From de4b8833bdf25eba019d73ace854bbbd0bcb1bc5 Mon Sep 17 00:00:00 2001 From: javalsai Date: Sun, 3 May 2026 19:32:39 +0200 Subject: [PATCH] nixos/services: make dns configuration easier --- agenix/dns/tuxcord.net/tuxcord.net.key.age | 19 +++ .../dns/tuxcord.test/sub.tuxcord.test.key.age | Bin 0 -> 1080 bytes agenix/dns/tuxcord.test/tuxcord.test.key.age | 19 +++ agenix/ntfy.age | 33 ++--- agenix/secrets.nix | 9 +- nixos/common.nix | 8 -- nixos/hosts/tuxcord-ca/default.nix | 1 + nixos/hosts/tuxcord-test/default.nix | 1 + nixos/modules/dns.nix | 120 ++++++++++++------ 9 files changed, 145 insertions(+), 65 deletions(-) create mode 100644 agenix/dns/tuxcord.net/tuxcord.net.key.age create mode 100644 agenix/dns/tuxcord.test/sub.tuxcord.test.key.age create mode 100644 agenix/dns/tuxcord.test/tuxcord.test.key.age diff --git a/agenix/dns/tuxcord.net/tuxcord.net.key.age b/agenix/dns/tuxcord.net/tuxcord.net.key.age new file mode 100644 index 0000000..64f291f --- /dev/null +++ b/agenix/dns/tuxcord.net/tuxcord.net.key.age 
@@ -0,0 +1,19 @@ +age-encryption.org/v1 +-> ssh-ed25519 Wl2fDA XXuM89kA+Hnc4nKJ005H+IDYV5qk4nEx/IUWk/CbKiM +sPJrUh6RI+Anzwy/nSR/dbCkZQvpJ3dGYSkChfJEv2Q +-> ssh-ed25519 zNC8SA mg1uB6DPLT/3DE2Hh+EIGv9N4ZmDSi1w7UeW91u0cHs +qBAmL0fgdRNuM4VYiDx0g6T2ZJFiqhgXpC/4C/RsVqU +-> ssh-ed25519 EiAAKw EL0tfmXf6b2DWA3Ty4fhYdJL6AYdvknGv/To81dJ2zU +KtZZx4//yDaAU6bt9JWYdBRbpqn79YHAu46857SBBPI +-> ssh-rsa eFi+Zw +jDWmTVRF7H9rhPAVEV2HkHtXpc/g16jlPDxvxzfnftyGF6aGfgoRwKtOwtqZtaB/ +UDE6Pzo3n5yg5/B8d0JhabBMfZpSJ8xiJcJfti8sY5tno97HhL0Fzd2r/0VM74iO +TZ/ZA8xJACFfm9VclUz3gZWNG7qU4CrMYXQxWcwacphCiIFyFJVuaQEDf1rQnqEd +3C8bMYxgRmUI64lLaRHdYD84hQ49xXrtuEQbJu6e/B3zCWsAMzpVciE/maDBBBGz +EFRhhvP3Y8riBt4FLgYRVpvwge44LrX0N9NHeOyFmgP/S62ShDP+xLBnw9V3Tcuz +9iuyJS4lz/mSWE9ISa1y21emQAuXOwdMkFM0b6tSCBL1zwKUNAzmEV/S4BMydNex +/1m1ZaWDrOpfrBzRU+kN02a5sCHNGjO2/4T0dCjoGOeHUvpOw0IxniSQiKZj03nQ +mWnWDp1sA/DK0ySs0AcYXJUs9EoeDQ1ny6tQ1Loc9xzX6uMFnFLfYIWXiI4erldl + +--- 9ryp8lwLiw/0MYGf1zSVR8ML6l5h83D0Flaks10d7Yg +mK[.LKܠr'4*-T,C$VfE:pu*wdwe[RwPQhi0L0J"eDlg&95jZǫd \ No newline at end of file 
diff --git a/agenix/dns/tuxcord.test/sub.tuxcord.test.key.age b/agenix/dns/tuxcord.test/sub.tuxcord.test.key.age new file mode 100644 index 0000000000000000000000000000000000000000..0845444cca5403f668abc9e968a9666515162920 GIT binary patch literal 1080 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+&oN4Kaa3@zvaZ7(3LC5$VlJWsNBpeptR68xiZW%F)uOS zz|%d&ImM_X*TvYv**`MVKioaSFBIK2*Gxx8?{WpF++u@*lG5 zph|BOPp|R-*N`%^uwbXc98;r;a91w3f+{a(laj!6Ns#fb{3ZkgIqs)M&S_O< zp{535PR0hlrlxt}h6NGE6;+v;M()N{B`%c)#u4UKDOna4iMd>k&L+9V?q;cZIi^0w zp`jM(CHd|y*)GXm;d!P`nYjf8zTVFHZb|vBAzt~~9u-CIF6GHy9{x^FMj1u!DHW+) z;Xy7zsbyhlp1C367nV7ksj%0QOWK}0hVPx{uQ3V zmO+u37TPA>WqCz`Ts~D1{waPr+4)&Hg1v!x}uFj#ZA%$GtZkhR6A%;edmfl8@ zu4MuFB?hL2CK0YtMdfK}?&f*L#Rh5NuG+ad{>3gHCVBqlmU#w+73LMb$(AXGiG_Jw zImQ0r`Az`==@lVH9Q7InD)%ktOD- znO^P%=2cFH$!ST(T-uc>dH%^J-j2quS(aX&!Ty1k+Bv3P&f2~e;Vy+$W*L^Q$-$2P z5h1>*0U>T7`FZ}~MIK28t{I+LmDyQEMO<9Ey1EL5A^Aa7nH7;`PWt%~ZWURj`3AYk zd7=JUmQk)28J8Nj)7diF8)7V>iL#yx!~`zKFR#Ip?%pmkCk8Pn8N%z zdQTun+rHCXlD6x9%WKTFVlr0hV~A=jyIPm6(areIJN>ZH*VUI=u9~DTv8=z56;vg) z{(RG+AI*73>P~<2PcMD5D{uCOR=cAAn!S;48Rk^46S_V3@XyQ97FSk!f9;JctZ)D1 TFVQa^Yp=I6=YI6mO(BH ssh-ed25519 Wl2fDA 86jJdtfiJBUnXAh0R+VjMeX5NTB+kGQlOioe/9Us6GI +i0EPVHWazwgTCracN1bn9mvbpynd1x+XNE+5Hh09bKM +-> ssh-ed25519 zNC8SA hL+Axpc8Qy8iosArb+JdAaQdf6gPlUaLRQ0w4YJJU1c +k4prWpg+pyuykv8N2RjQQT7Ow53QjXBYxsqBwjtgFjw +-> ssh-ed25519 EiAAKw /+UyD03g2OVWeJzooMrMxNH0otkY6Km9BDSJ+f8zVGQ +kFSmApLaIFQ1F1ZaLThFlb7ZOfIDWDYZByuYfEvn2FU +-> ssh-rsa eFi+Zw +p5uxnSM+9jojTeHlzDycwEKqklY6F1oDU87e0pn/WhNBtSo3SzNI0aHtwKDLN548 +m4RQNQ6wKWAl36VvQDJmWiP6LJNKx5oQvgCLqqJ+fGTAx1mUUL+hpVC+Y2siONbN +WWbFXVD1FHk+enHkRA9ZERiVPqV7Zg5b55t+E2dwRh2fas8IlOwBEEceIggYKi85 +Dywr8dhdL1VeAHG1l4fdkgn9A3oLqMHIw0oUHX16CawCYrQZt9bezDR6mb8HuEdM +KVHSd6y+Aq0wYgcmGEkknw45VlG9Mjor0qhW9y+cJQ941niiPr1Q7LPcpdLAUmHP +KbGDnnt/vvMEXaa5G1HDytvedHbAygx/fWGfm3Ngq8qUAV7kEHz2kUclJ5OOBTRm +M0081XNKZF2QdmN+O8eMFMor1OcKsNe3Ril0Y8rPtMd+iwOulLbbV3b8LZ/Jd1+9 
+ePUoOyj0wP4gVzXo5INiNVtYK+sK6Ek1Gt+UCHhAlJwj5RulmIvEzISZjHJAt4yU + +--- hljwKKncDABYcm9RHZtEdHhRlKqSFtoE6GihIfBqowU +o Fr us(gNǤgIs^1Q]aE^iwNe2:4̠bHyfn$+_ j4> $?<I' \ No newline at end of file diff --git a/agenix/ntfy.age b/agenix/ntfy.age index 27e6cf7..73546fc 100644 --- a/agenix/ntfy.age +++ b/agenix/ntfy.age 
@@ -1,17 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 Wl2fDA JMymqEdh+xJbl8VcL5wg7Y2Dk4667DzNO85RCskX+0Q -ZQqF0eYpvrLujGdIvAMbfwPnKGa+mfNvAhHGMdXiYaI --> ssh-ed25519 zNC8SA UCQhQA4f3OiNoxejDBMabnls3LjS0GQmvIqPpjB/FH8 -0qvv6W1heZiE1DDYEj1U5N2e99DZLxlJ6A8EoZ31DhM --> ssh-rsa 3G83yA -Gnpw8t6njIXGm98jTS47Afx6TogPnIJP59rapF0CkYkDXZNrW7WK+fcERHLN2+a+ -PSkjwkql3LfAtCNqrIJZwWLj/URnKQF5N3ZKwOa1+wsM3GeUzjvaQwPZunj4jyFs -IJlL+ika2sBk/HvOa1r6ntj2cvLM1fIhbs9bOEZW3br3M3sfXk386TgrytqzM248 -3xS2iIwIBmBiI5Xem8KO2+J/2Vk9Px/ZPkBpdIAaZAmihe3g/VWNKHhXrwdM9ZA7 -tHgw5ohK8ug88ep9XCIFD75DPeK/60wqAdkGs4PE6THcsKqhN061TAEq3SWRl8wp -Kd17yAzHDLhsbdWXT/Q912Y4YJCB3TnD0MFGzPF7sks2NknB6yowwjnCGlqzf5rW -RBKHp6PTM+x/eDi89vS+uIBtyGFaFU7wBTl4FzJpKoOsRIDYNktGkJSxdTzrMO1n -XqXtJtqZaXN7UExA+ko9ln446I7RG8c3hNGx4A4bR1xUEUE8WD/TMhjzrbzysYSl +-> ssh-ed25519 Wl2fDA 8rfiRx7+Gr9BtiSXsVEs2W+pXoms6ynODC1TL90+Wi4 +/uMnYMJovbaPjwX1qCAtIokov40RYIAm2Mup5XKBJvw +-> ssh-ed25519 zNC8SA FlxMK7kMYnKHY9MBJ+HYDI4GNS0nSgZxVuRe4yTWBgg +HPOV31k8Ueb1W5usG7iLXDQxyAlISrgHThddHpGY2+s +-> ssh-ed25519 EiAAKw Bu7+NJXivoRA07glNWUlBGu03J0ueth7XDU7SWQYT30 +r/DBmf4TRDJBgFF0KdeHuKL5hLdU1z6HtfAAVbc6Y0I +-> ssh-rsa eFi+Zw +Nu4gAM/vbh0kpEUIaT4P6iTe9qFFM/9IVxiiKPYHdPnCmPJHrug1afLLFrrrpqkd +o1NrfYIM9gW6jl5QMCcP5DpzMTppokX0P1Tz1ZeOEtZUVtGeZ7Q2wmL4zftwmG9J +qoDjsCd0z6MPDUdU46qc7kjQBhOwGLfHXTfGLXGNZxqj0oLvEoEKpdvFNBvMSyxK +oGZRwGsHQcUXKhCPtf6PVtSkHMABzpUAhgS8oqjp4RVurD0lcrPgsx8pSRRarfyE +ll1QbFCjftuJfeIEshgRkaLGjIQpZDFA3w2XMqDddFz5H/9Ak+F8/rkNnUrN2x4M +amca8s4Sbls6RjyysarIytilCtpaKEI2sgkD2fERao6ayTSnWF45qqh635OLaP5A +b7qcru9gO0C3Ik+UuiZMgovxo/+yBYe3+8x8q/uKR4apPAkt/2q28Uilw1WboIEB +rIjBr0BN1JeHvkiyljJGcvGf5jHdmOrpQu/L1xuSDjsTnh+U6BshQC8bbkJNsVoL ---- BuKW3bW48i1OD38J2bj5sRkn+zg/WKiLtf8zgycCr2A -g2k5 !]0kWءt>Qk[I3V4Ewc`L;UvVe)mm鿀 ۸ \ No newline at end of file +--- GCTLfa/BICL9AWTaqGC13M101Z8sqSqPP4ysJVv5zvg +] +i7cf`b@%XJ )[<+;x-KmT@̄K]7sc*뭟25 \ No newline at end of file 
diff --git a/agenix/secrets.nix b/agenix/secrets.nix index a3119d1..3101494 100644 --- a/agenix/secrets.nix +++ b/agenix/secrets.nix @@ -6,7 +6,10 @@ in { "ntfy.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users; - # tsig-keygen sub.domain.tld. - "dns/tuxcord.key".publicKeys = [ tuxcord-ca ] ++ [ users.error users.javalsai ]; - # "dns/users/XXX.key".publicKeys = [ users.XXX ]; + # tsig-keygen etc.sub.domain.tld. + "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.error users.javalsai ]; + # "dns/tuxcord.net/XXX.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.XXX ]; + + "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users; + "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users; } diff --git a/nixos/common.nix b/nixos/common.nix index 51e88f5..a6a0487 100644 --- a/nixos/common.nix +++ b/nixos/common.nix @@ -28,14 +28,6 @@ in ./vm.nix ]; - age.secrets = { - dns-root-key = { - file = ../agenix/dns/tuxcord.key; - group = "named"; - owner = "named"; - }; - }; - nix = { package = inputs'.nix-super.packages.default; diff --git a/nixos/hosts/tuxcord-ca/default.nix b/nixos/hosts/tuxcord-ca/default.nix index b0b24c4..a3eeb69 100644 --- a/nixos/hosts/tuxcord-ca/default.nix +++ b/nixos/hosts/tuxcord-ca/default.nix @@ -4,6 +4,7 @@ ./storage.nix ]; + dns.enable = true; networking.fqdn = "tuxcord.net"; time.timeZone = "Canada/Eastern"; } diff --git a/nixos/hosts/tuxcord-test/default.nix b/nixos/hosts/tuxcord-test/default.nix index 1fdcfdf..ad811a1 100644 --- a/nixos/hosts/tuxcord-test/default.nix +++ b/nixos/hosts/tuxcord-test/default.nix @@ -1,3 +1,4 @@ { + dns.enable = true; networking.fqdn = "tuxcord.test"; } diff --git a/nixos/modules/dns.nix b/nixos/modules/dns.nix index 388d08d..ffed8c7 100644 --- a/nixos/modules/dns.nix +++ b/nixos/modules/dns.nix 
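Review bot: The two `tuxcord.test` entries are encrypted to `builtins.attrValues users`, while the `tuxcord.net` key stays limited to `users.error` and `users.javalsai`, and nothing in the file says the wider recipient list is deliberate; whoever can decrypt a zone's TSIG key can push dynamic updates to that zone, so the distinction is worth stating. Add a comment above the test entries such as `# test zone: every user may decrypt these keys; production keys below stay restricted` so a later copy-paste does not carry the broad list over to the `tuxcord.net` entries. The `# tsig-keygen etc.sub.domain.tld.` hint could also say that the file name minus `.key.age` must equal the key name passed to `tsig-keygen`, since the module that consumes this directory derives the grant identity from the file name.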
@@ -1,58 +1,100 @@ -{ config, ... }: +{ config, lib, ... }: let - fqdn = "tuxcord.net"; - # fqdn = config.networking.fqdn; + agenixDnsDir = ../../agenix/dns + "/${config.dns.domain}"; + agenixKeys = builtins.attrNames (builtins.readDir agenixDnsDir); - zonesub = _: "zonesub"; - subdomain = name: "subdomain ${name}"; + keys = map ( + filename: + let + zonesub = _: "zonesub"; + subdomain = name: "subdomain ${name}"; - # careful, assumes the fqdn (name) matches the key name content - keys = [ + zoneDomain = + if lib.strings.hasSuffix ".key.age" filename then + lib.strings.removeSuffix ".key.age" filename + else + throw "$(unknown) is not a `.key.age` file"; + in { - name = "tuxcord.net"; - path = config.age.secrets.dns-root-key.path; - type = zonesub; + name = zoneDomain; + path = config.age.secrets."dns/$(unknown)".path; + type = if zoneDomain == config.dns.domain then zonesub else subdomain; } - ]; + ) agenixKeys; + + cfg = config.dns; + inherit (lib) + mkEnableOption + mkOption + mkIf + ; in { - services.bind = { - enable = true; + options.dns = { + enable = mkEnableOption "" // { + default = true; + }; - extraConfig = builtins.concatStringsSep "\n" (map (key: "include \"${key.path}\";") keys); - - zones = { - "${fqdn}" = { - # grant "tuxcord.net" zonesub ANY; - extraConfig = '' - update-policy { - ${builtins.concatStringsSep "\n" ( - map (key: "grant \"${key.name}\" ${key.type key.name} ANY;") keys - )} - }; - ''; - file = "/var/dns/${fqdn}.zone"; # need to put default stuff - master = true; - }; + domain = mkOption { + type = with lib.types; str; + default = config.networking.fqdn; }; }; - environment.persistence."/persist" = { - directories = [ + config = mkIf cfg.enable { + age.secrets = builtins.listToAttrs ( + map ( + filename: + let + path = "${agenixDnsDir}/$(unknown)"; + in + { + name = "dns/$(unknown)"; + value = { + file = path; + group = "named"; + owner = "named"; + }; + } + ) agenixKeys + ); + + services.bind = { + enable = true; + + extraConfig = 
builtins.concatStringsSep "\n" (map (key: "include \"${key.path}\";") keys); + + zones = { + "${config.dns.domain}" = { + # grant "tuxcord.net" zonesub ANY; + extraConfig = '' + update-policy { + ${builtins.concatStringsSep "\n" ( + map (key: "grant \"${key.name}\" ${key.type key.name} ANY;") keys + )} + }; + ''; + file = "/var/dns/${config.dns.domain}.zone"; # need to put default stuff + master = true; + }; + }; + }; + + environment.persistence."/persist".directories = [ { directory = "/var/dns"; group = "named"; user = "named"; } ]; - }; - networking.firewall = - let - ports = [ config.services.bind.listenOnPort ]; - in - { - allowedTCPPorts = ports; - allowedUDPPorts = ports; - }; + networking.firewall = + let + ports = [ config.services.bind.listenOnPort ]; + in + { + allowedTCPPorts = ports; + allowedUDPPorts = ports; + }; + }; }
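Review bot: `enable = mkEnableOption "" // { default = true; }` turns the authoritative BIND instance, its dynamic-update policy and the firewall openings on for every host that imports this module, while both host files in this commit also set `dns.enable = true;` explicitly, which suggests opt-in was intended; with the default true, any host whose `networking.fqdn` has no matching `agenix/dns/<domain>` directory fails evaluation at `builtins.readDir agenixDnsDir`, and a host that does have one becomes a zone master without any host-level line saying so. Change it to `enable = mkEnableOption "the BIND authoritative DNS server with TSIG-keyed dynamic updates";` (default false) and let the host entries carry the decision. Separately, the removed `# careful, assumes the fqdn (name) matches the key name content` comment described an assumption the new code still makes: the `grant "${key.name}"` identity is derived from the file name via `zoneDomain`, so it must equal the `key "..."` name inside the TSIG secret or updates signed with that key are refused; restore that comment above `zoneDomain =`. The `$(unknown)` tokens in the throw message and in the `dns/...` secret names look like an extraction artifact for the interpolated `filename`; if they were literal in the source, every zone would map to the same `age.secrets` attribute.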