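# NixOS module: sign one DNS zone with DNSSEC and keep the signatures fresh.
#
# The first argument set carries the per-zone inputs (the function is curried so
# the same module can be instantiated once per zone):
#   dns      - the dns library; only `dns.util.${system}.writeZone` is used here
#   ksk      - sops secret base name of the Key Signing Key (".key"/".private" are appended)
#   zsk      - sops secret base name of the Zone Signing Key (".key"/".private" are appended)
#   zone     - zone data in the form expected by writeZone
#   zonename - the zone origin; also used as the systemd unit instance name
# The second argument set is the ordinary NixOS module argument set.
{
  dns,
  ksk,
  zsk,
  zone,
  zonename,
  ...
}: {
  pkgs,
  system,
  ...
}: let
  inherit (dns.util.${system}) writeZone;

  # Unsigned zone file in the Nix store. The signed copy is produced at runtime
  # under /var/lib/named so the private keys never have to enter the store.
  zoneFile = writeZone zonename zone;

  # dnssec-signzone takes a key *base* name and appends .key / .private itself,
  # so these paths must match the sops.secrets names declared below.
  kskPath = "/run/secrets/${ksk}";
  zskPath = "/run/secrets/${zsk}";
in {
  systemd.services."zonesign@${zonename}" = {
    description = "Signing the DNS zone '${zonename}'";
    wantedBy = ["bind.service"];
    before = ["bind.service"];

    # `before` only orders unit *start*. With the default Type=simple the unit is
    # considered started as soon as the script is forked, so bind could start
    # before the signed zone exists. oneshot makes bind wait for completion.
    serviceConfig.Type = "oneshot";

    script = ''
      # pipefail: without it a failure inside the salt pipeline below would
      # produce an empty NSEC3 salt and the run would still continue.
      set -euxo pipefail

      # Create the named directory if it doesn't exist
      ${pkgs.coreutils}/bin/mkdir -pv /var/lib/named

      # Fresh random NSEC3 salt for every signing run (32 hex chars = 16 bytes).
      salt=$(${pkgs.coreutils}/bin/head -c 16 /dev/urandom | ${pkgs.coreutils}/bin/sha256sum | ${pkgs.coreutils}/bin/cut -b 1-32)

      # Sign the zone and write it to /var/lib/named
      #   -o  zone origin
      #   -k  key signing key (base name, .key/.private appended by the tool)
      #   -a  verify all generated signatures before writing
      #   -3  use NSEC3 with the given salt
      #   -f  output file for the signed zone
      ${pkgs.bind}/bin/dnssec-signzone -o ${zonename} -k ${kskPath} -a -3 "$salt" -f /var/lib/named/${zonename} ${zoneFile} ${zskPath}

      # Best effort: at boot this unit runs before bind is up, so the reload
      # fails harmlessly; on timer-driven re-signs it picks up the new zone.
      ${pkgs.systemd}/bin/systemctl reload bind || true
    '';
  };

  # Re-sign once a day (with jitter) so RRSIGs are renewed well inside their
  # validity window.
  systemd.timers."zonesign@${zonename}" = {
    description = "Resign the DNS zone '${zonename}'";
    timerConfig = {
      Unit = "zonesign@${zonename}.service";
      OnUnitInactiveSec = 86400;
      RandomizedDelaySec = 3600;
    };
    # NOTE(review): timers are usually pulled in via timers.target; being wanted
    # by bind.service works as long as bind is enabled — confirm this is intended.
    wantedBy = ["bind.service"];
  };

  # Both halves of each key pair are provisioned by sops-nix next to each other,
  # which is what dnssec-signzone expects when given the base name. The .key
  # files hold public key material but are declared here so they land in the
  # same directory as the .private files.
  sops.secrets."${ksk}.key" = {};
  sops.secrets."${ksk}.private" = {};
  sops.secrets."${zsk}.key" = {};
  sops.secrets."${zsk}.private" = {};
}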