diff --git a/hosts/containers/dnscache/configuration.nix b/hosts/containers/dnscache/configuration.nix
new file mode 100644
index 00000000..5b585d65
--- /dev/null
+++ b/hosts/containers/dnscache/configuration.nix
@@ -0,0 +1,184 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ];
+ nix.useSandbox = false;
+ nix.maxJobs = lib.mkDefault 4;
+
+ boot.isContainer = true;
+ # /sbin/init
+ boot.loader.initScript.enable = true;
+ boot.loader.grub.enable = false;
+ #boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];
+
+ fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
+
+ networking.hostName = "dnscache"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ networking.useNetworkd = true;
+ networking.useDHCP = false;
+ networking.interfaces.eth0.useDHCP = true;
+ services.resolved.enable = false;
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+ # Select internationalisation properties.
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
+ };
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ wget vim
+ traceroute tcpdump bind
+ ];
+
+ # Create a few files early before packing tarball for Proxmox
+ # architecture/OS detection.
+ system.extraSystemBuilderCmds =
+ ''
+ mkdir -m 0755 -p $out/bin
+ ln -s ${pkgs.bash}/bin/bash $out/bin/sh
+ mkdir -m 0755 -p $out/sbin
+ ln -s ../init $out/sbin/init
+ '';
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "19.09"; # Did you read the comment?
+
+ networking.firewall.allowedUDPPorts = [ 53 ];
+ networking.firewall.allowedTCPPorts = [ 22 53 ];
+ # For NixOps:
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "yes";
+ };
+ services.unbound = {
+ enable = true;
+ interfaces = [ "0.0.0.0" "::0" ];
+ allowedAccess = [
+ "fd23:42:c3d2:500::/56"
+ "2a02:8106:208:5200::/56"
+ "2a02:8106:211:e900::/56"
+ "::172.20.72.0/117"
+ "::172.22.99.0/120"
+ "::1/128"
+ "172.20.72.0/21"
+ "10.0.0.0/24"
+ "172.22.99.0/24"
+ "127.0.0.0/8"
+ ];
+ forwardAddresses = [
+ # Quad9
+ "9.9.9.9@853" #dns.quad9.net
+ "2620:fe::fe@853" #dns.quad9.net
+ "149.112.112.112@853" #dns.quad9.net
+ "2620:fe::9@853" #dns.quad9.net
+ # Cloudflare DNS
+ "1.1.1.1@853" #cloudflare-dns.com
+ "2606:4700:4700::1111@853" #cloudflare-dns.com
+ "1.0.0.1@853" #cloudflare-dns.com
+ "2606:4700:4700::1001@853" #cloudflare-dns.com
+ ];
+ extraConfig = ''
+ server:
+ ssl-upstream: yes
+ domain-insecure: "dn42"
+ domain-insecure: "20.172.in-addr.arpa"
+ domain-insecure: "21.172.in-addr.arpa"
+ domain-insecure: "22.172.in-addr.arpa"
+ domain-insecure: "23.172.in-addr.arpa"
+ domain-insecure: "d.f.ip6.arpa"
+ local-zone: "20.172.in-addr.arpa." nodefault
+ local-zone: "21.172.in-addr.arpa." nodefault
+ local-zone: "22.172.in-addr.arpa." nodefault
+ local-zone: "23.172.in-addr.arpa." nodefault
+ local-zone: "d.f.ip6.arpa." nodefault
+
+ remote-control:
+ control-enable: yes
+ server-key-file: /var/lib/unbound/unbound_server.key
+ server-cert-file: /var/lib/unbound/unbound_server.pem
+ control-key-file: /var/lib/unbound/unbound_control.key
+ control-cert-file: /var/lib/unbound/unbound_control.pem
+
+
+ forward-zone:
+ name: "dn42"
+ forward-addr: fd42:d42:d42:53::1
+ forward-addr: 172.23.0.53
+
+ forward-zone:
+ name: "20.172.in-addr.arpa"
+ forward-addr: fd42:d42:d42:53::1
+ forward-addr: 172.23.0.53
+
+ forward-zone:
+ name: "21.172.in-addr.arpa"
+ forward-addr: fd42:d42:d42:53::1
+ forward-addr: 172.23.0.53
+
+ forward-zone:
+ name: "22.172.in-addr.arpa"
+ forward-addr: fd42:d42:d42:53::1
+ forward-addr: 172.23.0.53
+
+ forward-zone:
+ name: "23.172.in-addr.arpa"
+ forward-addr: fd42:d42:d42:53::1
+ forward-addr: 172.23.0.53
+
+ forward-zone:
+ name: "d.f.ip6.arpa"
+ forward-addr: fd42:d42:d42:53::1
+ forward-addr: 172.23.0.53
+ '';
+ };
+
+ services.collectd = {
+ enable = true;
+ autoLoadPlugin = true;
+ buildMinimalPackage = true;
+ plugins = {
+ cpu = "";
+ memory = "";
+ interface = "";
+ load = "";
+ exec =
+ let
+ unboundScript = builtins.toFile "unbound.rb" ''
+ loop do
+ `/run/current-system/sw/bin/unbound-control -c /var/lib/unbound/unbound.conf stats_noreset`
+ .lines
+ .filter { |l| l =~ /^total\./ }
+ .each { |l|
+ if l =~ /total\.(.+?)=([\d\.]+)/
+ name = $1
+ value = $2.to_f
+ ty = (name =~ /\.avg$/ || name =~ /\.median$/ || name =~ /\.max$/ || name =~ /\.min$/) ? "gauge" : "derive"
+ puts "PUTVAL dnscache/unbound/#{ty}-#{name} N:#{value}"
+ end
+ }
+
+ sleep 10
+ end
+ '';
+ in ''
+ Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}"
+ '';
+ network = ''
+ Server "grafana.hq.c3d2.de" "25826"
+ '';
+ };
+ extraConfig = ''
+ Interval 10
+ '';
+ };
+}
diff --git a/hq.nixops b/hq.nixops
index b38daa87..23c4c6ae 100644
--- a/hq.nixops
+++ b/hq.nixops
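Review bot: The upstream DNS-over-TLS in `services.unbound` is not authenticated: `extraConfig` turns on `ssl-upstream: yes` but sets no `tls-cert-bundle`, and the `#dns.quad9.net` / `#cloudflare-dns.com` auth names in `forwardAddresses` sit outside the quoted strings as Nix comments, so unbound never sees them. As far as I can tell from unbound's documented semantics, that makes port 853 opportunistic encryption only, and an on-path resolver can still spoof answers for every client in `allowedAccess`. Move the auth name into each string, `"9.9.9.9@853#dns.quad9.net"` (and the other seven), and add `tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"` under `server:` (the bundle NixOS installs by default — confirm the path is visible to the unbound service). Separately, `permitRootLogin = "yes"` on a host whose firewall opens port 22 to every source also allows password logins as root; NixOps only needs key auth, so `permitRootLogin = "prohibit-password";` keeps the deployment working. The wildcard `interfaces` is only safe because of the `allowedAccess` list, so that list should stay as tight as it is.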
@@ -151,4 +151,17 @@
 };
 };
+ "dnscache" = {
+ deployment.nix_path = {
+ nixpkgs = "https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz";
+ };
+ imports = [
+ hosts/containers/dnscache/configuration.nix
+ ];
+ deployment = {
+ targetHost = "dnscache.serv.zentralwerk.org";
+ storeKeysOnMachine = true;
+ };
+ };
+
 }
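Review bot: `deployment.nix_path.nixpkgs` points at the floating `nixos-unstable` channel tarball, so the system built for this resolver changes with every deploy and is pinned by neither a revision nor a hash; for a host every other machine will trust for name resolution, that is both a supply-chain exposure and a reproducibility problem. Pin it to a commit-addressed archive, e.g. `nixpkgs = "https://github.com/NixOS/nixpkgs/archive/<commit>.tar.gz";`, and bump the commit deliberately. `storeKeysOnMachine = true;` also tells NixOps to keep any `deployment.keys` on the target's persistent disk instead of only in memory; the imported configuration declares no keys yet, so the option is inert today, but it should be dropped before any secret is added. The enclosing attribute set starts before the hunk.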