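# NixOS module for the BIND name server (named).
#
# The module renders a named.conf from the options below, creates the
# service account and runtime directories in preStart, and runs named in
# the foreground under systemd.  Changes relative to the previous version:
# the untyped options now carry the module-system types that
# listenOn/listenOnIpv6 already had (consistent validation and merging),
# and forwarders got a defaultText so the documentation does not render
# the evaluated nameserver list.
{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.services.bind;

  # Unprivileged account that named switches to (-u) and that owns the
  # rndc key file and the runtime directory.
  bindUser = "named";

  # Generated named.conf.  Everything interpolated here comes from trusted
  # NixOS configuration; extraOptions, extraConfig and a zone's extraConfig
  # are spliced in verbatim (no escaping), so they must be valid named.conf
  # syntax.  Recursive queries are limited to `cachenetworks`, while each
  # zone block below answers to `any` -- authoritative data is public by
  # design, recursion is not.  A master zone with an empty `slaves` list
  # renders `allow-transfer { };`, i.e. transfers are denied.
  confFile = pkgs.writeText "named.conf"
    ''
      include "/etc/bind/rndc.key";
      controls {
        inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
      };

      acl cachenetworks { ${concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} };
      acl badnetworks { ${concatMapStrings (entry: " ${entry}; ") cfg.blockedNetworks} };

      options {
        listen-on { ${concatMapStrings (entry: " ${entry}; ") cfg.listenOn} };
        listen-on-v6 { ${concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6} };
        allow-query { cachenetworks; };
        blackhole { badnetworks; };
        forward first;
        forwarders { ${concatMapStrings (entry: " ${entry}; ") cfg.forwarders} };
        directory "/run/named";
        pid-file "/run/named/named.pid";
        ${cfg.extraOptions}
      };

      ${cfg.extraConfig}

      ${ concatMapStrings
          ({ name, file, master ? true, slaves ? [], masters ? [], extraConfig ? "" }:
            ''
              zone "${name}" {
                type ${if master then "master" else "slave"};
                file "${file}";
                ${ if master then
                   ''
                     allow-transfer {
                       ${concatMapStrings (ip: "${ip};\n") slaves}
                     };
                   ''
                   else
                   ''
                     masters {
                       ${concatMapStrings (ip: "${ip};\n") masters}
                     };
                   ''
                }
                allow-query { any; };
                ${extraConfig}
              };
            '')
          cfg.zones }
    '';

in

{

  ###### interface

  options = {

    services.bind = {

      enable = mkEnableOption "BIND domain name server";

      cacheNetworks = mkOption {
        type = types.listOf types.str;
        default = ["127.0.0.0/24"];
        description = "
          What networks are allowed to use us as a resolver.  Note
          that this is for recursive queries -- all networks are
          allowed to query zones configured with the `zones` option.
          It is recommended that you limit cacheNetworks to avoid your
          server being used for DNS amplification attacks.
        ";
      };

      blockedNetworks = mkOption {
        type = types.listOf types.str;
        default = [];
        description = "
          What networks are just blocked.
        ";
      };

      ipv4Only = mkOption {
        type = types.bool;
        default = false;
        description = "
          Only use ipv4, even if the host supports ipv6.
        ";
      };

      forwarders = mkOption {
        type = types.listOf types.str;
        default = config.networking.nameservers;
        defaultText = "config.networking.nameservers";
        description = "
          List of servers we should forward requests to.
        ";
      };

      listenOn = mkOption {
        default = ["any"];
        type = types.listOf types.str;
        description = "
          Interfaces to listen on.
        ";
      };

      listenOnIpv6 = mkOption {
        default = ["any"];
        type = types.listOf types.str;
        description = "
          Ipv6 interfaces to listen on.
        ";
      };

      zones = mkOption {
        # Each entry is an attribute set with the keys shown in `example`;
        # `name` and `file` are required, the others default as in confFile.
        type = types.listOf types.attrs;
        default = [];
        description = "
          List of zones we claim authority over.
          master=false means slave server; slaves means addresses
          who may request zone transfer.
        ";
        example = [{
          name = "example.com";
          master = false;
          file = "/var/dns/example.com";
          masters = ["192.168.0.1"];
          slaves = [];
          extraConfig = "";
        }];
      };

      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = "
          Extra lines to be added verbatim to the generated named configuration file.
        ";
      };

      extraOptions = mkOption {
        type = types.lines;
        default = "";
        description = ''
          Extra lines to be added verbatim to the options section of the
          generated named configuration file.
        '';
      };

      configFile = mkOption {
        type = types.path;
        default = confFile;
        defaultText = "confFile";
        description = "
          Overridable config file to use for named. By default, that
          generated by nixos.
        ";
      };

    };

  };


  ###### implementation

  config = mkIf cfg.enable {

    # Point the host's own resolver at the local named unless overridden.
    networking.resolvconf.useLocalResolver = mkDefault true;

    users.users.${bindUser} =
      { uid = config.ids.uids.bind;
        description = "BIND daemon user";
      };

    systemd.services.bind = {
      description = "BIND Domain Name Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      # The rndc control key is generated once (HMAC-SHA256, owned by the
      # bind user) and then reused across restarts; it is referenced by the
      # `include` at the top of confFile and by ExecReload/ExecStop below.
      # NOTE(review): `2>/dev/null` hides rndc-confgen diagnostics, so a
      # failed key generation surfaces only later as a named/rndc error.
      preStart = ''
        mkdir -m 0755 -p /etc/bind
        if ! [ -f "/etc/bind/rndc.key" ]; then
          ${pkgs.bind.out}/sbin/rndc-confgen -c /etc/bind/rndc.key -u ${bindUser} -a -A hmac-sha256 2>/dev/null
        fi

        ${pkgs.coreutils}/bin/mkdir -p /run/named
        chown ${bindUser} /run/named
      '';

      # named starts as root (no User= here), switches to ${bindUser} via -u,
      # and stays in the foreground (-f) so systemd supervises it directly.
      # -4 is only passed when ipv4Only is set.
      serviceConfig = {
        ExecStart  = "${pkgs.bind.out}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f";
        ExecReload = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' reload";
        ExecStop   = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' stop";
      };

      unitConfig.Documentation = "man:named(8)";
    };
  };
}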