feat(ddns): bind kea ddns for nwk3 (#42)

* feat: ddns wip

Signed-off-by: Anthony Rabbito <[email protected]>

* fix: remove avahi

Signed-off-by: Anthony Rabbito <[email protected]>

* push wip

Signed-off-by: Anthony Rabbito <[email protected]>

* push wip

Signed-off-by: Anthony Rabbito <[email protected]>

* push wip

Signed-off-by: Anthony Rabbito <[email protected]>

* push wip

Signed-off-by: Anthony Rabbito <[email protected]>

---------

Signed-off-by: Anthony Rabbito <[email protected]>

Author: anthr76

Diff for: nixos/hosts/fw1-nwk3/default.nix

@@ -1,4 +1,10 @@
-{ lib, inputs, pkgs, ... }:
+{
+  lib,
+  inputs,
+  pkgs,
+  config,
+  ...
+}:
 let
   zoneSerial = toString inputs.self.lastModified;
 in
@@ -34,11 +40,56 @@ in
   '';
 
   networking.interfaces = {
-    vlan8 = { ipv4 = { addresses = [{ address = "192.168.17.1"; prefixLength = 24; }]; }; };
-    vlan10 = { ipv4 = { addresses = [{ address = "192.168.16.1"; prefixLength = 24; }]; }; };
-    vlan99 = { ipv4 = { addresses = [{ address = "10.40.99.1"; prefixLength = 24; }]; }; };
-    vlan100 = { ipv4 = { addresses = [{ address = "192.168.14.1"; prefixLength = 24; }]; }; };
-    vlan101 = { ipv4 = { addresses = [{ address = "192.168.13.1"; prefixLength = 24; }]; }; };
+    vlan8 = {
+      ipv4 = {
+        addresses = [
+          {
+            address = "192.168.17.1";
+            prefixLength = 24;
+          }
+        ];
+      };
+    };
+    vlan10 = {
+      ipv4 = {
+        addresses = [
+          {
+            address = "192.168.16.1";
+            prefixLength = 24;
+          }
+        ];
+      };
+    };
+    vlan99 = {
+      ipv4 = {
+        addresses = [
+          {
+            address = "10.40.99.1";
+            prefixLength = 24;
+          }
+        ];
+      };
+    };
+    vlan100 = {
+      ipv4 = {
+        addresses = [
+          {
+            address = "192.168.14.1";
+            prefixLength = 24;
+          }
+        ];
+      };
+    };
+    vlan101 = {
+      ipv4 = {
+        addresses = [
+          {
+            address = "192.168.13.1";
+            prefixLength = 24;
+          }
+        ];
+      };
+    };
   };
   services.tailscale.extraUpFlags = [
     "--advertise-routes=192.168.14.0/24,10.40.99.0/24,192.168.13.0/24"
@@ -59,6 +110,10 @@ in
           name = "domain-name-servers";
           data = "10.40.99.1";
         }
+        {
+          name = "domain-search";
+          data = "nwk3.rabbito.tech,mole-bowfin.ts.net";
+        }
       ];
       subnet4 = [
         {
@@ -162,21 +217,164 @@ in
     zones = {
       "nwk3.rabbito.tech." = {
         master = true;
-            file = pkgs.writeText "nwk3.rabbito.tech" (lib.strings.concatStrings [
-              ''
-                $ORIGIN nwk3.rabbito.tech.
-                $TTL    86400
-                @ IN SOA nwk3.rabbito.tech. admin.rabbito.tech (
-                ${zoneSerial}           ; serial number
-                3600                    ; refresh
-                900                     ; retry
-                1209600                 ; expire
-                1800                    ; ttl
-                )
-                                IN    NS      fw1.nwk3.rabbito.tech.
-                fw1             IN    A       10.40.99.1
-              ''
-            ]);
+        extraConfig = ''
+           allow-update { key "dhcp-update-key"; };
+           journal "${config.services.bind.directory}/db.nwk3.rabbito.tech.jnl";
+        '';
+        file = pkgs.writeText "nwk3.rabbito.tech" (
+          lib.strings.concatStrings [
+            ''
+              $ORIGIN nwk3.rabbito.tech.
+              $TTL    86400
+              @ IN SOA nwk3.rabbito.tech. admin.rabbito.tech (
+              ${zoneSerial}           ; serial number
+              3600                    ; refresh
+              900                     ; retry
+              1209600                 ; expire
+              1800                    ; ttl
+              )
+                              IN    NS      fw1.nwk3.rabbito.tech.
+              fw1             IN    A       10.40.99.1
+            ''
+          ]
+        );
+      };
+      "14.168.192.in-addr.arpa." = {
+        master = true;
+        extraConfig = ''
+           allow-update { key "dhcp-update-key"; };
+           journal "${config.services.bind.directory}/db.14.168.192.in-addr.arpa.jnl";
+        '';
+        file = pkgs.writeText "14.168.192.in-addr.arpa" (
+          lib.strings.concatStrings [
+            ''
+              $ORIGIN 14.168.192.in-addr.arpa.
+              $TTL    86400
+              @ IN SOA nwk3.rabbito.tech. admin.rabbito.tech (
+              ${zoneSerial}           ; serial number
+              3600                    ; refresh
+              900                     ; retry
+              1209600                 ; expire
+              1800                    ; ttl
+              )
+                              IN    NS      fw1.nwk3.rabbito.tech.
+            ''
+          ]
+        );
+      };
+      "13.168.192.in-addr.arpa." = {
+        master = true;
+        extraConfig = ''
+           allow-update { key "dhcp-update-key"; };
+           journal "${config.services.bind.directory}/db.13.168.192.in-addr.arpa.jnl";
+        '';
+        file = pkgs.writeText "13.168.192.in-addr.arpa" (
+          lib.strings.concatStrings [
+            ''
+              $ORIGIN 13.168.192.in-addr.arpa.
+              $TTL    86400
+              @ IN SOA nwk3.rabbito.tech. admin.rabbito.tech (
+              ${zoneSerial}           ; serial number
+              3600                    ; refresh
+              900                     ; retry
+              1209600                 ; expire
+              1800                    ; ttl
+              )
+                              IN    NS      fw1.nwk3.rabbito.tech.
+            ''
+          ]
+        );
+      };
+      "16.168.192.in-addr.arpa." = {
+        master = true;
+        extraConfig = ''
+           allow-update { key "dhcp-update-key"; };
+           journal "${config.services.bind.directory}/db.16.168.192.in-addr.arpa.jnl";
+        '';
+        file = pkgs.writeText "16.168.192.in-addr.arpa" (
+          lib.strings.concatStrings [
+            ''
+              $ORIGIN 16.168.192.in-addr.arpa.
+              $TTL    86400
+              @ IN SOA nwk3.rabbito.tech. admin.rabbito.tech (
+              ${zoneSerial}           ; serial number
+              3600                    ; refresh
+              900                     ; retry
+              1209600                 ; expire
+              1800                    ; ttl
+              )
+                              IN    NS      fw1.nwk3.rabbito.tech.
+            ''
+          ]
+        );
+      };
+      "99.40.10.in-addr.arpa." = {
+        master = true;
+        extraConfig = ''
+           allow-update { key "dhcp-update-key"; };
+           journal "${config.services.bind.directory}/db.99.40.10.in-addr.arpa.jnl";
+        '';
+        file = pkgs.writeText "99.40.10.in-addr.arpa" (
+          lib.strings.concatStrings [
+            ''
+              $ORIGIN 99.40.10.in-addr.arpa.
+              $TTL    86400
+              @ IN SOA nwk3.rabbito.tech. admin.rabbito.tech (
+              ${zoneSerial}           ; serial number
+              3600                    ; refresh
+              900                     ; retry
+              1209600                 ; expire
+              1800                    ; ttl
+              )
+                              IN    NS      fw1.nwk3.rabbito.tech.
+              1               IN    PTR     fw1.nwk3.rabbito.tech.
+            ''
+          ]
+        );
+      };
+    };
+  };
+  services.kea.dhcp-ddns = {
+    settings = {
+      reverse-ddns = {
+        ddns-domains = [
+          {
+            name = "14.168.192.in-addr.arpa.";
+            key-name = "dhcp-update-key";
+            dns-servers = [{
+              hostname = "";
+              ip-address = "10.40.99.1";
+              port = 53;
+            }];
+          }
+          {
+            name = "13.168.192.in-addr.arpa.";
+            key-name = "dhcp-update-key";
+            dns-servers = [{
+              hostname = "";
+              ip-address = "10.40.99.1";
+              port = 53;
+            }];
+          }
+          {
+            name = "16.168.192.in-addr.arpa.";
+            key-name = "dhcp-update-key";
+            dns-servers = [{
+              hostname = "";
+              ip-address = "10.40.99.1";
+              port = 53;
+            }];
+          }
+          {
+            name = "99.40.10.in-addr.arpa";
+            key-name = "dhcp-update-key";
+            dns-servers = [{
+              hostname = "";
+              ip-address = "10.40.99.1";
+              port = 53;
+            }];
+          }
+        ];
       };
     };
   };

Diff for: nixos/personalities/server/router/ddns.nix

@@ -1,10 +1,55 @@
-{ config, ... }:
+{ config, lib, ... }:
+let
+  firstBindAddress = lib.head config.services.bind.listenOn;
+in
 {
   sops.secrets.cfApiToken = {
     sopsFile = ../../../../secrets/users.yaml;
   };
+  sops.secrets."bind-ddns-tsig-file" = {
+    sopsFile = ../../../../secrets/users.yaml;
+    owner = config.systemd.services.bind.serviceConfig.User;
+    group = config.systemd.services.bind.serviceConfig.User;
+  };
+  sops.secrets."ddns-tsig-key" = {
+    # TODO: poor secret name
+    sopsFile = ../../../../secrets/users.yaml;
+    owner = config.systemd.services.kea-dhcp-ddns-server.serviceConfig.User;
+    group = config.systemd.services.kea-dhcp-ddns-server.serviceConfig.User;
+  };
   services.cfdyndns = {
     enable = true;
     apiTokenFile = config.sops.secrets.cfApiToken.path;
   };
+
+  services.bind.extraConfig = ''
+    include "${config.sops.secrets."bind-ddns-tsig-file".path}";
+  '';
+
+  services.kea.dhcp-ddns = {
+    enable = true;
+    settings = {
+      tsig-keys = [
+        {
+          name = "dhcp-update-key";
+          algorithm = "hmac-sha256";
+          secret-file = "${config.sops.secrets."ddns-tsig-key".path}";
+        }
+      ];
+      forward-ddns = {
+        ddns-domains = [
+          {
+            name = "${config.networking.domain}.";
+            key-name = "dhcp-update-key";
+            dns-servers = [{
+              hostname = "";
+              ip-address = "${firstBindAddress}";
+              port = 53;
+            }];
+          }
+        ];
+      };
+    };
+  };
+
 }

Diff for: nixos/personalities/server/router/default.nix

@@ -62,17 +62,6 @@
     vlan100 = { id=100; interface="lan"; };
     vlan101 = { id=101; interface="lan"; };
   };
-  services.avahi = {
-    enable = true;
-    hostName = "${config.networking.hostName}";
-    allowInterfaces = [ "vlan100" "vlan101" ];
-    publish = {
-      enable = true;
-      addresses = true;
-      domain = true;
-      userServices = true;
-    };
-  };
   services.udpbroadcastrelay = {
     enable = true;
     package = pkgs.udpbroadcastrelay;

Diff for: nixos/personalities/server/router/dhcp.nix

@@ -1,7 +1,20 @@
+{config, ...}:
 {
+
+  sops.secrets.ddns-tsig-key = {
+    # TODO: poor secret name
+    sopsFile = ../../../../secrets/users.yaml;
+  };
+
   services.kea.dhcp4 = {
     enable = true;
     settings = {
+      dhcp-ddns.enable-updates = true;
+      ddns-replace-client-name = "when-not-present";
+      ddns-update-on-renew = true;
+      ddns-override-client-update = true;
+      ddns-override-no-update = true;
+      ddns-qualifying-suffix = "${config.networking.domain}";
       lease-database = {
         name = "/var/lib/kea/dhcp4.leases";
         persist = true;

Diff for: secrets/users.yaml

@@ -5,6 +5,8 @@ chromium-client-secret: ENC[AES256_GCM,data:CrQUBfe8lZHdYkCbi7NfBUqqTK2BBe518Oej
 tailscale-auth-key: ENC[AES256_GCM,data:bZlL8FYKJMOfj1RWHZFIgNkGY5G4qwBohZKf9aavYOelrIDjWb6kot3eLhGR6S3cJt+/pzFv75143AKrUNc=,iv:I3BAY57o8Bl7BIqRXzEmjDvNg1j6EPKS6KlDn0WXDLU=,tag:EP3KB3QOgqAVO8XXQ5Twog==,type:str]
 nixbuild-ssh-key: ENC[AES256_GCM,data:CJoF+QvIYYBF82iRwqfFsvyTaGZf4zgZYpnppA9jYij6lGWee3LGA0lDp05oG6h3QY5Yrp8XB8lx4WUzALWHjYn9cY+762PxfRO8SwQYx1oJvfP8zZv02WgzctbyxHNNP3bn4yC1YyWDyvWTCU9uQgL+kWOjNpfSBqGJ7rGAuF+XypgmgFMbly4sl8Z3SbICFNVWQOCloemHS/kN2hNu+KlaWgoAPbgAWmLnYb9qndkQKiwapxfi0J4KyU/ryqXW98a+ig89e8u+mJmA8Q9p6XwkEYZ9DAqHg95dqPgjJYgrlmpy4dJ8UHpdFACD8cWQEu11n2O9dIy5pw/YpF89n2toFgDX1Kn/4FMXVaBg/uzJfF9IaOLLOEnqMTXrin+2DWmFDnS+/9w0ybcDPGhIL3+d9xSN8cWgYIB4dr2AVBajbwF3PezczWTg+UIC6fyT1QQAXkusL07pcntOy0g+fMkCXBYLTu84QPmXpRXJVdBDF2v3TF9gtpfc1tpOW0LWc+U0x0m5WALNUAJJ1MXk,iv:UmwIuZIvndyzPQvsm/3M+EwA3gyfyLxZfFcKK6tkkVg=,tag:hIDXKv3E+7SPDBPwSmyV4Q==,type:str]
 cfApiToken: ENC[AES256_GCM,data:H58ODWo3uRm/V4MuNRXV/LxGq6eSX/Og+k95wyV3cLLy9GCVPJP/AA==,iv:z71Fyl6XjcOwl0mwu/sycYm6g3ZZ8HijeeILWXUwUII=,tag:BIXwlUfI7CywLga4+zF87g==,type:str]
+ddns-tsig-key: ENC[AES256_GCM,data:QstpuXoJUplS4BxvRmGIbGBk0+uiLtbyE5XV3CcCcJd6xz7CCIOpsb/YR7w=,iv:2eEL8mD49o9+Qd0VPGAkkudBZOv5YV9h5vuHnugJ8BY=,tag:nurtUr3nfPOmwAExybJsNQ==,type:str]
+bind-ddns-tsig-file: ENC[AES256_GCM,data:VoZh19vnpVxad/PBJdIv8axpZfZZA/txPNESwwRk23YrJ2aSJ+I19LbLPPniEryFSUchyaDocgeLy0vTC/FElc2IQQoj4oEX8sUeskL6Mi57WsZYLAQfIVEr1R0vyja6f+XOUSwmI/suU3AHDhmkSu0=,iv:cUKG+55PQiaGYm3056ri5OsG10YFJMWyC9+rPg6e7DM=,tag:J2PNelxamFMaUTbfN4dWcw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -92,8 +94,8 @@ sops:
             aXVheUlzK3prQWR5bytPcmlWSC9qOFEKmLiEcU0rCyi7HnBlgG/WZESnqC8erjKa
             jNXj+pFjHW8bq6DlC8lclufntBiu7GYyX73SAE3Tpa9vMTyooGlv0g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-01T20:34:19Z"
-    mac: ENC[AES256_GCM,data:wYCBK7exvPP6bEa84InCly3FZDYuvtzzA16kYhMs6cmbKgNPfsaIDyiRmabAcB2y4S69wW7E220PSpTollvJEy7y9ZuQuSED6VskobPg7eXxaEXKpcgzIPOD2L+W6EL7bYogi6x0YpBJuvu+ONSUJuCuOT9PwCCXiOIFy/ZTw4I=,iv:mNCUnjJnVXLrjfLu48eH0FiKQveK2OdYln+uCcY308c=,tag:dEMGpAxXtAVRpdRMEqLMZA==,type:str]
+    lastmodified: "2025-01-13T01:37:56Z"
+    mac: ENC[AES256_GCM,data:8oW84vt/OyouzxAut+LD40tzfinoyXBMELsXuzDiQOPPXsj/GHf4kgAI0lFgjswGM6z8IWE1yvgpMryW59qTulbWnjfC753PQnmBvD2YGB1ASGq3OulursIGGtksWeUC3KDKcg4iAWeqXI6u7tTc+4hi5MTi7nPmQbjn1UrxZso=,iv:+r1IgqsV5402DU/ZmHTxgsS3wc0quSMfgyXGM/hScZE=,tag:nPE9vfoB94KJQcVQh+TeWQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.2