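{ config, pkgs, ... }:

# NixOS module for the BIND name server: renders a named.conf from the
# `services.bind` options and runs `named` in the foreground as the
# `bind` job.

with pkgs.lib;

let

  cfg = config.services.bind;

  # Renders a list of addresses/networks as the body of a named.conf
  # address_match_list, e.g. ["10.0.0.0/8"] -> " 10.0.0.0/8; ".  Values are
  # interpolated verbatim (no quoting or escaping); they come from the
  # system configuration, not from the network.
  addrList = entries: concatMapStrings (entry: " ${entry}; ") entries;

  # The generated named.conf.  Notes on the security-relevant settings:
  #  - listen-on / listen-on-v6 {any;}: named accepts traffic on every
  #    interface; what limits use of the resolver is allow-query, which is
  #    restricted to cfg.cacheNetworks.
  #  - blackhole: queries from cfg.blockedNetworks are dropped.
  #  - forward first: the forwarders (config.networking.nameservers) are
  #    tried first and named resolves on its own if they do not answer.
  #  - Every zone gets allow-query { any; }, presumably because
  #    authoritative zone data is meant to be public.  A master zone allows
  #    transfers only to `slaves` (an empty list renders as
  #    `allow-transfer { };` — check against the BIND ARM that this means
  #    "no transfers"); a slave zone pulls from `masters`.
  #    NOTE(review): BIND likely rejects a slave zone whose masters list is
  #    empty — confirm, and consider validating that here at eval time.
  #  - `name` and `file` are interpolated unescaped between double quotes;
  #    a value containing `"` would corrupt the generated file.
  confFile = pkgs.writeText "named.conf"
    ''
      acl cachenetworks { ${addrList cfg.cacheNetworks} };
      acl badnetworks { ${addrList cfg.blockedNetworks} };

      options {
        listen-on {any;};
        listen-on-v6 {any;};
        allow-query { cachenetworks; };
        blackhole { badnetworks; };
        forward first;
        forwarders { ${addrList config.networking.nameservers} };
        directory "/var/run/named";
        pid-file "/var/run/named/named.pid";
      };

      ${ concatMapStrings
          ({ name, file, master ? true, slaves ? [], masters ? [] }:
            ''
              zone "${name}" {
                type ${if master then "master" else "slave"};
                file "${file}";
                ${ if master then
                   ''
                     allow-transfer {
                       ${concatMapStrings (ip: "${ip};\n") slaves}
                     };
                   ''
                   else
                   ''
                     masters {
                       ${concatMapStrings (ip: "${ip};\n") masters}
                     };
                   ''
                }
                allow-query { any; };
              };
            '')
          cfg.zones }
    '';

in

{

  ###### interface

  options = {

    services.bind = {

      enable = mkOption {
        default = false;
        description = "
          Whether to enable BIND domain name server.
        ";
      };

      # Networks allowed to use this server as a recursive resolver
      # (rendered into the `cachenetworks` acl and allow-query).
      cacheNetworks = mkOption {
        default = ["127.0.0.0/24"];
        description = "
          What networks are allowed to use us as a resolver.
        ";
      };

      # Networks whose queries are dropped (rendered into `blackhole`).
      blockedNetworks = mkOption {
        default = [];
        description = "
          What networks are just blocked.
        ";
      };

      # Each element is an attribute set with `name`, `file` and optional
      # `master` (default true), `slaves` and `masters`; see the zone
      # template in confFile above.
      zones = mkOption {
        default = [];
        description = "
          List of zones we claim authority over.
            master=false means slave server; slaves means addresses
           who may request zone transfer.
        ";
        example = [{
          name = "example.com";
          master = false;
          file = "/var/dns/example.com";
          masters = ["192.168.0.1"];
          slaves = [];
        }];
      };

    };

  };


  ###### implementation

  config = mkIf cfg.enable {

    # NOTE(review): an unused `startingDependency` binding (gw6c vs.
    # network-interfaces) used to sit in the let block; it was never
    # referenced, so this job declares no start ordering.  It has been
    # dropped — confirm whether an ordering on the network was intended.
    jobs.bind =
      { description = "BIND name server job";

        # Working and pid-file directory named expects (see `directory`
        # in named.conf).
        preStart =
          ''
            ${pkgs.coreutils}/bin/mkdir -p /var/run/named
          '';

        # -f keeps named in the foreground for the job supervisor.  No -u
        # (user switch) is passed, so named keeps whatever privileges the
        # job starts it with.  NOTE(review): running it under a dedicated
        # unprivileged user would limit the impact of a compromise —
        # confirm such a user exists before adding `-u`.
        exec = "${pkgs.bind}/sbin/named -c ${confFile} -f";
      };

  };

}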