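{ config, pkgs, ... }:

# NixOS module: authoritative trust-dns for uninsane.org, plus a oneshot
# (ddns-trust-dns) that rewrites the "native" zone fragment whenever this
# host's WAN address changes and restarts trust-dns if the zone differs.
{
  sane.services.trust-dns.enable = true;

  sane.services.trust-dns.listenAddrsIPv4 = [
    # specify each address explicitly, instead of using "*".
    # this ensures responses are sent from the address at which the request was received.
    "192.168.0.5"
    "10.0.1.5"
  ];

  # default TTL (seconds) for records in this zone that do not set their own
  sane.services.trust-dns.zones."uninsane.org".TTL = 900;

  # SOA record structure: <https://en.wikipedia.org/wiki/SOA_record#Structure>
  # SOA MNAME RNAME (... rest)
  # MNAME = Master name server for this zone. this is where update requests should be sent.
  # RNAME = admin contact (encoded email address)
  # Serial = YYYYMMDDNN, where N is incremented every time this file changes, to trigger secondary NS to re-fetch it.
  # Refresh = how frequently secondary NS should query master
  # Retry = how long secondary NS should wait until re-querying master after a failure (must be < Refresh)
  # Expire = how long secondary NS should continue to reply to queries after master fails (> Refresh + Retry)
  sane.services.trust-dns.zones."uninsane.org".inet = {
    # NOTE(review): Serial is still 2022121601 while TXT "rev" below reads 2022121801;
    # per the rule above, confirm the serial was bumped with the last zone edit.
    SOA."@" = [''
      ns1.uninsane.org. admin-dns.uninsane.org. (
        2022121601 ; Serial
        4h ; Refresh
        30m ; Retry
        7d ; Expire
        5m) ; Negative response TTL
    ''];
    TXT."rev" = [ "2022121801" ];

    # XXX NS records must also not be CNAME
    # it's best that we keep this identical, or a superset of, what org. lists as our NS.
    # so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
    # ns1's A record is not static: it is rendered into the included "native" zone
    # file by ddns-trust-dns below (see the zone-template there).
    # A."ns1" = [ "%NATIVE%" ];
    A."ns2" = [ "185.157.162.178" ];
    A."ns3" = [ "185.157.162.178" ];
    A."ovpns" = [ "185.157.162.178" ];
    NS."@" = [
      "ns1.uninsane.org."
      "ns2.uninsane.org."
      "ns3.uninsane.org."
    ];
  };

  # zone fragment holding the dynamically-discovered address records;
  # written by ddns-trust-dns (zone-out below), so it must live outside the store.
  sane.services.trust-dns.zones."uninsane.org".include = [
    "/var/lib/trust-dns/native.uninsane.org.zone"
  ];

  systemd.services.ddns-trust-dns = {
    description = "update dynamic DNS entries for self-hosted trust-dns";
    after = [ "network.target" ];
    # run whenever trust-dns itself is started
    wantedBy = [ "trust-dns.service" ];
    # re-run on activation when any part of the trust-dns config changes
    restartTriggers = [(
      builtins.toJSON config.sane.services.trust-dns
    )];
    serviceConfig.Type = "oneshot";
    script = let
      check-ip = "${pkgs.sane-scripts}/bin/sane-ip-check-router-wan";
      sed = "${pkgs.gnused}/bin/sed";
      zone-dir = "/var/lib/trust-dns";
      zone-out = "${zone-dir}/native.uninsane.org.zone";
      diff = "${pkgs.diffutils}/bin/diff";
      systemctl = "${pkgs.systemd}/bin/systemctl";
      # every %NATIVE% is replaced by the discovered address; keep one per line,
      # since the sed expression below substitutes only the first match per line.
      zone-template = pkgs.writeText "native.uninsane.org.zone.in" ''
        @ A %NATIVE%
        ns1 A %NATIVE%
        native A %NATIVE%
      '';
    in ''
      set -ex
      mkdir -p ${zone-dir}
      ip=$(${check-ip})
      # refuse to touch the zone if the probe returned nothing, or anything other
      # than digits and dots: such a value would otherwise be spliced into the sed
      # expression and into the served zone.
      case "$ip" in
        ""|*[!0-9.]*)
          echo "ddns-trust-dns: unexpected ip from ${check-ip}: '$ip'" >&2
          exit 1
          ;;
      esac
      ${sed} s/%NATIVE%/$ip/ ${zone-template} > ${zone-out}.new

      # see if anything changed
      # TODO: instead of diffing, we could `dig` against the actual deployment.
      # - that could be more resilient to races.
      touch ${zone-out} # in case it didn't exist yet
      cp ${zone-out} ${zone-out}.old
      mv ${zone-out}.new ${zone-out}
      # if so, restart trust-dns.
      # diff must be invoked directly: wrapped in `[ ... ]` the line runs test(1)
      # on the path strings instead of comparing the files, so the "changed"
      # branch would be taken on every run.
      if ${diff} -u ${zone-out}.old ${zone-out}
      then
        echo "zone unchanged. ip: $ip"
      else
        echo "zone changed."
        # is-active exits non-zero when the unit is not active; don't let set -e abort on that
        status=$(${systemctl} is-active trust-dns.service || true)
        echo "$status"
        if [ "$status" = "active" ]
        then
          echo "restarting trust-dns."
          ${systemctl} restart trust-dns.service
        fi
      fi
    '';
  };

  systemd.timers.ddns-trust-dns = {
    # wantedBy = [ "multi-user.target" ];
    wantedBy = [ "trust-dns.service" ];
    timerConfig = {
      # first run 10 minutes after boot, then every 10 minutes after the last run
      OnStartupSec = "10min";
      OnUnitActiveSec = "10min";
    };
  };
}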