-rw-r--r-- | nixops/eldiron.nix | 1 | ||||
-rw-r--r-- | nixops/modules/dns/default.nix | 122 |
2 files changed, 123 insertions, 0 deletions
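--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -36,6 +36,7 @@
 ./modules/task
 ./modules/irc
 ./modules/buildbot
+./modules/dns
 ];
 services.myGitolite.enable = true;
 services.myDatabases.enable = true;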
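--- /dev/null
+++ b/nixops/modules/dns/default.nix
@@ -0,0 +1,122 @@
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+{
+config = let
+cfg = config.services.bind;
+configFile = pkgs.writeText "named.conf" ''
+include "/etc/bind/rndc.key";
+controls {
+inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
+};
+
+acl cachenetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} };
+acl badnetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.blockedNetworks} };
+
+options {
+listen-on { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn} };
+listen-on-v6 { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6} };
+allow-query { cachenetworks; };
+blackhole { badnetworks; };
+forward first;
+forwarders { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.forwarders} };
+directory "/var/run/named";
+pid-file "/var/run/named/named.pid";
+${cfg.extraOptions}
+};
+
+${cfg.extraConfig}
+
+${ lib.concatMapStrings
+({ name, file, master ? true, extra ? "", slaves ? [], masters ? [] }:
+''
+zone "${name}" {
+type ${if master then "master" else "slave"};
+file "${file}";
+${ if lib.lists.length slaves > 0 then
+''
+allow-transfer {
+${lib.concatMapStrings (ip: "${ip};\n") slaves}
+};
+'' else ""}
+${ if lib.lists.length masters > 0 then
+''
+masters {
+${lib.concatMapStrings (ip: "${ip};\n") masters}
+};
+'' else ""}
+allow-query { any; };
+${extra}
+};
+'')
+cfg.zones }
+'';
+in
+{
+networking.firewall.allowedUDPPorts = [ 53 ];
+networking.firewall.allowedTCPPorts = [ 53 ];
+services.bind = {
+enable = true;
+cacheNetworks = ["any"];
+configFile = configFile;
+extraOptions = ''
+allow-recursion { 127.0.0.1; };
+allow-transfer { none; };
+
+notify-source ${myconfig.env.servers.eldiron.ips.main.ip4};
+notify-source-v6 ${lib.head myconfig.env.servers.eldiron.ips.main.ip6};
+version none;
+hostname none;
+server-id none;
+'';
+zones = with myconfig.env.dns;
+assert (builtins.substring ((builtins.stringLength soa.email)-1) 1 soa.email) == ".";
+assert (builtins.substring ((builtins.stringLength soa.primary)-1) 1 soa.primary) == ".";
+(map (conf: {
+name = conf.name;
+master = false;
+file = "/var/run/named/${conf.name}.zone";
+masters = if lib.attrsets.hasAttr "masters" conf
+then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.masters)
+else [];
+}) slaveZones)
+++ (map (conf: {
+name = conf.name;
+master = true;
+extra = if lib.attrsets.hasAttr "extra" conf then conf.extra else "";
+slaves = if lib.attrsets.hasAttr "slaves" conf
+then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.slaves)
+else [];
+file = pkgs.writeText "${conf.name}.zone" ''
+$TTL 10800
+@ IN SOA ${soa.primary} ${soa.email} ${soa.serial} ${soa.refresh} ${soa.retry} ${soa.expire} ${soa.ttl}
+
+${lib.concatStringsSep "\n" (map (x: "@ IN NS ${x}.") (lib.concatMap (n: lib.attrsets.mapAttrsToList (k: v: k) ns.${n}) conf.ns))}
+
+${conf.entries}
+
+${if lib.attrsets.hasAttr "withEmail" conf && lib.lists.length conf.withEmail > 0 then ''
+mail IN A ${myconfig.env.servers.immaeEu.ips.main.ip4}
+${builtins.concatStringsSep "\n" (map (i: "mail IN AAAA ${i}") myconfig.env.servers.immaeEu.ips.main.ip6)}
+${lib.concatStringsSep "\n\n" (map (e:
+let
+n = if e.domain == "" then "@" else "${e.domain} ";
+suffix = if e.domain == "" then "" else ".${e.domain}";
+in
+''
+; ------------------ mail: ${n} ---------------------------
+${if e.receive then "${n} IN MX 10 mail.${conf.name}." else ""}
+
+; Mail sender authentications
+${n} IN TXT "v=spf1 mx ~all"
+_dmarc${suffix} IN TXT "v=DMARC1; p=none; adkim=r; aspf=r; fo=1; rua=mailto:postmaster@immae.eu; ruf=mailto:postmaster@immae.eu;"
+${if e.send then ''
+immae_eu._domainkey${suffix} IN TXT ( "v=DKIM1; k=rsa; s=email; "
+"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzl3vLd8W5YAuumC5+ZT9OV7/14Pmh5JYtwyqKI3cfe9NnAqInt3xO4bZ7oqIxRKWN4SD39vm7O/QOvFdBt00ENOOzdP90s5gKw6eIP/4+vPTh0IWltAsmu9B2agzdtWUE7t2xFKIzEn8l9niRE2QYbVaqZv4sub98vY55fIgFoHtjkmNC7325S8fjDJGp6OPbyhAs6Xl5/adjF"
+"0ko4Y2p6RaxLQfjlS0bxmK4Qg6C14pIXHtzVeqOuWrwApqt5+AULSn97iUtqV/IJlEEjC6DUR44t3C/G0G/k46iFclCqRRi0hdPrOHCtZDbtMubnTN9eaUiNpkXh1WnCflHwtjQwIDAQAB" )
+'' else ""}
+'') conf.withEmail)}
+'' else ""}
+'';
+}) masterZones);
+};
+};
+}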
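Review bot: The options block (file lines 14–24) together with the extraOptions string (lines 61–68) exposes the authoritative zones, which answer `allow-query { any; }` on UDP 53, without any response rate limiting, so nothing bounds how much this server can be used as a reflection source; adding `rate-limit { responses-per-second 10; };` and `minimal-responses yes;` next to `version none;` would cap that while leaving the restricted `allow-recursion` as is. The per-zone `allow-transfer` lists (lines 34–39) admit secondaries by source address only; unless the slaves sit on a trusted network, a TSIG `key` clause for transfers and NOTIFY would authenticate them instead of relying on IP. `soa.serial` (line 90) is taken verbatim from myconfig, so, as far as this hunk shows, an edit to `conf.entries` that is not paired with a serial bump leaves the slave zones serving the old data until it expires; a comment on line 90 stating that the serial must be raised with every zone change would make that contract visible.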