nix-config/hosts/containers/dnscache/configuration.nix


# NixOS configuration for the "dnscache" container: an unbound resolver that
# forwards public names to DNS-over-TLS upstreams and dn42 / private zones to
# internal servers, exposes SSH for NixOps, and exports metrics via collectd.
{ config, pkgs, lib, ... }:
{
  imports =
    [ <nixpkgs/nixos/modules/profiles/minimal.nix>
    ];
  # Builds on this host run without the Nix build sandbox. Presumably the
  # container lacks the namespace privileges the sandbox needs — confirm;
  # note that unsandboxed builds can read the whole filesystem.
  nix.useSandbox = false;
  nix.maxJobs = lib.mkDefault 4;
  boot.isContainer = true;
  # /sbin/init
  boot.loader.initScript.enable = true;
  boot.loader.grub.enable = false;
  #boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];
  fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
  networking.hostName = "dnscache"; # Define your hostname.
  # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
  networking.useNetworkd = true;
  networking.useDHCP = false;
  # Static address; it reappears as the first entry of networking.nameservers
  # below, so the container resolves through its own unbound first.
  networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ];
  networking.defaultGateway = "172.20.73.1";
  # systemd-resolved is disabled so /etc/resolv.conf points at the listed
  # servers directly (self first, then internal servers, then Quad9).
  services.resolved.enable = false;
  networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  # Select internationalisation properties.
  i18n = {
    defaultLocale = "en_US.UTF-8";
    # mkForce overrides the profile's locale list to keep the closure small.
    supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
  };
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  # (bind is presumably here for its dig/host/nslookup tools.)
  environment.systemPackages = with pkgs; [
    wget vim
    traceroute tcpdump bind
  ];
  # Create a few files early before packing tarball for Proxmox
  # architecture/OS detection.
  # $out is the system closure: /bin/sh -> bash and /sbin/init -> ../init.
  system.extraSystemBuilderCmds =
    ''
      mkdir -m 0755 -p $out/bin
      ln -s ${pkgs.bash}/bin/bash $out/bin/sh
      mkdir -m 0755 -p $out/sbin
      ln -s ../init $out/sbin/init
    '';
  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "19.09"; # Did you read the comment?
  # Open DNS (UDP+TCP 53) and SSH. The firewall admits DNS from any source;
  # which clients may actually query is decided by services.unbound.allowedAccess
  # below, because unbound refuses addresses that are not in its access list.
  networking.firewall.allowedUDPPorts = [ 53 ];
  networking.firewall.allowedTCPPorts = [ 22 53 ];
  # For NixOps:
  # NOTE(review): "yes" also lets root log in with a password should one ever
  # be set. NixOps deploys as root over SSH keys, so "prohibit-password" would
  # keep it working while closing the password path — confirm before changing.
  services.openssh = {
    enable = true;
    permitRootLogin = "yes";
  };
  services.unbound = {
    enable = true;
    # Listen on every IPv4 and IPv6 address; access is limited by the ACL below.
    interfaces = [ "0.0.0.0" "::0" ];
    # Client networks allowed to query (rendered as unbound access-control
    # "allow" rules); anything else is refused. The "::172.x" entries repeat
    # the IPv4 ranges in IPv6-embedded notation.
    allowedAccess = [
      "fd23:42:c3d2:500::/56"
      "2a02:8106:208:5200::/56"
      "2a02:8106:211:e900::/56"
      "::172.20.72.0/117"
      "::172.22.99.0/120"
      "::1/128"
      "172.20.72.0/21"
      "10.0.0.0/24"
      "10.200.0.0/15"
      "172.22.99.0/24"
      "127.0.0.0/8"
    ];
    # Default upstreams for everything not matched by a forward-zone in
    # extraConfig. "@853" selects the DNS-over-TLS port.
    #
    # The "\n forward-ssl-upstream: yes" appended to the last entry relies on
    # the module emitting one "forward-addr:" line per list element, so the
    # extra line lands inside the generated forward-zone and enables TLS for
    # all addresses above. It is a config-injection trick that breaks silently
    # if the module changes how it renders this list — TODO: replace with a
    # proper option when nixpkgs provides one.
    # NOTE(review): nothing here sets tls-cert-bundle or per-address auth
    # names (addr@port#hostname), so unbound presumably encrypts to these
    # upstreams without verifying their certificates — confirm.
    forwardAddresses = [
      # Quad9
      "9.9.9.9@853" #dns.quad9.net
      "2620:fe::fe@853" #dns.quad9.net
      "149.112.112.112@853" #dns.quad9.net
      "2620:fe::9@853" #dns.quad9.net
      # Cloudflare DNS
      "1.1.1.1@853" #cloudflare-dns.com
      "2606:4700:4700::1111@853" #cloudflare-dns.com
      "1.0.0.1@853" #cloudflare-dns.com
      "2606:4700:4700::1001@853\n forward-ssl-upstream: yes" #cloudflare-dns.com
    ];
    # Verbatim unbound.conf additions:
    # - domain-insecure: skip DNSSEC validation for the dn42 / private zones,
    #   which have no chain of trust from the public root.
    # - local-zone ... nodefault: unbound ships built-in local zones that answer
    #   the private reverse ranges itself; nodefault removes them so these
    #   queries reach the forward-zones further down.
    # - remote-control: enables unbound-control (used by the collectd script
    #   below) with the key/cert pairs under /var/lib/unbound. No
    #   control-interface is given, so unbound's default (localhost) should
    #   apply — confirm for the installed version.
    # - forward-zone: per-zone forwarding to the c3d2, zentralwerk and dn42
    #   servers over plain DNS (no @853 here).
    extraConfig = ''
      server:
      domain-insecure: "dn42"
      domain-insecure: "20.172.in-addr.arpa"
      domain-insecure: "21.172.in-addr.arpa"
      domain-insecure: "22.172.in-addr.arpa"
      domain-insecure: "23.172.in-addr.arpa"
      domain-insecure: "d.f.ip6.arpa"
      domain-insecure: "ffdd"
      domain-insecure: "200.10.in-addr.arpa"
      local-zone: "20.172.in-addr.arpa." nodefault
      local-zone: "21.172.in-addr.arpa." nodefault
      local-zone: "22.172.in-addr.arpa." nodefault
      local-zone: "23.172.in-addr.arpa." nodefault
      local-zone: "d.f.ip6.arpa." nodefault
      local-zone: "ffdd." nodefault
      local-zone: "200.10.in-addr.arpa." nodefault
      remote-control:
      control-enable: yes
      server-key-file: /var/lib/unbound/unbound_server.key
      server-cert-file: /var/lib/unbound/unbound_server.pem
      control-key-file: /var/lib/unbound/unbound_control.key
      control-cert-file: /var/lib/unbound/unbound_control.pem
      forward-zone:
      name: "99.22.172.in-addr.arpa"
      forward-host: "ns.c3d2.de"
      forward-zone:
      name: "zentralwerk.dn42"
      forward-host: "dns.serv.zentralwerk.org"
      forward-zone:
      name: "72.20.172.in-addr.arpa"
      forward-host: "dns.serv.zentralwerk.org"
      forward-zone:
      name: "73.20.172.in-addr.arpa"
      forward-host: "dns.serv.zentralwerk.org"
      forward-zone:
      name: "74.20.172.in-addr.arpa"
      forward-host: "dns.serv.zentralwerk.org"
      forward-zone:
      name: "75.20.172.in-addr.arpa"
      forward-host: "dns.serv.zentralwerk.org"
      forward-zone:
      name: "76.20.172.in-addr.arpa"
      forward-host: "dns.serv.zentralwerk.org"
      forward-zone:
      name: "77.20.172.in-addr.arpa"
      forward-host: "dns.serv.zentralwerk.org"
      forward-zone:
      name: "dn42"
      forward-addr: 172.23.0.53
      forward-zone:
      name: "20.172.in-addr.arpa"
      forward-addr: 172.23.0.53
      forward-zone:
      name: "21.172.in-addr.arpa"
      forward-addr: 172.23.0.53
      forward-zone:
      name: "22.172.in-addr.arpa"
      forward-addr: 172.23.0.53
      forward-zone:
      name: "23.172.in-addr.arpa"
      forward-addr: 172.23.0.53
      forward-zone:
      name: "d.f.ip6.arpa"
      forward-addr: 172.23.0.53
      forward-zone:
      name: "ffdd"
      forward-addr: 10.200.0.4
      forward-addr: 10.200.0.16
      forward-zone:
      name: "200.10.in-addr.arpa"
      forward-addr: 10.200.0.4
      forward-addr: 10.200.0.16
    '';
  };
  # Metrics: the standard system plugins plus a Ruby exec script that polls
  # unbound's statistics.
  services.collectd = {
    enable = true;
    autoLoadPlugin = true;
    plugins = {
      cpu = "";
      memory = "";
      interface = "";
      load = "";
      exec =
        let
          # Every 10 s: run unbound-control stats_noreset, keep only the
          # "total.*" lines and emit one collectd PUTVAL line each under host
          # "dnscache". Names ending in .avg/.median/.max/.min are reported as
          # gauges; everything else as "derive" (a monotonic counter), truncated
          # to an integer. stats_noreset leaves unbound's counters cumulative,
          # which is what "derive" expects.
          unboundScript = builtins.toFile "unbound.rb" ''
            loop do
            `/run/current-system/sw/bin/unbound-control -c /var/lib/unbound/unbound.conf stats_noreset`
            .lines
            .filter { |l| l =~ /^total\./ }
            .each { |l|
            if l =~ /total\.(.+?)=([\d\.]+)/
            name = $1
            value = $2.to_f
            if name =~ /\.avg$/ || name =~ /\.median$/ || name =~ /\.max$/ || name =~ /\.min$/
            ty = "gauge"
            else
            ty = "derive"
            value = value.to_i
            end
            puts "PUTVAL dnscache/unbound/#{ty}-#{name} N:#{value}"
            end
            }
            sleep 10
            end
          '';
        # The script runs as the "collectd" user (first Exec argument), so that
        # user must be able to read the control key/cert named in unbound.conf
        # — confirm the file permissions under /var/lib/unbound.
        in ''
          Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}"
        '';
      # Ship metrics to the grafana host with collectd's network protocol.
      # NOTE(review): no SecurityLevel/Username is set, so the stream is
      # unsigned and unencrypted; that is only acceptable inside the trusted
      # dn42 network — confirm.
      network = ''
        Server "grafana.serv.zentralwerk.dn42" "25826"
      '';
    };
    # Global sampling interval, matching the script's 10 s sleep.
    extraConfig = ''
      Interval 10
    '';
  };
}