From f4ff592efd816320e301cfb1fffcedfb64fcfb0a Mon Sep 17 00:00:00 2001
From: lilly
Date: Tue, 4 Mar 2025 22:49:45 +0100
Subject: [PATCH 1/2] allow system definitions to be done in folders
---
systems/default.nix | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/systems/default.nix b/systems/default.nix
index 161bbda..255d69f 100644
--- a/systems/default.nix
+++ b/systems/default.nix
@@ -6,7 +6,11 @@ let
# call like `mkSystem "x86_64-linux" ".eh22.intern"`
mkSystem =
systemType: name:
- nixpkgs.lib.nixosSystem {
+ let
+ lib = nixpkgs.lib;
+ systemModule = if lib.pathIsDirectory ./${name} then ./${name}/system.nix else ./${name}.nix;
+ in
+ lib.nixosSystem {
system = systemType;
specialArgs = flake.inputs;
modules = [
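Review bot: The doc comment above `mkSystem` (the `# call like` context line) still describes only the call shape and says nothing about the new lookup rule, so someone adding a host cannot tell from it that a directory with `system.nix` takes precedence over a flat `<name>.nix`. I would append a second comment line: `# the host module is ./<name>/system.nix when that directory exists, otherwise ./<name>.nix`. When neither exists the failure only surfaces as an import error out of `lib.nixosSystem`, which is probably acceptable here but is worth stating in that comment. The `lib = nixpkgs.lib;` binding is re-created on every call; if the enclosing `let` already has `nixpkgs` in scope it could live there instead, though that outer block is outside the hunk, as is the rest of mkSystem's body.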
@@ -17,8 +21,7 @@ let
../modules/base_system.nix
../modules/user_account.nix
- #../modules/mail_relay.nix
- ./${name}.nix
+ systemModule
(
let
From 78a1b6daa722f2b7afd410efb8f797946a0c73a0 Mon Sep 17 00:00:00 2001
From: lilly
Date: Tue, 4 Mar 2025 22:50:57 +0100
Subject: [PATCH 2/2] define system config for dns resolver
---
data/zones/noc.eh22.intern.zone | 2 ++
systems/default.nix | 1 +
.../kresd-config.lua | 23 ++++++++++++
systems/resolv-dns.noc.eh22.intern/system.nix | 36 +++++++++++++++++++
4 files changed, 62 insertions(+)
create mode 100644 systems/resolv-dns.noc.eh22.intern/kresd-config.lua
create mode 100644 systems/resolv-dns.noc.eh22.intern/system.nix
diff --git a/data/zones/noc.eh22.intern.zone b/data/zones/noc.eh22.intern.zone
index 1f6a657..e53b328 100644
--- a/data/zones/noc.eh22.intern.zone
+++ b/data/zones/noc.eh22.intern.zone
@@ -2,5 +2,7 @@ $ORIGIN noc.eh22.intern.
@ 0 IN SOA auth-dns noc.eh22.easterhegg.eu. 1 7200 3600 3600000 60
@ 0 IN NS 10.20.25.3.
auth-dns 0 IN A 10.20.25.3
+grafana 0 IN A 10.20.25.4
proxmox 0 IN A 10.20.25.1
+resolv-dns 0 IN A 10.20.25.5
sketchy-router 0 IN A 10.20.25.2
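Review bot: Two A records are added but the SOA serial on the `@ 0 IN SOA` context line stays at 1, so any secondary or tooling keyed on the serial will not notice the new `grafana` and `resolv-dns` entries; bump it with the change, e.g. `@ 0 IN SOA auth-dns noc.eh22.easterhegg.eu. 2 7200 3600 3600000 60`. Whether a secondary exists is not visible here, but keeping the serial monotonic costs nothing and avoids a confusing stale-zone failure later. Unrelated to this change but visible in context: the NS record's target `10.20.25.3.` is an IP literal where a hostname is expected, which zone parsers accept as a name but which will never resolve; the existing `auth-dns` name is probably what was meant and is worth a follow-up.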
diff --git a/systems/default.nix b/systems/default.nix
index 255d69f..bac10f0 100644
--- a/systems/default.nix
+++ b/systems/default.nix
@@ -42,6 +42,7 @@ in
{
# prod hosts
"auth-dns.noc.eh22.intern" = mkSystem "x86_64-linux" "auth-dns.noc.eh22.intern";
+ "resolv-dns.noc.eh22.intern" = mkSystem "x86_64-linux" "resolv-dns.noc.eh22.intern";
# staging temp infra
"sketchy-router.noc.eh22.intern" = mkSystem "x86_64-linux" "sketchy-router.noc.eh22.intern";
diff --git a/systems/resolv-dns.noc.eh22.intern/kresd-config.lua b/systems/resolv-dns.noc.eh22.intern/kresd-config.lua
new file mode 100644
index 0000000..52771e1
--- /dev/null
+++ b/systems/resolv-dns.noc.eh22.intern/kresd-config.lua
@@ -0,0 +1,23 @@
+-- ref: https://www.knot-resolver.cz/documentation/stable/config-overview.html
+
+-- load non-default modules
+modules.load("view")
+modules.load("prefill")
+
+-- define list of internal-only domains
+ehDomains = policy.todnames({'noc.eh22.intern'})
+
+-- for the mgmt-network, forward ehDomains to our authorative server
+view:addr('10.20.25.0/24', policy.suffix(policy.FLAGS({'NO_CACHE'}), ehDomains))
+view:addr('10.20.25.0/24', policy.suffix(policy.STUB({'10.20.25.3'}), ehDomains))
+
+-- allow resolution from our internal network
+view:addr('10.20.25.0/24', policy.all(policy.PASS))
+
+-- precache the root zone to reduce traffic load to it
+prefill.config({
+ ["."] = {
+ url = "https://www.internic.net/domain/root.zone",
+ interval = 24 * 60 * 60,
+ }
+})
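Review bot: There is no catch-all rule after `view:addr('10.20.25.0/24', policy.all(policy.PASS))`, so clients outside 10.20.25.0/24 fall through to ordinary recursive resolution instead of being refused, and with the companion system.nix listening on plain `53` (a wildcard address as far as I can tell) this makes the host an open recursive resolver to anything that can reach it. Add explicit refuse rules for everyone else immediately after the PASS line, keeping them last because, as far as I recall, the view module stops at the first rule that yields an action: `view:addr('0.0.0.0/0', policy.all(policy.REFUSE))` and `view:addr('::/0', policy.all(policy.REFUSE))`. The NO_CACHE and STUB rules for ehDomains rely on FLAGS not terminating view evaluation so that the STUB rule is still reached; that holds in current kresd as far as I know, but a one-line comment stating it would save the next reader a trip to the docs. While here, the comment on the forwarding rules should read `authoritative`.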
diff --git a/systems/resolv-dns.noc.eh22.intern/system.nix b/systems/resolv-dns.noc.eh22.intern/system.nix
new file mode 100644
index 0000000..c6fa428
--- /dev/null
+++ b/systems/resolv-dns.noc.eh22.intern/system.nix
@@ -0,0 +1,36 @@
+{
+ pkgs,
+ lib,
+ ...
+}:
+{
+ imports = [ ];
+
+ # configure static IP address
+ networking.useDHCP = false;
+ systemd.network = {
+ enable = true;
+ networks = {
+ "10-mgmtNet" = {
+ matchConfig.MACAddress = "BC:24:11:61:E3:D9";
+ address = [ "10.20.25.5/24" ];
+ gateway = [ "10.20.25.2" ];
+ };
+ };
+ };
+
+ # enable knot resolv server
+ # ref: https://search.nüschtos.de/?query=services.kresd
+ # https://www.knot-resolver.cz/documentation/stable/
+ services.kresd = {
+ enable = true;
+ instances = 4;
+ listenPlain = [ "53" ];
+ extraConfig = builtins.readFile ./kresd-config.lua;
+ };
+
+ # DO NOT CHANGE
+ # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
+ home-manager.users.noc.home.stateVersion = "24.11";
+ system.stateVersion = "24.11";
+}
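Review bot: `listenPlain = [ "53" ]` binds the resolver on every address of the machine rather than only the static 10.20.25.5 configured a few lines above, which widens exposure beyond the management network the Lua policy is written for; unless the host has other addresses that must be served, `listenPlain = [ "10.20.25.5:53" "127.0.0.1:53" ]` keeps the listener consistent with the address block. The `pkgs` and `lib` arguments are unused in the body and could be dropped from the attribute-set pattern, leaving `{ ... }:`, though that is style only. The MAC address and the 10.20.25.5/24 address are hard-coded here and the same IP is duplicated in the zone file (`resolv-dns 0 IN A 10.20.25.5`); a short comment such as `# must match the resolv-dns A record in data/zones/noc.eh22.intern.zone` would help keep the two in sync.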