From dea78e651d52fd7053374da9a2709fb95117684b Mon Sep 17 00:00:00 2001
From: niten
Date: Mon, 22 Nov 2021 08:31:24 -0800
Subject: [PATCH] DNS and Kerberos config belongs in config

It's not creating options.
---
 lib/fudo/dns.nix             |  5 ++-
 lib/fudo/domain/dns.nix      | 69 ---------------------------------
 lib/fudo/domain/kerberos.nix | 74 ------------------------------------
 lib/fudo/domains.nix         |  5 ---
 4 files changed, 4 insertions(+), 149 deletions(-)
 delete mode 100644 lib/fudo/domain/dns.nix
 delete mode 100644 lib/fudo/domain/kerberos.nix

diff --git a/lib/fudo/dns.nix b/lib/fudo/dns.nix
index fcee95b..d404ce2 100644
--- a/lib/fudo/dns.nix
+++ b/lib/fudo/dns.nix
@@ -55,7 +55,10 @@ let
   # if (host-data == null) then [] else (
   #   (map (sshfp: "${hostname} IN SSHFP ${sshfp}") host-data.ssh-fingerprints) ++ (optional (host-data.rp != null) "${hostname} IN RP ${host-data.rp}")
   # );
-  sshfp-records = if (hasAttr hostname config.fudo.hosts) then (map (sshfp: "${hostname} IN SSHFP ${sshfp}") config.fudo.hosts.${hostname}.ssh-fingerprints) else [];
+  sshfp-records = if (hasAttr hostname config.fudo.hosts) then
+    (map (sshfp: "${hostname} IN SSHFP ${sshfp}")
+      config.fudo.hosts.${hostname}.ssh-fingerprints)
+    else [];
   a-record = optional (nethost-data.ipv4-address != null) "${hostname} IN A ${nethost-data.ipv4-address}";
   aaaa-record = optional (nethost-data.ipv6-address != null) "${hostname} IN AAAA ${nethost-data.ipv6-address}";
   description-record = optional (nethost-data.description != null) "${hostname} IN TXT \"${nethost-data.description}\"";
diff --git a/lib/fudo/domain/dns.nix b/lib/fudo/domain/dns.nix
deleted file mode 100644
index bf84435..0000000
--- a/lib/fudo/domain/dns.nix
+++ /dev/null
@@ -1,69 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
-  hostname = config.instance.hostname;
-  domain = config.instance.local-domain;
-  cfg = config.fudo.domains.${domain};
-
-  served-domain = cfg.primary-nameserver != null;
-
-  is-primary = hostname == cfg.primary-nameserver;
-
-  create-srv-record = port: hostname: {
-    port = port;
-    host = hostname;
-  };
-
-in {
-  config = {
-    fudo.dns = mkIf is-primary (let
-      primary-ip = pkgs.lib.fudo.network.host-ipv4 config hostname;
-      all-ips = pkgs.lib.fudo.network.host-ips config hostname;
-    in {
-      enable = true;
-      identity = "${hostname}.${domain}";
-      nameservers = {
-        ns1 = {
-          ipv4-address = primary-ip;
-          description = "Primary ${domain} nameserver";
-        };
-      };
-
-      # Deliberately leaving out localhost so the primary nameserver
-      # can use a custom recursor
-      listen-ips = all-ips;
-
-      domains = {
-        ${domain} = {
-          dnssec = true;
-          default-host = primary-ip;
-          gssapi-realm = cfg.gssapi-realm;
-          mx = optional (cfg.primary-mailserver != null)
-            cfg.primary-mailserver;
-          # TODO: there's no guarantee this exists...
-          dmarc-report-address = "dmarc-report@${domain}";
-
-          network-definition = let
-            network = config.fudo.networks.${domain};
-          in network // {
-            srv-records = {
-              tcp = {
-                domain = [{
-                  host = "ns1.${domain}";
-                  port = 53;
-                }];
-              };
-              udp = {
-                domain = [{
-                  host = "ns1.${domain}";
-                  port = 53;
-                }];
-              };
-            };
-          };
-        };
-      };
-    });
-  };
-}
diff --git a/lib/fudo/domain/kerberos.nix b/lib/fudo/domain/kerberos.nix
deleted file mode 100644
index f104c0a..0000000
--- a/lib/fudo/domain/kerberos.nix
+++ /dev/null
@@ -1,74 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
-  hostname = config.instance.hostname;
-  domain = config.instance.local-domain;
-  cfg = config.fudo.domains.${domain};
-
-in {
-  config = let
-    hostname = config.instance.hostname;
-    is-master = hostname == cfg.kerberos-master;
-    is-slave = elem hostname cfg.kerberos-slaves;
-
-    kerberized-domain = cfg.kerberos-master != null;
-
-  in {
-    fudo = {
-      auth.kdc = mkIf (is-master || is-slave) {
-        enable = true;
-        realm = cfg.gssapi-realm;
-        # TODO: Also bind to ::1?
-        bind-addresses =
-          (pkgs.lib.fudo.network.host-ips config hostname) ++
-          [ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1");
-        master-config = mkIf is-master {
-          acl = let
-            admin-entries = genAttrs cfg.local-admins
-              (admin: {
-                perms = [ "add" "change-password" "list" ];
-              });
-          in admin-entries // {
-            "*/root" = { perms = [ "all" ]; };
-          };
-        };
-        slave-config = mkIf is-slave {
-          master-host = cfg.kerberos-master;
-          # You gotta provide the keytab yourself, sorry...
-        };
-      };
-
-      dns.domains.${domain} = {
-        network-definition = mkIf kerberized-domain {
-          srv-records = let
-            get-fqdn = hostname:
-              "${hostname}.${config.fudo.hosts.${hostname}.domain}";
-
-            create-srv-record = port: hostname: {
-              port = port;
-              host = hostname;
-            };
-
-            all-servers = map get-fqdn
-              ([cfg.kerberos-master] ++ cfg.kerberos-slaves);
-
-            master-servers =
-              map get-fqdn [cfg.kerberos-master];
-
-          in {
-            tcp = {
-              kerberos = map (create-srv-record 88) all-servers;
-              kerberos-adm = map (create-srv-record 749) master-servers;
-            };
-            udp = {
-              kerberos = map (create-srv-record 88) all-servers;
-              kerberos-master = map (create-srv-record 88) master-servers;
-              kpasswd = map (create-srv-record 464) master-servers;
-            };
-          };
-        };
-      };
-    };
-  };
-}
diff --git a/lib/fudo/domains.nix b/lib/fudo/domains.nix
index 5b6202b..56a0425 100644
--- a/lib/fudo/domains.nix
+++ b/lib/fudo/domains.nix
@@ -86,9 +86,4 @@ in {
       description = "Domain configurations for all domains known to the system.";
       default = { };
     };
-
-  imports = [
-    ./domain/kerberos.nix
-    ./domain/dns.nix
-  ];
 }
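Review bot: Removing these two imports, together with deleting lib/fudo/domain/dns.nix and lib/fudo/domain/kerberos.nix, leaves nothing in this patch that still sets `fudo.auth.kdc`, the Kerberos and nameserver SRV records, or the primary-nameserver `fudo.dns` definition those files produced — the diffstat shows 4 insertions and no added file. Because the NixOS module system raises no error when a module simply stops being imported, a host that is the `kerberos-master`, a `kerberos-slave` or the `primary-nameserver` of its domain would evaluate and build cleanly after this commit while its KDC and authoritative DNS are silently no longer configured. If that configuration has moved into the per-host config tree as the subject line suggests, the replacement should land in the same commit, or the description should state where it now lives, e.g. `Equivalent config now lives in <config path> (see <commit>)`.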