Add CAA to dns

3 files changed, 4 insertions, 0 deletions

diff --git a/modules/private/dns.nix b/modules/private/dns.nix
index ebced42..cb900ff 100644
--- a/modules/private/dns.nix
+++ b/modules/private/dns.nix
@@ -102,6 +102,9 @@
               @ IN SOA ${soa.primary}. ${builtins.replaceStrings ["@"] ["."] soa.email}. ${soa.serial} ${soa.refresh} ${soa.retry} ${soa.expire} ${soa.ttl}
 
               ${lib.concatStringsSep "\n" (map (x: "@ IN NS ${x}.") (lib.concatMap (n: lib.attrsets.mapAttrsToList (k: v: k) ns.${n}) conf.ns))}
+              ${lib.optionalString (conf.withCAA != null) ''
+                ${conf.name}. IN CAA 0 issue "${conf.withCAA}"
+              ''}
 
               ${conf.entries}
 
diff --git a/modules/private/environment.nix b/modules/private/environment.nix
index 490a405..91e018d 100644
--- a/modules/private/environment.nix
+++ b/modules/private/environment.nix
@@ -401,6 +401,7 @@ in
             type = listOf (submodule {
               options = {
                 name = mkOption { type = str; description = "zone name"; };
+                withCAA = mkOption { type = nullOr str; description = "CAA entry"; default = null; };
                 slaves = mkOption {
                   description = "NS slave groups of this zone";
                   type = listOf str;
diff --git a/nixops/secrets b/nixops/secrets
-Subproject 6864a6e47101fa922e8d0bca60b9d0ca30803b2
+Subproject 9f0dec5a2040820a1ce8859838f92499babefdc