mirror of
https://git.sr.ht/~magic_rb/dotfiles
synced 2024-11-30 03:56:12 +01:00
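# NixOS module: BIND serving the internal zones and forwarding everything
# else to a resolver on the loopback interface.
#
# Arguments:
#   lib    - nixpkgs lib (list/string helpers).
#   pkgs   - nixpkgs package set (not used here; kept for the module interface).
#   secret - site-private attribute set. The network CIDRs read from it may be
#            absent; each lookup falls back to "" and is then filtered out.
{ lib, pkgs, secret, ... }:
let
  inherit (lib)
    concatMapStringsSep
    filter;

  # BIND logging categories; each one gets its own channel and log file.
  # Every name appears exactly once: the original list carried "network"
  # twice, which emitted the channel and category stanzas for it twice.
  logCategories = [
    "default"
    "database"
    "security"
    "config"
    "resolver"
    "xfer-in"
    "xfer-out"
    "notify"
    "client"
    "unmatched"
    "queries"
    "network"
    "update"
    "dispatch"
    "dnssec"
    "lame-servers"
  ];

  # named.conf `logging { ... }` block: one file channel per category, up to
  # three rotated versions of 5 MB each, timestamps on, severity following the
  # server's current debug level.
  loggingConfig = ''
    logging {
    ${concatMapStringsSep "\n" (x:
      ''
        channel ${x}_file {
          file "/var/log/named/${x}.log" versions 3 size 5m;
          severity dynamic;
          print-time yes;
        };
        category ${x} { ${x}_file; };
      '') logCategories}
    };
  '';
in
{
  # The "queries" and "client" logs record who asked for what, so the log
  # directory is readable by the named user and group only.
  systemd.tmpfiles.rules = [
    "d /var/log/named 0750 named named - -"
  ];

  services.bind = {
    enable = true;

    # Forward-only: names outside the local zones are never resolved
    # iteratively by this server; they all go to the loopback forwarder below.
    forward = "only";
    forwarders = [
      "127.0.0.1 port 5353"
    ];

    directory = "/var/lib/bind";

    # NOTE(review): neither zone sets allowQuery or slaves, so the module
    # defaults decide who may query or transfer these internal zones.
    # Confirm those defaults match the intended exposure.
    zones = {
      "in.redalder.org" = {
        file = ./zones/in.redalder.org.zone;
        master = true;
      };
      "hosts.in.redalder.org" = {
        file = ./zones/hosts.in.redalder.org.zone;
        master = true;
      };
    };

    # Networks allowed to use this server as a resolver. A missing secret
    # evaluates to "" and is dropped here, so no empty element reaches the
    # generated ACL (presumably each entry is rendered verbatim; confirm
    # against the bind module).
    cacheNetworks = filter (net: net != "") [
      "127.0.0.0/8"
      (secret.network.networks.home.wireless or "")
      (secret.network.networks.home.mine or "")
      "10.64.99.0/24"
      (secret.network.networks.home.amsterdam or "")
      (secret.network.networks.vpn or "")
      "172.26.64.0/20"
    ];

    extraConfig = loggingConfig;

    # Validate DNSSEC using BIND's built-in root trust anchor.
    extraOptions = ''
      # recursion yes;
      dnssec-validation auto;
    '';
  };

  # Order the bind unit before network-online.target.
  systemd.services.bind = {
    before = [ "network-online.target" ];
  };
}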