nixos/estuary: Add PowerDNS auth Netdata monitoring

nixos/boxes/colony/vms/estuary/dns.nix

@@ -13,28 +13,50 @@ let
 in
 {
   config = {
-    services.pdns-recursor = {
+    my = {
-      enable = true;
+      secrets.files = {
-      dns = {
+        "pdns.conf" = {
-        address = [
+          owner = "pdns";
-          "127.0.0.1" "::1"
+          group = "pdns";
-          assignments.base.ipv4.address assignments.base.ipv6.address
+        };
-        ];
+        "netdata-powerdns.conf" = {
-        allowFrom = [
+          owner = "netdata";
-          "127.0.0.0/8" "::1/128"
+          group = "netdata";
-          lib.my.colony.prefixes.all.v4 lib.my.colony.prefixes.all.v6
+        };
-        ];
-      };
-      forwardZones = genAttrs authZones (_: "127.0.0.1:5353");
-
-      settings = {
-        query-local-address = [ "0.0.0.0" "::" ];
-
-        # DNS NOTIFY messages override TTL
-        allow-notify-for = authZones;
-        allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
       };
     };
+
+    services = {
+      netdata = {
+        configDir = {
+          "go.d/powerdns.conf" = config.age.secrets."netdata-powerdns.conf".path;
+        };
+      };
+
+      pdns-recursor = {
+        enable = true;
+        dns = {
+          address = [
+            "127.0.0.1" "::1"
+            assignments.base.ipv4.address assignments.base.ipv6.address
+          ];
+          allowFrom = [
+            "127.0.0.0/8" "::1/128"
+            lib.my.colony.prefixes.all.v4 lib.my.colony.prefixes.all.v6
+          ];
+        };
+        forwardZones = genAttrs authZones (_: "127.0.0.1:5353");
+
+        settings = {
+          query-local-address = [ "0.0.0.0" "::" ];
+
+          # DNS NOTIFY messages override TTL
+          allow-notify-for = authZones;
+          allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
+        };
+      };
+    };
+
     # For rec_control
     environment.systemPackages = with pkgs; [
       pdns-recursor
@@ -42,6 +64,7 @@ in
 
     my.pdns.auth = {
       enable = true;
+      extraSettingsFile = config.age.secrets."pdns.conf".path;
       settings = {
         primary = true;
         resolver = "127.0.0.1";
@@ -54,6 +77,11 @@ in
         #loglevel = 7;
         #log-dns-queries = true;
         #log-dns-details = true;
+
+        api = true;
+        webserver = true;
+        webserver-address = "::";
+        webserver-allow-from = [ "127.0.0.1" "::1" ];
       };
 
       bind = {

nixos/modules/pdns.nix

@@ -17,7 +17,7 @@ let
     else if bool.check      val then toBool val
     else if isList          val then (concatMapStringsSep "," serialize val)
     else "";
-  settingsToLines = s: concatStringsSep "\n" (mapAttrsToList (k: v: "${k}=${serialize v}") s);
+  settingsToLines = s: (concatStringsSep "\n" (mapAttrsToList (k: v: "${k}=${serialize v}") s)) + "\n";
 
   bindList = l: "{ ${concatStringsSep "; " l} }";
   bindAlsoNotify = with lib.types; mkOpt' (listOf str) [ ] "List of additional address to send DNS NOTIFY messages to.";
@@ -162,6 +162,8 @@ let
 
   cfg = config.my.pdns;
 
+  baseAuthSettings = pkgs.writeText "pdns.conf" (settingsToLines cfg.auth.settings);
+
   namedConf = pkgs.writeText "pdns-named.conf" ''
     options {
       directory "/run/pdns/bind-zones";
@@ -204,6 +206,7 @@ in
     auth = {
       enable = mkBoolOpt' false "Whether to enable PowerDNS authoritative nameserver.";
       settings = mkOpt' configType { } "Authoritative server settings.";
+      extraSettingsFile = mkOpt' (nullOr str) null "Path to extra settings (e.g. for secrets).";
 
       bind = {
         options = {
@@ -257,6 +260,15 @@ in
 
       systemd.services.pdns = {
         preStart = ''
+          ${if (cfg.auth.extraSettingsFile != null) then ''
+            oldUmask="$(umask)"
+            umask 006
+            cat ${baseAuthSettings} ${cfg.auth.extraSettingsFile} > /run/pdns/pdns.conf
+            umask "$oldUmask"
+          '' else ''
+            cp ${baseAuthSettings} /run/pdns/pdns.conf
+          ''}
+
           source ${loadZonesCommon}
 
           mkdir /run/pdns/{bind-zones,file-records}
@@ -278,6 +290,7 @@ in
 
         reloadTriggers = [ zones ];
         serviceConfig = {
+          ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=/run/pdns --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ];
           RuntimeDirectory = "pdns";
           StateDirectory = "pdns";
         };
@@ -285,7 +298,6 @@ in
 
       services.powerdns = {
         enable = true;
-        extraConfig = settingsToLines cfg.auth.settings;
       };
     })
   ];

secrets/netdata-powerdns.conf.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 B9K/XQ UynBAIths3H37dT79pa0u5l7rdlZrUhmXXipKam3iF0
+tJdtGeonlTjSSPFyaIcfr1q9QeV5Xwl/lL1pNEXeDJ0
+-> X25519 Ti5W6oqKAoeBCBRl2yO2KtWX+Rh/brhJWJzidCY8c20
+xiDfEPLJ04LP9r8QV7AroNnJME5YLy77Sulb28HiX88
+-> $T!haUSN-grease '| TTM< *N-o8 qX
+4+glmJsXO4qHrxsr7TICzTG/MLYXbbs
+--- W2GcnWdHA9WN6Y1EtlNPClM5WeEU3TcybzUXTtiIKXc
+ýÇ-_½,­m€IE|º§ÿ‡ßŽ=Nñÿû䊨ßñ#KæqæD®<44>&w¹=\
8
	Ÿ¯ÉîÅù~q!þö<C3BE>±¦Rª•L0šw]°ŽÔ™³ÎžðìR…§’Ž¿a&aVÕ´|,ûZT8¬Ñ}üVáâhÙ›t@V5¨¬²S!s¾"[ôò{c
+ªÄÖ•¨<E280A2>Êhcþ™Ð°åÖ

secrets/pdns.conf.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 B9K/XQ /kv+tjtTxUS9If5ognIwNC3TmO+18KL0nOEkxy5JGz0
+LHbhmFnFFMckiK1dRtJxfy4a5ZYUkBB8bpO8IS4WWtA
+-> X25519 cxHRN7s0xsX3ZPJcJ5yaZ4fVwAfcWJx8sx+EqXyKiHw
+kJK3WRVizmL8b8cgfRFs0Em71aks0G8eFBHZeLJGWsw
+-> 8!{=+-grease 7N}9_80% GL[9 }#I`Kx}) mJw
+PFJMFv12BxUgTzf305i+dqevE18VzMjjdUYtaLRc2GW5PDGEhUf58HMWsqKVSTwu
+CSp9e8dSNE0JqEDR7Y9vkHGmEsoTP/4
+--- zz2KJqzb87axtYxVRiUYyOxhK2vVQ5C5oa++Jp43Q58
+ɲÁ-ÏßTy$§z‚uÈ
e³¦à
P«[j#<ƒHjûõ>=Žbi<1E>#DJ;:ÊdX“-¶Ú´)ðî?ý)KvŠòç¼­…ŠD<C5A0>Íæ