{ lib, pkgs, secret, ... }: let inherit (lib) concatMapStringsSep; loggingConfig = '' logging { ${concatMapStringsSep "\n" (x: '' channel ${x}_file { file "/var/log/named/${x}.log" versions 3 size 5m; severity dynamic; print-time yes; }; category ${x} { ${x}_file; }; '') [ "default" "database" "security" "config" "resolver" "xfer-in" "xfer-out" "notify" "client" "unmatched" "queries" "network" "update" "network" "dispatch" "dnssec" "lame-servers" ]} }; ''; in { systemd.tmpfiles.rules = [ "d /var/log/named 0750 named named - -" ]; services.bind = { enable = true; forward = "only"; forwarders = [ "127.0.0.1 port 5353" ]; directory = "/var/lib/bind"; zones = { "in.redalder.org" = { file = ./zones/in.redalder.org.zone; master = true; }; "hosts.in.redalder.org" = { file = ./zones/hosts.in.redalder.org.zone; master = true; }; }; cacheNetworks = [ "127.0.0.0/8" (secret.network.networks.home.wireless or "") (secret.network.networks.home.mine or "") "10.64.99.0/24" (secret.network.networks.home.amsterdam or "") (secret.network.networks.vpn or "") "172.26.64.0/20" ]; extraConfig = loggingConfig; extraOptions = '' # recursion yes; dnssec-validation auto; ''; }; systemd.services.bind = { before = [ "network-online.target" ]; }; }