bind: log to /var/log/named/named.log

hosts/common/net/dns/bind.nix

@@ -1,4 +1,5 @@
 # debugging:
+# - /var/log/named/named.log
 ## config
 # - `man named`
 # - `man named.conf`
@@ -65,7 +66,10 @@ in
     # '';
 
     services.bind.extraArgs = [
-      "-d" "4"  # debug logging level: higher = more verbose
+      # -d = debug logging level: higher = more verbose
+      "-d" "2"
+      # -L = where to log. default is `named.run` in PWD -- unless running interactively in which case it logs to stdout
+      "-L" "/var/log/named/named.log"
     ];
 
     networking.resolvconf.useLocalResolver = false;  #< we manage resolvconf explicitly, above
@@ -119,5 +123,15 @@ in
         cat "/run/named/dhcp-configs/$c" >> /run/named/dhcp-configs.conf
       done
     '';
+    systemd.services.bind.serviceConfig.ReadWritePaths = [
+      "/var/log/named"
+    ];
+
+    sane.persist.sys.byPath."/var/log/named" = {
+      store = "ephemeral";
+      method = "symlink";
+      acl.mode = "0750";
+      acl.user = "named";
+    };
   };
 }