darkkirb/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests 2 Projects Releases Packages Wiki Activity Actions
nixos-config/zones/signzone.nix

36 lines
1.2 KiB
Nix
Raw Normal View History

add ksk and zsk, fix the file names, etc
2022-02-09 08:27:19 +00:00
{ dns, ksk, zsk, zone, zonename, ... }: { pkgs, system, ... }:
Add authorative zones hopefully
2022-02-08 21:01:33 +00:00
let
writeZone = dns.util.${system}.writeZone;
zoneFile = writeZone zonename zone;
in
{
systemd.services."zonesign@${zonename}" = {
description = "Signing the DNS zone '${zonename}'";
wantedBy = [ "bind.service" ];
before = [ "bind.service" ];
script = ''
set -ex
# Create the named directory if it doesnt exist
${pkgs.coreutils}/bin/mkdir -pv /var/lib/named
# Sign the zone and write it to /var/lib/named
add ksk and zsk, fix the file names, etc
2022-02-09 08:27:19 +00:00
${pkgs.bind}/bin/dnssec-signzone -k /run/secrets/${ksk} -a -3 $(${pkgs.coreutils}/bin/head -c 16 /dev/urandom | ${pkgs.coreutils}/bin/sha256sum | ${pkgs.coreutils}/bin/cut -b 1-32) -f /var/lib/named/${zonename} ${zoneFile} /run/secrets/${zsk}
Add authorative zones hopefully
2022-02-08 21:01:33 +00:00
${pkgs.bind}/bin/rndc reload ${zonename} || true
'';
};
systemd.timers."zonesign@${zonename}" = {
description = "Resign the DNS zone '${zonename}'";
timerConfig = {
Unit = "zonesign@${zonename}.service";
OnUnitInactiveSec = 86400;
RandomizedDelaySec = 3600;
};
wantedBy = [ "bind.service" ];
};
add ksk and zsk, fix the file names, etc
2022-02-09 08:27:19 +00:00
sops.secrets."${ksk}.key" = { };
sops.secrets."${ksk}.private" = { };
sops.secrets."${zsk}.key" = { };
sops.secrets."${zsk}.private" = { };
Add authorative zones hopefully
2022-02-08 21:01:33 +00:00
}
Reference in a new issue Copy permalink