nixos/estuary: Add PowerDNS recursor Netdata monitoring

2022-06-12 19:37:52 +01:00
parent e0f9d50713
commit e846c4404e
6 changed files with 59 additions and 22 deletions


@@ -19,22 +19,36 @@ in
owner = "pdns";
group = "pdns";
};
"netdata-powerdns.conf" = {
"colony-netdata-powerdns.conf" = {
owner = "netdata";
group = "netdata";
};
"colony-pdns-recursor.conf" = {
owner = "pdns-recursor";
group = "pdns-recursor";
};
"colony-netdata-powerdns_recursor.conf" = {
owner = "netdata";
group = "netdata";
};
};
pdns.recursor = {
enable = true;
extraSettingsFile = config.age.secrets."colony-pdns-recursor.conf".path;
};
};
services = {
netdata = {
configDir = {
"go.d/powerdns.conf" = config.age.secrets."netdata-powerdns.conf".path;
"go.d/powerdns.conf" = config.age.secrets."colony-netdata-powerdns.conf".path;
"go.d/powerdns_recursor.conf" = config.age.secrets."colony-netdata-powerdns_recursor.conf".path;
};
};
pdns-recursor = {
enable = true;
dns = {
address = [
"127.0.0.1" "::1"
@@ -53,6 +67,10 @@ in
# DNS NOTIFY messages override TTL
allow-notify-for = authZones;
allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
webserver = true;
webserver-address = "::";
webserver-allow-from = [ "127.0.0.1" "::1" ];
};
};
};
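Review bot: `webserver-address = "::"` binds the recursor's HTTP/API listener on every interface, although the only consumer added in this commit (the local Netdata `powerdns_recursor` collector) reaches it over loopback. `webserver-allow-from` filters by source address but does not stop the port from being exposed on the host's non-loopback addresses, so a missing or weak `api-key`/`webserver-password` — which would live in the `colony-pdns-recursor.conf` secret and is not visible here — would become network-reachable. Binding to loopback, `webserver-address = "::1";` (or `"127.0.0.1"`, whichever address the collector is configured to use, since the recursor takes a single address here), keeps the surface local without changing what Netdata can read. Please also confirm the secret sets an API key before this is merged, as the statistics endpoint is otherwise reachable by anything on the allow-list.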


@@ -162,7 +162,17 @@ let
cfg = config.my.pdns;
extraSettingsOpt = with lib.types; mkOpt' (nullOr str) null "Path to extra settings (e.g. for secrets).";
baseAuthSettings = pkgs.writeText "pdns.conf" (settingsToLines cfg.auth.settings);
baseRecursorSettings = pkgs.writeText "pdns-recursor.conf" (settingsToLines config.services.pdns-recursor.settings);
generateSettings = type: base: dst: if (cfg."${type}".extraSettingsFile != null) then ''
oldUmask="$(umask)"
umask 006
cat "${base}" "${cfg."${type}".extraSettingsFile}" > "${dst}"
umask "$oldUmask"
'' else ''
cp "${base}" "${dst}"
'';
namedConf = pkgs.writeText "pdns-named.conf" ''
options {
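Review bot: The merged file written by the `cat` branch of `generateSettings` comes out mode 0660 under `umask 006`, which keeps the concatenated secret group-readable; if preStart runs as root (not visible here — confirm against the unit definitions further down) the least-privilege form is `umask 077` followed by an explicit `chown`/`chmod` to the service user, and if it already runs as the service user the group bit is still wider than needed. The `oldUmask` save/restore is redundant inside a preStart snippet, since each snippet runs in its own shell, though it is harmless. The shared `extraSettingsOpt` description is also the right place to state why the option is `str` rather than `path`: `"Path (as a string, not a Nix path, so the file is never copied into the world-readable Nix store) to extra settings (e.g. for secrets)."`. The same helper is used by the `pdns` and `pdns-recursor` preStart hunks below, so one fix covers both.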
@@ -206,7 +216,7 @@ in
auth = {
enable = mkBoolOpt' false "Whether to enable PowerDNS authoritative nameserver.";
settings = mkOpt' configType { } "Authoritative server settings.";
extraSettingsFile = mkOpt' (nullOr str) null "Path to extra settings (e.g. for secrets).";
extraSettingsFile = extraSettingsOpt;
bind = {
options = {
@@ -218,6 +228,11 @@ in
};
};
};
recursor = {
enable = mkBoolOpt' false "Whether to enable PowerDNS recursive nameserver.";
extraSettingsFile = extraSettingsOpt;
};
};
config = mkMerge [
@@ -260,14 +275,7 @@ in
systemd.services.pdns = {
preStart = ''
${if (cfg.auth.extraSettingsFile != null) then ''
oldUmask="$(umask)"
umask 006
cat ${baseAuthSettings} ${cfg.auth.extraSettingsFile} > /run/pdns/pdns.conf
umask "$oldUmask"
'' else ''
cp ${baseAuthSettings} /run/pdns/pdns.conf
''}
${generateSettings "auth" baseAuthSettings "/run/pdns/pdns.conf"}
source ${loadZonesCommon}
@@ -300,5 +308,17 @@ in
enable = true;
};
})
(mkIf cfg.recursor.enable {
systemd.services.pdns-recursor = {
preStart = ''
${generateSettings "recursor" baseRecursorSettings "/run/pdns-recursor/recursor.conf"}
'';
serviceConfig.ExecStart = [ "" "${pkgs.pdns-recursor}/bin/pdns_recursor --config-dir=/run/pdns-recursor" ];
};
services.pdns-recursor = {
enable = true;
};
})
];
}