From 4f05052bd5691c8b51cfcb3aafd5a68446696d4b Mon Sep 17 00:00:00 2001
From: Gabriel Simmer
Date: Thu, 8 Feb 2024 20:36:26 +0000
Subject: [PATCH] Experimental DNS with Nix+octodns
---
 dns/dns.nix | 58 +++++++++++++++++++++++++++++++++++
 flake.lock | 40 +++++++++++++++++++++++-
 flake.nix | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 185 insertions(+), 1 deletion(-)
 create mode 100644 dns/dns.nix
diff --git a/dns/dns.nix b/dns/dns.nix
new file mode 100644
index 0000000..7e2e368
--- /dev/null
+++ b/dns/dns.nix
@@ -0,0 +1,58 @@
+{lib, ...}: {
+ defaultTTL = 86400;
+ zones = {
+ "gmem.ca" =
+ {
+ "test" = {
+ aaaa = {
+ ttl = 0;
+ data = ["100::"];
+ };
+ };
+ "cluster" = {
+ a = {
+ data = ["100.77.43.133" "100.121.5.8" "100.106.229.20"];
+ };
+ aaaa = {
+ data = [
+ "fd7a:115c:a1e0:ab12:4843:cd96:624d:2b85"
+ "fd7a:115c:a1e0:ab12:4843:cd96:626a:e514"
+ "fd7a:115c:a1e0::ad79:508"
+ ];
+ };
+ };
+ }
+ // lib.attrsets.genAttrs [
+ # Internally hosted applications
+ "atuin"
+ "dref"
+ "freshrss"
+ "hb"
+ "home"
+ "hue"
+ "netboot"
+ "pipedapi"
+ "piped"
+ "request-media"
+ "tools"
+ "ytproxy"
+ ] (name: {cname.data = "cluster";})
+ // lib.attrsets.genAttrs [
+ # Externally hosted applications with Tunnels
+ "git"
+ "authentik"
+ "games"
+ "ibiza"
+ "matrix"
+ "photos"
+ "proxmox"
+ "pw"
+ "tokyo"
+ ] (name: {
+ cname = {
+ ttl = 0;
+ data = "b325b440-3d49-43e4-a028-be516e8f9bc3.cfargotunnel.com.";
+ };
+ });
+ };
+}
diff --git a/flake.lock b/flake.lock
index 830943f..869bef7 100644
--- a/flake.lock
+++ b/flake.lock
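Review bot: The `cluster` A/AAAA records and the twelve `cname.data = "cluster"` entries under `# Internally hosted applications` put tailnet-only addresses into the public `gmem.ca` zone — 100.77.43.133, 100.121.5.8 and 100.106.229.20 are in 100.64.0.0/10 (the CGNAT range Tailscale hands out) and the fd7a:115c:a1e0:: addresses are Tailscale's ULA prefix — so anyone can enumerate the internal service inventory (`home`, `hue`, `netboot`, `atuin`, …) although none of it resolves to anything reachable from outside the tailnet. If that is a deliberate trade-off (letting clients without MagicDNS use these names), say so next to the list, e.g. `# NOTE: tailnet (CGNAT/ULA) addresses — these names are public but only resolve inside the tailnet`; otherwise the internal names belong in a split-horizon zone rather than the one pushed to Cloudflare. Both `genAttrs` lambdas ignore their argument, so `(_: {cname.data = "cluster";})` would make that explicit. The relative target `"cluster"` has no trailing dot while the tunnel target is fully qualified; whether nixos-dns expands it to `cluster.gmem.ca.` is not visible here, so either write both the same way or add a comment confirming the expansion.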
@@ -127,6 +127,22 @@
 }
 },
 "flake-compat_3": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-compat_4": {
 "locked": {
 "lastModified": 1688025799,
 "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
@@ -428,6 +444,27 @@
 "type": "github"
 }
 },
+ "nixos-dns": {
+ "inputs": {
+ "flake-compat": "flake-compat_3",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1702487346,
+ "narHash": "sha256-JmHXcmosac70d9LGYQ7/RNGru2idWC669StnFlxLpdU=",
+ "owner": "Janik-Haag",
+ "repo": "nixos-dns",
+ "rev": "9f311873475479497e33709be826dc47917d3ee3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Janik-Haag",
+ "repo": "nixos-dns",
+ "type": "github"
+ }
+ },
 "nixos-generators": {
 "inputs": {
 "nixlib": "nixlib",
@@ -498,7 +535,7 @@
 },
 "nixpkgs-wayland": {
 "inputs": {
- "flake-compat": "flake-compat_3",
+ "flake-compat": "flake-compat_4",
 "lib-aggregate": "lib-aggregate",
 "nix-eval-jobs": "nix-eval-jobs",
 "nixpkgs": [
@@ -666,6 +703,7 @@
 "kde2nix": "kde2nix",
 "kubenix": "kubenix",
 "nixinate": "nixinate",
+ "nixos-dns": "nixos-dns",
 "nixos-generators": "nixos-generators",
 "nixpkgs": "nixpkgs_6",
 "nixpkgs-wayland": "nixpkgs-wayland",
diff --git a/flake.nix b/flake.nix
index cf5b2a5..3f6ab3b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,6 +6,8 @@
 nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
 nixinate.url = "github:matthewcroughan/nixinate";
 kde2nix.url = "github:nix-community/kde2nix";
+ nixos-dns.url = "github:Janik-Haag/nixos-dns";
+ nixos-dns.inputs.nixpkgs.follows = "nixpkgs";
 nixpkgs-wayland = {
 url = "github:nix-community/nixpkgs-wayland";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -34,12 +36,43 @@
 nixpkgs-wayland,
 kubenix,
 kde2nix,
+ nixos-dns,
 } @ inputs: let
 pkgs = nixpkgs.legacyPackages.x86_64-linux;
 tf = terranix.lib.terranixConfiguration {
 system = "x86_64-linux";
 modules = [./terraform/main.nix];
 };
+ dnsConfig = {
+ extraConfig = import ./dns/dns.nix;
+ };
+ generate = nixos-dns.utils.generate nixpkgs.legacyPackages.x86_64-linux;
+ octodns-cloudflare = pkgs.python311Packages.buildPythonPackage rec {
+ pname = "octodns-cloudflare";
+ version = "0.0.4";
+ src = pkgs.fetchFromGitHub {
+ owner = "gmemstr";
+ repo = pname;
+ rev = "processor";
+ sha256 = "sha256-fxJGozeSMXuF9o4JZtGLODE8Di6V4P21wKi7O0i9NDk=";
+ };
+ doCheck = false;
+ propagatedBuildInputs = with pkgs.python3Packages; [
+ pyyaml
+ certifi
+ charset-normalizer
+ dnspython
+ fqdn
+ idna
+ natsort
+ pkgs.octodns
+ requests
+ python-dateutil
+ six
+ urllib3
+ # Specify dependencies
+ ];
+ };
 in {
 devShells.x86_64-linux.default = with pkgs;
 mkShell {
@@ -56,9 +89,15 @@
 terraform-ls
 kubernetes-helm
 nil
+ (octodns.withProviders (ps: [
+ octodns-providers.bind
+ octodns-cloudflare
+ ]))
 ];
 buildInputs = [];
 };
+ dnsDebugConfig = nixos-dns.utils.debug.config dnsConfig;
+
 packages.aarch64-linux = {
 raspberry-pi = nixos-generators.nixosGenerate {
 system = "aarch64-linux";
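Review bot: `rev = "processor"` in the `octodns-cloudflare` `fetchFromGitHub` call names a branch rather than a commit; the `sha256` keeps the fetch content-addressed so the build cannot silently pick up new code, but the next push to that branch breaks evaluation with a hash mismatch, and nothing in this file records which commit of the gmemstr fork was actually reviewed and built. Pin the commit the hash was computed from, `rev = "<full 40-char commit sha>"; # branch: processor`, so the provenance of the code that gets a Cloudflare token is explicit. `doCheck = false;` carries no reason (`# tests need network access`, or whatever applies) and the trailing `# Specify dependencies` is a leftover scaffold comment that should go. The derivation is built with `pkgs.python311Packages.buildPythonPackage` while its dependencies come from `with pkgs.python3Packages`; if `python3` stops being 3.11 on this nixpkgs pin the propagated modules target a different interpreter, so use a single package set for both, e.g. `with pkgs.python311Packages`. The `let` block this sits in continues past the hunk.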
@@ -82,11 +121,60 @@
 .config
 .kubernetes
 .result;
+ dns = generate.octodnsConfig {
+ inherit dnsConfig;
+ config = {
+ processors = {
+ ownership = {
+ class = "octodns.processor.ownership.OwnershipProcessor";
+ };
+ ttl-to-proxy = {
+ class = "octodns_cloudflare.processor.ttl.TtlToProxy";
+ ttl = 0;
+ };
+ };
+ providers = {
+ config = {
+ check_origin = false;
+ };
+ cloudflare = {
+ class = "octodns_cloudflare.CloudflareProvider";
+ token = "env/CLOUDFLARE_API_TOKEN";
+ min_ttl = 0;
+ };
+ };
+ };
+ zones = {
+ "gmem.ca." = {
+ processors = ["ownership" "ttl-to-proxy"];
+ sources = ["config"];
+ targets = ["cloudflare"];
+ };
+ };
+ };
 };
 apps =
 nixinate.nixinate.x86_64-linux self
 // {
 x86_64-linux = {
+ dns = {
+ type = "app";
+ program = toString (pkgs.writers.writeBash "diff" ''
+ ${pkgs.octodns.withProviders (ps: [
+ pkgs.octodns-providers.bind
+ octodns-cloudflare
+ ])}/bin/octodns-sync --config-file ${self.packages.x86_64-linux.dns}
+ '');
+ };
+ dns-do = {
+ type = "app";
+ program = toString (pkgs.writers.writeBash "diff" ''
+ ${pkgs.octodns.withProviders (ps: [
+ pkgs.octodns-providers.bind
+ octodns-cloudflare
+ ])}/bin/octodns-sync --config-file ${self.packages.x86_64-linux.dns} --doit
+ '');
+ };
 kube-apply = {
 type = "app";
 program = toString (pkgs.writers.writeBash "diff" ''
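Review bot: The `dns` and `dns-do` apps differ only by `--doit`, yet each inlines its own `pkgs.octodns.withProviders` closure and both `writeBash` scripts are named `"diff"` (copied from `kube-apply`), so the variant that writes to the live zone is indistinguishable in `nix run` output and in the store path. Hoist the binary into the `let` block next to `octodns-cloudflare` (outside this hunk), `octodnsSync = "${pkgs.octodns.withProviders (ps: [pkgs.octodns-providers.bind octodns-cloudflare])}/bin/octodns-sync";`, and name the scripts for what they do, e.g. `pkgs.writers.writeBash "octodns-plan"` and `pkgs.writers.writeBash "octodns-apply"`. A comment on `dns-do` such as `# pushes the plan to Cloudflare with whatever CLOUDFLARE_API_TOKEN permits — scope that token to Zone:DNS:Edit on gmem.ca only` would make the blast radius explicit; the `ownership` processor already keeps octodns from touching records it did not create, and octodns' default change-percentage safety thresholds still apply since `--force` is not passed. `check_origin = false` on the `config` provider disables a consistency check for a reason that is not visible here (presumably the zone file nixos-dns emits does not carry `gmem.ca.` as its origin), so a why-comment there would help the next reader.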