feat: (nixos/network): swap bind for coredns

redxtech · redxtech · commit c2abd9659b8d · 2024-09-03T13:41:18.000-07:00
diff --git a/hosts/quasar/services/adguard.nix b/hosts/quasar/services/adguard.nix
@@ -14,6 +14,7 @@ let
   host = "${name}.${address}";
   hostDNS = "dns.${address}";
   port = toString cfg.ports.adguard;
+  portDNS = toString cfg.ports.adguarddns;
 
   webports = "${port}:${port}";
   mkTLstr = type: "traefik.http.${type}.${name}";
@@ -36,17 +37,17 @@ in {
 
       ports = [
         webports # frontend
-        "1053:53/tcp" # DNS
-        "1053:53/udp" # DNS
+        "${portDNS}:53/tcp" # DNS
+        "${portDNS}:53/udp" # DNS
         # "67:67/udp" # DHCP
         # "68:68/tcp" # DHCP
         # "68:68/udp" # DHCP
         # "80:80/tcp" # DNS over HTTPS
         "1443:1443/tcp" # DNS over HTTPS
         "1443:1443/udp" # DNS over HTTPS
-        "853:853/tcp" # DNS over TLS
         "784:784/udp" # DNS over QUIC
         "853:853/udp" # DNS over QUIC
+        "853:853/tcp" # DNS over TLS
         "8853:8853/udp" # DNS over QUIC
         # "5443:5443/tcp" # DNScrypt
         # "5443:5443/udp" # DNScrypt
@@ -69,6 +70,8 @@ in {
       inherit (config.services.traefik) group;
     };
   };
-
-  networking.firewall.allowedTCPPorts = [ 853 ];
+  networking.firewall = {
+    allowedTCPPorts = [ 853 ];
+    allowedUDPPorts = [ 853 ];
+  };
 }
diff --git a/hosts/quasar/services/default.nix b/hosts/quasar/services/default.nix
@@ -13,6 +13,7 @@ in {
   # TODO: group by type & use consistent values
   nas.ports = {
     adguard = 9900;
+    adguarddns = 1053;
     apprise = 9005;
     bazarr = 6767;
     calibre = 8805;
diff --git a/modules/nixos/network/default.nix b/modules/nixos/network/default.nix
@@ -92,7 +92,7 @@ in {
         # host only
         dash = host 4000;
         grafana = host 3000;
-        prometheus = host 9090;
+        prometheus = host 3001;
         loki = host 3002;
       };
     };
diff --git a/modules/nixos/network/dns.nix b/modules/nixos/network/dns.nix
@@ -4,65 +4,66 @@ let
   cfg = config.network;
   enabled = cfg.enable && cfg.isHost;
 
-  inherit (cfg) domain;
+  inherit (cfg) address domain hostIP;
+
+  port = toString 53;
 in {
   config = lib.mkIf enabled {
-    services.bind = {
+    services.coredns = {
       enable = true;
 
-      forwarders = [
-        # local adguard home
-        "0.0.0.0 port 1053"
-      ];
+      config = let
+        enabledHosts = builtins.filter (host:
+          host != "nixiso"
+          && self.nixosConfigurations.${host}.config.network.enable) hostnames;
 
-      cacheNetworks = [
-        "192.168.1.0/24"
-        "192.168.50.0/24"
-        "10.0.0.0/24"
-        "127.0.0.0/24"
-        "::1/128"
-      ];
+        zonePairs = map (hostname: {
+          inherit hostname;
+          inherit (self.nixosConfigurations.${hostname}.config.network) ip;
+        }) enabledHosts;
 
-      zones = let
-        mkZone = { name, ip }: {
-          name = "${name}.${domain}";
-          master = true;
-          file = pkgs.writeText "${name}.${domain}.zone" ''
+        mkZoneFile = hostname: ip:
+          pkgs.writeText "${hostname}.${domain}.zone" ''
             $TTL 3600
 
-            $ORIGIN ${name}.${domain}.
-            @               IN      SOA     ns.${name}.${domain}. info.${domain}. (
-                                            2024082302      ; serial
-                                            12h             ; refresh
-                                            15m             ; retry
-                                            3w              ; expire
-                                            2h              ; minimum ttl
-                                            )
+            $ORIGIN ${hostname}.${domain}.
+            @     IN      SOA    ns.${hostname}.${domain}. info.${domain}. (
+                                 2024090300      ; serial
+                                 12h             ; refresh
+                                 15m             ; retry
+                                 3w              ; expire
+                                 2h              ; minimum ttl
+                                 )
 
-                            IN      NS      ns.${name}.${domain}.
+                  IN      NS     ns.${hostname}.${domain}.
 
-            ns              IN      A       ${ip}
+            ns    IN      A      ${ip}
 
             ; -- add dns records below
 
-            @               IN      A       ${ip}
-            *               IN      A       ${ip}
+            @     IN      A      ${ip}
+            *     IN      A      ${ip}
           '';
-        };
 
-        enabledHosts = builtins.filter (host:
-          host != "nixiso"
-          && self.nixosConfigurations.${host}.config.network.enable) hostnames;
-        zonePairs = map (host:
-          mkZone {
-            name = host;
-            inherit (self.nixosConfigurations.${host}.config.network) ip;
-          }) enabledHosts;
-      in zonePairs;
+        zoneEntries = map ({ hostname, ip }: ''
+          ${hostname}.${domain}:${port} {
+            file ${mkZoneFile hostname ip}
+            log
+          }
+        '') zonePairs;
+      in ''
+        .:${port} {
+          forward . tls://${hostIP} { tls_servername dns.${address} }
+          cache
+          log
+        }
+
+        ${lib.concatStringsSep "\n" zoneEntries}
+      '';
     };
 
     networking = {
-      resolvconf.useLocalResolver = true;
+      resolvconf.useLocalResolver = false;
 
       firewall.allowedTCPPorts = [ 53 ];
       firewall.allowedUDPPorts = [ 53 ];
