nix/lib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

DNS and Kerberos config belongs in config

Browse Source 
It's not creating options.
This commit is contained in:
niten 2021-11-22 08:31:24 -08:00
parent aade448e5f
commit dea78e651d
4 changed files with 4 additions and 149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lib/fudo/dns.nix
View File

@ -55,7 +55,10 @@ let
# if (host-data == null) then [] else ( # if (host-data == null) then [] else (
# (map (sshfp: "${hostname} IN SSHFP ${sshfp}") host-data.ssh-fingerprints) ++ (optional (host-data.rp != null) "${hostname} IN RP ${host-data.rp}") # (map (sshfp: "${hostname} IN SSHFP ${sshfp}") host-data.ssh-fingerprints) ++ (optional (host-data.rp != null) "${hostname} IN RP ${host-data.rp}")
# ); # );
sshfp-records = if (hasAttr hostname config.fudo.hosts) then (map (sshfp: "${hostname} IN SSHFP ${sshfp}") config.fudo.hosts.${hostname}.ssh-fingerprints) else []; sshfp-records = if (hasAttr hostname config.fudo.hosts) then
(map (sshfp: "${hostname} IN SSHFP ${sshfp}")
config.fudo.hosts.${hostname}.ssh-fingerprints)
else [];
a-record = optional (nethost-data.ipv4-address != null) "${hostname} IN A ${nethost-data.ipv4-address}"; a-record = optional (nethost-data.ipv4-address != null) "${hostname} IN A ${nethost-data.ipv4-address}";
aaaa-record = optional (nethost-data.ipv6-address != null) "${hostname} IN AAAA ${nethost-data.ipv6-address}"; aaaa-record = optional (nethost-data.ipv6-address != null) "${hostname} IN AAAA ${nethost-data.ipv6-address}";
description-record = optional (nethost-data.description != null) "${hostname} IN TXT \"${nethost-data.description}\""; description-record = optional (nethost-data.description != null) "${hostname} IN TXT \"${nethost-data.description}\"";

69
lib/fudo/domain/dns.nix
View File

@ -1,69 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
hostname = config.instance.hostname;
domain = config.instance.local-domain;
cfg = config.fudo.domains.${domain};
served-domain = cfg.primary-nameserver != null;
is-primary = hostname == cfg.primary-nameserver;
create-srv-record = port: hostname: {
port = port;
host = hostname;
};
in {
config = {
fudo.dns = mkIf is-primary (let
primary-ip = pkgs.lib.fudo.network.host-ipv4 config hostname;
all-ips = pkgs.lib.fudo.network.host-ips config hostname;
in {
enable = true;
identity = "${hostname}.${domain}";
nameservers = {
ns1 = {
ipv4-address = primary-ip;
description = "Primary ${domain} nameserver";
};
};
# Deliberately leaving out localhost so the primary nameserver
# can use a custom recursor
listen-ips = all-ips;
domains = {
${domain} = {
dnssec = true;
default-host = primary-ip;
gssapi-realm = cfg.gssapi-realm;
mx = optional (cfg.primary-mailserver != null)
cfg.primary-mailserver;
# TODO: there's no guarantee this exists...
dmarc-report-address = "dmarc-report@${domain}";
network-definition = let
network = config.fudo.networks.${domain};
in network // {
srv-records = {
tcp = {
domain = [{
host = "ns1.${domain}";
port = 53;
}];
};
udp = {
domain = [{
host = "ns1.${domain}";
port = 53;
}];
};
};
};
};
};
});
};
}

74
lib/fudo/domain/kerberos.nix
View File

@ -1,74 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
hostname = config.instance.hostname;
domain = config.instance.local-domain;
cfg = config.fudo.domains.${domain};
in {
config = let
hostname = config.instance.hostname;
is-master = hostname == cfg.kerberos-master;
is-slave = elem hostname cfg.kerberos-slaves;
kerberized-domain = cfg.kerberos-master != null;
in {
fudo = {
auth.kdc = mkIf (is-master || is-slave) {
enable = true;
realm = cfg.gssapi-realm;
# TODO: Also bind to ::1?
bind-addresses =
(pkgs.lib.fudo.network.host-ips config hostname) ++
[ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1");
master-config = mkIf is-master {
acl = let
admin-entries = genAttrs cfg.local-admins
(admin: {
perms = [ "add" "change-password" "list" ];
});
in admin-entries // {
"*/root" = { perms = [ "all" ]; };
};
};
slave-config = mkIf is-slave {
master-host = cfg.kerberos-master;
# You gotta provide the keytab yourself, sorry...
};
};
dns.domains.${domain} = {
network-definition = mkIf kerberized-domain {
srv-records = let
get-fqdn = hostname:
"${hostname}.${config.fudo.hosts.${hostname}.domain}";
create-srv-record = port: hostname: {
port = port;
host = hostname;
};
all-servers = map get-fqdn
([cfg.kerberos-master] ++ cfg.kerberos-slaves);
master-servers =
map get-fqdn [cfg.kerberos-master];
in {
tcp = {
kerberos = map (create-srv-record 88) all-servers;
kerberos-adm = map (create-srv-record 749) master-servers;
};
udp = {
kerberos = map (create-srv-record 88) all-servers;
kerberos-master = map (create-srv-record 88) master-servers;
kpasswd = map (create-srv-record 464) master-servers;
};
};
};
};
};
};
}

5
lib/fudo/domains.nix
View File

@ -86,9 +86,4 @@ in {
description = "Domain configurations for all domains known to the system."; description = "Domain configurations for all domains known to the system.";
default = { }; default = { };
}; };
imports = [
./domain/kerberos.nix
./domain/dns.nix
];
} }