Add NixOS option useZonegen to simplify setup with zonegen

Luflosi · Jun 5, 2024 · 45f5641 · 45f5641
1 parent 84f1f97
commit 45f5641
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/nix/module.nix b/nix/module.nix
@@ -250,7 +250,15 @@ in
           IPAddressDeny = "any";
         };
       };
+
+      assertions = lib.singleton {
+        assertion = !(cfg.useNsupdateProgram && cfg.useZonegen);
+        message = ''
+          Only one of services.dyndnsd.useNsupdateProgram and services.dyndnsd.useZonegen can be set at once.
+        '';
+      };
     })
+
     (lib.mkIf (cfg.enable && cfg.useNsupdateProgram) {
       users.groups.ddns = {};
       systemd.services.dyndnsd.serviceConfig.SupplementaryGroups = [ "ddns" ];
@@ -278,5 +286,27 @@ in
         ipv6.stdin = lib.mkDefault "update delete {domain}. IN AAAA\nupdate add {domain}. {ttl} IN AAAA {ipv6}\n";
       };
     })
+
+    (lib.mkIf (cfg.enable && cfg.useZonegen) {
+      users.groups.zonegen = {};
+
+      systemd.services.dyndnsd.serviceConfig = {
+        SupplementaryGroups = [ "zonegen" ];
+        ReadWritePaths = [ "/var/lib/bind/zones/dyn/" ];
+
+        # The tempfile-fast rust crate tries to keep the old permissions, so we need to allow this class of system calls
+        SystemCallFilter = [ "@chown" ];
+        UMask = "0022"; # Allow all processes (including BIND) to read the zone files (and database)
+      };
+
+      services.dyndnsd.settings.update_program = {
+        bin = "${pkgs.zonegen}/bin/zonegen";
+        args = [ "--dir" "/var/lib/bind/zones/dyn/" ];
+        stdin_per_zone_update = "send\n";
+        final_stdin = "quit\n";
+        ipv4.stdin = "update add {domain}. {ttl} IN A {ipv4}\n";
+        ipv6.stdin = "update add {domain}. {ttl} IN AAAA {ipv6}\n";
+      };
+    })
   ];
 }