feat[server]: add dns server

2025-12-06 09:07:21 +01:00 · 2025-11-25 19:49:58 +01:00 · 2025-11-25 19:49:58 +01:00 · c26814f64e
commit c26814f64e
parent 4da44f134c
22 changed files with 478 additions and 38 deletions
--- a/modules/home/common/sops.nix
+++ b/modules/home/common/sops.nix
@ -6,8 +6,8 @@ in
  options.swarselmodules.sops = lib.mkEnableOption "sops settings";
  config = lib.optionalAttrs (inputs ? sops) {
    sops = {
-      age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${homeDir}/.ssh/ssh_host_ed25519_key" ];
-      defaultSopsFile = "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
+      age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/ssh_host_ed25519_key" ];
+      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/general/secrets.yaml";

      validateSopsFiles = false;
    };
--- a/modules/nixos/client/sops.nix
+++ b/modules/nixos/client/sops.nix
@ -5,9 +5,8 @@
    sops = {

      # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
-      age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
-      # defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
-      defaultSopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
+      age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
+      defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";

      validateSopsFiles = false;

--- a/modules/nixos/common/globals.nix
+++ b/modules/nixos/common/globals.nix
@ -114,13 +114,31 @@ in

          services = mkOption {
            type = types.attrsOf (
-              types.submodule {
+              types.submodule (serviceSubmod: {
                options = {
                  domain = mkOption {
                    type = types.str;
                  };
+                  subDomain = mkOption {
+                    readOnly = true;
+                    type = types.str;
+                    default = lib.swarselsystems.getSubDomain serviceSubmod.config.domain;
+                  };
+                  baseDomain = mkOption {
+                    readOnly = true;
+                    type = types.str;
+                    default = lib.swarselsystems.getBaseDomain serviceSubmod.config.domain;
+                  };
+                  proxyAddress4 = mkOption {
+                    type = types.nullOr types.str;
+                    default = null;
+                  };
+                  proxyAddress6 = mkOption {
+                    type = types.nullOr types.str;
+                    default = null;
+                  };
                };
-              }
+              })
            );
          };

@ -163,6 +181,12 @@ in
                  defaultGateway6 = mkOption {
                    type = types.nullOr types.net.ipv6;
                  };
+                  wanAddress4 = mkOption {
+                    type = types.nullOr types.net.ipv4;
+                  };
+                  wanAddress6 = mkOption {
+                    type = types.nullOr types.net.ipv6;
+                  };
                };
              }
            );
--- a/modules/nixos/common/home-manager.nix
+++ b/modules/nixos/common/home-manager.nix
@ -12,7 +12,6 @@
        inputs.nix-index-database.homeModules.nix-index
        inputs.sops-nix.homeManagerModules.sops
        inputs.spicetify-nix.homeManagerModules.default
-        # inputs.swarsel-modules.homeModules.default
        inputs.swarsel-nix.homeModules.default
        {
          imports = [
--- a/modules/nixos/common/impermanence.nix
+++ b/modules/nixos/common/impermanence.nix
@ -72,6 +72,7 @@ in
      hideMounts = true;
      directories =
        [
+          "/root/.dotfiles"
          "/etc/nix"
          "/etc/NetworkManager/system-connections"
          "/var/lib/nixos"
--- a/modules/nixos/common/settings.nix
+++ b/modules/nixos/common/settings.nix
@ -1,5 +1,6 @@
 { self, lib, pkgs, config, outputs, inputs, minimal, ... }:
 let
+  inherit (config.swarselsystems) mainUser;
  settings = if minimal then { } else {
    environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
      assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
@ -36,7 +37,8 @@ let
        channel.enable = false;
        registry = rec {
          nixpkgs.flake = inputs.nixpkgs;
-          swarsel.flake = inputs.swarsel;
+          # swarsel.flake = inputs.swarsel;
+          swarsel.flake = self;
          n = nixpkgs;
          s = swarsel;
        };
@ -57,7 +59,7 @@ in
    (lib.recursiveUpdate
      {
        sops.secrets.github-api-token = lib.mkIf (!minimal) {
-          sopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
+          owner = mainUser;
        };

        nix =
--- a/modules/nixos/common/users.nix
+++ b/modules/nixos/common/users.nix
@ -1,11 +1,8 @@
-{ self, pkgs, config, lib, globals, minimal, ... }:
-let
-  sopsFile = self + /secrets/general/secrets.yaml;
-in
+{ pkgs, config, lib, globals, minimal, ... }:
 {
  options.swarselmodules.users = lib.mkEnableOption "user config";
  config = lib.mkIf config.swarselmodules.users {
-    sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; };
+    sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { neededForUsers = true; };

    users = {
      mutableUsers = lib.mkIf (!minimal) false;
--- a/modules/nixos/server/nsd/default.nix
+++ b/modules/nixos/server/nsd/default.nix
@ -0,0 +1,38 @@
+{ inputs, lib, config, globals, dns, confLib, ... }:
+let
+  inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName;
+  # servicePort = 53;
+  # serviceDomain = config.repo.secrets.common.services.domains."${serviceName}";
+  # serviceAddress = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4;
+
+in
+{
+  options = {
+    swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
+    swarselsystems.server.dns = lib.mkOption {
+      type = lib.types.attrsOf (
+        lib.types.submodule {
+          options = {
+            subdomainRecords = lib.mkOption {
+              type = lib.types.attrsOf inputs.dns.subzone;
+              default = { };
+            };
+          };
+        }
+      );
+    };
+  };
+  config = lib.mkIf config.swarselmodules.server.${serviceName} {
+    services.nsd = {
+      enable = true;
+      zones = {
+        "${globals.domains.main}" = {
+          # provideXFR = [ ... ];
+          # notify = [ ... ];
+          data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns; });
+        };
+      };
+    };
+
+  };
+}
--- a/modules/nixos/server/nsd/site1.nix
+++ b/modules/nixos/server/nsd/site1.nix
@ -0,0 +1,117 @@
+{ config, globals, dns, ... }:
+with dns.lib.combinators; {
+  SOA = {
+    nameServer = "soa";
+    adminEmail = "admin@${globals.domains.main}";
+    serial = 2025112101;
+  };
+
+  useOrigin = false;
+
+  NS = [
+    "soa.${globals.domains.name}."
+    "ns1.he.net"
+    "ns2.he.net"
+    "ns3.he.net"
+    "ns4.he.net"
+    "ns5.he.net"
+    "oxygen.ns.hetzner.com"
+    "pola.ns.cloudflare.com"
+  ];
+
+  A = [ "75.2.60.5" ];
+
+  SRV = [
+    {
+      service = "_matrix";
+      proto = "_tcp";
+      port = 443;
+      target = "${globals.services.matrix.baseDomain}.${globals.domains.main}";
+      priority = 10;
+      wweight = 5;
+    }
+    {
+      service = "_submissions";
+      proto = "_tcp";
+      port = 465;
+      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+      priority = 5;
+      weight = 0;
+      ttl = 3600;
+    }
+    {
+      service = "_submission";
+      proto = "_tcp";
+      port = 587;
+      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+      priority = 5;
+      weight = 0;
+      ttl = 3600;
+    }
+    {
+      service = "_imap";
+      proto = "_tcp";
+      port = 143;
+      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+      priority = 5;
+      weight = 0;
+      ttl = 3600;
+    }
+    {
+      service = "_imaps";
+      proto = "_tcp";
+      port = 993;
+      target = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+      priority = 5;
+      weight = 0;
+      ttl = 3600;
+    }
+  ];
+
+  MX = [
+    {
+      preference = 10;
+      exchange = "${globals.services.mailserver.baseDomain}.${globals.domains.main}";
+    }
+  ];
+
+  CNAME = [
+    {
+      cname = "www.${glovals.domains.main}";
+    }
+  ];
+
+  DKIM = [
+    {
+      selector = "mail";
+      k = "rsa";
+      p = config.repo.secrets.local.dns.mailserver.dkim-public;
+      ttl = 10800;
+    }
+  ];
+
+  DMARC = [
+    {
+      p = "none";
+      ttl = 10800;
+    }
+  ];
+
+  TXT = [
+    (with spf; strict [ "a:${globals.services.mailserver.baseDomain}.${globals.domains.main}" ])
+    "google-site-verification=${config.repo.secrets.local.dns.google-site-verification}"
+  ];
+
+  DMARC = [
+    {
+      selector = "mail";
+      k = "rsa";
+      p = "none";
+      ttl = 10800;
+    }
+  ];
+
+  subdomains = config.swarselsystems.server.dns.${globals.domain.main}.subdomainRecords // {
+    "minecraft" = host "130.61.119.12" null;
+  };
+}
--- a/modules/shared/options.nix
+++ b/modules/shared/options.nix
@ -1,6 +1,14 @@
 { self, config, lib, ... }:
 {
  options.swarselsystems = {
+    proxyHost = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+    };
+    isCloud = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
    withHomeManager = lib.mkOption {
      type = lib.types.bool;
      default = true;
@ -34,7 +42,7 @@
    isBtrfs = lib.mkEnableOption "use btrfs filesystem";
    sopsFile = lib.mkOption {
      type = lib.types.str;
-      default = "${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml";
+      default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml";
    };
    homeDir = lib.mkOption {
      type = lib.types.str;