nix-community / dns.nix Goto Github PK
View Code? Open in Web Editor NEWA Nix DSL for DNS zone files [maintainers=@raitobezarius @kirelagin @Tom-Hubrecht]
License: Mozilla Public License 2.0
A Nix DSL for DNS zone files [maintainers=@raitobezarius @kirelagin @Tom-Hubrecht]
License: Mozilla Public License 2.0
First off this library is great, definitely a much nicer way to define DNS records, and I'd be thrilled if it was in core NixOS.
I see a mention of Let's Encrypt in the library; do you use DNS-based authentication with Let's Encrypt? I'm finding it rather difficult to set up with nsd and dns.nix, and if you do use DNS-based authentication, it would be useful to have an example of it.
dns.nix appears to unconditionally append a period to the name component of all records.
This rules out creating records such as
subdomain 60 IN A 1.2.3.4
i.e. ones where the domain name is considered relative to the zone origin.
This is frequently useful, for example to use the same zone file for multiple origins.
Note: I haven't looked at the code too closely, so it's possible that I'm missing something and it's already possible to do this.
See DMARC specification, Section 7.1.
We should provide a combinator that will allow one to create a record that says “I am ok receiving reports from ” and optionally override the destination. Don’t forget support for wildcards.
This is going to be a rather simple TXT record.
writeZone
relies on pkgs.writeTextFile
, which is only available when the full nixpkgs
is instantiated (import "${nixpkgs}" { system = "some-system"; }
). It's simple enough a wrapper that I can just call writeTextFile
myself, but I guess it should be documented somewhere along with writeZone
itself.
Looks like something related to types is wrong, but the laziness of Nix comes to rescue, which made it unnoticed until this issue.
error: cannot coerce a set to a string
at /nix/store/lbv7b80mmv8cb7ihq9ksj4bwkdk23biw-source/dns/types/zone.nix:40:22:
39| example = [ t.example ];
40| description = "List of ${t} records for this zone/subzone";
| ^
41| }) rsubtypes';
nix eval .#lib
error: cannot coerce a set to a string
at /nix/store/lbv7b80mmv8cb7ihq9ksj4bwkdk23biw-source/dns/types/zone.nix:40:22:
39| example = [ t.example ];
40| description = "List of ${t} records for this zone/subzone";
| ^
41| }) rsubtypes';
… while evaluating the attribute 'description'
at /nix/store/lbv7b80mmv8cb7ihq9ksj4bwkdk23biw-source/dns/types/zone.nix:40:7:
39| example = [ t.example ];
40| description = "List of ${t} records for this zone/subzone";
| ^
41| }) rsubtypes';
… while evaluating the attribute 'A'
… while evaluating the attribute 'options'
at /nix/store/lbv7b80mmv8cb7ihq9ksj4bwkdk23biw-source/dns/types/zone.nix:44:5:
43| subzone = types.submodule {
44| options = subzoneOptions;
| ^
45| };
… while evaluating the attribute 'modules'
at /nix/store/xj7afnfszb4a883wjxv9xnlpqj352cis-source/lib/types.nix:567:13:
566| payload = {
567| modules = modules;
| ^
568| specialArgs = specialArgs;
… while evaluating the attribute 'payload'
at /nix/store/xj7afnfszb4a883wjxv9xnlpqj352cis-source/lib/types.nix:566:11:
565| type = types.submoduleWith;
566| payload = {
| ^
567| modules = modules;
… while evaluating the attribute 'functor'
at /nix/store/xj7afnfszb4a883wjxv9xnlpqj352cis-source/lib/types.nix:156:14:
155| { _type = "option-type";
156| inherit name check merge emptyValue getSubOptions getSubModules substSubModules typeMerge functor deprecationMessage nestedTypes;
| ^
157| description = if description == null then name else description;
… while evaluating the attribute 'subzone'
at /nix/store/lbv7b80mmv8cb7ihq9ksj4bwkdk23biw-source/dns/types/default.nix:11:47:
10| inherit (import ./simple.nix { inherit lib; }) domain-name;
11| inherit (import ./zone.nix { inherit lib; }) zone subzone;
| ^
12| record = import ./record.nix { inherit lib; };
… while evaluating the attribute 'types'
at /nix/store/lbv7b80mmv8cb7ihq9ksj4bwkdk23biw-source/flake.nix:22:22:
21| inherit (dns) combinators;
22| inherit (dns) types;
| ^
23| toString = name: zone: builtins.toString (dns.evalZone name zone);
Whats the maintenance status on this repo? There are some PRs open for long time which are seemingly are not being reviewed. I and @astro are already using it for https://gitea.c3d2.de/zentralwerk/network and planning to template our entire DNS with it and for that we would like to potentially get some changes in and not rely on a fork.
Currently we only have example.nix
, which incorporates almost all kinds of records, but it looks like it’s time to get an actual test suite, that will not only cover all of the functionality in terms of supported record types, but will also cover some of the logic, which the code is starting to accumulate.
I think it would not be a bad idea to have detailed examples of various options for integrating the zones into NixOS configurations of various styles (e.g. #19).
Currently its a little annoying to create a subdomain host with a specific TTL. I would suggest something like the following:
{
hostTTL = ttl: ipv4: ipv6:
lib.optionalAttrs (ipv4 != null) { A = [{ address = ipv4; inherit ttl; }]; } //
lib.optionalAttrs (ipv6 != null) { AAAA = [{ address = ipv6; inherit ttl; }]; };
}
Bind9 has a length limit for TXT records.
When creating e.g. a DKIM record with the following key: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0D9oTjw3GT1mQY7oOb9k7oEqxwFzpH3x0+5I3BzPiahiuhUdXgW5pt1KOddwVLzxsKkqTkTACyLRAaJVX4yKq06GeiIKYE8NU1Tt+N4/cUVjLqWQ8q80u8UkLdgrdIlwBb+p079OXogSnpg0N762bqyB1uEADhUNjRP6lQMYfBAzqVJNkUo4ABm+GsWlcPuhOBc0Sp6F5IhvBx/uyyzz46f/50kHOQgYWCblGwglrX9awEEBiMtWtGNBH7iO0DqL4AiJJC8PBvj2kS5sCdZRfCHRBGPczClmvCWf2JA6pL+PFqwtne35KGFIRHOluv3cn6YzQU3jhTaMMOWrgXHcFQIDAQAB
the record is too long and leads to a syntax error in the zone.
This behavior is confirm to RFC 1035 Section 3.3:
<character-string> is treated as binary information, and can be up to 256 characters in length (including the length octet).
A fix is available over here: https://serverfault.com/questions/571720/publishing-long-domain-key-records-in-bind9
I've deployed dns.nix in my config, but this line https://git.dotya.ml/RiXotStudio/system-management/src/branch/central/services/named/bind.nix#L11 causes an infinite recursion that community support in nix's matrix channel suspect is coming from dns.nix
Log: http://ix.io/3sbs
Currently i have to put this codeblock in all imported files to have dns.*
available:
# https://git.dotya.ml/RiXotStudio/system-management/src/commit/bb1a8104567c95c3502dab31a5854010d7441d7f/services/named/bind.nix#L4
dns = import (pkgs.fetchFromGitHub {
owner = "kirelagin";
repo = "dns.nix";
rev = "v1.1.0";
sha256 = "0zvg92fjrfmdylk8ic3b2srsrqc8ii94a1ir0v5sknjyxvy5f3rf";
});
Is there a way to define this as a module to have it available in all imported files to avoid duplicate code e.g.
{ config, lib, dns, ... }:
let
zoneFile = dns.util.${builtins.currentSystem}.writeZone "${config.networking.fqdn}" (import (../../domains + "/${config.networking.domain}" + /machines + "/${config.networking.hostName}" + /zones/main.nix) { inherit dns; inherit config; });
in {
networking.firewall.allowedTCPPorts = lib.optional config.services.bind.enable 53;
services.bind = {
# FIXME(Krey): Research as tor's DNS is only resolving A and AAAA ?
# forwarders = if(config.services.tor.client.dns.enable == true )
# then [
# # BUG(Krey): https://github.com/NixOS/nixpkgs/issues/129714
# "127.0.0.1 port 9053"
# ]
# else [ ];
zones = {
"${config.networking.fqdn}" = {
file = zoneFile;
master = true;
masters = [ "${config.networking.interfaces.enp7s0.ipv4.addresses}" ];
};
};
};
}
Notice the { config, lib, dns, ... }:
I am trying to solve this for 4 days while none in matrix channel for nixOS knows how to do this without causing an infinite recursion as highlighted in NixOS/nix#5007
It would be nice to be able to set the default TTL globally for a given zone.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.