

commit 3671308fa9933ea96247252498692345f3abe02e
parent 37fd09124b5bbc1410c0fd7ef88b01f0ef9b653a
Author: Katja Ramona Sophie Kwast (zaphyra) <git@zaphyra.eu>
Date: Fri, 20 Jun 2025 19:13:57 +0200

hosts/novus/dn42: add recursive dns-server
5 files changed, 109 insertions(+), 71 deletions(-)
M
config/nixos/modules/presets/zaphyra/dn42.nix
|
69
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M
config/nixos/modules/presets/zaphyra/enable.nix
|
28
----------------------------
M
config/nixos/modules/presets/zaphyra/networkManagerProfiles/dn42.nix
|
2
+-
M
hosts/morio/dn42.nix
|
13
-------------
M
hosts/novus/dn42.nix
|
68
+++++++++++++++++++++++++++++++++++++++-----------------------------
diff --git a/config/nixos/modules/presets/zaphyra/dn42.nix b/config/nixos/modules/presets/zaphyra/dn42.nix
@@ -40,8 +40,77 @@ in
       };
     };
 
+    services.resolved = {
+      enable = true;
+      fallbackDns = [
+        "8.8.8.8"
+        "2001:4860:4860::8844"
+      ];
+    };
+
+    systemd.network = {
+      networks."20-dn42" = {
+        matchConfig.Name = "dn42";
+        routes = [ { Destination = "fd00::/8"; } ];
+        networkConfig = {
+          DNSDefaultRoute = false;
+          DNS = [ "fd6b:6174:6a61::1" ];
+          Domains = [
+            "~dn42"
+            "d.f.ip6.arpa"
+          ];
+        };
+      };
+    };
+
     modules.services.prometheusExporters.domain = "${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}.zaphyra.dn42";
 
+    security.pki.certificates = [
+      #dn42 root ca
+      ''
+        -----BEGIN CERTIFICATE-----
+        MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC
+        WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0
+        aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx
+        NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE
+        CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd
+        BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
+        A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR
+        VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx
+        6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS
+        FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu
+        y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw
+        GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P
+        AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J
+        bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud
+        HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA
+        //8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11
+        S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl
+        aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu
+        P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI
+        9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC
+        1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ
+        C0IKqQ==
+        -----END CERTIFICATE-----
+      ''
+    ];
+
+
+    environment.etc."whois.conf".text = ''
+      \.dn42$           whois.dn42
+      \-DN42$           whois.dn42
+      # dn42 range 64512-65534
+      ^as6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9]{2})|5([0-4][0-9]{2}|5([0-2][0-9]|3[0-4])))$ whois.dn42
+      # dn42 range 76100-76199
+      ^as761[0-9][0-9]$   whois.dn42
+      # dn42 range 4242420000-4242429999
+      ^as424242[0-9]{4}$ whois.dn42
+      # dn42 ipv4 address space
+      ^172\.2[0-3]\.[0-9]{1,3}\.[0-9]{1,3}(/(1[56789]|2[0-9]|3[012]))?$ whois.dn42
+
+      # dn42 ula ipv6 address space
+      ^fd**:****:****:****:****:****:****:**** whois.dn42
+    '';
   };
 
 }
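Review bot: The IPv6 whois pattern `^fd**:****:****:****:****:****:****:**** whois.dn42` is not a valid regular expression — each extra `*` quantifies the preceding `*` — so depending on the matcher it is either rejected or collapsed to something like `^fd*:*…`, which matches any query beginning with `f` and never requires hex groups; it also cannot match compressed forms such as `fd6b:6174:6a61::1`. A pattern that admits compressed addresses and an optional prefix length, e.g. `^fd[0-9a-fA-F]{2}:[0-9a-fA-F:]+(/[0-9]{1,3})?$ whois.dn42`, would cover the ULA space this same module routes through `DNS`/`Domains`. Separately, `security.pki.certificates` now installs the dn42 root CA into the system trust store of every host that enables this preset; the `#dn42 root ca` comment should say why that is acceptable — the certificate appears to carry a name-constraints extension (the 2.5.29.30 OID is visible in the DER), which is worth confirming with `openssl x509 -text` and recording next to the blob.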
diff --git a/config/nixos/modules/presets/zaphyra/enable.nix b/config/nixos/modules/presets/zaphyra/enable.nix
@@ -100,34 +100,6 @@ in
               );
             };
           };
-          pki.certificates = [
-            ''
-              -----BEGIN CERTIFICATE-----
-              MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC
-              WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0
-              aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx
-              NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE
-              CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd
-              BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
-              A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR
-              VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx
-              6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS
-              FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu
-              y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw
-              GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P
-              AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J
-              bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud
-              HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA
-              //8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11
-              S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl
-              aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu
-              P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI
-              9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC
-              1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ
-              C0IKqQ==
-              -----END CERTIFICATE-----
-            ''
-          ];
         };
 
         services = {
diff --git a/config/nixos/modules/presets/zaphyra/networkManagerProfiles/dn42.nix b/config/nixos/modules/presets/zaphyra/networkManagerProfiles/dn42.nix
@@ -38,7 +38,7 @@ in
         ipv6 = {
           addr-gen-mode = "default";
           address1 = "fd6b:6174:6a61::3/128";
-          dns = "fd42:d42:d42:54::1;fd42:d42:d42:53::1;";
+          dns = "fd6b:6174:6a61::1;";
           dns-search = "~dn42;";
           method = "manual";
         };
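Review bot: `dns = "fd6b:6174:6a61::1;"` replaces two upstream resolvers with a single one, the kresd instance this commit adds on novus (`listenPlain = [ "[fd6b:6174:6a61::1]:53" ]` in hosts/novus/dn42.nix), so dn42 name resolution for this profile has no fallback while that host or its WireGuard path is down. If that is intended, a short comment on the line saying so would help; otherwise keeping one of the previously listed servers as a second entry preserves the redundancy the old value had. The enclosing profile definition starts and ends outside the hunk.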
diff --git a/hosts/morio/dn42.nix b/hosts/morio/dn42.nix
@@ -13,7 +13,6 @@
     "fd6b:6174:6a61:53::2"
   ];
 
-
   systemd.network = {
     netdevs."20-dn42" = {
       netdevConfig = {

@@ -41,22 +40,10 @@
     networks."20-dn42" = {
       matchConfig.Name = "dn42";
       linkConfig.RequiredForOnline = false;
-      routes = [ { Destination = "fd00::/8"; } ];
       address = [
         "fd6b:6174:6a61::2/128"
         "fd6b:6174:6a61:53::2/128"
       ];
-      networkConfig = {
-        DNSDefaultRoute = false;
-        DNS = [
-          "fd42:d42:d42:54::1"
-          "fd42:d42:d42:53::1"
-        ];
-        Domains = [
-          "~dn42"
-          "d.f.ip6.arpa"
-        ];
-      };
     };
   };
 
diff --git a/hosts/novus/dn42.nix b/hosts/novus/dn42.nix
@@ -4,10 +4,6 @@
 
   dns.zones."zaphyra.eu".subdomains."router-a.dn42".AAAA = [ hostConfig.networking.ip6Address ];
 
-  services.knot.settings.server.listen = [
-    "fd6b:6174:6a61:53::1"
-  ];
-
   sops.secrets."dn42/wgPrivateKey" = {
     owner = "systemd-network";
     group = "systemd-network";

@@ -119,31 +115,56 @@
     };
   };
 
+  services.kresd = {
+    enable = true;
+    listenPlain = [ "[fd6b:6174:6a61::1]:53" ];
+    extraConfig = ''
+      modules = {
+        'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
+        'stats',            -- Track internal statistics
+        'predict',          -- Prefetch expiring/frequent records
+      }
+
+      log_level('info')
+
+      -- Cache size
+      cache.size = 100 * MB
+
+      dn42 = {
+        'dn42.',
+        '20.172.in-addr.arpa.',
+        '21.172.in-addr.arpa.',
+        '22.172.in-addr.arpa.',
+        '23.172.in-addr.arpa.',
+        '10.in-addr.arpa.',
+        'd.f.in-addr.arpa.',
+      }
+
+      -- NXDOMAINs that could sometimes happen due to aggressive DNSSEC caching.
+      policy.add(policy.suffix(policy.FLAGS({'NO_EDNS'}), dn42))
+
+      policy.add(policy.suffix(policy.STUB({'fd42:d42:d42:54::1', 'fd42:d42:d42:53::1'}), policy.todnames(dn42)))
+      -- policy.add(policy.FORWARD({'1.1.1.1'}))
+
+      -- trust_anchors.remove('.')
+      trust_anchors.set_insecure(dn42) -- Disable DNSSEC for these domains
+
+      modules.load('nsid')
+      nsid.name(hostname() .. ':' .. os.getenv("SYSTEMD_INSTANCE"))
+    '';
+  };
+
   networking.firewall = {
     checkReversePath = "loose";
     allowedUDPPorts = [
       config.systemd.network.netdevs."20-dn42".wireguardConfig.ListenPort
     ];
     trustedInterfaces = [
-      #      "vlan"
       "dn42"
     ];
-    # filterForward = true;
-    # extraForwardRules = "iifname dn42 accept";
   };
 
   systemd.network = {
-    #     links."10-vlan" = {
-    #       matchConfig.PermanentMACAddress = "56:ca:a0:fa:fa:2b";
-    #       linkConfig.Name = "vlan";
-    #     };
-    #
-    #     networks."10-vlan" = {
-    #       matchConfig.Name = "vlan";
-    #       linkConfig.RequiredForOnline = "no";
-    #       networkConfig.IPv6Forwarding = true;
-    #     };
-
     config.networkConfig = {
       IPv6Forwarding = true;
     };
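Review bot: The `dn42` suffix table lists `'d.f.in-addr.arpa.'`, but the reverse zone for the fd00::/8 ULA space is `d.f.ip6.arpa.` — the very name this commit routes to the resolver via `Domains = [ "~dn42" "d.f.ip6.arpa" ]` in the preset — so PTR queries for dn42 IPv6 addresses are neither stubbed to the dn42 servers nor marked insecure and would presumably be resolved from the public root zone, where they do not exist. Changing the entry to `'d.f.ip6.arpa.',` fixes all three policy lines that consume the table. Also worth noting: `listenPlain` on the dn42-facing address combined with `trustedInterfaces = [ "dn42" ]` makes this a recursive resolver reachable from the whole dn42 network with no source ACL or rate limit in `extraConfig`; if that is intended, a comment next to `listenPlain` stating it would help, and knot-resolver's `view` module can restrict recursion to your own prefixes if it is not.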

@@ -206,17 +227,6 @@
         "fd6b:6174:6a61::1/48"
         "fd6b:6174:6a61:53::1/128"
       ];
-      networkConfig = {
-        DNSDefaultRoute = false;
-        DNS = [
-          "fd42:d42:d42:54::1"
-          "fd42:d42:d42:53::1"
-        ];
-        Domains = [
-          "~dn42"
-          "d.f.ip6.arpa"
-        ];
-      };
     };
   };