nix: extract {net,coredns} stuff into a module

* set up global secrets (sops)
* import common network (lan/tailscale) settings in pertinent places
* use common coredns module for both nixpi and loki
surtur 2023-11-17 22:15:11 +01:00
parent fc20cc832b
commit d125d70562
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI
7 changed files with 455 additions and 387 deletions

@ -1,380 +1,18 @@
{ {config, ...}:
lib, let
config,
pkgs,
sops-nix,
...
}: let
serial = toString 15;
svc = "coredns.service"; svc = "coredns.service";
usr = "${toString config.users.users.coredns.name}"; usr = "${toString config.users.users.coredns.name}";
domain = p.domainName;
p = config.sops.placeholder;
in { in {
networking.firewall = { imports = [../../../modules/coredns.nix];
allowedTCPPorts = [53];
allowedUDPPorts = [53]; sops.secrets = {
"coredns/ifaces".restartUnits = [svc];
"coredns/iptailscale".restartUnits = [svc];
"coredns/ifaces".owner = usr;
"coredns/iptailscale".owner = usr;
}; };
age = {
secrets.zoneInternal.file = ../secrets/zoneInternal.age;
secrets.zoneInternal.owner = "${toString config.users.users.coredns.name}";
secrets.zoneExternal.file = ../secrets/zoneExternal.age;
secrets.zoneExternal.owner = "${toString config.users.users.coredns.name}";
# secrets.corednsEnv.file = ../secrets/corednsEnv.age;
};
sops = {
secrets = {
"coredns/cidrHomenet".restartUnits = [svc];
"coredns/cidrTailnet".restartUnits = [svc];
"coredns/ip".restartUnits = [svc];
"coredns/ipwlan".restartUnits = [svc];
"coredns/iptailscale".restartUnits = [svc];
"coredns/localDNSCryptResolver".restartUnits = [svc];
"net/ethLoki".restartUnits = [svc];
"net/ethCaelum".restartUnits = [svc];
"net/ethCarina".restartUnits = [svc];
"net/ethNixpi".restartUnits = [svc];
"net/ethSurtur".restartUnits = [svc];
"net/wlanLoki".restartUnits = [svc];
"net/wlanCarina".restartUnits = [svc];
"coredns/cidrHomenet".owner = usr;
"coredns/cidrTailnet".owner = usr;
"coredns/ip".owner = usr;
"coredns/ipwlan".owner = usr;
"coredns/iptailscale".owner = usr;
"coredns/localDNSCryptResolver".owner = usr;
"net/ethLoki".owner = usr;
"net/ethCaelum".owner = usr;
"net/ethCarina".owner = usr;
"net/ethNixpi".owner = usr;
"net/ethSurtur".owner = usr;
"net/wlanLoki".owner = usr;
"net/wlanCarina".owner = usr;
};
};
sops.templates.corednsZoneInternal = {
owner = usr;
content = ''
$ORIGIN ${domain}.
@ 1D IN SOA ${domain}. root.${domain}. (
${serial} ; serial (yyyymmdd##)
1m ; refresh
1m ; retry
1m ; expiry
1m ) ; minimum ttl
5m IN NS ${p."net/ethLoki"}.
5m IN NS ${p."net/wlanLoki"}.
5m IN NS ${p."net/ethCarina"}.
5m IN NS ${p."net/wlanCarina"}.
ns1 5m IN A ${p."net/ethCarina"}
ns2 5m IN A ${p."net/ethLoki"}
ns3 5m IN A ${p."net/wlanLoki"}
ns4 5m IN A ${p."net/wlanCarina"}
grocy 5m IN A ${p."net/ethCaelum"}
gonic 5m IN A ${p."net/ethLoki"}
cloud 5m IN A ${p."net/ethCaelum"}
media 5m IN A ${p."net/ethCaelum"}
llama 5m IN A ${p."net/ethCaelum"}
llama2 5m IN A ${p."net/ethCaelum"}
auth 5m IN A ${p."net/ethLoki"}
whoami 5m IN A ${p."net/ethLoki"}
ffsync 5m IN A ${p."net/ethLoki"}
cache 5m IN A ${p."net/ethLoki"}
nixcache 5m IN CNAME cache.${domain}
uptime 5m IN A ${p."net/ethLoki"}
carina 5m IN A ${p."net/ethCarina"}
loki 5m IN A ${p."net/ethLoki"}
caelum 5m IN A ${p."net/ethCaelum"}
nixpi 5m IN A ${p."net/ethNixpi"}
surtur.${domain}. 5m IN A ${p."net/ethSurtur"}
'';
};
sops.templates.corednsPls = {
owner = usr;
content = ''
. {
# TODO: listen on 853 and 443 and 1443 for DoT and DoH,
# certs will be courtesy of caddy (or acme).
# TODO: ad blocking?
# hosts /etc/coredns/blocklist.hosts {
# fallthrough
# }
reload
bufsize 1232
# TODO: add wlan and tailscale IPs
# bind {$IP} {$IPWLAN} {$IPTailscale}
bind ${p."coredns/ip"} ${p."coredns/ipwlan"}
acl {
allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 192.0.0.0/24 100.64.0.0/10
block
}
hosts {
reload 0
fallthrough
}
# loadbalance
# local dnscrypt-proxy.
forward . ${p."coredns/localDNSCryptResolver"} {
health_check 5s
expire 600s
policy sequential
}
#cache {
# success 4096
# success 10000
# denial 2048
# prefetch 512
#}
whoami
health
prometheus :9153
errors
log
local
any
}
# ${domain} {
# bind {$IPTailscale}
# view tailscale {
# expr incidr(server_ip(), '{$cidrTailnet}')
# }
# reload 300s
# file /etc/coredns/external-tailnet.zone
# cache {
# #success 1000
# success 4096
# denial 2048
# prefetch 512
# keepttl
# }
# errors
# log
#}
${domain} {
bind ${p."coredns/ip"} ${p."coredns/ipwlan"}
view homenet {
expr incidr(server_ip(), '${p."coredns/cidrHomenet"}')
}
reload 300s
# file ${config.age.secrets.zoneInternal.path}
file ${config.sops.templates.corednsZoneInternal.path}
cache {
success 4096
denial 2048
prefetch 512
keepttl
}
errors
log
local
any
}
# vim: noexpandtab:ft=Corefile
'';
};
sops.templates.corednsEnv = {
content = ''
cidrHomenet=${p."coredns/cidrHomenet"}
cidrTailnet=${p."coredns/cidrTailnet"}
domainName=${domain}
IP=${p."coredns/ip"}
IPWLAN=${p."coredns/ipwlan"}
IPTailscale=${p."coredns/iptailscale"}
localDNSCryptResolver=${p."coredns/localDNSCryptResolver"}
'';
};
services.coredns = {
enable = true;
config = "import ${config.sops.templates.corednsPls.path}";
#config = ''
# . {
# # TODO: listen on 853 and 443 and 1443 for DoT and DoH,
# # certs will be courtesy of caddy
# # TODO: ad blocking?
# # hosts /etc/coredns/blocklist.hosts {
# # fallthrough
# # }
# reload
# bufsize 1232
# # TODO: add wlan and tailscale IPs
# # bind {$IP} {$IPWLAN} {$IPTailscale}
# bind {$IP}
# acl {
# allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 192.0.0.0/24 100.64.0.0/10
# block
# }
# hosts {
# reload 0
# fallthrough
# }
# # loadbalance
# # local dnscrypt-proxy.
# forward . {$localDNSCryptResolver} {
# health_check 5s
# expire 600s
# policy sequential
# }
# #cache {
# # success 4096
# # success 10000
# # denial 2048
# # prefetch 512
# #}
# whoami
# health
# prometheus :9153
# errors
# log
# }
# # {$domainName} {
# # bind {$IPTailscale}
# # view tailscale {
# # expr incidr(server_ip(), '{$cidrTailnet}')
# # }
# # reload 300s
# # file /etc/coredns/external-tailnet.zone
# # cache {
# # #success 1000
# # success 4096
# # denial 2048
# # prefetch 512
# # keepttl
# # }
# # errors
# # log
# #}
# {$domainName} {
# bind {$IP}
# view homenet {
# expr incidr(server_ip(), '{$cidrHomenet}')
# }
# reload 300s
# # file ${config.age.secrets.zoneInternal.path}
# file ${config.sops.templates.corednsZoneInternal.path}
# cache {
# success 4096
# denial 2048
# prefetch 512
# keepttl
# }
# errors
# log
# }
# # vim: noexpandtab:ft=Corefile
#'';
};
# systemd.services.coredns.unitConfig = {
# upholds = config.systemd.services.dnscrypt-proxy2;
# wants = config.systemd.services.dnscrypt-proxy2;
# };
# systemd.services.coredns.serviceConfig = {
systemd.services.coredns = { systemd.services.coredns = {
after = ["sops-nix.service"];
wants = ["dnscrypt-proxy2.service"]; wants = ["dnscrypt-proxy2.service"];
serviceConfig = {
# StateDirectory = "coredns";
# WorkingDirectory = "/etc/coredns";
WorkingDirectory = "/";
# StartLimitIntervalSec = 5;
StartLimitBurst = 10;
Restart = lib.mkDefault "always";
RestartSec = 10;
# PermissionsStartOnly = true;
ProtectSystem = "strict";
LimitNOFILE = 1048576;
LimitNPROC = 512;
User = "coredns";
# EnvironmentFile = config.age.secrets.corednsEnv.path;
EnvironmentFile = config.sops.templates.corednsEnv.path;
# LoadCredential = lib.mapAttrsToList (name: path: "${name}:${path}") cfg.credentials;
DeviceAllow = "";
LockPersonality = true;
MemoryDenyWriteExecute = false;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
# DynamicUser = true;
ProtectProc = "invisible";
RemoveIPC = true;
# RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [
"@system-service"
"~@cpu-emulation"
"~@debug"
"~@keyring"
"~@memlock"
"~@obsolete"
# "~@privileged"
"~@setuid"
];
UMask = 0027;
};
}; };
users.users.coredns = {
group = "coredns";
home = "/etc/coredns";
createHome = false;
isSystemUser = true;
extraGroups = ["users"];
};
users.groups.coredns = {};
} }

@ -12,21 +12,9 @@ authentik:
emailFrom: ENC[AES256_GCM,data:aWpZR5jq1XSCYCDaSx8pE3Xx,iv:HAKQbnoA+uXNh/N3EjoIjId7MYu5ivZd5G7ccwmlz0I=,tag:yw9of9h8a+6annAi+rBdVA==,type:str] emailFrom: ENC[AES256_GCM,data:aWpZR5jq1XSCYCDaSx8pE3Xx,iv:HAKQbnoA+uXNh/N3EjoIjId7MYu5ivZd5G7ccwmlz0I=,tag:yw9of9h8a+6annAi+rBdVA==,type:str]
#ENC[AES256_GCM,data:7Ux8lB94gwD/7pab3THr8ExJ5DwsMBikqECFIRYEmIAIJh8RnGjORnGIk+Dx06NZ0yr16JMD3o0kyjNL,iv:bIfJmwB4Y/oS241keTPG7Ty9hT7U12ES3XV2vHKFKgI=,tag:qDTXF62SzpMqDNqklkZdsg==,type:comment] #ENC[AES256_GCM,data:7Ux8lB94gwD/7pab3THr8ExJ5DwsMBikqECFIRYEmIAIJh8RnGjORnGIk+Dx06NZ0yr16JMD3o0kyjNL,iv:bIfJmwB4Y/oS241keTPG7Ty9hT7U12ES3XV2vHKFKgI=,tag:qDTXF62SzpMqDNqklkZdsg==,type:comment]
emailPassword: ENC[AES256_GCM,data:Jr1lpggvsxO50dvQ/jWjinN9CtSA5KiVbIuisYtx+lzzkOZojBlYkOiX3aYNfxX1MOPlsA==,iv:Bl6siYZ6wneYOeZ2PivAUJS1JnLFRgYtdbjrmrKOOBI=,tag:YrsvF3Q1cs6w+bUlHA9Wgw==,type:str] emailPassword: ENC[AES256_GCM,data:Jr1lpggvsxO50dvQ/jWjinN9CtSA5KiVbIuisYtx+lzzkOZojBlYkOiX3aYNfxX1MOPlsA==,iv:Bl6siYZ6wneYOeZ2PivAUJS1JnLFRgYtdbjrmrKOOBI=,tag:YrsvF3Q1cs6w+bUlHA9Wgw==,type:str]
net:
ethSurtur: ENC[AES256_GCM,data:YvPqV8JDrkHtpqgW,iv:mI3vXwSlmsE/t6z68SovLmDRmKGQzGuxnFxHJOw7Fys=,tag:TrmFvuyGW9Smp5MJRzTPrg==,type:str]
ethNixpi: ENC[AES256_GCM,data:CiefW425x9pE24EJ,iv:dnWQNaNrvw4onfENV5t7kTrSKDxycNdHuAolwhKvS6w=,tag:jt205dplzDbqgetBcM/SMg==,type:str]
ethLoki: ENC[AES256_GCM,data:dP23Oj9pPPntNnx0,iv:kdfdkKhHQQED/iH1BDRUB/C3R/vdVgY4Pm8nZMc62uQ=,tag:8qb669FIhwI5AU/LHfj7wg==,type:str]
ethCaelum: ENC[AES256_GCM,data:KRiIHgqJVZHbMOEPlw==,iv:xbZBkEboi5B7M0PuWytkc6+Y2FoZ7LhDox39yX4ZTIk=,tag:Y2wElHZzxTn68kTK0e48UQ==,type:str]
ethCarina: ENC[AES256_GCM,data:IIzTlIdGo17ie1XA6w==,iv:v79kkPFbhj5x+8xTkxSKCS9xCaTzlMK+RaGQgiKnDn8=,tag:cFNDqag0JGLHgVFQ3tA9mA==,type:str]
wlanLoki: ENC[AES256_GCM,data:eSa++RH6t/W5yQWt,iv:xn6IEROjq6CLZ4mGBZB6vZCIAtVJmrjCTs66G+OzCcY=,tag:jLFogLZtyPbprXK2OhWXIw==,type:str]
wlanCarina: ENC[AES256_GCM,data:ugykYJujsQLk4RvwGw==,iv:Ge4c+bmUWcJCKv8cVXX1Wos14rCfUTA+AvLBLq4SsyM=,tag:9litWR7kWu8f+aml0MXzEQ==,type:str]
coredns: coredns:
cidrHomenet: ENC[AES256_GCM,data:Br7ixh52tVp4fqr9W6U=,iv:neSAnc66BXK++PhIIOQSrs5gyMtB2IX1nLwClTwemq8=,tag:bgqIL/nPOnbbRPjBXC0Azg==,type:str] ifaces: ENC[AES256_GCM,data:8r4R2lEfZpo+DeZbFig=,iv:kupaWBWuJQ0IHB5Sf8LRHYnNai1Tyhh+isD9HTEHrkY=,tag:w8zz7aJW1v4ArpzEsbWmRw==,type:str]
cidrTailnet: ENC[AES256_GCM,data:+ZqzEqfERBFHwTNV2w==,iv:9VZitgr4zvy3l/EwQx2M8P8fAo2UZ9sMQ7jp3Soblto=,tag:MWxn1PXtA3BLo/1WXRUrcg==,type:str]
ip: ENC[AES256_GCM,data:zucOcXk1dnGvhmlM,iv:rWIO6uMmMSNi+SvKtZGrCF1J/7hvvWzW6vZUqMkwQZg=,tag:/v93vM42IQJQJhd7kbGLbw==,type:str]
ipwlan: ENC[AES256_GCM,data:2aMXVAMm5TmPuPog,iv:B8Rl+udtRGBHSTij8w1xvxAaVcjyyuSwXJYwQKcqNQU=,tag:bp/EhvEGI0hK8+le0j8OKQ==,type:str]
iptailscale: ENC[AES256_GCM,data:eNAUjBp8Ad5E,iv:EOd/go9iW36tXjPr+T9J32RNIRk+oLG25GqWcUww2dI=,tag:03yCgvgSayY/gkQ73X74jA==,type:str] iptailscale: ENC[AES256_GCM,data:eNAUjBp8Ad5E,iv:EOd/go9iW36tXjPr+T9J32RNIRk+oLG25GqWcUww2dI=,tag:03yCgvgSayY/gkQ73X74jA==,type:str]
localDNSCryptResolver: ENC[AES256_GCM,data:ANwDFvg1dMFF77jJ,iv:yIZOhD1G78saflyeR7BBqeM1s/PBGbeb5zg0hYLmGTo=,tag:nM41w2n1cfbkrhPdPJfoyw==,type:str]
ffsync: ffsync:
masterSecret: ENC[AES256_GCM,data:os90pvduX4nni2pM6suYr7PODNitUSN3sqsu062eI9PE9XYM6aAVlCubFDBfzgDIs/UAZpULD5Q20ZXQF70gUllNS2QzEoaMU8NerrGWYufjZO8n4Xvm5K/zRTyZbjBcFgKwwC9pQ785oISnumX0EF7hWyfVv/XX5g0ietQOpgk=,iv:xSVg5QB9EzXmOWp+66Wu8tZQjQQ6DMJzYOT2lKNVFfM=,tag:XDmgsXNeP2lzTSVS2//kbg==,type:str] masterSecret: ENC[AES256_GCM,data:os90pvduX4nni2pM6suYr7PODNitUSN3sqsu062eI9PE9XYM6aAVlCubFDBfzgDIs/UAZpULD5Q20ZXQF70gUllNS2QzEoaMU8NerrGWYufjZO8n4Xvm5K/zRTyZbjBcFgKwwC9pQ785oISnumX0EF7hWyfVv/XX5g0ietQOpgk=,iv:xSVg5QB9EzXmOWp+66Wu8tZQjQQ6DMJzYOT2lKNVFfM=,tag:XDmgsXNeP2lzTSVS2//kbg==,type:str]
tokenserverMetricsHashSecret: ENC[AES256_GCM,data:OGMjG+JfWdfo8q38QbauVEpJOTZLkW1IsCJjHCPcEbMxjvhyIWhON9iczIdkALiQgjY7RK8YzE3Uss8U/caqmqNszy8uJ7X31XV6fIpM57vHn0X9vPhcthcNG7qLgKZ4kouYLA4ERtpOhpaBGL1FJbJsYoJi3oA9PprxkRoz65M=,iv:pPzK7D4UlvuRDqAwFcPnwy1rWc5zm091q0qKafT0IZ4=,tag:xlH8DRzBoICknSgkYuRJdA==,type:str] tokenserverMetricsHashSecret: ENC[AES256_GCM,data:OGMjG+JfWdfo8q38QbauVEpJOTZLkW1IsCJjHCPcEbMxjvhyIWhON9iczIdkALiQgjY7RK8YzE3Uss8U/caqmqNszy8uJ7X31XV6fIpM57vHn0X9vPhcthcNG7qLgKZ4kouYLA4ERtpOhpaBGL1FJbJsYoJi3oA9PprxkRoz65M=,iv:pPzK7D4UlvuRDqAwFcPnwy1rWc5zm091q0qKafT0IZ4=,tag:xlH8DRzBoICknSgkYuRJdA==,type:str]
@ -65,8 +53,8 @@ sops:
c200TjlWUnFqRCs4V0FjM25iT3YrZTQKfpfrN++o6SZerazvwpuiYLpvJL4Bb4U/ c200TjlWUnFqRCs4V0FjM25iT3YrZTQKfpfrN++o6SZerazvwpuiYLpvJL4Bb4U/
UIpMVS/rJhDrrBfMsCj253CRYRu73mbN28xnK+e68cl8l3EiMyEkEA== UIpMVS/rJhDrrBfMsCj253CRYRu73mbN28xnK+e68cl8l3EiMyEkEA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-13T21:36:25Z" lastmodified: "2023-11-17T21:09:07Z"
mac: ENC[AES256_GCM,data:LLXZTAAvR00tY0p6ANpP2SABwlI/hgcHlAArv5YkohykOaamWnHp4ehd248ouFjywPIFDu1YZYVcCPjATuKYv69I+qAD+Y2bApJQNkegthfR3oHQaU6eSpiloMx+Yqqvlb6XpoAB/ewgbPSDRBsQ8tibrNtwhOlX5nqIv5M2sIo=,iv:egsHl9G80EoDHIZannXE1KGJ4MJ/30cYCxfngJFRx7Q=,tag:FewLvSmbfNGyyTdZ2IPK/w==,type:str] mac: ENC[AES256_GCM,data:fj8V8BH2tOGXTrV/1ON5OKY3UIidmKEOx64PM9Bhat+Q+2eEFMvu9cMgp/mfm+xLi5nPaCRSoKqaFUHP6bGZBM2MU6zaGGbo8ltsLqhd884kRmqHLKWsXKm6SJ1kSmDNJq7+vnVa+1PxBrTQ8Te/xYyZq+DQFllDfaRBpFQ5htM=,iv:Mq5y0HQFSxYk9YgS50CCSuRA04q9C+xc7NY22407AxQ=,tag:oOvLMXYUx4qjbGj5GmMaug==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.7.3

@ -5,9 +5,10 @@
... ...
}: { }: {
imports = [ imports = [
./modules/coredns.nix
../../modules/base.nix ../../modules/base.nix
../../modules/dnscrypt.nix ../../modules/dnscrypt.nix
# ../loki/modules/coredns.nix
]; ];
sops = { sops = {

@ -0,0 +1,18 @@
{config, ...}:
let
svc = "coredns.service";
usr = "${toString config.users.users.coredns.name}";
in {
imports = [../../../modules/coredns.nix];
sops.secrets = {
"coredns/ifaces".restartUnits = [svc];
"coredns/iptailscale".restartUnits = [svc];
"coredns/ifaces".owner = usr;
"coredns/iptailscale".owner = usr;
};
systemd.services.coredns = {
wants = ["dnscrypt-proxy2.service"];
};
}

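--- /dev/null
+++ b/nix/modules/coredns.nix
@@ -0,0 +1,285 @@
+{
+lib,
+config,
+pkgs,
+sops-nix,
+...
+}: let
+serial = toString 15;
+svc = "coredns.service";
+usr = "${toString config.users.users.coredns.name}";
+domain = p.domainName;
+p = config.sops.placeholder;
+in {
+networking.firewall = {
+allowedTCPPorts = [53];
+allowedUDPPorts = [53];
+};
+sops = {
+secrets = {
+"domainName".restartUnits = [svc];
+"coredns/cidrHomenet".restartUnits = [svc];
+"coredns/cidrTailnet".restartUnits = [svc];
+"coredns/localDNSCryptResolver".restartUnits = [svc];
+"eth/loki".restartUnits = [svc];
+"eth/caelum".restartUnits = [svc];
+"eth/carina".restartUnits = [svc];
+"eth/nixpi".restartUnits = [svc];
+"eth/surtur".restartUnits = [svc];
+"wlan/loki".restartUnits = [svc];
+"wlan/carina".restartUnits = [svc];
+"domainName".owner = usr;
+"coredns/cidrHomenet".owner = usr;
+"coredns/cidrTailnet".owner = usr;
+"coredns/localDNSCryptResolver".owner = usr;
+"eth/loki".owner = usr;
+"eth/caelum".owner = usr;
+"eth/carina".owner = usr;
+"eth/nixpi".owner = usr;
+"eth/surtur".owner = usr;
+"wlan/loki".owner = usr;
+"wlan/carina".owner = usr;
+"domainName".sopsFile = ../secrets/coredns.yaml;
+"coredns/cidrHomenet".sopsFile = ../secrets/coredns.yaml;
+"coredns/cidrTailnet".sopsFile = ../secrets/coredns.yaml;
+"coredns/localDNSCryptResolver".sopsFile = ../secrets/coredns.yaml;
+"eth/loki".sopsFile = ../secrets/net.yaml;
+"eth/caelum".sopsFile = ../secrets/net.yaml;
+"eth/carina".sopsFile = ../secrets/net.yaml;
+"eth/nixpi".sopsFile = ../secrets/net.yaml;
+"eth/surtur".sopsFile = ../secrets/net.yaml;
+"wlan/loki".sopsFile = ../secrets/net.yaml;
+"wlan/carina".sopsFile = ../secrets/net.yaml;
+};
+};
+sops.templates = {
+corednsZoneInternal = {
+owner = usr;
+content = ''
+$ORIGIN ${domain}.
+@ 1D IN SOA ${domain}. root.${domain}. (
+${serial} ; serial (yyyymmdd##)
+1m ; refresh
+1m ; retry
+1m ; expiry
+1m ) ; minimum ttl
+5m IN NS ${p."eth/loki"}.
+5m IN NS ${p."wlan/loki"}.
+5m IN NS ${p."eth/carina"}.
+5m IN NS ${p."wlan/carina"}.
+ns1 5m IN A ${p."eth/carina"}
+ns2 5m IN A ${p."eth/loki"}
+ns3 5m IN A ${p."wlan/loki"}
+ns4 5m IN A ${p."wlan/carina"}
+grocy 5m IN A ${p."eth/caelum"}
+gonic 5m IN A ${p."eth/loki"}
+cloud 5m IN A ${p."eth/caelum"}
+media 5m IN A ${p."eth/caelum"}
+llama 5m IN A ${p."eth/caelum"}
+llama2 5m IN A ${p."eth/caelum"}
+auth 5m IN A ${p."eth/loki"}
+whoami 5m IN A ${p."eth/loki"}
+ffsync 5m IN A ${p."eth/loki"}
+cache 5m IN A ${p."eth/loki"}
+nixcache 5m IN CNAME cache.${domain}
+uptime 5m IN A ${p."eth/loki"}
+carina 5m IN A ${p."eth/carina"}
+loki 5m IN A ${p."eth/loki"}
+caelum 5m IN A ${p."eth/caelum"}
+nixpi 5m IN A ${p."eth/nixpi"}
+surtur 5m IN A ${p."eth/surtur"}
+'';
+};
+corednsCorefile = {
+owner = usr;
+content = ''
+. {
+# TODO: listen on 853 and 443 and 1443 for DoT and DoH,
+# certs will be courtesy of caddy (or acme).
+# TODO: ad blocking?
+# hosts /etc/coredns/blocklist.hosts {
+# fallthrough
+# }
+reload
+bufsize 1232
+# TODO: add wlan and tailscale IPs
+# bind {$IP} {$IPWLAN} {$IPTailscale}
+bind ${p."coredns/ifaces"}
+acl {
+allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 192.0.0.0/24 100.64.0.0/10
+block
+}
+hosts {
+reload 0
+fallthrough
+}
+# loadbalance
+# local dnscrypt-proxy.
+forward . ${p."coredns/localDNSCryptResolver"} {
+health_check 5s
+expire 600s
+policy sequential
+}
+#cache {
+# success 4096
+# success 10000
+# denial 2048
+# prefetch 512
+#}
+whoami
+health
+prometheus :9153
+errors
+log
+local
+any
+}
+# ${domain} {
+# bind {$IPTailscale}
+# view tailscale {
+# expr incidr(server_ip(), '{$cidrTailnet}')
+# }
+# reload 300s
+# file /etc/coredns/external-tailnet.zone
+# cache {
+# #success 1000
+# success 4096
+# denial 2048
+# prefetch 512
+# keepttl
+# }
+# errors
+# log
+#}
+${domain} {
+bind ${p."coredns/ifaces"}
+view homenet {
+expr incidr(server_ip(), '${p."coredns/cidrHomenet"}')
+}
+reload 300s
+file ${config.sops.templates.corednsZoneInternal.path}
+cache {
+success 4096
+denial 2048
+prefetch 512
+keepttl
+}
+errors
+log
+local
+any
+}
+# vim: noexpandtab:ft=Corefile
+'';
+};
+corednsEnv = {
+content = ''
+cidrHomenet=${p."coredns/cidrHomenet"}
+cidrTailnet=${p."coredns/cidrTailnet"}
+domainName=${domain}
+IPTailscale=${p."coredns/iptailscale"}
+localDNSCryptResolver=${p."coredns/localDNSCryptResolver"}
+'';
+};
+};
+services.coredns = {
+enable = true;
+config = "import ${config.sops.templates.corednsCorefile.path}";
+};
+# systemd.services.coredns.unitConfig = {
+# upholds = config.systemd.services.dnscrypt-proxy2;
+# wants = config.systemd.services.dnscrypt-proxy2;
+# };
+# systemd.services.coredns.serviceConfig = {
+systemd.services.coredns = {
+after = ["sops-nix.service"];
+# wants = ["dnscrypt-proxy2.service"];
+serviceConfig = {
+# StateDirectory = "coredns";
+# WorkingDirectory = "/etc/coredns";
+WorkingDirectory = "/";
+# StartLimitIntervalSec = 5;
+StartLimitBurst = 10;
+Restart = lib.mkDefault "always";
+RestartSec = 10;
+# PermissionsStartOnly = true;
+ProtectSystem = "strict";
+LimitNOFILE = 1048576;
+LimitNPROC = 512;
+User = "coredns";
+EnvironmentFile = config.sops.templates.corednsEnv.path;
+# LoadCredential = lib.mapAttrsToList (name: path: "${name}:${path}") cfg.credentials;
+DeviceAllow = "";
+LockPersonality = true;
+MemoryDenyWriteExecute = false;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateTmp = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+# DynamicUser = true;
+ProtectProc = "invisible";
+RemoveIPC = true;
+# RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+SystemCallErrorNumber = "EPERM";
+SystemCallFilter = [
+"@system-service"
+"~@cpu-emulation"
+"~@debug"
+"~@keyring"
+"~@memlock"
+"~@obsolete"
+# "~@privileged"
+"~@setuid"
+];
+UMask = 0027;
+};
+};
+users.users.coredns = {
+group = "coredns";
+home = "/etc/coredns";
+createHome = false;
+isSystemUser = true;
+extraGroups = ["users"];
+};
+users.groups.coredns = {};
+}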
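Review bot: The shared module dereferences placeholders for secrets it never declares — `p."coredns/ifaces"` in both `bind` lines of the corednsCorefile template and `p."coredns/iptailscale"` in corednsEnv — while its own `sops.secrets` block only declares `domainName`, the two `coredns/cidr*` entries, `coredns/localDNSCryptResolver` and the `eth/*`/`wlan/*` addresses. It evaluates only because each importing host (the new loki and nixpi per-host modules in this commit) declares both secrets itself; a host that imports `modules/coredns.nix` without them fails with an attribute-missing error on `config.sops.placeholder`, which does not name the real cause. I would state that contract in a comment above `sops.secrets` and enforce it with an assertion so the failure names the missing declarations; the host-specific values legitimately stay out of the module, since they differ per machine.
```nix
in {
# … unchanged: networking.firewall …
# Per-host secrets the templates below depend on but this module does not
# declare (their values differ per machine): every importer must set
# sops.secrets."coredns/ifaces" and sops.secrets."coredns/iptailscale".
assertions = [
{
assertion =
config.sops.secrets ? "coredns/ifaces"
&& config.sops.secrets ? "coredns/iptailscale";
message = "modules/coredns.nix: importing host must declare sops.secrets \"coredns/ifaces\" and \"coredns/iptailscale\"";
}
];
# … unchanged: sops.secrets, sops.templates, services.coredns, systemd, users …
```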

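--- /dev/null
+++ b/nix/secrets/coredns.yaml
@@ -0,0 +1,64 @@
+domainName: ENC[AES256_GCM,data:ys23SBcHVDxjLqmN9rPqpk7V5A==,iv:mTOnNeZcoJHbvcIx4e3Xj8Km3gOyhr8uFeP5XFaYAto=,tag:Vm5yHRbccKBXSh3w2JztDg==,type:str]
+coredns:
+cidrHomenet: ENC[AES256_GCM,data:S7bgH+1tKhoUQICaRuI=,iv:kI75Yqm5uh1ruS1jr9+meiyqNIfatLc2grBbgj5KT/8=,tag:G9fHCKWrEki5jmVylpmJgg==,type:str]
+cidrTailnet: ENC[AES256_GCM,data:foRfZ0pc9WeGp2Ljlg==,iv:Wg9n6ZB6QP6V4FaA1BvqhgFVAZ5jSk72EaZgv0Oed50=,tag:5r3ZYpYuw2U3QFbnrmQWMQ==,type:str]
+ip: ENC[AES256_GCM,data:5pOpPfgLZ7jxSUPh,iv:4jCLP2259u2uCMEFb4/f03h0HDnSrw3lBcVZPlQ2Ifw=,tag:gMaPWIv/lmx3p3OL+LcNKA==,type:str]
+ipwlan: ENC[AES256_GCM,data:NsdSshP9f+2sT/lx,iv:IzIhJH91oFuJPzOTxdtYlbOWTxgVjX9wbzdNgjP8/uQ=,tag:iI+6gC7zq2TffI0zyNN/gQ==,type:str]
+iptailscale: ENC[AES256_GCM,data:9vmb6w+Q0NkD,iv:zljhbm97rrUWmviUdJNeek9h8qrujEn/MCEkHpKCusY=,tag:fkbzCiVQmV4U4sL0ZSUUKA==,type:str]
+localDNSCryptResolver: ENC[AES256_GCM,data:0BO8bBspqGMhirvp,iv:7akm69vdALMzjXr74959TOH5qyqA2dtEp+rg3/z3YfM=,tag:UkNwqNd7HPUfACuYLexoKg==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkL011ZHpYTTNlOFNSYVB3
+TElTL2w2SkNON3VhRGxPTGhLS0JYYWJwK2tNCjlwU0VlbEZZRnczbnAvRTRBbHl2
+Q1lvSW5TTVZucHgydllKL1Z3OVZnL0kKLS0tIFp6U2tFNTlLdldOd0hja1phYTRj
+Y0htYmRMRFJZSDFpbGxlWEJQTlpKRW8KChx6Aj8ICiMUOhH8Z/8secPe5Wj+w1Xf
+2Y/Rwou4XzVqZ+fjqJhtJlp5CrD/cOP0ZZSv+8ReieaEilluMMetvg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSllJNUJVdkNCOVZsdEhM
+aGc5eU5CL0dPMU9UZ3BvdXNhWDlhdGpRK1hZCk9FS0l1OGFiUTJyYWFnQ0xmamdY
+MU45MFltTjZJM2o4aDJpc0xuTzBvTVkKLS0tIHRNMDVFMk1TZlNuVmF0cnFEYk92
+THhGd3ViaXZkeGhidThleFJ1VGs5ekUKl/Mqr/JMO/RnXWKN/UjRsZqVexc87ExQ
+eQQE+xA4baYpXaDPINh6EeQuT06dIxTHoxnYxHQUc5DeI8auAgJ0bw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1drh8uq93mhzhj3rz9s2gcnht04wc5hukzutlu4l5qc55hxaznd5s9xs2f6
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZmNoWHZGbEJGYXhvZExy
+cGNsT0pPVGJnTVhQQkhUWThYN2tyaGxqVFdvCmR5YnVLOFZxTmh3QkxPLzd1dWlJ
+NjBXeWMzK0s3akRyLzVZZE1sQ0lKTnMKLS0tIG1BWjE5ZFZTczBkY0h0TTkvT0dq
+cXVSaVMrNWUxdERLSi8zanorOEdRT00Ke08Yc+g5AtL+P/jKnnxQztau2giHrLw6
+0ielAsZanyp9Wlk06ke4IcPk1dJJWv0bOA9xk2hiDs96+U8yQG7zkQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age136558pknq6glx2xftavt7mm3p4jcpu54kej2kxryeu78m5r59e0qvawl5l
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3WWhxOHV3QldPNGp0STV6
+SHppeENoT1AzWW9HdXRGd2tlWWI5UkVzR25zCm9uQ1BQNUdNOVYvam5WNGNtcXZj
+VWRTT0lneVR5cmQ0TjZDQ3FJcHdqY3cKLS0tIDlsMlpaRDB2ekh4VVRrME1Yb2xE
+S1MwS0lxOVg2Yk9OUGFXZTh5MXVKbG8KBnZ4HeSB55heX6Jg34wdPjcvolLZshJ2
+Uqil4r6Tn7fuWEw29w0rKGleUm1duu9FcKVKBCs+Ctp/BiIUXDZ6Kw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age17qvnfr98kxn0yuw6zjsmrl5nqlganzakn77pchnf5cr3an4gdp5s8dn26v
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKb0hNSlZqZnhiRjltMmha
+azduZ0t2dG5WZ1k1ZDRuS0pSS2FsL2RFS213Clc5TExPYzZJZVcrUEpFQkxCaFJJ
+bXJKZFZPdm5oK2M1dW1zbTV3Ni8zencKLS0tIERXRFd3cGRhR0Z1T2pXNlRpcVo1
+TElBS2taRmVhOTRqSVgxSVpnUFBuTWMKZfMSW+9aUPozc1EPDr7FHbRcZn8jf0j8
+a5XopiWgohlGz8zgwyyh5qStx0Fz4NS6gjm7L1Q7p7fWeUDvVxol9w==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2023-11-14T22:36:13Z"
+mac: ENC[AES256_GCM,data:Et1fjTEsjkYUMtcCdcLSpuXyJHm/SIKKxH4+PJnT3oiywwRBMWslFpe2WLFmgijncOwbShW+Q5Kw7ZrBScqkSTob8f2+nlMxRK9oeWhZ3XL2vn7aDcgEsexsnUPqJ8Dt160+r2PbC24L5h+rWs6WZ6Wq05K18KVa7Bya35vHQ1M=,iv:kvHnnzH6zey4MaXl+vct83MXgLbsEdF7I8GDvu13FJo=,tag:6olK8I6jlORtry5v8Ht3Yg==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.7.3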

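--- /dev/null
+++ b/nix/secrets/net.yaml
@@ -0,0 +1,74 @@
+domainName: ENC[AES256_GCM,data:Xe/MC5rRDaFuUcGf3mhMmG7ILA==,iv:DHff0fqt5nbRiKpXtk6k9+6OFPyfcs8L1ho1eTs7Kfs=,tag:nppuElFh0DjFJ8A0Ak4dBQ==,type:str]
+tailnet: ENC[AES256_GCM,data:HImJc93oPPri,iv:0K0i9X7x7TOVCOW1ipPukKhIO+miCzKp1X9sv0bVT0A=,tag:XnLw4RVmVCnX6pEb/zg6sw==,type:str]
+eth:
+loki: ENC[AES256_GCM,data:lZ2e5HxY7/XtiU+R,iv:apu1kCi5TvLsIWEaZQ2QNWcefoXmmrtgYy1DISp91lU=,tag:RQtbUagoiPXpJBE3O/ZA2w==,type:str]
+caelum: ENC[AES256_GCM,data:cRTIdVc5tAMt1Js1SA==,iv:I6ZjjGTWF8kkkReqCDRRKZXR8N+GUrukuyXE+hQupyw=,tag:UOdopHOL2bs1KU3eXTHNDw==,type:str]
+carina: ENC[AES256_GCM,data:xN09jOC1BKo0HBCTKQ==,iv:5DbvoV3F3ty0H/MDGEumXmEqmiWj9VhkvawJZDgxspM=,tag:F5Seap6tSxfy6PCHlWkEuw==,type:str]
+nixpi: ENC[AES256_GCM,data:g0LlB1mXimcRQbC1,iv:RdLKFX18cgo9qMxQjwLiVSCqbv/zhWFrOmOaYT+1uK8=,tag:15USXTXPVfIEFMDeBD/LwA==,type:str]
+surtur: ENC[AES256_GCM,data:kaoTjzskSy3BswJg,iv:ola/bEaM/eOjypQ/OPHG2Ho2lRo3nJZiInnTCG9HIWs=,tag:jM5cY3JdgXpQEJuMuJhKWg==,type:str]
+wlan:
+loki: ENC[AES256_GCM,data:OgOI5dcelAFrb8iB,iv:/Yn1SN05Nk8/Q1FWCVmFJU0cqrEU187eLWp68zjBwOw=,tag:qhCMFZ+5ByviVMxp3b3eIQ==,type:str]
+carina: ENC[AES256_GCM,data:6JfZA7cKGCnuqJp4eg==,iv:qgMI14ZUgC0dw5OrGSZdxizaBvKZrorxFxM4tTNF6bA=,tag:QvL0x8D7snaByQGsx7TM6A==,type:str]
+ts:
+carina: ENC[AES256_GCM,data:A6BifPdxBaesu+aM5Q==,iv:hJKHdEo6iQDpp1UXFs6Hmm/pfvBFkzFPrI3sRUk87Gw=,tag:j7EE1WEzBrUXy7aA86WDMQ==,type:str]
+loki: ENC[AES256_GCM,data:+hWpbdDtebxnRhxJSmg=,iv:suY6KJ/UI6OIiMv6jMW3Vjax659rBlzsHmn5fPo/qe8=,tag:Aj59VFC4Cb0tZb+bmkYnXA==,type:str]
+nixpi: ENC[AES256_GCM,data:Qch5cOaTwr2GSQIP2Gg=,iv:lDdU7Vjo4iZiDp6iwMsi6yC01O+l00An0UcAYig7/so=,tag:nT6KYpElGl76GEyARDLoWw==,type:str]
+caelum: ENC[AES256_GCM,data:mSZ2NApcS4x1auyVEoI=,iv:MtQ3RW6r7Jm3xn17F9UJj2rWEUChelt8OWOZpZp8SIs=,tag:KPtWbDo2Ya7WgIqqdse5Tw==,type:str]
+vela: ENC[AES256_GCM,data:1g5QfUX5GyH9MifEjXL0,iv:vGERMdF4n4KJoNIsA69If3QJW5LGKvZjS5/yzTKubmk=,tag:09H7bWE1YmIq2nLIg8VOEA==,type:str]
+surtur: ENC[AES256_GCM,data:hZxZj5xxAqqokBCY,iv:vvXoUknUzi4O/8HD4fmDxlYuGfJgCDi997jNqHi0Juw=,tag:TZX30rnf5An6xooQ/05qKg==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcWZsZkRKQTdwNzVBdmFK
+dW9VMjVHOWNDdG5NMDNPTDRQZVNMOW04YnhjCjdtRWs3cW9DeldSQmZ3WStzYmNu
+RVBxSFM3c3UyTFNRVUQ5bUl3OVlEaFEKLS0tIGdXakpGTmtTUFljTy9aRUlMSkZt
+UDZ2MmNqN0JuSWJCNnJqN0hsSllFVGMKh+mXWPVPI9vaG+CjRefRn9VUvomMtnQQ
+ZhTZ3g0Y3OXUPFNxQAvjCjsjqbLI1OA6OKO50w9m284YS95D4GPcYA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5NHg0TW42SjVqQ1k3QXhi
+bVVPR045ZUxtNm1EMWxySGx3RVZHWUhnd1ZjCmRkdE4zcjdmOTlnMTE3WWppSTNx
+eVdVejBIQWFBb245R3FwUVRrVWFFK0kKLS0tIHRVbTJ6NUg0YjVVNUg4c3gvUy9y
+UFJGWjhIc0JZcUNtblRLNXA4S0hhUWMKYEkumg2XYVpG+lOEUIk8SKWw4yB52fkJ
+FKF1YrLszQHpbFytu7rv1HR/EGpQ8FlEVnrcviDti3D6MQOXeswhvw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1drh8uq93mhzhj3rz9s2gcnht04wc5hukzutlu4l5qc55hxaznd5s9xs2f6
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSVYyNW5nMUFIT0RvQVkw
+dTZPcGFvWXFDZktYTW1KMWZUcHhBcUsraHdzClpOeTF0Q3hqTXZIUUk1QjhDbnVp
+UkZtU0VaZWdWWU16cWJiVGJRTGZyQlkKLS0tIFoza1NhdkRBNjJTU0FVWVoveE9U
+VXNTenJPeHJrb0JiSHBRWW1IT1lsMEUK1Pb2MM9E7MT3heXnRmf2U4VnsK775qBN
+9E9MDygvbWMZnFyEq0t6Mk8jHRwyUHI1EMxD+m+KYPYDiLpdbFHBuQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age136558pknq6glx2xftavt7mm3p4jcpu54kej2kxryeu78m5r59e0qvawl5l
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXM2Y5MGpKdHVsY1M1OHh1
+cmVhOERlSzRVaS85RTVmYnVIK0ZvbkZqU3pBCmgyK2t5LzN3cGpjbXNwZmhBYkI4
+Q29xZkxoWXpzdGwxZVVOWVRmWXhNNkUKLS0tIHFtOVFmTnFvMWtBWmh3U3ljRy9i
+eVlqSDJSSTk1dEdhUFlheU80L1A1Zm8Kag8Xi/si2ezZtWXZDP0DHYYZ0zuSihD+
+SNAXuZ1US31G4I18I65XmhabBE+HFNpD/9dZWSlfzRiLznRyTKBJWg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age17qvnfr98kxn0yuw6zjsmrl5nqlganzakn77pchnf5cr3an4gdp5s8dn26v
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvRFoyNmRwNVdwY0xIV0Nx
+VXdVdVZTK2F3Vkk4MlA5ZXlnQXNIcXNEYVRrCkorSWZHeGxYK1M4VTF3cldmQnJl
+aUpMUFJIV01jOEhucm81RkNEM3kySWMKLS0tIHNJQnJHbXE0N0JTYUZmSVpzaWhZ
+RnV3QjNPQW8zUzZjRElYRy9OeXRvdHMKr3WmkO6RDi7cdRHS22E2uM0sgixS90jE
+D1IHbrOUAmL7W1i4461SFzUEzfqv9IACtxwBSsTz9Z50MT9rB+FBJQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2023-11-14T22:34:49Z"
+mac: ENC[AES256_GCM,data:Vh3Y0koRayFjHbvzqmjoGx+WGbuJZ9DqysY7juGvBNCtcsTlpuQz1+rZ3YglQ1oiP3l5pdHCOjUBNFk+TnOA2FJYggUvOzzUweQqmWNrg3jbjhnHpq0UyZO8UZ7sH8zYIqSRPc86H0uxyuhVDUe2Nrwa5+VxpJ2H5IYRcM61HWU=,iv:bxfppv2wqIaNcwi2pYNKIZk9G27itTpB5ovTpBXpHh8=,tag:X001tTdlTNE9gklbT7RjHg==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.7.3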