colin
97044bf70e
although the systemd wantedBy directive is working, `before` seems to be ignored when the unit fails. so on first run, dyn-dns runs, fails (poor net connectivity), then trust-dns starts (fails), then they both restart 10s later. it's not great, but good enough. also, wan IP is persisted, so this likely won't happen much in practice.
70 lines
2.7 KiB
Nix
70 lines
2.7 KiB
Nix
{ config, pkgs, ... }:
|
|
|
|
{
|
|
sane.services.trust-dns.enable = true;
|
|
|
|
sane.services.trust-dns.listenAddrsIPv4 = [
|
|
# specify each address explicitly, instead of using "*".
|
|
# this ensures responses are sent from the address at which the request was received.
|
|
"192.168.0.5"
|
|
"10.0.1.5"
|
|
];
|
|
|
|
sane.services.trust-dns.zones."uninsane.org".TTL = 900;
|
|
|
|
# SOA record structure: <https://en.wikipedia.org/wiki/SOA_record#Structure>
|
|
# SOA MNAME RNAME (... rest)
|
|
# MNAME = Master name server for this zone. this is where update requests should be sent.
|
|
# RNAME = admin contact (encoded email address)
|
|
# Serial = YYYYMMDDNN, where N is incremented every time this file changes, to trigger secondary NS to re-fetch it.
|
|
# Refresh = how frequently secondary NS should query master
|
|
# Retry = how long secondary NS should wait until re-querying master after a failure (must be < Refresh)
|
|
# Expire = how long secondary NS should continue to reply to queries after master fails (> Refresh + Retry)
|
|
sane.services.trust-dns.zones."uninsane.org".inet = {
|
|
SOA."@" = [''
|
|
ns1.uninsane.org. admin-dns.uninsane.org. (
|
|
2022121601 ; Serial
|
|
4h ; Refresh
|
|
30m ; Retry
|
|
7d ; Expire
|
|
5m) ; Negative response TTL
|
|
''];
|
|
TXT."rev" = [ "2022121801" ];
|
|
|
|
# XXX NS records must also not be CNAME
|
|
# it's best that we keep this identical, or a superset of, what org. lists as our NS.
|
|
# so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
|
|
# A."ns1" = [ "%NATIVE%" ];
|
|
A."ns2" = [ "185.157.162.178" ];
|
|
A."ns3" = [ "185.157.162.178" ];
|
|
A."ovpns" = [ "185.157.162.178" ];
|
|
NS."@" = [
|
|
"ns1.uninsane.org."
|
|
"ns2.uninsane.org."
|
|
"ns3.uninsane.org."
|
|
];
|
|
};
|
|
|
|
sane.services.trust-dns.zones."uninsane.org".include = [
|
|
"/var/lib/trust-dns/native.uninsane.org.zone"
|
|
];
|
|
|
|
systemd.services.trust-dns.preStart = let
|
|
sed = "${pkgs.gnused}/bin/sed";
|
|
zone-dir = "/var/lib/trust-dns";
|
|
zone-out = "${zone-dir}/native.uninsane.org.zone";
|
|
zone-template = pkgs.writeText "native.uninsane.org.zone.in" ''
|
|
@ A %NATIVE%
|
|
ns1 A %NATIVE%
|
|
native A %NATIVE%
|
|
'';
|
|
in ''
|
|
# make WAN records available to trust-dns
|
|
mkdir -p ${zone-dir}
|
|
ip=$(cat '${config.sane.services.dyn-dns.ipPath}')
|
|
${sed} s/%NATIVE%/$ip/ ${zone-template} > ${zone-out}
|
|
'';
|
|
|
|
sane.services.dyn-dns.restartOnChange = [ "trust-dns.service" ];
|
|
}
|