X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fdns.nix;h=8fc40454b78b3bd4df6196c4071ded05d923485e;hb=8ece257945ea039664279ec80f5c0f501b0bf3fd;hp=cb900ffad6ca725b9853666d6055c095117b716f;hpb=68ff82c61628212208bc339b9f91fd1dba6ade50;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/dns.nix b/modules/private/dns.nix
index cb900ff..8fc4045 100644
--- a/modules/private/dns.nix
+++ b/modules/private/dns.nix
@@ -2,7 +2,25 @@
 {
 options.myServices.dns.enable = lib.mkEnableOption "enable DNS resolver";
 config = let
+ # taken from unstable
+ cartesianProductOfSets = attrsOfLists: with lib;
+ lib.foldl' (listOfAttrs: attrName:
+ concatMap (attrs:
+ map (listValue: attrs // { ${attrName} = listValue; }) attrsOfLists.${attrName}
+ ) listOfAttrs
+ ) [{}] (attrNames attrsOfLists);
 cfg = config.services.bind;
+ keyIncludes = builtins.concatStringsSep "\n" (map (v: "include \"${config.secrets.fullPaths."bind/${v}.key"}\";") (builtins.attrNames config.myEnv.dns.keys));
+ cartProduct = lib.foldr
+ (s: servers: servers // { ${s.masters} = lib.unique ((servers.${s.masters} or []) ++ [s.keys]); })
+ {}
+ (lib.unique (lib.concatMap (z: cartesianProductOfSets { masters = z.masters or []; keys = z.keys or []; }) config.myEnv.dns.slaveZones));
+ toKeyList = servers: keys: builtins.concatStringsSep "\n" (map (s: ''
+ server ${s} {
+ keys { ${builtins.concatStringsSep ";" keys}; };
+ };
+ '') servers);
+ serverIncludes = builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: toKeyList (lib.flatten (builtins.attrValues config.myEnv.dns.ns."${n}"))) cartProduct);
 configFile = pkgs.writeText "named.conf" ''
 include "/etc/bind/rndc.key";
 controls {
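Review bot: `toKeyList` can emit several keys inside one `server` statement (`keys { k1;k2; };`) whenever `cartProduct` collects more than one key for the same master, e.g. two entries of `config.myEnv.dns.slaveZones` that share a `masters` name but list different `keys`; as far as I recall BIND 9 accepts only a single key per `server` clause and `named` rejects the file with "only one key per server is currently supported", so this is better caught at evaluation time than at service start. A cheap guard is to make the first line of `toKeyList` read `toKeyList = servers: keys: assert builtins.length keys <= 1; builtins.concatStringsSep "\n" (map (s: ''`. If different zones pulled from the same master genuinely need different TSIG keys, the key belongs on the zone's `masters { <ip> key "<name>"; };` clause rather than in a global `server` statement, which also stops one zone's key from being offered for every other zone shared with that master. The `# taken from unstable` comment would be more useful naming the upstream function (`lib.cartesianProductOfSets`, since renamed `lib.cartesianProduct`) so the copy can be dropped once the pinned nixpkgs provides it; the `let` binding list this hunk edits continues past the hunk.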
@@ -24,10 +42,13 @@
 ${cfg.extraOptions}
 };
+ ${keyIncludes}
+ ${serverIncludes}
+ ${cfg.extraConfig}
 ${ lib.concatMapStrings
- ({ name, file, master ? true, extra ? "", slaves ? [], masters ? [] }:
+ ({ name, file, master ? true, extraConfig ? "", slaves ? [], masters ? [] }:
 ''
 zone "${name}" {
 type ${if master then "master" else "slave"};
@@ -45,16 +66,16 @@
 };
 '' else ""}
 allow-query { any; };
- ${extra}
+ ${extraConfig}
 };
 '')
- cfg.zones }
+ (builtins.attrValues cfg.zones) }
 '';
 mxes = lib.attrsets.filterAttrs (n: v: v.mx.enable) config.myEnv.servers;
 ip4mxes = builtins.concatStringsSep "\n" (lib.mapAttrsToList
- (n: v: "${v.mx.subdomain} IN A ${v.ips.main.ip4}")
+ (n: v: builtins.concatStringsSep "\n" (map (i: "${v.mx.subdomain} IN A ${i}") v.ips.main.ip4))
 mxes);
 ip6mxes = builtins.concatStringsSep "\n" (lib.mapAttrsToList
 (n: v: builtins.concatStringsSep "\n" (map (i: "${v.mx.subdomain} IN AAAA ${i}") v.ips.main.ip6))
@@ -63,8 +84,42 @@
 (_: v: "${n} IN MX ${v.mx.priority} ${v.mx.subdomain}.${conf.name}.")
 mxes);
 in lib.mkIf config.myServices.dns.enable {
+ myServices.chatonsProperties.hostings.dns-secondaire = {
+ file.datetime = "2022-08-22T02:00:00";
+ hosting = {
+ name = "DNS secondaire";
+ description = "DNS secondaire";
+ website = "ns1.immae.eu";
+ status.level = "OK";
+ status.description = "OK";
+ registration.load = "OPEN";
+ install.type = "PACKAGE";
+ };
+ software = {
+ name = "bind9";
+ website = pkgs.bind.meta.homepage;
+ license.url = pkgs.bind.meta.license.url;
+ license.name = pkgs.bind.meta.license.fullName;
+ version = pkgs.bind.version;
+ source.url = "https://www.isc.org/download/";
+ };
+ };
 networking.firewall.allowedUDPPorts = [ 53 ];
 networking.firewall.allowedTCPPorts = [ 53 ];
+ users.users.named.extraGroups = [ "keys" ];
+ secrets.keys = lib.mapAttrs' (k: v:
+ lib.nameValuePair "bind/${k}.key" {
+ permissions = "0400";
+ user = "named";
+ text = ''
+ key "${k}"
+ {
+ algorithm ${v.algorithm};
+ secret "${v.secret}";
+ };
+ '';
+ }
+ ) config.myEnv.dns.keys;
 services.bind = {
 enable = true;
 cacheNetworks = ["any"];
@@ -73,7 +128,7 @@
 allow-recursion { 127.0.0.1; };
 allow-transfer { none; };
- notify-source ${config.myEnv.servers.eldiron.ips.main.ip4};
+ notify-source ${lib.head config.myEnv.servers.eldiron.ips.main.ip4};
 notify-source-v6 ${lib.head config.myEnv.servers.eldiron.ips.main.ip6};
 version none;
 hostname none;
@@ -89,11 +144,13 @@
 masters = if lib.attrsets.hasAttr "masters" conf then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.masters) else [];
+ slaves = [];
 }) slaveZones) ++ (map (conf: {
 name = conf.name;
 master = true;
- extra = if lib.attrsets.hasAttr "extra" conf then conf.extra else "";
+ extraConfig = if lib.attrsets.hasAttr "extra" conf then conf.extra else "";
+ masters = [];
 slaves = if lib.attrsets.hasAttr "slaves" conf then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.slaves) else [];
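Review bot: The TSIG key files declared under `secrets.keys` get the right `permissions = "0400"` and `user = "named"`, but the key name `k`, `v.algorithm` and `v.secret` are spliced into the `key` statement unquoted and unvalidated, so a stray `"` or `;` in any of them corrupts the included file and `named` only fails at startup, after the activation has already replaced the previous configuration. An evaluation-time check such as `assert lib.elem v.algorithm [ "hmac-sha256" "hmac-sha512" ];` placed before `text = ''` surfaces mistakes early and also keeps the discouraged `hmac-md5` out of the configuration. Whether the `text` content stays out of the world-readable Nix store depends on the `secrets` module, which is not visible here — presumably it copies the content to `config.secrets.fullPaths` at activation time, which is why the `pkgs.writeText` named.conf only `include`s the file rather than inlining the key; worth confirming before relying on it. The enclosing `lib.mkIf` attribute set opens in this hunk and continues past it.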
@@ -134,7 +191,7 @@
 ; https://support.google.com/a/answer/9261504
 _mta-sts${suffix} IN TXT "v=STSv1;id=20200109150200Z"
 _smtp._tls${suffix} IN TXT "v=TLSRPTv1;rua=mailto:postmaster+mta-sts@immae.eu"
- mta-sts${suffix} IN A ${config.myEnv.servers.eldiron.ips.main.ip4}
+ ${builtins.concatStringsSep "\n" (map (i: "mta-sts${suffix} IN A ${i}") config.myEnv.servers.eldiron.ips.main.ip4)}
 ${builtins.concatStringsSep "\n" (map (i: "mta-sts${suffix} IN AAAA ${i}") config.myEnv.servers.eldiron.ips.main.ip6)}
 ; Mail sender authentications