dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos/estuary: Add PowerDNS recursor Netdata monitoring

Browse Source
This commit is contained in:
Jack O'Sullivan 2022-06-12 19:37:52 +01:00
parent e0f9d50713
commit e846c4404e
6 changed files with 59 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
nixos/boxes/colony/vms/estuary/dns.nix
View File

@ -19,22 +19,36 @@ in
owner = "pdns"; owner = "pdns";
group = "pdns"; group = "pdns";
}; };
"netdata-powerdns.conf" = { "colony-netdata-powerdns.conf" = {
owner = "netdata"; owner = "netdata";
group = "netdata"; group = "netdata";
}; };
"colony-pdns-recursor.conf" = {
owner = "pdns-recursor";
group = "pdns-recursor";
};
"colony-netdata-powerdns_recursor.conf" = {
owner = "netdata";
group = "netdata";
};
};
pdns.recursor = {
enable = true;
extraSettingsFile = config.age.secrets."colony-pdns-recursor.conf".path;
}; };
}; };
services = { services = {
netdata = { netdata = {
configDir = { configDir = {
"go.d/powerdns.conf" = config.age.secrets."netdata-powerdns.conf".path; "go.d/powerdns.conf" = config.age.secrets."colony-netdata-powerdns.conf".path;
"go.d/powerdns_recursor.conf" = config.age.secrets."colony-netdata-powerdns_recursor.conf".path;
}; };
}; };
pdns-recursor = { pdns-recursor = {
enable = true;
dns = { dns = {
address = [ address = [
"127.0.0.1" "::1" "127.0.0.1" "::1"
@ -53,6 +67,10 @@ in
# DNS NOTIFY messages override TTL # DNS NOTIFY messages override TTL
allow-notify-for = authZones; allow-notify-for = authZones;
allow-notify-from = [ "127.0.0.0/8" "::1/128" ]; allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
webserver = true;
webserver-address = "::";
webserver-allow-from = [ "127.0.0.1" "::1" ];
}; };
}; };
}; };

38
nixos/modules/pdns.nix
View File

@ -162,7 +162,17 @@ let
cfg = config.my.pdns; cfg = config.my.pdns;
extraSettingsOpt = with lib.types; mkOpt' (nullOr str) null "Path to extra settings (e.g. for secrets).";
baseAuthSettings = pkgs.writeText "pdns.conf" (settingsToLines cfg.auth.settings); baseAuthSettings = pkgs.writeText "pdns.conf" (settingsToLines cfg.auth.settings);
baseRecursorSettings = pkgs.writeText "pdns-recursor.conf" (settingsToLines config.services.pdns-recursor.settings);
generateSettings = type: base: dst: if (cfg."${type}".extraSettingsFile != null) then ''
oldUmask="$(umask)"
umask 006
cat "${base}" "${cfg."${type}".extraSettingsFile}" > "${dst}"
umask "$oldUmask"
'' else ''
cp "${base}" "${dst}"
'';
namedConf = pkgs.writeText "pdns-named.conf" '' namedConf = pkgs.writeText "pdns-named.conf" ''
options { options {
@ -206,7 +216,7 @@ in
auth = { auth = {
enable = mkBoolOpt' false "Whether to enable PowerDNS authoritative nameserver."; enable = mkBoolOpt' false "Whether to enable PowerDNS authoritative nameserver.";
settings = mkOpt' configType { } "Authoritative server settings."; settings = mkOpt' configType { } "Authoritative server settings.";
extraSettingsFile = mkOpt' (nullOr str) null "Path to extra settings (e.g. for secrets)."; extraSettingsFile = extraSettingsOpt;
bind = { bind = {
options = { options = {
@ -218,6 +228,11 @@ in
}; };
}; };
}; };
recursor = {
enable = mkBoolOpt' false "Whether to enable PowerDNS recursive nameserver.";
extraSettingsFile = extraSettingsOpt;
};
}; };
config = mkMerge [ config = mkMerge [
@ -260,14 +275,7 @@ in
systemd.services.pdns = { systemd.services.pdns = {
preStart = '' preStart = ''
${if (cfg.auth.extraSettingsFile != null) then '' ${generateSettings "auth" baseAuthSettings "/run/pdns/pdns.conf"}
oldUmask="$(umask)"
umask 006
cat ${baseAuthSettings} ${cfg.auth.extraSettingsFile} > /run/pdns/pdns.conf
umask "$oldUmask"
'' else ''
cp ${baseAuthSettings} /run/pdns/pdns.conf
''}
source ${loadZonesCommon} source ${loadZonesCommon}
@ -300,5 +308,17 @@ in
enable = true; enable = true;
}; };
}) })
(mkIf cfg.recursor.enable {
systemd.services.pdns-recursor = {
preStart = ''
${generateSettings "recursor" baseRecursorSettings "/run/pdns-recursor/recursor.conf"}
'';
serviceConfig.ExecStart = [ "" "${pkgs.pdns-recursor}/bin/pdns_recursor --config-dir=/run/pdns-recursor" ];
};
services.pdns-recursor = {
enable = true;
};
})
]; ];
} }

BIN
secrets/colony-netdata-powerdns.conf.age Normal file
View File

Binary file not shown.

BIN
secrets/colony-netdata-powerdns_recursor.conf.age Normal file
View File

Binary file not shown.

9
secrets/colony-pdns-recursor.conf.age Normal file
View File

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 B9K/XQ gNJl6io3eASmXNRrcLI3fH8UqNEeT7vbCVfks9D153g
/APb0O9268pftfeV5XY1E4CcKrCBAO69sVUBM82cmvE
-> X25519 xskN26oeA5X3rvevlBvyzz/fylb1SINSR09B+DMvSCo
hk5wowfDfxjlFjQKGLwOfA/bgB2cuHR1En9hLtGcsEk
-> sK$y-grease `L hNh
RvgnmIYLnlj6Xzs4YWg40UXHPJrnRHzR/c+X1bg5Qby/Zg
--- 8IqpUilyXUPSp+KdSCCOBN3GRWtciEjmi1bxzzTmC78
<EFBFBD>[ðÛÿ?¹RßNã•vÉÝO£5yŬ?+XBê ;~¬ˆ±Ú!“ýX»¥mŽ95Š?UáD¨Äªu”pÍžÙÑ„_hcò

10
secrets/netdata-powerdns.conf.age
View File

@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 B9K/XQ UynBAIths3H37dT79pa0u5l7rdlZrUhmXXipKam3iF0
tJdtGeonlTjSSPFyaIcfr1q9QeV5Xwl/lL1pNEXeDJ0
-> X25519 Ti5W6oqKAoeBCBRl2yO2KtWX+Rh/brhJWJzidCY8c20
xiDfEPLJ04LP9r8QV7AroNnJME5YLy77Sulb28HiX88
-> $T!haUSN-grease '| TTM< *N-o8 qX
4+glmJsXO4qHrxsr7TICzTG/MLYXbbs
--- W2GcnWdHA9WN6Y1EtlNPClM5WeEU3TcybzUXTtiIKXc
ýÇ- _½,­m€IE|º§ÿ‡ßŽ=Nñÿû䊨ßñ#KæqæD®<44>&w¹=\ 8 Ÿ¯ÉîÅù~q!þö<C3BE>±¦Rª•L0šw]°ŽÔ™³ÎžðìR…§Ž¿a&aV Õ´|,ûZT8¬Ñ}üVáâhÙt@V5¨¬²S!s¾"[ôò{c
ªÄÖ•¨<E280A2>Êhcþ™Ð°åÖ