From e6ed60548397627bf10f561f9438201dbba0a36e Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Sun, 21 Apr 2024 02:15:42 +0300 Subject: 2024-04-21 --- modules/nsd.nix | 229 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 229 insertions(+) create mode 100644 modules/nsd.nix (limited to 'modules/nsd.nix') diff --git a/modules/nsd.nix b/modules/nsd.nix new file mode 100644 index 0000000..f44a2a0 --- /dev/null +++ b/modules/nsd.nix @@ -0,0 +1,229 @@ +{ + config, + inputs, + lib, + this, + ... +}: +with lib; +let + cfg = config.nixfiles.modules.nsd; +in +{ + options.nixfiles.modules.nsd = { + enable = mkEnableOption "NSD"; + + fqdn = mkOption { + description = "FQDN of this nameserver."; + type = with types; str; + default = "ns.${config.networking.domain}"; + }; + }; + + config = mkIf cfg.enable { + nixfiles.modules.nginx = + let + domain = my.domain.shire; + in + { + enable = true; + virtualHosts = mapAttrs' ( + _: v: + nameValuePair "mta-sts.${v}" { + locations."= /.well-known/mta-sts.txt" = { + extraConfig = '' + add_header default_type text/plain; + ''; + return = "200 '${ + concatStringsSep "\\r\\n" [ + "version: STSv1" + "mode: enforce" + "max_age: 2419200" + "mx: ${domain}" + ] + }'"; + }; + } + ) my.domain; + }; + + services = { + nsd = { + enable = true; + interfaces = with this; [ + ipv4.address + ipv6.address + ]; + ipTransparent = true; + ratelimit.enable = true; + + zones = + let + dns = inputs.dns.lib; + in + with dns.combinators; + let + ips = + hostname: with my.configurations.${hostname}; { + A = [ (a ipv4.address) ]; + AAAA = [ (aaaa ipv6.address) ]; + }; + + mkEmailEntries = + { + domain ? my.domain.shire, + dkimKey ? null, + }: + { + MX = [ (mx.mx 10 "${my.domain.shire}.") ]; + TXT = [ (spf.soft [ "a" ]) ]; + DMARC = [ + { + p = "quarantine"; + sp = "quarantine"; + rua = [ "mailto:admin+rua@${domain}" ]; + ruf = [ "mailto:admin+ruf@${domain}" ]; + } + ]; + DKIM = optional (dkimKey != null) { + selector = "mail"; + p = dkimKey; + }; + subdomains._mta-sts.TXT = [ "v=STSv1; id=20230506134541Z" ]; + }; + + mkZone = + { + domain, + sldIps ? (ips "manwe"), + extra ? { }, + }: + { + ${domain}.data = dns.toString domain (mkMerge [ + { + TTL = 60 * 60; + + SOA = { + nameServer = "${cfg.fqdn}."; + adminEmail = "admin+dns@${my.domain.shire}"; + serial = 2022091601; # Don't forget to bump the revision! + }; + + NS = with my.domain; [ + "ns1.${shire}" + # "ns2.${shire}" + ]; + + CAA = letsEncrypt "admin+caa@${my.domain.shire}"; + } + sldIps + extra + ]); + }; + + # https://ariadne.id/ + # https://docs.keyoxide.org/service-providers/dns/ + ariadneIdProof.TXT = [ "openpgp4fpr:${my.pgp.fingerprint}" ]; + in + mkMerge [ + (mkZone rec { + domain = my.domain.shire; + extra = mkMerge [ + (mkEmailEntries { + inherit domain; + dkimKey = "@DKIM_KEY@"; + }) + { + subdomains = rec { + manwe = ips "manwe"; + "*.manwe" = manwe; + varda = ips "varda"; + "*.varda" = varda; + yavanna = ips "yavanna"; + "*.yavanna" = yavanna; + + mta-sts = manwe; + + ns1 = manwe; + # ns2 = varda; + + alertmanager = manwe; + bitwarden = manwe; + git = manwe; + grafana = manwe; + loki = manwe; + ntfy = manwe; + plausible = manwe; + prometheus = manwe; + radicale = manwe; + rss-bridge = manwe; + vaultwarden = manwe; + + flood = yavanna; + jackett = yavanna; + lidarr = yavanna; + }; + } + ]; + }) + (mkZone rec { + domain = my.domain.azahi; + extra = mkMerge [ + (mkEmailEntries { + inherit domain; + dkimKey = "@DKIM_KEY@"; + }) + ariadneIdProof + { + subdomains = { + mta-sts = ips "manwe"; + + git = ips "manwe"; + }; + } + ]; + }) + (mkZone rec { + domain = my.domain.gondor; + extra = mkMerge [ + (mkEmailEntries { + inherit domain; + dkimKey = "@DKIM_KEY@"; + }) + { + subdomains = { + mta-sts = ips "manwe"; + + frodo = ips "manwe" // ariadneIdProof; + }; + } + ]; + }) + (mkZone rec { + domain = my.domain.rohan; + extra = mkMerge [ + (mkEmailEntries { + inherit domain; + dkimKey = "@DKIM_KEY@"; + }) + { + subdomains = { + mta-sts = ips "manwe"; + + frodo = ips "manwe" // ariadneIdProof; + }; + } + ]; + }) + ]; + }; + + fail2ban.jails.nsd.enabled = true; + }; + + networking.firewall = rec { + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = allowedTCPPorts; + }; + }; +} -- cgit v1.2.3