From df4b1e5020c1dc2f75f63f2a367d790a95320beb Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Fri, 7 Jun 2024 12:01:53 +0200
Subject: linde: create small helpers for powerdns configuration
---
 system/linde.nix | 81 ++++++++++++++++++++++++++++++++------------------------
 1 file changed, 47 insertions(+), 34 deletions(-)
(limited to 'system')
diff --git a/system/linde.nix b/system/linde.nix
index d3f60cb0..04529059 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -333,40 +333,53 @@ in
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
 system.stateVersion = "23.05"; # Did you read the comment?
- services.powerdns = {
- enable = true;
- secretFile = config.age.secrets.powerdns.path;
- extraConfig = ''
- launch=gsqlite3
- dnsupdate=yes
- allow-dnsupdate-from=0.0.0.0/0,::/0
- only-notify=
- also-notify=216.218.130.2
- allow-axfr-ips=216.218.133.2,2001:470:600::2
- outgoing-axfr-expand-alias=yes
- expand-alias=yes
- resolver=1.1.1.1
- local-address=${net-ip4} ${net-ip6}
- reuseport=yes
- log-dns-details=no
- log-dns-queries=no
- loglevel=5
- primary=yes
- secondary=yes
- send-signed-notify=no
- prevent-self-notification=no
-
- default-soa-edit=inception-increment
-
- api=yes
- # replaced by secretFile/envsubst
- api-key=$API_KEY
-
- gsqlite3-database=/var/db/pdns/zones.db
- gsqlite3-pragma-foreign-keys=yes
- gsqlite3-dnssec=yes
- '';
- };
+ services.powerdns =
+ let
+ inherit (lib.lists) flatten;
+ inherit (lib.strings) concatStringsSep;
+ he = rec {
+ notify = "216.218.130.2";
+ axfr = [
+ notify
+ "2001:470:600::2"
+ ];
+ };
+ iplist = ips: concatStringsSep "," (flatten ips);
+ in
+ {
+ enable = true;
+ secretFile = config.age.secrets.powerdns.path;
+ extraConfig = ''
+ launch=gsqlite3
+ dnsupdate=yes
+ allow-dnsupdate-from=0.0.0.0/0,::/0
+ only-notify=
+ also-notify=${iplist [ he.notify ]}
+ allow-axfr-ips=${iplist [ he.axfr ]}
+ outgoing-axfr-expand-alias=yes
+ expand-alias=yes
+ resolver=1.1.1.1
+ local-address=${net-ip4} ${net-ip6}
+ reuseport=yes
+ log-dns-details=no
+ log-dns-queries=no
+ loglevel=5
+ primary=yes
+ secondary=yes
+ send-signed-notify=no
+ prevent-self-notification=no
+
+ default-soa-edit=inception-increment
+
+ api=yes
+ # replaced by secretFile/envsubst
+ api-key=$API_KEY
+
+ gsqlite3-database=/var/db/pdns/zones.db
+ gsqlite3-pragma-foreign-keys=yes
+ gsqlite3-dnssec=yes
+ '';
+ };
 systemd.services.hagezi-blocklist-update = {
 enable = true;
-- cgit 1.4.1
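Review bot: The new `allow-axfr-ips` line silently changes the zone-transfer ACL: the removed line listed `216.218.133.2,2001:470:600::2`, but `he.axfr` is built from `notify`, which is `216.218.130.2`, so the rendered value becomes `216.218.130.2,2001:470:600::2` and the old address is no longer permitted. If the old address was correct, `axfr = [ "216.218.133.2" "2001:470:600::2" ];` restores it; if the change is intentional, a short comment on `he` stating what each address is used for would keep the next reader from reverting it. Separately, `iplist [ he.axfr ]` wraps a list inside another list only for `flatten` to undo it; `iplist he.axfr` expresses the same value without the extra brackets. While here, `allow-dnsupdate-from=0.0.0.0/0,::/0` is carried over unchanged; if dynamic updates are only expected from specific hosts, the same `iplist` helper could narrow that ACL too.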