aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--nixops/eldiron.nix1
-rw-r--r--nixops/modules/dns/default.nix122
2 files changed, 123 insertions, 0 deletions
diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix
index 9d32bb3..3e346d4 100644
--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -36,6 +36,7 @@
36 ./modules/task 36 ./modules/task
37 ./modules/irc 37 ./modules/irc
38 ./modules/buildbot 38 ./modules/buildbot
39 ./modules/dns
39 ]; 40 ];
40 services.myGitolite.enable = true; 41 services.myGitolite.enable = true;
41 services.myDatabases.enable = true; 42 services.myDatabases.enable = true;
diff --git a/nixops/modules/dns/default.nix b/nixops/modules/dns/default.nix
new file mode 100644
index 0000000..b5187a8
--- /dev/null
+++ b/nixops/modules/dns/default.nix
@@ -0,0 +1,122 @@
1{ lib, pkgs, config, myconfig, mylibs, ... }:
2{
3 config = let
4 cfg = config.services.bind;
5 configFile = pkgs.writeText "named.conf" ''
6 include "/etc/bind/rndc.key";
7 controls {
8 inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
9 };
10
11 acl cachenetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} };
12 acl badnetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.blockedNetworks} };
13
14 options {
15 listen-on { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn} };
16 listen-on-v6 { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6} };
17 allow-query { cachenetworks; };
18 blackhole { badnetworks; };
19 forward first;
20 forwarders { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.forwarders} };
21 directory "/var/run/named";
22 pid-file "/var/run/named/named.pid";
23 ${cfg.extraOptions}
24 };
25
26 ${cfg.extraConfig}
27
28 ${ lib.concatMapStrings
29 ({ name, file, master ? true, extra ? "", slaves ? [], masters ? [] }:
30 ''
31 zone "${name}" {
32 type ${if master then "master" else "slave"};
33 file "${file}";
34 ${ if lib.lists.length slaves > 0 then
35 ''
36 allow-transfer {
37 ${lib.concatMapStrings (ip: "${ip};\n") slaves}
38 };
39 '' else ""}
40 ${ if lib.lists.length masters > 0 then
41 ''
42 masters {
43 ${lib.concatMapStrings (ip: "${ip};\n") masters}
44 };
45 '' else ""}
46 allow-query { any; };
47 ${extra}
48 };
49 '')
50 cfg.zones }
51 '';
52 in
53 {
54 networking.firewall.allowedUDPPorts = [ 53 ];
55 networking.firewall.allowedTCPPorts = [ 53 ];
56 services.bind = {
57 enable = true;
58 cacheNetworks = ["any"];
59 configFile = configFile;
60 extraOptions = ''
61 allow-recursion { 127.0.0.1; };
62 allow-transfer { none; };
63
64 notify-source ${myconfig.env.servers.eldiron.ips.main.ip4};
65 notify-source-v6 ${lib.head myconfig.env.servers.eldiron.ips.main.ip6};
66 version none;
67 hostname none;
68 server-id none;
69 '';
70 zones = with myconfig.env.dns;
71 assert (builtins.substring ((builtins.stringLength soa.email)-1) 1 soa.email) == ".";
72 assert (builtins.substring ((builtins.stringLength soa.primary)-1) 1 soa.primary) == ".";
73 (map (conf: {
74 name = conf.name;
75 master = false;
76 file = "/var/run/named/${conf.name}.zone";
77 masters = if lib.attrsets.hasAttr "masters" conf
78 then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.masters)
79 else [];
80 }) slaveZones)
81 ++ (map (conf: {
82 name = conf.name;
83 master = true;
84 extra = if lib.attrsets.hasAttr "extra" conf then conf.extra else "";
85 slaves = if lib.attrsets.hasAttr "slaves" conf
86 then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.slaves)
87 else [];
88 file = pkgs.writeText "${conf.name}.zone" ''
89 $TTL 10800
90 @ IN SOA ${soa.primary} ${soa.email} ${soa.serial} ${soa.refresh} ${soa.retry} ${soa.expire} ${soa.ttl}
91
92 ${lib.concatStringsSep "\n" (map (x: "@ IN NS ${x}.") (lib.concatMap (n: lib.attrsets.mapAttrsToList (k: v: k) ns.${n}) conf.ns))}
93
94 ${conf.entries}
95
96 ${if lib.attrsets.hasAttr "withEmail" conf && lib.lists.length conf.withEmail > 0 then ''
97 mail IN A ${myconfig.env.servers.immaeEu.ips.main.ip4}
98 ${builtins.concatStringsSep "\n" (map (i: "mail IN AAAA ${i}") myconfig.env.servers.immaeEu.ips.main.ip6)}
99 ${lib.concatStringsSep "\n\n" (map (e:
100 let
101 n = if e.domain == "" then "@" else "${e.domain} ";
102 suffix = if e.domain == "" then "" else ".${e.domain}";
103 in
104 ''
105 ; ------------------ mail: ${n} ---------------------------
106 ${if e.receive then "${n} IN MX 10 mail.${conf.name}." else ""}
107
108 ; Mail sender authentications
109 ${n} IN TXT "v=spf1 mx ~all"
110 _dmarc${suffix} IN TXT "v=DMARC1; p=none; adkim=r; aspf=r; fo=1; rua=mailto:postmaster@immae.eu; ruf=mailto:postmaster@immae.eu;"
111 ${if e.send then ''
112 immae_eu._domainkey${suffix} IN TXT ( "v=DKIM1; k=rsa; s=email; "
113 "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzl3vLd8W5YAuumC5+ZT9OV7/14Pmh5JYtwyqKI3cfe9NnAqInt3xO4bZ7oqIxRKWN4SD39vm7O/QOvFdBt00ENOOzdP90s5gKw6eIP/4+vPTh0IWltAsmu9B2agzdtWUE7t2xFKIzEn8l9niRE2QYbVaqZv4sub98vY55fIgFoHtjkmNC7325S8fjDJGp6OPbyhAs6Xl5/adjF"
114 "0ko4Y2p6RaxLQfjlS0bxmK4Qg6C14pIXHtzVeqOuWrwApqt5+AULSn97iUtqV/IJlEEjC6DUR44t3C/G0G/k46iFclCqRRi0hdPrOHCtZDbtMubnTN9eaUiNpkXh1WnCflHwtjQwIDAQAB" )
115 '' else ""}
116 '') conf.withEmail)}
117 '' else ""}
118 '';
119 }) masterZones);
120 };
121 };
122}