options.myServices.dns.enable = lib.mkEnableOption "enable DNS resolver";
config = let
cfg = config.services.bind;
+ keyIncludes = builtins.concatStringsSep "\n" (map (v: "include \"/var/secrets/bind/${v}.key\";") (builtins.attrNames config.myEnv.dns.keys));
+ toKeyList = servers: keys: builtins.concatStringsSep "\n" (map (s: ''
+ server ${s} {
+ keys { ${builtins.concatStringsSep ";" keys}; };
+ };
+ '') servers);
+ serverIncludes = builtins.concatStringsSep "\n" (map (v:
+ lib.optionalString (builtins.length v.keys > 0) (toKeyList (lib.flatten (map (n: builtins.attrValues config.myEnv.dns.ns."${n}") v.masters)) v.keys)
+ ) config.myEnv.dns.slaveZones);
configFile = pkgs.writeText "named.conf" ''
include "/etc/bind/rndc.key";
controls {
${cfg.extraOptions}
};
+ ${keyIncludes}
+ ${serverIncludes}
+
${cfg.extraConfig}
${ lib.concatMapStrings
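Review bot: The key names emitted inside the `server` blocks by `toKeyList` are unquoted (`keys { ${builtins.concatStringsSep ";" keys}; };`) while the matching `key` statements elsewhere in this commit quote them, so a key name that is not a bare BIND identifier renders fine in one place and breaks named.conf in the other; emit them quoted, e.g. `keys { ${builtins.concatStringsSep "; " (map (k: "\"${k}\"") keys)}; };`. `serverIncludes` also produces one `server <addr>` statement per zone, so two slave zones that share a master (or a master with several addresses listed under more than one group) yield duplicate `server` statements for the same address, which BIND is likely to reject at config load — collapsing the masters into a set keyed by address before rendering would avoid that. The `/var/secrets/bind/` prefix in `keyIncludes` is hard-coded here while the secret entries only state `dest = "bind/<name>.key"`; that presumably matches the secrets module's base directory, but a comment such as `# must match the directory the secrets module writes dest into` would make the coupling visible. The enclosing `let` and the `configFile` definition continue outside this hunk.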
in lib.mkIf config.myServices.dns.enable {
networking.firewall.allowedUDPPorts = [ 53 ];
networking.firewall.allowedTCPPorts = [ 53 ];
+ users.users.named.extraGroups = [ "keys" ];
+ secrets.keys = lib.mapAttrsToList (k: v:
+ {
+ dest = "bind/${k}.key";
+ permissions = "0400";
+ user = "named";
+ text = ''
+ key "${k}"
+ {
+ algorithm ${v.algorithm};
+ secret "${v.secret}";
+ };
+ '';
+ }
+ ) config.myEnv.dns.keys;
services.bind = {
enable = true;
cacheNetworks = ["any"];
};
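Review bot: The attribute name `k` is interpolated unchecked into both the secret file path `bind/${k}.key` and the `key "${k}"` statement, so a name containing `/`, `..` or `"` either escapes the intended directory or produces a malformed key file that named rejects; an assertion on the names would close this, e.g. `assertions = [ { assertion = lib.all (k: builtins.match "[A-Za-z0-9_.-]+" k != null) (builtins.attrNames config.myEnv.dns.keys); message = "myEnv.dns.keys: key names must match [A-Za-z0-9_.-]+"; } ];`. The `0400`/`named` ownership only protects the file at `dest`; if the secrets module materialises `text` through a store path before copying, the TSIG secret is also world-readable in the Nix store — worth confirming that it writes out-of-store, and noting the outcome in a comment next to `secrets.keys`. `v.algorithm` is rendered unquoted and `v.secret` quoted, so a stray `;` or `"` in either value breaks the key file rather than being escaped; the option types in the other hunks are the place to constrain that. The `lib.mkIf` body continues past the end of this hunk.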
type = attrsOf (attrsOf (listOf str));
};
+ keys = mkOption {
+ default = {};
+ description = "DNS keys";
+ type = attrsOf (submodule {
+ options = {
+ algorithm = mkOption { type = str; description = "Algorithm"; };
+ secret = mkOption { type = str; description = "Secret"; };
+ };
+ });
+ };
slaveZones = mkOption {
description = "List of slave zones";
type = listOf (submodule {
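Review bot: Both sub-options of `keys` are bare `str`, yet their values are spliced verbatim into a BIND `key` statement, so nothing stops a value with `;`, `"` or a newline from producing an invalid key file; tightening the types is cheap, e.g. `algorithm = mkOption { type = strMatching "[A-Za-z0-9-]+"; description = "TSIG HMAC algorithm name as written in a BIND key statement"; };`. The descriptions `"Algorithm"` and `"Secret"` also say nothing about what is expected; `"Base64-encoded TSIG secret as it appears in a BIND key statement; written to a key file readable only by the named user"` would tell a reader what goes here and where it ends up. It would help to document on the `keys` option itself that the attribute name becomes both the BIND key name and the secret file name, so it must be a plain identifier. The `keys` list option added in the later hunk of this file refers to these attribute names and has the same documentation gap.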
description = "NS master groups of this zone";
type = listOf str;
};
+ keys = mkOption {
+ default = [];
+ description = "Keys associated to the server";
+ type = listOf str;
+ };
};
});
};
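Review bot: The `keys` list on a slave zone is not tied to `myEnv.dns.keys`, so a misspelt entry silently becomes a `server { keys { ... }; }` reference to a key that is never defined, which named presumably reports only at startup; either validate it with an assertion in the config module or at least say so in the description: `description = "Names of keys from myEnv.dns.keys used to talk to this zone's masters";`. An `enum (builtins.attrNames config.myEnv.dns.keys)` type would enforce it at evaluation time, provided `config` is in scope where these options are declared, which this hunk does not show.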