authorIsmaël Bouya <ismael.bouya@normalesup.org>2021-05-01 21:07:09 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2021-05-01 21:07:09 +0200
commit8175055f973b3f6e8a383abcaa42afb22f279e24 (patch)
tree7d154e5b3de0825694dd103c6ec3080dd5721cbb /modules
parenta0e80453478719b9b13240f0e045d4d0419b8109 (diff)
Add keys handling for bind9
Diffstat (limited to 'modules')
-rw-r--r--modules/private/dns.nix27
-rw-r--r--modules/private/environment.nix15
2 files changed, 42 insertions, 0 deletions
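--- a/modules/private/dns.nix
+++ b/modules/private/dns.nix
@@ -3,6 +3,15 @@
   options.myServices.dns.enable = lib.mkEnableOption "enable DNS resolver";
   config = let
     cfg = config.services.bind;
+    keyIncludes = builtins.concatStringsSep "\n" (map (v: "include \"/var/secrets/bind/${v}.key\";") (builtins.attrNames config.myEnv.dns.keys));
+    toKeyList = servers: keys: builtins.concatStringsSep "\n" (map (s: ''
+      server ${s} {
+        keys { ${builtins.concatStringsSep ";" keys}; };
+      };
+    '') servers);
+    serverIncludes = builtins.concatStringsSep "\n" (map (v:
+      lib.optionalString (builtins.length v.keys > 0) (toKeyList (lib.flatten (map (n: builtins.attrValues config.myEnv.dns.ns."${n}") v.masters)) v.keys)
+    ) config.myEnv.dns.slaveZones);
     configFile = pkgs.writeText "named.conf" ''
       include "/etc/bind/rndc.key";
       controls {
@@ -24,6 +33,9 @@
         ${cfg.extraOptions}
       };
 
+      ${keyIncludes}
+      ${serverIncludes}
+
       ${cfg.extraConfig}
 
       ${ lib.concatMapStrings
@@ -65,6 +77,21 @@
   in lib.mkIf config.myServices.dns.enable {
     networking.firewall.allowedUDPPorts = [ 53 ];
     networking.firewall.allowedTCPPorts = [ 53 ];
+    users.users.named.extraGroups = [ "keys" ];
+    secrets.keys = lib.mapAttrsToList (k: v:
+      {
+        dest = "bind/${k}.key";
+        permissions = "0400";
+        user = "named";
+        text = ''
+          key "${k}"
+          {
+            algorithm ${v.algorithm};
+            secret "${v.secret}";
+          };
+        '';
+      }
+    ) config.myEnv.dns.keys;
     services.bind = {
       enable = true;
       cacheNetworks = ["any"];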
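Review bot: The key name `k` is spliced unchecked into both the secret's destination path `bind/${k}.key` (new line 83) and the quoted `key "${k}"` stanza (new line 87), and `v.algorithm` is spliced unquoted on new line 89; a name containing `/`, `..`, `"` or `;` would land the file outside `bind/` or produce a key file that named presumably refuses to load, taking the resolver down at activation. These values come from the operator's own `myEnv` configuration rather than from untrusted input, so this is hardening against typos rather than an exploitable hole, but a cheap evaluation-time guard is worth it: `assertions = [ { assertion = lib.all (n: builtins.match "[A-Za-z0-9_.-]+" n != null) (builtins.attrNames config.myEnv.dns.keys); message = "myEnv.dns.keys: key names must match [A-Za-z0-9_.-]+"; } ];`. The same gap exists for `v.keys` in `serverIncludes` (new lines 12–14): a slave zone listing a key name that is not an attribute of `myEnv.dns.keys` still yields a `server … { keys { … }; }` stanza, referencing a key that is never defined, and could be rejected by the same assertion. The enclosing `config = let … in lib.mkIf …` block starts and ends outside the hunks shown.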
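--- a/modules/private/environment.nix
+++ b/modules/private/environment.nix
@@ -384,6 +384,16 @@ in
       };
       type = attrsOf (attrsOf (listOf str));
     };
+    keys = mkOption {
+      default = {};
+      description = "DNS keys";
+      type = attrsOf (submodule {
+        options = {
+          algorithm = mkOption { type = str; description = "Algorithm"; };
+          secret = mkOption { type = str; description = "Secret"; };
+        };
+      });
+    };
     slaveZones = mkOption {
       description = "List of slave zones";
       type = listOf (submodule {
@@ -393,6 +403,11 @@ in
           description = "NS master groups of this zone";
           type = listOf str;
         };
+        keys = mkOption {
+          default = [];
+          description = "Keys associated to the server";
+          type = listOf str;
+        };
       };
     });
   };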
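Review bot: `algorithm` on new line 392 accepts any string, but BIND only recognises a fixed set of TSIG algorithm names, so a typo is discovered only when named loads the generated key file; constraining the option, `type = enum [ "hmac-md5" "hmac-sha1" "hmac-sha224" "hmac-sha256" "hmac-sha384" "hmac-sha512" ];` (using the bare type names the file already uses), rejects it at evaluation time instead. The descriptions are too thin to tell an operator what to put in them: "DNS keys" could read "TSIG keys by name; each is written to a key file for bind and referenced by name from slaveZones.keys", "Algorithm" could name the expected values, and "Keys associated to the server" on new line 408 should say what the list actually holds, e.g. "Names of entries in myEnv.dns.keys to present to this zone's masters for transfers". `secret` on new line 393 is a plain `str` living in the evaluated configuration; whether it stays out of the world-readable Nix store depends on how `myEnv` is populated and on how `secrets.keys` writes the file, neither of which is visible here, so that is worth confirming. The enclosing option set (the `slaveZones` submodule and the attribute set around `keys`) starts outside the hunks shown.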