commit 3671308fa9933ea96247252498692345f3abe02e
parent 37fd09124b5bbc1410c0fd7ef88b01f0ef9b653a
Author: Katja Ramona Sophie Kwast (zaphyra) <git@zaphyra.eu>
Date: Fri, 20 Jun 2025 19:13:57 +0200
parent 37fd09124b5bbc1410c0fd7ef88b01f0ef9b653a
Author: Katja Ramona Sophie Kwast (zaphyra) <git@zaphyra.eu>
Date: Fri, 20 Jun 2025 19:13:57 +0200
hosts/novus/dn42: add recursive dns-server
5 files changed, 109 insertions(+), 71 deletions(-)
M
|
69
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/config/nixos/modules/presets/zaphyra/dn42.nix b/config/nixos/modules/presets/zaphyra/dn42.nix 
@@ -40,8 +40,77 @@ in
 };
 };
+ services.resolved = {
+ enable = true;
+ fallbackDns = [
+ "8.8.8.8"
+ "2001:4860:4860::8844"
+ ];
+ };
+
+ systemd.network = {
+ networks."20-dn42" = {
+ matchConfig.Name = "dn42";
+ routes = [ { Destination = "fd00::/8"; } ];
+ networkConfig = {
+ DNSDefaultRoute = false;
+ DNS = [ "fd6b:6174:6a61::1" ];
+ Domains = [
+ "~dn42"
+ "d.f.ip6.arpa"
+ ];
+ };
+ };
+ };
+ modules.services.prometheusExporters.domain = "${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}.zaphyra.dn42";
+ security.pki.certificates = [
+ #dn42 root ca
+ ''
+ -----BEGIN CERTIFICATE-----
+ MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC
+ WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0
+ aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx
+ NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE
+ CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd
+ BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
+ A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR
+ VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx
+ 6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS
+ FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu
+ y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw
+ GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P
+ AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J
+ bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud
+ HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA
+ //8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11
+ S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl
+ aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu
+ P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI
+ 9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC
+ 1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ
+ C0IKqQ==
+ -----END CERTIFICATE-----
+ ''
+ ];
+
+
+ environment.etc."whois.conf".text = ''
+ \.dn42$ whois.dn42
+ \-DN42$ whois.dn42
+ # dn42 range 64512-65534
+ ^as6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9]{2})|5([0-4][0-9]{2}|5([0-2][0-9]|3[0-4])))$ whois.dn42
+ # dn42 range 76100-76199
+ ^as761[0-9][0-9]$ whois.dn42
+ # dn42 range 4242420000-4242429999
+ ^as424242[0-9]{4}$ whois.dn42
+ # dn42 ipv4 address space
+ ^172\.2[0-3]\.[0-9]{1,3}\.[0-9]{1,3}(/(1[56789]|2[0-9]|3[012]))?$ whois.dn42
+
+ # dn42 ula ipv6 address space
+ ^fd**:****:****:****:****:****:****:**** whois.dn42
+ '';
 };
}
diff --git a/config/nixos/modules/presets/zaphyra/enable.nix b/config/nixos/modules/presets/zaphyra/enable.nix
@@ -100,34 +100,6 @@ in
 );
 };
 };
- pki.certificates = [
- ''
- -----BEGIN CERTIFICATE-----
- MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC
- WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0
- aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx
- NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE
- CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd
- BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
- A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR
- VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx
- 6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS
- FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu
- y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw
- GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P
- AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J
- bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud
- HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA
- //8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11
- S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl
- aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu
- P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI
- 9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC
- 1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ
- C0IKqQ==
- -----END CERTIFICATE-----
- ''
- ];
 };
 services = {
diff --git a/config/nixos/modules/presets/zaphyra/networkManagerProfiles/dn42.nix b/config/nixos/modules/presets/zaphyra/networkManagerProfiles/dn42.nix
@@ -38,7 +38,7 @@ in
 ipv6 = {
 addr-gen-mode = "default";
 address1 = "fd6b:6174:6a61::3/128";
- dns = "fd42:d42:d42:54::1;fd42:d42:d42:53::1;";
+ dns = "fd6b:6174:6a61::1;";
 dns-search = "~dn42;";
 method = "manual";
 };
diff --git a/hosts/morio/dn42.nix b/hosts/morio/dn42.nix
@@ -13,7 +13,6 @@
 "fd6b:6174:6a61:53::2"
 ];
-
 systemd.network = {
 netdevs."20-dn42" = {
 netdevConfig = {
@@ -41,22 +40,10 @@
 networks."20-dn42" = {
 matchConfig.Name = "dn42";
 linkConfig.RequiredForOnline = false;
- routes = [ { Destination = "fd00::/8"; } ];
 address = [
 "fd6b:6174:6a61::2/128"
 "fd6b:6174:6a61:53::2/128"
 ];
- networkConfig = {
- DNSDefaultRoute = false;
- DNS = [
- "fd42:d42:d42:54::1"
- "fd42:d42:d42:53::1"
- ];
- Domains = [
- "~dn42"
- "d.f.ip6.arpa"
- ];
- };
 };
 };
diff --git a/hosts/novus/dn42.nix b/hosts/novus/dn42.nix
@@ -4,10 +4,6 @@
 dns.zones."zaphyra.eu".subdomains."router-a.dn42".AAAA = [ hostConfig.networking.ip6Address ];
- services.knot.settings.server.listen = [
- "fd6b:6174:6a61:53::1"
- ];
-
 sops.secrets."dn42/wgPrivateKey" = {
 owner = "systemd-network";
 group = "systemd-network";
@@ -119,31 +115,56 @@
 };
 };
+ services.kresd = {
+ enable = true;
+ listenPlain = [ "[fd6b:6174:6a61::1]:53" ];
+ extraConfig = ''
+ modules = {
+ 'hints > iterate', -- Allow loading /etc/hosts or custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+ }
+
+ log_level('info')
+
+ -- Cache size
+ cache.size = 100 * MB
+
+ dn42 = {
+ 'dn42.',
+ '20.172.in-addr.arpa.',
+ '21.172.in-addr.arpa.',
+ '22.172.in-addr.arpa.',
+ '23.172.in-addr.arpa.',
+ '10.in-addr.arpa.',
+ 'd.f.in-addr.arpa.',
+ }
+
+ -- NXDOMAINs that could sometimes happen due to aggressive DNSSEC caching.
+ policy.add(policy.suffix(policy.FLAGS({'NO_EDNS'}), dn42))
+
+ policy.add(policy.suffix(policy.STUB({'fd42:d42:d42:54::1', 'fd42:d42:d42:53::1'}), policy.todnames(dn42)))
+ -- policy.add(policy.FORWARD({'1.1.1.1'}))
+
+ -- trust_anchors.remove('.')
+ trust_anchors.set_insecure(dn42) -- Disable DNSSEC for these domains
+
+ modules.load('nsid')
+ nsid.name(hostname() .. ':' .. os.getenv("SYSTEMD_INSTANCE"))
+ '';
+ };
+
 networking.firewall = {
 checkReversePath = "loose";
 allowedUDPPorts = [ config.systemd.network.netdevs."20-dn42".wireguardConfig.ListenPort ];
 trustedInterfaces = [
- # "vlan"
 "dn42"
 ];
- # filterForward = true;
- # extraForwardRules = "iifname dn42 accept";
 };
 systemd.network = {
- # links."10-vlan" = {
- # matchConfig.PermanentMACAddress = "56:ca:a0:fa:fa:2b";
- # linkConfig.Name = "vlan";
- # };
- #
- # networks."10-vlan" = {
- # matchConfig.Name = "vlan";
- # linkConfig.RequiredForOnline = "no";
- # networkConfig.IPv6Forwarding = true;
- # };
-
 config.networkConfig = {
 IPv6Forwarding = true;
 };
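Review bot: The `dn42` stub table in the new `services.kresd.extraConfig` names the IPv6 reverse zone as `'d.f.in-addr.arpa.'`, but the reverse tree for fd00::/8 is `d.f.ip6.arpa.` — the same name this commit puts into networkd's `Domains` in dn42.nix. As written, PTR lookups for dn42 ULA addresses match none of the STUB, FLAGS or `set_insecure` rules and fall through to ordinary recursion toward the public root, where they fail and expose internal address queries outside dn42; the entry should read `'d.f.ip6.arpa.',`. The same table is passed bare to `policy.suffix(policy.FLAGS({'NO_EDNS'}), dn42)` but wrapped as `policy.todnames(dn42)` for the STUB rule; `policy.suffix` expects wire-format names, so the FLAGS rule probably never matches either and should use `policy.todnames(dn42)` too. Separately, `listenPlain` binds the resolver on `fd6b:6174:6a61::1` with no client ACL while `trustedInterfaces` in the same hunk leaves the dn42 interface fully open, so any dn42 peer that can route to that address gets an open recursive resolver; restrict the source range with a kresd `view` rule or a port 53 firewall rule scoped to the dn42 interface. The enclosing `systemd.network` attribute set continues past the end of the hunk.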
@@ -206,17 +227,6 @@
 "fd6b:6174:6a61::1/48"
 "fd6b:6174:6a61:53::1/128"
 ];
- networkConfig = {
- DNSDefaultRoute = false;
- DNS = [
- "fd42:d42:d42:54::1"
- "fd42:d42:d42:53::1"
- ];
- Domains = [
- "~dn42"
- "d.f.ip6.arpa"
- ];
- };
 };
 };