diff --git a/flake.lock b/flake.lock index 32fe23c..8af43d6 100644 --- a/flake.lock +++ b/flake.lock @@ -3,11 +3,11 @@ "betterfox": { "flake": false, "locked": { - "lastModified": 1769104536, - "narHash": "sha256-D2MIFdYMS3xrfO2vDYjCmC3Ah96jg5XUzvwMX3xJQBo=", + "lastModified": 1772315048, + "narHash": "sha256-rUuEfbjIXox5x5ul/4VarIm7bii/SCcDJjocEbHA1kM=", "owner": "yokoffing", "repo": "Betterfox", - "rev": "310cbdee6ca20eb881749a559cb572ce9272a981", + "rev": "f1c8e3809dbd23f4f9aa1e5e70805c61734b1f14", "type": "github" }, "original": { @@ -25,11 +25,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1772015457, - "narHash": "sha256-F59AGLXs/kLBYK8kfvev5OPoLmpb6G9XF/1vk27Gzu4=", + "lastModified": 1772353697, + "narHash": "sha256-d9puAIgmq0emWPwHjGFklWoie9b9Qghy4GSL1YpgxIU=", "owner": "nlewo", "repo": "comin", - "rev": "d5bbf20a7e3afe492ab5b05e0250635f4e51da44", + "rev": "f3125c37f85bc0752930bb66a72f532e9ff9eb82", "type": "github" }, "original": { @@ -88,11 +88,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1772251378, - "narHash": "sha256-hZ5TwCAxef1e3S2V/BCL3LYaXYDyhXXu3SJjpmIxc/s=", + "lastModified": 1772424169, + "narHash": "sha256-mhv7yclJj+qCagNv0WOuob5yQNV1aTqKcJLfBMUqsVA=", "owner": "rycee", "repo": "nur-expressions", - "rev": "80fa37b486765fc20784b7e3028a3eda04ce0067", + "rev": "701de032cc247a1c309a34f0ed646e824efd7ac6", "type": "gitlab" }, "original": { @@ -123,11 +123,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1769996383, - "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=", + "lastModified": 1772408722, + "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "57928607ea566b5db3ad13af0e57e921e6b12381", + "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", "type": "github" }, "original": { 
@@ -179,11 +179,11 @@ ] }, "locked": { - "lastModified": 1772020340, - "narHash": "sha256-aqBl3GNpCadMoJ/hVkWTijM1Aeilc278MjM+LA3jK6g=", + "lastModified": 1772380125, + "narHash": "sha256-8C+y46xA9bxcchj9GeDPJaRUDApaA3sy2fhJr1bTbUw=", "owner": "nix-community", "repo": "home-manager", - "rev": "36e38ca0d9afe4c55405fdf22179a5212243eecc", + "rev": "a07a44a839eb036e950bf397d9b782916f8dcab3", "type": "github" }, "original": { @@ -267,11 +267,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1769909678, - "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=", + "lastModified": 1772328832, + "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "72716169fe93074c333e8d0173151350670b824c", + "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742", "type": "github" }, "original": { @@ -282,11 +282,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1771848320, - "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=", + "lastModified": 1772198003, + "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2fc6539b481e1d2569f25f8799236694180c0993", + "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61", "type": "github" }, "original": { @@ -371,11 +371,11 @@ ] }, "locked": { - "lastModified": 1772048434, - "narHash": "sha256-/wA0OaH6kZ/pFA+nXR/tvg5oupOmEDmMS5us79JT60o=", + "lastModified": 1772401007, + "narHash": "sha256-YHykQg0h9hrlZGpMcywnaFzQ1Kn/5YNCCOSaaAl6z7Q=", "owner": "Mic92", "repo": "sops-nix", - "rev": "334daa7c273dd8bf7a0cd370e4e16022b64e55e9", + "rev": "d8be5ea4cd3bc363492ab5bc6e874ccdc5465fe4", "type": "github" }, "original": { 
@@ -467,11 +467,11 @@ ] }, "locked": { - "lastModified": 1772245870, - "narHash": "sha256-MkcFNrEGekMhQRUB0/F6Jacp/LBUgNvZuacAwhPt7I0=", + "lastModified": 1772419365, + "narHash": "sha256-+IjvRKrbSQX9/ikWy1ptPJBqG+RildNl7Cd9yypyzU0=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "71308308af11faffcace34b6512579c59ce45bcd", + "rev": "96e284c58556366535781d9a476121b2b5e839f1", "type": "github" }, "original": { diff --git a/hosts/homeserver/default.nix b/hosts/homeserver/default.nix index e8ff995..12b1f8b 100644 --- a/hosts/homeserver/default.nix +++ b/hosts/homeserver/default.nix @@ -21,7 +21,7 @@ }; services = { - nameservers.overlay.enable = true; + private-nameserver.enable = true; syncthing = { enable = true; diff --git a/hosts/vps-ns/default.nix b/hosts/vps-ns/default.nix index 98fdcce..c7c73ea 100644 --- a/hosts/vps-ns/default.nix +++ b/hosts/vps-ns/default.nix @@ -20,9 +20,9 @@ }; }; - services.nameservers = { - overlay.enable = true; - public = { + services = { + private-nameserver.enable = true; + public-nameserver = { enable = true; zones = [ "sprouted.cloud" diff --git a/hosts/vps-public/default.nix b/hosts/vps-public/default.nix index 4991e42..c2bac90 100644 --- a/hosts/vps-public/default.nix +++ b/hosts/vps-public/default.nix @@ -21,7 +21,7 @@ }; }; - services.nameservers.public = { + services.public-nameserver = { enable = true; zones = [ "sprouted.cloud" diff --git a/modules/nixos/networking/overlay.nix b/modules/nixos/networking/overlay.nix index d67c7ed..3783352 100644 --- a/modules/nixos/networking/overlay.nix +++ b/modules/nixos/networking/overlay.nix @@ -63,7 +63,7 @@ in default = allHosts |> lib.attrValues - |> lib.filter (host: host.config.custom.services.nameservers.overlay.enable) + |> lib.filter (host: host.config.custom.services.private-nameserver.enable) |> lib.map (host: host.config.custom.networking.overlay.address); }; 
diff --git a/modules/nixos/networking/underlay.nix b/modules/nixos/networking/underlay.nix index 20f9efa..1c928ae 100644 --- a/modules/nixos/networking/underlay.nix +++ b/modules/nixos/networking/underlay.nix @@ -56,6 +56,11 @@ in Gateway = cfg.gateway; GatewayOnLink = true; }; + dns = lib.mkIf (!cfg.useDhcp) [ + "1.1.1.1#cloudflare-dns.com" + "8.8.8.8#dns.google" + "9.9.9.9#dns.quad9.net" + ]; }; }; diff --git a/modules/nixos/services/nameservers/overlay.nix b/modules/nixos/services/nameservers/private.nix similarity index 89% rename from modules/nixos/services/nameservers/overlay.nix rename to modules/nixos/services/nameservers/private.nix index 54e9f32..b19982e 100644 --- a/modules/nixos/services/nameservers/overlay.nix +++ b/modules/nixos/services/nameservers/private.nix @@ -7,7 +7,7 @@ ... }: let - cfg = config.custom.services.nameservers.overlay; + cfg = config.custom.services.private-nameserver; netCfg = config.custom.networking; zoneData = inputs.dns.lib.toString netCfg.overlay.domain { @@ -20,7 +20,7 @@ let NS = allHosts |> lib.attrValues - |> lib.filter (host: host.config.custom.services.nameservers.overlay.enable) + |> lib.filter (host: host.config.custom.services.private-nameserver.enable) |> lib.map (host: "${host.config.custom.networking.overlay.fqdn}."); subdomains = @@ -58,7 +58,7 @@ let }; in { - options.custom.services.nameservers.overlay.enable = lib.mkEnableOption ""; + options.custom.services.private-nameserver.enable = lib.mkEnableOption ""; config = lib.mkIf cfg.enable { services = { diff --git a/modules/nixos/services/nameservers/public.nix b/modules/nixos/services/nameservers/public.nix index 0841d75..79dbd6d 100644 --- a/modules/nixos/services/nameservers/public.nix +++ b/modules/nixos/services/nameservers/public.nix @@ -6,7 +6,7 @@ ... }: let - cfg = config.custom.services.nameservers.public; + cfg = config.custom.services.public-nameserver; netCfg = config.custom.networking; zoneData = 
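Review bot: The `#cloudflare-dns.com`-style suffixes on the three new `dns` entries in underlay.nix are only used as TLS SNI names when DNS-over-TLS is enabled for that network; nothing in this hunk enables it, so unless it is configured elsewhere these resolvers are queried in plaintext and the suffix is inert. If DoT is the intent, add `networkConfig.DNSOverTLS = true;` next to the new `dns` list (or `"opportunistic"` if falling back to plaintext is acceptable) and say so in a comment, e.g. `# Public resolvers for non-DHCP hosts; the #name suffix is the DoT SNI name`. The enclosing network definition starts and ends outside the hunk, so a DNSOverTLS setting may already exist there — worth confirming.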
@@ -38,7 +38,7 @@ let nsRecords = allHosts |> lib.attrValues - |> lib.filter (host: host.config.custom.services.nameservers.public.enable) + |> lib.filter (host: host.config.custom.services.public-nameserver.enable) |> lib.map (host: { name = host.config.custom.networking.hostName; inherit (host.config.custom.networking.underlay) address; @@ -64,7 +64,7 @@ let }; in { - options.custom.services.nameservers.public = { + options.custom.services.public-nameserver = { enable = lib.mkEnableOption ""; zones = lib.mkOption { type = lib.types.nonEmptyListOf lib.types.nonEmptyStr; @@ -73,6 +73,11 @@ in }; config = lib.mkIf cfg.enable { + networking.firewall = { + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 ]; + }; + services.nsd = { enable = true; interfaces = [ netCfg.underlay.interface ]; diff --git a/modules/nixos/services/nebula/default.nix b/modules/nixos/services/nebula/default.nix index 2fa908f..45e2a7c 100644 --- a/modules/nixos/services/nebula/default.nix +++ b/modules/nixos/services/nebula/default.nix @@ -133,6 +133,7 @@ in address = [ netCfg.overlay.cidr ]; dns = netCfg.overlay.dnsServers; domains = [ netCfg.overlay.domain ]; + networkConfig.DNSSEC = false; }; }; }; diff --git a/tests/infrastructure/default.nix b/tests/infrastructure/default.nix index ee077bf..0838d71 100644 --- a/tests/infrastructure/default.nix +++ b/tests/infrastructure/default.nix @@ -58,7 +58,7 @@ }; }; - services.nameservers.overlay.enable = true; + services.private-nameserver.enable = true; }; };
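Review bot: The new `networking.firewall.allowedTCPPorts`/`allowedUDPPorts = [ 53 ]` in public.nix open port 53 on every interface, while the nsd block right below binds only to `netCfg.underlay.interface`; the firewall rule is broader than the listener. Scoping it to the same interface keeps the overlay/private side closed at the firewall even if nsd's `interfaces` list is later widened: `networking.firewall.interfaces.${netCfg.underlay.interface} = { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 ]; };`. Because this is an authoritative server reachable on UDP/53, it is also worth either enabling nsd's response rate limiting (`services.nsd.ratelimit.enable`) or adding a one-line comment explaining why it is not needed. The nsd configuration continues outside the hunk.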
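Review bot: `networkConfig.DNSSEC = false;` in nebula/default.nix disables DNSSEC validation for every query resolved over the overlay link, not only for `netCfg.overlay.domain`, and the hunk gives no reason. Add a comment stating the motivation — presumably the private overlay zone is unsigned and validation would otherwise mark its answers bogus (confirm), e.g. `# Overlay zone is unsigned; resolved would reject its answers with validation on`. If tolerating that one unsigned domain is the only goal, a per-link `DNSSECNegativeTrustAnchors` entry for the overlay domain is narrower than switching validation off for the whole link — worth checking whether it fits. The enclosing network block begins outside the hunk.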