
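# Host nutboy3: declares the `cashew` NixOS container, which runs BIND as an
# authoritative nameserver for fudo.org and selby.ca.  The zone files are
# rendered at build time from `config.fudo.zones` and written under
# /etc/generated-zones on both the host and the container.
{ config, lib, pkgs, ... }:
with lib;
let
  # The host's module config.  Inside `containers.cashew.config` the name
  # `config` is rebound to the container's own config, so the host view is
  # kept under a different name.
  parent-config = config;

  local-packages = with pkgs; [ bind emacs-nox mtr vim ];

  # Render one zone from the shared fudo.zones definitions.  The build
  # timestamp is passed through to zoneToZonefile (presumably for the SOA
  # serial -- confirm in lib.dns).
  render-zone = domain:
    pkgs.lib.dns.zoneToZonefile config.instance.build-timestamp domain
      config.fudo.zones.${domain};
  fudo-zone = render-zone "fudo.org";
  selby-zone = render-zone "selby.ca";

  # A single ECDSA key is authorised for both `reaper` and `root` inside the
  # container; it is defined once so the two lists cannot drift apart.
  admin-ssh-key =
    "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBADtR1gMK7JnIOht8yZNPROr+0VHgt5eWrGFPscVPk1crVuEvIv1MF544Qk1IHi+2OA2xUvI1BTgmXp3TLvCjEn4lQF4Uc5hcUGENS6TNMPByHx69rAeXVMtmjW0sL4Tbhqd0iNh85STdtzXNZUY31+A6ugrJSnvnSt5wv9ZpMz0SFIE1Q==";
in {
  # Rendered zone files on the host, useful for inspection/diffing.
  environment.etc = {
    "generated-zones/fudo.org".text = fudo-zone;
    "generated-zones/selby.ca".text = selby-zone;
  };

  fudo = {
    services.dns.zones = {
      "fudo.org" = {
        enable = true;
        # Third-party nameservers listed for the zone.
        external-nameservers = [
          {
            ipv4-address = "209.177.102.102";
            ipv6-address = "2001:470:1f16:40::2";
            description =
              "Nameserver 2, Musashi.100percenthost.net, in Winnipeg, MB, CA";
          }
          {
            ipv4-address = "104.131.53.95";
            ipv6-address = "2604:a880:800:10::8:7001";
            description =
              "Nameserver 3, ns2.henchmman21.net, in New York City, NY, US";
          }
          {
            ipv4-address = "204.42.254.5";
            ipv6-address = "2001:418:3f4::5";
            description = "Nameserver 4, puck.nether.net, in Chicago, IL, US";
          }
        ];
      };
      "selby.ca" = {
        enable = true;
        # selby.ca's additional nameservers are ns2..ns4.fudo.org.
        external-nameservers = map (n:
          let i = toString n;
          in {
            authoritative-hostname = "ns${i}.fudo.org";
            description = "Nameserver ${i}, ns${i}.fudo.org.";
          }) [ 2 3 4 ];
      };
    };

    # selby.ca trusts the same local networks as fudo.org.
    domains."selby.ca".local-networks =
      config.fudo.domains."fudo.org".local-networks;

    zones = {
      "fudo.org" = {
        # Raw records appended to the generated zone (metrics SRV records).
        verbatim-dns-records = [
          # TODO: create these automatically
          "node._metrics._tcp IN SRV 0 0 443 france.fudo.org."
          "node._metrics._tcp IN SRV 0 0 9900 hanover.fudo.org."
          "node._metrics._tcp IN SRV 0 0 443 paris.fudo.org."
          "node._metrics._tcp IN SRV 0 0 443 legatus.fudo.org."
          "node._metrics._tcp IN SRV 0 0 443 nutboy3.fudo.org."
          "dovecot._metrics._tcp IN SRV 0 0 443 mail.fudo.org."
          "postfix._metrics._tcp IN SRV 0 0 443 mail.fudo.org."
          "rspamd._metrics._tcp IN SRV 0 0 443 mail.fudo.org."
        ];
      };
      "selby.ca" = { };
    };
  };

  containers.cashew = {
    autoStart = true;

    # Persistent state lives on the host under /state/cashew; bind config,
    # logs and home directories are all host directories mounted writable.
    bindMounts = {
      "/state" = {
        hostPath = "/state/cashew";
        isReadOnly = false;
      };
      "/etc/bind" = {
        hostPath = "/state/cashew/bind";
        isReadOnly = false;
      };
      "/var/log" = {
        hostPath = "/state/cashew/logs";
        isReadOnly = false;
      };
      "/home" = {
        hostPath = "/state/cashew/home";
        isReadOnly = false;
      };
      # Root hints come straight from the nixpkgs package, read-only.
      "/etc/dns-root-data" = {
        hostPath = "${pkgs.dns-root-data}/";
        isReadOnly = true;
      };
    };

    # Host interface handed to the container; it carries the public addresses
    # configured under `networking` below.
    interfaces = [ "eno2" ];

    config = { config, ... }: {
      boot.kernelModules = [ "veth" ];
      # Reuse the host's package set instead of evaluating a second nixpkgs.
      nixpkgs.pkgs = pkgs;

      environment = {
        systemPackages = local-packages;
        etc = {
          "generated-zones/fudo.org" = { text = fudo-zone; };
          "generated-zones/selby.ca" = { text = selby-zone; };
        };
      };

      users = {
        users = {
          # Admin accounts are copied from the host; reaper additionally gets
          # the container-specific key.
          niten = parent-config.users.users.niten;
          reaper = parent-config.users.users.reaper // {
            openssh.authorizedKeys.keys = [ admin-ssh-key ];
          };
          root.openssh.authorizedKeys.keys = [ admin-ssh-key ];
        };
        groups = {
          wheel.members = [ "niten" "reaper" ];
          dns.members = [ "niten" "reaper" "named" ];
          fudo.members = [ "niten" "reaper" ];
        };
      };

      networking = {
        defaultGateway = {
          address = "208.81.4.81";
          interface = "eno2";
        };
        interfaces.eno2.ipv4.addresses = [
          {
            address = "208.81.4.82";
            prefixLength = 29;
          }
          {
            address = "208.81.1.141";
            prefixLength = 32;
          }
        ];
        # With the firewall off, every listening service in the container
        # (named, sshd) is reachable on the public addresses above; exposure
        # is governed only by each service's own listen/allow settings, and
        # named.conf is not managed by this file (see services.bind below).
        firewall.enable = false;
      };

      # /etc/bind ended up not belonging to the correct user/group
      # NOTE(review): the recursive chown also makes /etc/bind/named.conf
      # owned (and, mode permitting, writable) by the `named` user, so the
      # service can alter its own configuration.  Narrowing this to the zone
      # and journal directories would keep the config file root-owned.
      systemd.services.bind-perms = {
        requiredBy = [ "bind.service" ];
        before = [ "bind.service" ];
        script = "chown -R named:named /etc/bind";
      };

      services = {
        bind = {
          enable = true;
          # named.conf is hand-maintained in the persistent /etc/bind mount
          # rather than generated by the NixOS bind module.
          configFile = "/etc/bind/named.conf";
        };
        openssh = {
          enable = true;
          startWhenNeeded = true;
          # Reverse-resolves client addresses at login; logins depend on DNS
          # being reachable from inside the container.
          useDns = true;
          # Root may log in with the authorised key only, never a password.
          permitRootLogin = "prohibit-password";
          # Host keys persist across rebuilds via the /state bind mount.
          hostKeys = [
            {
              path = "/state/ssh/ssh_host_ed25519_key";
              type = "ed25519";
            }
            {
              path = "/state/ssh/ssh_host_rsa_key";
              type = "rsa";
              bits = 4096;
            }
          ];
        };
      };
    };
  };
}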