From 0d18a3a441a5465a6a1775576bb0815419643aa9 Mon Sep 17 00:00:00 2001 From: Max Audron Date: Thu, 5 Oct 2023 14:42:50 +0200 Subject: deploy powerdns and bgp config --- modules/bgp/default.nix | 105 ++++++++++++++++++++++++++++------- modules/default.nix | 1 + modules/postgresql/default.nix | 6 +- modules/powerdns/default.nix | 66 ++++++++++++++++++++++ modules/powerdns/pdns-primary.conf | 18 ++++++ modules/powerdns/pdns-secondary.conf | 7 +++ 6 files changed, 182 insertions(+), 21 deletions(-) create mode 100644 modules/powerdns/default.nix create mode 100644 modules/powerdns/pdns-primary.conf create mode 100644 modules/powerdns/pdns-secondary.conf (limited to 'modules')
diff --git a/modules/bgp/default.nix b/modules/bgp/default.nix
index 712f003..5a5f88a 100644
--- a/modules/bgp/default.nix
+++ b/modules/bgp/default.nix
@@ -1,25 +1,90 @@
 { config, lib, pkgs, ... }:
 {
- networking.interfaces.eth0.ipv4.addresses = [
- {
- address = "217.163.29.14";
- prefixLength = 32;
- }
- {
- address = "209.250.238.254";
- prefixLength = 32;
- }
- ];
+ networking.interfaces.lo = {
+ ipv4.addresses = [
+ {
+ address = "217.163.29.14";
+ prefixLength = 32;
+ }
+ {
+ address = "209.250.238.254";
+ prefixLength = 32;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "2a0f:9400:8020::200";
+ prefixLength = 128;
+ }
+ {
+ address = "2a0f:9400:8020::100";
+ prefixLength = 128;
+ }
+ {
+ address = "2a0f:9400:8020::";
+ prefixLength = 48;
+ }
+ ];
+ };
- networking.interfaces.eth0.ipv6.addresses = [
- {
- address = "2a0f:9400:8020::200";
- prefixLength = 128;
- }
- {
- address = "2a0f:9400:8020::100";
- prefixLength = 128;
- }
- ];
+ services.frr = {
+ bgp = {
+ enable = true;
+ config = ''
+ router bgp 64716
+ bgp ebgp-requires-policy
+ no bgp default ipv4-unicast
+ no bgp network import-check
+
+ neighbor V4 peer-group
+ neighbor V4 remote-as 64515
+ neighbor V4 ebgp-multihop 2
+ neighbor 169.254.169.254 peer-group V4
+ neighbor 169.254.169.254 password IpXzIJIsJxABeNdi4mPBbt7XD
+
+ neighbor V6 peer-group
+ neighbor V6 remote-as 64515
+ neighbor V6 ebgp-multihop 2
+ neighbor 2001:19f0:ffff::1 peer-group V6
+ neighbor 2001:19f0:ffff::1 password IpXzIJIsJxABeNdi4mPBbt7XD
+ !
+ address-family ipv4 unicast
+ network 209.250.238.254/32
+ network 217.163.29.14/32
+ neighbor V4 activate
+ neighbor V4 route-map IMPORT in
+ neighbor V4 route-map EXPORT out
+ neighbor V6 activate
+ neighbor V6 route-map IMPORT in
+ neighbor V6 route-map EXPORT out
+ exit-address-family
+ !
+ address-family ipv6 unicast
+ network 2a0f:9400:8020::/48
+ neighbor V4 activate
+ neighbor V4 route-map IMPORT in
+ neighbor V4 route-map EXPORT out
+ neighbor V6 activate
+ neighbor V6 route-map IMPORT in
+ neighbor V6 route-map EXPORT out
+ exit-address-family
+ !
+ ip prefix-list internal seq 5 permit 209.250.238.254/32
+ ip prefix-list internal seq 10 permit 217.163.29.14/32
+ ipv6 prefix-list external seq 5 permit 2a0f:9400:8020::/48
+ !
+ route-map EXPORT deny 100
+ !
+ route-map EXPORT permit 2
+ match ipv6 address prefix-list external
+ !
+ route-map EXPORT permit 1
+ match ip address prefix-list internal
+ !
+ route-map IMPORT deny 1
+ !
+ '';
+ };
+ };
 }
diff --git a/modules/default.nix b/modules/default.nix
index bf9787e..2e48583 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -15,4 +15,5 @@
 teamspeak = import ./teamspeak;
 postgresql = import ./postgresql;
 quassel = import ./quassel;
+ powerdns = import ./powerdns;
 }
diff --git a/modules/postgresql/default.nix b/modules/postgresql/default.nix
index 98169a0..a02e6ce 100644
--- a/modules/postgresql/default.nix
+++ b/modules/postgresql/default.nix
@@ -3,12 +3,16 @@
 {
 services.postgresql = {
 enable = true;
- ensureDatabases = [ "quassel" ];
+ ensureDatabases = [ "quassel" "pdns" ];
 ensureUsers = [
 {
 name = "quassel";
 ensurePermissions = { "DATABASE quassel" = "ALL PRIVILEGES"; };
 }
+ {
+ name = "pdns";
+ ensurePermissions = { "DATABASE pdns" = "ALL PRIVILEGES"; };
+ }
 {
 name = "audron";
 ensureClauses.superuser = true;
diff --git a/modules/powerdns/default.nix b/modules/powerdns/default.nix
new file mode 100644
index 0000000..ae9b497
--- /dev/null
+++ b/modules/powerdns/default.nix
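Review bot: The two `neighbor ... password IpXzIJIsJxABeNdi4mPBbt7XD` lines commit the BGP session secret (TCP MD5) for both upstream peers to git history and, since `services.frr.bgp.config` is evaluated into the generated FRR config, presumably into the world-readable /nix/store on the host as well, so it should be rotated with the peer and never re-committed in this form. Keep the `neighbor` lines but source the secret from a root-only file outside the store, templated into the running config at activation by whatever secrets mechanism this repo uses (none is visible in the hunk). Separately, each address-family activates both peer groups, so IPv6 NLRI is offered over the IPv4 session and vice versa; unless the peer is known to accept cross-family announcements, drop `neighbor V6 activate` and its two route-map lines from `address-family ipv4 unicast` and `neighbor V4 activate` plus its route-map lines from `address-family ipv6 unicast`, so a far-end misconfiguration cannot leak the other family. `route-map IMPORT deny 1` refusing everything learned is the right default for a host that only originates its own prefixes.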
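Review bot: `ensurePermissions = { "DATABASE pdns" = "ALL PRIVILEGES"; }` grants CONNECT/CREATE/TEMP on the database but not ownership, and on PostgreSQL 15 or newer CREATE on the `public` schema is no longer granted to every role, so loading the pdns gpgsql schema as the `pdns` role over the `/var/run/postgresql` socket configured in the powerdns module can fail with a permission error; the PostgreSQL version is not visible here, so confirm, and if it applies make `pdns` the owner of the database instead. Nothing in the commit applies the pdns schema at all, so unless it is loaded by hand the backend will start against an empty database. The `ensureUsers` list continues past the end of this hunk.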
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+let
+ primary = ''
+ allow-axfr-ips = 10.0.0.0/8,127.0.0.0/8
+ allow-dnsupdate-from = 10.0.0.0/8,127.0.0.0/8
+ also-notify = 10.10.0.3 10.10.0.4 10.10.0.5
+ only-notify =
+
+ default-soa-content = primary.ns.vapor.systems hostmaster.@ 0 10800 3600 604800 3600
+
+ gpgsql-dbname = pdns
+ gpgsql-host = /var/run/postgresql
+ gpgsql-port = 5432
+ gpgsql-user = pdns
+ launch = gpgsql
+
+ api = yes
+ local-address = 0.0.0.0 [::]
+ primary = yes
+ webserver = yes
+ webserver-address = 10.10.0.1
+ webserver-allow-from = 10.0.0.0/8,127.0.0.0/8
+ '';
+
+ autoprimary = pkgs.writeText "autoprimary.conf" ''
+ 10.10.0.1
+ '';
+
+ bind = pkgs.writeText "named.conf" ''
+ include "/var/lib/pdns/named-autosecondary.conf";
+ '';
+
+ secondary = ''
+ autosecondary = yes
+ bind-config = ${bind}
+ bind-supermaster-config = /var/lib/pdns/named-autosecondary.conf
+ bind-supermaster-destdir = /var/lib/pdns/zones
+ bind-supermasters = ${autoprimary}
+ guardian = yes
+ launch = bind
+ local-address = 0.0.0.0 [::]
+ secondary = yes
+
+ allow-notify-from = 10.10.0.1/32
+ '';
+in
+{
+ options.services.powerdns = {
+ role = lib.mkOption {
+ type = lib.types.enum [ "primary" "secondary" ];
+ };
+ };
+
+ config = {
+ environment.systemPackages = [ pkgs.powerdns ];
+ services.powerdns = {
+ enable = true;
+ extraConfig =
+ if config.services.powerdns.role == "primary"
+ then primary
+ else secondary;
+ secretFile = null;
+ };
+ };
+}
diff --git a/modules/powerdns/pdns-primary.conf b/modules/powerdns/pdns-primary.conf
new file mode 100644
index 0000000..0d76e7a
--- /dev/null
+++ b/modules/powerdns/pdns-primary.conf
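Review bot: `api = yes` and `webserver = yes` in the `primary` string are enabled with no `api-key`, while `webserver-allow-from = 10.0.0.0/8,127.0.0.0/8` admits the whole private /8; depending on the pdns version an empty key either disables the API with a warning or leaves the zone-editing REST API reachable without authentication, and neither is what you want on the primary. The module already sets `secretFile = null`, which as I read the NixOS powerdns module is exactly the hook for this: add `api-key=$PDNS_API_KEY` to the string and point `secretFile` at a root-only environment file so the key is substituted at start-up rather than stored in /nix/store, and narrow `webserver-allow-from` to the hosts that actually call the API. `allow-dnsupdate-from = 10.0.0.0/8,127.0.0.0/8` similarly lets any host on 10/8 send RFC 2136 updates to every zone with no TSIG requirement, and `allow-axfr-ips` could be limited to the three secondaries already listed in `also-notify`. Finally, `role` is a `lib.mkOption` with no `description`; `description = "Whether this host is the gpgsql-backed primary or a BIND-backend autosecondary fed from 10.10.0.1";` would make the option self-explanatory.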
@@ -0,0 +1,18 @@
+allow-axfr-ips = 10.0.0.0/8,127.0.0.0/8
+allow-dnsupdate-from = 10.0.0.0/8,127.0.0.0/8
+also-notify =
+
+default-soa-content = primary.ns.vapor.systems hostmaster.@ 0 10800 3600 604800 3600
+
+gpgsql-dbname = pdns
+gpgsql-host = /var/run/postgresql
+gpgsql-port = 5432
+gpgsql-user = pdns
+launch = gpgsql
+
+api = yes
+local-address = 0.0.0.0 [::]
+primary = yes
+webserver = yes
+webserver-address = 10.10.0.1
+webserver-allow-from = 10.0.0.0/8,127.0.0.0/8
diff --git a/modules/powerdns/pdns-secondary.conf b/modules/powerdns/pdns-secondary.conf
new file mode 100644
index 0000000..5c9c769
--- /dev/null
+++ b/modules/powerdns/pdns-secondary.conf
@@ -0,0 +1,7 @@
+autosecondary = yes
+bind-supermaster-config = /var/lib/pdns/named-autosecondary.conf
+bind-supermasters = /var/lib/pdns/autoprimary.conf
+guardian = yes
+launch = bind
+local-address = 0.0.0.0 [::]
+secondary = yes
-- cgit v1.2.3
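Review bot: Neither `pdns-primary.conf` nor `pdns-secondary.conf` is referenced from `modules/powerdns/default.nix`, which carries its own copies of the same settings as Nix strings, and the copies have already diverged: the Nix primary sets `also-notify = 10.10.0.3 10.10.0.4 10.10.0.5` where this file leaves it empty, and the Nix secondary points `bind-supermasters` at a store path and adds `allow-notify-from = 10.10.0.1/32`, whereas `pdns-secondary.conf` names `/var/lib/pdns/autoprimary.conf`, which nothing in this commit creates. Either drop the two files or make the module read them (`extraConfig = builtins.readFile ./pdns-primary.conf;`) so the access-control settings — `allow-axfr-ips`, `allow-dnsupdate-from`, `webserver-allow-from`, and the still-missing `api-key` — live in exactly one reviewable place.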