master
...
wip-trust-
Author | SHA1 | Date | |
---|---|---|---|
a8293f348c | |||
0fbf35e0a9 | |||
f037e6dc72 | |||
fe5af959f4 |
|
@ -23,26 +23,36 @@
|
||||||
# - this is fixed by either `firejail --blacklist=/var/run/nscd/socket`, or disabling nscd altogether.
|
# - this is fixed by either `firejail --blacklist=/var/run/nscd/socket`, or disabling nscd altogether.
|
||||||
{ lib, ... }:
|
{ lib, ... }:
|
||||||
{
|
{
|
||||||
# use systemd's stub resolver.
|
# # use systemd's stub resolver.
|
||||||
# /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
|
# # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
|
||||||
# instead, running the stub resolver on a known address in the root ns lets us rewrite packets
|
# # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
|
||||||
# in servo's ovnps namespace to use the provider's DNS resolvers.
|
# # in servo's ovnps namespace to use the provider's DNS resolvers.
|
||||||
# a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
|
# # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
|
||||||
# TODO: rework servo's netns to use `firejail`, which is capable of spoofing /etc/resolv.conf.
|
# # TODO: rework servo's netns to use `firejail`, which is capable of spoofing /etc/resolv.conf.
|
||||||
services.resolved.enable = true; #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
|
# services.resolved.enable = true; #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
|
||||||
# without DNSSEC:
|
# # without DNSSEC:
|
||||||
# - dig matrix.org => works
|
# # - dig matrix.org => works
|
||||||
# - curl https://matrix.org => works
|
# # - curl https://matrix.org => works
|
||||||
# with default DNSSEC:
|
# # with default DNSSEC:
|
||||||
# - dig matrix.org => works
|
# # - dig matrix.org => works
|
||||||
# - curl https://matrix.org => fails
|
# # - curl https://matrix.org => fails
|
||||||
# i don't know why. this might somehow be interfering with the DNS run on this device (trust-dns)
|
# # i don't know why. this might somehow be interfering with the DNS run on this device (trust-dns)
|
||||||
services.resolved.dnssec = "false";
|
# services.resolved.dnssec = "false";
|
||||||
|
# networking.nameservers = [
|
||||||
|
# # use systemd-resolved resolver
|
||||||
|
# # full resolver (which understands /etc/hosts) lives on 127.0.0.53
|
||||||
|
# # stub resolver (just forwards upstream) lives on 127.0.0.54
|
||||||
|
# "127.0.0.53"
|
||||||
|
# ];
|
||||||
|
|
||||||
|
services.resolved.enable = lib.mkForce false;
|
||||||
|
sane.services.trust-dns.enable = true;
|
||||||
|
sane.services.trust-dns.instances.localhost = {
|
||||||
|
listenAddrs = [ "127.0.0.1" ];
|
||||||
|
enableRecursiveResolver = true;
|
||||||
|
};
|
||||||
networking.nameservers = [
|
networking.nameservers = [
|
||||||
# use systemd-resolved resolver
|
"127.0.0.1"
|
||||||
# full resolver (which understands /etc/hosts) lives on 127.0.0.53
|
|
||||||
# stub resolver (just forwards upstream) lives on 127.0.0.54
|
|
||||||
"127.0.0.53"
|
|
||||||
];
|
];
|
||||||
|
|
||||||
# nscd -- the Name Service Caching Daemon -- caches DNS query responses
|
# nscd -- the Name Service Caching Daemon -- caches DNS query responses
|
||||||
|
|
|
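Review bot: With `services.resolved.enable = lib.mkForce false;` and `networking.nameservers = [ "127.0.0.1" ]`, the host now depends solely on the local trust-dns recursor, and nothing on the new side records that this recursor runs without DNSSEC validation (the trust-dns hunk in this same compare says `# probably not needed: the default seems to be that dnssec is disabled`) or that there is no fallback resolver if the service is down. Unlike the old stub, which forwarded to the provider's servers, a recursor queries authoritative servers directly in cleartext, so the poisoning resistance of the host's DNS now rests on hickory's recursor code, which this branch builds from a patched fork. I'd add above `sane.services.trust-dns.enable = true;`: `# NOTE: sole resolver for this host; recurses directly to authoritative servers with no DNSSEC validation and no fallback if it is down.` The `# i don't know why` note about curl failing under DNSSEC survives only as commented-out text, so the open question is easy to lose; consider keeping it as a live TODO next to the new config.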
@ -31,31 +31,38 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.etc = lib.mkIf cfg.enabled {
|
environment.etc = lib.mkIf cfg.enabled {
|
||||||
|
"NetworkManager/system-connections".source = "/var/lib/NetworkManager/system-connections";
|
||||||
"NetworkManager/NetworkManager.conf".text = ''
|
"NetworkManager/NetworkManager.conf".text = ''
|
||||||
# TODO: much of this is likely not needed.
|
|
||||||
[connection]
|
|
||||||
ethernet.cloned-mac-address=preserve
|
|
||||||
wifi.cloned-mac-address=preserve
|
|
||||||
wifi.powersave=null
|
|
||||||
|
|
||||||
[device]
|
[device]
|
||||||
|
# wifi.backend: wpa_supplicant or iwd
|
||||||
wifi.backend=wpa_supplicant
|
wifi.backend=wpa_supplicant
|
||||||
wifi.scan-rand-mac-address=true
|
wifi.scan-rand-mac-address=true
|
||||||
|
|
||||||
[keyfile]
|
|
||||||
# keyfile.path: where to check for connection credentials
|
|
||||||
path=/var/lib/NetworkManager/system-connections
|
|
||||||
unmanaged-devices=null
|
|
||||||
|
|
||||||
[logging]
|
[logging]
|
||||||
audit=false
|
audit=false
|
||||||
level=WARN
|
# level: TRACE, DEBUG, INFO, WARN, ERR, OFF
|
||||||
|
level=INFO
|
||||||
|
# domain=...
|
||||||
|
|
||||||
[main]
|
[main]
|
||||||
|
# dhcp:
|
||||||
|
# - `internal` (default)
|
||||||
|
# - `dhclient` (requires dhclient to be installed)
|
||||||
|
# - `dhcpcd` (requires dhcpcd to be installed)
|
||||||
dhcp=internal
|
dhcp=internal
|
||||||
dns=systemd-resolved
|
# dns:
|
||||||
|
# - `default`: update /etc/resolv.conf with nameservers provided by the active connection
|
||||||
|
# - `none`: NM won't update /etc/resolv.conf
|
||||||
|
# - `systemd-resolved`: push DNS config to systemd-resolved
|
||||||
|
# - `dnsmasq`: run a local caching nameserver
|
||||||
|
dns=none
|
||||||
plugins=keyfile
|
plugins=keyfile
|
||||||
|
# rc-manager: how NM should write to /etc/resolv.conf
|
||||||
|
# - may also write /var/lib/NetworkManager/resolv.conf
|
||||||
rc-manager=unmanaged
|
rc-manager=unmanaged
|
||||||
|
# systemd-resolved: send DNS config to systemd-resolved?
|
||||||
|
systemd-resolved=false
|
||||||
|
# debug=... (see also: NM_DEBUG env var)
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
hardware.wirelessRegulatoryDatabase = lib.mkIf cfg.enabled true;
|
hardware.wirelessRegulatoryDatabase = lib.mkIf cfg.enabled true;
|
||||||
|
|
|
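Review bot: `"NetworkManager/system-connections".source = "/var/lib/NetworkManager/system-connections";` (new side, top of the section) places NetworkManager's keyfiles, which store Wi-Fi PSKs and 802.1X passwords in cleartext, at the default `/etc/NetworkManager/system-connections` path now that the explicit `[keyfile] path=` section is dropped; the symlink adds no protection of its own, so the target directory's root-only mode is all that keeps those secrets private (NetworkManager itself refuses keyfiles readable by others, as far as I recall; worth confirming). I'd put `# keyfiles hold connection secrets (psk=, 802.1X passwords) in cleartext; the target dir must stay root-only` above that line. Separately, `dns=none` together with `rc-manager=unmanaged` and `systemd-resolved=false` discards DHCP-supplied nameservers by design so the local recursor is always used; that intent deserves one comment in the `[main]` block so a later reader does not "fix" it back to `default`. Dropping the `[connection]` `cloned-mac-address=preserve` lines relies on NetworkManager's defaults, which I believe are already `preserve`, so MAC behaviour should be unchanged, but that is inferred rather than visible here.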
@ -84,7 +84,7 @@ let
|
||||||
"/etc" #< especially for /etc/profiles/per-user/$USER/bin
|
"/etc" #< especially for /etc/profiles/per-user/$USER/bin
|
||||||
"/run/current-system" #< for basics like `ls`, and all this program's `suggestedPrograms` (/run/current-system/sw/bin)
|
"/run/current-system" #< for basics like `ls`, and all this program's `suggestedPrograms` (/run/current-system/sw/bin)
|
||||||
"/run/wrappers" #< SUID wrappers, in this case so that firejail can be re-entrant. TODO: remove!
|
"/run/wrappers" #< SUID wrappers, in this case so that firejail can be re-entrant. TODO: remove!
|
||||||
"/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here
|
# "/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
|
||||||
# /run/opengl-driver is a symlink into /nix/store; needed by e.g. mpv
|
# /run/opengl-driver is a symlink into /nix/store; needed by e.g. mpv
|
||||||
"/run/opengl-driver"
|
"/run/opengl-driver"
|
||||||
"/run/opengl-driver-32" #< XXX: doesn't exist on aarch64?
|
"/run/opengl-driver-32" #< XXX: doesn't exist on aarch64?
|
||||||
|
|
|
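Review bot: Commenting out `"/run/systemd/resolve"` bakes the assumption that systemd-resolved stays disabled into the sandbox whitelist, while the DNS module in this same compare warns that other systemd features default to enabling `resolved` and the trailing comment here reads `(if using systemd-resolved)`: if resolved is ever re-enabled, `/etc/resolv.conf` becomes a symlink whose target is unreadable inside the jail and sandboxed programs lose DNS silently. Tie the entry to the configuration instead, e.g. append `++ lib.optional config.services.resolved.enable "/run/systemd/resolve"` after the list's closing `]`, assuming `config` and `lib` are in scope in this `let`; the list starts and ends outside the hunk. A second caveat worth a comment on the list: with resolved off, `/etc/resolv.conf` points at `127.0.0.1`, which inside any firejail `--net` namespace is the sandbox's own loopback rather than the host recursor.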
@ -3,7 +3,7 @@ let
|
||||||
cfg = config.sane.services.trust-dns;
|
cfg = config.sane.services.trust-dns;
|
||||||
dns = config.sane.dns;
|
dns = config.sane.dns;
|
||||||
toml = pkgs.formats.toml { };
|
toml = pkgs.formats.toml { };
|
||||||
instanceModule = with lib; types.submodule {
|
instanceModule = with lib; types.submodule ({ config, ...}: {
|
||||||
options = {
|
options = {
|
||||||
port = mkOption {
|
port = mkOption {
|
||||||
type = types.port;
|
type = types.port;
|
||||||
|
@ -11,7 +11,7 @@ let
|
||||||
};
|
};
|
||||||
listenAddrs = mkOption {
|
listenAddrs = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
default = [];
|
default = [ "127.0.0.1" ];
|
||||||
description = ''
|
description = ''
|
||||||
IP addresses to serve requests from.
|
IP addresses to serve requests from.
|
||||||
'';
|
'';
|
||||||
|
@ -27,17 +27,46 @@ let
|
||||||
"%AWAN%" = ''"$(cat /var/www/wan.txt)"'';
|
"%AWAN%" = ''"$(cat /var/www/wan.txt)"'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
enableRecursiveResolver = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = ''
|
||||||
|
act as a recursive resolver
|
||||||
|
'';
|
||||||
|
};
|
||||||
extraConfig = mkOption {
|
extraConfig = mkOption {
|
||||||
type = types.attrs;
|
type = types.attrs;
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
mkSystemdService = flavor: { port, listenAddrs, substitutions, extraConfig }: let
|
config = {
|
||||||
|
extraConfig = lib.mkIf config.enableRecursiveResolver {
|
||||||
|
zones = [
|
||||||
|
{
|
||||||
|
zone = ".";
|
||||||
|
zone_type = "Hint";
|
||||||
|
stores = {
|
||||||
|
type = "recursor";
|
||||||
|
# contains the list of toplevel DNS servers, from which to recursively resolve entries.
|
||||||
|
roots = "${pkgs.dns-root-data}/root.hints";
|
||||||
|
|
||||||
|
# dnssec, see: <https://github.com/hickory-dns/hickory-dns/issues/2193>
|
||||||
|
# probably not needed: the default seems to be that dnssec is disabled
|
||||||
|
# enable_dnssec = false;
|
||||||
|
#
|
||||||
|
# defaults, untuned
|
||||||
|
# ns_cache_size = 1024;
|
||||||
|
# record_cache_size = 1048576;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
|
||||||
|
mkSystemdService = flavor: { port, listenAddrs, substitutions, extraConfig, ... }: let
|
||||||
sed = "${pkgs.gnused}/bin/sed";
|
sed = "${pkgs.gnused}/bin/sed";
|
||||||
zoneTemplate = pkgs.writeText
|
|
||||||
"uninsane.org.zone.in"
|
|
||||||
config.sane.dns.zones."uninsane.org".rendered;
|
|
||||||
configTemplate = toml.generate "trust-dns-${flavor}.toml" (
|
configTemplate = toml.generate "trust-dns-${flavor}.toml" (
|
||||||
(
|
(
|
||||||
lib.filterAttrsRecursive (_: v: v != null) config.services.trust-dns.settings
|
lib.filterAttrsRecursive (_: v: v != null) config.services.trust-dns.settings
|
||||||
|
@ -51,8 +80,8 @@ let
|
||||||
in {
|
in {
|
||||||
description = "trust-dns Domain Name Server (serving ${flavor})";
|
description = "trust-dns Domain Name Server (serving ${flavor})";
|
||||||
unitConfig.Documentation = "https://trust-dns.org/";
|
unitConfig.Documentation = "https://trust-dns.org/";
|
||||||
|
after = [ "network.target" ];
|
||||||
wantedBy = [ "default.target" ];
|
wantedBy = [ "network.target" ];
|
||||||
|
|
||||||
preStart = lib.concatStringsSep "\n" (
|
preStart = lib.concatStringsSep "\n" (
|
||||||
[''
|
[''
|
||||||
|
@ -66,7 +95,7 @@ let
|
||||||
|
|
||||||
serviceConfig = config.systemd.services.trust-dns.serviceConfig // {
|
serviceConfig = config.systemd.services.trust-dns.serviceConfig // {
|
||||||
ExecStart = lib.escapeShellArgs ([
|
ExecStart = lib.escapeShellArgs ([
|
||||||
"${pkgs.trust-dns}/bin/${pkgs.trust-dns.meta.mainProgram}"
|
"${config.services.trust-dns.package}/bin/${config.services.trust-dns.package.meta.mainProgram}"
|
||||||
"--port" (builtins.toString port)
|
"--port" (builtins.toString port)
|
||||||
"--zonedir" "/var/lib/trust-dns/${flavor}"
|
"--zonedir" "/var/lib/trust-dns/${flavor}"
|
||||||
"--config" "${configPath}"
|
"--config" "${configPath}"
|
||||||
|
@ -75,7 +104,10 @@ let
|
||||||
] ++ lib.optionals config.services.trust-dns.quiet [
|
] ++ lib.optionals config.services.trust-dns.quiet [
|
||||||
"--quiet"
|
"--quiet"
|
||||||
]);
|
]);
|
||||||
ReadOnlyPaths = [ "/var/lib/uninsane" ]; # for dyn-dns (wan.txt)
|
# servo/dyn-dns needs /var/lib/uninsane/wan.txt.
|
||||||
|
# this might not exist on other systems,
|
||||||
|
# so just bind the deepest path which is guaranteed to exist.
|
||||||
|
ReadOnlyPaths = [ "/var/lib" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
|
@ -97,6 +129,7 @@ in
|
||||||
# enable nixpkgs' trust-dns so that i get its config generation
|
# enable nixpkgs' trust-dns so that i get its config generation
|
||||||
# but don't actually enable the systemd service... i'll instantiate *multiple* instances per interface further below
|
# but don't actually enable the systemd service... i'll instantiate *multiple* instances per interface further below
|
||||||
services.trust-dns.enable = true;
|
services.trust-dns.enable = true;
|
||||||
|
services.trust-dns.settings.zones = []; #< TODO: remove once upstreamed (bad default)
|
||||||
|
|
||||||
# don't bind to IPv6 until i explicitly test that stack
|
# don't bind to IPv6 until i explicitly test that stack
|
||||||
services.trust-dns.settings.listen_addrs_ipv6 = [];
|
services.trust-dns.settings.listen_addrs_ipv6 = [];
|
||||||
|
@ -105,6 +138,25 @@ in
|
||||||
# - see: <https://github.com/hickory-dns/hickory-dns/issues/2082>
|
# - see: <https://github.com/hickory-dns/hickory-dns/issues/2082>
|
||||||
# services.trust-dns.debug = true;
|
# services.trust-dns.debug = true;
|
||||||
|
|
||||||
|
services.trust-dns.package = pkgs.trust-dns.override {
|
||||||
|
rustPlatform.buildRustPackage = args: pkgs.rustPlatform.buildRustPackage (args // {
|
||||||
|
buildFeatures = [
|
||||||
|
"recursor"
|
||||||
|
];
|
||||||
|
|
||||||
|
# fix enough bugs inside the recursive resolver that it's compatible with my infra.
|
||||||
|
# TODO: upstream these patches!
|
||||||
|
src = pkgs.fetchFromGitea {
|
||||||
|
domain = "git.uninsane.org";
|
||||||
|
owner = "colin";
|
||||||
|
repo = "hickory-dns";
|
||||||
|
rev = "67649863faf2e08f63963a96a491a4025aaf8ed6";
|
||||||
|
hash = "sha256-vmVY8C0cCCFxy/4+g1vKZsAD5lMaufIExnFaSVVAhGM=";
|
||||||
|
};
|
||||||
|
cargoHash = "sha256-FEjNxv1iu27SXQhz1+Aehs4es8VxT1BPz5uZq8TcG/k=";
|
||||||
|
});
|
||||||
|
};
|
||||||
|
|
||||||
users.groups.trust-dns = {};
|
users.groups.trust-dns = {};
|
||||||
users.users.trust-dns = {
|
users.users.trust-dns = {
|
||||||
group = "trust-dns";
|
group = "trust-dns";
|
||||||
|
|
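Review bot: `ReadOnlyPaths = [ "/var/lib" ];` widens the entry well beyond what its comment needs, and it now covers `/var/lib/trust-dns/${flavor}`, the `--zonedir` passed on the same `ExecStart` and presumably populated by `preStart`; unless the inherited `config.systemd.services.trust-dns.serviceConfig` (outside this compare) carves that directory back out with `StateDirectory=` or `ReadWritePaths=`, the zone directory is now read-only for the service. To whatever extent this entry exists to make a path visible inside a hardened mount namespace, it also now exposes every other service's state under `/var/lib`, including the NetworkManager keyfiles this same branch symlinks into `/etc`. systemd.exec(5) already covers the "might not exist on other systems" concern: a `-` prefix makes the entry ignored when the path is absent, so `ReadOnlyPaths = [ "-/var/lib/uninsane" ]; # dyn-dns wan.txt; '-' = skip if absent` keeps the original scope. Separately, `services.trust-dns.package` now builds from a personal fork at a pinned rev; the hash makes it reproducible, but upstream security fixes stop flowing until the fork is rebased, so the `# TODO: upstream these patches!` comment should also name the upstream commit the fork is based on.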