authorW. Kosior <koszko@koszko.org>2024-09-25 14:56:58 +0200
committerW. Kosior <koszko@koszko.org>2024-09-25 15:02:59 +0200
commitc7470f996d888b33f7c0d58fae10927a9f09e4ee (patch)
treed1f206fb0521ffdec5d0ea5a30539e3ca388e011
parent4bca7e2049f942f8017cca6eeab1465d50e90cc4 (diff)
downloadkoszko-org-guix-server-c7470f996d888b33f7c0d58fae10927a9f09e4ee.tar.gz
koszko-org-guix-server-c7470f996d888b33f7c0d58fae10927a9f09e4ee.zip
Set up local DNS resolver.
-rw-r--r--salamina.scm34
1 files changed, 34 insertions, 0 deletions
diff --git a/salamina.scm b/salamina.scm
index 7d58285..d1c661f 100644
--- a/salamina.scm
+++ b/salamina.scm
@@ -15,6 +15,7 @@
((gnu packages) #:select (specifications->packages))
((gnu packages admin) #:select (shadow))
+ ((gnu packages dns) #:select (knot-resolver))
((gnu packages koszko-services) #:prefix ks:)
((gnu packages python) #:select (guix-pythonpath-search-path))
((gnu packages web) #:select (httpd mod-wsgi))
@@ -592,6 +593,39 @@
'("koszko.org" "koszkonutek-tmp.pl.eu.org"))))))
+(define %root.keys-path
+ "/var/cache/knot-resolver/root.keys")
+
+(prepend %services
+ (simple-service 'knot-resolver-root-keys-activation activation-service-type
+ #~(let* ((filename #$%root.keys-path)
+ (filename-tmp (format #f "~a-new" filename))
+ (passwd (getpwnam "knot-resolver")))
+ (mkdir-p (dirname filename))
+ (copy-file #$(file-append knot-resolver "/etc/knot-resolver/root.keys")
+ filename-tmp)
+ (chown filename-tmp (passwd:uid passwd) (passwd:gid passwd))
+ (rename-file filename-tmp filename))))
+
+(prepend %services
+ (service dns:knot-resolver-service-type
+ (dns:knot-resolver-configuration
+ (kresd-config-file (mixed-text-file "kresd.conf" "\
+net.listen('0.0.0.0', 5353)
+modules = { 'view' }
+trust_anchors.add_file('" %root.keys-path "')
+
+local_dnames = policy.todnames({'koszko.org', 'koszkonutek-tmp.pl.eu.org'})
+policy.add(policy.suffix(policy.STUB('127.0.0.1'), local_dnames))
+
+for _, mask in ipairs({'10.8.0.0/24', '127.0.0.1/32'}) do
+ view:addr(mask, policy.all(policy.PASS))
+end
+
+view:addr('0.0.0.0/0', policy.all(policy.DENY))
+")))))
+
+
(prepend %services
(service mail:mail-aliases-service-type
'(("root" "admin"))))
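Review bot: The activation gexp copies the packaged root.keys over `/var/cache/knot-resolver/root.keys` unconditionally, yet the kresd config calls `trust_anchors.add_file` without the readonly flag, so kresd itself maintains that file (RFC 5011 key updates) and every boot or reconfigure discards those updates and reverts to whatever the package shipped, which will quietly break DNSSEC validation once the packaged key set is stale. Seed the file only when it is absent: keep the `(mkdir-p (dirname filename))` as is and wrap the copy, chown and rename in `(unless (file-exists? filename) ...)`. Separately, `net.listen('0.0.0.0', 5353)` exposes the listener on every interface and leaves the `view` rules as the only access control; since `policy.DENY` still answers (NXDOMAIN), outside clients can confirm the service exists, so binding to `127.0.0.1` and the host's own address in 10.8.0.0/24 (not shown on the page) would make the view rules a second layer rather than the first. Whether a packet filter already restricts port 5353 is not visible from this diff.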