diff --git a/flake/dns/config/chn.moe.nix b/flake/dns/config/chn.moe.nix
index 85d1c330..9c2eb1b0 100644
--- a/flake/dns/config/chn.moe.nix
+++ b/flake/dns/config/chn.moe.nix
@@ -62,6 +62,7 @@ in
       ];
       "_xlog-challenge.xlog" = { type = "TXT"; value = "chn"; };
       autoroute = { type = "NS"; values = "vps6.chn.moe."; };
+      ts = { type = "NS"; values = "vps6.chn.moe."; };
       "mail" = { type = "CNAME"; value = "tuesday.mxrouting.net."; };
       "webmail" = { type = "CNAME"; value = "tuesday.mxrouting.net."; };
       "x._domainkey" =
diff --git a/modules/services/bind.nix b/modules/services/bind.nix
index cf26cec6..6580a60e 100644
--- a/modules/services/bind.nix
+++ b/modules/services/bind.nix
@@ -41,9 +41,13 @@ inputs:
         package = inputs.pkgs.bind.overrideAttrs (prev: { buildInputs = prev.buildInputs ++ [ inputs.pkgs.libmaxminddb ]; });
         listenOn = [(inputs.topInputs.self.config.dns."chn.moe".getAddress "vps6")];
+        cacheNetworks = [ "any" ];
         extraOptions =
         ''
-          recursion no;
+          max-cache-ttl 0;
+          max-ncache-ttl 0;
+          allow-recursion { any; };
+          dnssec-validation no;
           geoip-directory "${inputs.config.services.geoipupdate.settings.DatabaseDirectory}";
         '';
         extraConfig =
@@ -58,6 +62,11 @@ inputs:
             type master;
             file "${chinaZone}";
           };
+          zone "ts.chn.moe" {
+            type forward;
+            forward only;
+            forwarders { 100.100.100.100; };
+          };
           zone "." {
             type hint;
             file "${nullZone}";
@@ -69,6 +78,11 @@ inputs:
             type master;
             file "${globalZone}";
           };
+          zone "ts.chn.moe" {
+            type forward;
+            forward only;
+            forwarders { 100.100.100.100; };
+          };
           zone "." {
             type hint;
             file "${nullZone}";
diff --git a/modules/services/tailscale.nix b/modules/services/tailscale.nix
index 7ceaeade..b066f8e1 100644
--- a/modules/services/tailscale.nix
+++ b/modules/services/tailscale.nix
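Review bot: The new `ts` NS record publicly delegates ts.chn.moe to vps6.chn.moe, and together with the forward zones this commit adds in modules/services/bind.nix that host now answers such queries for any source, so tailnet host names and the addresses behind them become resolvable from the whole Internet rather than only from inside the tailnet. If that exposure is intended, a comment on this line such as `# ts: public delegation of the tailnet zone; vps6 forwards it to the Tailscale resolver` would make it explicit; if it is not, the record should not be published and the forward zone should only be reachable from the tailnet side. The record set this line belongs to starts and ends outside the hunk.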
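Review bot: `allow-recursion { any; };`, together with `cacheNetworks = [ "any" ];` and the removal of `recursion no;`, lets every client of this publicly listening server (its listenOn address is the vps6 record) request recursion, which is what makes the new forward zones answer for arbitrary sources. Today the `zone "."` declarations point at the null hint file, so names outside ts.chn.moe presumably cannot be resolved, but nothing records that this is the only thing keeping the server from being an open resolver, and a later change that adds real root hints would turn it into one. Limiting recursion to the clients that need it, e.g. `allow-recursion { localhost; 100.64.0.0/10; };` (the tailnet range, to be confirmed for this deployment), or placing the forward zone in a view matched on the tailnet interface, keeps the authoritative service unchanged while closing that path; if answering the public is intended, a comment above `allow-recursion` saying so is the minimum. `dnssec-validation no;` also applies to the whole server, not just the forwarded zone, so if it is there because the forwarded answers are unsigned a comment should say that. The `extraOptions` string and the enclosing service attrset both continue outside the hunk.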
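Review bot: The `zone "ts.chn.moe"` block is added verbatim here and again in the next hunk (the one starting at old line 69), once per view as far as the duplicated `zone "."` declarations suggest, so a later change to the forwarder or to `forward only` has to be made twice. Binding the block once next to `chinaZone`/`globalZone` (presumably in the file's `let`), e.g. `tsZone = '' zone "ts.chn.moe" { type forward; forward only; forwarders { 100.100.100.100; }; }; '';`, and interpolating `${tsZone}` in both places removes the duplication. A comment on the forwarder, `# 100.100.100.100 is the Tailscale MagicDNS resolver; only reachable while tailscale is up on this host`, would also record why this server now depends on its tailnet link. The enclosing view block starts and ends outside the hunk.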
@@ -2,42 +2,19 @@ inputs:
 {
   options.nixos.services.tailscale = let inherit (inputs.lib) mkOption types; in mkOption { type = types.nullOr (types.submodule {}); default = {}; };
-  config =
-    let inherit (inputs.config.nixos.services) tailscale;
-    in inputs.lib.mkIf (tailscale != null) (inputs.lib.mkMerge
-    [
-      {
-        services.tailscale =
-        {
-          enable = true;
-          openFirewall = true;
-          disableTaildrop = true;
-          # authKeyParameters should not be set
-          authKeyFile = inputs.config.nixos.system.sops.secrets."tailscale".path;
-          extraUpFlags = [ "--login-server=https://headscale.chn.moe" "--accept-dns=false" ];
-          extraSetFlags = [ "--accept-dns=false" ];
-        };
-        nixos.system.sops.secrets."tailscale" = {};
-        networking.firewall.trustedInterfaces = [ inputs.config.services.tailscale.interfaceName ];
-      }
-      # 如果启用了 xray client,则 dns 交给 dnsmasq 处理
-      # 如果没有启用 xray client 但使用 systemd networkd,则 dns 交给 systemd-networkd 处理
-      # 否则,需要交给 networkmanager 处理,但暂时不用实现
-      (
-        inputs.localLib.mkConditional (inputs.config.nixos.services.xray.client != null)
-        { services.dnsmasq.settings.server = [ "/ts.chn.moe/100.100.100.100" ]; }
-        (
-          inputs.localLib.mkConditional (inputs.config.nixos.system.network.implementation == "systemd-networkd")
-          {
-            services.resolved.extraConfig =
-            ''
-              [Resolve]
-              DNS=100.100.100.100
-              Domains=~ts.chn.moe
-            '';
-          }
-          { assertions = [{ assertion = false; message = "not implemented"; }]; }
-        )
-      )
-    ]);
+  config = let inherit (inputs.config.nixos.services) tailscale; in inputs.lib.mkIf (tailscale != null)
+  {
+    services.tailscale =
+    {
+      enable = true;
+      openFirewall = true;
+      disableTaildrop = true;
+      # authKeyParameters should not be set
+      authKeyFile = inputs.config.nixos.system.sops.secrets."tailscale".path;
+      extraUpFlags = [ "--login-server=https://headscale.chn.moe" "--accept-dns=false" ];
+      extraSetFlags = [ "--accept-dns=false" ];
+    };
+    nixos.system.sops.secrets."tailscale" = {};
+    networking.firewall.trustedInterfaces = [ inputs.config.services.tailscale.interfaceName ];
+  };
 }
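Review bot: With the dnsmasq/resolved split-DNS entries removed, a host now resolves ts.chn.moe through its ordinary resolver and the public delegation to vps6 instead of asking 100.100.100.100 over the tailnet, so peer lookups leave the host as plain DNS and fail whenever vps6 or its tailscale link is down, while `--accept-dns=false` still keeps MagicDNS off locally. Nothing in the file records that trade-off; a comment above `extraUpFlags` such as `# ts.chn.moe is resolved via the public chn.moe delegation (see modules/services/bind.nix); MagicDNS stays disabled` would stop the next reader from re-adding split DNS. The removed `not implemented` assertion was also the only place the networkmanager case was noted, so if that case is still unsupported for other reasons it is worth a line in the same comment.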