# TODO: split this file apart into smaller files to make it easier to understand
# Authoritative DNS for uninsane.org.
#
# The zone is declared once (sane.dns.zones."uninsane.org") with placeholder
# strings (%ANATIVE%, %AWAN%, ...) and then served by several trust-dns
# instances, one per network "flavor" (doof, hn, lan, wan); each instance
# substitutes the placeholders with the addresses appropriate for the clients
# that reach it (see `mkSubstitutions` below).
{ config, lib, pkgs, ... }:

let
  dyn-dns = config.sane.services.dyn-dns;
  # name -> first A address for every A record in the zone.
  # NOTE(review): `builtins.head` implies each A entry is a list here, while the
  # records below are written as plain strings — presumably the sane.dns module
  # normalizes them; confirm.
  nativeAddrs = lib.mapAttrs (_name: builtins.head) config.sane.dns.zones."uninsane.org".inet.A;
in
{
  # 53/udp+tcp is opened toward every network, including WAN, because the
  # host is the public authoritative server for the zone (see NS."@" below).
  # NOTE(review): the instance reachable from WAN should answer only
  # authoritatively for uninsane.org; the instance definitions below don't show
  # any recursion/forwarding setting, so confirm the wan instance is not a
  # recursive resolver (an internet-reachable recursive resolver on 53/udp is
  # usable for reflection/amplification).
  sane.ports.ports."53" = {
    protocol = [ "udp" "tcp" ];
    visibleTo.lan = true;
    visibleTo.wan = true;
    visibleTo.ovpns = true;
    visibleTo.doof = true;
    description = "colin-dns-hosting";
  };

  # default TTL (seconds) for records that don't carry their own.
  sane.dns.zones."uninsane.org".TTL = 900;

  # SOA record structure: <https://en.wikipedia.org/wiki/SOA_record#Structure>
  # SOA MNAME RNAME (... rest)
  # MNAME = Master name server for this zone. this is where update requests should be sent.
  # RNAME = admin contact (encoded email address)
  # Serial = YYYYMMDDNN, where N is incremented every time this file changes, to trigger secondary NS to re-fetch it.
  # Refresh = how frequently secondary NS should query master
  # Retry = how long secondary NS should wait until re-querying master after a failure (must be < Refresh)
  # Expire = how long secondary NS should continue to reply to queries after master fails (> Refresh + Retry)
  sane.dns.zones."uninsane.org".inet = {
    # NOTE(review): the Serial below (and the matching TXT."rev") is 2023092101,
    # while several A/NS records in this block look newer than that date. Per
    # the rule above it must be bumped on every record change, otherwise any
    # secondary (or cache keyed on the serial) keeps serving the old zone —
    # confirm it is still current.
    SOA."@" = ''
      ns1.uninsane.org. admin-dns.uninsane.org. (
        2023092101 ; Serial
        4h ; Refresh
        30m ; Retry
        7d ; Expire
        5m ) ; Negative response TTL
    '';
    # human-readable copy of the serial; keep it in sync with the SOA above.
    TXT."rev" = "2023092101";
    # placeholders are replaced per instance by `mkSubstitutions` below.
    CNAME."native" = "%CNAMENATIVE%";
    A."@" = "%ANATIVE%";
    A."servo.wan" = "%AWAN%";
    A."servo.doof" = "%ADOOF%";
    A."servo.lan" = config.sane.hosts.by-name."servo".lan-ip;
    A."servo.hn" = config.sane.hosts.by-name."servo".wg-home.ip;

    # XXX NS records must also not be CNAME
    # it's best that we keep this identical, or a superset of, what org. lists as our NS.
    # so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
    A."ns1" = "%ANATIVE%";
    A."ns2" = "%ADOOF%";
    A."ns3" = "%AOVPNS%";
    A."ovpns" = "%AOVPNS%";

    NS."@" = [
      "ns1.uninsane.org."
      "ns2.uninsane.org."
      "ns3.uninsane.org."
    ];
  };

  services.trust-dns.settings.zones = [ "uninsane.org" ];

  networking.nat.enable = true;
  # DNS queries from LAN sources (10.78.76.0-10.78.79.255, i.e. 10.78.76.0/22)
  # are rewritten to port 1053, which is where the `lan` instance below listens;
  # everyone else arriving on :53 gets the `wan` instance.
  networking.nat.extraCommands = ''
    # redirect incoming DNS requests from LAN addresses
    # to the LAN-specialized DNS service
    # N.B.: use the `nixos-*` chains instead of e.g. PREROUTING
    # because they get cleanly reset across activations or `systemctl restart firewall`
    # instead of accumulating cruft
    iptables -t nat -A nixos-nat-pre -p udp --dport 53 \
      -m iprange --src-range 10.78.76.0-10.78.79.255 \
      -j DNAT --to-destination :1053
    iptables -t nat -A nixos-nat-pre -p tcp --dport 53 \
      -m iprange --src-range 10.78.76.0-10.78.79.255 \
      -j DNAT --to-destination :1053
  '';
  sane.ports.ports."1053" = {
    # because the NAT above redirects in nixos-nat-pre, LAN requests behave as though they arrived on the external interface at the redirected port.
    # TODO: try nixos-nat-post instead?
    # TODO: or, don't NAT from port 53 -> port 1053, but rather nat from LAN addr to a loopback addr.
    # - this is complicated in that loopback is a different interface than eth0, so rewriting the destination address would cause the packets to just be dropped by the interface
    protocol = [ "udp" "tcp" ];
    visibleTo.lan = true;
    description = "colin-redirected-dns-for-lan-namespace";
  };

  sane.services.trust-dns.enable = true;
  sane.services.trust-dns.instances = let
    # placeholder -> value mapping for the instance serving `flavor`
    # (one of "doof", "hn", "lan", "wan"): the zone's %ANATIVE%/%CNAMENATIVE%
    # resolve to servo's address on that flavor's network, so clients on each
    # network are pointed at the reachable address for the same host.
    mkSubstitutions = flavor: {
      "%ADOOF%" = config.sane.netns.doof.netnsPubIpv4;
      "%ANATIVE%" = nativeAddrs."servo.${flavor}";
      "%AOVPNS%" = config.sane.netns.ovpns.netnsPubIpv4;
      # %AWAN% is a shell command substitution, not a nix-evaluated value:
      # presumably expanded by a shell in the instance's start script, so the
      # WAN address is whatever `dyn-dns.ipPath` holds at start time (hence the
      # restartOnChange list below).
      # NOTE(review): the file's content is spliced into the zone as-is, with
      # no validation that it is an IPv4 literal — confirm ipPath is writable
      # only by the dyn-dns service.
      "%AWAN%" = "$(cat '${dyn-dns.ipPath}')";
      "%CNAMENATIVE%" = "servo.${flavor}";
    };
  in
  {
    # serves both the doof and ovpns namespaces (ns2 and ns3 above), via the
    # host side of each netns' veth.
    doof = {
      substitutions = mkSubstitutions "doof";
      listenAddrsIpv4 = [
        config.sane.netns.doof.hostVethIpv4
        config.sane.netns.ovpns.hostVethIpv4
      ];
    };
    hn = {
      substitutions = mkSubstitutions "hn";
      listenAddrsIpv4 = [ nativeAddrs."servo.hn" ];
    };
    lan = {
      substitutions = mkSubstitutions "lan";
      listenAddrsIpv4 = [ nativeAddrs."servo.lan" ];
      # must match the DNAT target in networking.nat.extraCommands above.
      port = 1053;
    };
    # same address as `lan`, but on the default port: reached by sources that
    # the DNAT above does not redirect.
    wan = {
      substitutions = mkSubstitutions "wan";
      listenAddrsIpv4 = [
        nativeAddrs."servo.lan"
      ];
    };
    # hn-resolver = {
    #   # don't need %AWAN% here because we forward to the hn instance.
    #   listenAddrsIpv4 = [ nativeAddrs."servo.hn" ];
    #   extraConfig = {
    #     zones = [
    #       {
    #         zone = "uninsane.org";
    #         zone_type = "Forward";
    #         stores = {
    #           type = "forward";
    #           name_servers = [
    #             {
    #               socket_addr = "${nativeAddrs."servo.hn"}:1053";
    #               protocol = "udp";
    #               trust_nx_responses = true;
    #             }
    #           ];
    #         };
    #       }
    #       {
    #         # forward the root zone to the local DNS resolver
    #         zone = ".";
    #         zone_type = "Forward";
    #         stores = {
    #           type = "forward";
    #           name_servers = [
    #             {
    #               socket_addr = "127.0.0.53:53";
    #               protocol = "udp";
    #               trust_nx_responses = true;
    #             }
    #           ];
    #         };
    #       }
    #     ];
    #   };
    # };
  };

  # every instance embeds %AWAN% (read once at start, see mkSubstitutions), so
  # each must be restarted when the dynamic WAN address changes.
  sane.services.dyn-dns.restartOnChange = [
    "trust-dns-doof.service"
    "trust-dns-hn.service"
    "trust-dns-lan.service"
    "trust-dns-wan.service"
    # "trust-dns-hn-resolver.service"  # doesn't need restart because it doesn't know about WAN IP
  ];
}