diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-05-07 15:07:00 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-05-07 15:07:00 +0200 |
commit | 79d2de8b83d765721b2cb720b2bc59673df54a4a (patch) | |
tree | db989f06302e31a1468832d106d25d611717e363 /nixops/modules/dns | |
parent | 86663f1789aecdb62e44a4be46e0ed111b795a09 (diff) | |
download | Nix-79d2de8b83d765721b2cb720b2bc59673df54a4a.tar.gz Nix-79d2de8b83d765721b2cb720b2bc59673df54a4a.tar.zst Nix-79d2de8b83d765721b2cb720b2bc59673df54a4a.zip |
Move directories with only default.nix to standalone file
Diffstat (limited to 'nixops/modules/dns')
-rw-r--r-- | nixops/modules/dns/default.nix | 132 |
1 files changed, 0 insertions, 132 deletions
diff --git a/nixops/modules/dns/default.nix b/nixops/modules/dns/default.nix deleted file mode 100644 index 0096f55..0000000 --- a/nixops/modules/dns/default.nix +++ /dev/null | |||
@@ -1,132 +0,0 @@ | |||
1 | { lib, pkgs, config, myconfig, mylibs, ... }: | ||
2 | { | ||
3 | config = let | ||
4 | cfg = config.services.bind; | ||
5 | configFile = pkgs.writeText "named.conf" '' | ||
6 | include "/etc/bind/rndc.key"; | ||
7 | controls { | ||
8 | inet 127.0.0.1 allow {localhost;} keys {"rndc-key";}; | ||
9 | }; | ||
10 | |||
11 | acl cachenetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} }; | ||
12 | acl badnetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.blockedNetworks} }; | ||
13 | |||
14 | options { | ||
15 | listen-on { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn} }; | ||
16 | listen-on-v6 { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6} }; | ||
17 | allow-query { cachenetworks; }; | ||
18 | blackhole { badnetworks; }; | ||
19 | forward first; | ||
20 | forwarders { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.forwarders} }; | ||
21 | directory "/var/run/named"; | ||
22 | pid-file "/var/run/named/named.pid"; | ||
23 | ${cfg.extraOptions} | ||
24 | }; | ||
25 | |||
26 | ${cfg.extraConfig} | ||
27 | |||
28 | ${ lib.concatMapStrings | ||
29 | ({ name, file, master ? true, extra ? "", slaves ? [], masters ? [] }: | ||
30 | '' | ||
31 | zone "${name}" { | ||
32 | type ${if master then "master" else "slave"}; | ||
33 | file "${file}"; | ||
34 | ${ if lib.lists.length slaves > 0 then | ||
35 | '' | ||
36 | allow-transfer { | ||
37 | ${lib.concatMapStrings (ip: "${ip};\n") slaves} | ||
38 | }; | ||
39 | '' else ""} | ||
40 | ${ if lib.lists.length masters > 0 then | ||
41 | '' | ||
42 | masters { | ||
43 | ${lib.concatMapStrings (ip: "${ip};\n") masters} | ||
44 | }; | ||
45 | '' else ""} | ||
46 | allow-query { any; }; | ||
47 | ${extra} | ||
48 | }; | ||
49 | '') | ||
50 | cfg.zones } | ||
51 | ''; | ||
52 | in | ||
53 | { | ||
54 | networking.firewall.allowedUDPPorts = [ 53 ]; | ||
55 | networking.firewall.allowedTCPPorts = [ 53 ]; | ||
56 | services.bind = { | ||
57 | enable = true; | ||
58 | cacheNetworks = ["any"]; | ||
59 | configFile = configFile; | ||
60 | extraOptions = '' | ||
61 | allow-recursion { 127.0.0.1; }; | ||
62 | allow-transfer { none; }; | ||
63 | |||
64 | notify-source ${myconfig.env.servers.eldiron.ips.main.ip4}; | ||
65 | notify-source-v6 ${lib.head myconfig.env.servers.eldiron.ips.main.ip6}; | ||
66 | version none; | ||
67 | hostname none; | ||
68 | server-id none; | ||
69 | ''; | ||
70 | zones = with myconfig.env.dns; | ||
71 | assert (builtins.substring ((builtins.stringLength soa.email)-1) 1 soa.email) != "."; | ||
72 | assert (builtins.substring ((builtins.stringLength soa.primary)-1) 1 soa.primary) != "."; | ||
73 | (map (conf: { | ||
74 | name = conf.name; | ||
75 | master = false; | ||
76 | file = "/var/run/named/${conf.name}.zone"; | ||
77 | masters = if lib.attrsets.hasAttr "masters" conf | ||
78 | then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.masters) | ||
79 | else []; | ||
80 | }) slaveZones) | ||
81 | ++ (map (conf: { | ||
82 | name = conf.name; | ||
83 | master = true; | ||
84 | extra = if lib.attrsets.hasAttr "extra" conf then conf.extra else ""; | ||
85 | slaves = if lib.attrsets.hasAttr "slaves" conf | ||
86 | then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.slaves) | ||
87 | else []; | ||
88 | file = pkgs.writeText "${conf.name}.zone" '' | ||
89 | $TTL 10800 | ||
90 | @ IN SOA ${soa.primary}. ${builtins.replaceStrings ["@"] ["."] soa.email}. ${soa.serial} ${soa.refresh} ${soa.retry} ${soa.expire} ${soa.ttl} | ||
91 | |||
92 | ${lib.concatStringsSep "\n" (map (x: "@ IN NS ${x}.") (lib.concatMap (n: lib.attrsets.mapAttrsToList (k: v: k) ns.${n}) conf.ns))} | ||
93 | |||
94 | ${conf.entries} | ||
95 | |||
96 | ${if lib.attrsets.hasAttr "withEmail" conf && lib.lists.length conf.withEmail > 0 then '' | ||
97 | mail IN A ${myconfig.env.servers.immaeEu.ips.main.ip4} | ||
98 | mx-1 IN A ${myconfig.env.servers.eldiron.ips.main.ip4} | ||
99 | ${builtins.concatStringsSep "\n" (map (i: "mail IN AAAA ${i}") myconfig.env.servers.immaeEu.ips.main.ip6)} | ||
100 | ${builtins.concatStringsSep "\n" (map (i: "mx-1 IN AAAA ${i}") myconfig.env.servers.eldiron.ips.main.ip6)} | ||
101 | ${lib.concatStringsSep "\n\n" (map (e: | ||
102 | let | ||
103 | n = if e.domain == "" then "@" else "${e.domain} "; | ||
104 | suffix = if e.domain == "" then "" else ".${e.domain}"; | ||
105 | in | ||
106 | '' | ||
107 | ; ------------------ mail: ${n} --------------------------- | ||
108 | ${if e.receive then "${n} IN MX 10 mail.${conf.name}." else ""} | ||
109 | ;${if e.receive then "${n} IN MX 50 mx-1.${conf.name}." else ""} | ||
110 | |||
111 | ; Mail sender authentications | ||
112 | ${n} IN TXT "v=spf1 mx ~all" | ||
113 | _dmarc${suffix} IN TXT "v=DMARC1; p=none; adkim=r; aspf=r; fo=1; rua=mailto:postmaster+rua@immae.eu; ruf=mailto:postmaster+ruf@immae.eu;" | ||
114 | ${if e.send then '' | ||
115 | immae_eu._domainkey${suffix} IN TXT ( "v=DKIM1; k=rsa; s=email; " | ||
116 | "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzl3vLd8W5YAuumC5+ZT9OV7/14Pmh5JYtwyqKI3cfe9NnAqInt3xO4bZ7oqIxRKWN4SD39vm7O/QOvFdBt00ENOOzdP90s5gKw6eIP/4+vPTh0IWltAsmu9B2agzdtWUE7t2xFKIzEn8l9niRE2QYbVaqZv4sub98vY55fIgFoHtjkmNC7325S8fjDJGp6OPbyhAs6Xl5/adjF" | ||
117 | "0ko4Y2p6RaxLQfjlS0bxmK4Qg6C14pIXHtzVeqOuWrwApqt5+AULSn97iUtqV/IJlEEjC6DUR44t3C/G0G/k46iFclCqRRi0hdPrOHCtZDbtMubnTN9eaUiNpkXh1WnCflHwtjQwIDAQAB" ) | ||
118 | '' else ""} | ||
119 | '') conf.withEmail)} | ||
120 | '' + (if conf.name == "immae.eu" then '' | ||
121 | ; ----------------- Accept DMARC reports ------------------- | ||
122 | ${lib.concatStringsSep "\n" ( | ||
123 | lib.flatten ( | ||
124 | map (z: map (e: "${e.domain}${if builtins.stringLength e.domain > 0 then "." else ""}${z.name}._report._dmarc IN TXT \"v=DMARC1;\"") (z.withEmail or [])) masterZones | ||
125 | ) | ||
126 | )} | ||
127 | '' else "") else ""} | ||
128 | ''; | ||
129 | }) masterZones); | ||
130 | }; | ||
131 | }; | ||
132 | } | ||