Diffstat (limited to 'system')
-rw-r--r--system/linde.nix81
1 files changed, 47 insertions, 34 deletions
diff --git a/system/linde.nix b/system/linde.nix
index d3f60cb0..04529059 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -333,40 +333,53 @@ in
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "23.05"; # Did you read the comment?
 
-  services.powerdns = {
-    enable = true;
-    secretFile = config.age.secrets.powerdns.path;
-    extraConfig = ''
-      launch=gsqlite3
-      dnsupdate=yes
-      allow-dnsupdate-from=0.0.0.0/0,::/0
-      only-notify=
-      also-notify=216.218.130.2
-      allow-axfr-ips=216.218.133.2,2001:470:600::2
-      outgoing-axfr-expand-alias=yes
-      expand-alias=yes
-      resolver=1.1.1.1
-      local-address=${net-ip4} ${net-ip6}
-      reuseport=yes
-      log-dns-details=no
-      log-dns-queries=no
-      loglevel=5
-      primary=yes
-      secondary=yes
-      send-signed-notify=no
-      prevent-self-notification=no
-
-      default-soa-edit=inception-increment
-
-      api=yes
-      # replaced by secretFile/envsubst
-      api-key=$API_KEY
-
-      gsqlite3-database=/var/db/pdns/zones.db
-      gsqlite3-pragma-foreign-keys=yes
-      gsqlite3-dnssec=yes
-    '';
-  };
+  services.powerdns =
+    let
+      inherit (lib.lists) flatten;
+      inherit (lib.strings) concatStringsSep;
+      he = rec {
+        notify = "216.218.130.2";
+        axfr = [
+          notify
+          "2001:470:600::2"
+        ];
+      };
+      iplist = ips: concatStringsSep "," (flatten ips);
+    in
+    {
+      enable = true;
+      secretFile = config.age.secrets.powerdns.path;
+      extraConfig = ''
+        launch=gsqlite3
+        dnsupdate=yes
+        allow-dnsupdate-from=0.0.0.0/0,::/0
+        only-notify=
+        also-notify=${iplist [ he.notify ]}
+        allow-axfr-ips=${iplist [ he.axfr ]}
+        outgoing-axfr-expand-alias=yes
+        expand-alias=yes
+        resolver=1.1.1.1
+        local-address=${net-ip4} ${net-ip6}
+        reuseport=yes
+        log-dns-details=no
+        log-dns-queries=no
+        loglevel=5
+        primary=yes
+        secondary=yes
+        send-signed-notify=no
+        prevent-self-notification=no
+
+        default-soa-edit=inception-increment
+
+        api=yes
+        # replaced by secretFile/envsubst
+        api-key=$API_KEY
+
+        gsqlite3-database=/var/db/pdns/zones.db
+        gsqlite3-pragma-foreign-keys=yes
+        gsqlite3-dnssec=yes
+      '';
+    };
 
   systemd.services.hagezi-blocklist-update = {
     enable = true;
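Review bot: The rewritten `extraConfig` still carries `allow-dnsupdate-from=0.0.0.0/0,::/0` next to `dnsupdate=yes`, so with the new `he`/`iplist` helper in place the one list that most needs restricting is the only one left as a bare literal. Unless the zones carry `ALLOW-DNSUPDATE-FROM` or `TSIG-ALLOW-DNSUPDATE` metadata (not visible here), any host can submit RFC 2136 updates to this authoritative server, which the `api-key`/`secretFile` handling does not cover. Since the refactor already centralises the Hurricane Electric addresses, the update sources belong in the same `let` so the intent is reviewable, e.g. `allow-dnsupdate-from=${iplist [ <trusted-update-cidrs> ]}` with `<trusted-update-cidrs>` replaced by the actual client ranges, or a comment explaining why a world-open range is acceptable if per-zone metadata is relied upon. The enclosing NixOS module attribute set begins before this hunk (`in` on the `@@` line), so `lib` and `config` are assumed to be module arguments.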