tuxcord/tuxcord.nix
8
2
Fork 1
Code Issues 13 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
0cd381a41ccd524eaf1eae8779fbd80205eb0674
tuxcord.nix/nixos/modules/dns.nix
T

101 lines
2.2 KiB
Nix
Raw Blame History

{ config, lib, ... }:
let
agenixDnsDir = ../../agenix/dns + "/${config.dns.domain}";
agenixKeys = builtins.attrNames (builtins.readDir agenixDnsDir);
keys = map (
filename:
let
zonesub = _: "zonesub";
subdomain = name: "subdomain ${name}";
zoneDomain =
if lib.strings.hasSuffix ".key.age" filename then
lib.strings.removeSuffix ".key.age" filename
else
throw "${filename} is not a `.key.age` file";
in
{
name = zoneDomain;
path = config.age.secrets."dns/${filename}".path;
type = if zoneDomain == config.dns.domain then zonesub else subdomain;
}
) agenixKeys;
cfg = config.dns;
inherit (lib)
mkEnableOption
mkOption
mkIf
;
in
{
options.dns = {
enable = mkEnableOption "" // {
default = true;
};
domain = mkOption {
type = with lib.types; str;
default = config.networking.fqdn;
};
};
config = mkIf cfg.enable {
age.secrets = builtins.listToAttrs (
map (
filename:
let
path = "${agenixDnsDir}/${filename}";
in
{
name = "dns/${filename}";
value = {
file = path;
group = "named";
owner = "named";
};
}
) agenixKeys
);
services.bind = {
enable = true;
extraConfig = builtins.concatStringsSep "\n" (map (key: "include \"${key.path}\";") keys);
zones = {
"${config.dns.domain}" = {
# grant "tuxcord.net" zonesub ANY;
extraConfig = ''
update-policy {
${builtins.concatStringsSep "\n" (
map (key: "grant \"${key.name}\" ${key.type key.name} ANY;") keys
)}
};
'';
file = "/var/dns/${config.dns.domain}.zone"; # need to put default stuff
master = true;
};
};
};
environment.persistence."/persist".directories = [
{
directory = "/var/dns";
group = "named";
user = "named";
}
];
networking.firewall =
let
ports = [ config.services.bind.listenOnPort ];
in
{
allowedTCPPorts = ports;
allowedUDPPorts = ports;
};
};
}
Reference in New Issue View Git Blame Copy Permalink