DNS and Kerberos config belongs in config

It's not creating options.
2021-11-22 08:31:24 -08:00 · 2021-11-22 08:31:24 -08:00 · dea78e651d
commit dea78e651d
parent aade448e5f
4 changed files with 4 additions and 149 deletions
--- a/lib/fudo/dns.nix
+++ b/lib/fudo/dns.nix
@ -55,7 +55,10 @@ let
    #   if (host-data == null) then [] else (
    #     (map (sshfp: "${hostname} IN SSHFP ${sshfp}") host-data.ssh-fingerprints) ++ (optional (host-data.rp != null) "${hostname} IN RP ${host-data.rp}")
    #   );
-    sshfp-records = if (hasAttr hostname config.fudo.hosts) then (map (sshfp: "${hostname} IN SSHFP ${sshfp}") config.fudo.hosts.${hostname}.ssh-fingerprints) else [];
+    sshfp-records = if (hasAttr hostname config.fudo.hosts) then
+      (map (sshfp: "${hostname} IN SSHFP ${sshfp}")
+        config.fudo.hosts.${hostname}.ssh-fingerprints)
+                    else [];
    a-record = optional (nethost-data.ipv4-address != null) "${hostname} IN A ${nethost-data.ipv4-address}";
    aaaa-record = optional (nethost-data.ipv6-address != null) "${hostname} IN AAAA ${nethost-data.ipv6-address}";
    description-record = optional (nethost-data.description != null) "${hostname} IN TXT \"${nethost-data.description}\"";
--- a/lib/fudo/domain/dns.nix
+++ b/lib/fudo/domain/dns.nix
@ -1,69 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
-  hostname = config.instance.hostname;
-  domain = config.instance.local-domain;
-  cfg = config.fudo.domains.${domain};
-
-  served-domain = cfg.primary-nameserver != null;
-
-  is-primary = hostname == cfg.primary-nameserver;
-
-  create-srv-record = port: hostname: {
-    port = port;
-    host = hostname;
-  };
-
-in {
-  config = {
-    fudo.dns = mkIf is-primary (let
-      primary-ip = pkgs.lib.fudo.network.host-ipv4 config hostname;
-      all-ips = pkgs.lib.fudo.network.host-ips config hostname;
-    in {
-      enable = true;
-      identity = "${hostname}.${domain}";
-      nameservers = {
-        ns1 = {
-          ipv4-address = primary-ip;
-          description = "Primary ${domain} nameserver";
-        };
-      };
-
-      # Deliberately leaving out localhost so the primary nameserver
-      # can use a custom recursor
-      listen-ips = all-ips;
-
-      domains = {
-        ${domain} = {
-          dnssec = true;
-          default-host = primary-ip;
-          gssapi-realm = cfg.gssapi-realm;
-          mx = optional (cfg.primary-mailserver != null)
-            cfg.primary-mailserver;
-          # TODO: there's no guarantee this exists...
-          dmarc-report-address = "dmarc-report@${domain}";
-
-          network-definition = let
-            network = config.fudo.networks.${domain};
-          in network // {
-            srv-records = {
-              tcp = {
-                domain = [{
-                  host = "ns1.${domain}";
-                  port = 53;
-                }];
-              };
-              udp = {
-                domain = [{
-                  host = "ns1.${domain}";
-                  port = 53;
-                }];
-              };
-            };
-          };
-        };
-      };
-    });
-  };
-}
--- a/lib/fudo/domain/kerberos.nix
+++ b/lib/fudo/domain/kerberos.nix
@ -1,74 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
-  hostname = config.instance.hostname;
-  domain = config.instance.local-domain;
-  cfg = config.fudo.domains.${domain};
-
-in {
-  config = let
-    hostname = config.instance.hostname;
-    is-master = hostname == cfg.kerberos-master;
-    is-slave = elem hostname cfg.kerberos-slaves;
-
-    kerberized-domain = cfg.kerberos-master != null;
-
-  in {
-    fudo = {
-      auth.kdc = mkIf (is-master || is-slave) {
-        enable = true;
-        realm = cfg.gssapi-realm;
-        # TODO: Also bind to ::1?
-        bind-addresses =
-          (pkgs.lib.fudo.network.host-ips config hostname) ++
-          [ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1");
-        master-config = mkIf is-master {
-          acl = let
-            admin-entries = genAttrs cfg.local-admins
-              (admin: {
-                perms = [ "add" "change-password" "list" ];
-              });
-          in admin-entries // {
-            "*/root" = { perms = [ "all" ]; };
-          };
-        };
-        slave-config = mkIf is-slave {
-          master-host = cfg.kerberos-master;
-          # You gotta provide the keytab yourself, sorry...
-        };
-      };
-
-      dns.domains.${domain} = {
-        network-definition = mkIf kerberized-domain {
-          srv-records = let
-            get-fqdn = hostname:
-              "${hostname}.${config.fudo.hosts.${hostname}.domain}";
-
-            create-srv-record = port: hostname: {
-              port = port;
-              host = hostname;
-            };
-
-            all-servers = map get-fqdn
-              ([cfg.kerberos-master] ++ cfg.kerberos-slaves);
-
-            master-servers =
-              map get-fqdn [cfg.kerberos-master];
-
-          in {
-            tcp = {
-              kerberos = map (create-srv-record 88) all-servers;
-              kerberos-adm = map (create-srv-record 749) master-servers;
-            };
-            udp = {
-              kerberos = map (create-srv-record 88) all-servers;
-              kerberos-master = map (create-srv-record 88) master-servers;
-              kpasswd = map (create-srv-record 464) master-servers;
-            };
-          };
-        };
-      };
-    };
-  };
-}
--- a/lib/fudo/domains.nix
+++ b/lib/fudo/domains.nix
@ -86,9 +86,4 @@ in {
    description = "Domain configurations for all domains known to the system.";
    default = { };
  };
-
-  imports = [
-    ./domain/kerberos.nix
-    ./domain/dns.nix
-  ];
 }