depot/ops/nixos/lib/coredns/default.nix

{ depot, lib, ... }:

{
  config = {
    environment.etc."coredns-zones" = {
      source = ./zones;
    };

    networking.firewall.allowedTCPPorts = [
      53  # DNS
    ];
    networking.firewall.allowedUDPPorts = [
      53  # DNS
    ];

    services.coredns = {
      enable = true;
      config = let
        zones = [
          "as205479.net"
          "28.118.92.in-addr.arpa"
          "29.118.92.in-addr.arpa"
          "30.118.92.in-addr.arpa"
          "31.118.92.in-addr.arpa"
          "0.4.4.a.9.0.a.2.ip6.arpa"
          "1.4.4.a.9.0.a.2.ip6.arpa"
          "2.4.4.a.9.0.a.2.ip6.arpa"
          "3.4.4.a.9.0.a.2.ip6.arpa"
          "4.4.4.a.9.0.a.2.ip6.arpa"
          "5.4.4.a.9.0.a.2.ip6.arpa"
          "6.4.4.a.9.0.a.2.ip6.arpa"
          "7.4.4.a.9.0.a.2.ip6.arpa"
        ];
        mkZone = zone: ''
          ${zone} {
            import zonehdr
            file /etc/coredns-zones/db.${zone} ${zone}
          }
        '';
      in ''
        . {
          chaos
          log
          errors
          acl {
            allow net 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 100.64.0.0/10
            allow net 92.118.28.0/22
            allow net 2a09:a440::/29 ::1/128
            block
          }
          forward . 2001:4860:4860::8888 2001:4860:4860::8844 8.8.8.8 8.8.4.4
        }

        (zonehdr) {
          prometheus
          log
          errors
          loadbalance round_robin
        }

        ${lib.concatMapStringsSep "\n" mkZone zones}
      '';
    };
  };
}
ops/nixos: add coredns 2021-03-20 02:03:23 +00:00			`{ depot, lib, ... }:`

			`{`
			`config = {`
			`environment.etc."coredns-zones" = {`
			`source = ./zones;`
			`};`

lib/coredns: fix firewall 2021-03-20 02:06:08 +00:00			`networking.firewall.allowedTCPPorts = [`
ops/nixos: add coredns 2021-03-20 02:03:23 +00:00			`53 # DNS`
			`];`
lib/coredns: fix firewall 2021-03-20 02:06:08 +00:00			`networking.firewall.allowedUDPPorts = [`
ops/nixos: add coredns 2021-03-20 02:03:23 +00:00			`53 # DNS`
			`];`

			`services.coredns = {`
			`enable = true;`
			`config = let`
			`zones = [`
			`"as205479.net"`
			`"28.118.92.in-addr.arpa"`
			`"29.118.92.in-addr.arpa"`
			`"30.118.92.in-addr.arpa"`
			`"31.118.92.in-addr.arpa"`
			`"0.4.4.a.9.0.a.2.ip6.arpa"`
			`"1.4.4.a.9.0.a.2.ip6.arpa"`
			`"2.4.4.a.9.0.a.2.ip6.arpa"`
			`"3.4.4.a.9.0.a.2.ip6.arpa"`
			`"4.4.4.a.9.0.a.2.ip6.arpa"`
			`"5.4.4.a.9.0.a.2.ip6.arpa"`
			`"6.4.4.a.9.0.a.2.ip6.arpa"`
			`"7.4.4.a.9.0.a.2.ip6.arpa"`
			`];`
			`mkZone = zone: ''`
			`${zone} {`
			`import zonehdr`
			`file /etc/coredns-zones/db.${zone} ${zone}`
			`}`
			`'';`
			`in ''`
			`. {`
			`chaos`
			`log`
			`errors`
			`acl {`
coredns: allow tailscale net 2021-07-16 01:32:54 +00:00			`allow net 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 100.64.0.0/10`
ops/nixos: add coredns 2021-03-20 02:03:23 +00:00			`allow net 92.118.28.0/22`
			`allow net 2a09:a440::/29 ::1/128`
			`block`
			`}`
			`forward . 2001:4860:4860::8888 2001:4860:4860::8844 8.8.8.8 8.8.4.4`
			`}`

			`(zonehdr) {`
			`prometheus`
			`log`
			`errors`
			`loadbalance round_robin`
			`}`

			`${lib.concatMapStringsSep "\n" mkZone zones}`
			`'';`
			`};`
			`};`
			`}`