aboutsummaryrefslogtreecommitdiff
path: root/nixops/modules/dns
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-05-07 15:07:00 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-05-07 15:07:00 +0200
commit79d2de8b83d765721b2cb720b2bc59673df54a4a (patch)
treedb989f06302e31a1468832d106d25d611717e363 /nixops/modules/dns
parent86663f1789aecdb62e44a4be46e0ed111b795a09 (diff)
downloadNix-79d2de8b83d765721b2cb720b2bc59673df54a4a.tar.gz
Nix-79d2de8b83d765721b2cb720b2bc59673df54a4a.tar.zst
Nix-79d2de8b83d765721b2cb720b2bc59673df54a4a.zip
Move directories with only default.nix to standalone file
Diffstat (limited to 'nixops/modules/dns')
-rw-r--r--nixops/modules/dns/default.nix132
1 files changed, 0 insertions, 132 deletions
diff --git a/nixops/modules/dns/default.nix b/nixops/modules/dns/default.nix
deleted file mode 100644
index 0096f55..0000000
--- a/nixops/modules/dns/default.nix
+++ /dev/null
@@ -1,132 +0,0 @@
1{ lib, pkgs, config, myconfig, mylibs, ... }:
2{
3 config = let
4 cfg = config.services.bind;
5 configFile = pkgs.writeText "named.conf" ''
6 include "/etc/bind/rndc.key";
7 controls {
8 inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
9 };
10
11 acl cachenetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} };
12 acl badnetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.blockedNetworks} };
13
14 options {
15 listen-on { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn} };
16 listen-on-v6 { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6} };
17 allow-query { cachenetworks; };
18 blackhole { badnetworks; };
19 forward first;
20 forwarders { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.forwarders} };
21 directory "/var/run/named";
22 pid-file "/var/run/named/named.pid";
23 ${cfg.extraOptions}
24 };
25
26 ${cfg.extraConfig}
27
28 ${ lib.concatMapStrings
29 ({ name, file, master ? true, extra ? "", slaves ? [], masters ? [] }:
30 ''
31 zone "${name}" {
32 type ${if master then "master" else "slave"};
33 file "${file}";
34 ${ if lib.lists.length slaves > 0 then
35 ''
36 allow-transfer {
37 ${lib.concatMapStrings (ip: "${ip};\n") slaves}
38 };
39 '' else ""}
40 ${ if lib.lists.length masters > 0 then
41 ''
42 masters {
43 ${lib.concatMapStrings (ip: "${ip};\n") masters}
44 };
45 '' else ""}
46 allow-query { any; };
47 ${extra}
48 };
49 '')
50 cfg.zones }
51 '';
52 in
53 {
54 networking.firewall.allowedUDPPorts = [ 53 ];
55 networking.firewall.allowedTCPPorts = [ 53 ];
56 services.bind = {
57 enable = true;
58 cacheNetworks = ["any"];
59 configFile = configFile;
60 extraOptions = ''
61 allow-recursion { 127.0.0.1; };
62 allow-transfer { none; };
63
64 notify-source ${myconfig.env.servers.eldiron.ips.main.ip4};
65 notify-source-v6 ${lib.head myconfig.env.servers.eldiron.ips.main.ip6};
66 version none;
67 hostname none;
68 server-id none;
69 '';
70 zones = with myconfig.env.dns;
71 assert (builtins.substring ((builtins.stringLength soa.email)-1) 1 soa.email) != ".";
72 assert (builtins.substring ((builtins.stringLength soa.primary)-1) 1 soa.primary) != ".";
73 (map (conf: {
74 name = conf.name;
75 master = false;
76 file = "/var/run/named/${conf.name}.zone";
77 masters = if lib.attrsets.hasAttr "masters" conf
78 then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.masters)
79 else [];
80 }) slaveZones)
81 ++ (map (conf: {
82 name = conf.name;
83 master = true;
84 extra = if lib.attrsets.hasAttr "extra" conf then conf.extra else "";
85 slaves = if lib.attrsets.hasAttr "slaves" conf
86 then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.slaves)
87 else [];
88 file = pkgs.writeText "${conf.name}.zone" ''
89 $TTL 10800
90 @ IN SOA ${soa.primary}. ${builtins.replaceStrings ["@"] ["."] soa.email}. ${soa.serial} ${soa.refresh} ${soa.retry} ${soa.expire} ${soa.ttl}
91
92 ${lib.concatStringsSep "\n" (map (x: "@ IN NS ${x}.") (lib.concatMap (n: lib.attrsets.mapAttrsToList (k: v: k) ns.${n}) conf.ns))}
93
94 ${conf.entries}
95
96 ${if lib.attrsets.hasAttr "withEmail" conf && lib.lists.length conf.withEmail > 0 then ''
97 mail IN A ${myconfig.env.servers.immaeEu.ips.main.ip4}
98 mx-1 IN A ${myconfig.env.servers.eldiron.ips.main.ip4}
99 ${builtins.concatStringsSep "\n" (map (i: "mail IN AAAA ${i}") myconfig.env.servers.immaeEu.ips.main.ip6)}
100 ${builtins.concatStringsSep "\n" (map (i: "mx-1 IN AAAA ${i}") myconfig.env.servers.eldiron.ips.main.ip6)}
101 ${lib.concatStringsSep "\n\n" (map (e:
102 let
103 n = if e.domain == "" then "@" else "${e.domain} ";
104 suffix = if e.domain == "" then "" else ".${e.domain}";
105 in
106 ''
107 ; ------------------ mail: ${n} ---------------------------
108 ${if e.receive then "${n} IN MX 10 mail.${conf.name}." else ""}
109 ;${if e.receive then "${n} IN MX 50 mx-1.${conf.name}." else ""}
110
111 ; Mail sender authentications
112 ${n} IN TXT "v=spf1 mx ~all"
113 _dmarc${suffix} IN TXT "v=DMARC1; p=none; adkim=r; aspf=r; fo=1; rua=mailto:postmaster+rua@immae.eu; ruf=mailto:postmaster+ruf@immae.eu;"
114 ${if e.send then ''
115 immae_eu._domainkey${suffix} IN TXT ( "v=DKIM1; k=rsa; s=email; "
116 "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzl3vLd8W5YAuumC5+ZT9OV7/14Pmh5JYtwyqKI3cfe9NnAqInt3xO4bZ7oqIxRKWN4SD39vm7O/QOvFdBt00ENOOzdP90s5gKw6eIP/4+vPTh0IWltAsmu9B2agzdtWUE7t2xFKIzEn8l9niRE2QYbVaqZv4sub98vY55fIgFoHtjkmNC7325S8fjDJGp6OPbyhAs6Xl5/adjF"
117 "0ko4Y2p6RaxLQfjlS0bxmK4Qg6C14pIXHtzVeqOuWrwApqt5+AULSn97iUtqV/IJlEEjC6DUR44t3C/G0G/k46iFclCqRRi0hdPrOHCtZDbtMubnTN9eaUiNpkXh1WnCflHwtjQwIDAQAB" )
118 '' else ""}
119 '') conf.withEmail)}
120 '' + (if conf.name == "immae.eu" then ''
121 ; ----------------- Accept DMARC reports -------------------
122 ${lib.concatStringsSep "\n" (
123 lib.flatten (
124 map (z: map (e: "${e.domain}${if builtins.stringLength e.domain > 0 then "." else ""}${z.name}._report._dmarc IN TXT \"v=DMARC1;\"") (z.withEmail or [])) masterZones
125 )
126 )}
127 '' else "") else ""}
128 '';
129 }) masterZones);
130 };
131 };
132}