diff --git a/nixos/boxes/colony/vms/estuary/dns.nix b/nixos/boxes/colony/vms/estuary/dns.nix index 9c65687..3a2a95a 100644 --- a/nixos/boxes/colony/vms/estuary/dns.nix +++ b/nixos/boxes/colony/vms/estuary/dns.nix @@ -13,28 +13,50 @@ let in { config = { - services.pdns-recursor = { - enable = true; - dns = { - address = [ - "127.0.0.1" "::1" - assignments.base.ipv4.address assignments.base.ipv6.address - ]; - allowFrom = [ - "127.0.0.0/8" "::1/128" - lib.my.colony.prefixes.all.v4 lib.my.colony.prefixes.all.v6 - ]; - }; - forwardZones = genAttrs authZones (_: "127.0.0.1:5353"); - - settings = { - query-local-address = [ "0.0.0.0" "::" ]; - - # DNS NOTIFY messages override TTL - allow-notify-for = authZones; - allow-notify-from = [ "127.0.0.0/8" "::1/128" ]; + my = { + secrets.files = { + "pdns.conf" = { + owner = "pdns"; + group = "pdns"; + }; + "netdata-powerdns.conf" = { + owner = "netdata"; + group = "netdata"; + }; }; }; + + services = { + netdata = { + configDir = { + "go.d/powerdns.conf" = config.age.secrets."netdata-powerdns.conf".path; + }; + }; + + pdns-recursor = { + enable = true; + dns = { + address = [ + "127.0.0.1" "::1" + assignments.base.ipv4.address assignments.base.ipv6.address + ]; + allowFrom = [ + "127.0.0.0/8" "::1/128" + lib.my.colony.prefixes.all.v4 lib.my.colony.prefixes.all.v6 + ]; + }; + forwardZones = genAttrs authZones (_: "127.0.0.1:5353"); + + settings = { + query-local-address = [ "0.0.0.0" "::" ]; + + # DNS NOTIFY messages override TTL + allow-notify-for = authZones; + allow-notify-from = [ "127.0.0.0/8" "::1/128" ]; + }; + }; + }; + # For rec_control environment.systemPackages = with pkgs; [ pdns-recursor @@ -42,6 +64,7 @@ in my.pdns.auth = { enable = true; + extraSettingsFile = config.age.secrets."pdns.conf".path; settings = { primary = true; resolver = "127.0.0.1"; @@ -54,6 +77,11 @@ in #loglevel = 7; #log-dns-queries = true; #log-dns-details = true; + + api = true; + webserver = true; + webserver-address = "::"; + webserver-allow-from = [ "127.0.0.1" "::1" ]; }; bind = { diff --git a/nixos/modules/pdns.nix b/nixos/modules/pdns.nix index 62326cd..d2a7a8b 100644 --- a/nixos/modules/pdns.nix +++ b/nixos/modules/pdns.nix @@ -17,7 +17,7 @@ let else if bool.check val then toBool val else if isList val then (concatMapStringsSep "," serialize val) else ""; - settingsToLines = s: concatStringsSep "\n" (mapAttrsToList (k: v: "${k}=${serialize v}") s); + settingsToLines = s: (concatStringsSep "\n" (mapAttrsToList (k: v: "${k}=${serialize v}") s)) + "\n"; bindList = l: "{ ${concatStringsSep "; " l} }"; bindAlsoNotify = with lib.types; mkOpt' (listOf str) [ ] "List of additional address to send DNS NOTIFY messages to."; @@ -162,6 +162,8 @@ let cfg = config.my.pdns; + baseAuthSettings = pkgs.writeText "pdns.conf" (settingsToLines cfg.auth.settings); + namedConf = pkgs.writeText "pdns-named.conf" '' options { directory "/run/pdns/bind-zones"; @@ -204,6 +206,7 @@ in auth = { enable = mkBoolOpt' false "Whether to enable PowerDNS authoritative nameserver."; settings = mkOpt' configType { } "Authoritative server settings."; + extraSettingsFile = mkOpt' (nullOr str) null "Path to extra settings (e.g. for secrets)."; bind = { options = { @@ -257,6 +260,15 @@ in systemd.services.pdns = { preStart = '' + ${if (cfg.auth.extraSettingsFile != null) then '' + oldUmask="$(umask)" + umask 006 + cat ${baseAuthSettings} ${cfg.auth.extraSettingsFile} > /run/pdns/pdns.conf + umask "$oldUmask" + '' else '' + cp ${baseAuthSettings} /run/pdns/pdns.conf + ''} + source ${loadZonesCommon} mkdir /run/pdns/{bind-zones,file-records} @@ -278,6 +290,7 @@ in reloadTriggers = [ zones ]; serviceConfig = { + ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=/run/pdns --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ]; RuntimeDirectory = "pdns"; StateDirectory = "pdns"; }; @@ -285,7 +298,6 @@ in services.powerdns = { enable = true; - extraConfig = settingsToLines cfg.auth.settings; }; }) ]; diff --git a/secrets/netdata-powerdns.conf.age b/secrets/netdata-powerdns.conf.age new file mode 100644 index 0000000..3223896 --- /dev/null +++ b/secrets/netdata-powerdns.conf.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 B9K/XQ UynBAIths3H37dT79pa0u5l7rdlZrUhmXXipKam3iF0 +tJdtGeonlTjSSPFyaIcfr1q9QeV5Xwl/lL1pNEXeDJ0 +-> X25519 Ti5W6oqKAoeBCBRl2yO2KtWX+Rh/brhJWJzidCY8c20 +xiDfEPLJ04LP9r8QV7AroNnJME5YLy77Sulb28HiX88 +-> $T!haUSN-grease '| TTM< *N-o8 qX +4+glmJsXO4qHrxsr7TICzTG/MLYXbbs +--- W2GcnWdHA9WN6Y1EtlNPClM5WeEU3TcybzUXTtiIKXc +- _,mIE|ߎ=N䊨#KqD&w=\ 8 ~q!RL0w]ԙΞRa&aV մ|,ZT8}Vhٛt@V5S!s"[{c +hcа \ No newline at end of file diff --git a/secrets/pdns.conf.age b/secrets/pdns.conf.age new file mode 100644 index 0000000..7f43350 --- /dev/null +++ b/secrets/pdns.conf.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 B9K/XQ /kv+tjtTxUS9If5ognIwNC3TmO+18KL0nOEkxy5JGz0 +LHbhmFnFFMckiK1dRtJxfy4a5ZYUkBB8bpO8IS4WWtA +-> X25519 cxHRN7s0xsX3ZPJcJ5yaZ4fVwAfcWJx8sx+EqXyKiHw +kJK3WRVizmL8b8cgfRFs0Em71aks0G8eFBHZeLJGWsw +-> 8!{=+-grease 7N}9_80% GL[9 }#I`Kx}) mJw +PFJMFv12BxUgTzf305i+dqevE18VzMjjdUYtaLRc2GW5PDGEhUf58HMWsqKVSTwu +CSp9e8dSNE0JqEDR7Y9vkHGmEsoTP/4 +--- zz2KJqzb87axtYxVRiUYyOxhK2vVQ5C5oa++Jp43Q58 +ɲ-Ty$zueP[j#=bi#DJ;:dX-ڴ)?)Kv缭D \ No newline at end of file