nix/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Modifications to DNS config

Browse Source
This commit is contained in:
root 2020-11-19 16:21:18 -06:00
parent 0605314e07
commit e6795d6d2e
9 changed files with 133 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
config/fudo/backplane/dns.nix
View File

@ -82,12 +82,21 @@ in {
default = 53; default = 53;
}; };
listen-addresses = mkOption { listen-v4-addresses = mkOption {
type = with types; listOf str; type = with types; listOf str;
description = "IP addresses on which to listen for dns requests."; description = "IPv4 addresses on which to listen for dns requests.";
default = [ "0.0.0.0" ]; default = [ "0.0.0.0" ];
}; };
listen-v6-addresses = mkOption {
type = with types; listOf str;
description = "IPv6 addresses on which to listen for dns requests.";
example = [
"[abcd::1]"
];
default = [];
};
required-services = mkOption { required-services = mkOption {
type = with types; listOf str; type = with types; listOf str;
description = "A list of services required before the DNS server can start."; description = "A list of services required before the DNS server can start.";
@ -152,7 +161,8 @@ in {
backplane-powerdns = let backplane-powerdns = let
configDir = pkgs.writeTextDir "pdns.conf" '' configDir = pkgs.writeTextDir "pdns.conf" ''
local-address=${lib.concatStringsSep ", " cfg.listen-addresses} local-address=${lib.concatStringsSep ", " cfg.listen-v4-addresses}
local-ipv6=${lib.concatStringsSep ", " cfg.listen-v6-addresses}
local-port=${toString cfg.port} local-port=${toString cfg.port}
launch= launch=
include-dir=${powerdns-conf-dir}/ include-dir=${powerdns-conf-dir}/

14
config/fudo/client/dns.nix
View File

@ -86,6 +86,19 @@ in {
}; };
}; };
services.backplane-dns-client-pw-file = {
enable = true;
requiredBy = [ "backplane-dns-client.services" ];
reloadIfChanged = true;
serviceConfig = {
Type = "oneshot";
};
script = ''
chmod 600 ${cfg.password-file}
chown ${cfg.user} ${cfg.password-file}
'';
};
services.backplane-dns-client = { services.backplane-dns-client = {
enable = true; enable = true;
serviceConfig = { serviceConfig = {
@ -94,6 +107,7 @@ in {
User = cfg.user; User = cfg.user;
}; };
path = [ pkgs.openssh ]; path = [ pkgs.openssh ];
reloadIfChanged = true;
script = '' script = ''
${pkgs.backplane-dns-client}/bin/backplane-dns-client ${optionalString cfg.ipv4 "-4"} ${optionalString cfg.ipv6 "-6"} ${optionalString cfg.sshfp "-f"} ${optionalString (cfg.external-interface != null) "--interface=${cfg.external-interface}"} --domain=${cfg.domain} --server=${cfg.server} --password-file=${cfg.password-file} ${pkgs.backplane-dns-client}/bin/backplane-dns-client ${optionalString cfg.ipv4 "-4"} ${optionalString cfg.ipv6 "-6"} ${optionalString cfg.sshfp "-f"} ${optionalString (cfg.external-interface != null) "--interface=${cfg.external-interface}"} --domain=${cfg.domain} --server=${cfg.server} --password-file=${cfg.password-file}
''; '';

24
config/fudo/dns.nix
View File

@ -33,6 +33,18 @@ let
A list of DNS SSHFP records for this host. A list of DNS SSHFP records for this host.
''; '';
}; };
description = mkOption {
type = with types; nullOr str;
description = "Description of this host for a TXT record.";
default = null;
};
rp = mkOption {
type = with types; nullOr str;
description = "Responsible person.";
default = null;
};
}; };
}; };
@ -125,9 +137,12 @@ let
}; };
}; };
hostARecords = host: data: hostRecords = host: data:
join-lines ((map (ip: "${host} IN A ${ip}") data.ip-addresses) ++ join-lines ((map (ip: "${host} IN A ${ip}") data.ip-addresses) ++
(map (ip: "${host} IN AAAA ${ip}") data.ipv6-addresses)); (map (ip: "${host} IN AAAA ${ip}") data.ipv6-addresses) ++
(map (sshfp: "${host} IN SSHFP ${sshfp}") data.ssh-fingerprints) ++
(optional (data.rp != null) "${host} IN RP ${data.rp}") ++
(optional (data.description != null) "${host} IN TXT ${data.description}"));
makeSrvRecords = protocol: type: records: makeSrvRecords = protocol: type: records:
join-lines (map (record: "_${type}._${protocol} IN SRV ${toString record.priority} ${toString record.weight} ${toString record.port} ${toString record.host}.") join-lines (map (record: "_${type}._${protocol} IN SRV ${toString record.priority} ${toString record.weight} ${toString record.port} ${toString record.host}.")
@ -137,8 +152,6 @@ let
cnameRecord = alias: host: "${alias} IN CNAME ${host}"; cnameRecord = alias: host: "${alias} IN CNAME ${host}";
hostSshFpRecords = host: data: join-lines (map (sshfp: "${host} IN SSHFP ${sshfp}") data.ssh-fingerprints);
mxRecords = mxs: mxRecords = mxs:
concatStringsSep "\n" concatStringsSep "\n"
(map (mx: "@ IN MX 10 ${mx}.") mxs); (map (mx: "@ IN MX 10 ${mx}.") mxs);
@ -207,8 +220,7 @@ in {
${dmarcRecord dom-cfg.dmarc-report-address} ${dmarcRecord dom-cfg.dmarc-report-address}
${join-lines (mapAttrsToList makeSrvProtocolRecords dom-cfg.srv-records)} ${join-lines (mapAttrsToList makeSrvProtocolRecords dom-cfg.srv-records)}
${join-lines (mapAttrsToList hostARecords dom-cfg.hosts)} ${join-lines (mapAttrsToList hostRecords dom-cfg.hosts)}
${join-lines (mapAttrsToList hostSshFpRecords dom-cfg.hosts)}
${join-lines (mapAttrsToList cnameRecord dom-cfg.aliases)} ${join-lines (mapAttrsToList cnameRecord dom-cfg.aliases)}
${join-lines dom-cfg.extra-dns-records} ${join-lines dom-cfg.extra-dns-records}
''; '';

3
fudo/users.nix
View File

@ -75,7 +75,8 @@
uid = 10035; uid = 10035;
group = "selby"; group = "selby";
common-name = "Ken Selby"; common-name = "Ken Selby";
hashed-password = "{SSHA}X8DxUcwH2Fzel5UKbGVNhC5B2vg0Prsc"; hashed-password = "{SSHA}wUGV/9dr8inz/HyqSF/OWKxy0DCy5AI3";
# hashed-password = "{SSHA}X8DxUcwH2Fzel5UKbGVNhC5B2vg0Prsc";
}; };
reaper = { reaper = {

18
hosts/france.nix
View File

@ -7,7 +7,7 @@ let
mail-hostname = "mail.${domain}"; mail-hostname = "mail.${domain}";
host_ipv4 = "208.81.3.117"; host_ipv4 = "208.81.3.117";
# Use a special IP for git.fudo.org, since it needs to be SSH-able # Use a special IP for git.fudo.org, since it needs to be SSH-able
git_ipv4 = "208.81.3.126"; link_ipv4 = "208.81.3.126";
all-hostnames = []; all-hostnames = [];
acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem"; acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
@ -40,6 +40,7 @@ in {
lxd lxd
multipath-tools multipath-tools
nix-prefetch-docker nix-prefetch-docker
powerdns
tshark tshark
]; ];
@ -259,9 +260,18 @@ in {
# TODO: not used yet # TODO: not used yet
fudo.acme.hostnames = all-hostnames; fudo.acme.hostnames = all-hostnames;
fudo.client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "fudo-client";
external-interface = "extif0";
password-file = "/srv/client/secure/client.passwd";
};
fudo.mail-server = import ../fudo/email.nix { inherit config; } // { fudo.mail-server = import ../fudo/email.nix { inherit config; } // {
enableContainer = true; enableContainer = true;
debug = true; # debug = true;
monitoring = true; monitoring = true;
hostname = mail-hostname; hostname = mail-hostname;
@ -392,7 +402,7 @@ in {
repository-dir = /srv/git/repo; repository-dir = /srv/git/repo;
state-dir = /srv/git/state; state-dir = /srv/git/state;
ssh = { ssh = {
listen-ip = git_ipv4; listen-ip = link_ipv4;
listen-port = 2222; listen-port = 2222;
}; };
}; };
@ -438,7 +448,7 @@ in {
macAddress = "02:6d:e2:e1:ad:ca"; macAddress = "02:6d:e2:e1:ad:ca";
ipv4.addresses = [ ipv4.addresses = [
{ {
address = git_ipv4; address = link_ipv4;
prefixLength = 28; prefixLength = 28;
} }
]; ];

12
hosts/france/backplane.nix
View File

@ -58,8 +58,12 @@ in {
databases = { databases = {
backplane_dns = { backplane_dns = {
access = "CONNECT"; access = "CONNECT";
# entity-access = {
# "ALL TABLES IN SCHEMA public" = "SELECT";
# };
entity-access = { entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT"; "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
}; };
}; };
}; };
@ -70,7 +74,7 @@ in {
backplane_dns = { backplane_dns = {
access = "CONNECT"; access = "CONNECT";
entity-access = { entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE"; "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE"; "ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
}; };
}; };
@ -87,8 +91,8 @@ in {
backplane.dns = { backplane.dns = {
enable = true; enable = true;
port = 353; listen-v4-addresses = [ "208.81.3.126" ];
listen-addresses = [ "208.81.3.117" ]; listen-v6-addresses = [ "[2605:e200:d200:1:6d:e2ff:fee1:adca]" ];
required-services = [ "fudo-passwords.target" ]; required-services = [ "fudo-passwords.target" ];
user = "backplane-dns"; user = "backplane-dns";
group = "backplane-dns"; group = "backplane-dns";

80
hosts/france/jabber.nix
View File

@ -4,6 +4,9 @@ with lib;
let let
backplane-auth = "/etc/nixos/static/backplane-auth.scm"; backplane-auth = "/etc/nixos/static/backplane-auth.scm";
host-passwd-file = "/srv/jabber/secret/hosts-passwd.scm";
service-passwd-file = "/srv/jabber/secret/services-passwd.scm";
cert-basedir = "/var/lib/ejabberd/certs"; cert-basedir = "/var/lib/ejabberd/certs";
target-certs = ["key" "cert" "chain" "fullchain"]; target-certs = ["key" "cert" "chain" "fullchain"];
@ -50,30 +53,67 @@ in {
security.acme.certs."fudo.im".email = "admin@fudo.org"; security.acme.certs."fudo.im".email = "admin@fudo.org";
security.acme.certs."backplane.fudo.org".email = "admin@fudo.org"; security.acme.certs."backplane.fudo.org".email = "admin@fudo.org";
systemd.services = { systemd = {
ejabberd-generate-certs = { services = {
enable = true; ejabberd-generate-certs = {
description = "Generate required SSL certs for ejabberd."; enable = true;
wantedBy = [ "ejabberd.service" ]; description = "Generate required SSL certs for ejabberd.";
after = [ wantedBy = [ "ejabberd.service" ];
"acme-backplane.fudo.org.service" after = [
"acme-fudo.im.service" "acme-backplane.fudo.org.service"
]; "acme-fudo.im.service"
];
serviceConfig = {
Type = "oneshot";
ExecStart = "${move-server-certs ["fudo.im" "backplane.fudo.org"]}";
RemainAfterExit = true;
ExecStop = remove-server-certs;
StandardOutput = "journal";
};
};
serviceConfig = { ejabberd = {
Type = "oneshot"; requires = [ "ejabberd-generate-certs.service" ];
ExecStart = "${move-server-certs ["fudo.im" "backplane.fudo.org"]}"; environment = {
RemainAfterExit = true; FUDO_HOST_PASSWD_FILE = host-passwd-file;
ExecStop = remove-server-certs; FUDO_SERVICE_PASSWD_FILE = service-passwd-file;
StandardOutput = "journal"; };
};
ejabberd-hostfile-watcher = {
description = "Watch the ejabberd host file and restart if changes occur.";
serviceConfig.Type = "oneshot";
after = [ "ejabberd.service" ];
script = ''
SYSCTL=${pkgs.systemd}/bin/systemctl
if $SYSCTL is-active --quiet ejabberd.service; then
echo "restarting ejabberd.service because hostfile has changed."
$SYSCTL restart ejabberd.service
fi
'';
};
ejabberd-servicefile-watcher = {
description = "Watch the ejabberd service file and restart if changes occur.";
serviceConfig.Type = "oneshot";
after = [ "ejabberd.service" ];
script = ''
SYSCTL=${pkgs.systemd}/bin/systemctl
if $SYSCTL is-active --quiet ejabberd.service; then
echo "restarting ejabberd.service because servicefile has changed."
$SYSCTL restart ejabberd.service
fi
'';
}; };
}; };
ejabberd = { paths = {
requires = [ "ejabberd-generate-certs.service" ]; ejabberd-hostfile-watcher = {
environment = { pathConfig.PathChanged = host-passwd-file;
FUDO_HOST_PASSWD_FILE = "/srv/jabber/secret/hosts-passwd.scm"; };
FUDO_SERVICE_PASSWD_FILE = "/srv/jabber/secret/services-passwd.scm";
ejabberd-servicefile-watcher = {
pathConfig.PathChanged = service-passwd-file;
}; };
}; };
}; };

4
packages/backplane-dns.nix
View File

@ -9,8 +9,8 @@ in stdenv.mkDerivation {
src = fetchgit { src = fetchgit {
url = url; url = url;
rev = "543df72f3962cf91b0e0508d15cdc083a3cd7ed4"; rev = "c552394e55816541a9426974c5f8e6f1f83bf195";
sha256 = "0hda1wjf9wd4rvxchdlxw0af3i2cvl5plg37ric3ckma6gfzkmm0"; sha256 = "0r61bwj5a2dvzl41cwdf2pdnhdsmp3kzfyxa5x5hsg67al6s7vi8";
fetchSubmodules = false; fetchSubmodules = false;
}; };

4
static/backplane-auth.scm
View File

@ -16,8 +16,8 @@
(format (current-error-port "FUDO_SERVICE_PASSWD_FILE not set~%")) (format (current-error-port "FUDO_SERVICE_PASSWD_FILE not set~%"))
(exit 1)) (exit 1))
(define host-regex "^host-([a-zA-Z][a-zA-Z0-9_-]+)") (define host-regex "^host-([a-zA-Z][a-zA-Z0-9_-]+)$")
(define service-regex "^service-([a-zA-Z][a-zA-Z0-9_-]+)") (define service-regex "^service-([a-zA-Z][a-zA-Z0-9_-]+)$")
(define (make-verifier passwd-file) (define (make-verifier passwd-file)
(let ((passwds (load passwd-file))) (let ((passwds (load passwd-file)))