X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fdns.nix;fp=modules%2Fprivate%2Fdns.nix;h=1149daf6787508f36befea23903b7360774f80e6;hb=8175055f973b3f6e8a383abcaa42afb22f279e24;hp=cb900ffad6ca725b9853666d6055c095117b716f;hpb=a0e80453478719b9b13240f0e045d4d0419b8109;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/dns.nix b/modules/private/dns.nix
index cb900ff..1149daf 100644
--- a/modules/private/dns.nix
+++ b/modules/private/dns.nix
@@ -3,6 +3,15 @@
 options.myServices.dns.enable = lib.mkEnableOption "enable DNS resolver";
 config = let
 cfg = config.services.bind;
+ keyIncludes = builtins.concatStringsSep "\n" (map (v: "include \"/var/secrets/bind/${v}.key\";") (builtins.attrNames config.myEnv.dns.keys));
+ toKeyList = servers: keys: builtins.concatStringsSep "\n" (map (s: ''
+ server ${s} {
+ keys { ${builtins.concatStringsSep ";" keys}; };
+ };
+ '') servers);
+ serverIncludes = builtins.concatStringsSep "\n" (map (v:
+ lib.optionalString (builtins.length v.keys > 0) (toKeyList (lib.flatten (map (n: builtins.attrValues config.myEnv.dns.ns."${n}") v.masters)) v.keys)
+ ) config.myEnv.dns.slaveZones);
 configFile = pkgs.writeText "named.conf" ''
 include "/etc/bind/rndc.key";
 controls {
@@ -24,6 +33,9 @@ ${cfg.extraOptions} }; + ${keyIncludes} + ${serverIncludes} + ${cfg.extraConfig} ${ lib.concatMapStrings
@@ -65,6 +77,21 @@ in lib.mkIf config.myServices.dns.enable { networking.firewall.allowedUDPPorts = [ 53 ]; networking.firewall.allowedTCPPorts = [ 53 ]; + users.users.named.extraGroups = [ "keys" ]; + secrets.keys = lib.mapAttrsToList (k: v: + { + dest = "bind/${k}.key"; + permissions = "0400"; + user = "named"; + text = '' + key "${k}" + { + algorithm ${v.algorithm}; + secret "${v.secret}"; + }; + ''; + } + ) config.myEnv.dns.keys; services.bind = { enable = true; cacheNetworks = ["any"];
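Review bot: `serverIncludes` renders one `server <addr> { keys { … }; };` block per slave zone per master, so two zones that share a master address each emit their own `server` statement for that address, and I have not confirmed whether the installed named rejects the duplicate or silently keeps only one of the key sets. Merging the key names per address before rendering sidesteps that; the rewrite below does so and changes `toKeyList` to take the merged attrset instead of a server list plus key list. Separately, `config.myEnv.dns.ns."${n}"` fails evaluation with a bare missing-attribute error when a zone names a master that is not declared, whereas `config.myEnv.dns.ns.${n} or (throw "myEnv.dns: master ${n} is not declared in myEnv.dns.ns")` names the culprit. The enclosing `config = let … in` binding continues past the end of the hunk.
```nix
    cfg = config.services.bind;
    # … unchanged: keyIncludes …
    # addresses of every declared master of a zone; an undeclared master name fails with a message naming it
    masterAddrs = v: lib.flatten (map (n: builtins.attrValues (config.myEnv.dns.ns.${n} or (throw "myEnv.dns: master ${n} is not declared in myEnv.dns.ns"))) v.masters);
    # master address -> merged, de-duplicated list of TSIG key names, so each address gets exactly one server statement
    serverKeys = lib.foldl' (acc: v:
      lib.foldl' (acc': s: acc' // { ${s} = lib.unique ((acc'.${s} or []) ++ v.keys); }) acc (masterAddrs v)
      ) {} (builtins.filter (v: builtins.length v.keys > 0) config.myEnv.dns.slaveZones);
    toKeyList = serverKeys: builtins.concatStringsSep "\n" (lib.mapAttrsToList (s: keys: ''
      server ${s} {
        keys { ${builtins.concatStringsSep ";" keys}; };
      };
      '') serverKeys);
    serverIncludes = toKeyList serverKeys;
    # … unchanged: configFile = pkgs.writeText "named.conf" '' … …
```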
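Review bot: The two new interpolations carry an ordering constraint that nothing in the hunk states: the `server` blocks produced by `${serverIncludes}` refer to keys by name, so `${keyIncludes}` has to stay in front of them, and both are placed ahead of `${cfg.extraConfig}` so that operator-supplied configuration can also refer to those keys. A named.conf comment on the line before `${keyIncludes}` would protect that order through later edits, e.g. `// TSIG keys (files under /var/secrets/bind, generated from myEnv.dns.keys) must be included before the server statements that reference them`. The rendered named.conf string opens and closes outside the hunk, so the rest of the generated configuration is not visible here.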
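Review bot: Every attribute name of `config.myEnv.dns.keys` becomes both a path component in `dest = "bind/${k}.key"` and the quoted identifier in `key "${k}"`, and nothing rejects a name containing `/`, `"` or whitespace before it is spliced into a file path and a BIND statement. An assertion in the lambda turns a bad name into an evaluation-time failure with a clear message: `lib.mapAttrsToList (k: v: assert lib.assertMsg (builtins.match "[A-Za-z0-9._-]+" k != null) "myEnv.dns.keys: invalid key name ${k}"; { … })`. The include path hard-coded as `/var/secrets/bind/${v}.key` in the `keyIncludes` binding earlier in this diff and the relative `dest` here only agree if the secrets module deploys under `/var/secrets`, which is not visible from this hunk; a comment on `dest` recording that coupling would help, e.g. `# must match the include path built in keyIncludes (/var/secrets/bind/<name>.key)`. Where `text`, and with it the TSIG secret, ends up also depends on that secrets module, so whether it stays out of the Nix store cannot be judged here; the generated named.conf itself only references the key files by path, which is the right split.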