dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos/estuary: Add PowerDNS auth Netdata monitoring

Browse Source
This commit is contained in:
Jack O'Sullivan
2022-06-12 18:57:00 +01:00
parent 6ae99062fd
commit e0f9d50713
4 changed files with 82 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
nixos/boxes/colony/vms/estuary/dns.nix
View File

@@ -13,28 +13,50 @@ let
in
{
config = {
services.pdns-recursor = {
enable = true;
dns = {
address = [
"127.0.0.1" "::1"
assignments.base.ipv4.address assignments.base.ipv6.address
];
allowFrom = [
"127.0.0.0/8" "::1/128"
lib.my.colony.prefixes.all.v4 lib.my.colony.prefixes.all.v6
];
};
forwardZones = genAttrs authZones (_: "127.0.0.1:5353");
settings = {
query-local-address = [ "0.0.0.0" "::" ];
# DNS NOTIFY messages override TTL
allow-notify-for = authZones;
allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
my = {
secrets.files = {
"pdns.conf" = {
owner = "pdns";
group = "pdns";
};
"netdata-powerdns.conf" = {
owner = "netdata";
group = "netdata";
};
};
};
services = {
netdata = {
configDir = {
"go.d/powerdns.conf" = config.age.secrets."netdata-powerdns.conf".path;
};
};
pdns-recursor = {
enable = true;
dns = {
address = [
"127.0.0.1" "::1"
assignments.base.ipv4.address assignments.base.ipv6.address
];
allowFrom = [
"127.0.0.0/8" "::1/128"
lib.my.colony.prefixes.all.v4 lib.my.colony.prefixes.all.v6
];
};
forwardZones = genAttrs authZones (_: "127.0.0.1:5353");
settings = {
query-local-address = [ "0.0.0.0" "::" ];
# DNS NOTIFY messages override TTL
allow-notify-for = authZones;
allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
};
};
};
# For rec_control
environment.systemPackages = with pkgs; [
pdns-recursor
@@ -42,6 +64,7 @@ in
my.pdns.auth = {
enable = true;
extraSettingsFile = config.age.secrets."pdns.conf".path;
settings = {
primary = true;
resolver = "127.0.0.1";
@@ -54,6 +77,11 @@ in
#loglevel = 7;
#log-dns-queries = true;
#log-dns-details = true;
api = true;
webserver = true;
webserver-address = "::";
webserver-allow-from = [ "127.0.0.1" "::1" ];
};
bind = {

16
nixos/modules/pdns.nix
View File

@@ -17,7 +17,7 @@ let
else if bool.check val then toBool val
else if isList val then (concatMapStringsSep "," serialize val)
else "";
settingsToLines = s: concatStringsSep "\n" (mapAttrsToList (k: v: "${k}=${serialize v}") s);
settingsToLines = s: (concatStringsSep "\n" (mapAttrsToList (k: v: "${k}=${serialize v}") s)) + "\n";
bindList = l: "{ ${concatStringsSep "; " l} }";
bindAlsoNotify = with lib.types; mkOpt' (listOf str) [ ] "List of additional address to send DNS NOTIFY messages to.";
@@ -162,6 +162,8 @@ let
cfg = config.my.pdns;
baseAuthSettings = pkgs.writeText "pdns.conf" (settingsToLines cfg.auth.settings);
namedConf = pkgs.writeText "pdns-named.conf" ''
options {
directory "/run/pdns/bind-zones";
@@ -204,6 +206,7 @@ in
auth = {
enable = mkBoolOpt' false "Whether to enable PowerDNS authoritative nameserver.";
settings = mkOpt' configType { } "Authoritative server settings.";
extraSettingsFile = mkOpt' (nullOr str) null "Path to extra settings (e.g. for secrets).";
bind = {
options = {
@@ -257,6 +260,15 @@ in
systemd.services.pdns = {
preStart = ''
${if (cfg.auth.extraSettingsFile != null) then ''
oldUmask="$(umask)"
umask 006
cat ${baseAuthSettings} ${cfg.auth.extraSettingsFile} > /run/pdns/pdns.conf
umask "$oldUmask"
'' else ''
cp ${baseAuthSettings} /run/pdns/pdns.conf
''}
source ${loadZonesCommon}
mkdir /run/pdns/{bind-zones,file-records}
@@ -278,6 +290,7 @@ in
reloadTriggers = [ zones ];
serviceConfig = {
ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=/run/pdns --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ];
RuntimeDirectory = "pdns";
StateDirectory = "pdns";
};
@@ -285,7 +298,6 @@ in
services.powerdns = {
enable = true;
extraConfig = settingsToLines cfg.auth.settings;
};
})
];