Diffstat (limited to 'nixos/modules/services/networking/bind.nix')
-rw-r--r-- | nixos/modules/services/networking/bind.nix | 102 |
1 files changed, 80 insertions, 22 deletions
diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix
index faad8863575..480d5a184f2 100644
--- a/nixos/modules/services/networking/bind.nix
+++ b/nixos/modules/services/networking/bind.nix
@@ -6,8 +6,44 @@ let
 cfg = config.services.bind;
+ bindPkg = config.services.bind.package;
+ bindUser = "named";
+ bindZoneCoerce = list: builtins.listToAttrs (lib.forEach list (zone: { name = zone.name; value = zone; }));
+
+ bindZoneOptions = { name, config, ... }: {
+ options = {
+ name = mkOption {
+ type = types.str;
+ default = name;
+ description = "Name of the zone.";
+ };
+ master = mkOption {
+ description = "Master=false means slave server";
+ type = types.bool;
+ };
+ file = mkOption {
+ type = types.either types.str types.path;
+ description = "Zone file resource records contain columns of data, separated by whitespace, that define the record.";
+ };
+ masters = mkOption {
+ type = types.listOf types.str;
+ description = "List of servers for inclusion in stub and secondary zones.";
+ };
+ slaves = mkOption {
+ type = types.listOf types.str;
+ description = "Addresses who may request zone transfers.";
+ default = [ ];
+ };
+ extraConfig = mkOption {
+ type = types.str;
+ description = "Extra zone config to be appended at the end of the zone section.";
+ default = "";
+ };
+ };
+ };
+
 confFile = pkgs.writeText "named.conf" ''
 include "/etc/bind/rndc.key";
@@ -25,7 +61,7 @@ let
 blackhole { badnetworks; };
 forward first;
 forwarders { ${concatMapStrings (entry: " ${entry}; ") cfg.forwarders} };
- directory "/run/named";
+ directory "${cfg.directory}";
 pid-file "/run/named/named.pid";
 ${cfg.extraOptions}
 };
@@ -55,7 +91,7 @@ let
 ${extraConfig}
 };
 '')
- cfg.zones }
+ (attrValues cfg.zones) }
 '';
 in
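Review bot: In `bindZoneOptions`, `masters` is the only zone option without a default, so a zone declared with `master = true` that leaves it unset will fail evaluation if the zone template (the `'')` mapping, whose body lies outside this hunk) reads `masters` unconditionally; `default = [ ];` would make it symmetric with `slaves` and match the old example, which always set both. The `file` option also accepts `types.path`, and a literal path given there is copied into the world-readable Nix store, which the description should mention, e.g. `description = "Zone file. A literal path is copied into the (world-readable) Nix store; pass a string to reference the file in place.";`. As written, the `file` description describes the record format instead of the option.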
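Review bot: `directory "${cfg.directory}";` makes BIND's working directory configurable while `pid-file "/run/named/named.pid";` on the next line stays fixed, so the two can now point at different places and the pid-file directory must still exist even when `directory` is moved. named resolves relative zone `file` values against `directory` and writes slave zone data and journals there, which is why it is the one location the `named` user needs write access to; the option's description (added in a later hunk as "Working directory of BIND.") could say `Working directory of BIND; relative zone files resolve here and slave zone data and journals are written here, so it must be writable by the named user.`. Because `cfg.directory` is a `types.str` spliced between named.conf quotes, a value containing `"` yields a broken config at service start rather than an evaluation error; `types.path`, which at least requires an absolute path, would catch the common typos earlier.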
@@ -70,8 +106,17 @@ in
 enable = mkEnableOption "BIND domain name server";
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.bind;
+ defaultText = "pkgs.bind";
+ description = "The BIND package to use.";
+ };
+
 cacheNetworks = mkOption {
- default = ["127.0.0.0/24"];
+ default = [ "127.0.0.0/24" ];
+ type = types.listOf types.str;
 description = "
 What networks are allowed to use us as a resolver. Note that this is for recursive queries -- all networks are
@@ -82,7 +127,8 @@ in
 };
 blockedNetworks = mkOption {
- default = [];
+ default = [ ];
+ type = types.listOf types.str;
 description = "
 What networks are just blocked.
 ";
@@ -90,6 +136,7 @@ in
 ipv4Only = mkOption {
 default = false;
+ type = types.bool;
 description = "
 Only use ipv4, even if the host supports ipv6.
 ";
@@ -97,13 +144,14 @@ in
 forwarders = mkOption {
 default = config.networking.nameservers;
+ type = types.listOf types.str;
 description = "
 List of servers we should forward requests to.
 ";
 };
 listenOn = mkOption {
- default = ["any"];
+ default = [ "any" ];
 type = types.listOf types.str;
 description = "
 Interfaces to listen on.
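Review bot: `type = types.listOf types.str;` on `cacheNetworks` (and on `blockedNetworks` in the next hunk) checks that the value is a list of strings but not that each entry is a network, so a malformed entry such as a missing prefix length is rejected only when named parses the generated named.conf at service start, not at evaluation time. Since these entries presumably end up verbatim in ACL blocks of the generated config (the `blackhole { badnetworks; };` line in the earlier hunk suggests that for `blockedNetworks`), a sentence in each description would set expectations: `Entries are written verbatim into named.conf and are not validated at evaluation time.`. The `127.0.0.0/24` default limits recursion to loopback, and naming that consequence in the `cacheNetworks` description ("widening this exposes an open recursive resolver to those networks") would make the effect of changing it clear.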
@@ -111,28 +159,34 @@ in
 };
 listenOnIpv6 = mkOption {
- default = ["any"];
+ default = [ "any" ];
 type = types.listOf types.str;
 description = "
 Ipv6 interfaces to listen on.
 ";
 };
+ directory = mkOption {
+ type = types.str;
+ default = "/run/named";
+ description = "Working directory of BIND.";
+ };
+
 zones = mkOption {
- default = [];
+ default = [ ];
+ type = with types; coercedTo (listOf attrs) bindZoneCoerce (attrsOf (types.submodule bindZoneOptions));
 description = "
 List of zones we claim authority over.
- master=false means slave server; slaves means addresses
- who may request zone transfer.
 ";
- example = [{
- name = "example.com";
- master = false;
- file = "/var/dns/example.com";
- masters = ["192.168.0.1"];
- slaves = [];
- extraConfig = "";
- }];
+ example = {
+ "example.com" = {
+ master = false;
+ file = "/var/dns/example.com";
+ masters = [ "192.168.0.1" ];
+ slaves = [ ];
+ extraConfig = "";
+ };
+ };
 };
 extraConfig = mkOption {
@@ -174,7 +228,8 @@ in
 networking.resolvconf.useLocalResolver = mkDefault true;
 users.users.${bindUser} =
- { uid = config.ids.uids.bind;
+ {
+ uid = config.ids.uids.bind;
 description = "BIND daemon user";
 };
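Review bot: The `zones` description still reads `List of zones we claim authority over.` although the option is now an `attrsOf` submodule keyed by zone name, with the old list form only accepted through `coercedTo`; `Zones we claim authority over, keyed by zone name. The older list-of-attribute-sets form is still accepted.` would match the new `example`. The new `directory` option is `types.str`, yet the service's preStart (a later hunk) runs `mkdir -p` and `chown ${bindUser}` on that value as root, so `types.path` is the more appropriate type since it at least requires an absolute path. Its description should also state that slave zone data and journals are written there and that the directory is chowned to the named user on every start, so an administrator does not point it at a shared location.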
@@ -186,17 +241,20 @@ in
 preStart = ''
 mkdir -m 0755 -p /etc/bind
 if ! [ -f "/etc/bind/rndc.key" ]; then
- ${pkgs.bind.out}/sbin/rndc-confgen -c /etc/bind/rndc.key -u ${bindUser} -a -A hmac-sha256 2>/dev/null
+ ${bindPkg.out}/sbin/rndc-confgen -c /etc/bind/rndc.key -u ${bindUser} -a -A hmac-sha256 2>/dev/null
 fi
 ${pkgs.coreutils}/bin/mkdir -p /run/named
 chown ${bindUser} /run/named
+
+ ${pkgs.coreutils}/bin/mkdir -p ${cfg.directory}
+ chown ${bindUser} ${cfg.directory}
 '';
 serviceConfig = {
- ExecStart = "${pkgs.bind.out}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f";
- ExecReload = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' reload";
- ExecStop = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' stop";
+ ExecStart = "${bindPkg.out}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f";
+ ExecReload = "${bindPkg.out}/sbin/rndc -k '/etc/bind/rndc.key' reload";
+ ExecStop = "${bindPkg.out}/sbin/rndc -k '/etc/bind/rndc.key' stop";
 };
 unitConfig.Documentation = "man:named(8)";
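Review bot: `chown ${bindUser} ${cfg.directory}` runs as root on every service start and re-owns whatever existing directory the free-form `directory` option names, so a value like an existing shared state directory is silently handed to the named user; both new lines also leave the path unquoted, so a value containing whitespace splits into several arguments. Quoting the path and only changing ownership of a directory this unit created would contain that: `if [ ! -d "${cfg.directory}" ]; then ${pkgs.coreutils}/bin/mkdir -p "${cfg.directory}"; chown ${bindUser} "${cfg.directory}"; fi` — or let systemd manage it through `RuntimeDirectory`/`StateDirectory`, which creates it with the right owner without a root-run chown. The `mkdir -p /run/named` and `chown` above remain necessary because `pid-file` in named.conf is still hard-coded to `/run/named`. The enclosing `systemd.services.bind` definition starts and ends outside this hunk.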