add dns

flake.nix

@@ -150,6 +150,19 @@
             ];
           };
 
+          "dns01" = mkNixosConfig {
+            # DNS 01
+
+            hostname = "dns01";
+            system = "x86_64-linux";
+            hardwareModules = [
+              ./nixos/profiles/hw-generic-x86.nix
+            ];
+            profileModules = [
+              ./nixos/profiles/role-server.nix
+              { home-manager.users.spiceratops = ./nixos/home/spiceratops/server.nix; }
+            ];
+          };
 
         };
 

nixos/hosts/bootstrap.nix

@@ -18,11 +18,10 @@
     extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
     packages = with pkgs; [
     ];
-    # TODO
-    # openssh.authorizedKeys.keys = [
-    #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home"
-    # ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcbIqtYV7xyO1+sP1sCx+/Z6HYTsh+1gYG+5VF1pCW3 Spiceratops"
+    ];
   };
-  #TODO networking.hostId = "0a90730f";
+  networking.hostId = "3de58d94814393ed16548678c8aae1bc";
   system.stateVersion = "24.05";
 }

nixos/hosts/dns01/default.nix

@@ -0,0 +1,93 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+{ config
+, lib
+, pkgs
+, ...
+}: {
+  imports = [
+
+
+  ];
+
+  mySystem.services = {
+
+    openssh.enable = true;
+    cfDdns.enable = true;
+    powerdns = {
+      enable = true;
+      admin-ui = false;
+    };
+    adguardhome.enable = true;
+  };
+
+    mySystem.system = {
+      zfs.enable = true;
+      zfs.mountPoolsAtBoot = [ "rpool" ];
+    };
+
+  # no mutable state I care about
+  mySystem.system.resticBackup =
+    {
+      local.enable = false;
+      remote.enable = false;
+    };
+  mySystem.system.autoUpgrade = {
+    enable = true;
+  };
+
+
+
+    boot = {
+
+      initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "mpt3sas" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+      initrd.kernelModules = [ ];
+      kernelModules = [ "kvm-intel" ];
+      extraModulePackages = [ ];
+
+      # for managing/mounting ntfs
+      supportedFilesystems = [ "ntfs" ];
+
+      loader = {
+        systemd-boot.enable = true;
+        efi.canTouchEfiVariables = true;
+        # why not ensure we can memtest workstatons easily?
+        grub.memtest86.enable = true;
+
+      };
+    };
+
+    networking.hostName = "dns01"; # Define your hostname.
+    networking.hostId = "e3657900"; # for zfs, helps stop importing to wrong machine
+    networking.useDHCP = lib.mkDefault true;
+
+    fileSystems."/" =
+      {
+        device = "rpool/local/root";
+        fsType = "zfs";
+      };
+
+    fileSystems."/boot" =
+      {
+        device = "/dev/disk/by-label/EFI";
+        fsType = "vfat";
+        options = [ "fmask=0077" "dmask=0077" ];
+      };
+
+    fileSystems."/nix" =
+      {
+        device = "rpool/local/nix";
+        fsType = "zfs";
+      };
+
+    fileSystems."/persist" =
+      {
+        device = "rpool/safe/persist";
+        fsType = "zfs";
+        neededForBoot = true; # for impermanence
+      };
+
+
+
+}

nixos/modules/nixos/services/default.nix

@@ -6,5 +6,6 @@
     # ./nix-serve
     ./restic
     # ./minio
+    ./powerdns
   ];
 }

nixos/modules/nixos/services/powerdns/default.nix

@@ -0,0 +1,110 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+  cfg = config.mySystem.services.powerdns;
+  persistentFolder = "${config.mySystem.persistentFolder}/nixos/pdns"; # TODO refactor using bind mounts
+  user = "pdns";
+  group = "pdns";
+  portDns = 5353; # avoiding conflict with adguardhome
+  portWebUI = 8081;
+  configDir = pkgs.writeTextDir "pdns.conf" "${pdnsConfig}";
+
+  # $APIKEY is replaced via envsubst in the pdns module
+  pdnsConfig = ''
+    expand-alias=yes
+    resolver=9.9.9.9:53
+    local-address=0.0.0.0:${builtins.toString portDns}
+    launch=gsqlite3
+    gsqlite3-database=${persistentFolder}/pdns.sqlite3
+    webserver=yes
+    webserver-address=0.0.0.0:${builtins.toString portWebUI}
+    webserver-allow-from=192.168.0.0/16
+    api=yes
+    api-key=$APIKEY
+  '';
+in
+{
+  options.mySystem.services.powerdns =
+    {
+      enable = mkEnableOption "powerdns";
+      openFirewall = mkEnableOption "Open firewall for ${app}" // {
+        default = true;
+      };
+      admin-ui = mkEnableOption "Powerdns-admin UI";
+    };
+
+  config = mkIf cfg.enable {
+
+    # ensure folder exist and has correct owner/group
+    systemd.tmpfiles.rules = [
+      "d ${persistentFolder} 0750 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+    ];
+
+    services.powerdns = {
+      enable = true;
+      extraConfig = pdnsConfig;
+      secretFile = config.sops.secrets."system/services/powerdns/apiKey".path;
+    };
+    sops.secrets."system/services/powerdns/apiKey" = {
+      sopsFile = ./secrets.sops.yaml;
+      restartUnits = [ "pdns.service" ];
+    };
+
+    # powerdns doesnt create the sqlite database for us
+    # so we gotta either do it manually once-off or do the below to ensure its created
+    # if the file is missing before service start
+    systemd.services.pdns.serviceConfig.ExecStartPre = lib.mkBefore [
+      (pkgs.writeScript "pdns-sqlite-init.sh"
+        ''
+          #!${pkgs.bash}/bin/bash
+
+          pdns_folder="${persistentFolder}"
+          echo "INIT: Checking if pdns sqlite exists"
+          # Check if the pdns.sqlite3 file exists in the pdns folder
+          if [ ! -f "${persistentFolder}/pdns.sqlite3" ]; then
+              echo "INIT: No sqlite db found, initializing from pdns github schema..."
+
+              ${pkgs.wget}/bin/wget -O "${persistentFolder}/schema.sqlite3.sql" https://raw.githubusercontent.com/PowerDNS/pdns/master/modules/gsqlite3backend/schema.sqlite3.sql
+              ${pkgs.sqlite}/bin/sqlite3 "${persistentFolder}/pdns.sqlite3" < "${persistentFolder}/schema.sqlite3.sql"
+              ${pkgs.busybox}/bin/chown pdns:pdns ${persistentFolder}/pdns.sqlite3
+              ${pkgs.busybox}/bin/rm "${persistentFolder}/schema.sqlite3.sql"
+          fi
+
+          # Exit successfully
+          exit 0
+
+        ''
+      )
+    ];
+
+    networking.firewall = mkIf cfg.openFirewall {
+
+      allowedTCPPorts = [ portWebUI portDns ];
+      allowedUDPPorts = [ portDns ];
+
+    };
+
+    # mySystem.services.gatus.monitors = [
+
+    #   {
+    #     name = "${config.networking.hostName} split DNS";
+    #     group = "dns";
+    #     url = "${config.networking.hostName}.${config.mySystem.internalDomain}:${builtins.toString portDns}";
+    #     dns = {
+    #       query-name = "canary.trux.dev"; # special domain always present for testing
+    #       query-type = "A";
+    #     };
+    #     interval = "1m";
+    #     alerts = [{ type = "pushover"; }];
+    #     conditions = [ "[DNS_RCODE] == NOERROR" ];
+    #   }
+    # ];
+
+
+
+  };
+}

nixos/modules/nixos/services/powerdns/secrets.sops.yaml

@@ -0,0 +1,33 @@
+system:
+    services:
+        powerdns:
+            apiKey: ENC[AES256_GCM,data:7LWBszo88BgkhCUxFBBXP/Bj7y5Iw9/a,iv:BALdLV7N6J1iD9A2ONCFPlKnFZeqHvasn875+YSNNpM=,tag:WPRbU4iInvEhyHQVlxNQFQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age153gpfdw58csvgxj3vn9ym2g3zx7mfhaldyz5uvvrfajne8htj3asjqrp7h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySXdJOC9kOXpUeTBBZVRX
+            UEI0VkNrbjhScnBvVHdlSDUxME1RVXBFY2tJCktoUEhpVDVLQVB2aGtIaXBVVDNZ
+            d3JzZ2twOGgzeHltcVRSLzRMMFdvalEKLS0tIDZiTGtYbW12OSs3U25MeFE0ZElq
+            Y1hOVlpvblBGcjFqY1pZbGdPaldEZ0kKxOmqaPXWKIFwLypOahnohAc/dKVAgHAX
+            jSuvCPKa79atEu5r7r/fq9bJs1/XVy6hA4ry4TfBcjiNmimyAdDmLw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1etyreuzxhj3j7hem6wt7jlra5a9lgy9d94fp09sp58p4stwlyunqt5n4hv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJeU5zYjJpcnBZOHZ5Vk15
+            eEtWbkZpdXlpbTQ2c2QvQ3d4ZVg2MjlNaURzCi9jbTBnMTEwYXJIdFFqaWZpalZt
+            ekZDTEFXZFczQS9ldktmYld3N0xmeGsKLS0tIDVXaHk0bzhFTWYySjdxeEpETVM1
+            c3ZyZkM0K0htUnBqUE1BTDdBNUZwVUkKY61XuzvEu4GxmTUK84vkEgWteBJUVhOv
+            cipMwd34wjj88c+mUzhdphCaR0xtfgsh6xct2sTSLEy6n4ywwivvCA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-30T02:42:42Z"
+    mac: ENC[AES256_GCM,data:pbxoLJlfebbxDW3yWdDgGDDQkwFCLatW7m2gfo7TYm9RS4ACjDvEizRF59rgcYWQZz3ElYC5L9UV/UDlawKQTiRh53guDLd4hCgnawzMNS9xJkMgZBboK/+vn3eG3G3by6+zK8iP103AFISTlWI1dtoFBy2Y7tyu22hy6HXmjmc=,iv:I0wcfW2Sz8LXjwRuWUAjkeCAxuccwrMPIM+wq6nwL7g=,tag:5yMWtmWmX/Gih2/3gqDNnw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.0