116 lines
2.5 KiB
Nix
116 lines
2.5 KiB
Nix
{ zentralwerk, config, pkgs, ... }:
|
|
let
|
|
# wrap reload in freeze/thaw so that zones are reloaded that had
|
|
# been updated by dyndns
|
|
reloadCommand = with pkgs; writeScriptBin "reload-bind" ''
|
|
#!${runtimeShell}
|
|
|
|
rndc() {
|
|
${bind}/sbin/rndc -k /etc/bind/rndc.key $@
|
|
}
|
|
|
|
chmod a+rwx /var/lib/c3d2-dns/zones
|
|
rndc freeze
|
|
rndc reload
|
|
rndc thaw
|
|
'';
|
|
in
|
|
{
|
|
c3d2 = {
|
|
hq.statistics.enable = true;
|
|
deployment.server = "server10";
|
|
};
|
|
|
|
environment.etc.gitconfig.text = ''
|
|
[url "gitea@gitea.c3d2.de:"]
|
|
insteadOf = https://gitea.c3d2.de/
|
|
'';
|
|
|
|
networking = {
|
|
hostName = "bind";
|
|
firewall = {
|
|
allowedTCPPorts = [
|
|
# DNS
|
|
53
|
|
];
|
|
allowedUDPPorts = [
|
|
# DNS
|
|
53
|
|
];
|
|
};
|
|
};
|
|
|
|
# Privileged commands triggered by deploy-c3d2-dns
|
|
security.sudo.extraRules = [ {
|
|
users = [ "c3d2-dns" ];
|
|
commands = [ {
|
|
command = "${reloadCommand}/bin/reload-bind";
|
|
options = [ "NOPASSWD" ];
|
|
} ];
|
|
} ];
|
|
|
|
# DNS server
|
|
services.bind = {
|
|
enable = true;
|
|
extraConfig = ''
|
|
include "${config.users.users.c3d2-dns.home}/zones.conf";
|
|
include "${zentralwerk.packages.${pkgs.system}.dns-slaves}";
|
|
|
|
# for collectd
|
|
statistics-channels {
|
|
inet 127.0.0.1 port 8053;
|
|
};
|
|
'';
|
|
};
|
|
|
|
# BIND statistics in Grafana
|
|
services.collectd.plugins.bind = ''
|
|
URL "http://127.0.0.1:8053/";
|
|
ParseTime false
|
|
OpCodes true
|
|
QTypes true
|
|
ServerStats true
|
|
ZoneMaintStats true
|
|
ResolverStats false
|
|
MemoryStats true
|
|
'';
|
|
|
|
sops = {
|
|
defaultSopsFile = ./secrets.yaml;
|
|
secrets = {
|
|
"ssh-keys/c3d2-dns/private" = {
|
|
owner = "c3d2-dns";
|
|
path = "/var/lib/c3d2-dns/.ssh/id_ed25519";
|
|
};
|
|
"ssh-keys/c3d2-dns/public" = {
|
|
owner = "c3d2-dns";
|
|
path = "/var/lib/c3d2-dns/.ssh/id_ed25519.pub";
|
|
};
|
|
};
|
|
};
|
|
|
|
system.stateVersion = "22.05";
|
|
|
|
systemd.services.bind.serviceConfig = {
|
|
Restart = "always";
|
|
RestartSec = "5s";
|
|
};
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"d ${config.users.users.c3d2-dns.home} 0755 c3d2-dns ${config.users.users.c3d2-dns.group} - -"
|
|
"d /var/lib/bind/slave 0755 named nogroup - -"
|
|
];
|
|
|
|
# Build user
|
|
users.groups.c3d2-dns = {};
|
|
users.users.c3d2-dns = {
|
|
isNormalUser = true;
|
|
group = "c3d2-dns";
|
|
home = "/var/lib/c3d2-dns";
|
|
openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2"
|
|
];
|
|
packages = [ reloadCommand ];
|
|
};
|
|
}
|