From 8175055f973b3f6e8a383abcaa42afb22f279e24 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?= <ismael.bouya@normalesup.org>
Date: Sat, 1 May 2021 21:07:09 +0200
Subject: [PATCH] Add keys handling for bind9

---
 modules/private/dns.nix         | 27 +++++++++++++++++++++++++++
 modules/private/environment.nix | 15 +++++++++++++++
 nixops/secrets                  |  2 +-
 3 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/modules/private/dns.nix b/modules/private/dns.nix
index cb900ff..1149daf 100644
--- a/modules/private/dns.nix
+++ b/modules/private/dns.nix
@@ -3,6 +3,15 @@
   options.myServices.dns.enable = lib.mkEnableOption "enable DNS resolver";
   config = let
     cfg = config.services.bind;
+    keyIncludes = builtins.concatStringsSep "\n" (map (v: "include \"/var/secrets/bind/${v}.key\";") (builtins.attrNames config.myEnv.dns.keys));
+    toKeyList = servers: keys: builtins.concatStringsSep "\n" (map (s: ''
+      server ${s} {
+        keys { ${builtins.concatStringsSep ";" keys}; };
+      };
+    '') servers);
+    serverIncludes = builtins.concatStringsSep "\n" (map (v:
+      lib.optionalString (builtins.length v.keys > 0) (toKeyList (lib.flatten (map (n: builtins.attrValues config.myEnv.dns.ns."${n}") v.masters)) v.keys)
+    ) config.myEnv.dns.slaveZones);
     configFile = pkgs.writeText "named.conf" ''
       include "/etc/bind/rndc.key";
       controls {
@@ -24,6 +33,9 @@
         ${cfg.extraOptions}
       };
 
+      ${keyIncludes}
+      ${serverIncludes}
+
       ${cfg.extraConfig}
 
       ${ lib.concatMapStrings
@@ -65,6 +77,21 @@
   in lib.mkIf config.myServices.dns.enable {
     networking.firewall.allowedUDPPorts = [ 53 ];
     networking.firewall.allowedTCPPorts = [ 53 ];
+    users.users.named.extraGroups = [ "keys" ];
+    secrets.keys = lib.mapAttrsToList (k: v:
+      {
+        dest = "bind/${k}.key";
+        permissions = "0400";
+        user = "named";
+        text = ''
+          key "${k}"
+            {
+              algorithm ${v.algorithm};
+              secret "${v.secret}";
+            };
+        '';
+      }
+    ) config.myEnv.dns.keys;
     services.bind = {
       enable = true;
       cacheNetworks = ["any"];
diff --git a/modules/private/environment.nix b/modules/private/environment.nix
index 9cd591e..32af339 100644
--- a/modules/private/environment.nix
+++ b/modules/private/environment.nix
@@ -384,6 +384,16 @@ in
             };
             type = attrsOf (attrsOf (listOf str));
           };
+          keys = mkOption {
+            default = {};
+            description = "DNS keys";
+            type = attrsOf (submodule {
+              options = {
+                algorithm = mkOption { type = str; description = "Algorithm"; };
+                secret    = mkOption { type = str; description = "Secret"; };
+              };
+            });
+          };
           slaveZones = mkOption {
             description = "List of slave zones";
             type = listOf (submodule {
@@ -393,6 +403,11 @@ in
                   description = "NS master groups of this zone";
                   type = listOf str;
                 };
+                keys = mkOption {
+                  default = [];
+                  description = "Keys associated to the server";
+                  type = listOf str;
+                };
               };
             });
           };
diff --git a/nixops/secrets b/nixops/secrets
index e816753..bbc6606 160000
--- a/nixops/secrets
+++ b/nixops/secrets
@@ -1 +1 @@
-Subproject commit e816753f9ffc851a6f1e35cfa267a03e2a0ad2aa
+Subproject commit bbc6606211e970d0df974f0f74693f48186aea9c
-- 
2.41.0