Add nsd.conf, document deployment

2026-01-24 01:11:29 +01:00
parent 21e97f63cb
commit 75c8ecfe02
4 changed files with 124 additions and 13 deletions


@@ -5,15 +5,11 @@ This repository contains both the code and data needed to generate PVVs DNS conf
> [!NOTE]
> This is currently very WIP, and not in production use. At the minute, DNS is still managed manually in /etc/bind/zones on ameno.
Normal PVV "hosts" (servers, mostly) should be defined in ./hosts.nix, and configuration and additional records can be placed in each zone configuration file in ./zones, such as ./zones/pvv.ntnu.no.nix.
Normal PVV "hosts" (servers, mostly) should be defined in `./hosts.nix`, additional configuration and records for pvv.ntnu.no and pvv.org lives in `./pvv-domain.nix`, and configuration for all other domains are found in their respective files in `./zones/`.
The code in this repository is basically a whole heap of pre-processing to turn the hosts-file and zone-specific options into the format used by [nix-community/dns.nix](https://github.com/nix-community/dns.nix), that in turn generates zone files.
## Building DNS zone files
Provided you have nix on your system, you should be able to run `nix build .#`, and the resulting config is placed in `./result/zones`.
## Examples;
## Examples
A host configuration like
@@ -54,14 +50,74 @@ roundrobin.pvv.ntnu.no. IN AAAA 2001:700:300:1900::202
```
## Building zone files
Provided you have nix on your system, you should be able to run `nix build .#zoneFiles`, and the resulting zone files are placed in `./result`.
## Deployment
Automatic deployment through CI/CD is not yet implemented. See subsections for manual installation.
### nsd on OpenBSD
`nsd`, the high-performance authoritative-only DNS server developed by NLnet Labs, is included in the base OpenBSD system.
The default output, built with `nix build .#`, includes configuration for nsd:
```
result
├── etc
│ └── nsd
│ └── nsd.conf
└── zones
├── 9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa.zone
├── 128-255.210.241.129.in-addr.arpa.zone
├── 210.241.129.in-addr.arpa.zone
├── nucc.org.zone
├── pvv.no.zone
├── pvv.ntnu.no.zone
└── pvv.org.zone
```
#### First time setup
- Enable nsd
- `rcctl enable nsd`
- Start nsd
- `rcctl start nsd`
- Follow the steps below for updating zones and configuration
#### Updating zones and configuration
(**TLDR: Files in /var/nsd, run `nsd-control reload`**)
- If applicable, make changes to `./hosts.nix` or the appropriate file in `./zones/`
- ... and update the corresponding serial number(s)
- Build this project (anywhere, on any host with nix)
- `nix build .#`
- Install the contents of `./result` into `/var/nsd`
- `./result/etc/nsd/nsd.conf` becomes `/var/nsd/etc/nsd/nsd.conf`, `./result/zones` becomes `/var/nsd/zones`
- Verify the configuration
- `nsd-checkconf /var/nsd/etc/nsd.conf`
- Reload the config file
- `nsd-control reconfig`
- Reload the zonefiles
- `nsd-control reload`
- Verify operation
- `dig @smask.pvv.ntnu.no SOA pvv.ntnu.no.`
- If something is not working, see `/var/log/nsd.log`
---
## Future plans
- Automate serial generation
- Build and verify with CI/CD
- Automatically push updated configurations to the DNS server
- Also generate DNS server configuration files
- [NSD](https://nlnetlabs.nl/projects/nsd/about/), included in OpenBSD
- [Bind9](https://www.isc.org/bind/), common alternative
- [x] [NSD](https://nlnetlabs.nl/projects/nsd/about/), included in OpenBSD
- [ ] [Bind9](https://www.isc.org/bind/), common alternative
- Per-record or per-host customizable TTL (e.g. for moving a CNAME around when replacing a service/server)
- Improve dns.nix or replace it with a homemade zonefile generator to make the output more human readable
- Also generate DHCP server configurations


@@ -28,10 +28,19 @@
pkgs = nixpkgs.legacyPackages.${system};
in
rec {
zoneConfig = pkgs.callPackage ./zoneConfig.nix {
zoneFiles = pkgs.callPackage ./zoneConfig.nix {
inherit dns;
};
default = zoneConfig;
nsdConfig = pkgs.callPackage ./nsd.conf.nix { inherit pkgs; };
default = pkgs.runCommand "pvv-dns" { } ''
mkdir -p $out/zones
mkdir -p $out/etc/nsd
cp -r ${zoneFiles}/* $out/zones/
cp -r ${nsdConfig} $out/etc/nsd/nsd.conf
'';
}
);
};
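Review bot: The `default` output places the config at `etc/nsd/nsd.conf`, but the README steps added in this same commit verify `/var/nsd/etc/nsd.conf`, so an operator following them would check a different file from the one just installed. One of the two paths needs to change; if the server actually reads `/var/nsd/etc/nsd.conf`, the copy could become `cp ${nsdConfig} $out/etc/nsd.conf` after a `mkdir -p $out/etc`. It may also be worth running `nsd-checkconf` on the generated file inside the `runCommand`, so that a broken config fails the build rather than surfacing on the name server; whether it passes without the zone files present would need confirming. The enclosing attribute set starts outside this hunk.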

47
nsd.conf.nix Normal file

@@ -0,0 +1,47 @@
{ pkgs, ... }:
pkgs.writeText "nsd.conf" (
''
# Generated by https://git.pvv.ntnu.no/felixalb/PVV-DNS
# See man 5 nsd.conf
server:
hide-version: yes
verbosity: 1
logfile: /var/log/nsd.log
database: "" # disable database
minimal-responses: yes
remote-control:
control-enable: yes
control-interface: /var/run/nsd.sock
''
+ (builtins.concatStringsSep "\n" (
map
(name: ''
zone:
name: "${name}"
zonefile: "${name}.zone"
# Allow transfers:
# ns1.ntnu.no
provide-xfr: 129.241.0.208 NOKEY
provide-xfr: 2001:700:300::208 NOKEY
# ns2.ntnu.no
provide-xfr: 129.241.0.209 NOKEY
provide-xfr: 2001:700:300::209 NOKEY
# swix.nvg.ntnu.no
provide-xfr: 129.241.210.66 NOKEY
provide-xfr: 2001:700:300:2000:a00:20ff:fec0:be40 NOKEY
# nn.uninett.no
provide-xfr: 153.38.0.181 NOKEY
provide-xfr: 2001:700:0:503::aa:5302 NOKEY
'')
[
"128-255.210.241.129.in-addr.arpa"
"210.241.129.in-addr.arpa"
"9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa.zone"
"pvv.ntnu.no"
"pvv.org"
]
))
)
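Review bot: The list entry `"9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa.zone"` carries a `.zone` suffix that the other entries lack, so the template emits zone name `…ip6.arpa.zone` and zonefile `…ip6.arpa.zone.zone`, which matches neither the reverse zone nor the file shown in the README tree; it should read `"9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa"`. `nucc.org` and `pvv.no` appear in the built output but not in this list, so they would not be served; if that is intentional, a comment such as `# nucc.org and pvv.no are built but not served from this host` would make it explicit. Every `provide-xfr` line uses `NOKEY`, so zone transfers are authorised by source address alone. A TSIG key per secondary, declared in a `key:` block and named in place of `NOKEY`, would authenticate them, with the secret kept out of the world-readable Nix store (for example via an `include:` of a file managed on the host).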


@@ -30,8 +30,7 @@ stdenvNoCC.mkDerivation {
dontUnpack = true;
installPhase = ''
mkdir -p $out/zones
mkdir -p $out
''
+ (lib.concatMapAttrsStringSep "\n" (name: path: "cp ${path} $out/zones/${name}.zone") zoneConfigs);
+ (lib.concatMapAttrsStringSep "\n" (name: path: "cp ${path} $out/${name}.zone") zoneConfigs);
}