use bind for local dns

This commit is contained in:
Noah Masur 2023-07-18 03:52:37 +00:00
parent 9e8bac6834
commit 22cba9acac
7 changed files with 88 additions and 61 deletions

View File

@ -126,7 +126,6 @@
mail.smtpHost = "smtp.purelymail.com"; mail.smtpHost = "smtp.purelymail.com";
dotfilesRepo = "git@github.com:nmasur/dotfiles"; dotfilesRepo = "git@github.com:nmasur/dotfiles";
hostnames = { hostnames = {
zone = baseName;
git = "git.${baseName}"; git = "git.${baseName}";
metrics = "metrics.${baseName}"; metrics = "metrics.${baseName}";
prometheus = "prom.${baseName}"; prometheus = "prom.${baseName}";

View File

@ -53,6 +53,7 @@ inputs.nixpkgs.lib.nixosSystem {
dotfiles.enable = true; dotfiles.enable = true;
arrs.enable = true; arrs.enable = true;
services.bind.enable = true;
services.caddy.enable = true; services.caddy.enable = true;
services.jellyfin.enable = true; services.jellyfin.enable = true;
services.nextcloud.enable = true; services.nextcloud.enable = true;

View File

@ -10,6 +10,9 @@
services.avahi = { services.avahi = {
enable = true; enable = true;
domainName = "local"; domainName = "local";
ipv6 = false; # Should work either way
# Resolve local hostnames using Avahi DNS
nssmdns = true;
publish = { publish = {
enable = true; enable = true;
addresses = true; addresses = true;
@ -17,10 +20,6 @@
workstation = true; workstation = true;
}; };
}; };
# Resolve local hostnames using Avahi DNS
services.avahi.nssmdns = true;
}; };
} }

View File

@ -1,12 +1,27 @@
{ pkgs, ... }: { { config, pkgs, lib, ... }:
config = { let
localIp = "192.168.1.218";
localServices = [
config.hostnames.stream
config.hostnames.content
config.hostnames.books
config.hostnames.download
];
mkRecord = service: "${service} A ${localIp}";
localRecords = lib.concatLines (map mkRecord localServices);
in {
config = lib.mkIf config.services.bind.enable {
caddy.cidrAllowlist = [ "192.168.0.0/16" ];
services.bind = { services.bind = {
cacheNetworks = [ "127.0.0.0/24" "192.168.0.0/16" ];
cacheNetworks = [ "192.168.0.0/16" ];
forwarders = [ "1.1.1.1" "1.0.0.1" ]; forwarders = [ "1.1.1.1" "1.0.0.1" ];
ipv4Only = true;
# Use rpz zone as an override # Use rpz zone as an override
extraOptions = ''response-policy { zone "rpz"; };''; extraOptions = ''response-policy { zone "rpz"; };'';
@ -25,13 +40,16 @@
) )
IN NS localhost. IN NS localhost.
localhost A 127.0.0.1 localhost A 127.0.0.1
stream A 192.168.0.218 ${localRecords}
''; '';
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
}; };
} }

View File

@ -1,55 +1,70 @@
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
options = { options = {
caddy.tlsPolicies = lib.mkOption { caddy = {
type = lib.types.listOf lib.types.attrs; tlsPolicies = lib.mkOption {
description = "Caddy JSON TLS policies"; type = lib.types.listOf lib.types.attrs;
default = [ ]; description = "Caddy JSON TLS policies";
}; default = [ ];
caddy.routes = lib.mkOption { };
type = lib.types.listOf lib.types.attrs; routes = lib.mkOption {
description = "Caddy JSON routes for http servers"; type = lib.types.listOf lib.types.attrs;
default = [ ]; description = "Caddy JSON routes for http servers";
}; default = [ ];
caddy.blocks = lib.mkOption { };
type = lib.types.listOf lib.types.attrs; blocks = lib.mkOption {
description = "Caddy JSON error blocks for http servers"; type = lib.types.listOf lib.types.attrs;
default = [ ]; description = "Caddy JSON error blocks for http servers";
default = [ ];
};
cidrAllowlist = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "CIDR blocks to allow for requests";
default = [ "127.0.0.1/32" ];
};
}; };
}; };
config = config = lib.mkIf config.services.caddy.enable {
lib.mkIf (config.services.caddy.enable && config.caddy.routes != [ ]) {
services.caddy = { # Force Caddy to 403 if not coming from allowlisted source
adapter = "''"; # Required to enable JSON caddy.routes = [{
configFile = pkgs.writeText "Caddyfile" (builtins.toJSON { match = [{ not = [{ remote_ip.ranges = config.caddy.cidrAllowlist; }]; }];
apps.http.servers.main = { handle = [{
listen = [ ":443" ]; handler = "static_response";
routes = config.caddy.routes; status_code = "403";
errors.routes = config.caddy.blocks; }];
# logs = { }; # Uncomment to collect access logs }];
services.caddy = {
adapter = "''"; # Required to enable JSON
configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
apps.http.servers.main = {
listen = [ ":443" ];
routes = config.caddy.routes;
errors.routes = config.caddy.blocks;
# logs = { }; # Uncomment to collect access logs
};
apps.http.servers.metrics = { }; # Enables Prometheus metrics
apps.tls.automation.policies = config.caddy.tlsPolicies;
logging.logs.main = {
encoder = { format = "console"; };
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/caddy.log";
roll = true;
}; };
apps.http.servers.metrics = { }; # Enables Prometheus metrics level = "INFO";
apps.tls.automation.policies = config.caddy.tlsPolicies; };
logging.logs.main = { });
encoder = { format = "console"; };
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/caddy.log";
roll = true;
};
level = "INFO";
};
});
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
};
} }

View File

@ -41,13 +41,7 @@ in {
config = lib.mkIf config.cloudflare.enable { config = lib.mkIf config.cloudflare.enable {
# Forces Caddy to error if coming from a non-Cloudflare IP # Forces Caddy to error if coming from a non-Cloudflare IP
caddy.routes = [{ caddy.cidrAllowlist = cloudflareIpRanges;
match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }];
handle = [{
handler = "static_response";
status_code = "403";
}];
}];
# Tell Caddy to use Cloudflare DNS for ACME challenge validation # Tell Caddy to use Cloudflare DNS for ACME challenge validation
services.caddy.package = (pkgs.callPackage ../../../overlays/caddy.nix { services.caddy.package = (pkgs.callPackage ../../../overlays/caddy.nix {

View File

@ -3,6 +3,7 @@
imports = [ imports = [
./arr.nix ./arr.nix
./backups.nix ./backups.nix
./bind.nix
./caddy.nix ./caddy.nix
./calibre.nix ./calibre.nix
./cloudflare-tunnel.nix ./cloudflare-tunnel.nix