
commit b00c6814c133964a5807bcef87889cb4d8d161ba
parent a9a2f802ffb0458620b73aa6599820d438cd2133
Author: Katja (ctucx) <git@ctu.cx>
Date: Sat, 1 Mar 2025 16:56:46 +0100

modules/linux/dns: implement `keyFiles` and `extraACL` options
1 file changed, 28 insertions(+), 11 deletions(-)
M
modules/linux/dns.nix
|
39
++++++++++++++++++++++++++++-----------
diff --git a/modules/linux/dns.nix b/modules/linux/dns.nix
@@ -1,5 +1,9 @@
 { currentSystem, nodes, config, lib, pkgs, ... }:
 
+#
+# this module requires lix' experimental `pipe-operator` feature!
+#
+
 with lib;
 
 let

@@ -41,7 +45,7 @@ in {
 
     zonesDir = lib.mkOption {
       type    = lib.types.str;
-      default = "zones";
+      default = "nixZones";
     };
 
     dataDir = lib.mkOption {

@@ -49,6 +53,11 @@ in {
       default = "/var/lib/knot";
     };
 
+    keyFiles = lib.mkOption {
+      type    = types.listOf types.path;
+      default = [];
+    };
+
     # contains dns entries defined on the local host
     zones = mkOption {
       type    = lib.types.attrsOf pkgs.dns.lib.types.subzone;
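Review bot: The new `keyFiles` option in this hunk has no `description`, and its `types.path` element type deserves a caveat: a Nix path literal assigned here is copied into the world-readable Nix store when it is rendered into the knot configuration, which defeats the point of keeping TSIG key material out of the store. The value is handed on to the `keyFiles` attribute of what is presumably `services.knot` (hunk at `enable   = true;`), so the description should tell callers to pass absolute string paths to files provisioned outside the store, e.g. `description = "Extra config files included into knot.conf (e.g. TSIG keys). Pass absolute string paths to files managed outside the Nix store; a path literal would copy the secret into /nix/store.";`. The sibling options spell the type as `lib.types.…` while this one relies on the bare `types.` from `with lib;` — worth aligning. The same missing description applies to `extraACL` in the following hunk.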

@@ -65,6 +74,11 @@ in {
       type    = (pkgs.formats.yaml { }).type;
       default = {};
     };
+
+    extraACL = mkOption {
+      type    = (pkgs.formats.yaml { }).type;
+      default = {};
+    };
   };
 
   config = mkIf cfg.enable {

@@ -90,8 +104,8 @@ in {
       secondaryAddresses = filterDNSServerAddresses   nodes false;
       secondaries        = filterDNSServerSecondaries nodes;
     in {
-	    enable = true;
-	    keyFiles = [];
+	    enable   = true;
+	    keyFiles = lib.mkIf (cfg.keyFiles != []) cfg.keyFiles;
 	    settings = {
 	      log.syslog.any = "info";
 

@@ -105,11 +119,13 @@ in {
 
         remote = { primary.address = primaryAddresses; } // secondaries;
 
-        acl.allowTransfer.address = secondaryAddresses;
-        acl.allowTransfer.action  = "transfer";
+        acl = {
+          allowTransfer.address = secondaryAddresses;
+          allowTransfer.action  = "transfer";
 
-        acl.allowNotify.address   = primaryAddresses;
-        acl.allowNotify.action    = "notify";
+          allowNotify.address   = primaryAddresses;
+          allowNotify.action    = "notify";
+        } // cfg.extraACL;
 
         template = let
           notify = {
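Review bot: `} // cfg.extraACL;` is a shallow, right-biased merge, so an `extraACL` entry named `allowTransfer` or `allowNotify` silently replaces the generated secondary/primary address lists rather than extending them, and those two ACLs are what restrict zone transfers and notifies to the known nodes; the last hunk also hard-codes the `allowTransfer` name when building per-zone ACL lists. A name collision should fail evaluation instead of being overwritten: `acl = assert !(cfg.extraACL ? allowTransfer || cfg.extraACL ? allowNotify);` placed in front of the existing attribute set, or alternatively state in the `extraACL` option description that these two names are reserved. The enclosing `settings` set continues outside the hunk.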

@@ -156,13 +172,14 @@ in {
           "catalog.".catalog-template = "secondaryZone";
           "catalog.".template         = "secondaryZone";
         } else {
-          "catalog.".catalog-role = "generate";
-          "catalog.".template     = "notifyZone";
+          "catalog.".catalog-role  = "generate";
+          "catalog.".template      = "notifyZone";
         } // (lib.mapAttrs (name: zone: {
           template = "primaryZone";
-        }) cfg.allZones) // (lib.mapAttrs (name: zone: {
+        }) cfg.allZones) // (lib.mapAttrs (name: zone: zone // {
           template = "extraZone";
-        } // zone) cfg.extraZones);
+          acl      = lib.mkIf (builtins.hasAttr "acl" zone) (lib.flatten [ [ "allowTransfer" ] zone.acl ]);
+        }) cfg.extraZones);
 	    };
   	};