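{ config, pkgs, ... }:

let
  # Zone serial, YYYYMMDDNN. Bump NN on every change to the zone data so that
  # secondary name servers notice and re-fetch it. Shared by the SOA serial and
  # the `rev` TXT record so the two values can never drift apart.
  zoneSerial = "2022122101";
in
{
  sane.services.trust-dns.enable = true;

  sane.services.trust-dns.listenAddrsIPv4 = [
    # specify each address explicitly, instead of using "*".
    # this ensures responses are sent from the address at which the request was received.
    "192.168.0.5"
    "10.0.1.5"
  ];

  sane.services.trust-dns.quiet = true;

  sane.services.trust-dns.zones."uninsane.org".TTL = 900;

  # SOA record structure: <https://en.wikipedia.org/wiki/SOA_record#Structure>
  # SOA MNAME RNAME (... rest)
  # MNAME = Master name server for this zone. this is where update requests should be sent.
  # RNAME = admin contact (encoded email address)
  # Serial = YYYYMMDDNN, where NN is incremented every time this file changes, to trigger secondary NS to re-fetch it.
  # Refresh = how frequently secondary NS should query master
  # Retry = how long secondary NS should wait until re-querying master after a failure (must be < Refresh)
  # Expire = how long secondary NS should continue to reply to queries after master fails (> Refresh + Retry)
  sane.services.trust-dns.zones."uninsane.org".inet = {
    SOA."@" = ''
      ns1.uninsane.org. admin-dns.uninsane.org. (
        ${zoneSerial} ; Serial
        4h ; Refresh
        30m ; Retry
        7d ; Expire
        5m) ; Negative response TTL
    '';
    # published copy of the serial, kept in lockstep with the SOA above.
    TXT."rev" = zoneSerial;

    # XXX NS records must also not be CNAME
    # it's best that we keep this identical, or a superset of, what org. lists as our NS.
    # so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
    #
    # "%NATIVE%" is a placeholder, not a real address: the preStart script below
    # replaces it with the WAN address recorded by dyn-dns when the zone is rendered.
    A."ns1" = "%NATIVE%";
    A."ns2" = "185.157.162.178";
    A."ns3" = "185.157.162.178";
    A."ovpns" = "185.157.162.178";
    A."native" = "%NATIVE%";
    A."@" = "%NATIVE%";
    NS."@" = [
      "ns1.uninsane.org."
      "ns2.uninsane.org."
      "ns3.uninsane.org."
    ];
  };

  # trust-dns reads the rendered zone from this path (written by preStart below).
  sane.services.trust-dns.zones."uninsane.org".file =
    "/var/lib/trust-dns/uninsane.org.zone";

  systemd.services.trust-dns.preStart = let
    sed = "${pkgs.gnused}/bin/sed";
    zone-dir = "/var/lib/trust-dns";
    zone-out = "${zone-dir}/uninsane.org.zone";
    # the generated zone, still containing the %NATIVE% placeholder
    zone-template = pkgs.writeText "uninsane.org.zone.in" config.sane.services.trust-dns.generatedZones."uninsane.org";
  in ''
    # make WAN records available to trust-dns:
    # render the zone template into the runtime directory, substituting the
    # %NATIVE% placeholder with the WAN address that dyn-dns recorded.
    mkdir -p '${zone-dir}'
    ip=$(cat '${config.sane.services.dyn-dns.ipPath}')

    # The address comes from a file written by another service, not from this
    # config. Only accept a dotted-quad IPv4 literal: an empty or malformed
    # file would otherwise end up inside the sed expression (a stray '/' or
    # '&' changes its meaning) and produce a broken or wrong zone. Failing
    # here keeps the previously rendered zone in place and stops the service
    # from starting with bad data. NixOS runs preStart under bash, so [[ =~ ]]
    # is available.
    if ! [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
      echo "trust-dns preStart: refusing to render zone: invalid WAN address in ${config.sane.services.dyn-dns.ipPath}: '$ip'" >&2
      exit 1
    fi

    ${sed} "s/%NATIVE%/$ip/" '${zone-template}' > '${zone-out}'
  '';

  # re-render the zone (via preStart) whenever the recorded WAN address changes.
  sane.services.dyn-dns.restartOnChange = [ "trust-dns.service" ];
}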