darkkirb/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests 3 Projects Releases Packages Wiki Activity Actions
nixos-config/zones/signzone.nix

33 lines
1.1 KiB
Nix
Raw Normal View History

Add authorative zones hopefully
2022-02-08 21:01:33 +00:00
{ dns, keyname, zone, zonename, ... }: { pkgs, system, ... }:
let
writeZone = dns.util.${system}.writeZone;
zoneFile = writeZone zonename zone;
in
{
systemd.services."zonesign@${zonename}" = {
description = "Signing the DNS zone '${zonename}'";
wantedBy = [ "bind.service" ];
before = [ "bind.service" ];
script = ''
set -ex
# Create the named directory if it doesnt exist
${pkgs.coreutils}/bin/mkdir -pv /var/lib/named
# Sign the zone and write it to /var/lib/named
${pkgs.bind}/bin/dns-signzone -k /run/secrets/${keyname} -a -p -r /dev/urandom -3 $(${pkgs.coreutils}/bin/head -c 16 /dev/urandom | ${pkgs.coreutils}/bin/sha256sum | ${pkgs.coreutils}/bin/cut -b 1-32) -f /var/lib/named/${zonename} ${zoneFile}
${pkgs.bind}/bin/rndc reload ${zonename} || true
'';
};
systemd.timers."zonesign@${zonename}" = {
description = "Resign the DNS zone '${zonename}'";
timerConfig = {
Unit = "zonesign@${zonename}.service";
OnUnitInactiveSec = 86400;
RandomizedDelaySec = 3600;
};
wantedBy = [ "bind.service" ];
};
sops.secrets."${keyname}" = { };
}
Reference in a new issue Copy permalink