depot/ops/nixos/lib/coredns/default.nix


# NixOS module for CoreDNS on this host. It plays two roles in one Corefile:
# a recursive resolver (the `.` server block) whose clients are restricted by
# an acl, and the authoritative server for as205479.net plus the reverse zones
# of 92.118.28.0/22 and 2a09:a440::/29 (one server block per zone, generated by
# mkZone below).
{ depot, lib, config, ... }:
{
  # Addresses/interfaces CoreDNS listens on; rendered into the `bind` line of
  # the (global) snippet, which every server block imports.
  # NOTE(review): the default `[]` renders a bare `bind` directive with no
  # address — confirm CoreDNS accepts that, otherwise this option should be
  # required or asserted non-empty.
  options.my.coredns.bind = lib.mkOption {
    type = lib.types.listOf lib.types.str;
    default = [];
  };

  config = {
    # The ./zones directory is copied into the Nix store and linked at
    # /etc/coredns-zones; the per-zone `file` directives read db.<zone> from
    # there. Store paths are world-readable, so only public zone data belongs
    # in ./zones.
    environment.etc."coredns-zones" = {
      source = "${./zones}";
    };

    # Port 53 is opened in the host firewall for all interfaces. Which
    # addresses actually answer is narrowed by the bind list above, and which
    # clients may recurse is narrowed by the acl block in the `.` server.
    networking.firewall.allowedTCPPorts = [
      53 # DNS
    ];
    networking.firewall.allowedUDPPorts = [
      53 # DNS
    ];

    # Turn off systemd's start-rate limiting so a crash-looping coredns is
    # restarted indefinitely rather than left in the failed state.
    systemd.services.coredns.unitConfig.StartLimitIntervalSec = "0";

    services.coredns = {
      enable = true;
      # The Corefile is assembled as one string.
      #
      # (global)  — shared `bind` line, imported by every server block.
      # .         — recursive resolver. `acl` allows RFC 1918, loopback and
      #             CGNAT (100.64.0.0/10) ranges plus this network's own
      #             prefixes (92.118.28.0/22, 2a09:a440::/29, ::1) and blocks
      #             everything else, so the forwarder is not an open resolver.
      #             Plugin order in the chain is fixed by CoreDNS itself, not
      #             by Corefile line order, so `acl` is evaluated before
      #             `forward` regardless of where it is written.
      #             `forward` sends upstream queries in plaintext to Google
      #             Public DNS; if confidentiality of upstream traffic matters,
      #             the forward plugin's `tls://` upstreams with
      #             `tls_servername` are the usual alternative.
      #             `chaos` with no arguments answers CH-class queries with the
      #             running CoreDNS version — a small information disclosure
      #             to consider. `log` records every query including the
      #             client address.
      # (zonehdr) — plugin set shared by the authoritative zones: metrics,
      #             logging and round-robin ordering of multiple records. No
      #             acl here on purpose: authoritative data must be answerable
      #             to anyone.
      config = let
        # Zones served authoritatively: the forward zone, the four IPv4
        # reverse zones covering 92.118.28.0/22, and the eight IPv6 reverse
        # zones (one per /32) covering 2a09:a440::/29.
        zones = [
          "as205479.net"
          "28.118.92.in-addr.arpa"
          "29.118.92.in-addr.arpa"
          "30.118.92.in-addr.arpa"
          "31.118.92.in-addr.arpa"
          "0.4.4.a.9.0.a.2.ip6.arpa"
          "1.4.4.a.9.0.a.2.ip6.arpa"
          "2.4.4.a.9.0.a.2.ip6.arpa"
          "3.4.4.a.9.0.a.2.ip6.arpa"
          "4.4.4.a.9.0.a.2.ip6.arpa"
          "5.4.4.a.9.0.a.2.ip6.arpa"
          "6.4.4.a.9.0.a.2.ip6.arpa"
          "7.4.4.a.9.0.a.2.ip6.arpa"
        ];
        # One authoritative server block per zone, loading the zone file
        # installed under /etc/coredns-zones above.
        mkZone = zone: ''
          ${zone} {
            import zonehdr
            file /etc/coredns-zones/db.${zone} ${zone}
          }
        '';
      in ''
        (global) {
          bind ${lib.concatStringsSep " " config.my.coredns.bind}
        }
        . {
          import global
          chaos
          log
          errors
          acl {
            allow net 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 100.64.0.0/10
            allow net 92.118.28.0/22
            allow net 2a09:a440::/29 ::1/128
            block
          }
          forward . 2001:4860:4860::8888 2001:4860:4860::8844 8.8.8.8 8.8.4.4
        }
        (zonehdr) {
          import global
          prometheus
          log
          errors
          loadbalance round_robin
        }
        ${lib.concatMapStringsSep "\n" mkZone zones}
      '';
    };
  };
}