From bb5e0900614e575e906d164e692c2a34d0be3f61 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Sun, 7 Apr 2019 00:28:46 +0200 Subject: [PATCH] Add DNS resolver --- nixops/eldiron.nix | 1 + nixops/modules/dns/default.nix | 122 +++++++++++++++++++++++++++++++++ 2 files changed, 123 insertions(+) create mode 100644 nixops/modules/dns/default.nix diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix index 9d32bb3..3e346d4 100644 --- a/nixops/eldiron.nix +++ b/nixops/eldiron.nix @@ -36,6 +36,7 @@ ./modules/task ./modules/irc ./modules/buildbot + ./modules/dns ]; services.myGitolite.enable = true; services.myDatabases.enable = true; diff --git a/nixops/modules/dns/default.nix b/nixops/modules/dns/default.nix new file mode 100644 index 0000000..b5187a8 --- /dev/null +++ b/nixops/modules/dns/default.nix @@ -0,0 +1,122 @@ +{ lib, pkgs, config, myconfig, mylibs, ... }: +{ + config = let + cfg = config.services.bind; + configFile = pkgs.writeText "named.conf" '' + include "/etc/bind/rndc.key"; + controls { + inet 127.0.0.1 allow {localhost;} keys {"rndc-key";}; + }; + + acl cachenetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} }; + acl badnetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.blockedNetworks} }; + + options { + listen-on { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn} }; + listen-on-v6 { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6} }; + allow-query { cachenetworks; }; + blackhole { badnetworks; }; + forward first; + forwarders { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.forwarders} }; + directory "/var/run/named"; + pid-file "/var/run/named/named.pid"; + ${cfg.extraOptions} + }; + + ${cfg.extraConfig} + + ${ lib.concatMapStrings + ({ name, file, master ? true, extra ? "", slaves ? [], masters ? [] }: + '' + zone "${name}" { + type ${if master then "master" else "slave"}; + file "${file}"; + ${ if lib.lists.length slaves > 0 then + '' + allow-transfer { + ${lib.concatMapStrings (ip: "${ip};\n") slaves} + }; + '' else ""} + ${ if lib.lists.length masters > 0 then + '' + masters { + ${lib.concatMapStrings (ip: "${ip};\n") masters} + }; + '' else ""} + allow-query { any; }; + ${extra} + }; + '') + cfg.zones } + ''; + in + { + networking.firewall.allowedUDPPorts = [ 53 ]; + networking.firewall.allowedTCPPorts = [ 53 ]; + services.bind = { + enable = true; + cacheNetworks = ["any"]; + configFile = configFile; + extraOptions = '' + allow-recursion { 127.0.0.1; }; + allow-transfer { none; }; + + notify-source ${myconfig.env.servers.eldiron.ips.main.ip4}; + notify-source-v6 ${lib.head myconfig.env.servers.eldiron.ips.main.ip6}; + version none; + hostname none; + server-id none; + ''; + zones = with myconfig.env.dns; + assert (builtins.substring ((builtins.stringLength soa.email)-1) 1 soa.email) == "."; + assert (builtins.substring ((builtins.stringLength soa.primary)-1) 1 soa.primary) == "."; + (map (conf: { + name = conf.name; + master = false; + file = "/var/run/named/${conf.name}.zone"; + masters = if lib.attrsets.hasAttr "masters" conf + then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.masters) + else []; + }) slaveZones) + ++ (map (conf: { + name = conf.name; + master = true; + extra = if lib.attrsets.hasAttr "extra" conf then conf.extra else ""; + slaves = if lib.attrsets.hasAttr "slaves" conf + then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.slaves) + else []; + file = pkgs.writeText "${conf.name}.zone" '' + $TTL 10800 + @ IN SOA ${soa.primary} ${soa.email} ${soa.serial} ${soa.refresh} ${soa.retry} ${soa.expire} ${soa.ttl} + + ${lib.concatStringsSep "\n" (map (x: "@ IN NS ${x}.") (lib.concatMap (n: lib.attrsets.mapAttrsToList (k: v: k) ns.${n}) conf.ns))} + + ${conf.entries} + + ${if lib.attrsets.hasAttr "withEmail" conf && lib.lists.length conf.withEmail > 0 then '' + mail IN A ${myconfig.env.servers.immaeEu.ips.main.ip4} + ${builtins.concatStringsSep "\n" (map (i: "mail IN AAAA ${i}") myconfig.env.servers.immaeEu.ips.main.ip6)} + ${lib.concatStringsSep "\n\n" (map (e: + let + n = if e.domain == "" then "@" else "${e.domain} "; + suffix = if e.domain == "" then "" else ".${e.domain}"; + in + '' + ; ------------------ mail: ${n} --------------------------- + ${if e.receive then "${n} IN MX 10 mail.${conf.name}." else ""} + + ; Mail sender authentications + ${n} IN TXT "v=spf1 mx ~all" + _dmarc${suffix} IN TXT "v=DMARC1; p=none; adkim=r; aspf=r; fo=1; rua=mailto:postmaster@immae.eu; ruf=mailto:postmaster@immae.eu;" + ${if e.send then '' + immae_eu._domainkey${suffix} IN TXT ( "v=DKIM1; k=rsa; s=email; " + "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzl3vLd8W5YAuumC5+ZT9OV7/14Pmh5JYtwyqKI3cfe9NnAqInt3xO4bZ7oqIxRKWN4SD39vm7O/QOvFdBt00ENOOzdP90s5gKw6eIP/4+vPTh0IWltAsmu9B2agzdtWUE7t2xFKIzEn8l9niRE2QYbVaqZv4sub98vY55fIgFoHtjkmNC7325S8fjDJGp6OPbyhAs6Xl5/adjF" + "0ko4Y2p6RaxLQfjlS0bxmK4Qg6C14pIXHtzVeqOuWrwApqt5+AULSn97iUtqV/IJlEEjC6DUR44t3C/G0G/k46iFclCqRRi0hdPrOHCtZDbtMubnTN9eaUiNpkXh1WnCflHwtjQwIDAQAB" ) + '' else ""} + '') conf.withEmail)} + '' else ""} + ''; + }) masterZones); + }; + }; +} -- 2.41.0