Add dnssec for reverse zones

2023-11-03 13:10:50 -07:00 · 2023-11-03 13:10:50 -07:00 · aa331b5b48
parent a7ea67fedb
commit aa331b5b48
2 changed files with 26 additions and 18 deletions
--- a/authoritative-dns.nix
+++ b/authoritative-dns.nix
@ -102,11 +102,13 @@ in {
              inherit (domainCfg) zone;
            };
          }) cfg.domains;
-        reverseZones = concatMapAttrs (domain: domainOpts:
+        reverseZones = concatMapAttrs (domain:
+          { ksk, zone, ... }:
          listToAttrs (map (network:
            reverseZonefile {
-              inherit domain network;
-              inherit (domainOpts.zone) nameservers;
+              inherit domain network ksk;
+              inherit (zone) nameservers;
+              keyFile = ksk.key-file;
              ipHostMap = cfg.ip-host-map;
              serial = cfg.timestamp;
            }) domainOpts.reverse-zones)) cfg.domains;
--- a/reverse-zone.nix
+++ b/reverse-zone.nix
@ -1,7 +1,8 @@
 { pkgs, ... }:

-{ domain, network, nameservers, ipHostMap, serial, zoneTTL ? 10800
-, refresh ? 3600, retry ? 1800, expire ? 604800, minimum ? 3600 }:
+{ domain, network, nameservers, ipHostMap, serial, keyFile ? null
+, zoneTTL ? 10800, refresh ? 3600, retry ? 1800, expire ? 604800, minimum ? 3600
+}:

 with pkgs.lib;
 let
@ -47,16 +48,21 @@ let

  nameserverEntries = map (nameserver: "@ IN NS ${nameserver}.") nameservers;

-in nameValuePair "${getNetworkZoneName network}" ''
-  $ORIGIN ${getNetworkZoneName network}
-  $TTL ${toString zoneTTL}
-  @ IN SOA ${head nameservers}. hostmaster.${domain}. (
-    ${serial}
-    ${toString refresh}
-    ${toString retry}
-    ${toString expire}
-    ${toString minimum}
-  )
-  ${concatStringsSep "\n" nameserverEntries}
-  ${concatStringsSep "\n" (generateReverseZoneEntries network domain ipHostMap)}
-''
+in nameValuePair "${getNetworkZoneName network}" {
+  dnssec = keyFile != null;
+  ksk.keyFile = keyFile;
+  data = ''
+    $ORIGIN ${getNetworkZoneName network}
+    $TTL ${toString zoneTTL}
+    @ IN SOA ${head nameservers}. hostmaster.${domain}. (
+      ${serial}
+      ${toString refresh}
+      ${toString retry}
+      ${toString expire}
+      ${toString minimum}
+    )
+    ${concatStringsSep "\n" nameserverEntries}
+    ${concatStringsSep "\n"
+    (generateReverseZoneEntries network domain ipHostMap)}
+  '';
+}