2 files changed, 12 insertions, 3 deletions

diff --git a/modules/private/dns.nix b/modules/private/dns.nix
index 1149daf..7c59b43 100644
--- a/modules/private/dns.nix
+++ b/modules/private/dns.nix
@@ -2,16 +2,25 @@
 {
   options.myServices.dns.enable = lib.mkEnableOption "enable DNS resolver";
   config = let
+    # taken from unstable
+    cartesianProductOfSets = attrsOfLists: with lib;
+      lib.foldl' (listOfAttrs: attrName:
+        concatMap (attrs:
+          map (listValue: attrs // { ${attrName} = listValue; }) attrsOfLists.${attrName}
+        ) listOfAttrs
+      ) [{}] (attrNames attrsOfLists);
     cfg = config.services.bind;
     keyIncludes = builtins.concatStringsSep "\n" (map (v: "include \"/var/secrets/bind/${v}.key\";") (builtins.attrNames config.myEnv.dns.keys));
+    cartProduct = lib.foldr
+      (s: servers: servers // { ${s.masters} = lib.unique ((servers.${s.masters} or []) ++ [s.keys]); })
+      {}
+      (lib.unique (lib.concatMap (z: cartesianProductOfSets { masters = z.masters or []; keys = z.keys or []; }) config.myEnv.dns.slaveZones));
     toKeyList = servers: keys: builtins.concatStringsSep "\n" (map (s: ''
       server ${s} {
         keys { ${builtins.concatStringsSep ";" keys}; };
       };
     '') servers);
-    serverIncludes = builtins.concatStringsSep "\n" (map (v:
-      lib.optionalString (builtins.length v.keys > 0) (toKeyList (lib.flatten (map (n: builtins.attrValues config.myEnv.dns.ns."${n}") v.masters)) v.keys)
-    ) config.myEnv.dns.slaveZones);
+    serverIncludes = builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: toKeyList (lib.flatten (builtins.attrValues config.myEnv.dns.ns."${n}"))) cartProduct);
     configFile = pkgs.writeText "named.conf" ''
       include "/etc/bind/rndc.key";
       controls {
diff --git a/nixops/secrets b/nixops/secrets
-Subproject 3246bc60354e06ad3777be50cec01af072bb8d9
+Subproject f5418699b19f968c232c3e6cdad79b4df1616c6