colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

trust-dns: perform more specialization via structured config instead of sed

Browse Source
This commit is contained in:
Colin
2023-10-02 22:02:46 +00:00
parent 48715546e2
commit 01cad7b702
1 changed files with 51 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

121
hosts/by-name/servo/services/trust-dns.nix
View File

@@ -9,12 +9,6 @@ in lib.mkMerge [
{ {
services.trust-dns.enable = true; services.trust-dns.enable = true;
services.trust-dns.settings.listen_addrs_ipv4 = [
# specify each address explicitly, instead of using "*".
# this ensures responses are sent from the address at which the request was received.
# it also allows to respond with different data based on the source of the traffic
"%LISTEN%"
];
# don't bind to IPv6 until i explicitly test that stack # don't bind to IPv6 until i explicitly test that stack
services.trust-dns.settings.listen_addrs_ipv6 = []; services.trust-dns.settings.listen_addrs_ipv6 = [];
services.trust-dns.quiet = true; services.trust-dns.quiet = true;
@@ -118,7 +112,63 @@ in lib.mkMerge [
sed = "${pkgs.gnused}/bin/sed"; sed = "${pkgs.gnused}/bin/sed";
zoneDir = "/var/lib/trust-dns"; zoneDir = "/var/lib/trust-dns";
zoneTemplate = pkgs.writeText "uninsane.org.zone.in" config.sane.dns.zones."uninsane.org".rendered; zoneTemplate = pkgs.writeText "uninsane.org.zone.in" config.sane.dns.zones."uninsane.org".rendered;
hnResolverConfig = pkgs.writeText "hn-resolver-config.toml" ''
anativeMap = {
lan = bindLan;
hn = bindHn;
wan = "%AWAN%"; # substituted in preStart
};
zoneFor = flavor: "${zoneDir}/${flavor}/uninsane.org.zone";
mkTrustDnsService = opts: flavor: let
flags = let baseCfg = config.services.trust-dns; in
(lib.optional baseCfg.debug "--debug") ++ (lib.optional baseCfg.quiet "--quiet");
flagsStr = builtins.concatStringsSep " " flags;
# TODO: since we compute the config here, we can customize the listen address right here instead of doing a string substitution.
toml = pkgs.formats.toml { };
configTemplate = opts.config or (toml.generate "trust-dns-${flavor}.toml" (
(
lib.filterAttrsRecursive (_: v: v != null) config.services.trust-dns.settings
) // {
listen_addrs_ipv4 = opts.listen or [ anative ];
}
));
configFile = "${zoneDir}/${flavor}-config.toml";
anative = anativeMap."${flavor}";
port = opts.port or 53;
in {
description = "trust-dns Domain Name Server (serving ${flavor})";
unitConfig.Documentation = "https://trust-dns.org/";
preStart = ''
wan=$(cat '${config.sane.services.dyn-dns.ipPath}')
${sed} s/%AWAN%/$wan/ ${configTemplate} > ${configFile}
'' + lib.optionalString (!opts ? config) ''
${sed} \
-e s/%CNAMENATIVE%/servo.${flavor}/ \
-e s/%ANATIVE%/${anative}/ \
-e s/%AWAN%/$wan/ \
${zoneTemplate} > ${zoneFor flavor}
'';
serviceConfig = config.systemd.services.trust-dns.serviceConfig // {
ExecStart = ''
${pkgs.trust-dns}/bin/trust-dns \
--port ${builtins.toString port} \
--zonedir ${zoneDir}/${flavor}/ \
--config ${configFile} ${flagsStr}
'';
};
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
};
in {
trust-dns-wan = mkTrustDnsService { listen = [ bindLan bindOvpn ]; } "wan";
trust-dns-lan = mkTrustDnsService { port = 1053; } "lan";
trust-dns-hn = mkTrustDnsService { port = 1053; } "hn";
trust-dns-hn-resolver = mkTrustDnsService {
config = pkgs.writeText "hn-resolver-config.toml" ''
# i host a resolver in the wireguard VPN so that clients can resolve DNS through the VPN. # i host a resolver in the wireguard VPN so that clients can resolve DNS through the VPN.
# (that's what this file achieves). # (that's what this file achieves).
# #
@@ -147,62 +197,7 @@ in lib.mkMerge [
zone_type = "Forward" zone_type = "Forward"
stores = { type = "forward", name_servers = [{ socket_addr = "127.0.0.53:53", protocol = "udp", trust_nx_responses = true }] } stores = { type = "forward", name_servers = [{ socket_addr = "127.0.0.53:53", protocol = "udp", trust_nx_responses = true }] }
''; '';
} "hn-resolver";
anativeMap = {
lan = bindLan;
hn = bindHn;
wan = "$wan"; # evaluated at runtime
};
zoneFor = flavor: "${zoneDir}/${flavor}/uninsane.org.zone";
mkTrustDnsService = opts: flavor: let
flags = let baseCfg = config.services.trust-dns; in
(lib.optional baseCfg.debug "--debug") ++ (lib.optional baseCfg.quiet "--quiet");
flagsStr = builtins.concatStringsSep " " flags;
# TODO: since we compute the config here, we can customize the listen address right here instead of doing a string substitution.
toml = pkgs.formats.toml { };
origConfig = toml.generate "trust-dns.toml" (
lib.filterAttrsRecursive (_: v: v != null) config.services.trust-dns.settings
);
configFile = "${zoneDir}/${flavor}-config.toml";
anative = anativeMap."${flavor}";
listen = opts.listen or anative;
port = opts.port or 53;
makeConfig = if opts ? config then
"ln -sf ${opts.config} ${configFile}"
else ''
wan=$(cat '${config.sane.services.dyn-dns.ipPath}')
${sed} \
-e s/%AWAN%/$wan/ \
-e s/%CNAMENATIVE%/servo.${flavor}/ \
-e s/%ANATIVE%/${anative}/ \
${zoneTemplate} > ${zoneFor flavor}
# listen only on the desired interfaces
sed 's/%LISTEN%/${listen}/' ${origConfig} > ${configFile}
'';
in {
description = "trust-dns Domain Name Server (serving ${flavor})";
unitConfig.Documentation = "https://trust-dns.org/";
preStart = makeConfig;
serviceConfig = config.systemd.services.trust-dns.serviceConfig // {
ExecStart = ''
${pkgs.trust-dns}/bin/trust-dns \
--port ${builtins.toString port} \
--zonedir ${zoneDir}/${flavor}/ \
--config ${configFile} ${flagsStr}
'';
};
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
};
in {
trust-dns-wan = mkTrustDnsService { listen = ''${bindLan}", "${bindOvpn}''; } "wan";
trust-dns-lan = mkTrustDnsService { port = 1053; } "lan";
trust-dns-hn = mkTrustDnsService { port = 1053; } "hn";
trust-dns-hn-resolver = mkTrustDnsService { config = hnResolverConfig; } "hn-resolver";
}; };
sane.services.dyn-dns.restartOnChange = [ sane.services.dyn-dns.restartOnChange = [