diff --git a/README.md b/README.md index 22deb9c..3dbb377 100644 --- a/README.md +++ b/README.md @@ -5,15 +5,11 @@ This repository contains both the code and data needed to generate PVVs DNS conf > [!NOTE] > This is currently very WIP, and not in production use. At the minute, DNS is still managed manually in /etc/bind/zones on ameno. -Normal PVV "hosts" (servers, mostly) should be defined in ./hosts.nix, and configuration and additional records can be placed in each zone configuration file in ./zones, such as ./zones/pvv.ntnu.no.nix. +Normal PVV "hosts" (servers, mostly) should be defined in `./hosts.nix`, additional configuration and records for pvv.ntnu.no and pvv.org lives in `./pvv-domain.nix`, and configuration for all other domains are found in their respective files in `./zones/`. The code in this repository is basically a whole heap of pre-processing to turn the hosts-file and zone-specific options into the format used by [nix-community/dns.nix](https://github.com/nix-community/dns.nix), that in turn generates zone files. -## Building DNS zone files - -Provided you have nix on your system, you should be able to run `nix build .#`, and the resulting config is placed in `./result/zones`. - -## Examples; +## Examples A host configuration like 
@@ -54,14 +50,74 @@ roundrobin.pvv.ntnu.no. IN AAAA 2001:700:300:1900::202 ``` +## Building zone files + +Provided you have nix on your system, you should be able to run `nix build .#zoneFiles`, and the resulting zone files are placed in `./result`. + +## Deployment + +Automatic deployment through CI/CD is not yet implemented. See subsections for manual installation. + +### nsd on OpenBSD + +`nsd`, the high-performance authoritative-only DNS server developed by NLnet Labs, is included in the base OpenBSD system. + +The default output, built with `nix build .#`, includes configuration for nsd: + +``` +result +├── etc +│ └── nsd +│ └── nsd.conf +└── zones + ├── 9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa.zone + ├── 128-255.210.241.129.in-addr.arpa.zone + ├── 210.241.129.in-addr.arpa.zone + ├── nucc.org.zone + ├── pvv.no.zone + ├── pvv.ntnu.no.zone + └── pvv.org.zone +``` + + +#### First time setup + +- Enable nsd + - `rcctl enable nsd` +- Start nsd + - `rcctl start nsd` +- Follow the steps below for updating zones and configuration + +#### Updating zones and configuration + +(**TLDR: Files in /var/nsd, run `nsd-control reload`**) + +- If applicable, make changes to `./hosts.nix` or the appropriate file in `./zones/` + - ... 
and update the corresponding serial number(s) +- Build this project (anywhere, on any host with nix) + - `nix build .#` +- Install the contents of `./result` into `/var/nsd` + - `./result/etc/nsd/nsd.conf` becomes `/var/nsd/etc/nsd/nsd.conf`, `./result/zones` becomes `/var/nsd/zones` +- Verify the configuration + - `nsd-checkconf /var/nsd/etc/nsd.conf` +- Reload the config file + - `nsd-control reconfig` +- Reload the zonefiles + - `nsd-control reload` +- Verify operation + - `dig @smask.pvv.ntnu.no SOA pvv.ntnu.no.` + - If something is not working, see `/var/log/nsd.log` + +--- + ## Future plans - Automate serial generation - Build and verify with CI/CD - Automatically push updated configurations to the DNS server - Also generate DNS server configuration files - - [NSD](https://nlnetlabs.nl/projects/nsd/about/), included in OpenBSD - - [Bind9](https://www.isc.org/bind/), common alternative + - [x] [NSD](https://nlnetlabs.nl/projects/nsd/about/), included in OpenBSD + - [ ] [Bind9](https://www.isc.org/bind/), common alternative - Per-record or per-host customizable TTL (e.g. for moving a CNAME around when replacing a service/server) - Improve dns.nix or replace it with a homemade zonefile generator to make the output more human readable - Also generate DHCP server configurations diff --git a/flake.nix b/flake.nix index 3e36df5..7e60698 100644 --- a/flake.nix +++ b/flake.nix @@ -28,10 +28,19 @@ pkgs = nixpkgs.legacyPackages.${system}; in rec { - zoneConfig = pkgs.callPackage ./zoneConfig.nix { + zoneFiles = pkgs.callPackage ./zoneConfig.nix { inherit dns; }; - default = zoneConfig; + + nsdConfig = pkgs.callPackage ./nsd.conf.nix { inherit pkgs; }; + + default = pkgs.runCommand "pvv-dns" { } '' + mkdir -p $out/zones + mkdir -p $out/etc/nsd + + cp -r ${zoneFiles}/* $out/zones/ + cp -r ${nsdConfig} $out/etc/nsd/nsd.conf + ''; } ); }; diff --git a/nsd.conf.nix b/nsd.conf.nix new file mode 100644 index 0000000..6ded981 --- /dev/null +++ b/nsd.conf.nix 
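Review bot: Renaming the `zoneConfig` output to `zoneFiles` removes a flake attribute with no compatibility alias, so anything still running `nix build .#zoneConfig` breaks; since the attrset is `rec`, adding `zoneConfig = zoneFiles; # deprecated alias` next to the new name keeps old invocations working. The new `default` package copies `${nsdConfig}` to `$out/etc/nsd/nsd.conf` without validating it, so a mismatch between the config and the zone files only shows up on the server; nixpkgs ships `nsd`, so a `${pkgs.nsd}/bin/nsd-checkconf $out/etc/nsd/nsd.conf` line at the end of the `runCommand` would presumably turn such errors into a build failure (nsd-checkconf only parses the file, so it should not need the runtime paths to exist — worth confirming). The `etc/nsd/nsd.conf` layout chosen here also does not match the README's `nsd-checkconf /var/nsd/etc/nsd.conf` step added in this same commit. `{ inherit pkgs; }` passed to `callPackage` is redundant, as `callPackage` already supplies `pkgs`.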
@@ -0,0 +1,47 @@
+{ pkgs, ... }:
+pkgs.writeText "nsd.conf" (
+ ''
+ # Generated by https://git.pvv.ntnu.no/felixalb/PVV-DNS
+ # See man 5 nsd.conf
+
+ server:
+ hide-version: yes
+ verbosity: 1
+ logfile: /var/log/nsd.log
+ database: "" # disable database
+ minimal-responses: yes
+
+ remote-control:
+ control-enable: yes
+ control-interface: /var/run/nsd.sock
+
+ ''
+ + (builtins.concatStringsSep "\n" (
+ map
+ (name: ''
+ zone:
+ name: "${name}"
+ zonefile: "${name}.zone"
+ # Allow transfers:
+ # ns1.ntnu.no
+ provide-xfr: 129.241.0.208 NOKEY
+ provide-xfr: 2001:700:300::208 NOKEY
+ # ns2.ntnu.no
+ provide-xfr: 129.241.0.209 NOKEY
+ provide-xfr: 2001:700:300::209 NOKEY
+ # swix.nvg.ntnu.no
+ provide-xfr: 129.241.210.66 NOKEY
+ provide-xfr: 2001:700:300:2000:a00:20ff:fec0:be40 NOKEY
+ # nn.uninett.no
+ provide-xfr: 153.38.0.181 NOKEY
+ provide-xfr: 2001:700:0:503::aa:5302 NOKEY
+ '')
+ [
+ "128-255.210.241.129.in-addr.arpa"
+ "210.241.129.in-addr.arpa"
+ "9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa.zone"
+ "pvv.ntnu.no"
+ "pvv.org"
+ ]
+ ))
+)
diff --git a/zoneConfig.nix b/zoneConfig.nix
index 4243ec7..2e621dd 100644
--- a/zoneConfig.nix
+++ b/zoneConfig.nix
@@ -30,8 +30,7 @@ stdenvNoCC.mkDerivation {
 dontUnpack = true;
 
 installPhase = ''
- mkdir -p $out/zones
-
+ mkdir -p $out
 ''
- + (lib.concatMapAttrsStringSep "\n" (name: path: "cp ${path} $out/zones/${name}.zone") zoneConfigs);
+ + (lib.concatMapAttrsStringSep "\n" (name: path: "cp ${path} $out/${name}.zone") zoneConfigs);
 }
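Review bot: The third entry of the zone list, `"9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa.zone"`, carries a `.zone` suffix the other entries do not, so its generated block becomes `name: "…ip6.arpa.zone"` and `zonefile: "…ip6.arpa.zone.zone"`, matching neither the zone nor the `${name}.zone` file that `zoneConfig.nix` writes; it should read `"9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa"`. The list is hand-maintained while the zone files are produced from the `zoneConfigs` attrset in `zoneConfig.nix`, and the README's tree in this commit shows `nucc.org.zone` and `pvv.no.zone` that this config never declares — presumably deliberate, but deriving the names from the same attrset (or a comment explaining the omission) would prevent this kind of drift. Every secondary is granted `provide-xfr … NOKEY`, so transfers are authorised by source address alone; nsd supports TSIG through a `key:` block whose name replaces `NOKEY`, which is the usual hardening once a key can be agreed with the secondary operators, and a comment noting why it is not used yet would help. There is also no `notify:` entry for these secondaries, so they would only pick up changes at SOA refresh rather than on `nsd-control reload`; if that is intended, say so in the generated comment.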