dns.scm 43 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039
  1. ;;; GNU Guix --- Functional package management for GNU
  2. ;;; Copyright © 2017 Julien Lepiller <julien@lepiller.eu>
  3. ;;; Copyright © 2018 Oleg Pykhalov <go.wigust@gmail.com>
  4. ;;; Copyright © 2020 Pierre Langlois <pierre.langlois@gmx.com>
  5. ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
  6. ;;;
  7. ;;; This file is part of GNU Guix.
  8. ;;;
  9. ;;; GNU Guix is free software; you can redistribute it and/or modify it
  10. ;;; under the terms of the GNU General Public License as published by
  11. ;;; the Free Software Foundation; either version 3 of the License, or (at
  12. ;;; your option) any later version.
  13. ;;;
  14. ;;; GNU Guix is distributed in the hope that it will be useful, but
  15. ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
  16. ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. ;;; GNU General Public License for more details.
  18. ;;;
  19. ;;; You should have received a copy of the GNU General Public License
  20. ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
  21. (define-module (gnu services dns)
  22. #:use-module (gnu services)
  23. #:use-module (gnu services configuration)
  24. #:use-module (gnu services shepherd)
  25. #:use-module (gnu system shadow)
  26. #:use-module (gnu packages admin)
  27. #:use-module (gnu packages dns)
  28. #:use-module (guix packages)
  29. #:use-module (guix records)
  30. #:use-module (guix gexp)
  31. #:use-module (guix modules)
  32. #:use-module (srfi srfi-1)
  33. #:use-module (srfi srfi-26)
  34. #:use-module (srfi srfi-34)
  35. #:use-module (srfi srfi-35)
  36. #:use-module (ice-9 match)
  37. #:use-module (ice-9 regex)
  38. #:export (knot-service-type
  39. knot-acl-configuration
  40. knot-key-configuration
  41. knot-keystore-configuration
  42. knot-zone-configuration
  43. knot-remote-configuration
  44. knot-policy-configuration
  45. knot-configuration
  46. define-zone-entries
  47. zone-file
  48. zone-entry
  49. knot-resolver-service-type
  50. knot-resolver-configuration
  51. dnsmasq-service-type
  52. dnsmasq-configuration
  53. ddclient-service-type
  54. ddclient-configuration))
  55. ;;;
  56. ;;; Knot DNS.
  57. ;;;
  58. (define-record-type* <knot-key-configuration>
  59. knot-key-configuration make-knot-key-configuration
  60. knot-key-configuration?
  61. (id knot-key-configuration-id
  62. (default ""))
  63. (algorithm knot-key-configuration-algorithm
  64. (default #f)); one of #f, or an algorithm name
  65. (secret knot-key-configuration-secret
  66. (default "")))
  67. (define-record-type* <knot-acl-configuration>
  68. knot-acl-configuration make-knot-acl-configuration
  69. knot-acl-configuration?
  70. (id knot-acl-configuration-id
  71. (default ""))
  72. (address knot-acl-configuration-address
  73. (default '()))
  74. (key knot-acl-configuration-key
  75. (default '()))
  76. (action knot-acl-configuration-action
  77. (default '()))
  78. (deny? knot-acl-configuration-deny?
  79. (default #f)))
  80. (define-record-type* <zone-entry>
  81. zone-entry make-zone-entry
  82. zone-entry?
  83. (name zone-entry-name
  84. (default "@"))
  85. (ttl zone-entry-ttl
  86. (default ""))
  87. (class zone-entry-class
  88. (default "IN"))
  89. (type zone-entry-type
  90. (default "A"))
  91. (data zone-entry-data
  92. (default "")))
  93. (define-record-type* <zone-file>
  94. zone-file make-zone-file
  95. zone-file?
  96. (entries zone-file-entries
  97. (default '()))
  98. (origin zone-file-origin
  99. (default ""))
  100. (ns zone-file-ns
  101. (default "ns"))
  102. (mail zone-file-mail
  103. (default "hostmaster"))
  104. (serial zone-file-serial
  105. (default 1))
  106. (refresh zone-file-refresh
  107. (default (* 2 24 3600)))
  108. (retry zone-file-retry
  109. (default (* 15 60)))
  110. (expiry zone-file-expiry
  111. (default (* 2 7 24 3600)))
  112. (nx zone-file-nx
  113. (default 3600)))
  114. (define-record-type* <knot-keystore-configuration>
  115. knot-keystore-configuration make-knot-keystore-configuration
  116. knot-keystore-configuration?
  117. (id knot-keystore-configuration-id
  118. (default ""))
  119. (backend knot-keystore-configuration-backend
  120. (default 'pem))
  121. (config knot-keystore-configuration-config
  122. (default "/var/lib/knot/keys/keys")))
  123. (define-record-type* <knot-policy-configuration>
  124. knot-policy-configuration make-knot-policy-configuration
  125. knot-policy-configuration?
  126. (id knot-policy-configuration-id
  127. (default ""))
  128. (keystore knot-policy-configuration-keystore
  129. (default "default"))
  130. (manual? knot-policy-configuration-manual?
  131. (default #f))
  132. (single-type-signing? knot-policy-configuration-single-type-signing?
  133. (default #f))
  134. (algorithm knot-policy-configuration-algorithm
  135. (default "ecdsap256sha256"))
  136. (ksk-size knot-policy-configuration-ksk-size
  137. (default 256))
  138. (zsk-size knot-policy-configuration-zsk-size
  139. (default 256))
  140. (dnskey-ttl knot-policy-configuration-dnskey-ttl
  141. (default 'default))
  142. (zsk-lifetime knot-policy-configuration-zsk-lifetime
  143. (default (* 30 24 3600)))
  144. (propagation-delay knot-policy-configuration-propagation-delay
  145. (default (* 24 3600)))
  146. (rrsig-lifetime knot-policy-configuration-rrsig-lifetime
  147. (default (* 14 24 3600)))
  148. (rrsig-refresh knot-policy-configuration-rrsig-refresh
  149. (default (* 7 24 3600)))
  150. (nsec3? knot-policy-configuration-nsec3?
  151. (default #f))
  152. (nsec3-iterations knot-policy-configuration-nsec3-iterations
  153. (default 5))
  154. (nsec3-salt-length knot-policy-configuration-nsec3-salt-length
  155. (default 8))
  156. (nsec3-salt-lifetime knot-policy-configuration-nsec3-salt-lifetime
  157. (default (* 30 24 3600))))
  158. (define-record-type* <knot-zone-configuration>
  159. knot-zone-configuration make-knot-zone-configuration
  160. knot-zone-configuration?
  161. (domain knot-zone-configuration-domain
  162. (default ""))
  163. (file knot-zone-configuration-file
  164. (default "")) ; the file where this zone is saved.
  165. (zone knot-zone-configuration-zone
  166. (default (zone-file))) ; initial content of the zone file
  167. (master knot-zone-configuration-master
  168. (default '()))
  169. (ddns-master knot-zone-configuration-ddns-master
  170. (default #f))
  171. (notify knot-zone-configuration-notify
  172. (default '()))
  173. (acl knot-zone-configuration-acl
  174. (default '()))
  175. (semantic-checks? knot-zone-configuration-semantic-checks?
  176. (default #f))
  177. (zonefile-sync knot-zone-configuration-zonefile-sync
  178. (default 0))
  179. (zonefile-load knot-zone-configuration-zonefile-load
  180. (default #f))
  181. (journal-content knot-zone-configuration-journal-content
  182. (default #f))
  183. (max-journal-usage knot-zone-configuration-max-journal-usage
  184. (default #f))
  185. (max-journal-depth knot-zone-configuration-max-journal-depth
  186. (default #f))
  187. (max-zone-size knot-zone-configuration-max-zone-size
  188. (default #f))
  189. (dnssec-policy knot-zone-configuration-dnssec-policy
  190. (default #f))
  191. (serial-policy knot-zone-configuration-serial-policy
  192. (default 'increment)))
  193. (define-record-type* <knot-remote-configuration>
  194. knot-remote-configuration make-knot-remote-configuration
  195. knot-remote-configuration?
  196. (id knot-remote-configuration-id
  197. (default ""))
  198. (address knot-remote-configuration-address
  199. (default '()))
  200. (via knot-remote-configuration-via
  201. (default '()))
  202. (key knot-remote-configuration-key
  203. (default #f)))
  204. (define-record-type* <knot-configuration>
  205. knot-configuration make-knot-configuration
  206. knot-configuration?
  207. (knot knot-configuration-knot
  208. (default knot))
  209. (run-directory knot-configuration-run-directory
  210. (default "/var/run/knot"))
  211. (includes knot-configuration-includes
  212. (default '()))
  213. (listen-v4 knot-configuration-listen-v4
  214. (default "0.0.0.0"))
  215. (listen-v6 knot-configuration-listen-v6
  216. (default "::"))
  217. (listen-port knot-configuration-listen-port
  218. (default 53))
  219. (keys knot-configuration-keys
  220. (default '()))
  221. (keystores knot-configuration-keystores
  222. (default '()))
  223. (acls knot-configuration-acls
  224. (default '()))
  225. (remotes knot-configuration-remotes
  226. (default '()))
  227. (policies knot-configuration-policies
  228. (default '()))
  229. (zones knot-configuration-zones
  230. (default '())))
  231. (define-syntax define-zone-entries
  232. (syntax-rules ()
  233. ((_ id (name ttl class type data) ...)
  234. (define id (list (make-zone-entry name ttl class type data) ...)))))
  235. (define (error-out msg)
  236. (raise (condition (&message (message msg)))))
  237. (define (verify-knot-key-configuration key)
  238. (unless (knot-key-configuration? key)
  239. (error-out "keys must be a list of only knot-key-configuration."))
  240. (let ((id (knot-key-configuration-id key)))
  241. (unless (and (string? id) (not (equal? id "")))
  242. (error-out "key id must be a non empty string.")))
  243. (unless (memq (knot-key-configuration-algorithm key)
  244. '(#f hmac-md5 hmac-sha1 hmac-sha224 hmac-sha256 hmac-sha384 hmac-sha512))
  245. (error-out "algorithm must be one of: #f, 'hmac-md5, 'hmac-sha1,
  246. 'hmac-sha224, 'hmac-sha256, 'hmac-sha384 or 'hmac-sha512")))
  247. (define (verify-knot-keystore-configuration keystore)
  248. (unless (knot-keystore-configuration? keystore)
  249. (error-out "keystores must be a list of only knot-keystore-configuration."))
  250. (let ((id (knot-keystore-configuration-id keystore)))
  251. (unless (and (string? id) (not (equal? id "")))
  252. (error-out "keystore id must be a non empty string.")))
  253. (unless (memq (knot-keystore-configuration-backend keystore)
  254. '(pem pkcs11))
  255. (error-out "backend must be one of: 'pem or 'pkcs11")))
  256. (define (verify-knot-policy-configuration policy)
  257. (unless (knot-policy-configuration? policy)
  258. (error-out "policies must be a list of only knot-policy-configuration."))
  259. (let ((id (knot-policy-configuration-id policy)))
  260. (unless (and (string? id) (not (equal? id "")))
  261. (error-out "policy id must be a non empty string."))))
  262. (define (verify-knot-acl-configuration acl)
  263. (unless (knot-acl-configuration? acl)
  264. (error-out "acls must be a list of only knot-acl-configuration."))
  265. (let ((id (knot-acl-configuration-id acl))
  266. (address (knot-acl-configuration-address acl))
  267. (key (knot-acl-configuration-key acl))
  268. (action (knot-acl-configuration-action acl)))
  269. (unless (and (string? id) (not (equal? id "")))
  270. (error-out "acl id must be a non empty string."))
  271. (unless (and (list? address)
  272. (every string? address))
  273. (error-out "acl address must be a list of strings.")))
  274. (unless (boolean? (knot-acl-configuration-deny? acl))
  275. (error-out "deny? must be #t or #f.")))
  276. (define (verify-knot-zone-configuration zone)
  277. (unless (knot-zone-configuration? zone)
  278. (error-out "zones must be a list of only knot-zone-configuration."))
  279. (let ((domain (knot-zone-configuration-domain zone)))
  280. (unless (and (string? domain) (not (equal? domain "")))
  281. (error-out "zone domain must be a non empty string."))))
  282. (define (verify-knot-remote-configuration remote)
  283. (unless (knot-remote-configuration? remote)
  284. (error-out "remotes must be a list of only knot-remote-configuration."))
  285. (let ((id (knot-remote-configuration-id remote)))
  286. (unless (and (string? id) (not (equal? id "")))
  287. (error-out "remote id must be a non empty string."))))
  288. (define (verify-knot-configuration config)
  289. (unless (package? (knot-configuration-knot config))
  290. (error-out "knot configuration field must be a package."))
  291. (unless (string? (knot-configuration-run-directory config))
  292. (error-out "run-directory must be a string."))
  293. (unless (list? (knot-configuration-includes config))
  294. (error-out "includes must be a list of strings or file-like objects."))
  295. (unless (list? (knot-configuration-keys config))
  296. (error-out "keys must be a list of knot-key-configuration."))
  297. (for-each (lambda (key) (verify-knot-key-configuration key))
  298. (knot-configuration-keys config))
  299. (unless (list? (knot-configuration-keystores config))
  300. (error-out "keystores must be a list of knot-keystore-configuration."))
  301. (for-each (lambda (keystore) (verify-knot-keystore-configuration keystore))
  302. (knot-configuration-keystores config))
  303. (unless (list? (knot-configuration-acls config))
  304. (error-out "acls must be a list of knot-acl-configuration."))
  305. (for-each (lambda (acl) (verify-knot-acl-configuration acl))
  306. (knot-configuration-acls config))
  307. (unless (list? (knot-configuration-zones config))
  308. (error-out "zones must be a list of knot-zone-configuration."))
  309. (for-each (lambda (zone) (verify-knot-zone-configuration zone))
  310. (knot-configuration-zones config))
  311. (unless (list? (knot-configuration-policies config))
  312. (error-out "policies must be a list of knot-policy-configuration."))
  313. (for-each (lambda (policy) (verify-knot-policy-configuration policy))
  314. (knot-configuration-policies config))
  315. (unless (list? (knot-configuration-remotes config))
  316. (error-out "remotes must be a list of knot-remote-configuration."))
  317. (for-each (lambda (remote) (verify-knot-remote-configuration remote))
  318. (knot-configuration-remotes config))
  319. #t)
  320. (define (format-string-list l)
  321. "Formats a list of string in YAML"
  322. (if (eq? l '())
  323. ""
  324. (let ((l (reverse l)))
  325. (string-append
  326. "["
  327. (fold (lambda (x1 x2)
  328. (string-append (if (symbol? x1) (symbol->string x1) x1) ", "
  329. (if (symbol? x2) (symbol->string x2) x2)))
  330. (if (symbol? (car l)) (symbol->string (car l)) (car l)) (cdr l))
  331. "]"))))
  332. (define (knot-acl-config acls)
  333. (with-output-to-string
  334. (lambda ()
  335. (for-each
  336. (lambda (acl-config)
  337. (let ((id (knot-acl-configuration-id acl-config))
  338. (address (knot-acl-configuration-address acl-config))
  339. (key (knot-acl-configuration-key acl-config))
  340. (action (knot-acl-configuration-action acl-config))
  341. (deny? (knot-acl-configuration-deny? acl-config)))
  342. (format #t " - id: ~a\n" id)
  343. (unless (eq? address '())
  344. (format #t " address: ~a\n" (format-string-list address)))
  345. (unless (eq? key '())
  346. (format #t " key: ~a\n" (format-string-list key)))
  347. (unless (eq? action '())
  348. (format #t " action: ~a\n" (format-string-list action)))
  349. (format #t " deny: ~a\n" (if deny? "on" "off"))))
  350. acls))))
  351. (define (knot-key-config keys)
  352. (with-output-to-string
  353. (lambda ()
  354. (for-each
  355. (lambda (key-config)
  356. (let ((id (knot-key-configuration-id key-config))
  357. (algorithm (knot-key-configuration-algorithm key-config))
  358. (secret (knot-key-configuration-secret key-config)))
  359. (format #t " - id: ~a\n" id)
  360. (if algorithm
  361. (format #t " algorithm: ~a\n" (symbol->string algorithm)))
  362. (format #t " secret: ~a\n" secret)))
  363. keys))))
  364. (define (knot-keystore-config keystores)
  365. (with-output-to-string
  366. (lambda ()
  367. (for-each
  368. (lambda (keystore-config)
  369. (let ((id (knot-keystore-configuration-id keystore-config))
  370. (backend (knot-keystore-configuration-backend keystore-config))
  371. (config (knot-keystore-configuration-config keystore-config)))
  372. (format #t " - id: ~a\n" id)
  373. (format #t " backend: ~a\n" (symbol->string backend))
  374. (format #t " config: \"~a\"\n" config)))
  375. keystores))))
  376. (define (knot-policy-config policies)
  377. (with-output-to-string
  378. (lambda ()
  379. (for-each
  380. (lambda (policy-config)
  381. (let ((id (knot-policy-configuration-id policy-config))
  382. (keystore (knot-policy-configuration-keystore policy-config))
  383. (manual? (knot-policy-configuration-manual? policy-config))
  384. (single-type-signing? (knot-policy-configuration-single-type-signing?
  385. policy-config))
  386. (algorithm (knot-policy-configuration-algorithm policy-config))
  387. (ksk-size (knot-policy-configuration-ksk-size policy-config))
  388. (zsk-size (knot-policy-configuration-zsk-size policy-config))
  389. (dnskey-ttl (knot-policy-configuration-dnskey-ttl policy-config))
  390. (zsk-lifetime (knot-policy-configuration-zsk-lifetime policy-config))
  391. (propagation-delay (knot-policy-configuration-propagation-delay
  392. policy-config))
  393. (rrsig-lifetime (knot-policy-configuration-rrsig-lifetime
  394. policy-config))
  395. (nsec3? (knot-policy-configuration-nsec3? policy-config))
  396. (nsec3-iterations (knot-policy-configuration-nsec3-iterations
  397. policy-config))
  398. (nsec3-salt-length (knot-policy-configuration-nsec3-salt-length
  399. policy-config))
  400. (nsec3-salt-lifetime (knot-policy-configuration-nsec3-salt-lifetime
  401. policy-config)))
  402. (format #t " - id: ~a\n" id)
  403. (format #t " keystore: ~a\n" keystore)
  404. (format #t " manual: ~a\n" (if manual? "on" "off"))
  405. (format #t " single-type-signing: ~a\n" (if single-type-signing?
  406. "on" "off"))
  407. (format #t " algorithm: ~a\n" algorithm)
  408. (format #t " ksk-size: ~a\n" (number->string ksk-size))
  409. (format #t " zsk-size: ~a\n" (number->string zsk-size))
  410. (unless (eq? dnskey-ttl 'default)
  411. (format #t " dnskey-ttl: ~a\n" dnskey-ttl))
  412. (format #t " zsk-lifetime: ~a\n" zsk-lifetime)
  413. (format #t " propagation-delay: ~a\n" propagation-delay)
  414. (format #t " rrsig-lifetime: ~a\n" rrsig-lifetime)
  415. (format #t " nsec3: ~a\n" (if nsec3? "on" "off"))
  416. (format #t " nsec3-iterations: ~a\n"
  417. (number->string nsec3-iterations))
  418. (format #t " nsec3-salt-length: ~a\n"
  419. (number->string nsec3-salt-length))
  420. (format #t " nsec3-salt-lifetime: ~a\n" nsec3-salt-lifetime)))
  421. policies))))
  422. (define (knot-remote-config remotes)
  423. (with-output-to-string
  424. (lambda ()
  425. (for-each
  426. (lambda (remote-config)
  427. (let ((id (knot-remote-configuration-id remote-config))
  428. (address (knot-remote-configuration-address remote-config))
  429. (via (knot-remote-configuration-via remote-config))
  430. (key (knot-remote-configuration-key remote-config)))
  431. (format #t " - id: ~a\n" id)
  432. (unless (eq? address '())
  433. (format #t " address: ~a\n" (format-string-list address)))
  434. (unless (eq? via '())
  435. (format #t " via: ~a\n" (format-string-list via)))
  436. (if key
  437. (format #t " key: ~a\n" key))))
  438. remotes))))
  439. (define (serialize-zone-entries entries)
  440. (with-output-to-string
  441. (lambda ()
  442. (for-each
  443. (lambda (entry)
  444. (let ((name (zone-entry-name entry))
  445. (ttl (zone-entry-ttl entry))
  446. (class (zone-entry-class entry))
  447. (type (zone-entry-type entry))
  448. (data (zone-entry-data entry)))
  449. (format #t "~a ~a ~a ~a ~a\n" name ttl class type data)))
  450. entries))))
  451. (define (serialize-zone-file zone domain)
  452. (computed-file (string-append domain ".zone")
  453. #~(begin
  454. (call-with-output-file #$output
  455. (lambda (port)
  456. (format port "$ORIGIN ~a.\n"
  457. #$(zone-file-origin zone))
  458. (format port "@ IN SOA ~a ~a (~a ~a ~a ~a ~a)\n"
  459. #$(zone-file-ns zone)
  460. #$(zone-file-mail zone)
  461. #$(zone-file-serial zone)
  462. #$(zone-file-refresh zone)
  463. #$(zone-file-retry zone)
  464. #$(zone-file-expiry zone)
  465. #$(zone-file-nx zone))
  466. (format port "~a\n"
  467. #$(serialize-zone-entries (zone-file-entries zone))))))))
  468. (define (knot-zone-config zone)
  469. (let ((content (knot-zone-configuration-zone zone)))
  470. #~(with-output-to-string
  471. (lambda ()
  472. (let ((domain #$(knot-zone-configuration-domain zone))
  473. (file #$(knot-zone-configuration-file zone))
  474. (master (list #$@(knot-zone-configuration-master zone)))
  475. (ddns-master #$(knot-zone-configuration-ddns-master zone))
  476. (notify (list #$@(knot-zone-configuration-notify zone)))
  477. (acl (list #$@(knot-zone-configuration-acl zone)))
  478. (semantic-checks? #$(knot-zone-configuration-semantic-checks? zone))
  479. (zonefile-sync #$(knot-zone-configuration-zonefile-sync zone))
  480. (zonefile-load '#$(knot-zone-configuration-zonefile-load zone))
  481. (journal-content #$(knot-zone-configuration-journal-content zone))
  482. (max-journal-usage #$(knot-zone-configuration-max-journal-usage zone))
  483. (max-journal-depth #$(knot-zone-configuration-max-journal-depth zone))
  484. (max-zone-size #$(knot-zone-configuration-max-zone-size zone))
  485. (dnssec-policy #$(knot-zone-configuration-dnssec-policy zone))
  486. (serial-policy '#$(knot-zone-configuration-serial-policy zone)))
  487. (format #t " - domain: ~a\n" domain)
  488. (if (eq? master '())
  489. ;; This server is a master
  490. (if (equal? file "")
  491. (format #t " file: ~a\n"
  492. #$(serialize-zone-file content
  493. (knot-zone-configuration-domain zone)))
  494. (format #t " file: ~a\n" file))
  495. ;; This server is a slave (has masters)
  496. (begin
  497. (format #t " master: ~a\n"
  498. #$(format-string-list
  499. (knot-zone-configuration-master zone)))
  500. (if ddns-master (format #t " ddns-master ~a\n" ddns-master))))
  501. (unless (eq? notify '())
  502. (format #t " notify: ~a\n"
  503. #$(format-string-list
  504. (knot-zone-configuration-notify zone))))
  505. (unless (eq? acl '())
  506. (format #t " acl: ~a\n"
  507. #$(format-string-list
  508. (knot-zone-configuration-acl zone))))
  509. (format #t " semantic-checks: ~a\n" (if semantic-checks? "on" "off"))
  510. (if zonefile-sync
  511. (format #t " zonefile-sync: ~a\n" zonefile-sync))
  512. (if zonefile-load
  513. (format #t " zonefile-load: ~a\n"
  514. (symbol->string zonefile-load)))
  515. (if journal-content
  516. (format #t " journal-content: ~a\n"
  517. (symbol->string journal-content)))
  518. (if max-journal-usage
  519. (format #t " max-journal-usage: ~a\n" max-journal-usage))
  520. (if max-journal-depth
  521. (format #t " max-journal-depth: ~a\n" max-journal-depth))
  522. (if max-zone-size
  523. (format #t " max-zone-size: ~a\n" max-zone-size))
  524. (if dnssec-policy
  525. (begin
  526. (format #t " dnssec-signing: on\n")
  527. (format #t " dnssec-policy: ~a\n" dnssec-policy)))
  528. (format #t " serial-policy: ~a\n"
  529. (symbol->string serial-policy)))))))
  530. (define (knot-config-file config)
  531. (verify-knot-configuration config)
  532. (computed-file "knot.conf"
  533. #~(begin
  534. (call-with-output-file #$output
  535. (lambda (port)
  536. (for-each (lambda (inc)
  537. (format port "include: ~a\n" inc))
  538. '#$(knot-configuration-includes config))
  539. (format port "server:\n")
  540. (format port " rundir: ~a\n" #$(knot-configuration-run-directory config))
  541. (format port " user: knot\n")
  542. (format port " listen: ~a@~a\n"
  543. #$(knot-configuration-listen-v4 config)
  544. #$(knot-configuration-listen-port config))
  545. (format port " listen: ~a@~a\n"
  546. #$(knot-configuration-listen-v6 config)
  547. #$(knot-configuration-listen-port config))
  548. (format port "\nkey:\n")
  549. (format port #$(knot-key-config (knot-configuration-keys config)))
  550. (format port "\nkeystore:\n")
  551. (format port #$(knot-keystore-config (knot-configuration-keystores config)))
  552. (format port "\nacl:\n")
  553. (format port #$(knot-acl-config (knot-configuration-acls config)))
  554. (format port "\nremote:\n")
  555. (format port #$(knot-remote-config (knot-configuration-remotes config)))
  556. (format port "\npolicy:\n")
  557. (format port #$(knot-policy-config (knot-configuration-policies config)))
  558. (unless #$(eq? (knot-configuration-zones config) '())
  559. (format port "\nzone:\n")
  560. (format port "~a\n"
  561. (string-concatenate
  562. (list #$@(map knot-zone-config
  563. (knot-configuration-zones config)))))))))))
  564. (define %knot-accounts
  565. (list (user-group (name "knot") (system? #t))
  566. (user-account
  567. (name "knot")
  568. (group "knot")
  569. (system? #t)
  570. (comment "knot dns server user")
  571. (home-directory "/var/empty")
  572. (shell (file-append shadow "/sbin/nologin")))))
  573. (define (knot-activation config)
  574. (with-imported-modules (source-module-closure '((gnu build activation)))
  575. #~(begin
  576. (use-modules (gnu build activation))
  577. (mkdir-p/perms #$(knot-configuration-run-directory config)
  578. (getpwnam "knot") #o755)
  579. (mkdir-p/perms "/var/lib/knot" (getpwnam "knot") #o755)
  580. (mkdir-p/perms "/var/lib/knot/keys" (getpwnam "knot") #o755)
  581. (mkdir-p/perms "/var/lib/knot/keys/keys" (getpwnam "knot") #o755))))
  582. (define (knot-shepherd-service config)
  583. (let* ((config-file (knot-config-file config))
  584. (knot (knot-configuration-knot config)))
  585. (list (shepherd-service
  586. (documentation "Run the Knot DNS daemon.")
  587. (provision '(knot dns))
  588. (requirement '(networking))
  589. (start #~(make-forkexec-constructor
  590. (list (string-append #$knot "/sbin/knotd")
  591. "-c" #$config-file)))
  592. (stop #~(make-kill-destructor))))))
  593. (define knot-service-type
  594. (service-type (name 'knot)
  595. (extensions
  596. (list (service-extension shepherd-root-service-type
  597. knot-shepherd-service)
  598. (service-extension activation-service-type
  599. knot-activation)
  600. (service-extension account-service-type
  601. (const %knot-accounts))))
  602. (description
  603. "Run @uref{https://www.knot-dns.cz/, Knot}, an authoritative
  604. name server for the @acronym{DNS, Domain Name System}.")))
  605. ;;;
  606. ;;; Knot Resolver.
  607. ;;;
  608. (define-record-type* <knot-resolver-configuration>
  609. knot-resolver-configuration
  610. make-knot-resolver-configuration
  611. knot-resolver-configuration?
  612. (package knot-resolver-configuration-package
  613. (default knot-resolver))
  614. (kresd-config-file knot-resolver-kresd-config-file
  615. (default %kresd.conf))
  616. (garbage-collection-interval knot-resolver-garbage-collection-interval
  617. (default 1000)))
  618. (define %kresd.conf
  619. (plain-file "kresd.conf" "-- -*- mode: lua -*-
  620. trust_anchors.add_file('/var/cache/knot-resolver/root.keys')
  621. net = { '127.0.0.1', '::1' }
  622. user('knot-resolver', 'knot-resolver')
  623. modules = { 'hints > iterate', 'stats', 'predict' }
  624. cache.size = 100 * MB
  625. "))
  626. (define %knot-resolver-accounts
  627. (list (user-group
  628. (name "knot-resolver")
  629. (system? #t))
  630. (user-account
  631. (name "knot-resolver")
  632. (group "knot-resolver")
  633. (system? #t)
  634. (home-directory "/var/cache/knot-resolver")
  635. (shell (file-append shadow "/sbin/nologin")))))
  636. (define (knot-resolver-activation config)
  637. #~(begin
  638. (use-modules (guix build utils))
  639. (let ((rundir "/var/cache/knot-resolver")
  640. (owner (getpwnam "knot-resolver")))
  641. (mkdir-p rundir)
  642. (chown rundir (passwd:uid owner) (passwd:gid owner)))))
  643. (define knot-resolver-shepherd-services
  644. (match-lambda
  645. (($ <knot-resolver-configuration> package
  646. kresd-config-file
  647. garbage-collection-interval)
  648. (list
  649. (shepherd-service
  650. (provision '(kresd))
  651. (requirement '(networking))
  652. (documentation "Run the Knot Resolver daemon.")
  653. (start #~(make-forkexec-constructor
  654. '(#$(file-append package "/sbin/kresd")
  655. "-c" #$kresd-config-file "-n"
  656. "/var/cache/knot-resolver")))
  657. (stop #~(make-kill-destructor)))
  658. (shepherd-service
  659. (provision '(kres-cache-gc))
  660. (requirement '(user-processes))
  661. (documentation "Run the Knot Resolver Garbage Collector daemon.")
  662. (start #~(make-forkexec-constructor
  663. '(#$(file-append package "/sbin/kres-cache-gc")
  664. "-d" #$(number->string garbage-collection-interval)
  665. "-c" "/var/cache/knot-resolver")
  666. #:user "knot-resolver"
  667. #:group "knot-resolver"))
  668. (stop #~(make-kill-destructor)))))))
  669. (define knot-resolver-service-type
  670. (service-type
  671. (name 'knot-resolver)
  672. (extensions
  673. (list (service-extension shepherd-root-service-type
  674. knot-resolver-shepherd-services)
  675. (service-extension activation-service-type
  676. knot-resolver-activation)
  677. (service-extension account-service-type
  678. (const %knot-resolver-accounts))))
  679. (default-value (knot-resolver-configuration))
  680. (description "Run the Knot DNS Resolver.")))
  681. ;;;
  682. ;;; Dnsmasq.
  683. ;;;
  684. (define-record-type* <dnsmasq-configuration>
  685. dnsmasq-configuration make-dnsmasq-configuration
  686. dnsmasq-configuration?
  687. (package dnsmasq-configuration-package
  688. (default dnsmasq)) ;package
  689. (no-hosts? dnsmasq-configuration-no-hosts?
  690. (default #f)) ;boolean
  691. (port dnsmasq-configuration-port
  692. (default 53)) ;integer
  693. (local-service? dnsmasq-configuration-local-service?
  694. (default #t)) ;boolean
  695. (listen-addresses dnsmasq-configuration-listen-address
  696. (default '())) ;list of string
  697. (resolv-file dnsmasq-configuration-resolv-file
  698. (default "/etc/resolv.conf")) ;string
  699. (no-resolv? dnsmasq-configuration-no-resolv?
  700. (default #f)) ;boolean
  701. (servers dnsmasq-configuration-servers
  702. (default '())) ;list of string
  703. (addresses dnsmasq-configuration-addresses
  704. (default '())) ;list of string
  705. (cache-size dnsmasq-configuration-cache-size
  706. (default 150)) ;integer
  707. (negative-cache? dnsmasq-configuration-negative-cache?
  708. (default #t)) ;boolean
  709. (tftp-enable? dnsmasq-configuration-tftp-enable?
  710. (default #f)) ;boolean
  711. (tftp-no-fail? dnsmasq-configuration-tftp-no-fail?
  712. (default #f)) ;boolean
  713. (tftp-single-port? dnsmasq-configuration-tftp-single-port?
  714. (default #f)) ;boolean
  715. (tftp-secure? dnsmasq-tftp-secure?
  716. (default #f)) ;boolean
  717. (tftp-max dnsmasq-tftp-max
  718. (default #f)) ;integer
  719. (tftp-mtu dnsmasq-tftp-mtu
  720. (default #f)) ;integer
  721. (tftp-no-blocksize? dnsmasq-tftp-no-blocksize?
  722. (default #f)) ;boolean
  723. (tftp-lowercase? dnsmasq-tftp-lowercase?
  724. (default #f)) ;boolean
  725. (tftp-port-range dnsmasq-tftp-port-range
  726. (default #f)) ;string
  727. (tftp-root dnsmasq-tftp-root
  728. (default "/var/empty,lo")) ;string
  729. (tftp-unique-root dnsmasq-tftp-unique-root
  730. (default #f))) ;"" or "ip" or "mac"
  731. (define dnsmasq-shepherd-service
  732. (match-lambda
  733. (($ <dnsmasq-configuration> package
  734. no-hosts?
  735. port local-service? listen-addresses
  736. resolv-file no-resolv? servers
  737. addresses cache-size negative-cache?
  738. tftp-enable? tftp-no-fail?
  739. tftp-single-port? tftp-secure?
  740. tftp-max tftp-mtu tftp-no-blocksize?
  741. tftp-lowercase? tftp-port-range
  742. tftp-root tftp-unique-root)
  743. (shepherd-service
  744. (provision '(dnsmasq))
  745. (requirement '(networking))
  746. (documentation "Run the dnsmasq DNS server.")
  747. (start #~(make-forkexec-constructor
  748. '(#$(file-append package "/sbin/dnsmasq")
  749. "--keep-in-foreground"
  750. "--pid-file=/run/dnsmasq.pid"
  751. #$@(if no-hosts?
  752. '("--no-hosts")
  753. '())
  754. #$(format #f "--port=~a" port)
  755. #$@(if local-service?
  756. '("--local-service")
  757. '())
  758. #$@(map (cut format #f "--listen-address=~a" <>)
  759. listen-addresses)
  760. #$(format #f "--resolv-file=~a" resolv-file)
  761. #$@(if no-resolv?
  762. '("--no-resolv")
  763. '())
  764. #$@(map (cut format #f "--server=~a" <>)
  765. servers)
  766. #$@(map (cut format #f "--address=~a" <>)
  767. addresses)
  768. #$(format #f "--cache-size=~a" cache-size)
  769. #$@(if negative-cache?
  770. '()
  771. '("--no-negcache"))
  772. #$@(if tftp-enable?
  773. '("--enable-tftp")
  774. '())
  775. #$@(if tftp-no-fail?
  776. '("--tftp-no-fail")
  777. '())
  778. #$@(if tftp-single-port?
  779. '("--tftp-single-port")
  780. '())
  781. #$@(if tftp-secure?
  782. '("--tftp-secure?")
  783. '())
  784. #$@(if tftp-max
  785. (list (format #f "--tftp-max=~a" tftp-max))
  786. '())
  787. #$@(if tftp-mtu
  788. (list (format #f "--tftp-mtu=~a" tftp-mtu))
  789. '())
  790. #$@(if tftp-no-blocksize?
  791. '("--tftp-no-blocksize")
  792. '())
  793. #$@(if tftp-lowercase?
  794. '("--tftp-lowercase")
  795. '())
  796. #$@(if tftp-port-range
  797. (list (format #f "--tftp-port-range=~a"
  798. tftp-port-range))
  799. '())
  800. #$@(if tftp-root
  801. (list (format #f "--tftp-root=~a" tftp-root))
  802. '())
  803. #$@(if tftp-unique-root
  804. (list
  805. (if (> (length tftp-unique-root) 0)
  806. (format #f "--tftp-unique-root=~a" tftp-unique-root)
  807. (format #f "--tftp-unique-root")))
  808. '()))
  809. #:pid-file "/run/dnsmasq.pid"))
  810. (stop #~(make-kill-destructor))))))
  811. (define (dnsmasq-activation config)
  812. #~(begin
  813. (use-modules (guix build utils))
  814. ;; create directory to store dnsmasq lease file
  815. (mkdir-p "/var/lib/misc")))
  816. (define dnsmasq-service-type
  817. (service-type
  818. (name 'dnsmasq)
  819. (extensions
  820. (list (service-extension shepherd-root-service-type
  821. (compose list dnsmasq-shepherd-service))
  822. (service-extension activation-service-type
  823. dnsmasq-activation)))
  824. (default-value (dnsmasq-configuration))
  825. (description "Run the dnsmasq DNS server.")))
  826. ;;;
  827. ;;; ddclient
  828. ;;;
  829. (define (uglify-field-name field-name)
  830. (string-delete #\? (symbol->string field-name)))
  831. (define (serialize-field field-name val)
  832. (when (not (member field-name '(group secret-file user)))
  833. (format #t "~a=~a\n" (uglify-field-name field-name) val)))
  834. (define (serialize-boolean field-name val)
  835. (serialize-field field-name (if val "yes" "no")))
  836. (define (serialize-integer field-name val)
  837. (serialize-field field-name (number->string val)))
  838. (define (serialize-string field-name val)
  839. (if (and (string? val) (string=? val ""))
  840. ""
  841. (serialize-field field-name val)))
  842. (define (serialize-list field-name val)
  843. (if (null? val) "" (serialize-field field-name (string-join val))))
  844. (define (serialize-extra-options extra-options)
  845. (string-join extra-options "\n" 'suffix))
  846. (define-configuration ddclient-configuration
  847. (ddclient
  848. (package ddclient)
  849. "The ddclient package.")
  850. (daemon
  851. (integer 300)
  852. "The period after which ddclient will retry to check IP and domain name.")
  853. (syslog
  854. (boolean #t)
  855. "Use syslog for the output.")
  856. (mail
  857. (string "root")
  858. "Mail to user.")
  859. (mail-failure
  860. (string "root")
  861. "Mail failed update to user.")
  862. (pid
  863. (string "/var/run/ddclient/ddclient.pid")
  864. "The ddclient PID file.")
  865. (ssl
  866. (boolean #t)
  867. "Enable SSL support.")
  868. (user
  869. (string "ddclient")
  870. "Specifies the user name or ID that is used when running ddclient
  871. program.")
  872. (group
  873. (string "ddclient")
  874. "Group of the user who will run the ddclient program.")
  875. (secret-file
  876. (string "/etc/ddclient/secrets.conf")
  877. "Secret file which will be appended to @file{ddclient.conf} file. This
  878. file contains credentials for use by ddclient. You are expected to create it
  879. manually.")
  880. (extra-options
  881. (list '())
  882. "Extra options will be appended to @file{ddclient.conf} file."))
  883. (define (ddclient-account config)
  884. "Return the user accounts and user groups for CONFIG."
  885. (let ((ddclient-user (ddclient-configuration-user config))
  886. (ddclient-group (ddclient-configuration-group config)))
  887. (list (user-group
  888. (name ddclient-group)
  889. (system? #t))
  890. (user-account
  891. (name ddclient-user)
  892. (system? #t)
  893. (group ddclient-group)
  894. (comment "ddclientd privilege separation user")
  895. (home-directory (string-append "/var/run/" ddclient-user))))))
  896. (define (ddclient-activation config)
  897. "Return the activation GEXP for CONFIG."
  898. (with-imported-modules '((guix build utils)
  899. (ice-9 rdelim))
  900. #~(begin
  901. (use-modules (guix build utils)
  902. (ice-9 rdelim))
  903. (let ((ddclient-user
  904. (passwd:uid (getpw #$(ddclient-configuration-user config))))
  905. (ddclient-group
  906. (passwd:gid (getpw #$(ddclient-configuration-group config))))
  907. (ddclient-secret-file
  908. #$(ddclient-configuration-secret-file config)))
  909. ;; 'ddclient' complains about ddclient.conf file permissions, which
  910. ;; rules out /gnu/store. Thus we copy the ddclient.conf to /etc.
  911. (for-each (lambda (dir)
  912. (mkdir-p dir)
  913. (chmod dir #o700)
  914. (chown dir ddclient-user ddclient-group))
  915. '("/var/cache/ddclient" "/var/run/ddclient"
  916. "/etc/ddclient"))
  917. (with-output-to-file "/etc/ddclient/ddclient.conf"
  918. (lambda ()
  919. (display
  920. (string-append
  921. "# Generated by 'ddclient-service'.\n\n"
  922. #$(with-output-to-string
  923. (lambda ()
  924. (serialize-configuration config
  925. ddclient-configuration-fields)))
  926. (if (string-null? ddclient-secret-file)
  927. ""
  928. (format #f "\n\n# Appended from '~a'.\n\n~a"
  929. ddclient-secret-file
  930. (with-input-from-file ddclient-secret-file
  931. read-string)))))))
  932. (chmod "/etc/ddclient/ddclient.conf" #o600)
  933. (chown "/etc/ddclient/ddclient.conf"
  934. ddclient-user ddclient-group)))))
  935. (define (ddclient-shepherd-service config)
  936. "Return a <shepherd-service> for ddclient with CONFIG."
  937. (let ((ddclient (ddclient-configuration-ddclient config))
  938. (ddclient-pid (ddclient-configuration-pid config))
  939. (ddclient-user (ddclient-configuration-user config))
  940. (ddclient-group (ddclient-configuration-group config)))
  941. (list (shepherd-service
  942. (provision '(ddclient))
  943. (documentation "Run ddclient daemon.")
  944. (start #~(make-forkexec-constructor
  945. (list #$(file-append ddclient "/bin/ddclient")
  946. "-foreground"
  947. "-file" "/etc/ddclient/ddclient.conf")
  948. #:pid-file #$ddclient-pid
  949. #:environment-variables
  950. (list "SSL_CERT_DIR=/run/current-system/profile\
  951. /etc/ssl/certs"
  952. "SSL_CERT_FILE=/run/current-system/profile\
  953. /etc/ssl/certs/ca-certificates.crt")
  954. #:user #$ddclient-user
  955. #:group #$ddclient-group))
  956. (stop #~(make-kill-destructor))))))
  957. (define ddclient-service-type
  958. (service-type
  959. (name 'ddclient)
  960. (extensions
  961. (list (service-extension account-service-type
  962. ddclient-account)
  963. (service-extension shepherd-root-service-type
  964. ddclient-shepherd-service)
  965. (service-extension activation-service-type
  966. ddclient-activation)))
  967. (default-value (ddclient-configuration))
  968. (description "Configure address updating utility for dynamic DNS services,
  969. ddclient.")))
  970. (define (generate-ddclient-documentation)
  971. (generate-documentation
  972. `((ddclient-configuration ,ddclient-configuration-fields))
  973. 'ddclient-configuration))