1 | ;;; GNU Guix --- Functional package management for GNU |
2 | ;;; Copyright © 2017 Julien Lepiller <julien@lepiller.eu> | |
3 | ;;; | |
4 | ;;; This file is part of GNU Guix. | |
5 | ;;; | |
6 | ;;; GNU Guix is free software; you can redistribute it and/or modify it | |
7 | ;;; under the terms of the GNU General Public License as published by | |
8 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
9 | ;;; your option) any later version. | |
10 | ;;; | |
11 | ;;; GNU Guix is distributed in the hope that it will be useful, but | |
12 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
14 | ;;; GNU General Public License for more details. | |
15 | ;;; | |
16 | ;;; You should have received a copy of the GNU General Public License | |
17 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. | |
18 | ||
19 | (define-module (gnu services dns) | |
20 | #:use-module (gnu services) | |
21 | #:use-module (gnu services configuration) | |
22 | #:use-module (gnu services shepherd) | |
23 | #:use-module (gnu system shadow) | |
24 | #:use-module (gnu packages admin) | |
25 | #:use-module (gnu packages dns) | |
26 | #:use-module (guix packages) | |
27 | #:use-module (guix records) | |
28 | #:use-module (guix gexp) | |
29 | #:use-module (srfi srfi-1) | |
30 | #:use-module (srfi srfi-34) | |
31 | #:use-module (srfi srfi-35) | |
32 | #:use-module (ice-9 match) | |
33 | #:use-module (ice-9 regex) | |
34 | #:export (knot-service-type | |
35 | knot-acl-configuration | |
36 | knot-key-configuration | |
37 | knot-keystore-configuration | |
38 | knot-zone-configuration | |
39 | knot-remote-configuration | |
40 | knot-policy-configuration | |
41 | knot-configuration | |
42 | define-zone-entries | |
43 | zone-file | |
44 | zone-entry)) | |
45 | ||
46 | ;;; | |
47 | ;;; Knot DNS. | |
48 | ;;; | |
49 | ||
(define-record-type* <knot-key-configuration>
  knot-key-configuration make-knot-key-configuration
  knot-key-configuration?
  ;; A shared HMAC key, serialized into the `key:' section of knot.conf by
  ;; knot-key-config and referenced by id from ACLs and remotes.
  ;; The secret is copied into knot.conf verbatim; that file is a store item
  ;; (see knot-config-file) and the store is world-readable, so the secret is
  ;; visible to every local user of the system.
  ;; Non-empty string; checked by verify-knot-key-configuration.
  (id knot-key-configuration-id
      (default ""))
  ;; Allowed values are enforced by verify-knot-key-configuration; #f omits
  ;; the `algorithm:' line so Knot applies its own default.
  (algorithm knot-key-configuration-algorithm
             (default #f)); one of #f, or an algorithm name
  (secret knot-key-configuration-secret
          (default "")))
59 | ||
(define-record-type* <knot-acl-configuration>
  knot-acl-configuration make-knot-acl-configuration
  knot-acl-configuration?
  ;; One entry of the `acl:' section (see knot-acl-config).  Zones refer to
  ;; ACLs by id through their `acl' field.
  (id knot-acl-configuration-id
      (default ""))                     ; non-empty string (verified)
  ;; List of address strings; the line is omitted when empty.  An ACL that
  ;; matches on address alone trusts the packet's source IP, so pair it with
  ;; a key for any action that changes or discloses zone data.
  (address knot-acl-configuration-address
           (default '()))
  ;; List of key ids (strings or symbols, see format-string-list); passed
  ;; through without validation.
  (key knot-acl-configuration-key
       (default '()))
  ;; List of Knot action names; passed through without validation.
  (action knot-acl-configuration-action
          (default '()))
  ;; Boolean, rendered as `deny: on' / `deny: off'.
  (deny? knot-acl-configuration-deny?
         (default #f)))
73 | ||
(define-record-type* <zone-entry>
  zone-entry make-zone-entry
  zone-entry?
  ;; One resource record of a generated zone file.  serialize-zone-entries
  ;; prints the five fields space-separated in this order, one record per
  ;; line; define-zone-entries relies on the same positional order.
  (name zone-entry-name
        (default "@"))                  ; owner name; "@" stands for the origin
  ;; An empty string prints nothing in the TTL position; zone-file syntax
  ;; permits leaving the TTL out.
  (ttl zone-entry-ttl
       (default ""))
  (class zone-entry-class
         (default "IN"))
  (type zone-entry-type
        (default "A"))
  (data zone-entry-data
        (default "")))                  ; RDATA, e.g. the address of an A record
87 | ||
(define-record-type* <zone-file>
  zone-file make-zone-file
  zone-file?
  ;; Content of a zone file generated by serialize-zone-file: a $ORIGIN line,
  ;; one SOA record built from the fields below, then ENTRIES.
  (entries zone-file-entries
           (default '()))               ; list of <zone-entry>
  (origin zone-file-origin
          (default ""))                 ; written as "$ORIGIN <origin>."
  ;; SOA MNAME and RNAME.  Both defaults are relative names and are resolved
  ;; under the origin by the zone-file parser.
  (ns zone-file-ns
      (default "ns"))
  (mail zone-file-mail
        (default "hostmaster"))
  ;; SOA fields, emitted in the order (serial refresh retry expiry nx).
  ;; The serial is a fixed number: bump it when the entries change, or
  ;; secondaries following the usual SOA semantics will not re-transfer.
  (serial zone-file-serial
          (default 1))
  (refresh zone-file-refresh
           (default "2d"))
  (retry zone-file-retry
         (default "15m"))
  (expiry zone-file-expiry
          (default "2w"))
  (nx zone-file-nx
      (default "1h")))
(define-record-type* <knot-keystore-configuration>
  knot-keystore-configuration make-knot-keystore-configuration
  knot-keystore-configuration?
  ;; One entry of the `keystore:' section (see knot-keystore-config); a
  ;; policy refers to it by id.  This is where DNSSEC signing keys live.
  (id knot-keystore-configuration-id
      (default ""))                     ; non-empty string (verified)
  (backend knot-keystore-configuration-backend
           (default 'pem))              ; 'pem or 'pkcs11 (verified)
  ;; Backend-specific configuration string, emitted double-quoted.  For the
  ;; pem backend this is the key directory; knot-activation creates the
  ;; default path at boot, and the mode it applies decides who can traverse
  ;; a directory holding private key material.
  (config knot-keystore-configuration-config
          (default "/var/lib/knot/keys/keys")))
118 | ||
(define-record-type* <knot-policy-configuration>
  knot-policy-configuration make-knot-policy-configuration
  knot-policy-configuration?
  ;; A DNSSEC signing policy, one entry of the `policy:' section (see
  ;; knot-policy-config).  A zone enables signing by naming a policy id in
  ;; its `dnssec-policy' field.
  (id knot-policy-configuration-id
      (default ""))                     ; non-empty string (verified)
  (keystore knot-policy-configuration-keystore
            (default "default"))        ; id of a <knot-keystore-configuration>
  ;; Booleans are rendered as on/off.
  (manual? knot-policy-configuration-manual?
           (default #f))
  (single-type-signing? knot-policy-configuration-single-type-signing?
                        (default #f))
  ;; Algorithm name as Knot spells it; not validated here.
  (algorithm knot-policy-configuration-algorithm
             (default "ecdsap256sha256"))
  ;; Key sizes in bits.  For ECDSA P-256 the size is fixed by the curve;
  ;; these values matter when an RSA algorithm is chosen.
  (ksk-size knot-policy-configuration-ksk-size
            (default 256))
  (zsk-size knot-policy-configuration-zsk-size
            (default 256))
  ;; The symbol `default' suppresses the `dnskey-ttl:' line entirely.
  (dnskey-ttl knot-policy-configuration-dnskey-ttl
              (default 'default))
  ;; Durations are Knot time strings ("30d", "1d", ...) passed through as-is.
  (zsk-lifetime knot-policy-configuration-zsk-lifetime
                (default "30d"))
  (propagation-delay knot-policy-configuration-propagation-delay
                     (default "1d"))
  (rrsig-lifetime knot-policy-configuration-rrsig-lifetime
                  (default "14d"))
  (rrsig-refresh knot-policy-configuration-rrsig-refresh
                 (default "7d"))
  ;; NSEC3 parameters; only meaningful when nsec3? is #t.
  (nsec3? knot-policy-configuration-nsec3?
          (default #f))
  (nsec3-iterations knot-policy-configuration-nsec3-iterations
                    (default 5))
  (nsec3-salt-length knot-policy-configuration-nsec3-salt-length
                     (default 8))
  (nsec3-salt-lifetime knot-policy-configuration-nsec3-salt-lifetime
                       (default "30d")))
154 | ||
(define-record-type* <knot-zone-configuration>
  knot-zone-configuration make-knot-zone-configuration
  knot-zone-configuration?
  ;; One entry of the `zone:' section; rendered by knot-zone-config.
  (domain knot-zone-configuration-domain
          (default ""))                 ; non-empty string (verified)
  (file knot-zone-configuration-file
        (default "")) ; the file where this zone is saved.
  ;; When `file' is "" and `master' is empty, a zone file is generated in the
  ;; store from `zone' (see serialize-zone-file).
  (zone knot-zone-configuration-zone
        (default (zone-file))) ; initial content of the zone file
  ;; Empty list: this host is the master for the zone.  Otherwise the remote
  ;; ids to transfer from, and `ddns-master' may single out the master used
  ;; for dynamic updates.
  (master knot-zone-configuration-master
          (default '()))
  (ddns-master knot-zone-configuration-ddns-master
               (default #f))
  (notify knot-zone-configuration-notify
          (default '()))                ; remote ids to send NOTIFY to
  (acl knot-zone-configuration-acl
       (default '()))                   ; ACL ids (see <knot-acl-configuration>)
  ;; Both booleans are rendered as on/off.
  (semantic-checks? knot-zone-configuration-semantic-checks?
                    (default #f))
  (disable-any? knot-zone-configuration-disable-any?
                (default #f))
  (zonefile-sync knot-zone-configuration-zonefile-sync
                 (default 0))
  ;; #f leaves DNSSEC off; a policy id emits `dnssec-signing: on' and names
  ;; the policy.
  (dnssec-policy knot-zone-configuration-dnssec-policy
                 (default #f))
  (serial-policy knot-zone-configuration-serial-policy
                 (default 'increment)))  ; symbol, printed via symbol->string
182 | ||
(define-record-type* <knot-remote-configuration>
  knot-remote-configuration make-knot-remote-configuration
  knot-remote-configuration?
  ;; One entry of the `remote:' section (see knot-remote-config): a peer
  ;; server that zones name in their `master' and `notify' fields.
  (id knot-remote-configuration-id
      (default ""))                     ; non-empty string (verified)
  (address knot-remote-configuration-address
           (default '()))               ; list of addresses; omitted when empty
  (via knot-remote-configuration-via
       (default '()))                   ; list of source addresses; omitted when empty
  ;; #f emits no `key:' line, i.e. traffic with this remote is not
  ;; authenticated by a shared key.
  (key knot-remote-configuration-key
       (default #f)))
194 | ||
(define-record-type* <knot-configuration>
  knot-configuration make-knot-configuration
  knot-configuration?
  ;; Top-level configuration of the Knot service; knot-config-file turns it
  ;; into knot.conf after verify-knot-configuration has checked it.
  (knot knot-configuration-knot
        (default knot))                 ; the knot package providing sbin/knotd
  (run-directory knot-configuration-run-directory
                 (default "/var/run/knot")) ; created at activation, becomes `rundir:'
  ;; Both listen lines are always emitted, so by default knotd binds every
  ;; IPv4 and IPv6 interface on LISTEN-PORT.
  (listen-v4 knot-configuration-listen-v4
             (default "0.0.0.0"))
  (listen-v6 knot-configuration-listen-v6
             (default "::"))
  (listen-port knot-configuration-listen-port
               (default 53))
  ;; The following lists are each validated element-wise by the matching
  ;; verify-knot-*-configuration procedure.
  (keys knot-configuration-keys
        (default '()))
  (keystores knot-configuration-keystores
             (default '()))
  (acls knot-configuration-acls
        (default '()))
  (remotes knot-configuration-remotes
           (default '()))
  (policies knot-configuration-policies
            (default '()))
  (zones knot-configuration-zones
         (default '())))
220 | ||
;; (define-zone-entries ID (NAME TTL CLASS TYPE DATA) ...) binds ID to a list
;; of <zone-entry> records.  The five elements of each tuple are passed
;; positionally to make-zone-entry, so their order must match the field
;; order of <zone-entry>.
(define-syntax define-zone-entries
  (syntax-rules ()
    ((_ id (name ttl class type data) ...)
     (define id (list (make-zone-entry name ttl class type data) ...)))))
225 | ||
(define (error-out msg)
  "Abort configuration validation by raising an SRFI-35 &message condition
whose message is MSG."
  (let ((failure (condition (&message (message msg)))))
    (raise failure)))
228 | ||
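(define (verify-knot-key-configuration key)
  "Check that KEY is a <knot-key-configuration> with a non-empty string id
and a supported HMAC algorithm (or #f).  Raises an &message condition via
error-out on the first failure."
  (unless (knot-key-configuration? key)
    (error-out "keys must be a list of only knot-key-configuration."))
  (let ((id (knot-key-configuration-id key)))
    (unless (and (string? id) (not (equal? id "")))
      (error-out "key id must be a non empty string.")))
  ;; memq takes the candidate first and the list of allowed values second.
  ;; hmac-md5 is kept for interoperability only; prefer a SHA-2 variant.
  (unless (memq (knot-key-configuration-algorithm key)
                '(#f hmac-md5 hmac-sha1 hmac-sha224 hmac-sha256 hmac-sha384 hmac-sha512))
    (error-out "algorithm must be one of: #f, 'hmac-md5, 'hmac-sha1,
'hmac-sha224, 'hmac-sha256, 'hmac-sha384 or 'hmac-sha512")))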
239 | ||
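(define (verify-knot-keystore-configuration keystore)
  "Check that KEYSTORE is a <knot-keystore-configuration> with a non-empty
string id and a backend of `pem' or `pkcs11'.  Raises via error-out."
  (unless (knot-keystore-configuration? keystore)
    (error-out "keystores must be a list of only knot-keystore-configuration."))
  (let ((id (knot-keystore-configuration-id keystore)))
    (unless (and (string? id) (not (equal? id "")))
      (error-out "keystore id must be a non empty string.")))
  ;; memq takes the candidate first and the list of allowed values second.
  (unless (memq (knot-keystore-configuration-backend keystore)
                '(pem pkcs11))
    (error-out "backend must be one of: 'pem or 'pkcs11")))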
249 | ||
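(define (verify-knot-policy-configuration policy)
  "Check that POLICY is a <knot-policy-configuration> with a non-empty string
id.  Raises via error-out otherwise."
  ;; The type test must use the policy predicate: testing with the keystore
  ;; predicate rejects every genuine policy record.
  (unless (knot-policy-configuration? policy)
    (error-out "policies must be a list of only knot-policy-configuration."))
  (let ((id (knot-policy-configuration-id policy)))
    (unless (and (string? id) (not (equal? id "")))
      (error-out "policy id must be a non empty string."))))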
256 | ||
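(define (verify-knot-acl-configuration acl)
  "Check that ACL is a <knot-acl-configuration> whose id is a non-empty
string, whose address field is a list of strings and whose deny? field is a
boolean.  key and action are not validated.  Raises via error-out."
  (unless (knot-acl-configuration? acl)
    (error-out "acls must be a list of only knot-acl-configuration."))
  (let ((id (knot-acl-configuration-id acl))
        (address (knot-acl-configuration-address acl)))
    (unless (and (string? id) (not (equal? id "")))
      (error-out "acl id must be a non empty string."))
    ;; `every' (SRFI-1) is #t for the empty default and checks each element
    ;; independently; folding a boolean accumulator through string? would
    ;; reject any list with two or more addresses.
    (unless (and (list? address) (every string? address))
      (error-out "acl address must be a list of strings.")))
  (unless (boolean? (knot-acl-configuration-deny? acl))
    (error-out "deny? must be #t or #f.")))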
271 | ||
(define (verify-knot-zone-configuration zone)
  "Check that ZONE is a <knot-zone-configuration> with a non-empty string
domain.  Raises via error-out on failure."
  (unless (knot-zone-configuration? zone)
    (error-out "zones must be a list of only knot-zone-configuration."))
  (let ((domain (knot-zone-configuration-domain zone)))
    (when (or (not (string? domain)) (equal? domain ""))
      (error-out "zone domain must be a non empty string."))))
278 | ||
(define (verify-knot-remote-configuration remote)
  "Check that REMOTE is a <knot-remote-configuration> with a non-empty
string id.  Raises via error-out on failure."
  (unless (knot-remote-configuration? remote)
    (error-out "remotes must be a list of only knot-remote-configuration."))
  (let ((id (knot-remote-configuration-id remote)))
    (when (or (not (string? id)) (equal? id ""))
      (error-out "remote id must be a non empty string."))))
285 | ||
(define (verify-knot-configuration config)
  "Validate CONFIG, a <knot-configuration>, together with every nested
record.  Each list field is first checked to be a list (with its own error
message), then each element is handed to the per-record verifier.  Returns
#t when everything passes; otherwise error-out raises an &message condition
at the first problem."
  (define (verify-list! items not-a-list-msg verify-one)
    (unless (list? items)
      (error-out not-a-list-msg))
    (for-each verify-one items))

  (unless (package? (knot-configuration-knot config))
    (error-out "knot configuration field must be a package."))
  (unless (string? (knot-configuration-run-directory config))
    (error-out "run-directory must be a string."))
  ;; Same order as before: keys, keystores, acls, zones, policies, remotes.
  (verify-list! (knot-configuration-keys config)
                "keys must be a list of knot-key-configuration."
                verify-knot-key-configuration)
  (verify-list! (knot-configuration-keystores config)
                "keystores must be a list of knot-keystore-configuration."
                verify-knot-keystore-configuration)
  (verify-list! (knot-configuration-acls config)
                "acls must be a list of knot-acl-configuration."
                verify-knot-acl-configuration)
  (verify-list! (knot-configuration-zones config)
                "zones must be a list of knot-zone-configuration."
                verify-knot-zone-configuration)
  (verify-list! (knot-configuration-policies config)
                "policies must be a list of knot-policy-configuration."
                verify-knot-policy-configuration)
  (verify-list! (knot-configuration-remotes config)
                "remotes must be a list of knot-remote-configuration."
                verify-knot-remote-configuration)
  #t)
316 | ||
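(define (format-string-list l)
  "Format L, a list of strings and/or symbols, as a YAML flow sequence such
as \"[a, b]\".  Symbols are converted with symbol->string; the empty list
yields \"\", which callers use to skip the key altogether."
  (define (->string x)
    (if (symbol? x) (symbol->string x) x))
  (if (null? l)
      ""
      ;; string-join treats the one-element list like any other, so a lone
      ;; symbol is converted too instead of reaching string-append unchanged.
      (string-append "[" (string-join (map ->string l) ", ") "]")))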
329 | ||
(define (knot-acl-config acls)
  "Serialize ACLS, a list of <knot-acl-configuration>, as the body of the
`acl:' section of knot.conf.  Empty list-valued fields produce no line."
  (define (acl->string acl)
    (let ((id (knot-acl-configuration-id acl))
          (address (knot-acl-configuration-address acl))
          (key (knot-acl-configuration-key acl))
          (action (knot-acl-configuration-action acl))
          (deny? (knot-acl-configuration-deny? acl)))
      ;; NOTE(review): Knot reads a YAML-like file, so the address/key/action
      ;; lines must be indented deeper than the `- id' item they belong to;
      ;; confirm the leading whitespace of these literals.
      (string-append
       (format #f " - id: ~a\n" id)
       (if (null? address)
           ""
           (format #f " address: ~a\n" (format-string-list address)))
       (if (null? key)
           ""
           (format #f " key: ~a\n" (format-string-list key)))
       (if (null? action)
           ""
           (format #f " action: ~a\n" (format-string-list action)))
       (format #f " deny: ~a\n" (if deny? "on" "off")))))
  (string-concatenate (map acl->string acls)))
349 | ||
(define (knot-key-config keys)
  "Serialize KEYS, a list of <knot-key-configuration>, as the body of the
`key:' section of knot.conf.  The algorithm line is emitted only when one
is set.  The secret is written in clear; knot.conf ends up in the store
(see knot-config-file), where every local user can read it."
  (define (key->string key)
    (let ((id (knot-key-configuration-id key))
          (algorithm (knot-key-configuration-algorithm key))
          (secret (knot-key-configuration-secret key)))
      (string-append
       (format #f " - id: ~a\n" id)
       (if algorithm
           (format #f " algorithm: ~a\n" (symbol->string algorithm))
           "")
       (format #f " secret: ~a\n" secret))))
  (string-concatenate (map key->string keys)))
363 | ||
(define (knot-keystore-config keystores)
  "Serialize KEYSTORES, a list of <knot-keystore-configuration>, as the body
of the `keystore:' section of knot.conf."
  (define (keystore->string keystore)
    (string-append
     (format #f " - id: ~a\n" (knot-keystore-configuration-id keystore))
     (format #f " backend: ~a\n"
             (symbol->string (knot-keystore-configuration-backend keystore)))
     ;; The value is wrapped in double quotes but not escaped; a config
     ;; string containing a double quote would break the generated file.
     (format #f " config: \"~a\"\n"
             (knot-keystore-configuration-config keystore))))
  (string-concatenate (map keystore->string keystores)))
376 | ||
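(define (knot-policy-config policies)
  "Serialize POLICIES, a list of <knot-policy-configuration>, as the body of
the `policy:' section of knot.conf.  Booleans become on/off, sizes and
counts are printed as decimal numbers, and dnskey-ttl is left out when it
is the symbol `default' so Knot applies its own default."
  (define (on/off flag)
    (if flag "on" "off"))
  (define (policy->string policy)
    (let ((id (knot-policy-configuration-id policy))
          (keystore (knot-policy-configuration-keystore policy))
          (manual? (knot-policy-configuration-manual? policy))
          (single-type-signing?
           (knot-policy-configuration-single-type-signing? policy))
          (algorithm (knot-policy-configuration-algorithm policy))
          (ksk-size (knot-policy-configuration-ksk-size policy))
          (zsk-size (knot-policy-configuration-zsk-size policy))
          (dnskey-ttl (knot-policy-configuration-dnskey-ttl policy))
          (zsk-lifetime (knot-policy-configuration-zsk-lifetime policy))
          (propagation-delay
           (knot-policy-configuration-propagation-delay policy))
          (rrsig-lifetime (knot-policy-configuration-rrsig-lifetime policy))
          (rrsig-refresh (knot-policy-configuration-rrsig-refresh policy))
          (nsec3? (knot-policy-configuration-nsec3? policy))
          (nsec3-iterations
           (knot-policy-configuration-nsec3-iterations policy))
          (nsec3-salt-length
           (knot-policy-configuration-nsec3-salt-length policy))
          (nsec3-salt-lifetime
           (knot-policy-configuration-nsec3-salt-lifetime policy)))
      (string-append
       (format #f " - id: ~a\n" id)
       (format #f " keystore: ~a\n" keystore)
       (format #f " manual: ~a\n" (on/off manual?))
       (format #f " single-type-signing: ~a\n" (on/off single-type-signing?))
       (format #f " algorithm: ~a\n" algorithm)
       (format #f " ksk-size: ~a\n" (number->string ksk-size))
       (format #f " zsk-size: ~a\n" (number->string zsk-size))
       (if (eq? dnskey-ttl 'default)
           ""
           (format #f " dnskey-ttl: ~a\n" dnskey-ttl))
       (format #f " zsk-lifetime: ~a\n" zsk-lifetime)
       (format #f " propagation-delay: ~a\n" propagation-delay)
       (format #f " rrsig-lifetime: ~a\n" rrsig-lifetime)
       ;; The record carries rrsig-refresh; emit it so a user's setting
       ;; actually reaches Knot.
       (format #f " rrsig-refresh: ~a\n" rrsig-refresh)
       (format #f " nsec3: ~a\n" (on/off nsec3?))
       (format #f " nsec3-iterations: ~a\n" (number->string nsec3-iterations))
       (format #f " nsec3-salt-length: ~a\n" (number->string nsec3-salt-length))
       (format #f " nsec3-salt-lifetime: ~a\n" nsec3-salt-lifetime))))
  (string-concatenate (map policy->string policies)))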
423 | ||
(define (knot-remote-config remotes)
  "Serialize REMOTES, a list of <knot-remote-configuration>, as the body of
the `remote:' section of knot.conf.  address and via appear only when
non-empty; key only when set."
  (define (remote->string remote)
    (let ((id (knot-remote-configuration-id remote))
          (address (knot-remote-configuration-address remote))
          (via (knot-remote-configuration-via remote))
          (key (knot-remote-configuration-key remote)))
      (string-append
       (format #f " - id: ~a\n" id)
       (if (null? address)
           ""
           (format #f " address: ~a\n" (format-string-list address)))
       (if (null? via)
           ""
           (format #f " via: ~a\n" (format-string-list via)))
       (if key
           (format #f " key: ~a\n" key)
           ""))))
  (string-concatenate (map remote->string remotes)))
441 | ||
(define (serialize-zone-entries entries)
  "Render ENTRIES, a list of <zone-entry>, as zone-file lines: name, ttl,
class, type and data separated by single spaces, one record per line."
  (string-concatenate
   (map (lambda (entry)
          (format #f "~a ~a ~a ~a ~a\n"
                  (zone-entry-name entry)
                  (zone-entry-ttl entry)
                  (zone-entry-class entry)
                  (zone-entry-type entry)
                  (zone-entry-data entry)))
        entries)))
454 | ||
;; Return a computed-file named DOMAIN.zone whose content is built from ZONE,
;; a <zone-file>: a $ORIGIN line, one SOA record and the serialized entries.
;; All fields are evaluated on the host side and spliced into the build
;; script as literals.  The origin is taken from ZONE, not from DOMAIN,
;; which only names the store item.
(define (serialize-zone-file zone domain)
  (computed-file (string-append domain ".zone")
    #~(begin
        (call-with-output-file #$output
          (lambda (port)
            (format port "$ORIGIN ~a.\n"
                    #$(zone-file-origin zone))
            ;; SOA: MNAME RNAME (serial refresh retry expiry nx).
            (format port "@ IN SOA ~a ~a (~a ~a ~a ~a ~a)\n"
                    #$(zone-file-ns zone)
                    #$(zone-file-mail zone)
                    #$(zone-file-serial zone)
                    #$(zone-file-refresh zone)
                    #$(zone-file-retry zone)
                    #$(zone-file-expiry zone)
                    #$(zone-file-nx zone))
            (format port "~a\n"
                    #$(serialize-zone-entries (zone-file-entries zone))))))))
472 | ||
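(define (knot-zone-config zone)
  "Return a G-expression that evaluates, at build time, to the `zone:' list
entry for ZONE, a <knot-zone-configuration>, as a string.  With no master
this host is authoritative: the `file' field is used, or a zone file is
generated from `zone' when it is empty.  With masters the zone is a slave
and the master list (plus an optional ddns-master) is emitted instead."
  (let ((content (knot-zone-configuration-zone zone))
        (domain (knot-zone-configuration-domain zone))
        (file (knot-zone-configuration-file zone)))
    #~(with-output-to-string
        (lambda ()
          ;; Lists and ids are staged quoted so that symbol members stay data
          ;; instead of being evaluated as variables on the build side.
          (let ((master '#$(knot-zone-configuration-master zone))
                (ddns-master '#$(knot-zone-configuration-ddns-master zone))
                (notify '#$(knot-zone-configuration-notify zone))
                (acl '#$(knot-zone-configuration-acl zone))
                (semantic-checks? #$(knot-zone-configuration-semantic-checks? zone))
                (disable-any? #$(knot-zone-configuration-disable-any? zone))
                (dnssec-policy '#$(knot-zone-configuration-dnssec-policy zone))
                (serial-policy '#$(knot-zone-configuration-serial-policy zone)))
            (format #t " - domain: ~a\n" #$domain)
            (if (null? master)
                ;; This server is a master.  The zone file is only generated
                ;; (host side) when no existing file is named.
                (format #t " file: ~a\n"
                        #$(if (equal? file "")
                              (serialize-zone-file content domain)
                              file))
                ;; This server is a slave (has masters).
                (begin
                  (format #t " master: ~a\n"
                          #$(format-string-list
                             (knot-zone-configuration-master zone)))
                  ;; Knot's syntax is `key: value', so the colon is required.
                  (if ddns-master
                      (format #t " ddns-master: ~a\n" ddns-master))))
            (unless (null? notify)
              (format #t " notify: ~a\n"
                      #$(format-string-list
                         (knot-zone-configuration-notify zone))))
            (unless (null? acl)
              (format #t " acl: ~a\n"
                      #$(format-string-list
                         (knot-zone-configuration-acl zone))))
            (format #t " semantic-checks: ~a\n" (if semantic-checks? "on" "off"))
            (format #t " disable-any: ~a\n" (if disable-any? "on" "off"))
            (if dnssec-policy
                (begin
                  (format #t " dnssec-signing: on\n")
                  (format #t " dnssec-policy: ~a\n" dnssec-policy)))
            (format #t " serial-policy: ~a\n"
                    (symbol->string serial-policy)))))))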
517 | ||
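(define (knot-config-file config)
  "Validate CONFIG and return a computed-file that builds knot.conf from it.
Every section body is rendered on the host side and spliced in as a string,
so the resulting file holds the key secrets in clear; being a store item it
is readable by every local user.  Keep that in mind when choosing secrets."
  (verify-knot-configuration config)
  (computed-file "knot.conf"
    #~(begin
        (call-with-output-file #$output
          (lambda (port)
            (format port "server:\n")
            (format port " rundir: ~a\n" #$(knot-configuration-run-directory config))
            ;; knotd is started as root (see knot-shepherd-service) and is
            ;; expected to drop to this user itself.
            (format port " user: knot\n")
            (format port " listen: ~a@~a\n"
                    #$(knot-configuration-listen-v4 config)
                    #$(knot-configuration-listen-port config))
            (format port " listen: ~a@~a\n"
                    #$(knot-configuration-listen-v6 config)
                    #$(knot-configuration-listen-port config))
            ;; Pre-rendered sections go through "~a" rather than being used
            ;; as the format control string, so a `~' inside an id, address
            ;; or secret cannot be taken for a directive.
            (format port "\nkey:\n")
            (format port "~a" #$(knot-key-config (knot-configuration-keys config)))
            (format port "\nkeystore:\n")
            (format port "~a" #$(knot-keystore-config (knot-configuration-keystores config)))
            (format port "\nacl:\n")
            (format port "~a" #$(knot-acl-config (knot-configuration-acls config)))
            (format port "\nremote:\n")
            (format port "~a" #$(knot-remote-config (knot-configuration-remotes config)))
            (format port "\npolicy:\n")
            (format port "~a" #$(knot-policy-config (knot-configuration-policies config)))
            ;; The emptiness test is decided on the host and staged as #t/#f.
            (unless #$(null? (knot-configuration-zones config))
              (format port "\nzone:\n")
              (format port "~a\n"
                      (string-concatenate
                       (list #$@(map knot-zone-config
                                     (knot-configuration-zones config)))))))))))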
549 | ||
;; The unprivileged system group and user that knot.conf's `user: knot'
;; line refers to and that owns the directories created by knot-activation.
;; The account has no usable home (/var/empty) and a nologin shell, so it
;; cannot be used interactively.
(define %knot-accounts
  (list (user-group (name "knot") (system? #t))
        (user-account
         (name "knot")
         (group "knot")
         (system? #t)
         (comment "knot dns server user")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))))
559 | ||
(define (knot-activation config)
  "Return a G-expression that creates Knot's run directory and key
directories at boot, owned by the knot user with mode #o755.
/var/lib/knot/keys/keys is the default keystore path (see
<knot-keystore-configuration>), i.e. it holds DNSSEC private key material;
#o755 lets any local user traverse and list it, so only whatever permissions
Knot itself applies to the key files protect them."
  #~(begin
      (use-modules (guix build utils))
      (define (mkdir-p/perms directory owner perms)
        (mkdir-p directory)
        (chown directory (passwd:uid owner) (passwd:gid owner))
        (chmod directory perms))
      (let ((knot-user (getpwnam "knot")))
        (for-each (lambda (directory)
                    (mkdir-p/perms directory knot-user #o755))
                  (list #$(knot-configuration-run-directory config)
                        "/var/lib/knot"
                        "/var/lib/knot/keys"
                        "/var/lib/knot/keys/keys")))))
572 | ||
(define (knot-shepherd-service config)
  "Return the list of Shepherd services that run knotd from the package and
configuration file derived from CONFIG.  Building the configuration file
also validates CONFIG (see knot-config-file)."
  (define config-file (knot-config-file config))
  (define knot (knot-configuration-knot config))
  ;; No #:user is given: knotd starts as root and privilege dropping relies
  ;; on the `user: knot' line written into knot.conf.
  (list (shepherd-service
         (documentation "Run the Knot DNS daemon.")
         (provision '(knot dns))
         (requirement '(networking))
         (start #~(make-forkexec-constructor
                   (list (string-append #$knot "/sbin/knotd")
                         "-c" #$config-file)))
         (stop #~(make-kill-destructor)))))
584 | ||
;; The Knot DNS service: wires the Shepherd service, the directory creation
;; done at activation and the knot user/group into the operating system.
(define knot-service-type
  (service-type (name 'knot)
                (extensions
                 (list (service-extension shepherd-root-service-type
                                          knot-shepherd-service)
                       (service-extension activation-service-type
                                          knot-activation)
                       (service-extension account-service-type
                                          (const %knot-accounts))))))