From e846c4404e5a903540349b3f6833908aa9a3ce8b Mon Sep 17 00:00:00 2001 From: Jack O'Sullivan Date: Sun, 12 Jun 2022 19:37:52 +0100 Subject: [PATCH] nixos/estuary: Add PowerDNS recursor Netdata monitoring --- nixos/boxes/colony/vms/estuary/dns.nix | 24 +++++++++-- nixos/modules/pdns.nix | 38 +++++++++++++----- secrets/colony-netdata-powerdns.conf.age | Bin 0 -> 577 bytes .../colony-netdata-powerdns_recursor.conf.age | Bin 0 -> 472 bytes secrets/colony-pdns-recursor.conf.age | 9 +++++ secrets/netdata-powerdns.conf.age | 10 ----- 6 files changed, 59 insertions(+), 22 deletions(-) create mode 100644 secrets/colony-netdata-powerdns.conf.age create mode 100644 secrets/colony-netdata-powerdns_recursor.conf.age create mode 100644 secrets/colony-pdns-recursor.conf.age delete mode 100644 secrets/netdata-powerdns.conf.age diff --git a/nixos/boxes/colony/vms/estuary/dns.nix b/nixos/boxes/colony/vms/estuary/dns.nix index 3a2a95a..53a2e78 100644 --- a/nixos/boxes/colony/vms/estuary/dns.nix +++ b/nixos/boxes/colony/vms/estuary/dns.nix @@ -19,22 +19,36 @@ in owner = "pdns"; group = "pdns"; }; - "netdata-powerdns.conf" = { + "colony-netdata-powerdns.conf" = { owner = "netdata"; group = "netdata"; }; + + "colony-pdns-recursor.conf" = { + owner = "pdns-recursor"; + group = "pdns-recursor"; + }; + "colony-netdata-powerdns_recursor.conf" = { + owner = "netdata"; + group = "netdata"; + }; + }; + + pdns.recursor = { + enable = true; + extraSettingsFile = config.age.secrets."colony-pdns-recursor.conf".path; }; }; services = { netdata = { configDir = { - "go.d/powerdns.conf" = config.age.secrets."netdata-powerdns.conf".path; + "go.d/powerdns.conf" = config.age.secrets."colony-netdata-powerdns.conf".path; + "go.d/powerdns_recursor.conf" = config.age.secrets."colony-netdata-powerdns_recursor.conf".path; }; }; pdns-recursor = { - enable = true; dns = { address = [ "127.0.0.1" "::1" 
@@ -53,6 +67,10 @@ in # DNS NOTIFY messages override TTL allow-notify-for = authZones; allow-notify-from = [ "127.0.0.0/8" "::1/128" ]; + + webserver = true; + webserver-address = "::"; + webserver-allow-from = [ "127.0.0.1" "::1" ]; }; }; }; diff --git a/nixos/modules/pdns.nix b/nixos/modules/pdns.nix index d2a7a8b..43334e4 100644 --- a/nixos/modules/pdns.nix +++ b/nixos/modules/pdns.nix @@ -162,7 +162,17 @@ let cfg = config.my.pdns; + extraSettingsOpt = with lib.types; mkOpt' (nullOr str) null "Path to extra settings (e.g. for secrets)."; baseAuthSettings = pkgs.writeText "pdns.conf" (settingsToLines cfg.auth.settings); + baseRecursorSettings = pkgs.writeText "pdns-recursor.conf" (settingsToLines config.services.pdns-recursor.settings); + generateSettings = type: base: dst: if (cfg."${type}".extraSettingsFile != null) then '' + oldUmask="$(umask)" + umask 006 + cat "${base}" "${cfg."${type}".extraSettingsFile}" > "${dst}" + umask "$oldUmask" + '' else '' + cp "${base}" "${dst}" + ''; namedConf = pkgs.writeText "pdns-named.conf" '' options { @@ -206,7 +216,7 @@ in auth = { enable = mkBoolOpt' false "Whether to enable PowerDNS authoritative nameserver."; settings = mkOpt' configType { } "Authoritative server settings."; - extraSettingsFile = mkOpt' (nullOr str) null "Path to extra settings (e.g. for secrets)."; + extraSettingsFile = extraSettingsOpt; bind = { options = { @@ -218,6 +228,11 @@ in }; }; }; + + recursor = { + enable = mkBoolOpt' false "Whether to enable PowerDNS recursive nameserver."; + extraSettingsFile = extraSettingsOpt; + }; }; config = mkMerge [ @@ -260,14 +275,7 @@ in systemd.services.pdns = { preStart = '' - ${if (cfg.auth.extraSettingsFile != null) then '' - oldUmask="$(umask)" - umask 006 - cat ${baseAuthSettings} ${cfg.auth.extraSettingsFile} > /run/pdns/pdns.conf - umask "$oldUmask" - '' else '' - cp ${baseAuthSettings} /run/pdns/pdns.conf - ''} + ${generateSettings "auth" baseAuthSettings "/run/pdns/pdns.conf"} source ${loadZonesCommon} 
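Review bot: `webserver-address = "::"` binds the recursor's HTTP API on every interface, so the `webserver-allow-from = [ "127.0.0.1" "::1" ]` ACL on the next line becomes the only thing keeping it host-local. Netdata is on the same box (the earlier hunk points `go.d/powerdns_recursor.conf` at this host), so a loopback bind is the tighter default, e.g. `webserver-address = "::1";` if netdata reaches it over IPv6; if `::` is deliberate because both loopback families are needed, a one-line comment saying so and that the host firewall is expected to drop the port would help. It also presumably relies on an API key arriving through the `colony-pdns-recursor.conf` extra-settings file rather than on this ACL alone — worth stating in a comment next to `webserver = true;`. The attribute set these lines sit in starts outside the hunk.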
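Review bot: The two branches of `generateSettings` leave the destination file with different permissions: the `cat` branch creates it 0660 under `umask 006`, whereas `cp "${base}" "${dst}"` carries over the Nix store's read-only 0444 mode, so the config becomes world-readable on hosts without an extra-settings file. It can also bite on a later switch to an extra-settings file: if preStart runs as the service user rather than root (not visible here), the `>` redirection onto the existing 0444 file in /run fails with EACCES until the runtime directory is recreated. Writing both branches the same way avoids both, e.g. replacing the else branch with `(umask 006; cat "${base}" > "${dst}")`, which also makes the `oldUmask` save/restore in the first branch unnecessary if it is moved into a subshell too. A short comment on `generateSettings` stating that `dst` must live under /run because the merged file contains secrets would document the intent; `cfg."${type}"` can be written `cfg.${type}` in Nix.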
@@ -300,5 +308,17 @@ in enable = true; }; }) + (mkIf cfg.recursor.enable { + systemd.services.pdns-recursor = { + preStart = '' + ${generateSettings "recursor" baseRecursorSettings "/run/pdns-recursor/recursor.conf"} + ''; + serviceConfig.ExecStart = [ "" "${pkgs.pdns-recursor}/bin/pdns_recursor --config-dir=/run/pdns-recursor" ]; + }; + + services.pdns-recursor = { + enable = true; + }; + }) ]; } diff --git a/secrets/colony-netdata-powerdns.conf.age b/secrets/colony-netdata-powerdns.conf.age new file mode 100644 index 0000000000000000000000000000000000000000..44ebc0e33246bd10f6915b416b03db25b3b77aa7 GIT binary patch literal 577 zcmXBNO>5I&003YSPf^CegUnMHL(r0?O`E0xSxM5Q%leVTCT%+OkS1A@w`tlYP1;38 z#DgLXbVD5s6!9R6h{*IHC@2UX^rGyb2VrA~2Ty`HVTcT$Kk#UliI|@5FZKpb*PHJ8 z78<1>WCjib8!-(G$5SLslO^NrIQrM58ep&RY89P+awrA~a>igM?ta zOt;B2&vzMTSsKCIY>VLN`Tx*iJ|s zF|w*UpOet;-oWLD5l14HZ)$-F8`M;*a~hsz;T96`mH~Uzi6N&zN|XdOQ}7x+daef? zyiC&|I8_S=3PrR>?!b2IVeE>zB;U~#F6+8=%d&8_#1fQ{$)q!oG#fDGRwA%C%=QP= zKo0%1m+Ckr1++9$bc_(K1c1#7rBn?<5CqmlzFA@A$Q=r{U#J=p$Le&H4(HXZOlFcY z6YEhkSInXs3q9tf<(v5z{;>^t{`o6stMPm8J^t}!^V0RpJ8KgglkGDfcCdBx%{seV zh&ETGgDYe2Ca&!JDPUWlzcELRx1T(F>HgGqA%FYPey}^c`u)P{>&f(TV*AI9wJ)al zggrhs!E2vjh1O$yC) zDJpaHtdH7KpXsGO@P)!er@J=rwZBO)g(P20u9v!XaM&&F$0` zCIv>B23)oRZF?NeWw+g$6xZV*BxN+$?T(pH)ZOLzKNdyTX&%;QFz_!C>E%DdAF(|s z!4EU^+c#3m!@SLe1yeg^} J??}^U1^_|1r*QxP literal 0 HcmV?d00001 diff --git a/secrets/colony-pdns-recursor.conf.age b/secrets/colony-pdns-recursor.conf.age new file mode 100644 index 0000000..7322257 --- /dev/null +++ b/secrets/colony-pdns-recursor.conf.age 
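Review bot: `serviceConfig.ExecStart = [ "" "${pkgs.pdns-recursor}/bin/pdns_recursor --config-dir=/run/pdns-recursor" ]` replaces the upstream NixOS pdns-recursor unit's command line wholesale and nothing in the hunk says why; a comment such as `# Override upstream ExecStart: the recursor must read the merged, secret-carrying config from /run rather than the store path the module generates` would save the next reader from re-deriving it. Because the file in /run is rebuilt from `config.services.pdns-recursor.settings` via this module's `settingsToLines`, it is worth confirming that this serialiser emits the same boolean and comma-separated list formatting as the upstream module's generator (cannot be checked from here); a mismatch would silently alter options such as the `webserver-allow-from` list. The `mkMerge` list this entry belongs to begins outside the hunk.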
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 B9K/XQ gNJl6io3eASmXNRrcLI3fH8UqNEeT7vbCVfks9D153g +/APb0O9268pftfeV5XY1E4CcKrCBAO69sVUBM82cmvE +-> X25519 xskN26oeA5X3rvevlBvyzz/fylb1SINSR09B+DMvSCo +hk5wowfDfxjlFjQKGLwOfA/bgB2cuHR1En9hLtGcsEk +-> sK$y-grease `L hNh +RvgnmIYLnlj6Xzs4YWg40UXHPJrnRHzR/c+X1bg5Qby/Zg +--- 8IqpUilyXUPSp+KdSCCOBN3GRWtciEjmi1bxzzTmC78 +[?RNvO5yŬ?+XB ;~!uXm95?UDĪupф_hc \ No newline at end of file diff --git a/secrets/netdata-powerdns.conf.age b/secrets/netdata-powerdns.conf.age deleted file mode 100644 index 3223896..0000000 --- a/secrets/netdata-powerdns.conf.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 B9K/XQ UynBAIths3H37dT79pa0u5l7rdlZrUhmXXipKam3iF0 -tJdtGeonlTjSSPFyaIcfr1q9QeV5Xwl/lL1pNEXeDJ0 --> X25519 Ti5W6oqKAoeBCBRl2yO2KtWX+Rh/brhJWJzidCY8c20 -xiDfEPLJ04LP9r8QV7AroNnJME5YLy77Sulb28HiX88 --> $T!haUSN-grease '| TTM< *N-o8 qX -4+glmJsXO4qHrxsr7TICzTG/MLYXbbs ---- W2GcnWdHA9WN6Y1EtlNPClM5WeEU3TcybzUXTtiIKXc -- _,mIE|ߎ=N䊨#KqD&w=\ 8 ~q!RL0w]ԙΞRa&aV մ|,ZT8}Vhٛt@V5S!s"[{c -hcа \ No newline at end of file