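{ config, lib, pkgs, ... }:

with lib;

let
  # The container's `config = { config, ... }:` function below shadows the
  # host-level `config`; keep a handle on the host one for reuse inside it.
  parent-config = config;

  # Address that records in both zones point at unless stated otherwise.
  host-ipv4 = "199.87.154.175";

  local-packages = with pkgs; [ bind emacs-nox mtr vim ];

  # Render one of config.fudo.zones into a zonefile string, stamped with the
  # build timestamp so the serial changes on every rebuild.
  render-zone = name:
    pkgs.lib.dns.zoneToZonefile config.instance.build-timestamp name
    config.fudo.zones.${name};

  fudo-zone = render-zone "fudo.org";
  selby-zone = render-zone "selby.ca";

  # Both the host and the container get a copy of the rendered zonefiles
  # under /etc/generated-zones, so define the mapping once.
  generated-zone-files = {
    "generated-zones/fudo.org".text = fudo-zone;
    "generated-zones/selby.ca".text = selby-zone;
  };

  # Single administrative key, granted to both the reaper account and root
  # inside the container.
  admin-ssh-key =
    "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBADtR1gMK7JnIOht8yZNPROr+0VHgt5eWrGFPscVPk1crVuEvIv1MF544Qk1IHi+2OA2xUvI1BTgmXp3TLvCjEn4lQF4Uc5hcUGENS6TNMPByHx69rAeXVMtmjW0sL4Tbhqd0iNh85STdtzXNZUY31+A6ugrJSnvnSt5wv9ZpMz0SFIE1Q==";

in {
  environment.etc = generated-zone-files;

  fudo = {
    services.dns.zones = {
      "fudo.org" = {
        enable = true;
        # Off-site secondaries that receive and serve fudo.org.
        external-nameservers = [
          {
            ipv4-address = "209.177.102.102";
            ipv6-address = "2001:470:1f16:40::2";
            description =
              "Nameserver 2, Musashi.100percenthost.net, in Winnipeg, MB, CA";
          }
          {
            ipv4-address = "104.131.53.95";
            ipv6-address = "2604:a880:800:10::8:7001";
            description =
              "Nameserver 3, ns2.henchmman21.net, in New York City, NY, US";
          }
          {
            ipv4-address = "204.42.254.5";
            ipv6-address = "2001:418:3f4::5";
            description = "Nameserver 4, puck.nether.net, in Chicago, IL, US";
          }
        ];
      };

      "selby.ca" = {
        enable = true;
        # selby.ca is secondaried by the fudo.org nameservers ns2..ns4.
        external-nameservers = map (n:
          let i = toString n;
          in {
            authoritative-hostname = "ns${i}.fudo.org";
            description = "Nameserver ${i}, ns${i}.fudo.org.";
          }) [ 2 3 4 ];
      };
    };

    # selby.ca shares fudo.org's notion of which networks are local.
    domains."selby.ca" = {
      local-networks = config.fudo.domains."fudo.org".local-networks;
    };

    zones = {
      "fudo.org" = {
        default-host = host-ipv4;
        verbatim-dns-records = [
          # TODO: create these automatically
          "node._metrics._tcp IN SRV 0 0 443 france.fudo.org."
          "node._metrics._tcp IN SRV 0 0 9900 hanover.fudo.org."
          "node._metrics._tcp IN SRV 0 0 443 paris.fudo.org."
          "node._metrics._tcp IN SRV 0 0 443 legatus.fudo.org."
          "node._metrics._tcp IN SRV 0 0 443 nutboy3.fudo.org."
          "dovecot._metrics._tcp IN SRV 0 0 443 mail.fudo.org."
          "postfix._metrics._tcp IN SRV 0 0 443 mail.fudo.org."
          "rspamd._metrics._tcp IN SRV 0 0 443 mail.fudo.org."
        ];
      };

      "selby.ca" = { default-host = host-ipv4; };
    };
  };

  # The authoritative nameserver runs in its own container with its own
  # public interface; persistent state lives under /state/cashew on the host.
  containers.cashew = {
    autoStart = true;

    bindMounts = {
      "/state" = {
        hostPath = "/state/cashew";
        isReadOnly = false;
      };
      "/etc/bind" = {
        hostPath = "/state/cashew/bind";
        isReadOnly = false;
      };
      "/var/log" = {
        hostPath = "/state/cashew/logs";
        isReadOnly = false;
      };
      "/home" = {
        hostPath = "/state/cashew/home";
        isReadOnly = false;
      };
      # Root hints for bind, from the store; never written to.
      "/etc/dns-root-data" = {
        hostPath = "${pkgs.dns-root-data}/";
        isReadOnly = true;
      };
    };

    # eno2 is handed to the container's network namespace, so the host's
    # firewall does not see this traffic; the container filters it itself.
    interfaces = [ "eno2" ];

    config = { config, ... }: {
      boot.kernelModules = [ "veth" ];
      nixpkgs.pkgs = pkgs;

      environment = {
        systemPackages = local-packages;
        etc = generated-zone-files;
      };

      users = {
        users = {
          niten = parent-config.users.users.niten;
          # `//` is a shallow update: the whole `openssh` attribute of the
          # parent's reaper definition is replaced, not merged, by this one.
          reaper = parent-config.users.users.reaper // {
            openssh.authorizedKeys.keys = [ admin-ssh-key ];
          };
          root.openssh.authorizedKeys.keys = [ admin-ssh-key ];
        };
        groups = {
          wheel.members = [ "niten" "reaper" ];
          dns = { members = [ "niten" "reaper" "named" ]; };
        };
      };

      networking = {
        defaultGateway = {
          address = "208.81.4.81";
          interface = "eno2";
        };
        interfaces.eno2 = {
          ipv4.addresses = [
            {
              address = "208.81.4.82";
              prefixLength = 29;
            }
            {
              address = "208.81.1.141";
              prefixLength = 32;
            }
          ];
        };
        # This container sits on a public interface and only needs to be
        # reachable for DNS; ssh's port is opened by services.openssh itself
        # (openFirewall defaults to true). Everything else stays closed.
        firewall = {
          enable = true;
          allowedTCPPorts = [ 53 ];
          allowedUDPPorts = [ 53 ];
        };
      };

      # /etc/bind ended up not belonging to the correct user/group
      systemd.services.bind-perms = {
        requiredBy = [ "bind.service" ];
        before = [ "bind.service" ];
        script = "chown -R named:named /etc/bind";
      };

      services = {
        bind = {
          enable = true;
          configFile = "/etc/bind/named.conf";
        };
        openssh = {
          enable = true;
          startWhenNeeded = true;
          useDns = true;
          # Root may log in, but only with the key above; no password auth.
          permitRootLogin = "prohibit-password";
          # Host keys live on the persistent /state mount so they survive
          # container rebuilds.
          hostKeys = [
            {
              path = "/state/ssh/ssh_host_ed25519_key";
              type = "ed25519";
            }
            {
              path = "/state/ssh/ssh_host_rsa_key";
              type = "rsa";
              bits = 4096;
            }
          ];
        };
      };
    };
  };
}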