nix-config/hosts/bind/default.nix

{ zentralwerk, config, pkgs, ... }:
let
  # wrap reload in freeze/thaw so that zones are reloaded that had
  # been updated by dyndns
  reloadCommand = with pkgs; writeScriptBin "reload-bind" ''
    #!${runtimeShell}

    rndc() {
      ${bind}/sbin/rndc -k /etc/bind/rndc.key $@
    }

    rndc freeze
    rndc reload
    rndc thaw
  '';
in
{
  c3d2 = {
    hq.statistics.enable = true;
    deployment.server = "server10";
  };

  system.stateVersion = "22.05";

  networking = {
    hostName = "bind";
    firewall = {
      allowedTCPPorts = [
        # DNS
        53
      ];
      allowedUDPPorts = [
        # DNS
        53
      ];
    };
  };

  # DNS server
  services.bind = {
    enable = true;
    extraConfig = ''
      include "${config.users.users.c3d2-dns.home}/c3d2-dns/zones.conf";
      include "${zentralwerk.packages.${pkgs.system}.dns-slaves}";

      # for collectd
      statistics-channels {
        inet 127.0.0.1 port 8053;
      };
    '';
  };
  systemd.services.bind.serviceConfig = {
    Restart = "always";
    RestartSec = "5s";
  };

  # BIND statistics in Grafana
  services.collectd.plugins.bind = ''
    URL "http://127.0.0.1:8053/";
    ParseTime       false
    OpCodes         true
    QTypes          true
    ServerStats     true
    ZoneMaintStats  true
    ResolverStats   false
    MemoryStats     true
  '';

  # Build user
  users.groups.c3d2-dns = {};
  users.users.c3d2-dns = {
    isSystemUser = true;
    group = "c3d2-dns";
    home = "/var/lib/c3d2-dns";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2"
    ];
    packages = [ reloadCommand ];
  };

  systemd.tmpfiles.rules = [
    "d ${config.users.users.c3d2-dns.home} 0755 c3d2-dns ${config.users.users.c3d2-dns.group} - -"
    "d /var/lib/bind/slave 0755 named nogroup - -"
  ];

  # Privileged commands triggered by deploy-c3d2-dns
  security.sudo.extraRules = [ {
    users = [ "c3d2-dns" ];
    commands = [ {
      command = "${reloadCommand}/bin/reload-bind";
      options = [ "NOPASSWD" ];
    } ];
  } ];
}
deadnix 2023-03-09 21:47:10 +01:00			`{ zentralwerk, config, pkgs, ... }:`
bind: init 2021-10-15 02:07:50 +02:00			`let`
bind: enhance reloading bind 2022-11-16 02:15:04 +01:00			`# wrap reload in freeze/thaw so that zones are reloaded that had`
			`# been updated by dyndns`
bind: use drone ci 2023-03-23 01:31:24 +01:00			`reloadCommand = with pkgs; writeScriptBin "reload-bind" ''`
			`#!${runtimeShell}`
bind: enhance reloading bind 2022-11-16 02:15:04 +01:00
			`rndc() {`
			`${bind}/sbin/rndc -k /etc/bind/rndc.key $@`
			`}`

			`rndc freeze`
			`rndc reload`
			`rndc thaw`
			`'';`
bind: init 2021-10-15 02:07:50 +02:00			`in`
			`{`
			`c3d2 = {`
			`hq.statistics.enable = true;`
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00			`deployment.server = "server10";`
bind: init 2021-10-15 02:07:50 +02:00			`};`

add system.stateVersion to all the containers that still miss it 2022-06-21 18:32:15 +02:00			`system.stateVersion = "22.05";`

Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00			`networking = {`
			`hostName = "bind";`
			`firewall = {`
			`allowedTCPPorts = [`
Format 2022-12-18 23:47:42 +01:00			`# DNS`
			`53`
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00			`];`
			`allowedUDPPorts = [`
Format 2022-12-18 23:47:42 +01:00			`# DNS`
			`53`
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00			`];`
			`};`
			`};`
bind: init 2021-10-15 02:07:50 +02:00
bind: doc, refactor, fix 2021-10-18 04:04:40 +02:00			`# DNS server`
bind: init 2021-10-15 02:07:50 +02:00			`services.bind = {`
			`enable = true;`
			`extraConfig = ''`
			`include "${config.users.users.c3d2-dns.home}/c3d2-dns/zones.conf";`
bind: source zentralwerk zones from zentralwerk flake instead of static export in c3d2-dns.git 2022-01-25 01:26:54 +01:00			`include "${zentralwerk.packages.${pkgs.system}.dns-slaves}";`
bind: add bind stats 2021-10-16 01:51:27 +02:00
			`# for collectd`
			`statistics-channels {`
			`inet 127.0.0.1 port 8053;`
			`};`
bind: init 2021-10-15 02:07:50 +02:00			`'';`
			`};`
bind: use drone ci 2023-03-23 01:31:24 +01:00			`systemd.services.bind.serviceConfig = {`
			`Restart = "always";`
			`RestartSec = "5s";`
bind: doc, refactor, fix 2021-10-18 04:04:40 +02:00			`};`

			`# BIND statistics in Grafana`
bind: add bind stats 2021-10-16 01:51:27 +02:00			`services.collectd.plugins.bind = ''`
			`URL "http://127.0.0.1:8053/";`
			`ParseTime false`
			`OpCodes true`
			`QTypes true`
			`ServerStats true`
			`ZoneMaintStats true`
			`ResolverStats false`
			`MemoryStats true`
			`'';`
bind: init 2021-10-15 02:07:50 +02:00
			`# Build user`
			`users.groups.c3d2-dns = {};`
			`users.users.c3d2-dns = {`
			`isSystemUser = true;`
			`group = "c3d2-dns";`
			`home = "/var/lib/c3d2-dns";`
bind: use drone ci 2023-03-23 01:31:24 +01:00			`openssh.authorizedKeys.keys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2"`
			`];`
			`packages = [ reloadCommand ];`
bind: init 2021-10-15 02:07:50 +02:00			`};`

			`systemd.tmpfiles.rules = [`
			`"d ${config.users.users.c3d2-dns.home} 0755 c3d2-dns ${config.users.users.c3d2-dns.group} - -"`
bind: fix 2021-10-16 01:51:39 +02:00			`"d /var/lib/bind/slave 0755 named nogroup - -"`
bind: init 2021-10-15 02:07:50 +02:00			`];`

bind: use drone ci 2023-03-23 01:31:24 +01:00			`# Privileged commands triggered by deploy-c3d2-dns`
bind: init 2021-10-15 02:07:50 +02:00			`security.sudo.extraRules = [ {`
			`users = [ "c3d2-dns" ];`
			`commands = [ {`
bind: use drone ci 2023-03-23 01:31:24 +01:00			`command = "${reloadCommand}/bin/reload-bind";`
bind: init 2021-10-15 02:07:50 +02:00			`options = [ "NOPASSWD" ];`
			`} ];`
			`} ];`
			`}`