PVV-DNS
This repository contains both the code and data needed to generate PVV's DNS configuration.
Note
This is currently very WIP, and not in production use. At the moment, DNS is still managed manually in `/etc/bind/zones` on ameno.
Normal PVV "hosts" (servers, mostly) should be defined in `./hosts.nix`; additional configuration and records for pvv.ntnu.no and pvv.org live in `./pvv-domain.nix`, and the configuration for all other domains is found in their respective files in `./zones/`.
The code in this repository is basically a whole heap of pre-processing to turn the hosts file and zone-specific options into the format used by nix-community/dns.nix, which in turn generates the zone files.
Examples
A host configuration like

```nix
drolsum = {
  ipv4 = pvvv4 217;
  ipv6 = pvvv6 217;
  aliases = [ "login2" ];
};
roundrobin = {
  # two addresses per family give round-robin A/AAAA records
  ipv4 = [ (pvvv4 201) (pvvv4 202) ];
  ipv6 = [ (pvvv6 201) (pvvv6 202) ];
};
```

... will generate zone files like
```zone
drolsum.pvv.ntnu.no. IN A 129.241.210.217
drolsum.pvv.ntnu.no. IN AAAA 2001:700:300:1900::217
login2.pvv.ntnu.no. IN CNAME drolsum
roundrobin.pvv.ntnu.no. IN A 129.241.210.201
roundrobin.pvv.ntnu.no. IN A 129.241.210.202
roundrobin.pvv.ntnu.no. IN AAAA 2001:700:300:1900::201
roundrobin.pvv.ntnu.no. IN AAAA 2001:700:300:1900::202
201.128-255.210.241.129.in-addr.arpa. PTR roundrobin.pvv.ntnu.no
202.128-255.210.241.129.in-addr.arpa. PTR roundrobin.pvv.ntnu.no
217.128-255.210.241.129.in-addr.arpa. PTR drolsum.pvv.ntnu.no
1.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa PTR roundrobin.pvv.ntnu.no
2.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa PTR roundrobin.pvv.ntnu.no
7.1.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa PTR drolsum.pvv.ntnu.no
```
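As an added illustration (not the repository's own code, and not using dns.nix), the following Python sketch performs the same pre-processing the Nix code does: it turns host definitions into forward A/AAAA/CNAME records and the matching PTR owner names shown above, including the classless `128-255.210.241.129.in-addr.arpa` label and the ip6.arpa nibble form. The `pvvv4`/`pvvv6` helpers and the `/25` and `/64` prefixes are assumptions inferred from the example output, and it adds a pre-deploy check that no address is claimed by two hosts.

```python
import ipaddress

# Constructed from the README's example. pvvv4/pvvv6 are assumptions about what the
# Nix helpers do (217 -> 129.241.210.217 and 2001:700:300:1900::217); dns.nix is not used.
V4_NET = ipaddress.ip_network("129.241.210.128/25")  # RFC 2317 reverse zone 128-255.210.241.129
V6_NET = ipaddress.ip_network("2001:700:300:1900::/64")
DOMAIN = "pvv.ntnu.no"

def pvvv4(n):
    """Host number -> address in the PVV IPv4 range."""
    return ipaddress.IPv4Address("129.241.210.0") + n

def pvvv6(n):
    """Host number, read as hex digits -> address in the PVV IPv6 prefix."""
    return V6_NET.network_address + int(str(n), 16)

def as_list(v):
    return [] if v is None else v if isinstance(v, list) else [v]

def reverse_name(addr):
    """Owner name of the PTR record; v4 uses the classless 128-255 label."""
    if addr.version == 6:
        return addr.reverse_pointer + "."
    if addr not in V4_NET:
        raise ValueError(f"{addr} is outside {V4_NET}, no reverse zone for it")
    o = addr.packed
    lo, hi = V4_NET.network_address.packed[3], V4_NET.broadcast_address.packed[3]
    return f"{o[3]}.{lo}-{hi}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."

def records(hosts):
    """(owner, type, rdata) tuples: A/AAAA/CNAME forward records plus one PTR per address."""
    out = []
    for name, h in hosts.items():
        fqdn = f"{name}.{DOMAIN}."
        addrs = as_list(h.get("ipv4")) + as_list(h.get("ipv6"))
        out += [(fqdn, "A" if a.version == 4 else "AAAA", str(a)) for a in addrs]
        out += [(f"{alias}.{DOMAIN}.", "CNAME", name) for alias in h.get("aliases", [])]
        out += [(reverse_name(a), "PTR", fqdn) for a in addrs]
    return out

def duplicate_ptr_owners(recs):
    """Sanity check before deploying: an address claimed by two hosts yields two PTRs."""
    owners = [r[0] for r in recs if r[1] == "PTR"]
    return sorted({o for o in owners if owners.count(o) > 1})

HOSTS = {  # the README's example hosts
    "drolsum": {"ipv4": pvvv4(217), "ipv6": pvvv6(217), "aliases": ["login2"]},
    "roundrobin": {"ipv4": [pvvv4(201), pvvv4(202)], "ipv6": [pvvv6(201), pvvv6(202)]},
}
```

Printing `records(HOSTS)` as `owner IN type rdata` reproduces the zone lines above, apart from the trailing dot on PTR targets, which this sketch always emits.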
Building zone files
Provided you have nix on your system, you should be able to run `nix build .#zoneFiles`, and the resulting zone files are placed in `./result`.
Deployment
Automatic deployment through CI/CD is not yet implemented. See subsections for manual installation.
nsd on OpenBSD
nsd, the high-performance authoritative-only DNS server developed by NLnet Labs, is included in the base OpenBSD system.
The default output, built with `nix build .#`, includes configuration for nsd:

```
result
├── etc
│   └── nsd
│       └── nsd.conf
└── zones
    ├── 9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa.zone
    ├── 128-255.210.241.129.in-addr.arpa.zone
    ├── 210.241.129.in-addr.arpa.zone
    ├── nucc.org.zone
    ├── pvv.no.zone
    ├── pvv.ntnu.no.zone
    └── pvv.org.zone
```
First time setup
- Enable nsd: `rcctl enable nsd`
- Start nsd: `rcctl start nsd`
- Follow the steps below for updating zones and configuration
Updating zones and configuration
(TL;DR: the files live in `/var/nsd`; run `nsd-control reload`.)

- If applicable, make changes to `./hosts.nix` or the appropriate file in `./zones/` ...
- ... and update the corresponding serial number(s)
- Build this project (anywhere, on any host with nix): `nix build .#`
- Install the contents of `./result` into `/var/nsd`: `./result/etc/nsd/nsd.conf` becomes `/var/nsd/etc/nsd/nsd.conf`, and `./result/zones` becomes `/var/nsd/zones`
- Verify the configuration: `nsd-checkconf /var/nsd/etc/nsd.conf`
- Reload the config file: `nsd-control reconfig`
- Reload the zone files: `nsd-control reload`
- Verify operation: `dig @smask.pvv.ntnu.no SOA pvv.ntnu.no.`
- If something is not working, see `/var/log/nsd.log`
Future plans
- Automate serial generation
- Build and verify with CI/CD
- Automatically push updated configurations to the DNS server
- Per-record or per-host customizable TTL (e.g. for moving a CNAME around when replacing a service/server)
- Improve dns.nix or replace it with a homemade zonefile generator to make the output more human readable
- Also generate DHCP server configurations