depot/ops/nixos/lib/coredns/default.nix


# CoreDNS for AS205479.
#
# Two roles on one daemon:
#   * authoritative for the forward zone and the IPv4 / IPv6 reverse zones in
#     `authoritativeZones` (one Corefile server block each, served from the
#     zone files shipped to /etc/coredns-zones);
#   * a recursive resolver (catch-all `.` block, `forward` to Google Public
#     DNS) that only answers clients in the `acl` allow list, so the host is
#     not an open resolver even though port 53 is open to the world.
#
# `depot` is accepted to keep the module signature uniform; it is not used.
{ depot, lib, ... }:
let
  # Zones this server is authoritative for. Every entry must have a matching
  # db.<zone> file in ./zones (copied to /etc/coredns-zones below).
  authoritativeZones = [
    "as205479.net"
    # reverse for 92.118.28.0/22 (the same range the acl allows below)
    "28.118.92.in-addr.arpa"
    "29.118.92.in-addr.arpa"
    "30.118.92.in-addr.arpa"
    "31.118.92.in-addr.arpa"
    # reverse for 2a09:a440::/29, one nibble zone per /32 (2a09:a440 .. 2a09:a447)
    "0.4.4.a.9.0.a.2.ip6.arpa"
    "1.4.4.a.9.0.a.2.ip6.arpa"
    "2.4.4.a.9.0.a.2.ip6.arpa"
    "3.4.4.a.9.0.a.2.ip6.arpa"
    "4.4.4.a.9.0.a.2.ip6.arpa"
    "5.4.4.a.9.0.a.2.ip6.arpa"
    "6.4.4.a.9.0.a.2.ip6.arpa"
    "7.4.4.a.9.0.a.2.ip6.arpa"
  ];

  # Render one authoritative server block. These blocks deliberately carry no
  # `acl`: an authoritative server has to answer anyone. No `transfer` plugin
  # is configured either, so zone transfers are not offered on CoreDNS versions
  # that gate AXFR/IXFR on `transfer` (older releases take `transfer to` inside
  # `file`; none is given here) — verify against the deployed version if a
  # secondary is expected to pull these zones.
  zoneServerBlock = zone: ''
    ${zone} {
      import zonehdr
      file /etc/coredns-zones/db.${zone} ${zone}
    }
  '';

  # The full Corefile.
  #
  # `.` (catch-all) block — everything not covered by a zone block above:
  #   * `acl` allows RFC 1918, loopback, CGNAT (100.64/10) space, the AS's own
  #     v4 /22 and v6 /29, and `block`s (REFUSED) every other source. CoreDNS
  #     orders plugins by its compiled-in plugin list, not by Corefile order,
  #     so the acl is evaluated ahead of `chaos` and `forward` regardless of
  #     how the lines are written here.
  #   * `forward` sends recursion upstream in cleartext to 8.8.8.8 / 8.8.4.4 and
  #     their v6 twins. Hardening option not taken here: `tls://` upstreams with
  #     `tls_servername` to protect the upstream leg.
  #   * `chaos` answers CH-class queries (version.bind etc.); it sits behind the
  #     same acl and is absent from the authoritative blocks, so the version
  #     string is not exposed to the public.
  #   * `log` records every query that reaches this block, i.e. all recursive
  #     lookups from the allowed networks.
  #
  # `(zonehdr)` snippet — shared by every authoritative block:
  #   `prometheus` with no address uses CoreDNS's default metrics listener
  #   (localhost:9153); `loadbalance round_robin` rotates A/AAAA answer order.
  corefile = ''
    . {
      chaos
      log
      errors
      acl {
        allow net 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 100.64.0.0/10
        allow net 92.118.28.0/22
        allow net 2a09:a440::/29 ::1/128
        block
      }
      forward . 2001:4860:4860::8888 2001:4860:4860::8844 8.8.8.8 8.8.4.4
    }
    (zonehdr) {
      prometheus
      log
      errors
      loadbalance round_robin
    }
    ${lib.concatStringsSep "\n" (map zoneServerBlock authoritativeZones)}
  '';
in
{
  config = {
    # Zone files come from the repo (./zones) via the Nix store; CoreDNS reads
    # them as /etc/coredns-zones/db.<zone>.
    environment.etc."coredns-zones" = {
      source = "${./zones}";
    };

    # Port 53 must be world-reachable for the authoritative role; the recursive
    # role is fenced off by the Corefile acl, not by the firewall.
    networking.firewall.allowedTCPPorts = [
      53 # DNS
    ];
    networking.firewall.allowedUDPPorts = [
      53 # DNS
    ];

    services.coredns = {
      enable = true;
      config = corefile;
    };
  };
}