dotfiles/nixos/systems/blowhole/bind.nix


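# BIND (named) on this host: authoritative for the internal zones below,
# forwarding everything else to a local resolver on 127.0.0.1:5353.
{
  lib,
  secret,
  ...
}: let
  inherit
    (lib)
    concatMapStringsSep
    filter
    unique
    ;

  # Categories that get their own rotated log file under /var/log/named.
  # `unique` drops accidental duplicates: the list previously carried
  # "network" twice, so `channel network_file` / `category network` were
  # emitted twice into named.conf.
  logCategories = unique [
    "default"
    "database"
    "security"
    "config"
    "resolver"
    "xfer-in"
    "xfer-out"
    "notify"
    "client"
    "unmatched"
    "queries"
    "network"
    "update"
    "dispatch"
    "dnssec"
    "lame-servers"
  ];

  # One file channel per category (3 rotated versions of 5m each, dynamic
  # severity, timestamps on) so e.g. security and query events can be read
  # and shipped independently of the default log.
  loggingConfig = ''
    logging {
    ${concatMapStringsSep "\n" (category: ''
      channel ${category}_file {
        file "/var/log/named/${category}.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
      };
      category ${category} { ${category}_file; };
    '') logCategories}
    };
  '';

  # Networks allowed to use the cache. The entries taken from `secret` may be
  # absent; `or ""` then yields an empty string, which would otherwise be
  # written verbatim into the address list in named.conf, so empties are
  # filtered out here.
  cacheNetworks = filter (network: network != "") [
    "127.0.0.0/8"
    (secret.network.networks.home.wireless or "")
    (secret.network.networks.home.mine or "")
    "10.64.99.0/24"
    (secret.network.networks.home.amsterdam or "")
    (secret.network.networks.vpn or "")
    "172.26.64.0/20"
    "10.64.48.0/21"
    "172.26.96.0/24"
    "172.26.80.0/20"
  ];
in {
  # Log directory owned by the named user, not world-readable.
  systemd.tmpfiles.rules = [
    "d /var/log/named 0750 named named - -"
  ];

  services.bind = {
    enable = true;
    # Never recurse upstream directly: all non-authoritative queries go to the
    # local resolver on port 5353.
    forward = "only";
    forwarders = [
      "127.0.0.1 port 5353"
    ];
    directory = "/var/lib/bind";
    zones = {
      "in.redalder.org" = {
        file = ./zones/in.redalder.org.zone;
        master = true;
      };
      "hosts.in.redalder.org" = {
        file = ./zones/hosts.in.redalder.org.zone;
        master = true;
      };
    };
    inherit cacheNetworks;
    extraConfig = loggingConfig;
    extraOptions = ''
      # recursion yes;
      dnssec-validation auto;
    '';
  };

  # Bring the resolver up before the network is considered online.
  systemd.services.bind = {
    before = ["network-online.target"];
  };
}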