Diffstat (limited to 'sys/ns/nsd.nix')
| -rw-r--r-- | sys/ns/nsd.nix | 59 |
1 files changed, 49 insertions, 10 deletions
diff --git a/sys/ns/nsd.nix b/sys/ns/nsd.nix
index 74fa7dd..1dfa16b 100644
--- a/sys/ns/nsd.nix
+++ b/sys/ns/nsd.nix
@@ -1,15 +1,29 @@
 { config, lib, ... }:
 with lib;
 let
+  inherit (config.networking) domain;
+
   cfg = config.local.ns.server;
+
+  acmeChallengeDomain = "acme-challenge.${domain}";
 in {
-  options.local.ns.server = {
+  options. local. ns. server = {
     enable = mkEnableOption "nsd authoritative server";
 
     tsigName = mkOption {
       type = types.str;
       default = "NOKEY";
     };
+
+    acme = {
+      apiListen.v6 = mkOption {
+        type = types.str;
+      };
+
+      dnsListen.v6 = mkOption {
+        type = types.str;
+      };
+    };
   };
 
   config = mkIf cfg.enable {
@@ -29,19 +43,44 @@ in
         allowedUDPPorts = [ port ];
       };
 
-    services.nsd = {
-      enable = true;
+    services = {
+      acme-dns = {
+        enable = true;
+        settings = {
+          api = {
+            ip = "[${cfg.acme.apiListen.v6}]";
+            port = 80;
+          };
 
-      ipFreebind = true;
+          general = {
+            domain = acmeChallengeDomain;
+            nsname = acmeChallengeDomain;
+            nsadmin = "hostmaster.${domain}";
 
-      bind8Stats = true;
-      statistics = 3600;
+            listen = "[${cfg.acme.dnsListen.v6}]:53";
 
-      tcpCount = 128;
-      tcpTimeout = 30;
-      tcpQueryCount = 128;
+            records = [
+              "${acmeChallengeDomain}. NS ${acmeChallengeDomain}."
+              "${acmeChallengeDomain}. AAAA ${cfg.acme.dnsListen.v6}"
+            ];
+          };
+        };
+      };
+
+      nsd = {
+        enable = true;
+
+        ipFreebind = true;
 
-      zones = mapAttrs' (name: zone: nameValuePair "${name}." zone.nsdConfig) config.local.ns.zones;
+        bind8Stats = true;
+        statistics = 3600;
+
+        tcpCount = 128;
+        tcpTimeout = 30;
+        tcpQueryCount = 128;
+
+        zones = mapAttrs' (name: zone: nameValuePair "${name}." zone.nsdConfig) config.local.ns.zones;
+      };
     };
   };
 } |
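Review bot: The two new options `acme.apiListen.v6` and `acme.dnsListen.v6` carry no `description` and no `default`, and are typed as a bare `types.str` even though the second hunk wraps the values in `[...]` and places one of them verbatim into an AAAA record, so a hostname or an already-bracketed literal passes evaluation and only fails when acme-dns starts. Add a description that states the contract, e.g. `description = "IPv6 address (bare literal, no brackets) the acme-dns HTTP API binds to";` and the matching text for the DNS listener, and consider an assertion (or a stricter address type if the repository has one) that rejects values containing `[` or `:`-less strings. The attribute path `options. local. ns. server` with spaces after each dot may be a rendering artifact of this page; if it is really in the file it is valid Nix but inconsistent with `config.local.ns.server` three lines above, so restore `options.local.ns.server`.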
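Review bot: The acme-dns HTTP API is bound to `cfg.acme.apiListen.v6` on plain-text port 80 and the `settings.api` block sets no `disable_registration`, so the acme-dns default of open registration applies: any host that can reach that address can create accounts, and the per-account credentials of the legitimate ACME clients travel unencrypted in every update request. Once the clients have registered, add `disable_registration = true;` next to `ip` and `port` in `settings.api`, and/or restrict reachability of port 80 to those clients; the firewall block that ends with `allowedUDPPorts = [ port ];` starts before this hunk, and nothing in the hunk opens port 80 or TCP/UDP 53 for the new `dnsListen.v6` address, so confirm that is handled elsewhere. The `records` list only declares the self-referential `NS` and its `AAAA` glue; the parent zone in `config.local.ns.zones` still needs a matching delegation for `acme-challenge.${domain}` for validators to reach this server, which is presumably defined outside this file.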
