Add dnssec for reverse zones

authoritative-dns.nix

@@ -102,11 +102,13 @@ in {
               inherit (domainCfg) zone;
             };
           }) cfg.domains;
-        reverseZones = concatMapAttrs (domain: domainOpts:
+        reverseZones = concatMapAttrs (domain:
+          { ksk, zone, ... }:
           listToAttrs (map (network:
             reverseZonefile {
-              inherit domain network;
+              inherit domain network ksk;
-              inherit (domainOpts.zone) nameservers;
+              inherit (zone) nameservers;
+              keyFile = ksk.key-file;
               ipHostMap = cfg.ip-host-map;
               serial = cfg.timestamp;
             }) domainOpts.reverse-zones)) cfg.domains;

reverse-zone.nix

@@ -1,7 +1,8 @@
 { pkgs, ... }:
 
-{ domain, network, nameservers, ipHostMap, serial, zoneTTL ? 10800
+{ domain, network, nameservers, ipHostMap, serial, keyFile ? null
-, refresh ? 3600, retry ? 1800, expire ? 604800, minimum ? 3600 }:
+, zoneTTL ? 10800, refresh ? 3600, retry ? 1800, expire ? 604800, minimum ? 3600
+}:
 
 with pkgs.lib;
 let
@@ -47,7 +48,10 @@ let
 
   nameserverEntries = map (nameserver: "@ IN NS ${nameserver}.") nameservers;
 
-in nameValuePair "${getNetworkZoneName network}" ''
+in nameValuePair "${getNetworkZoneName network}" {
+  dnssec = keyFile != null;
+  ksk.keyFile = keyFile;
+  data = ''
     $ORIGIN ${getNetworkZoneName network}
     $TTL ${toString zoneTTL}
     @ IN SOA ${head nameservers}. hostmaster.${domain}. (
@@ -58,5 +62,7 @@ in nameValuePair "${getNetworkZoneName network}" ''
       ${toString minimum}
     )
     ${concatStringsSep "\n" nameserverEntries}
-  ${concatStringsSep "\n" (generateReverseZoneEntries network domain ipHostMap)}
+    ${concatStringsSep "\n"
-''
+    (generateReverseZoneEntries network domain ipHostMap)}
+  '';
+}