feat[client,server]: add remote builds, confLib

2025-12-06 09:07:21 +01:00 · 2025-12-02 00:57:35 +01:00 · 2025-12-02 00:57:35 +01:00 · f2674bee48
commit f2674bee48
parent 626d990b4a
133 changed files with 4297 additions and 3249 deletions
--- a/modules/nixos/server/nsd/default.nix
+++ b/modules/nixos/server/nsd/default.nix
@ -1,10 +1,7 @@
-{ inputs, lib, config, globals, dns, confLib, ... }:
+{ lib, config, globals, dns, confLib, ... }:
 let
-  inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName;
-  # servicePort = 53;
-  # serviceDomain = config.repo.secrets.common.services.domains."${serviceName}";
-  # serviceAddress = globals.networks."${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}".hosts.${config.node.name}.ipv4;
-
+  inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName servicePort proxyAddress4 proxyAddress6;
+  inherit (config.swarselsystems) sopsFile;
 in
 {
  options = {
@ -14,7 +11,7 @@ in
        lib.types.submodule {
          options = {
            subdomainRecords = lib.mkOption {
-              type = lib.types.attrsOf inputs.dns.subzone;
+              type = lib.types.attrsOf dns.lib.types.subzone;
              default = { };
            };
          };
@ -23,14 +20,69 @@ in
    };
  };
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
+
+    sops.secrets = {
+      tsig-key = { inherit sopsFile; };
+    };
+
+    # services.resolved.enable = false;
+    networking = {
+      # nameservers = [ "1.1.1.1" "8.8.8.8" ];
+      firewall = {
+        allowedUDPPorts = [ servicePort ];
+        allowedTCPPorts = [ servicePort ];
+      };
+    };
+
    services.nsd = {
      enable = true;
-      zones = {
-        "${globals.domains.main}" = {
-          # provideXFR = [ ... ];
-          # notify = [ ... ];
-          data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns; });
+      keys = {
+        "${globals.domains.main}.${proxyAddress4}" = {
+          algorithm = "hmac-sha256";
+          keyFile = config.sops.secrets.tsig-key.path;
        };
+        "${globals.domains.main}.${proxyAddress6}" = {
+          algorithm = "hmac-sha256";
+          keyFile = config.sops.secrets.tsig-key.path;
+        };
+        "${globals.domains.main}" = {
+          algorithm = "hmac-sha256";
+          keyFile = config.sops.secrets.tsig-key.path;
+        };
+      };
+      interfaces = [
+        "10.1.2.157"
+        "2603:c020:801f:a0cc::9d"
+      ];
+      zones = {
+        "${globals.domains.main}" =
+          let
+            keyName4 = "${globals.domains.main}.${proxyAddress4}";
+            keyName6 = "${globals.domains.main}.${proxyAddress6}";
+            keyName = "${globals.domains.main}";
+            transferList = [
+              "213.239.242.238 ${keyName4}"
+              "2a01:4f8:0:a101::a:1 ${keyName6}"
+              "213.133.100.103 ${keyName4}"
+              "2a01:4f8:0:1::5ddc:2 ${keyName6}"
+              "193.47.99.3 ${keyName4}"
+              "2001:67c:192c::add:a3 ${keyName6}"
+            ];
+
+          in
+          {
+            outgoingInterface = "2603:c020:801f:a0cc::9d";
+            notify = transferList ++ [
+              "216.218.130.2 ${keyName}"
+            ];
+            provideXFR = transferList ++ [
+              "216.218.133.2 ${keyName}"
+              "2001:470:600::2 ${keyName}"
+            ];
+
+            # dnssec = true;
+            data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns proxyAddress4 proxyAddress6; });
+          };
      };
    };