Testing out new DNS setup

KubqoA · Oct 8, 2024 · eedabc3 · eedabc3
1 parent c2b5fda
commit eedabc3
Show file tree

Hide file tree

Showing 7 changed files with 106 additions and 74 deletions.
diff --git a/hosts/organ/default.nix b/hosts/organ/default.nix
@@ -6,7 +6,6 @@
 }: {
   imports =
     [
-      ./dns.nix
       ./git.nix
       ./hardware-configuration.nix
       ./mail.nix
@@ -16,8 +15,11 @@
     ]
     ++ lib._.moduleImports [
       "common/nix"
+      "server/dns"
     ];
 
+  server.dns.zones."jakubarbet.me" = ./jakubarbet.me.zone;
+
   age.secrets = lib._.defineSecrets ["organ-jakub-password-hash"] {};
 
   users.users = {

diff --git a/hosts/organ/dns.nix b/hosts/organ/dns.nix
diff --git a/hosts/organ/jakubarbet.me.conf → hosts/organ/jakubarbet.me.zone b/hosts/organ/jakubarbet.me.conf → hosts/organ/jakubarbet.me.zone
diff --git a/modules/server/dns/default.nix b/modules/server/dns/default.nix
@@ -0,0 +1,94 @@
+# DNS master setup with dns.he.net as slave, with TSIG signed zone transfers,
+# with automatic zone increments and dnssec signing, and multiple zone support.
+#
+# Usage:
+#
+# imports = lib._.moduleImports ["server/dns"]
+# server.dns.zones."jakubarbet.me" = ./jakubarbet.me.zone;
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  options = {
+    server.dns.zones = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {};
+      description = "An attribute set of zone names to zone files";
+    };
+  };
+
+  config = {
+    # Creates 3 activation scripts for each zone:
+    # - dns-tsig-${zoneName} - generates TSIG key if it doesn't exist
+    # - dns-dnssec-${zoneName} - generates DNSSEC key if it doesn't exist
+    # - dns-zone-${zoneName} - increments zone serial, and signs the zone
+    system.activationScripts = let
+      mkActivationScripts = zoneName: zoneFile: {
+        "dns-tsig-${zoneName}".text = ''
+          mkdir -p /etc/named
+          # Generate TSIG key if it doesn't exist
+          if [ ! -f /etc/named/${zoneName}.tsig ]; then
+            echo "[dns-tsig] Generating TSIG key for ${zoneName}:"
+            ${pkgs.bind}/bin/tsig-keygen ${zoneName} > /etc/named/${zoneName}.tsig
+            chmod 640 /etc/named/${zoneName}.tsig
+            chown root:named /etc/named/${zoneName}.tsig
+            cat /etc/named/${zoneName}.tsig
+          fi
+        '';
+        "dns-dnssec-${zoneName}".text = ''
+          mkdir -p /etc/named
+          # Generate DNSSEC key if it doesn't exist
+          if ls /etc/named/K${zoneName}*.key >/dev/null 2>/dev/null; then
+            echo "[dns-dnssec] Generating DNSSEC key for ${zoneName}"
+            ${pkgs.bind}/bin/dnssec-keygen -a NSEC3RSASHA1 -b 2048 -K /etc/named -n ZONE "${zoneName}" 2>/dev/null
+            ${pkgs.bind}/bin/dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -K /etc/named -n ZONE "${zoneName}"  2>/dev/null
+          fi
+        '';
+        "dns-zone-${zoneName}" = {
+          deps = ["dns-dnssec-${zoneName}"];
+          text =
+            builtins.replaceStrings
+            ["cmp" "dnssec-signzone" "named-checkzone" "sed" "$ZONE" "$ZONE_PATH"]
+            ["${pkgs.diffutils}/bin/cmp" "${pkgs.bind}/bin/dnssec-keygen" "${pkgs.bind}/bin/named-checkzone" "${pkgs.gnused}/bin/sed" "${zoneName}" "${zoneFile}"]
+            (builtins.readFile ./increment-and-sign-zone.sh);
+        };
+      };
+    in
+      lib.mkMerge (
+        lib.mapAttrsToList mkActivationScripts config.server.dns.zones
+      );
+
+    services.bind = {
+      enable = true;
+      listenOn = ["any"];
+      listenOnIpv6 = ["any"];
+      extraConfig = lib.concatMapStrings (zoneName: ''
+        include "/etc/named/${zoneName}.tsig";
+      '') (builtins.attrNames config.server.dns.zones);
+      extraOptions = ''
+        dnssec-validation yes;
+      '';
+      zones = let
+        mkZoneConfig = zoneName: zoneFile: {
+          master = true;
+          file = "/etc/named/${zoneName}.zone.signed";
+          slaves = ["key ${zoneName}"];
+          extraConfig = ''
+            also-notify {
+              216.218.130.2 key ${zoneName};
+              2001:470:100::2 key ${zoneName};
+            };
+          '';
+        };
+      in
+        lib.mapAttrs mkZoneConfig config.server.dns.zones;
+    };
+
+    # Bind ports:
+    # - 53 TCP/UDP for zone transfers
+    networking.firewall.allowedTCPPorts = [53];
+    networking.firewall.allowedUDPPorts = [53];
+  };
+}
diff --git a/hosts/organ/increment-and-sign-zone.sh → ...les/server/dns/increment-and-sign-zone.sh b/hosts/organ/increment-and-sign-zone.sh → ...les/server/dns/increment-and-sign-zone.sh
@@ -2,8 +2,6 @@
 
 set -e
 
-ZONE="jakubarbet.me"
-
 increment_serial() {
   local current_serial=$1
   local current_date=$(date +%Y%m%d)
@@ -24,37 +22,30 @@ increment_serial() {
   echo $new_serial
 }
 
-if [ ! -d /etc/named ]; then
-  echo "[dnssec] /etc/named not found generating dnssec keys"
-  mkdir -p /etc/named
-  dnssec-keygen -a NSEC3RSASHA1 -b 2048 -K /etc/named -n ZONE "$ZONE" 2>/dev/null
-  dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -K /etc/named -n ZONE "$ZONE" 2>/dev/null
-fi
-
-if [ -f "/etc/named/$ZONE.conf.orig" ] && $(cmp -s ./jakubarbet.me.conf "/etc/named/$ZONE.conf.orig"); then
-  echo "[dnssec] Zone not changed"
+if [ -f "/etc/named/$ZONE.zone.orig" ] && $(cmp -s "$ZONE_PATH" "/etc/named/$ZONE.zone.orig"); then
+  echo "[dnssec] Zone $ZONE not changed"
   exit
 fi
 
 cd /etc/named
 current_serial="0000000000"
-if [ -f "/etc/named/$ZONE.conf" ]; then
-  current_serial=$(named-checkzone "$ZONE" "/etc/named/$ZONE.conf" | egrep -ho '[0-9]{10}')
+if [ -f "/etc/named/$ZONE.zone" ]; then
+  current_serial=$(named-checkzone "$ZONE" "/etc/named/$ZONE.zone" | egrep -ho '[0-9]{10}')
 fi
 new_serial=$(increment_serial $current_serial)
 
-cp ./jakubarbet.me.conf "/etc/named/$ZONE.conf"
-cp "/etc/named/$ZONE.conf"{,.orig}
-sed -i "s/\$SERIAL/$new_serial/" "$ZONE.conf"
+cp "$ZONE_PATH" "/etc/named/$ZONE.zone"
+cp "/etc/named/$ZONE.zone"{,.orig}
+sed -i "s/\$SERIAL/$new_serial/" "$ZONE.zone"
 echo "[dnssec] Zone $ZONE with serial $new_serial"
 
 for key in `ls K$ZONE*.key`
 do
-  echo "\$INCLUDE $key">> "$ZONE.conf"
+  echo "\$INCLUDE $key">> "$ZONE.zone"
 done
 
 echo "[dnssec] Signing zone"
-dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o "$ZONE" -t "$ZONE.conf" >/dev/null
+dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o "$ZONE" -t "$ZONE.zone" >/dev/null
 
 echo "[dnssec] Please set the following DS records at the registrar"
 cat "dsset-$ZONE."
diff --git a/secrets/organ-jakubarbetme-tsig.age b/secrets/organ-jakubarbetme-tsig.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -2,7 +2,6 @@ let
   organ = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnWZPJ3Rll6Hxver8iH6TpM0EmNx75+zLuXENGT4fHG";
 in {
   "organ-jakub-password-hash.age".publicKeys = [organ];
-  "organ-jakubarbetme-tsig.age".publicKeys = [organ];
   "organ-sasl-passwd.age".publicKeys = [organ];
   "organ-tailscale-auth-key.age".publicKeys = [organ];
   "organ-git-ssh-key.age".publicKeys = [organ];