nix-config/hosts/bind/default.nix

{ zentralwerk, config, pkgs, ... }:
let
  # wrap reload in freeze/thaw so that zones are reloaded that had
  # been updated by dyndns
  reloadCommand = with pkgs; writeScriptBin "reload-bind" ''
    #!${runtimeShell}

    rndc() {
      ${bind}/sbin/rndc -k /etc/bind/rndc.key $@
    }

    chmod a+rwx /var/lib/c3d2-dns/zones
    rndc freeze
    rndc reload
    rndc thaw
  '';
in
{
  c3d2 = {
    hq.statistics.enable = true;
    deployment.server = "server10";
  };

  environment = {
    etc.gitconfig.text = ''
      [url "gitea@gitea.c3d2.de:"]
      insteadOf = https://gitea.c3d2.de/
    '';
    systemPackages = with pkgs; [
      rsync # used in drone CI
    ];
  };

  networking = {
    hostName = "bind";
    firewall = {
      allowedTCPPorts = [
        # DNS
        53
      ];
      allowedUDPPorts = [
        # DNS
        53
      ];
    };
  };

  # Privileged commands triggered by deploy-c3d2-dns
  security.sudo.extraRules = [ {
    users = [ "c3d2-dns" ];
    commands = [ {
      command = "/etc/profiles/per-user/c3d2-dns/bin/reload-bind";
      options = [ "NOPASSWD" ];
    } ];
  } ];

  # DNS server
  services.bind = {
    enable = true;
    extraConfig = ''
      include "${config.users.users.c3d2-dns.home}/zones.conf";
      include "${zentralwerk.packages.${pkgs.system}.dns-slaves}";

      # for collectd
      statistics-channels {
        inet 127.0.0.1 port 8053;
      };
    '';
  };

  # BIND statistics in Grafana
  services.collectd.plugins.bind = ''
    URL "http://127.0.0.1:8053/";
    ParseTime       false
    OpCodes         true
    QTypes          true
    ServerStats     true
    ZoneMaintStats  true
    ResolverStats   false
    MemoryStats     true
  '';

  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
     "ssh-keys/c3d2-dns/private" = {
        owner = "c3d2-dns";
        path = "/var/lib/c3d2-dns/.ssh/id_ed25519";
      };
      "ssh-keys/c3d2-dns/public" = {
        owner = "c3d2-dns";
        path = "/var/lib/c3d2-dns/.ssh/id_ed25519.pub";
      };
    };
  };

  system.stateVersion = "22.05";

  systemd.services.bind.serviceConfig = {
    Restart = "always";
    RestartSec = "5s";
  };

  systemd.tmpfiles.rules = [
    "d ${config.users.users.c3d2-dns.home} 0755 c3d2-dns ${config.users.users.c3d2-dns.group} - -"
    "d /var/lib/bind/slave 0755 named nogroup - -"
  ];

  # Build user
  users.groups.c3d2-dns = {};
  users.users.c3d2-dns = {
    isNormalUser = true;
    group = "c3d2-dns";
    home = "/var/lib/c3d2-dns";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2"
    ];
    packages = [ reloadCommand ];
  };
}
deadnix 2023-03-09 21:47:10 +01:00			`{ zentralwerk, config, pkgs, ... }:`
bind: init 2021-10-15 02:07:50 +02:00			`let`
bind: enhance reloading bind 2022-11-16 02:15:04 +01:00			`# wrap reload in freeze/thaw so that zones are reloaded that had`
			`# been updated by dyndns`
bind: use drone ci 2023-03-23 01:31:24 +01:00			`reloadCommand = with pkgs; writeScriptBin "reload-bind" ''`
			`#!${runtimeShell}`
bind: enhance reloading bind 2022-11-16 02:15:04 +01:00
			`rndc() {`
			`${bind}/sbin/rndc -k /etc/bind/rndc.key $@`
			`}`

bind: make zones directory writable to bind for .jnl files 2023-06-22 12:22:32 +02:00			`chmod a+rwx /var/lib/c3d2-dns/zones`
bind: enhance reloading bind 2022-11-16 02:15:04 +01:00			`rndc freeze`
			`rndc reload`
			`rndc thaw`
			`'';`
bind: init 2021-10-15 02:07:50 +02:00			`in`
			`{`
			`c3d2 = {`
			`hq.statistics.enable = true;`
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00			`deployment.server = "server10";`
bind: init 2021-10-15 02:07:50 +02:00			`};`

bind: add missing rsync for ci 2023-11-08 21:14:58 +01:00			`environment = {`
			`etc.gitconfig.text = ''`
			`[url "gitea@gitea.c3d2.de:"]`
			`insteadOf = https://gitea.c3d2.de/`
			`'';`
			`systemPackages = with pkgs; [`
			`rsync # used in drone CI`
			`];`
			`};`
add system.stateVersion to all the containers that still miss it 2022-06-21 18:32:15 +02:00
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00			`networking = {`
			`hostName = "bind";`
			`firewall = {`
			`allowedTCPPorts = [`
Format 2022-12-18 23:47:42 +01:00			`# DNS`
			`53`
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00			`];`
			`allowedUDPPorts = [`
Format 2022-12-18 23:47:42 +01:00			`# DNS`
			`53`
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00			`];`
			`};`
			`};`
bind: init 2021-10-15 02:07:50 +02:00
bind: sort 2023-03-23 21:36:53 +01:00			`# Privileged commands triggered by deploy-c3d2-dns`
			`security.sudo.extraRules = [ {`
			`users = [ "c3d2-dns" ];`
			`commands = [ {`
bind: fix sudoers rule 2023-12-16 18:07:37 +01:00			`command = "/etc/profiles/per-user/c3d2-dns/bin/reload-bind";`
bind: sort 2023-03-23 21:36:53 +01:00			`options = [ "NOPASSWD" ];`
			`} ];`
			`} ];`

bind: doc, refactor, fix 2021-10-18 04:04:40 +02:00			`# DNS server`
bind: init 2021-10-15 02:07:50 +02:00			`services.bind = {`
			`enable = true;`
			`extraConfig = ''`
bind: fix paths, add ssh key declarative 2023-03-23 23:05:12 +01:00			`include "${config.users.users.c3d2-dns.home}/zones.conf";`
bind: source zentralwerk zones from zentralwerk flake instead of static export in c3d2-dns.git 2022-01-25 01:26:54 +01:00			`include "${zentralwerk.packages.${pkgs.system}.dns-slaves}";`
bind: add bind stats 2021-10-16 01:51:27 +02:00
			`# for collectd`
			`statistics-channels {`
			`inet 127.0.0.1 port 8053;`
			`};`
bind: init 2021-10-15 02:07:50 +02:00			`'';`
			`};`
bind: doc, refactor, fix 2021-10-18 04:04:40 +02:00
			`# BIND statistics in Grafana`
bind: add bind stats 2021-10-16 01:51:27 +02:00			`services.collectd.plugins.bind = ''`
			`URL "http://127.0.0.1:8053/";`
			`ParseTime false`
			`OpCodes true`
			`QTypes true`
			`ServerStats true`
			`ZoneMaintStats true`
			`ResolverStats false`
			`MemoryStats true`
			`'';`
bind: init 2021-10-15 02:07:50 +02:00
bind: fix paths, add ssh key declarative 2023-03-23 23:05:12 +01:00			`sops = {`
			`defaultSopsFile = ./secrets.yaml;`
			`secrets = {`
			`"ssh-keys/c3d2-dns/private" = {`
			`owner = "c3d2-dns";`
			`path = "/var/lib/c3d2-dns/.ssh/id_ed25519";`
			`};`
			`"ssh-keys/c3d2-dns/public" = {`
			`owner = "c3d2-dns";`
			`path = "/var/lib/c3d2-dns/.ssh/id_ed25519.pub";`
			`};`
			`};`
			`};`

bind: sort 2023-03-23 21:36:53 +01:00			`system.stateVersion = "22.05";`

			`systemd.services.bind.serviceConfig = {`
			`Restart = "always";`
			`RestartSec = "5s";`
			`};`

			`systemd.tmpfiles.rules = [`
			`"d ${config.users.users.c3d2-dns.home} 0755 c3d2-dns ${config.users.users.c3d2-dns.group} - -"`
			`"d /var/lib/bind/slave 0755 named nogroup - -"`
			`];`

bind: init 2021-10-15 02:07:50 +02:00			`# Build user`
			`users.groups.c3d2-dns = {};`
			`users.users.c3d2-dns = {`
bind: allow drone to log into dns user 2023-03-23 01:39:41 +01:00			`isNormalUser = true;`
bind: init 2021-10-15 02:07:50 +02:00			`group = "c3d2-dns";`
			`home = "/var/lib/c3d2-dns";`
bind: use drone ci 2023-03-23 01:31:24 +01:00			`openssh.authorizedKeys.keys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2"`
			`];`
			`packages = [ reloadCommand ];`
bind: init 2021-10-15 02:07:50 +02:00			`};`
			`}`