gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(extern): dns

Browse source
This commit is contained in:
arcnmx 2024-04-06 10:48:26 -07:00
parent 6db8e4e304
commit 510be2a5bb
6 changed files with 153 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
lib.nix
View file

@ -87,7 +87,7 @@ in {
gensokyo-zone = {
inherit inputs;
inherit (inputs) self;
inherit (inputs.self.lib) tree meta lib;
inherit (inputs.self.lib) tree meta lib systems;
};
generate = import ./generate.nix {inherit inputs tree;};
}

140
modules/extern/nixos/dns.nix vendored Normal file
View file

@ -0,0 +1,140 @@
{
config,
lib,
gensokyo-zone,
pkgs,
...
}: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkOrder mkBefore mkOptionDefault;
inherit (lib.lists) optionals;
inherit (gensokyo-zone.lib) unmerged;
cfg = config.gensokyo-zone.dns;
dnsModule = {
gensokyo-zone,
nixosConfig,
config,
pkgs,
...
}: let
inherit (gensokyo-zone.lib) unmerged;
inherit (nixosConfig.gensokyo-zone) access;
inherit (nixosConfig.networking) enableIPv6;
enabled = {
resolved = nixosConfig.services.resolved.enable;
avahiResolver = nixosConfig.services.avahi.enable && (nixosConfig.services.avahi.nssmdns4 || nixosConfig.services.avahi.nssmdns4);
tailscale = access.tail.enabled;
};
in {
options = with lib.types; {
enable = mkEnableOption "dns settings";
prioritise = mkOption {
type = bool;
description = "prioritize our resolver over systemd-resolved";
};
fixHostname = mkOption {
type = bool;
default = true;
description = "work around https://github.com/NixOS/nixpkgs/issues/132646";
};
nameservers = mkOption {
type = listOf str;
};
fallback = mkOption {
type = nullOr (enum [ "cloudflare" "google" ]);
default = "cloudflare";
};
fallbackNameservers = mkOption {
type = listOf str;
description = "set by config.fallback";
};
set = {
resolvedSettings = mkOption {
type = unmerged.type;
default = {};
};
nssSettings = mkOption {
type = unmerged.type;
default = {};
};
};
};
config = {
prioritise = mkMerge [
(mkOptionDefault false)
(mkIf (access.local.enable && (enabled.resolved || enabled.avahiResolver)) (mkAlmostOptionDefault true))
];
nameservers = let
inherit (gensokyo-zone.systems) utsuho hakurei;
in mkMerge [
(mkIf access.local.enable [
(mkIf enableIPv6 utsuho.config.access.address6ForNetwork.local)
utsuho.config.access.address4ForNetwork.local
])
# TODO: mirror or tunnel on hakurei or something .-.
(mkIf (access.tail.enabled && false) [
(mkIf enableIPv6 hakurei.config.access.address6ForNetwork.tail)
hakurei.config.access.address4ForNetwork.tail
])
];
fallbackNameservers = mkOptionDefault {
cloudflare = [
"1.1.1.1#cloudflare-dns.com"
"1.0.0.1#cloudflare-dns.com"
];
google = optionals enableIPv6 [
"[2001:4860:4860::8888]#dns.google"
"[2001:4860:4860::8844]#dns.google"
] ++ [
"8.8.8.8#dns.google"
"8.8.4.4#dns.google"
];
${toString null} = [ ];
}.${toString config.fallback};
set = {
nssSettings = {
hosts = mkMerge [
(mkIf config.prioritise (mkOrder 475 ["dns"]))
(mkIf (config.fixHostname && nixosConfig.services.resolved.enable) (mkOrder 450 ["files"]))
];
};
resolvedSettings = {
# TODO: enable = mkIf (!resolved.enable) false;
extraConfig = mkIf config.prioritise ''
DNSStubListener=no
'';
};
};
};
};
in {
imports = [
./access.nix
];
options.gensokyo-zone.dns = mkOption {
type = lib.types.submoduleWith {
modules = [dnsModule];
specialArgs = {
inherit gensokyo-zone pkgs;
inherit (gensokyo-zone) inputs;
nixosConfig = config;
};
};
default = { };
};
config = {
networking.nameservers = mkIf (cfg.enable && cfg.nameservers != [ ]) (mkMerge [
(mkBefore cfg.nameservers)
cfg.fallbackNameservers
]);
services.resolved = mkIf cfg.enable (unmerged.merge cfg.set.resolvedSettings);
system.nssDatabases = mkIf cfg.enable (unmerged.merge cfg.set.nssSettings);
# TODO: networking.hosts? many served by dnsmasq are statically determined anyway...
lib.gensokyo-zone.dns = {
inherit cfg dnsModule;
};
};
}

7
modules/extern/nixos/krb5.nix vendored
View file

@ -350,6 +350,13 @@ in {
services.ntp.enable = mkIf (cfg.enable && cfg.ntp.enable) (mkAlmostOptionDefault true);
networking = {
timeServers = mkIf (cfg.enable && cfg.ntp.enable) cfg.ntp.servers;
hosts = let
inherit (gensokyo-zone.systems) freeipa;
# TODO: consider hakurei instead...
in mkIf (cfg.enable && !config.gensokyo-zone.dns.enable or false && config.gensokyo-zone.access.local.enable) {
${freeipa.config.access.address6ForNetwork.local} = mkIf config.networking.enableIPv6 (mkBefore [ cfg.host ]);
${freeipa.config.access.address4ForNetwork.local} = mkBefore [ cfg.host ];
};
};
${if options ? sops.secrets then "sops" else null}.secrets = let
sopsFile = mkDefault ../secrets/krb5.yaml;

2
nixos/base/network.nix
View file

@ -21,6 +21,6 @@ in {
# work around https://github.com/NixOS/nixpkgs/issues/132646
system.nssDatabases.hosts = mkIf config.services.resolved.enable (
mkOrder 500 [ "files" ]
mkOrder 450 [ "files" ]
);
}

2
nixos/reisen-ct/network.nix
View file

@ -32,7 +32,7 @@ in {
# prioritize our resolver over systemd-resolved!
system.nssDatabases.hosts = let
avahiResolverEnabled = config.services.avahi.enable && (config.services.avahi.nssmdns4 || config.services.avahi.nssmdns4);
in mkIf (enableDns && (config.services.resolved.enable || avahiResolverEnabled)) (mkOrder 499 ["dns"]);
in mkIf (enableDns && (config.services.resolved.enable || avahiResolverEnabled)) (mkOrder 475 ["dns"]);
services.resolved.extraConfig = mkIf enableDns ''
DNSStubListener=no
'';

3
systems/extern-test/nixos.nix
View file

@ -28,6 +28,9 @@ in {
sssd.enable = true;
nfs.enable = true;
};
dns = {
# TODO: enable = true;
};
# TODO: users?
};