dotfiles/nixos/systems/hela/dns.nix

{
  lib,
  config,
  ...
}: let
in {
  services.bind = {
    enable = true;
    forward = "only";
    forwarders = [
      "127.0.0.1 port 5300"
    ];

    directory = "/var/lib/bind";

    cacheNetworks = [
      "127.0.0.0/8"
      "10.1.0.0/19"
      "10.0.0.1/32" # needed due to SNAT when redirecting DNS in border
      "192.168.1.0/24"
    ];

    extraConfig = ''
      logging {
        channel stderr_chan {
          print-category yes;
          print-severity yes;

          severity dynamic;

          stderr;
        };
        ${lib.concatMapStringsSep "\n" (category: "category ${category} { stderr_chan; };")
        [
          "client"
          "cname"
          "config"
          "database"
          "default"
          "dispatch"
          "dnssec"
          "dnstap"
          "edns-disabled"
          "general"
          "lame-servers"
          "network"
          "notify"
          "nsid"
          "queries"
          "query-errors"
          "rate-limit"
          "resolver"
          "rpz"
          "rpz-passthru"
          "security"
          "serve-stale"
          "spill"
          "sslkeylog"
          "trust-anchor-telemetry"
          "unmatched"
          "update"
          "update-security"
          "xfer-in"
          "xfer-out"
          "zoneload"
        ]}
      };
    '';
    extraOptions = ''
      dnssec-validation auto;
      max-cache-size 512M;
      max-ncache-ttl 1M;
      allow-query-cache { cachenetworks; };

    '';
  };

  systemd.services.bind.serviceConfig = {
    StandardError = "journal";
  };

  services.dnscrypt-proxy2 = {
    enable = true;
    upstreamDefaults = true;
    settings = {
      listen_addresses = lib.singleton "127.0.0.1:5300";

      dnscrypt_servers = false;
      doh_servers = true;
      odoh_servers = false;

      block_ipv6 = true;

      static."mullvad".stamp = "sdns://AgcAAAAAAAAACzE5NC4yNDIuMi4yAA9kbnMubXVsbHZhZC5uZXQKL2Rucy1xdWVyeQ";
      sources = {};

      max_clients = 256;

      cache_size = 128;
    };
  };

  services.resolved.fallbackDns = lib.mkForce [];
  networking.nameservers = lib.mkForce [
    "10.1.0.1"
  ];
}
Add DNS resolver to `hela` Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-11-10 15:25:21 +01:00			`{`
			`lib,`
			`config,`
			`...`
			`}: let`
			`in {`
			`services.bind = {`
			`enable = true;`
			`forward = "only";`
			`forwarders = [`
`hela`: implement captive DNS Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-11-14 16:23:28 +01:00			`"127.0.0.1 port 5300"`
Add DNS resolver to `hela` Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-11-10 15:25:21 +01:00			`];`

			`directory = "/var/lib/bind";`

			`cacheNetworks = [`
`hela`: implement captive DNS Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-11-14 16:23:28 +01:00			`"127.0.0.0/8"`
Add DNS resolver to `hela` Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-11-10 15:25:21 +01:00			`"10.1.0.0/19"`
`hela`: implement captive DNS Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-11-14 16:23:28 +01:00			`"10.0.0.1/32" # needed due to SNAT when redirecting DNS in border`
Add DNS resolver to `hela` Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-11-10 15:25:21 +01:00			`"192.168.1.0/24"`
			`];`

			`extraConfig = ''`
			`logging {`
			`channel stderr_chan {`
			`print-category yes;`
			`print-severity yes;`

			`severity dynamic;`

			`stderr;`
			`};`
			`${lib.concatMapStringsSep "\n" (category: "category ${category} { stderr_chan; };")`
			`[`
			`"client"`
			`"cname"`
			`"config"`
			`"database"`
			`"default"`
			`"dispatch"`
			`"dnssec"`
			`"dnstap"`
			`"edns-disabled"`
			`"general"`
			`"lame-servers"`
			`"network"`
			`"notify"`
			`"nsid"`
			`"queries"`
			`"query-errors"`
			`"rate-limit"`
			`"resolver"`
			`"rpz"`
			`"rpz-passthru"`
			`"security"`
			`"serve-stale"`
			`"spill"`
			`"sslkeylog"`
			`"trust-anchor-telemetry"`
			`"unmatched"`
			`"update"`
			`"update-security"`
			`"xfer-in"`
			`"xfer-out"`
			`"zoneload"`
			`]}`
			`};`
			`'';`
			`extraOptions = ''`
			`dnssec-validation auto;`
			`max-cache-size 512M;`
			`max-ncache-ttl 1M;`
			`allow-query-cache { cachenetworks; };`

			`'';`
			`};`

			`systemd.services.bind.serviceConfig = {`
			`StandardError = "journal";`
			`};`
`hela`: implement captive DNS Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-11-14 16:23:28 +01:00
			`services.dnscrypt-proxy2 = {`
			`enable = true;`
			`upstreamDefaults = true;`
			`settings = {`
			`listen_addresses = lib.singleton "127.0.0.1:5300";`

			`dnscrypt_servers = false;`
			`doh_servers = true;`
			`odoh_servers = false;`

			`block_ipv6 = true;`

			`static."mullvad".stamp = "sdns://AgcAAAAAAAAACzE5NC4yNDIuMi4yAA9kbnMubXVsbHZhZC5uZXQKL2Rucy1xdWVyeQ";`
			`sources = {};`

			`max_clients = 256;`

			`cache_size = 128;`
			`};`
			`};`
`hela`: set DNS properly to itself Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-11-15 14:04:33 +01:00
			`services.resolved.fallbackDns = lib.mkForce [];`
			`networking.nameservers = lib.mkForce [`
			`"10.1.0.1"`
			`];`
Add DNS resolver to `hela` Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-11-10 15:25:21 +01:00			`}`