define system config for dns resolver

data/zones/noc.eh22.intern.zone

@@ -2,5 +2,7 @@ $ORIGIN noc.eh22.intern.
 @ 0 IN SOA auth-dns noc.eh22.easterhegg.eu. 1 7200 3600 3600000 60
 @ 0 IN NS 10.20.25.3.
 auth-dns 0 IN A 10.20.25.3
+grafana 0 IN A 10.20.25.4
 proxmox 0 IN A 10.20.25.1
+resolv-dns 0 IN A 10.20.25.5
 sketchy-router 0 IN A 10.20.25.2

systems/default.nix

@@ -6,7 +6,11 @@ let
   # call like `mkSystem "x86_64-linux" "<hostname>.eh22.intern"`
   mkSystem =
     systemType: name:
-    nixpkgs.lib.nixosSystem {
+    let
+      lib = nixpkgs.lib;
+      systemModule = if lib.pathIsDirectory ./${name} then ./${name}/system.nix else ./${name}.nix;
+    in
+    lib.nixosSystem {
       system = systemType;
       specialArgs = flake.inputs;
       modules = [
@@ -17,8 +21,7 @@ let
 
         ../modules/base_system.nix
         ../modules/user_account.nix
-        #../modules/mail_relay.nix
-        ./${name}.nix
+        systemModule
 
         (
           let
@@ -39,6 +42,7 @@ in
 {
   # prod hosts
   "auth-dns.noc.eh22.intern" = mkSystem "x86_64-linux" "auth-dns.noc.eh22.intern";
+  "resolv-dns.noc.eh22.intern" = mkSystem "x86_64-linux" "resolv-dns.noc.eh22.intern";
 
   # staging temp infra
   "sketchy-router.noc.eh22.intern" = mkSystem "x86_64-linux" "sketchy-router.noc.eh22.intern";

systems/resolv-dns.noc.eh22.intern/kresd-config.lua

@@ -0,0 +1,23 @@
+-- ref: https://www.knot-resolver.cz/documentation/stable/config-overview.html
+
+-- load non-default modules
+modules.load("view")
+modules.load("prefill")
+
+-- define list of internal-only domains
+ehDomains = policy.todnames({'noc.eh22.intern'})
+
+-- for the mgmt-network, forward ehDomains to our authorative server
+view:addr('10.20.25.0/24', policy.suffix(policy.FLAGS({'NO_CACHE'}), ehDomains))
+view:addr('10.20.25.0/24', policy.suffix(policy.STUB({'10.20.25.3'}), ehDomains))
+
+-- allow resolution from our internal network
+view:addr('10.20.25.0/24', policy.all(policy.PASS))
+
+-- precache the root zone to reduce traffic load to it
+prefill.config({
+  ["."] = {
+    url = "https://www.internic.net/domain/root.zone",
+    interval = 24 * 60 * 60,
+  }
+})

systems/resolv-dns.noc.eh22.intern/system.nix

@@ -0,0 +1,36 @@
+{
+  pkgs,
+  lib,
+  ...
+}:
+{
+  imports = [ ];
+
+  # configure static IP address
+  networking.useDHCP = false;
+  systemd.network = {
+    enable = true;
+    networks = {
+      "10-mgmtNet" = {
+        matchConfig.MACAddress = "BC:24:11:61:E3:D9";
+        address = [ "10.20.25.5/24" ];
+        gateway = [ "10.20.25.2" ];
+      };
+    };
+  };
+
+  # enable knot resolv server
+  # ref: https://search.nüschtos.de/?query=services.kresd
+  #      https://www.knot-resolver.cz/documentation/stable/
+  services.kresd = {
+    enable = true;
+    instances = 4;
+    listenPlain = [ "53" ];
+    extraConfig = builtins.readFile ./kresd-config.lua;
+  };
+
+  # DO NOT CHANGE
+  # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
+  home-manager.users.noc.home.stateVersion = "24.11";
+  system.stateVersion = "24.11";
+}