nixos-config/config/domain-config/fudo.org/nameserver.nix

{ hostInterface, servedDomains, stateDirectory, ipHostMap, ... }:

{ config, lib, pkgs, ... }:

with lib;
let
  inherit (pkgs.lib) getSiteGatewayV4;

  zoneName = "fudo.org";
  zone = config.fudo.zones."${zoneName}";
  nameserverDeets = zone.hosts."nameserver";
  siteName = config.instance.local-site;

in {
  config = {
    systemd.tmpfiles.rules = [ "d ${stateDirectory} 700 root root - -" ];

    containers.nameserver = {
      autoStart = true;
      # Needs to be able to set it's own IP(s)
      additionalCapabilities = [ "CAP_NET_ADMIN" ];
      macvlans = [ hostInterface ];
      bindMounts."/var/lib/nsd".hostPath = stateDirectory;

      config = {
        imports = [ pkgs.moduleRegistry.authoritativeDns ];

        networking = {
          defaultGateway = getSiteGatewayV4 siteName;
          firewall = {
            enable = true;
            allowedTCPPorts = [ 53 ];
            allowedUDPPorts = [ 53 ];
          };
          interfaces."mv-${hostInterface}" = {
            ipv4.addresses = optional (nameserverDeets.ipv4-address != null) {
              address = nameserverDeets.ipv4-address;
              prefixLength = getSiteV4PrefixLength siteName;
            };
            ipv6.addresses = optional (nameserverDeets.ipv6-address != null) {
              address = nameserverDeets.ipv6-address;
              prefixLength = getSiteV6PrefixLength siteName;
            };
          };
        };

        services.authoritative-dns = {
          enable = true;
          identity = "nameserver.${zoneName}";
          listen-ips = [ nameserverDeets.ipv4-address ];
          state-directory = "/var/lib/nsd";
          timestamp = toString config.instance.build-timestamp;
          ip-host-map = ipHostMap;
          domains = servedDomains;
        };
      };
    };
  };
}