diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix
index f54bea5..e714e4e 100644
--- a/hosts/architect/dns.nix
+++ b/hosts/architect/dns.nix
@@ -1,90 +1,24 @@ { config, pkgs, ... }: -with pkgs.lib; - -let - generateCoreDNSConfig = domains: - let - generateForDomain = domain: conf: - concatMapStrings - (iface: - let - architectIP = config.architect.networks.${iface}.devices.architect.address; - interfaceNet = config.architect.networks.${iface}.net; - deviceViews = concatMapStrings - ({ name, device }: - let - deviceIP = device.address; - in - '' - . { - view ${name} { - expr client_ip() == '${deviceIP}' - } - - forward . tls://45.90.28.77 tls://45.90.30.77 tls://2a07:a8c0::d6:5174 tls://2a07:a8c1::d6:5174 { - tls_servername ${name}-d65174.dns.nextdns.io - health_check 5s - } - } - '' - ) - (attrsets.mapAttrsToList - (name: device: { inherit name device; }) - config.architect.networks.${iface}.devices - ); - in - '' - ${domain} { - view ${iface} { - expr incidr(client_ip(), '${interfaceNet}') - } - - template IN A ${domain} { - answer "${domain}. 60 IN A ${architectIP}" - } - - template IN HTTPS ${domain} { - answer "${domain}. 60 IN HTTPS 1 . ipv4hint=\"${architectIP}\"" - } - - cache - log - } - - ${deviceViews} - '' - ) - conf.dnsInterfaces; - in - concatStrings (mapAttrsToList generateForDomain domains); - - allDomains = config.architect.vhost // { - "architect.devs.giugl.io" = { dnsInterfaces = [ "lan" "tailscale" ]; }; - }; - domain = "adguard.giugl.io"; -in { - architect.vhost.${domain} = with config.architect.networks; { - dnsInterfaces = [ "tailscale" "lan" ]; - locations."/" = { - port = config.services.adguardhome.port; - allowLan = true; - allow = [ tailscale.net ]; + # Enable the DNS module + pepe.core.dns = { + enable = true; + nextDNSId = "d65174"; + extraDomains = { + "architect.devs.giugl.io" = { + dnsInterfaces = [ "lan" "tailscale" ]; + }; }; }; - services.coredns = { - enable = true; - config = '' - ${generateCoreDNSConfig allDomains} - - . { - forward . 
tls://45.90.28.77 tls://45.90.30.77 tls://2a07:a8c0::d6:5174 tls://2a07:a8c1::d6:5174 { - tls_servername lan-d65174.dns.nextdns.io - health_check 5s - } - } - ''; + # Configure AdGuard + pepe.core.vhost.hosts."adguard.giugl.io" = with config.pepe.core.network; { + dnsInterfaces = [ interfaceTypes.vpn interfaceTypes.lan ]; + locations."/" = { + port = config.services.adguardhome.port; + allowLAN = true; + allowVPN = true; + }; }; } diff --git a/modules/core/default.nix b/modules/core/default.nix index c557e03..e3f6434 100644 --- a/modules/core/default.nix +++ b/modules/core/default.nix @@ -5,5 +5,6 @@ ./network.nix ./vhost.nix ./firewall.nix + ./dns.nix ]; } diff --git a/modules/core/dns.nix b/modules/core/dns.nix new file mode 100644 index 0000000..dc5f2ba --- /dev/null +++ b/modules/core/dns.nix 
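Review bot: The two domains declared in this file name the same interfaces differently: the AdGuard vhost uses `interfaceTypes.vpn` / `interfaceTypes.lan`, while `extraDomains."architect.devs.giugl.io".dnsInterfaces` uses the literals `"lan"` and `"tailscale"`. The new module (modules/core/dns.nix in this commit) indexes `config.pepe.core.network.interfaces.${ifaceName}` with each entry, so if `interfaceTypes.vpn` does not evaluate to `"tailscale"` one of the two lookups fails at evaluation; network.nix is not in this diff, so this is inferred. Using the same values in both places, e.g. `dnsInterfaces = with config.pepe.core.network; [ interfaceTypes.lan interfaceTypes.vpn ];`, removes the ambiguity. Replacing `allow = [ tailscale.net ]` with `allowVPN = true` also presumes the vhost module derives the same CIDR for the AdGuard UI; worth confirming, since access to that UI widens or narrows depending on the mapping.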
@@ -0,0 +1,110 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkOption types mkIf concatMapStrings concatStrings mapAttrsToList attrsets; + cfg = config.pepe.core.dns; +in +{ + options.pepe.core.dns = { + enable = mkOption { + type = types.bool; + default = false; + description = "Whether to enable the DNS server."; + }; + + nextDNSId = mkOption { + type = types.str; + default = "d65174"; + description = "NextDNS ID for DNS over TLS."; + }; + + extraDomains = mkOption { + type = types.attrsOf (types.submodule { + options = { + dnsInterfaces = mkOption { + type = types.listOf types.str; + default = []; + description = "List of interfaces to add DNS entries for this domain."; + }; + }; + }); + default = {}; + description = "Additional domains to add to DNS configuration."; + }; + }; + + config = mkIf cfg.enable { + services.coredns = { + enable = true; + config = let + generateCoreDNSConfig = domains: + let + generateForDomain = domain: conf: + concatMapStrings + (ifaceName: + let + iface = config.pepe.core.network.interfaces.${ifaceName}; + serverIP = iface.devices.server.address or "127.0.0.1"; + interfaceNet = iface.net; + deviceViews = concatMapStrings + ({ name, device }: + let + deviceIP = device.address; + in + '' + . { + view ${name} { + expr client_ip() == '${deviceIP}' + } + + forward . tls://45.90.28.77 tls://45.90.30.77 tls://2a07:a8c0::${cfg.nextDNSId} tls://2a07:a8c1::${cfg.nextDNSId} { + tls_servername ${name}-${cfg.nextDNSId}.dns.nextdns.io + health_check 5s + } + } + '' + ) + (attrsets.mapAttrsToList + (name: device: { inherit name device; }) + iface.devices + ); + in + '' + ${domain} { + view ${ifaceName} { + expr incidr(client_ip(), '${interfaceNet}') + } + + template IN A ${domain} { + answer "${domain}. 60 IN A ${serverIP}" + } + + template IN HTTPS ${domain} { + answer "${domain}. 60 IN HTTPS 1 . 
ipv4hint=\"${serverIP}\"" + } + + cache + log + } + + ${deviceViews} + '' + ) + conf.dnsInterfaces; + in + concatStrings (mapAttrsToList generateForDomain domains); + + allDomains = config.pepe.core.vhost.hosts // cfg.extraDomains; + in '' + ${generateCoreDNSConfig allDomains} + + . { + forward . tls://45.90.28.77 tls://45.90.30.77 tls://2a07:a8c0::${cfg.nextDNSId} tls://2a07:a8c1::${cfg.nextDNSId} { + tls_servername lan-${cfg.nextDNSId}.dns.nextdns.io + health_check 5s + } + } + ''; + }; + }; +}
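Review bot: The IPv6 NextDNS targets are built as `tls://2a07:a8c0::${cfg.nextDNSId}`, which with the default `d65174` yields `2a07:a8c0::d65174` — a six-hex-digit group is not a valid IPv6 address, and the removed host config spelled the same profile as `2a07:a8c0::d6:5174`, so CoreDNS will most likely reject this forward line both in the per-device views and in the catch-all `.` block. Derive the split form once in the inner `let`, e.g. `nextDNSId6 = "${builtins.substring 0 2 cfg.nextDNSId}:${builtins.substring 2 4 cfg.nextDNSId}";`, and use `tls://2a07:a8c0::${nextDNSId6} tls://2a07:a8c1::${nextDNSId6}` in both forward lines (this assumes a six-character ID, which a `types.strMatching` on the option could enforce). `serverIP = iface.devices.server.address or "127.0.0.1"` silently publishes a loopback A/HTTPS record for every domain on an interface that has no `server` device; failing evaluation (drop the `or`) is safer than serving a wrong answer. The option default `nextDNSId = "d65174"` bakes one personal NextDNS profile into a shared module, so any host that merely sets `enable = true` forwards all of its queries to that profile; making the option required (no default) keeps that choice explicit per host.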