba9bCwjnMbwIDAQAB");
"4future.dev" = defaultDns // dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWQM4k4kvqoEZDEAo+li7URJ+k4aFI4C7XTIqwBT7UAXL2wHPWUmHftudK7VfemdmHdSwVdiFqAs3fMZFXTgbctc5+zG0hB03yOpm42pcf+kkYb4lvXlRoloEorN+XP9PmyNdW14p6ikQGCV//v/nliiraOSrqPaCciB0C6bD7bwIDAQAB";
# "4futu.re" = defaultDns // dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIORy3U05TE0yU/778OaXZ4JDQ5ztK8Set6mClIs8s4Wrtx53Fsq3ahmnglE7ypucsQ1N87Vfv+YjI/X/ndMAYcs8ZjuJRwUqFJnMADAPkPa4lwg3+AgNQYLQsjVpKTZAz83NWWQAZ9QwukgML8sU0cP33eJkiQJ27C/L7kQNlXQIDAQAB";
# "hacc.earth" = defaultDns // dkim "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwFuOQLtDRJU+0Q63GWZocTHwh3bSVjCV4ebgVTBmLxR48RmFqoz1LnYyTBqOGZTq5lvzJuoFcvpBGyJ+jBYNeQKsMY32BHJ0ju2e4nqTPR7SL8x5fBIAj0z2C5DFUnr5S0g+yPbwziQyos9qeJMy7XdtnrLboh635qPSGTgEY/QIDAQAB";
};
mailserver = { mailserver = {
mailDirectory = "/data/mail"; mailDirectory = "/data/mail";
enable = true; enable = true;
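Review bot: None of the three zones publishes a `_dmarc` TXT record, so the SPF (`spf.strict [ "+mx" ]`, presumably ending in `-all`) and DKIM records added here tell receivers how to authenticate mail but not what to do when authentication fails, and no aggregate reports come back to the operators. Adding per zone something like `subdomains."_dmarc".TXT = [ "v=DMARC1; p=quarantine; rua=mailto:postmaster@hacc.space" ];` (policy and report address to be chosen by the operators) closes that gap; note that `"hacc.space"` and `"infra4future.de"` only `inherit (defaultDns) MX TXT`, so putting it in `defaultDns` alone would not reach them. Separately, all five DKIM public keys begin with `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ`, the DER prefix of a 1024-bit RSA key; RFC 8301 requires signers to use at least 1024 bits and recommends 2048, so the keys should be regenerated at 2048 bits on the next rotation (the private keys live in the mailserver configuration outside this hunk). The `mailserver = {` block continues past the hunk.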


@ -1,6 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
hexchen.dns.zones."hacc.space".subdomains."mumble".CNAME = [ "hainich.hacc.space" ];
services.murmur = { services.murmur = {
enable = true; enable = true;
logDays = -1; logDays = -1;


@ -5,5 +5,6 @@ in {
imports = [ imports = [
./nftnat ./nftnat
./decklink.nix ./decklink.nix
"${sources.nix-hexchen}/modules/dns"
]; ];
} }
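Review bot: The new import pulls NixOS module code from a third-party repository (`sources.nix-hexchen`, fetched through niv's `fetchGit` at the rev recorded in sources.json), and a module evaluated here can set any option on every host that imports `modules/default.nix`, so each rev bump of nix-hexchen (this commit moves it to `c1575d78…`) is effectively a root-level code change and deserves an upstream diff review like one. The pin is a full commit hash rather than a branch name, which is good. A short comment would make that expectation explicit for the next person running `niv update`: `# third-party module providing hexchen.dns.* (and hexchen.deploy); review upstream changes before bumping nix-hexchen in nix/sources.json`. The `imports` list begins before this hunk.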


@ -27,7 +27,7 @@
"branch": "main", "branch": "main",
"ref": "main", "ref": "main",
"repo": "https://gitlab.com/hexchen/nixfiles.git", "repo": "https://gitlab.com/hexchen/nixfiles.git",
"rev": "c87f132c9d3932e61ddfeea50a6f810a19d41f79", "rev": "c1575d780087a90cf38a29198aafd0139efd599f",
"type": "git" "type": "git"
}, },
"nixos-mailserver": { "nixos-mailserver": {


@ -6,25 +6,33 @@ let
# The fetchers. fetch_<type> fetches specs of type <type>. # The fetchers. fetch_<type> fetches specs of type <type>.
# #
fetch_file = pkgs: spec: fetch_file = pkgs: name: spec:
let
name' = sanitizeName name + "-src";
in
if spec.builtin or true then if spec.builtin or true then
builtins_fetchurl { inherit (spec) url sha256; } builtins_fetchurl { inherit (spec) url sha256; name = name'; }
else else
pkgs.fetchurl { inherit (spec) url sha256; }; pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
fetch_tarball = pkgs: name: spec: fetch_tarball = pkgs: name: spec:
let let
ok = str: ! builtins.isNull (builtins.match "[a-zA-Z0-9+-._?=]" str); name' = sanitizeName name + "-src";
# sanitize the name, though nix will still fail if name starts with period
name' = stringAsChars (x: if ! ok x then "-" else x) "${name}-src";
in in
if spec.builtin or true then if spec.builtin or true then
builtins_fetchTarball { name = name'; inherit (spec) url sha256; } builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
else else
pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
fetch_git = spec: fetch_git = name: spec:
builtins.fetchGit { url = spec.repo; inherit (spec) rev ref; }; let
ref =
if spec ? ref then spec.ref else
if spec ? branch then "refs/heads/${spec.branch}" else
if spec ? tag then "refs/tags/${spec.tag}" else
abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
in
builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
fetch_local = spec: spec.path; fetch_local = spec: spec.path;
@ -40,11 +48,21 @@ let
# Various helpers # Various helpers
# #
# https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
sanitizeName = name:
(
concatMapStrings (s: if builtins.isList s then "-" else s)
(
builtins.split "[^[:alnum:]+._?=-]+"
((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
)
);
# The set of packages used when specs are fetched using non-builtins. # The set of packages used when specs are fetched using non-builtins.
mkPkgs = sources: mkPkgs = sources: system:
let let
sourcesNixpkgs = sourcesNixpkgs =
import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) {}; import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
hasThisAsNixpkgsPath = <nixpkgs> == ./.; hasThisAsNixpkgsPath = <nixpkgs> == ./.;
in in
@ -64,9 +82,9 @@ let
if ! builtins.hasAttr "type" spec then if ! builtins.hasAttr "type" spec then
abort "ERROR: niv spec ${name} does not have a 'type' attribute" abort "ERROR: niv spec ${name} does not have a 'type' attribute"
else if spec.type == "file" then fetch_file pkgs spec else if spec.type == "file" then fetch_file pkgs name spec
else if spec.type == "tarball" then fetch_tarball pkgs name spec else if spec.type == "tarball" then fetch_tarball pkgs name spec
else if spec.type == "git" then fetch_git spec else if spec.type == "git" then fetch_git name spec
else if spec.type == "local" then fetch_local spec else if spec.type == "local" then fetch_local spec
else if spec.type == "builtin-tarball" then fetch_builtin-tarball name else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
else if spec.type == "builtin-url" then fetch_builtin-url name else if spec.type == "builtin-url" then fetch_builtin-url name
@ -80,7 +98,10 @@ let
saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
in in
if ersatz == "" then drv else ersatz; if ersatz == "" then drv else
# this turns the string into an actual Nix path (for both absolute and
# relative paths)
if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
# Ports of functions for older nix versions # Ports of functions for older nix versions
@ -98,25 +119,29 @@ let
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatMapStrings = f: list: concatStrings (map f list);
concatStrings = builtins.concatStringsSep ""; concatStrings = builtins.concatStringsSep "";
# https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
optionalAttrs = cond: as: if cond then as else {};
# fetchTarball version that is compatible between all the versions of Nix # fetchTarball version that is compatible between all the versions of Nix
builtins_fetchTarball = { url, name, sha256 }@attrs: builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
let let
inherit (builtins) lessThan nixVersion fetchTarball; inherit (builtins) lessThan nixVersion fetchTarball;
in in
if lessThan nixVersion "1.12" then if lessThan nixVersion "1.12" then
fetchTarball { inherit name url; } fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
else else
fetchTarball attrs; fetchTarball attrs;
# fetchurl version that is compatible between all the versions of Nix # fetchurl version that is compatible between all the versions of Nix
builtins_fetchurl = { url, sha256 }@attrs: builtins_fetchurl = { url, name ? null, sha256 }@attrs:
let let
inherit (builtins) lessThan nixVersion fetchurl; inherit (builtins) lessThan nixVersion fetchurl;
in in
if lessThan nixVersion "1.12" then if lessThan nixVersion "1.12" then
fetchurl { inherit url; } fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
else else
fetchurl attrs; fetchurl attrs;
@ -135,7 +160,8 @@ let
mkConfig = mkConfig =
{ sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
, sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile) , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
, pkgs ? mkPkgs sources , system ? builtins.currentSystem
, pkgs ? mkPkgs sources system
}: rec { }: rec {
# The sources, i.e. the attribute set of spec name to spec # The sources, i.e. the attribute set of spec name to spec
inherit sources; inherit sources;


@ -13,6 +13,13 @@ let
extraPath = super.extraPath + ":${pkgs.zfs}/bin"; extraPath = super.extraPath + ":${pkgs.zfs}/bin";
}); });
dns = import (pkgs.fetchFromGitHub {
owner = "kirelagin";
repo = "nix-dns";
rev = "v0.3.1";
sha256 = "1ykmx6b7al1sh397spnpqis7c9bp0yfmgxxp3v3j7qq45fa5fs09";
} + "/dns") { inherit pkgs; };
linuxPackagesFor = kernel: (pkgs.linuxPackagesFor kernel).extend (_: ksuper: { linuxPackagesFor = kernel: (pkgs.linuxPackagesFor kernel).extend (_: ksuper: {
decklink = callPackage ./decklink { kernel = ksuper.kernel; }; decklink = callPackage ./decklink { kernel = ksuper.kernel; };
}); });
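Review bot: `rev = "v0.3.1"` pins nix-dns by a mutable tag; the accompanying `sha256` still makes the fetch content-addressed, so a moved tag fails with a hash mismatch rather than silently pulling new code, but an immutable commit hash in `rev` states the intent and makes that failure mode obvious to the reader. Every other external input in this repository is pinned through niv's sources.json (the `sources.nix-hexchen` import in this same commit), so tracking nix-dns there too would keep all supply-chain pins in one reviewable file; whether `sources` is in scope in this `let` is not visible, as it begins before the hunk. The nix-hexchen dns module imported in this commit also consumes `pkgs.dns.combinators`, so the nix-dns version it expects should be checked against v0.3.1. A one-line comment such as `# nix-dns library behind pkgs.dns.combinators; content-pinned by sha256, keep in step with the nix-hexchen dns module` would help.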

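--- a/services/dns/default.nix
+++ b/services/dns/default.nix
@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+{
+  hexchen.deploy.groups = [ "dns" ];
+  services.kresd.enable = lib.mkForce false;
+  hexchen.dns = {
+    enable = true;
+    dnssec = {
+      enable = true;
+      doSplitSigning = true;
+    };
+    symlinkZones = true;
+    allZones = with pkgs.dns.combinators; let
+      common = {
+        SOA = {
+          nameServer = "ns1.infra4future.de.";
+          adminEmail = "admin@infra4future.de";
+          serial = 2020022102;
+        };
+      } // delegateTo [ "ns1.infra4future.de." "ns2.infra4future.de." ];
+      pages = a "95.217.84.3";
+      minecraftSRV = port: target: { service = "minecraft"; proto = "tcp"; inherit port target; };
+      allZones = config.hexchen.dns.allZones;
+    in {
+      "infra4future.de" = common // {
+        A = [ pages ];
+        subdomains = {
+          libocedrus.A = [ (a "95.217.84.23") ];
+          www.CNAME = [ (cname "hacc.4future.dev") ];
+          auth.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+          cloud.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+          discuss.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+          listmonk.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+          mattermost.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+          onlyoffice.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+          survey.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+          wiki.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+          gitlab.CNAME = [ (cname "libocedrus.infra4future.de.") ];
+          registry.CNAME = [ (cname "gitlab.infra4future.de.") ];
+          ssh.CNAME = [ (cname "gitlab.infra4future.de.") ];
+          "_gitlab-pages-verification-code".TXT = [ "gitlab-pages-verification-code=3d9e1d733851cd8f7178330b62a5b783" ];
+          "_gitlab-pages-verification-code.www".TXT = [ "gitlab-pages-verification-code=c0472d3d954e4586def9b20a237aa141" ];
+        };
+      };
+      "hacc.space" = common // {
+        inherit (allZones."infra4future.de".subdomains.libocedrus) A;
+        subdomains = {
+          wink.CNAME = [ (cname "infra4future.de.") ];
+        };
+      };
+      "4future.dev" = common // {
+        A = [ pages ];
+        SRV = [ (minecraftSRV 25565 "minecraft.4future.dev.") ];
+        subdomains = {
+          "*".CNAME = [ (cname "libocedrus.4future.dev.") ];
+          libocedrus.A = [ pages ];
+          minecraft.A = [ (a "95.217.84.23") ];
+        };
+      };
+    };
+  };
+}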
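Review bot: `serial = 2020022102;` is a hand-maintained SOA serial that reads as 2020-02-21 although the commit is dated 2021-02-21, so it looks like a typo for `2021022102`; more importantly, a static serial has to be bumped on every zone change or the secondary named in `delegateTo` (`ns2.infra4future.de.`) keeps serving the old, differently signed zone — unless the hexchen.dns module derives the serial itself, which this file does not show, so a comment stating which it is would help. Second, `www.CNAME = [ (cname "hacc.4future.dev") ]` is the only CNAME target here without a trailing dot; in zone-file syntax it is then relative to the origin and comes out as `hacc.4future.dev.infra4future.de.`, so write `(cname "hacc.4future.dev.")`. Third, the wildcard `"*".CNAME` in `4future.dev` sends every unclaimed name to `libocedrus.4future.dev.`, which resolves via `pages` to `95.217.84.3` while `libocedrus.infra4future.de` is `95.217.84.23`; confirm both are intended, since wildcard names reach whatever vhost that server serves by default and make stale third-party names under the zone hard to notice.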