From 62fae6a5461f72092f985daca82c95538671ce17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Thu, 18 Apr 2024 21:59:29 +0200
Subject: [PATCH] dnscache: fix eval and start
---
 nix/nixos-module/container/dnscache.nix | 36 +++++++++++++------------
 1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/nix/nixos-module/container/dnscache.nix b/nix/nixos-module/container/dnscache.nix
index 8354b2c..88e9ae3 100644
--- a/nix/nixos-module/container/dnscache.nix
+++ b/nix/nixos-module/container/dnscache.nix
@@ -7,7 +7,8 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
 listenPlain = [ "0.0.0.0:53" "[::0]:53" ];
 extraConfig = /* lua */ ''
 modules = {
- 'http',
+ -- 'http', -- module 'cqueues' not found
+ 'policy',
 'predict',
 'prefill',
 'serve_stale < cache', -- servce stail records while refreshing the record
@@ -18,8 +19,8 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
 cache.size = 500 * MB
 cache.min_ttl(60)
- net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
- http.prometheus.namespace = 'resolver_'
+ -- net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
+ -- http.prometheus.namespace = 'resolver_'
 -- dns42
 policy.add(policy.suffix(
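Review bot: Commenting out `net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })` and `http.prometheus.namespace = 'resolver_'` in the second hunk, together with the `'http'` module dropped in the first, removes the resolver's management and Prometheus endpoint, so any scrape job pointed at 127.0.0.1:8453 will report the target down with nothing in this file explaining why. If that is the intended state until the Lua `cqueues` dependency is available, record it next to the listener rather than only in the `'http'` line, e.g. `-- TODO: re-enable with the 'http' module once cqueues is packaged; metrics endpoint is off until then`, so the monitoring gap stays visible to whoever reads the config. The `modules` table and the `extraConfig` string both continue outside these hunks.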
@@ -35,19 +36,21 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
 -- size.dns.localZones
 policy.add(policy.suffix(
- policy.STUB({'${config.site.net.serv.hosts4.dns}', ${lib.concatStringsSep ", " (map (hosts6: "'${hosts6.dns}'") (builtins.attrValues config.site.net.serv.hosts6))}})
+ policy.STUB({'${config.site.net.serv.hosts4.dns}', ${lib.concatStringsSep ", " (map (hosts6: "'${hosts6.dns}'") (builtins.attrValues config.site.net.serv.hosts6))}}),
 policy.todnames({${lib.concatStringsSep ", " (map (zone: "'${zone.name}'") config.site.dns.localZones)}})
 ))
 -- forward to dns caches
- policy.add(policy.slice(
- policy.slice_randomize_psl(),
+ -- TODO: package psl
+ policy.add( --policy.slice(
+ policy.all(
+ --policy.slice_randomize_psl(), -- lua-psl is required for policy.slice_randomize_psl()
 -- quad9
 policy.TLS_FORWARD({
 {'2620:fe::fe', hostname='dns.quad9.net'},
 {'2620:fe::9', hostname='dns.quad9.net'},
 {'9.9.9.9', hostname='dns.quad9.net'}
- })
+ }),
 -- cloudflare
 policy.TLS_FORWARD({
 {'2606:4700:4700::1111', hostname='cloudflare-dns.com'},
@@ -55,7 +58,7 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
 {'1.1.1.1', hostname='cloudflare-dns.com'},
 {'1.0.0.1', hostname='cloudflare-dns.com'}
 })
- })))
+ ))
 -- allow access from our networks
 '' + lib.concatMapStringsSep "\n" (cidr: "view:addr('${cidr}', policy.all(policy.PASS))") [
@@ -72,8 +75,7 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
 "2a00:8180:2000:37::1/128" "2a00:8180:2c00:200::/56" # flpk "${config.site.net.flpk.subnet4}" "2a0f:5382:acab:1400::/56 allow"
- ] + /* lua */ ''
-
+ ] + "\n" + /* lua */ ''
 -- drop everything that hasn't matched
 view:addr('0.0.0.0/0', policy.all(policy.DROP))
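Review bot: The new `policy.all(` in the forwarding block receives two actions, the quad9 `policy.TLS_FORWARD({...}),` and the cloudflare one, but Knot Resolver's `policy.all(action)` takes a single action, so Lua discards the second argument and, as far as the `+ ))` closer in the next hunk lets me tell, only quad9 is ever consulted while the cloudflare servers become dead configuration. `policy.TLS_FORWARD` already accepts a list of servers, so the fix that keeps both upstreams is to merge the two tables into one call and pass that as the only argument to `policy.all`. The `-- TODO: package psl` line says what is missing but not that forwarding is no longer sliced across upstreams; a short comment to that effect above `policy.add(` would spare the next reader the same investigation. The `policy.add(` call opened here is closed in the following hunk.
```lua
policy.add(policy.all(
  policy.TLS_FORWARD({
    -- quad9
    {'2620:fe::fe', hostname='dns.quad9.net'},
    {'2620:fe::9', hostname='dns.quad9.net'},
    {'9.9.9.9', hostname='dns.quad9.net'},
    -- cloudflare
    {'2606:4700:4700::1111', hostname='cloudflare-dns.com'},
    -- … unchanged: remaining cloudflare entries …
  })
))
```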
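Review bot: The `+ ] + "\n" + /* lua */ ''` join now emits the last generated `view:addr(...)` on its own line, but one of the entries in that list reads `"2a0f:5382:acab:1400::/56 allow"`, which the generator turns into `view:addr('2a0f:5382:acab:1400::/56 allow', policy.all(policy.PASS))`. The trailing word is not part of a prefix and looks like a comment that ended up inside the string; if `view:addr` rejects it as an unparsable subnet, the resolver will still fail to start after this fix, and if it is accepted the intended network may not match at all. Either drop ` allow` from the string or move it to a `#` comment on that line. The list this entry belongs to begins outside the hunk.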
@@ -82,14 +84,14 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
 predict = {
 window = 15, -- sampling window
 period = 24*(60/15) -- track last X hours, divide through sampling window
- },
+ }
- prefill.config({
- ['.'] = {
- url = 'https://www.internic.net/domain/root.zone',
- interval = 86400, -- seconds
- }
- })
+ -- prefill.config({
+ -- ['.'] = {
+ -- url = 'https://www.internic.net/domain/root.zone',
+ -- interval = 86400, -- seconds
+ -- }
+ -- })
 '';
 };
}
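Review bot: The `-- prefill.config({ ... })` block disables root-zone prefill without saying why, unlike the `'http'` line earlier in this patch that records the missing `cqueues` dependency, and `'prefill'` is still loaded in the `modules` list shown in the first hunk, so the module is now loaded but never configured. Either remove it from `modules` as well or put a reason above the commented block, e.g. `-- prefill disabled: <reason> -- TODO: re-enable`, so a later reader does not assume the root zone is still being primed. The enclosing `extraConfig` string starts outside this hunk.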