nix-community / dns.nix Goto Github PK

First off this library is great, definitely a much nicer way to define DNS records, and I'd be thrilled if it was in core NixOS.

I see a mention of Let's Encrypt in the library; do you use DNS-based authentication with Let's Encrypt? I'm finding it rather difficult to set up with nsd and dns.nix, and if you do use DNS-based authentication, it would be useful to have an example of it.

dns.nix appears to unconditionally append a period to the name component of all records.

This rules out creating records such as

subdomain 60 IN A 1.2.3.4

i.e. ones where the domain name is considered relative to the zone origin.
This is frequently useful, for example to use the same zone file for multiple origins.

Note: I haven't looked at the code too closely, so it's possible that I'm missing something and it's already possible to do this.

See DMARC specification, Section 7.1.

We should provide a combinator that will allow one to create a record that says “I am ok receiving reports from ” and optionally override the destination. Don’t forget support for wildcards.

This is going to be a rather simple TXT record.

writeZone relies on pkgs.writeTextFile, which is only available when the full nixpkgs is instantiated (import "${nixpkgs}" { system = "some-system"; }). It's simple enough a wrapper that I can just call writeTextFile myself, but I guess it should be documented somewhere along with writeZone itself.

Looks like something related to types is wrong, but the laziness of Nix comes to rescue, which made it unnoticed until this issue.

Error message

error: cannot coerce a set to a string

       at /nix/store/lbv7b80mmv8cb7ihq9ksj4bwkdk23biw-source/dns/types/zone.nix:40:22:

           39|       example = [ t.example ];
           40|       description = "List of ${t} records for this zone/subzone";
             |                      ^
           41|     }) rsubtypes';

Steps to reproduce

nix eval .#lib

Environment

• nix: 2.5pre20211007_844dd90
• nixpkgs: (flake.lock)

Full trace stack

error: cannot coerce a set to a string

       at /nix/store/lbv7b80mmv8cb7ihq9ksj4bwkdk23biw-source/dns/types/zone.nix:40:22:

           39|       example = [ t.example ];
           40|       description = "List of ${t} records for this zone/subzone";
             |                      ^
           41|     }) rsubtypes';

       … while evaluating the attribute 'description'

       at /nix/store/lbv7b80mmv8cb7ihq9ksj4bwkdk23biw-source/dns/types/zone.nix:40:7:

           39|       example = [ t.example ];
           40|       description = "List of ${t} records for this zone/subzone";
             |       ^
           41|     }) rsubtypes';

       … while evaluating the attribute 'A'

       … while evaluating the attribute 'options'

       at /nix/store/lbv7b80mmv8cb7ihq9ksj4bwkdk23biw-source/dns/types/zone.nix:44:5:

           43|   subzone = types.submodule {
           44|     options = subzoneOptions;
             |     ^
           45|   };

       … while evaluating the attribute 'modules'

       at /nix/store/xj7afnfszb4a883wjxv9xnlpqj352cis-source/lib/types.nix:567:13:

          566|           payload = {
          567|             modules = modules;
             |             ^
          568|             specialArgs = specialArgs;

       … while evaluating the attribute 'payload'

       at /nix/store/xj7afnfszb4a883wjxv9xnlpqj352cis-source/lib/types.nix:566:11:

          565|           type = types.submoduleWith;
          566|           payload = {
             |           ^
          567|             modules = modules;

       … while evaluating the attribute 'functor'

       at /nix/store/xj7afnfszb4a883wjxv9xnlpqj352cis-source/lib/types.nix:156:14:

          155|     { _type = "option-type";
          156|       inherit name check merge emptyValue getSubOptions getSubModules substSubModules typeMerge functor deprecationMessage nestedTypes;
             |              ^
          157|       description = if description == null then name else description;

       … while evaluating the attribute 'subzone'

       at /nix/store/lbv7b80mmv8cb7ihq9ksj4bwkdk23biw-source/dns/types/default.nix:11:47:

           10|   inherit (import ./simple.nix { inherit lib; }) domain-name;
           11|   inherit (import ./zone.nix { inherit lib; }) zone subzone;
             |                                               ^
           12|   record = import ./record.nix { inherit lib; };

       … while evaluating the attribute 'types'

       at /nix/store/lbv7b80mmv8cb7ihq9ksj4bwkdk23biw-source/flake.nix:22:22:

           21|         inherit (dns) combinators;
           22|         inherit (dns) types;
             |                      ^
           23|         toString = name: zone: builtins.toString (dns.evalZone name zone);

Whats the maintenance status on this repo? There are some PRs open for long time which are seemingly are not being reviewed. I and @astro are already using it for https://gitea.c3d2.de/zentralwerk/network and planning to template our entire DNS with it and for that we would like to potentially get some changes in and not rely on a fork.

cc @RaitoBezarius @kirelagin @Tom-Hubrecht

Currently we only have example.nix, which incorporates almost all kinds of records, but it looks like it’s time to get an actual test suite, that will not only cover all of the functionality in terms of supported record types, but will also cover some of the logic, which the code is starting to accumulate.

I think it would not be a bad idea to have detailed examples of various options for integrating the zones into NixOS configurations of various styles (e.g. #19).

Currently its a little annoying to create a subdomain host with a specific TTL. I would suggest something like the following:

{
  hostTTL = ttl: ipv4: ipv6:
     lib.optionalAttrs (ipv4 != null) { A = [{ address = ipv4; inherit ttl; }]; } //
     lib.optionalAttrs (ipv6 != null) { AAAA = [{ address = ipv6; inherit ttl; }]; };
}

Bind9 has a length limit for TXT records.

When creating e.g. a DKIM record with the following key: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0D9oTjw3GT1mQY7oOb9k7oEqxwFzpH3x0+5I3BzPiahiuhUdXgW5pt1KOddwVLzxsKkqTkTACyLRAaJVX4yKq06GeiIKYE8NU1Tt+N4/cUVjLqWQ8q80u8UkLdgrdIlwBb+p079OXogSnpg0N762bqyB1uEADhUNjRP6lQMYfBAzqVJNkUo4ABm+GsWlcPuhOBc0Sp6F5IhvBx/uyyzz46f/50kHOQgYWCblGwglrX9awEEBiMtWtGNBH7iO0DqL4AiJJC8PBvj2kS5sCdZRfCHRBGPczClmvCWf2JA6pL+PFqwtne35KGFIRHOluv3cn6YzQU3jhTaMMOWrgXHcFQIDAQAB

the record is too long and leads to a syntax error in the zone.

This behavior is confirm to RFC 1035 Section 3.3:

<character-string> is treated as binary information, and can be up to 256 characters in length (including the length octet).

A fix is available over here: https://serverfault.com/questions/571720/publishing-long-domain-key-records-in-bind9

I've deployed dns.nix in my config, but this line https://git.dotya.ml/RiXotStudio/system-management/src/branch/central/services/named/bind.nix#L11 causes an infinite recursion that community support in nix's matrix channel suspect is coming from dns.nix

Log: http://ix.io/3sbs

Currently i have to put this codeblock in all imported files to have dns.* available:

# https://git.dotya.ml/RiXotStudio/system-management/src/commit/bb1a8104567c95c3502dab31a5854010d7441d7f/services/named/bind.nix#L4
dns = import (pkgs.fetchFromGitHub {
	owner = "kirelagin";
	repo = "dns.nix";
	rev = "v1.1.0";
	sha256 = "0zvg92fjrfmdylk8ic3b2srsrqc8ii94a1ir0v5sknjyxvy5f3rf";
});

Is there a way to define this as a module to have it available in all imported files to avoid duplicate code e.g.

{ config, lib, dns, ... }:
	let
		zoneFile = dns.util.${builtins.currentSystem}.writeZone "${config.networking.fqdn}" (import (../../domains + "/${config.networking.domain}" + /machines + "/${config.networking.hostName}" + /zones/main.nix) { inherit dns; inherit config; });
	in {
		networking.firewall.allowedTCPPorts = lib.optional config.services.bind.enable 53;

		services.bind = {
			# FIXME(Krey): Research as tor's DNS is only resolving A and AAAA ?
			# forwarders = if(config.services.tor.client.dns.enable == true )
			# 	then [
			# 		# BUG(Krey): https://github.com/NixOS/nixpkgs/issues/129714
			# 		"127.0.0.1 port 9053"
			# 	]
			# 	else [ ];
			zones = {
				"${config.networking.fqdn}" = {
					file = zoneFile;
					master = true;
					masters = [ "${config.networking.interfaces.enp7s0.ipv4.addresses}" ];
				};
			};
		};
	}

Notice the { config, lib, dns, ... }:

Context

I am trying to solve this for 4 days while none in matrix channel for nixOS knows how to do this without causing an infinite recursion as highlighted in NixOS/nix#5007

It would be nice to be able to set the default TTL globally for a given zone.