ad26bde os/host/seed: Initialize knot DNS — radicle-infra

radicle-infra

rad:z254T5p17bdFPmzfDojsdjo4HjpoZ

Radicle Infrastructure as Code (NixOS, OpenTofu, …)

os/host/seed: Initialize knot DNS

Lorenz Leutgeb committed 6 months ago

commit ad26bdef5c082216328fb4e899913a45263a1afa
parent d44d096

4 files changed +236 -0

modified os/host/seed/default.nix

@@ -16,6 +16,7 @@

     ../../mixin/users.nix
     ./attic.nix
     ./knot.nix
     ./ssh.nix
     ./tor.nix
     ./radicle.nix

added os/host/seed/knot.nix

@@ -0,0 +1,201 @@

 {
   pkgs,
   config,
   inputs,
   ...
 }: let
   writeZone = name: text: pkgs.writeText "${name}.zone" text;
   acme = domain: ns:
     writeZone "_acme-challenge.${domain}" ''
       $TTL 600
       @ IN SOA _acme-challenge.${domain}. ${ns}. 2024060801 7200 3600 86400 3600
         IN NS  ${ns}.
     '';
   update = domain: ns:
     writeZone "${domain}" ''
       $TTL 600
       @ IN SOA ${domain}. ${ns}. 2024060801 7200 3600 86400 3600
         IN NS  ${ns}
     '';
   path = ./. + "/zone";
 in {
   environment.etc."knot/common.zone".source = ./zone/common.zone;
   environment.etc."knot/secondaries.zone".source = ./zone/secondaries.zone;
   environment.etc."knot/bootstrap.radicle.xyz.zone".text = ''
     $TTL 3600
     @ SOA ns1 lorenz\.leutgeb.radicle.xyz. 2025101002 14400 3600 1209600 3600
     $INCLUDE common.zone
     $INCLUDE dns-sd.zone
   '';
   networking.firewall = let
     dns = [53];
   in {
     allowedTCPPorts = dns;
     allowedUDPPorts = dns;
   };
   services = {
     knot = {
       enable = true;
       settings = {
         server = {
           listen = [
             "65.108.87.205" # Hetzner
             "2a01:4f9:c011:b666::1" # Hetzner
           ];
           automatic-acl = true;
         };
         remote = [
           {
             id = "slave.dns.he.net";
             address = ["2001:470:600::2" "216.218.133.2"];
           }
           {
             id = "ns1.he.net";
             address = [
               # NOTE: Looks like ns1.he.net prefers to receive zone updates via IPv4?
               # "2001:470:100::2"
               "216.218.130.2"
             ];
           }
           {
             id = "ns2.afraid.org";
             address = [
               "69.65.50.192"
               # NOTE: afraid.org seems to only pull and allow our A, but not AAAA records.
               #"2001:1850:1:5:800::6b"
             ];
           }
           {
             id = "puck.nether.net";
             address = [
               "2602:fe55:5::5"
               # NOTE: Only our IPv6 is allowlisted on their end.
               #"204.42.254.5"
             ];
           }
           {
             id = "1984.is";
             address = "93.95.224.6";
           }
           {
             id = "quad9";
             address = ["2620:fe::fe" "2620:fe::9" "9.9.9.9" "149.112.112.112"];
           }
           {
             id = "hetzner";
             address = [
               "213.239.242.238"
               "213.133.100.103"
               "193.47.99.3"
               "2a01:4f8:0:a101::a:1"
               "2a01:4f8:0:1::5ddc:2"
               "2001:67c:192c::add:a3"
             ];
           }
         ];
         remotes = [
           {
             id = "notify";
             remote = [
               "ns1.he.net"
               "ns2.afraid.org"
               "puck.nether.net"
               "1984.is"
               "hetzner"
             ];
           }
           {
             id = "transfer";
             remote = [
               "slave.dns.he.net"
               "ns2.afraid.org"
               "puck.nether.net"
               "1984.is"
               "hetzner"
             ];
           }
         ];
         log = [
           {
             target = "syslog";
             any = "debug";
           }
         ];
         acl = [
           {
             id = "transfer";
             action = [
               "query"
               "transfer"
             ];
             remote = "transfer";
           }
           /*
           {
             id = "acme";
             action = "update";
             key = "acme";
           }
           */
         ];
         mod-rrl = [
           {
             id = "default";
             rate-limit = 500;
             slip = 2;
           }
         ];
         mod-dnsproxy = [
           {
             id = "default";
             remote = "quad9";
             fallback = true;
           }
         ];
         template = [
           {
             id = "default";
             semantic-checks = "on";
             global-module = [
               "mod-rrl/default"
             ];
             zonefile-load = "difference-no-serial";
             zonefile-sync = "-1";
             journal-content = "all";
           }
           {
             id = "primary";
             acl = [
               "transfer"
             ];
           }
         ];
         zone = [
           {
             file = "/etc/knot/bootstrap.zone";
             domain = "bootstrap.radicle.xyz";
             template = "primary";
             dnssec-signing = true;
           }
         ];
       };
     };
   };
 }

added os/host/seed/zone/common.zone

@@ -0,0 +1,17 @@

 $TTL 3600
 @	CAA	0 issue "letsencrypt.org"
 	NS	seed.radicle.xyz
 	A	65.108.87.205
 	AAAA	2a01:4f9:c011:b666::1
 *	A	65.108.87.205
 	AAAA	2a01:4f9:c011:b666::1
 b._dns-sd._udp		86400 PTR bootstrap.radicle.xyz.
 db._dns-sd._udp		86400 PTR bootstrap.radicle.xyz.
 lb._dns-sd._udp		86400 PTR bootstrap.radicle.xyz.
 _services._dns-sd._udp	86400 PTR _radicle-node._tcp

added os/host/seed/zone/secondaries.zone

@@ -0,0 +1,17 @@

 @	NS	ns2.he.net.
 	NS	ns3.he.net.
 	NS	ns4.he.net.
 	NS	ns5.he.net.
 	NS	ns1.afraid.org.
 	NS	ns2.afraid.org.
 	NS	ns0.1984.is.
 	NS	ns1.1984.is.
 	NS	ns2.1984.is.
 	NS	ns1.1984hosting.com.
 	NS	ns2.1984hosting.com.
 	NS	ns1.first-ns.de.
 	NS	robotns2.second-ns.de.
 	NS	robotns3.second-ns.de.