From d125d705621a6f3c40a1539c1d02ed6602129bad Mon Sep 17 00:00:00 2001
From: surtur
Date: Fri, 17 Nov 2023 22:15:11 +0100
Subject: [PATCH] nix: extract {net,coredns} stuff into a module

* set up global secrets (sops)
* import common network (lan/tailscale) settings in pertinent places
* use common coredns module for both nixpi and loki
---
 nix/hosts/loki/modules/coredns.nix | 380 +---------------------------
 nix/hosts/loki/secrets.yaml | 18 +-
 nix/hosts/nixpi/configuration.nix | 3 +-
 nix/hosts/nixpi/modules/coredns.nix | 18 ++
 nix/modules/coredns.nix | 285 +++++++++++++++++++++
 nix/secrets/coredns.yaml | 64 +++++
 nix/secrets/net.yaml | 74 ++++++
 7 files changed, 455 insertions(+), 387 deletions(-)
 create mode 100644 nix/hosts/nixpi/modules/coredns.nix
 create mode 100644 nix/modules/coredns.nix
 create mode 100644 nix/secrets/coredns.yaml
 create mode 100644 nix/secrets/net.yaml

diff --git a/nix/hosts/loki/modules/coredns.nix b/nix/hosts/loki/modules/coredns.nix
index 5dafa11..c66a75b 100644
--- a/nix/hosts/loki/modules/coredns.nix
+++ b/nix/hosts/loki/modules/coredns.nix
@@ -1,380 +1,18 @@
-{
- lib,
- config,
- pkgs,
- sops-nix,
- ...
-}: let
- serial = toString 15;
+{config, ...}:
+let
 svc = "coredns.service";
 usr = "${toString config.users.users.coredns.name}";
- domain = p.domainName;
- p = config.sops.placeholder;
 in {
- networking.firewall = {
- allowedTCPPorts = [53];
- allowedUDPPorts = [53];
+ imports = [../../../modules/coredns.nix];
+
+ sops.secrets = {
+ "coredns/ifaces".restartUnits = [svc];
+ "coredns/iptailscale".restartUnits = [svc];
+ "coredns/ifaces".owner = usr;
+ "coredns/iptailscale".owner = usr;
 };
- age = {
- secrets.zoneInternal.file = ../secrets/zoneInternal.age;
- secrets.zoneInternal.owner = "${toString config.users.users.coredns.name}";
- secrets.zoneExternal.file = ../secrets/zoneExternal.age;
- secrets.zoneExternal.owner = "${toString config.users.users.coredns.name}";
- # secrets.corednsEnv.file = ../secrets/corednsEnv.age;
- };
-
- sops = {
- secrets = {
- "coredns/cidrHomenet".restartUnits = [svc];
- "coredns/cidrTailnet".restartUnits = [svc];
- "coredns/ip".restartUnits = [svc];
- "coredns/ipwlan".restartUnits = [svc];
- "coredns/iptailscale".restartUnits = [svc];
- "coredns/localDNSCryptResolver".restartUnits = [svc];
- "net/ethLoki".restartUnits = [svc];
- "net/ethCaelum".restartUnits = [svc];
- "net/ethCarina".restartUnits = [svc];
- "net/ethNixpi".restartUnits = [svc];
- "net/ethSurtur".restartUnits = [svc];
- "net/wlanLoki".restartUnits = [svc];
- "net/wlanCarina".restartUnits = [svc];
-
- "coredns/cidrHomenet".owner = usr;
- "coredns/cidrTailnet".owner = usr;
- "coredns/ip".owner = usr;
- "coredns/ipwlan".owner = usr;
- "coredns/iptailscale".owner = usr;
- "coredns/localDNSCryptResolver".owner = usr;
- "net/ethLoki".owner = usr;
- "net/ethCaelum".owner = usr;
- "net/ethCarina".owner = usr;
- "net/ethNixpi".owner = usr;
- "net/ethSurtur".owner = usr;
- "net/wlanLoki".owner = usr;
- "net/wlanCarina".owner = usr;
- };
- };
-
- sops.templates.corednsZoneInternal = {
- owner = usr;
- content = ''
- $ORIGIN ${domain}.
- @ 1D IN SOA ${domain}. root.${domain}. (
- ${serial} ; serial (yyyymmdd##)
- 1m ; refresh
- 1m ; retry
- 1m ; expiry
- 1m ) ; minimum ttl
-
- 5m IN NS ${p."net/ethLoki"}.
- 5m IN NS ${p."net/wlanLoki"}.
- 5m IN NS ${p."net/ethCarina"}.
- 5m IN NS ${p."net/wlanCarina"}.
-
- ns1 5m IN A ${p."net/ethCarina"}
- ns2 5m IN A ${p."net/ethLoki"}
- ns3 5m IN A ${p."net/wlanLoki"}
- ns4 5m IN A ${p."net/wlanCarina"}
-
- grocy 5m IN A ${p."net/ethCaelum"}
- gonic 5m IN A ${p."net/ethLoki"}
- cloud 5m IN A ${p."net/ethCaelum"}
- media 5m IN A ${p."net/ethCaelum"}
- llama 5m IN A ${p."net/ethCaelum"}
- llama2 5m IN A ${p."net/ethCaelum"}
- auth 5m IN A ${p."net/ethLoki"}
- whoami 5m IN A ${p."net/ethLoki"}
- ffsync 5m IN A ${p."net/ethLoki"}
- cache 5m IN A ${p."net/ethLoki"}
- nixcache 5m IN CNAME cache.${domain}
- uptime 5m IN A ${p."net/ethLoki"}
-
- carina 5m IN A ${p."net/ethCarina"}
- loki 5m IN A ${p."net/ethLoki"}
- caelum 5m IN A ${p."net/ethCaelum"}
- nixpi 5m IN A ${p."net/ethNixpi"}
- surtur.${domain}. 5m IN A ${p."net/ethSurtur"}
- '';
- };
-
- sops.templates.corednsPls = {
- owner = usr;
- content = ''
- . {
- # TODO: listen on 853 and 443 and 1443 for DoT and DoH,
- # certs will be courtesy of caddy (or acme).
-
- # TODO: ad blocking?
- # hosts /etc/coredns/blocklist.hosts {
- # fallthrough
- # }
-
- reload
-
- bufsize 1232
-
- # TODO: add wlan and tailscale IPs
-
- # bind {$IP} {$IPWLAN} {$IPTailscale}
- bind ${p."coredns/ip"} ${p."coredns/ipwlan"}
- acl {
- allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 192.0.0.0/24 100.64.0.0/10
- block
- }
-
- hosts {
- reload 0
- fallthrough
- }
-
- # loadbalance
- # local dnscrypt-proxy.
- forward . ${p."coredns/localDNSCryptResolver"} {
- health_check 5s
- expire 600s
- policy sequential
- }
-
- #cache {
- # success 4096
- # success 10000
- # denial 2048
- # prefetch 512
- #}
-
- whoami
- health
-
- prometheus :9153
- errors
- log
- local
- any
- }
-
- # ${domain} {
- # bind {$IPTailscale}
- # view tailscale {
- # expr incidr(server_ip(), '{$cidrTailnet}')
- # }
-
- # reload 300s
- # file /etc/coredns/external-tailnet.zone
-
- # cache {
- # #success 1000
- # success 4096
- # denial 2048
- # prefetch 512
- # keepttl
- # }
- # errors
- # log
- #}
-
- ${domain} {
- bind ${p."coredns/ip"} ${p."coredns/ipwlan"}
- view homenet {
- expr incidr(server_ip(), '${p."coredns/cidrHomenet"}')
- }
-
- reload 300s
- # file ${config.age.secrets.zoneInternal.path}
- file ${config.sops.templates.corednsZoneInternal.path}
-
- cache {
- success 4096
- denial 2048
- prefetch 512
- keepttl
- }
- errors
- log
- local
- any
- }
-
- # vim: noexpandtab:ft=Corefile
- '';
- };
-
- sops.templates.corednsEnv = {
- content = ''
- cidrHomenet=${p."coredns/cidrHomenet"}
- cidrTailnet=${p."coredns/cidrTailnet"}
- domainName=${domain}
- IP=${p."coredns/ip"}
- IPWLAN=${p."coredns/ipwlan"}
- IPTailscale=${p."coredns/iptailscale"}
- localDNSCryptResolver=${p."coredns/localDNSCryptResolver"}
- '';
- };
-
- services.coredns = {
- enable = true;
- config = "import ${config.sops.templates.corednsPls.path}";
- #config = ''
- # . {
- # # TODO: listen on 853 and 443 and 1443 for DoT and DoH,
- # # certs will be courtesy of caddy
-
- # # TODO: ad blocking?
- # # hosts /etc/coredns/blocklist.hosts {
- # # fallthrough
- # # }
-
- # reload
-
- # bufsize 1232
-
- # # TODO: add wlan and tailscale IPs
-
- # # bind {$IP} {$IPWLAN} {$IPTailscale}
- # bind {$IP}
- # acl {
- # allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 192.0.0.0/24 100.64.0.0/10
- # block
- # }
-
- # hosts {
- # reload 0
- # fallthrough
- # }
-
- # # loadbalance
- # # local dnscrypt-proxy.
- # forward . {$localDNSCryptResolver} {
- # health_check 5s
- # expire 600s
- # policy sequential
- # }
-
- # #cache {
- # # success 4096
- # # success 10000
- # # denial 2048
- # # prefetch 512
- # #}
-
- # whoami
- # health
-
- # prometheus :9153
- # errors
- # log
- # }
-
- # # {$domainName} {
- # # bind {$IPTailscale}
- # # view tailscale {
- # # expr incidr(server_ip(), '{$cidrTailnet}')
- # # }
-
- # # reload 300s
- # # file /etc/coredns/external-tailnet.zone
-
- # # cache {
- # # #success 1000
- # # success 4096
- # # denial 2048
- # # prefetch 512
- # # keepttl
- # # }
- # # errors
- # # log
- # #}
-
- # {$domainName} {
- # bind {$IP}
- # view homenet {
- # expr incidr(server_ip(), '{$cidrHomenet}')
- # }
-
- # reload 300s
- # # file ${config.age.secrets.zoneInternal.path}
- # file ${config.sops.templates.corednsZoneInternal.path}
-
- # cache {
- # success 4096
- # denial 2048
- # prefetch 512
- # keepttl
- # }
- # errors
- # log
- # }
-
- # # vim: noexpandtab:ft=Corefile
- #'';
- };
-
- # systemd.services.coredns.unitConfig = {
- # upholds = config.systemd.services.dnscrypt-proxy2;
- # wants = config.systemd.services.dnscrypt-proxy2;
- # };
- # systemd.services.coredns.serviceConfig = {
 systemd.services.coredns = {
- after = ["sops-nix.service"];
 wants = ["dnscrypt-proxy2.service"];
- serviceConfig = {
- # StateDirectory = "coredns";
- # WorkingDirectory = "/etc/coredns";
- WorkingDirectory = "/";
- # StartLimitIntervalSec = 5;
- StartLimitBurst = 10;
- Restart = lib.mkDefault "always";
- RestartSec = 10;
- # PermissionsStartOnly = true;
- ProtectSystem = "strict";
- LimitNOFILE = 1048576;
- LimitNPROC = 512;
- User = "coredns";
- # EnvironmentFile = config.age.secrets.corednsEnv.path;
- EnvironmentFile = config.sops.templates.corednsEnv.path;
- # LoadCredential = lib.mapAttrsToList (name: path: "${name}:${path}") cfg.credentials;
- DeviceAllow = "";
- LockPersonality = true;
- MemoryDenyWriteExecute = false;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateTmp = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- # DynamicUser = true;
- ProtectProc = "invisible";
- RemoveIPC = true;
- # RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallErrorNumber = "EPERM";
- SystemCallFilter = [
- "@system-service"
- "~@cpu-emulation"
- "~@debug"
- "~@keyring"
- "~@memlock"
- "~@obsolete"
- # "~@privileged"
- "~@setuid"
- ];
- UMask = 0027;
- };
 };
-
- users.users.coredns = {
- group = "coredns";
- home = "/etc/coredns";
- createHome = false;
- isSystemUser = true;
- extraGroups = ["users"];
- };
- users.groups.coredns = {};
 }
diff --git a/nix/hosts/loki/secrets.yaml b/nix/hosts/loki/secrets.yaml
index 8330e72..e001a03 100644
--- a/nix/hosts/loki/secrets.yaml
+++ b/nix/hosts/loki/secrets.yaml
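Review bot: The new host wrapper that replaces this file is byte-identical to the one created for nixpi in the same commit (both are blob c66a75b), so the per-host part — the `"coredns/ifaces"` and `"coredns/iptailscale"` declarations plus `wants = ["dnscrypt-proxy2.service"]` — is duplicated rather than shared. The two secrets are presumably kept here because they resolve against each host's own `sops.defaultSopsFile`, but the shared module in nix/modules/coredns.nix could declare them itself with `sopsFile` left unset and carry the `wants` next to its `after = ["sops-nix.service"]`, leaving each host with only the `imports` line. If the split is deliberate, a one-line comment above `sops.secrets` saying why these two keys stay host-local would spare the next reader the comparison. The same applies to nix/hosts/nixpi/modules/coredns.nix.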
@@ -12,21 +12,9 @@ authentik:
 emailFrom: ENC[AES256_GCM,data:aWpZR5jq1XSCYCDaSx8pE3Xx,iv:HAKQbnoA+uXNh/N3EjoIjId7MYu5ivZd5G7ccwmlz0I=,tag:yw9of9h8a+6annAi+rBdVA==,type:str]
 #ENC[AES256_GCM,data:7Ux8lB94gwD/7pab3THr8ExJ5DwsMBikqECFIRYEmIAIJh8RnGjORnGIk+Dx06NZ0yr16JMD3o0kyjNL,iv:bIfJmwB4Y/oS241keTPG7Ty9hT7U12ES3XV2vHKFKgI=,tag:qDTXF62SzpMqDNqklkZdsg==,type:comment]
 emailPassword: ENC[AES256_GCM,data:Jr1lpggvsxO50dvQ/jWjinN9CtSA5KiVbIuisYtx+lzzkOZojBlYkOiX3aYNfxX1MOPlsA==,iv:Bl6siYZ6wneYOeZ2PivAUJS1JnLFRgYtdbjrmrKOOBI=,tag:YrsvF3Q1cs6w+bUlHA9Wgw==,type:str]
-net:
- ethSurtur: ENC[AES256_GCM,data:YvPqV8JDrkHtpqgW,iv:mI3vXwSlmsE/t6z68SovLmDRmKGQzGuxnFxHJOw7Fys=,tag:TrmFvuyGW9Smp5MJRzTPrg==,type:str]
- ethNixpi: ENC[AES256_GCM,data:CiefW425x9pE24EJ,iv:dnWQNaNrvw4onfENV5t7kTrSKDxycNdHuAolwhKvS6w=,tag:jt205dplzDbqgetBcM/SMg==,type:str]
- ethLoki: ENC[AES256_GCM,data:dP23Oj9pPPntNnx0,iv:kdfdkKhHQQED/iH1BDRUB/C3R/vdVgY4Pm8nZMc62uQ=,tag:8qb669FIhwI5AU/LHfj7wg==,type:str]
- ethCaelum: ENC[AES256_GCM,data:KRiIHgqJVZHbMOEPlw==,iv:xbZBkEboi5B7M0PuWytkc6+Y2FoZ7LhDox39yX4ZTIk=,tag:Y2wElHZzxTn68kTK0e48UQ==,type:str]
- ethCarina: ENC[AES256_GCM,data:IIzTlIdGo17ie1XA6w==,iv:v79kkPFbhj5x+8xTkxSKCS9xCaTzlMK+RaGQgiKnDn8=,tag:cFNDqag0JGLHgVFQ3tA9mA==,type:str]
- wlanLoki: ENC[AES256_GCM,data:eSa++RH6t/W5yQWt,iv:xn6IEROjq6CLZ4mGBZB6vZCIAtVJmrjCTs66G+OzCcY=,tag:jLFogLZtyPbprXK2OhWXIw==,type:str]
- wlanCarina: ENC[AES256_GCM,data:ugykYJujsQLk4RvwGw==,iv:Ge4c+bmUWcJCKv8cVXX1Wos14rCfUTA+AvLBLq4SsyM=,tag:9litWR7kWu8f+aml0MXzEQ==,type:str]
 coredns:
- cidrHomenet: ENC[AES256_GCM,data:Br7ixh52tVp4fqr9W6U=,iv:neSAnc66BXK++PhIIOQSrs5gyMtB2IX1nLwClTwemq8=,tag:bgqIL/nPOnbbRPjBXC0Azg==,type:str]
- cidrTailnet: ENC[AES256_GCM,data:+ZqzEqfERBFHwTNV2w==,iv:9VZitgr4zvy3l/EwQx2M8P8fAo2UZ9sMQ7jp3Soblto=,tag:MWxn1PXtA3BLo/1WXRUrcg==,type:str]
- ip: ENC[AES256_GCM,data:zucOcXk1dnGvhmlM,iv:rWIO6uMmMSNi+SvKtZGrCF1J/7hvvWzW6vZUqMkwQZg=,tag:/v93vM42IQJQJhd7kbGLbw==,type:str]
- ipwlan: ENC[AES256_GCM,data:2aMXVAMm5TmPuPog,iv:B8Rl+udtRGBHSTij8w1xvxAaVcjyyuSwXJYwQKcqNQU=,tag:bp/EhvEGI0hK8+le0j8OKQ==,type:str]
+ ifaces: ENC[AES256_GCM,data:8r4R2lEfZpo+DeZbFig=,iv:kupaWBWuJQ0IHB5Sf8LRHYnNai1Tyhh+isD9HTEHrkY=,tag:w8zz7aJW1v4ArpzEsbWmRw==,type:str]
 iptailscale: ENC[AES256_GCM,data:eNAUjBp8Ad5E,iv:EOd/go9iW36tXjPr+T9J32RNIRk+oLG25GqWcUww2dI=,tag:03yCgvgSayY/gkQ73X74jA==,type:str]
- localDNSCryptResolver: ENC[AES256_GCM,data:ANwDFvg1dMFF77jJ,iv:yIZOhD1G78saflyeR7BBqeM1s/PBGbeb5zg0hYLmGTo=,tag:nM41w2n1cfbkrhPdPJfoyw==,type:str]
 ffsync:
 masterSecret: ENC[AES256_GCM,data:os90pvduX4nni2pM6suYr7PODNitUSN3sqsu062eI9PE9XYM6aAVlCubFDBfzgDIs/UAZpULD5Q20ZXQF70gUllNS2QzEoaMU8NerrGWYufjZO8n4Xvm5K/zRTyZbjBcFgKwwC9pQ785oISnumX0EF7hWyfVv/XX5g0ietQOpgk=,iv:xSVg5QB9EzXmOWp+66Wu8tZQjQQ6DMJzYOT2lKNVFfM=,tag:XDmgsXNeP2lzTSVS2//kbg==,type:str]
 tokenserverMetricsHashSecret: ENC[AES256_GCM,data:OGMjG+JfWdfo8q38QbauVEpJOTZLkW1IsCJjHCPcEbMxjvhyIWhON9iczIdkALiQgjY7RK8YzE3Uss8U/caqmqNszy8uJ7X31XV6fIpM57vHn0X9vPhcthcNG7qLgKZ4kouYLA4ERtpOhpaBGL1FJbJsYoJi3oA9PprxkRoz65M=,iv:pPzK7D4UlvuRDqAwFcPnwy1rWc5zm091q0qKafT0IZ4=,tag:xlH8DRzBoICknSgkYuRJdA==,type:str]
@@ -65,8 +53,8 @@ sops:
 c200TjlWUnFqRCs4V0FjM25iT3YrZTQKfpfrN++o6SZerazvwpuiYLpvJL4Bb4U/
 UIpMVS/rJhDrrBfMsCj253CRYRu73mbN28xnK+e68cl8l3EiMyEkEA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-11-13T21:36:25Z"
- mac: ENC[AES256_GCM,data:LLXZTAAvR00tY0p6ANpP2SABwlI/hgcHlAArv5YkohykOaamWnHp4ehd248ouFjywPIFDu1YZYVcCPjATuKYv69I+qAD+Y2bApJQNkegthfR3oHQaU6eSpiloMx+Yqqvlb6XpoAB/ewgbPSDRBsQ8tibrNtwhOlX5nqIv5M2sIo=,iv:egsHl9G80EoDHIZannXE1KGJ4MJ/30cYCxfngJFRx7Q=,tag:FewLvSmbfNGyyTdZ2IPK/w==,type:str]
+ lastmodified: "2023-11-17T21:09:07Z"
+ mac: ENC[AES256_GCM,data:fj8V8BH2tOGXTrV/1ON5OKY3UIidmKEOx64PM9Bhat+Q+2eEFMvu9cMgp/mfm+xLi5nPaCRSoKqaFUHP6bGZBM2MU6zaGGbo8ltsLqhd884kRmqHLKWsXKm6SJ1kSmDNJq7+vnVa+1PxBrTQ8Te/xYyZq+DQFllDfaRBpFQ5htM=,iv:Mq5y0HQFSxYk9YgS50CCSuRA04q9C+xc7NY22407AxQ=,tag:oOvLMXYUx4qjbGj5GmMaug==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3
diff --git a/nix/hosts/nixpi/configuration.nix b/nix/hosts/nixpi/configuration.nix
index bdc2659..f382f6a 100644
--- a/nix/hosts/nixpi/configuration.nix
+++ b/nix/hosts/nixpi/configuration.nix
@@ -5,9 +5,10 @@
 ...
 }: {
 imports = [
+ ./modules/coredns.nix
+
 ../../modules/base.nix
 ../../modules/dnscrypt.nix
- # ../loki/modules/coredns.nix
 ];
 sops = {
diff --git a/nix/hosts/nixpi/modules/coredns.nix b/nix/hosts/nixpi/modules/coredns.nix
new file mode 100644
index 0000000..c66a75b
--- /dev/null
+++ b/nix/hosts/nixpi/modules/coredns.nix
@@ -0,0 +1,18 @@
+{config, ...}:
+let
+ svc = "coredns.service";
+ usr = "${toString config.users.users.coredns.name}";
+in {
+ imports = [../../../modules/coredns.nix];
+
+ sops.secrets = {
+ "coredns/ifaces".restartUnits = [svc];
+ "coredns/iptailscale".restartUnits = [svc];
+ "coredns/ifaces".owner = usr;
+ "coredns/iptailscale".owner = usr;
+ };
+
+ systemd.services.coredns = {
+ wants = ["dnscrypt-proxy2.service"];
+ };
+}
diff --git a/nix/modules/coredns.nix b/nix/modules/coredns.nix
new file mode 100644
index 0000000..a835b85
--- /dev/null
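Review bot: The new nixpi wrapper declares `"coredns/ifaces"` and `"coredns/iptailscale"` without a `sopsFile`, so they resolve against nixpi's default sops file, yet this commit only adds a `coredns.ifaces` key to nix/hosts/loki/secrets.yaml and touches no nixpi secrets file. Unless those two keys already exist on the nixpi side (not visible here), sops-nix will fail at activation with a missing-key error on the first deploy; worth confirming before merging, and a comment such as `# both keys must exist in this host's sops.defaultSopsFile` above `sops.secrets` would document the dependency. Note also that `bind ${p."coredns/ifaces"}` in the shared module is substituted verbatim, so the value stored for nixpi must be the space-separated address list that CoreDNS's bind directive expects.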
+++ b/nix/modules/coredns.nix 
@@ -0,0 +1,285 @@
+{
+ lib,
+ config,
+ pkgs,
+ sops-nix,
+ ...
+}: let
+ serial = toString 15;
+ svc = "coredns.service";
+ usr = "${toString config.users.users.coredns.name}";
+ domain = p.domainName;
+ p = config.sops.placeholder;
+in {
+ networking.firewall = {
+ allowedTCPPorts = [53];
+ allowedUDPPorts = [53];
+ };
+
+ sops = {
+ secrets = {
+ "domainName".restartUnits = [svc];
+ "coredns/cidrHomenet".restartUnits = [svc];
+ "coredns/cidrTailnet".restartUnits = [svc];
+ "coredns/localDNSCryptResolver".restartUnits = [svc];
+ "eth/loki".restartUnits = [svc];
+ "eth/caelum".restartUnits = [svc];
+ "eth/carina".restartUnits = [svc];
+ "eth/nixpi".restartUnits = [svc];
+ "eth/surtur".restartUnits = [svc];
+ "wlan/loki".restartUnits = [svc];
+ "wlan/carina".restartUnits = [svc];
+
+ "domainName".owner = usr;
+ "coredns/cidrHomenet".owner = usr;
+ "coredns/cidrTailnet".owner = usr;
+ "coredns/localDNSCryptResolver".owner = usr;
+ "eth/loki".owner = usr;
+ "eth/caelum".owner = usr;
+ "eth/carina".owner = usr;
+ "eth/nixpi".owner = usr;
+ "eth/surtur".owner = usr;
+ "wlan/loki".owner = usr;
+ "wlan/carina".owner = usr;
+
+ "domainName".sopsFile = ../secrets/coredns.yaml;
+ "coredns/cidrHomenet".sopsFile = ../secrets/coredns.yaml;
+ "coredns/cidrTailnet".sopsFile = ../secrets/coredns.yaml;
+ "coredns/localDNSCryptResolver".sopsFile = ../secrets/coredns.yaml;
+ "eth/loki".sopsFile = ../secrets/net.yaml;
+ "eth/caelum".sopsFile = ../secrets/net.yaml;
+ "eth/carina".sopsFile = ../secrets/net.yaml;
+ "eth/nixpi".sopsFile = ../secrets/net.yaml;
+ "eth/surtur".sopsFile = ../secrets/net.yaml;
+ "wlan/loki".sopsFile = ../secrets/net.yaml;
+ "wlan/carina".sopsFile = ../secrets/net.yaml;
+ };
+ };
+
+ sops.templates = {
+ corednsZoneInternal = {
+ owner = usr;
+ content = ''
+ $ORIGIN ${domain}.
+ @ 1D IN SOA ${domain}. root.${domain}. (
+ ${serial} ; serial (yyyymmdd##)
+ 1m ; refresh
+ 1m ; retry
+ 1m ; expiry
+ 1m ) ; minimum ttl
+
+ 5m IN NS ${p."eth/loki"}.
+ 5m IN NS ${p."wlan/loki"}.
+ 5m IN NS ${p."eth/carina"}.
+ 5m IN NS ${p."wlan/carina"}.
+
+ ns1 5m IN A ${p."eth/carina"}
+ ns2 5m IN A ${p."eth/loki"}
+ ns3 5m IN A ${p."wlan/loki"}
+ ns4 5m IN A ${p."wlan/carina"}
+
+ grocy 5m IN A ${p."eth/caelum"}
+ gonic 5m IN A ${p."eth/loki"}
+ cloud 5m IN A ${p."eth/caelum"}
+ media 5m IN A ${p."eth/caelum"}
+ llama 5m IN A ${p."eth/caelum"}
+ llama2 5m IN A ${p."eth/caelum"}
+ auth 5m IN A ${p."eth/loki"}
+ whoami 5m IN A ${p."eth/loki"}
+ ffsync 5m IN A ${p."eth/loki"}
+ cache 5m IN A ${p."eth/loki"}
+ nixcache 5m IN CNAME cache.${domain}
+ uptime 5m IN A ${p."eth/loki"}
+
+ carina 5m IN A ${p."eth/carina"}
+ loki 5m IN A ${p."eth/loki"}
+ caelum 5m IN A ${p."eth/caelum"}
+ nixpi 5m IN A ${p."eth/nixpi"}
+ surtur 5m IN A ${p."eth/surtur"}
+ '';
+ };
+
+ corednsCorefile = {
+ owner = usr;
+ content = ''
+ . {
+ # TODO: listen on 853 and 443 and 1443 for DoT and DoH,
+ # certs will be courtesy of caddy (or acme).
+
+ # TODO: ad blocking?
+ # hosts /etc/coredns/blocklist.hosts {
+ # fallthrough
+ # }
+
+ reload
+
+ bufsize 1232
+
+ # TODO: add wlan and tailscale IPs
+
+ # bind {$IP} {$IPWLAN} {$IPTailscale}
+ bind ${p."coredns/ifaces"}
+ acl {
+ allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 192.0.0.0/24 100.64.0.0/10
+ block
+ }
+
+ hosts {
+ reload 0
+ fallthrough
+ }
+
+ # loadbalance
+ # local dnscrypt-proxy.
+ forward . ${p."coredns/localDNSCryptResolver"} {
+ health_check 5s
+ expire 600s
+ policy sequential
+ }
+
+ #cache {
+ # success 4096
+ # success 10000
+ # denial 2048
+ # prefetch 512
+ #}
+
+ whoami
+ health
+
+ prometheus :9153
+ errors
+ log
+ local
+ any
+ }
+
+ # ${domain} {
+ # bind {$IPTailscale}
+ # view tailscale {
+ # expr incidr(server_ip(), '{$cidrTailnet}')
+ # }
+
+ # reload 300s
+ # file /etc/coredns/external-tailnet.zone
+
+ # cache {
+ # #success 1000
+ # success 4096
+ # denial 2048
+ # prefetch 512
+ # keepttl
+ # }
+ # errors
+ # log
+ #}
+
+ ${domain} {
+ bind ${p."coredns/ifaces"}
+ view homenet {
+ expr incidr(server_ip(), '${p."coredns/cidrHomenet"}')
+ }
+
+ reload 300s
+ file ${config.sops.templates.corednsZoneInternal.path}
+
+ cache {
+ success 4096
+ denial 2048
+ prefetch 512
+ keepttl
+ }
+ errors
+ log
+ local
+ any
+ }
+
+ # vim: noexpandtab:ft=Corefile
+ '';
+ };
+
+ corednsEnv = {
+ content = ''
+ cidrHomenet=${p."coredns/cidrHomenet"}
+ cidrTailnet=${p."coredns/cidrTailnet"}
+ domainName=${domain}
+ IPTailscale=${p."coredns/iptailscale"}
+ localDNSCryptResolver=${p."coredns/localDNSCryptResolver"}
+ '';
+ };
+ };
+
+ services.coredns = {
+ enable = true;
+ config = "import ${config.sops.templates.corednsCorefile.path}";
+ };
+
+ # systemd.services.coredns.unitConfig = {
+ # upholds = config.systemd.services.dnscrypt-proxy2;
+ # wants = config.systemd.services.dnscrypt-proxy2;
+ # };
+ # systemd.services.coredns.serviceConfig = {
+ systemd.services.coredns = {
+ after = ["sops-nix.service"];
+ # wants = ["dnscrypt-proxy2.service"];
+ serviceConfig = {
+ # StateDirectory = "coredns";
+ # WorkingDirectory = "/etc/coredns";
+ WorkingDirectory = "/";
+ # StartLimitIntervalSec = 5;
+ StartLimitBurst = 10;
+ Restart = lib.mkDefault "always";
+ RestartSec = 10;
+ # PermissionsStartOnly = true;
+ ProtectSystem = "strict";
+ LimitNOFILE = 1048576;
+ LimitNPROC = 512;
+ User = "coredns";
+ EnvironmentFile = config.sops.templates.corednsEnv.path;
+ # LoadCredential = lib.mapAttrsToList (name: path: "${name}:${path}") cfg.credentials;
+ DeviceAllow = "";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = false;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ # DynamicUser = true;
+ ProtectProc = "invisible";
+ RemoveIPC = true;
+ # RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallErrorNumber = "EPERM";
+ SystemCallFilter = [
+ "@system-service"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@keyring"
+ "~@memlock"
+ "~@obsolete"
+ # "~@privileged"
+ "~@setuid"
+ ];
+ UMask = 0027;
+ };
+ };
+
+ users.users.coredns = {
+ group = "coredns";
+ home = "/etc/coredns";
+ createHome = false;
+ isSystemUser = true;
+ extraGroups = ["users"];
+ };
+ users.groups.coredns = {};
+}
diff --git a/nix/secrets/coredns.yaml b/nix/secrets/coredns.yaml
new file mode 100644
index 0000000..7d49d0f
--- /dev/null
+++ b/nix/secrets/coredns.yaml
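Review bot: `nixcache 5m IN CNAME cache.${domain}` in the corednsZoneInternal template has no terminating dot, so under `$ORIGIN ${domain}.` the target is read as a relative name and expands to `cache.${domain}.${domain}.`, which will not resolve; the old file's `surtur.${domain}.` shows the intended form, so write `nixcache 5m IN CNAME cache` or `nixcache 5m IN CNAME cache.${domain}.`. The module also reads `p."coredns/ifaces"` (both `bind` lines of the Corefile) and `p."coredns/iptailscale"` (corednsEnv) without declaring those secrets, so every host that imports it must declare them with `owner = usr` and `restartUnits = [svc]` as loki and nixpi do in this commit; a header comment such as `# importing hosts must declare sops.secrets."coredns/ifaces" and "coredns/iptailscale" (owner = coredns user, restartUnits = coredns.service)` would make that contract explicit, since a missing placeholder presumably surfaces only as a missing-attribute evaluation error. `pkgs` and `sops-nix` in the module arguments are unused and could be dropped. Note that both nix/secrets/coredns.yaml and nix/secrets/net.yaml carry a `domainName` key while only the coredns.yaml copy is wired up here, which invites the two drifting apart.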
@@ -0,0 +1,64 @@ +domainName: ENC[AES256_GCM,data:ys23SBcHVDxjLqmN9rPqpk7V5A==,iv:mTOnNeZcoJHbvcIx4e3Xj8Km3gOyhr8uFeP5XFaYAto=,tag:Vm5yHRbccKBXSh3w2JztDg==,type:str] +coredns: + cidrHomenet: ENC[AES256_GCM,data:S7bgH+1tKhoUQICaRuI=,iv:kI75Yqm5uh1ruS1jr9+meiyqNIfatLc2grBbgj5KT/8=,tag:G9fHCKWrEki5jmVylpmJgg==,type:str] + cidrTailnet: ENC[AES256_GCM,data:foRfZ0pc9WeGp2Ljlg==,iv:Wg9n6ZB6QP6V4FaA1BvqhgFVAZ5jSk72EaZgv0Oed50=,tag:5r3ZYpYuw2U3QFbnrmQWMQ==,type:str] + ip: ENC[AES256_GCM,data:5pOpPfgLZ7jxSUPh,iv:4jCLP2259u2uCMEFb4/f03h0HDnSrw3lBcVZPlQ2Ifw=,tag:gMaPWIv/lmx3p3OL+LcNKA==,type:str] + ipwlan: ENC[AES256_GCM,data:NsdSshP9f+2sT/lx,iv:IzIhJH91oFuJPzOTxdtYlbOWTxgVjX9wbzdNgjP8/uQ=,tag:iI+6gC7zq2TffI0zyNN/gQ==,type:str] + iptailscale: ENC[AES256_GCM,data:9vmb6w+Q0NkD,iv:zljhbm97rrUWmviUdJNeek9h8qrujEn/MCEkHpKCusY=,tag:fkbzCiVQmV4U4sL0ZSUUKA==,type:str] + localDNSCryptResolver: ENC[AES256_GCM,data:0BO8bBspqGMhirvp,iv:7akm69vdALMzjXr74959TOH5qyqA2dtEp+rg3/z3YfM=,tag:UkNwqNd7HPUfACuYLexoKg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkL011ZHpYTTNlOFNSYVB3 + TElTL2w2SkNON3VhRGxPTGhLS0JYYWJwK2tNCjlwU0VlbEZZRnczbnAvRTRBbHl2 + Q1lvSW5TTVZucHgydllKL1Z3OVZnL0kKLS0tIFp6U2tFNTlLdldOd0hja1phYTRj + Y0htYmRMRFJZSDFpbGxlWEJQTlpKRW8KChx6Aj8ICiMUOhH8Z/8secPe5Wj+w1Xf + 2Y/Rwou4XzVqZ+fjqJhtJlp5CrD/cOP0ZZSv+8ReieaEilluMMetvg== + -----END AGE ENCRYPTED FILE----- + - recipient: age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSllJNUJVdkNCOVZsdEhM + aGc5eU5CL0dPMU9UZ3BvdXNhWDlhdGpRK1hZCk9FS0l1OGFiUTJyYWFnQ0xmamdY + MU45MFltTjZJM2o4aDJpc0xuTzBvTVkKLS0tIHRNMDVFMk1TZlNuVmF0cnFEYk92 + THhGd3ViaXZkeGhidThleFJ1VGs5ekUKl/Mqr/JMO/RnXWKN/UjRsZqVexc87ExQ + 
eQQE+xA4baYpXaDPINh6EeQuT06dIxTHoxnYxHQUc5DeI8auAgJ0bw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1drh8uq93mhzhj3rz9s2gcnht04wc5hukzutlu4l5qc55hxaznd5s9xs2f6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZmNoWHZGbEJGYXhvZExy + cGNsT0pPVGJnTVhQQkhUWThYN2tyaGxqVFdvCmR5YnVLOFZxTmh3QkxPLzd1dWlJ + NjBXeWMzK0s3akRyLzVZZE1sQ0lKTnMKLS0tIG1BWjE5ZFZTczBkY0h0TTkvT0dq + cXVSaVMrNWUxdERLSi8zanorOEdRT00Ke08Yc+g5AtL+P/jKnnxQztau2giHrLw6 + 0ielAsZanyp9Wlk06ke4IcPk1dJJWv0bOA9xk2hiDs96+U8yQG7zkQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age136558pknq6glx2xftavt7mm3p4jcpu54kej2kxryeu78m5r59e0qvawl5l + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WWhxOHV3QldPNGp0STV6 + SHppeENoT1AzWW9HdXRGd2tlWWI5UkVzR25zCm9uQ1BQNUdNOVYvam5WNGNtcXZj + VWRTT0lneVR5cmQ0TjZDQ3FJcHdqY3cKLS0tIDlsMlpaRDB2ekh4VVRrME1Yb2xE + S1MwS0lxOVg2Yk9OUGFXZTh5MXVKbG8KBnZ4HeSB55heX6Jg34wdPjcvolLZshJ2 + Uqil4r6Tn7fuWEw29w0rKGleUm1duu9FcKVKBCs+Ctp/BiIUXDZ6Kw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17qvnfr98kxn0yuw6zjsmrl5nqlganzakn77pchnf5cr3an4gdp5s8dn26v + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKb0hNSlZqZnhiRjltMmha + azduZ0t2dG5WZ1k1ZDRuS0pSS2FsL2RFS213Clc5TExPYzZJZVcrUEpFQkxCaFJJ + bXJKZFZPdm5oK2M1dW1zbTV3Ni8zencKLS0tIERXRFd3cGRhR0Z1T2pXNlRpcVo1 + TElBS2taRmVhOTRqSVgxSVpnUFBuTWMKZfMSW+9aUPozc1EPDr7FHbRcZn8jf0j8 + a5XopiWgohlGz8zgwyyh5qStx0Fz4NS6gjm7L1Q7p7fWeUDvVxol9w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-14T22:36:13Z" + mac: ENC[AES256_GCM,data:Et1fjTEsjkYUMtcCdcLSpuXyJHm/SIKKxH4+PJnT3oiywwRBMWslFpe2WLFmgijncOwbShW+Q5Kw7ZrBScqkSTob8f2+nlMxRK9oeWhZ3XL2vn7aDcgEsexsnUPqJ8Dt160+r2PbC24L5h+rWs6WZ6Wq05K18KVa7Bya35vHQ1M=,iv:kvHnnzH6zey4MaXl+vct83MXgLbsEdF7I8GDvu13FJo=,tag:6olK8I6jlORtry5v8Ht3Yg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 
diff --git a/nix/secrets/net.yaml b/nix/secrets/net.yaml
new file mode 100644
index 0000000..1b4b63d
--- /dev/null
+++ b/nix/secrets/net.yaml
@@ -0,0 +1,74 @@ +domainName: ENC[AES256_GCM,data:Xe/MC5rRDaFuUcGf3mhMmG7ILA==,iv:DHff0fqt5nbRiKpXtk6k9+6OFPyfcs8L1ho1eTs7Kfs=,tag:nppuElFh0DjFJ8A0Ak4dBQ==,type:str] +tailnet: ENC[AES256_GCM,data:HImJc93oPPri,iv:0K0i9X7x7TOVCOW1ipPukKhIO+miCzKp1X9sv0bVT0A=,tag:XnLw4RVmVCnX6pEb/zg6sw==,type:str] +eth: + loki: ENC[AES256_GCM,data:lZ2e5HxY7/XtiU+R,iv:apu1kCi5TvLsIWEaZQ2QNWcefoXmmrtgYy1DISp91lU=,tag:RQtbUagoiPXpJBE3O/ZA2w==,type:str] + caelum: ENC[AES256_GCM,data:cRTIdVc5tAMt1Js1SA==,iv:I6ZjjGTWF8kkkReqCDRRKZXR8N+GUrukuyXE+hQupyw=,tag:UOdopHOL2bs1KU3eXTHNDw==,type:str] + carina: ENC[AES256_GCM,data:xN09jOC1BKo0HBCTKQ==,iv:5DbvoV3F3ty0H/MDGEumXmEqmiWj9VhkvawJZDgxspM=,tag:F5Seap6tSxfy6PCHlWkEuw==,type:str] + nixpi: ENC[AES256_GCM,data:g0LlB1mXimcRQbC1,iv:RdLKFX18cgo9qMxQjwLiVSCqbv/zhWFrOmOaYT+1uK8=,tag:15USXTXPVfIEFMDeBD/LwA==,type:str] + surtur: ENC[AES256_GCM,data:kaoTjzskSy3BswJg,iv:ola/bEaM/eOjypQ/OPHG2Ho2lRo3nJZiInnTCG9HIWs=,tag:jM5cY3JdgXpQEJuMuJhKWg==,type:str] +wlan: + loki: ENC[AES256_GCM,data:OgOI5dcelAFrb8iB,iv:/Yn1SN05Nk8/Q1FWCVmFJU0cqrEU187eLWp68zjBwOw=,tag:qhCMFZ+5ByviVMxp3b3eIQ==,type:str] + carina: ENC[AES256_GCM,data:6JfZA7cKGCnuqJp4eg==,iv:qgMI14ZUgC0dw5OrGSZdxizaBvKZrorxFxM4tTNF6bA=,tag:QvL0x8D7snaByQGsx7TM6A==,type:str] +ts: + carina: ENC[AES256_GCM,data:A6BifPdxBaesu+aM5Q==,iv:hJKHdEo6iQDpp1UXFs6Hmm/pfvBFkzFPrI3sRUk87Gw=,tag:j7EE1WEzBrUXy7aA86WDMQ==,type:str] + loki: ENC[AES256_GCM,data:+hWpbdDtebxnRhxJSmg=,iv:suY6KJ/UI6OIiMv6jMW3Vjax659rBlzsHmn5fPo/qe8=,tag:Aj59VFC4Cb0tZb+bmkYnXA==,type:str] + nixpi: ENC[AES256_GCM,data:Qch5cOaTwr2GSQIP2Gg=,iv:lDdU7Vjo4iZiDp6iwMsi6yC01O+l00An0UcAYig7/so=,tag:nT6KYpElGl76GEyARDLoWw==,type:str] + caelum: ENC[AES256_GCM,data:mSZ2NApcS4x1auyVEoI=,iv:MtQ3RW6r7Jm3xn17F9UJj2rWEUChelt8OWOZpZp8SIs=,tag:KPtWbDo2Ya7WgIqqdse5Tw==,type:str] + vela: ENC[AES256_GCM,data:1g5QfUX5GyH9MifEjXL0,iv:vGERMdF4n4KJoNIsA69If3QJW5LGKvZjS5/yzTKubmk=,tag:09H7bWE1YmIq2nLIg8VOEA==,type:str] + surtur: 
ENC[AES256_GCM,data:hZxZj5xxAqqokBCY,iv:vvXoUknUzi4O/8HD4fmDxlYuGfJgCDi997jNqHi0Juw=,tag:TZX30rnf5An6xooQ/05qKg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcWZsZkRKQTdwNzVBdmFK + dW9VMjVHOWNDdG5NMDNPTDRQZVNMOW04YnhjCjdtRWs3cW9DeldSQmZ3WStzYmNu + RVBxSFM3c3UyTFNRVUQ5bUl3OVlEaFEKLS0tIGdXakpGTmtTUFljTy9aRUlMSkZt + UDZ2MmNqN0JuSWJCNnJqN0hsSllFVGMKh+mXWPVPI9vaG+CjRefRn9VUvomMtnQQ + ZhTZ3g0Y3OXUPFNxQAvjCjsjqbLI1OA6OKO50w9m284YS95D4GPcYA== + -----END AGE ENCRYPTED FILE----- + - recipient: age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5NHg0TW42SjVqQ1k3QXhi + bVVPR045ZUxtNm1EMWxySGx3RVZHWUhnd1ZjCmRkdE4zcjdmOTlnMTE3WWppSTNx + eVdVejBIQWFBb245R3FwUVRrVWFFK0kKLS0tIHRVbTJ6NUg0YjVVNUg4c3gvUy9y + UFJGWjhIc0JZcUNtblRLNXA4S0hhUWMKYEkumg2XYVpG+lOEUIk8SKWw4yB52fkJ + FKF1YrLszQHpbFytu7rv1HR/EGpQ8FlEVnrcviDti3D6MQOXeswhvw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1drh8uq93mhzhj3rz9s2gcnht04wc5hukzutlu4l5qc55hxaznd5s9xs2f6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSVYyNW5nMUFIT0RvQVkw + dTZPcGFvWXFDZktYTW1KMWZUcHhBcUsraHdzClpOeTF0Q3hqTXZIUUk1QjhDbnVp + UkZtU0VaZWdWWU16cWJiVGJRTGZyQlkKLS0tIFoza1NhdkRBNjJTU0FVWVoveE9U + VXNTenJPeHJrb0JiSHBRWW1IT1lsMEUK1Pb2MM9E7MT3heXnRmf2U4VnsK775qBN + 9E9MDygvbWMZnFyEq0t6Mk8jHRwyUHI1EMxD+m+KYPYDiLpdbFHBuQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age136558pknq6glx2xftavt7mm3p4jcpu54kej2kxryeu78m5r59e0qvawl5l + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXM2Y5MGpKdHVsY1M1OHh1 + cmVhOERlSzRVaS85RTVmYnVIK0ZvbkZqU3pBCmgyK2t5LzN3cGpjbXNwZmhBYkI4 + Q29xZkxoWXpzdGwxZVVOWVRmWXhNNkUKLS0tIHFtOVFmTnFvMWtBWmh3U3ljRy9i + 
eVlqSDJSSTk1dEdhUFlheU80L1A1Zm8Kag8Xi/si2ezZtWXZDP0DHYYZ0zuSihD+ + SNAXuZ1US31G4I18I65XmhabBE+HFNpD/9dZWSlfzRiLznRyTKBJWg== + -----END AGE ENCRYPTED FILE----- + - recipient: age17qvnfr98kxn0yuw6zjsmrl5nqlganzakn77pchnf5cr3an4gdp5s8dn26v + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvRFoyNmRwNVdwY0xIV0Nx + VXdVdVZTK2F3Vkk4MlA5ZXlnQXNIcXNEYVRrCkorSWZHeGxYK1M4VTF3cldmQnJl + aUpMUFJIV01jOEhucm81RkNEM3kySWMKLS0tIHNJQnJHbXE0N0JTYUZmSVpzaWhZ + RnV3QjNPQW8zUzZjRElYRy9OeXRvdHMKr3WmkO6RDi7cdRHS22E2uM0sgixS90jE + D1IHbrOUAmL7W1i4461SFzUEzfqv9IACtxwBSsTz9Z50MT9rB+FBJQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-14T22:34:49Z" + mac: ENC[AES256_GCM,data:Vh3Y0koRayFjHbvzqmjoGx+WGbuJZ9DqysY7juGvBNCtcsTlpuQz1+rZ3YglQ1oiP3l5pdHCOjUBNFk+TnOA2FJYggUvOzzUweQqmWNrg3jbjhnHpq0UyZO8UZ7sH8zYIqSRPc86H0uxyuhVDUe2Nrwa5+VxpJ2H5IYRcM61HWU=,iv:bxfppv2wqIaNcwi2pYNKIZk9G27itTpB5ovTpBXpHh8=,tag:X001tTdlTNE9gklbT7RjHg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3