Compare commits
3 Commits
57ca79dc02
...
721e6959b3
Author | SHA1 | Date | |
---|---|---|---|
721e6959b3 | |||
3c5fe9c1df | |||
858d6b170f |
|
@ -4,7 +4,11 @@ rec {
|
||||||
ns = "dns.serv.zentralwerk.org";
|
ns = "dns.serv.zentralwerk.org";
|
||||||
internalNS = [ ns ];
|
internalNS = [ ns ];
|
||||||
# public servers (slaves)
|
# public servers (slaves)
|
||||||
publicNS = [ "ns.c3d2.de" "ns.spaceboyz.net" ];
|
publicNS = [
|
||||||
|
"ns.c3d2.de"
|
||||||
|
"ns.spaceboyz.net"
|
||||||
|
# "ns1.supersandro.de" # TODO: enable
|
||||||
|
];
|
||||||
|
|
||||||
publicIPv4 = config.site.hosts.upstream4.interfaces.up4-pppoe.upstream.staticIpv4Address;
|
publicIPv4 = config.site.hosts.upstream4.interfaces.up4-pppoe.upstream.staticIpv4Address;
|
||||||
|
|
||||||
|
|
|
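Review bot: The ns1.supersandro.de addresses `188.34.196.104` and `2a01:4f8:1c1c:1d38::1` are enabled in the address list of the second hunk (around line 83) and in the notify/transfer block of the third hunk (around line 102) while the server itself stays commented out here with `# "ns1.supersandro.de" # TODO: enable`, so the same host is now maintained by hand in three places that can drift apart. If the intent is to stage the secondary before publishing it in NS, a comment on the two address entries saying so, e.g. `# ns1.supersandro.de (not yet in publicNS, see TODO)`, would make that explicit; otherwise consider deriving the address lists from a single attrset keyed by NS name so that resolving the TODO cannot leave the ACLs inconsistent. Whether the transfer/notify entries are authenticated by anything beyond source address is not visible in these hunks, so I cannot tell if adding bare IPs is sufficient here.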
@ -83,6 +83,8 @@ in
|
||||||
config.site.net.serv.hosts6.up4.knot
|
config.site.net.serv.hosts6.up4.knot
|
||||||
# ns.spaceboyz.net
|
# ns.spaceboyz.net
|
||||||
"172.22.24.4" "2a01:4f9:4b:39ec::4"
|
"172.22.24.4" "2a01:4f9:4b:39ec::4"
|
||||||
|
# ns1.supersandro.de
|
||||||
|
"188.34.196.104" "2a01:4f8:1c1c:1d38::1"
|
||||||
];
|
];
|
||||||
file =
|
file =
|
||||||
if dynamic
|
if dynamic
|
||||||
|
@ -100,6 +102,9 @@ in
|
||||||
172.22.24.4;
|
172.22.24.4;
|
||||||
95.217.229.209;
|
95.217.229.209;
|
||||||
2a01:4f9:4b:39ec::4;
|
2a01:4f9:4b:39ec::4;
|
||||||
|
# ns1.supersandro.de
|
||||||
|
188.34.196.104;
|
||||||
|
2a01:4f8:1c1c:1d38::1;
|
||||||
};
|
};
|
||||||
notify-source ${config.site.net.serv.hosts4.dns};
|
notify-source ${config.site.net.serv.hosts4.dns};
|
||||||
notify-source-v6 ${config.site.net.serv.hosts6.up4.dns};
|
notify-source-v6 ${config.site.net.serv.hosts6.up4.dns};
|
||||||
|
|
|
@ -1,124 +1,95 @@
|
||||||
{ hostName, config, lib, pkgs, ... }:
|
{ hostName, config, lib, pkgs, ... }:
|
||||||
|
|
||||||
lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
|
lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
|
||||||
services.unbound = {
|
services.kresd = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
instances = 4;
|
||||||
remote-control = {
|
listenPlain = [ "0.0.0.0:53" "[::0]:53" ];
|
||||||
control-enable = true;
|
extraConfig = /* lua */ ''
|
||||||
control-use-cert = false;
|
modules = {
|
||||||
};
|
'http',
|
||||||
server = {
|
'predict',
|
||||||
num-threads = 4;
|
'prefill',
|
||||||
verbosity = 1;
|
'serve_stale < cache', -- servce stail records while refreshing the record
|
||||||
prefetch = true;
|
'workarounds < iterate', -- solve problems around specific broken subdomains, mainly disables case randomization
|
||||||
prefetch-key = true;
|
'view'
|
||||||
serve-expired = true;
|
}
|
||||||
cache-min-ttl = 60;
|
|
||||||
cache-max-ttl = 3600;
|
|
||||||
infra-cache-slabs = "8";
|
|
||||||
key-cache-slabs = "8";
|
|
||||||
msg-cache-slabs = "8";
|
|
||||||
rrset-cache-slabs = "8";
|
|
||||||
msg-cache-size = "256m"; # half again 128m?
|
|
||||||
rrset-cache-size = "512m"; # half again 256m?
|
|
||||||
|
|
||||||
interface = [ "0.0.0.0" "'::0'" ];
|
cache.size = 500 * MB
|
||||||
# TODO: generate
|
cache.min_ttl(60)
|
||||||
access-control = builtins.concatLists [
|
|
||||||
[ # localhost
|
|
||||||
"::1/128 allow"
|
|
||||||
"127.0.0.0/8 allow"
|
|
||||||
]
|
|
||||||
[ # mgmt
|
|
||||||
"${config.site.net.mgmt.subnet4} allow"
|
|
||||||
]
|
|
||||||
[ # dn42
|
|
||||||
"fd23:42:c3d2:500::/56 allow"
|
|
||||||
"::172.20.72.0/117 allow"
|
|
||||||
"::172.22.99.0/120 allow"
|
|
||||||
"172.20.72.0/21 allow"
|
|
||||||
"172.22.99.0/24 allow"
|
|
||||||
]
|
|
||||||
[ # freifunk
|
|
||||||
"10.200.0.0/15 allow"
|
|
||||||
]
|
|
||||||
[ # DSI
|
|
||||||
"2a00:8180:2000:37::1/128 allow"
|
|
||||||
"2a00:8180:2c00:200::/56 allow"
|
|
||||||
]
|
|
||||||
[ # flpk
|
|
||||||
"${config.site.net.flpk.subnet4} allow"
|
|
||||||
"2a0f:5382:acab:1400::/56 allow"
|
|
||||||
]
|
|
||||||
[ # default
|
|
||||||
"0.0.0.0/0 deny"
|
|
||||||
"::/0 deny"
|
|
||||||
]
|
|
||||||
];
|
|
||||||
# For DNS over TLS
|
|
||||||
tls-cert-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
|
|
||||||
|
|
||||||
# allow reverse lookup of rfc1918 space, which includes the DN42 address space
|
net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
|
||||||
unblock-lan-zones = true;
|
http.prometheus.namespace = 'resolver_'
|
||||||
insecure-lan-zones = true;
|
|
||||||
|
|
||||||
domain-insecure = [
|
-- dns42
|
||||||
"dn42"
|
policy.add(policy.suffix(
|
||||||
"d.f.ip6.arpa"
|
policy.STUB({'fd42:d42:d42:54::1', 'fd42:d42:d42:53::1', '172.20.0.53', '172.23.0.53'}),
|
||||||
"ffdd"
|
policy.todnames({'dn42.', 'd.f.ip6.arpa', '20.172.in-addr.arpa', '21.172.in-addr.arpa', '22.172.in-addr.arpa', '23.172.in-addr.arpa'})
|
||||||
];
|
))
|
||||||
};
|
|
||||||
|
|
||||||
forward-zone = let
|
-- freifunk
|
||||||
mkFfddZone = name: {
|
policy.add(policy.suffix(
|
||||||
inherit name;
|
policy.STUB({'10.200.0.4', '10.200.0.16'}),
|
||||||
forward-addr = [ "10.200.0.4" "10.200.0.16" ];
|
policy.todnames({'ffdd.', '200.10.in-addr.arpa', '201.10.in-addr.arpa'})
|
||||||
};
|
))
|
||||||
in [ {
|
|
||||||
name = ".";
|
-- size.dns.localZones
|
||||||
forward-tls-upstream = true;
|
policy.add(policy.suffix(
|
||||||
forward-addr = [
|
policy.STUB({'${config.site.net.serv.hosts4.dns}', ${lib.concatStringsSep ", " (map (hosts6: "'${hosts6.dns}'") (builtins.attrValues config.site.net.serv.hosts6))}})
|
||||||
# Quad9
|
policy.todnames({${lib.concatStringsSep ", " (map (zone: "'${zone.name}'") config.site.dns.localZones)}})
|
||||||
"2620:fe::fe@853#dns.quad9.net"
|
))
|
||||||
"9.9.9.9@853#dns.quad9.net"
|
|
||||||
"2620:fe::9@853#dns.quad9.net"
|
-- forward to dns caches
|
||||||
"149.112.112.112@853#dns.quad9.net"
|
policy.add(policy.slice(
|
||||||
# Cloudflare DNS
|
policy.slice_randomize_psl(),
|
||||||
"2606:4700:4700::1111@853#cloudflare-dns.com"
|
-- quad9
|
||||||
"1.1.1.1@853#cloudflare-dns.com"
|
policy.TLS_FORWARD({
|
||||||
"2606:4700:4700::1001@853#cloudflare-dns.com"
|
{'2620:fe::fe', hostname='dns.quad9.net'},
|
||||||
"1.0.0.1@853#cloudflare-dns.com"
|
{'2620:fe::9', hostname='dns.quad9.net'},
|
||||||
];
|
{'9.9.9.9', hostname='dns.quad9.net'}
|
||||||
} ] ++
|
})
|
||||||
# Local networks
|
-- cloudflare
|
||||||
map ({ name, ... }: {
|
policy.TLS_FORWARD({
|
||||||
name = "${name}";
|
{'2606:4700:4700::1111', hostname='cloudflare-dns.com'},
|
||||||
forward-addr = [ "${config.site.net.serv.hosts4.dns}" ] ++
|
{'2606:4700:4700::1001', hostname='cloudflare-dns.com'},
|
||||||
map (hosts6: hosts6.dns)
|
{'1.1.1.1', hostname='cloudflare-dns.com'},
|
||||||
(builtins.attrValues config.site.net.serv.hosts6);
|
{'1.0.0.1', hostname='cloudflare-dns.com'}
|
||||||
}) config.site.dns.localZones
|
})
|
||||||
# Freifunk
|
})))
|
||||||
++ (map mkFfddZone [
|
|
||||||
"ffdd"
|
-- allow access from our networks
|
||||||
"200.10.in-addr.arpa"
|
'' + lib.concatMapStringsSep "\n" (cidr: "view:addr('${cidr}', policy.all(policy.PASS))") [
|
||||||
"201.10.in-addr.arpa"
|
# localhost
|
||||||
]);
|
"::1/128" "127.0.0.0/8"
|
||||||
# DN42
|
# mgmt
|
||||||
stub-zone = let
|
"${config.site.net.mgmt.subnet4}"
|
||||||
mkDn42Zone = name: {
|
# dn42
|
||||||
inherit name;
|
"fd23:42:c3d2:500::/56" "::172.20.72.0/117" "::172.22.99.0/120"
|
||||||
stub-prime = true;
|
"172.20.72.0/21" "172.22.99.0/24"
|
||||||
stub-addr = [
|
# freifunk
|
||||||
"172.20.0.53" "fd42:d42:d42:54::1"
|
"10.200.0.0/15"
|
||||||
"172.23.0.53" "fd42:d42:d42:53::1"
|
# DSI
|
||||||
];
|
"2a00:8180:2000:37::1/128" "2a00:8180:2c00:200::/56"
|
||||||
};
|
# flpk
|
||||||
in map mkDn42Zone [
|
"${config.site.net.flpk.subnet4}" "2a0f:5382:acab:1400::/56 allow"
|
||||||
"dn42" "d.f.ip6.arpa"
|
] + /* lua */ ''
|
||||||
"20.172.in-addr.arpa" "21.172.in-addr.arpa"
|
|
||||||
"22.172.in-addr.arpa" "23.172.in-addr.arpa"
|
|
||||||
];
|
-- drop everything that hasn't matched
|
||||||
};
|
view:addr('0.0.0.0/0', policy.all(policy.DROP))
|
||||||
|
view:addr('::/0', policy.all(policy.DROP))
|
||||||
|
|
||||||
|
predict = {
|
||||||
|
window = 15, -- sampling window
|
||||||
|
period = 24*(60/15) -- track last X hours, divide through sampling window
|
||||||
|
},
|
||||||
|
|
||||||
|
prefill.config({
|
||||||
|
['.'] = {
|
||||||
|
url = 'https://www.internic.net/domain/root.zone',
|
||||||
|
interval = 86400, -- seconds
|
||||||
|
}
|
||||||
|
})
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
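Review bot: The flpk entry `"2a0f:5382:acab:1400::/56 allow"` in the new view allow-list still carries the ` allow` suffix from the removed unbound `access-control` syntax, so the generated line becomes `view:addr('2a0f:5382:acab:1400::/56 allow', policy.all(policy.PASS))` and that prefix will not be a valid address; every other entry in the list was converted to a bare CIDR, so this should read `"2a0f:5382:acab:1400::/56"`, otherwise the flpk IPv6 range falls through to the final `view:addr('::/0', policy.all(policy.DROP))`. Two comment typos were carried into the Lua: `-- dns42` above the first `policy.add` should be `-- dn42`, and `-- servce stail records` on the serve_stale module line should be `-- serve stale records`. The removed unbound config listed dn42, d.f.ip6.arpa and ffdd under `domain-insecure` and set `unblock-lan-zones`/`insecure-lan-zones`; the replacement relies on `policy.STUB` for those zones, and a short comment on the stub blocks stating whether those answers are expected to bypass DNSSEC validation would document that presumably intended equivalence.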
@ -66,7 +66,24 @@
|
||||||
|
|
||||||
networking.hostName = hostName;
|
networking.hostName = hostName;
|
||||||
|
|
||||||
programs.fzf.keybindings = true;
|
programs = {
|
||||||
|
fzf.keybindings = true;
|
||||||
|
git = {
|
||||||
|
enable = true;
|
||||||
|
config = {
|
||||||
|
alias = {
|
||||||
|
co = "checkout";
|
||||||
|
lg = "log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(white)%s%C(reset) %C(dim white)- %an%C(reset)%C(bold y
|
||||||
|
ow)%d%C(reset)'";
|
||||||
|
remote = "remote -v";
|
||||||
|
st = "status";
|
||||||
|
undo = "reset --soft HEAD^";
|
||||||
|
};
|
||||||
|
pull.rebase = true;
|
||||||
|
rebase.autoStash = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
users.users.root.initialHashedPassword = "";
|
users.users.root.initialHashedPassword = "";
|
||||||
|
|
||||||
|
|