Reorganize the config
This commit is contained in:
parent
a045355053
commit
2e5ee202bf
146
nsd.nix
146
nsd.nix
@ -86,7 +86,7 @@ let
|
|||||||
configFile = pkgs.writeTextDir "nsd.conf" ''
|
configFile = pkgs.writeTextDir "nsd.conf" ''
|
||||||
server:
|
server:
|
||||||
chroot: "${stateDir}"
|
chroot: "${stateDir}"
|
||||||
username: ${username}
|
username: "${username}"
|
||||||
|
|
||||||
# The directory for zonefile: files. The daemon chdirs here.
|
# The directory for zonefile: files. The daemon chdirs here.
|
||||||
zonesdir: "${stateDir}"
|
zonesdir: "${stateDir}"
|
||||||
@ -978,86 +978,92 @@ in {
|
|||||||
groups."${username}".gid = config.ids.gids.nsd;
|
groups."${username}".gid = config.ids.gids.nsd;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.nsd = {
|
systemd = {
|
||||||
description = "NSD authoritative only domain name service";
|
services = {
|
||||||
|
nsd = {
|
||||||
|
description = "NSD authoritative only domain name service";
|
||||||
|
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
||||||
startLimitBurst = 4;
|
startLimitBurst = 4;
|
||||||
startLimitIntervalSec = 5 * 60; # 5 mins
|
startLimitIntervalSec = 5 * 60; # 5 mins
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf";
|
ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf";
|
||||||
StandardError = "null";
|
StandardError = "null";
|
||||||
PIDFile = pidFile;
|
PIDFile = pidFile;
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
RestartSec = "4s";
|
RestartSec = "4s";
|
||||||
};
|
};
|
||||||
|
|
||||||
preStart = ''
|
preStart = ''
|
||||||
rm -Rf "${stateDir}/private/"
|
rm -Rf "${stateDir}/private/"
|
||||||
rm -Rf "${stateDir}/tmp/"
|
rm -Rf "${stateDir}/tmp/"
|
||||||
|
|
||||||
mkdir -m 0700 -p "${stateDir}/private"
|
mkdir -m 0700 -p "${stateDir}/private"
|
||||||
mkdir -m 0700 -p "${stateDir}/tmp"
|
mkdir -m 0700 -p "${stateDir}/tmp"
|
||||||
mkdir -m 0700 -p "${stateDir}/var"
|
mkdir -m 0700 -p "${stateDir}/var"
|
||||||
|
mkdir -m 0711 -p "${stateDir}/run"
|
||||||
|
|
||||||
cat > "${stateDir}/don't touch anything in here" << EOF
|
cat > "${stateDir}/don't touch anything in here" << EOF
|
||||||
Everything in this directory except NSD's state in var and dnssec
|
Everything in this directory except NSD's state in var and dnssec
|
||||||
is automatically generated and will be purged and redeployed by
|
is automatically generated and will be purged and redeployed by
|
||||||
the nsd.service pre-start script.
|
the nsd.service pre-start script.
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
chown ${username}:${username} -R "${stateDir}/private"
|
chown ${username}:${username} -R "${stateDir}/private"
|
||||||
chown ${username}:${username} -R "${stateDir}/tmp"
|
chown ${username}:${username} -R "${stateDir}/tmp"
|
||||||
chown ${username}:${username} -R "${stateDir}/var"
|
chown ${username}:${username} -R "${stateDir}/var"
|
||||||
|
chown ${username}:${username} -R "${stateDir}/run"
|
||||||
|
|
||||||
rm -rf "${stateDir}/zones"
|
rm -rf "${stateDir}/zones"
|
||||||
cp -rL "${nsdEnv}/zones" "${stateDir}/zones"
|
cp -rL "${nsdEnv}/zones" "${stateDir}/zones"
|
||||||
|
|
||||||
${copyKeys}
|
${copyKeys}
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.timers.nsd-dnssec = mkIf dnssec {
|
|
||||||
description = "Automatic DNSSEC key rollover";
|
|
||||||
|
|
||||||
wantedBy = [ "nsd.service" ];
|
|
||||||
before = [ "nsd.service" ];
|
|
||||||
|
|
||||||
timerConfig = {
|
|
||||||
OnActiveSec = cfg.dnssecInterval;
|
|
||||||
OnUnitActiveSec = cfg.dnssecInterval;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.nsd-dnssec = mkIf dnssec {
|
|
||||||
description = "DNSSEC key rollover";
|
|
||||||
|
|
||||||
wantedBy = [ "nsd.service" ];
|
|
||||||
before = [ "nsd.service" ];
|
|
||||||
|
|
||||||
preStart = let
|
|
||||||
zoneRotateCmd = zone:
|
|
||||||
let zoneDir = "${stateDir}/dnssec/${zone}";
|
|
||||||
in ''
|
|
||||||
mkdir -p ${zoneDir}
|
|
||||||
${pkgs.nsdRotateKeys}/bin/nsd-rotate-keys \
|
|
||||||
--key-directory=${zoneDir} \
|
|
||||||
--validity-period=30 \
|
|
||||||
--period-overlap=10 \
|
|
||||||
--metadata=${zoneDir}/metadata.json \
|
|
||||||
--verbose \
|
|
||||||
${zone}
|
|
||||||
'';
|
'';
|
||||||
zoneRotateCmds = map zoneRotateCmd (lib.attrNames dnssecZones);
|
};
|
||||||
in lib.concatStringsSep "\n" zoneRotateCmds;
|
|
||||||
|
|
||||||
script = signZones;
|
services.nsd-dnssec = mkIf dnssec {
|
||||||
|
description = "DNSSEC key rollover";
|
||||||
|
|
||||||
postStop = ''
|
wantedBy = [ "nsd.service" ];
|
||||||
/run/current-system/systemd/bin/systemctl kill -s SIGHUP nsd.service
|
before = [ "nsd.service" ];
|
||||||
'';
|
|
||||||
|
preStart = let
|
||||||
|
zoneRotateCmd = zone:
|
||||||
|
let zoneDir = "${stateDir}/dnssec/${zone}";
|
||||||
|
in ''
|
||||||
|
mkdir -p ${zoneDir}
|
||||||
|
${pkgs.nsdRotateKeys}/bin/nsd-rotate-keys \
|
||||||
|
--key-directory=${zoneDir} \
|
||||||
|
--validity-period=30 \
|
||||||
|
--period-overlap=10 \
|
||||||
|
--metadata=${zoneDir}/metadata.json \
|
||||||
|
--verbose \
|
||||||
|
${zone}
|
||||||
|
'';
|
||||||
|
zoneRotateCmds = map zoneRotateCmd (lib.attrNames dnssecZones);
|
||||||
|
in lib.concatStringsSep "\n" zoneRotateCmds;
|
||||||
|
|
||||||
|
script = signZones;
|
||||||
|
|
||||||
|
postStop = ''
|
||||||
|
/run/current-system/systemd/bin/systemctl kill -s SIGHUP nsd.service
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
timers.nsd-dnssec = mkIf dnssec {
|
||||||
|
description = "Automatic DNSSEC key rollover";
|
||||||
|
|
||||||
|
wantedBy = [ "nsd.service" ];
|
||||||
|
before = [ "nsd.service" ];
|
||||||
|
|
||||||
|
timerConfig = {
|
||||||
|
OnActiveSec = cfg.dnssecInterval;
|
||||||
|
OnUnitActiveSec = cfg.dnssecInterval;
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user