Diffstat (limited to 'modules/private/dns.nix')
-rw-r--r-- | modules/private/dns.nix | 27 |
1 files changed, 27 insertions, 0 deletions
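--- a/modules/private/dns.nix
+++ b/modules/private/dns.nix
@@ -3,6 +3,15 @@
 options.myServices.dns.enable = lib.mkEnableOption "enable DNS resolver";
 config = let
 cfg = config.services.bind;
+keyIncludes = builtins.concatStringsSep "\n" (map (v: "include \"/var/secrets/bind/${v}.key\";") (builtins.attrNames config.myEnv.dns.keys));
+toKeyList = servers: keys: builtins.concatStringsSep "\n" (map (s: ''
+server ${s} {
+keys { ${builtins.concatStringsSep ";" keys}; };
+};
+'') servers);
+serverIncludes = builtins.concatStringsSep "\n" (map (v:
+lib.optionalString (builtins.length v.keys > 0) (toKeyList (lib.flatten (map (n: builtins.attrValues config.myEnv.dns.ns."${n}") v.masters)) v.keys)
+) config.myEnv.dns.slaveZones);
 configFile = pkgs.writeText "named.conf" ''
 include "/etc/bind/rndc.key";
 controls {
@@ -24,6 +33,9 @@
 ${cfg.extraOptions}
 };
 
+${keyIncludes}
+${serverIncludes}
+
 ${cfg.extraConfig}
 
 ${ lib.concatMapStrings
@@ -65,6 +77,21 @@
 in lib.mkIf config.myServices.dns.enable {
 networking.firewall.allowedUDPPorts = [ 53 ];
 networking.firewall.allowedTCPPorts = [ 53 ];
+users.users.named.extraGroups = [ "keys" ];
+secrets.keys = lib.mapAttrsToList (k: v:
+{
+dest = "bind/${k}.key";
+permissions = "0400";
+user = "named";
+text = ''
+key "${k}"
+{
+algorithm ${v.algorithm};
+secret "${v.secret}";
+};
+'';
+}
+) config.myEnv.dns.keys;
 services.bind = {
 enable = true;
 cacheNetworks = ["any"];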
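Review bot: The TSIG secret from `v.secret` is interpolated into the `text` attribute of `secrets.keys` (new lines 81–94), and whether that string ever lands in the world-readable Nix store depends on how the `secrets` module materialises `text`, which is not visible here; if it passes through `pkgs.writeText` or any derivation, the `0400`/`named` on the destination protects nothing because the same bytes are readable under `/nix/store`. Worth confirming the module writes `text` only at activation time, or switching to a file-based source so the secret never becomes part of an evaluation result. The key name `k` is also used unquoted as a path component in `dest = "bind/${k}.key"` and in the `include` line built by `keyIncludes`, so a name containing `/`, `"` or whitespace would redirect or break the include; an `assert lib.assertMsg (builtins.match "[A-Za-z0-9._-]+" k != null) "invalid TSIG key name ${k}";` inside the mapper pins that. Separately, `serverIncludes` emits one `server` clause per zone per master address, so two slave zones sharing a master produce duplicate `server` blocks for the same address (conflicting ones if their key lists differ), which BIND may reject at config check; deduplicating with `lib.unique` over the flattened address list, or grouping keys per address across zones, avoids that. The `config = let … in` block these helpers belong to begins before the first hunk and the attribute set continues past the last one.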