Merge branch 'master' into core-updates
1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2017 Julien Lepiller <julien@lepiller.eu>
3 ;;;
4 ;;; This file is part of GNU Guix.
5 ;;;
6 ;;; GNU Guix is free software; you can redistribute it and/or modify it
7 ;;; under the terms of the GNU General Public License as published by
8 ;;; the Free Software Foundation; either version 3 of the License, or (at
9 ;;; your option) any later version.
10 ;;;
11 ;;; GNU Guix is distributed in the hope that it will be useful, but
12 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
13 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 ;;; GNU General Public License for more details.
15 ;;;
16 ;;; You should have received a copy of the GNU General Public License
17 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
18
19 (define-module (gnu services dns)
20 #:use-module (gnu services)
21 #:use-module (gnu services configuration)
22 #:use-module (gnu services shepherd)
23 #:use-module (gnu system shadow)
24 #:use-module (gnu packages admin)
25 #:use-module (gnu packages dns)
26 #:use-module (guix packages)
27 #:use-module (guix records)
28 #:use-module (guix gexp)
29 #:use-module (srfi srfi-1)
30 #:use-module (srfi srfi-34)
31 #:use-module (srfi srfi-35)
32 #:use-module (ice-9 match)
33 #:use-module (ice-9 regex)
34 #:export (knot-service-type
35 knot-acl-configuration
36 knot-key-configuration
37 knot-keystore-configuration
38 knot-zone-configuration
39 knot-remote-configuration
40 knot-policy-configuration
41 knot-configuration
42 define-zone-entries
43 zone-file
44 zone-entry))
45
46 ;;;
47 ;;; Knot DNS.
48 ;;;
49
;; A TSIG key.  knot-key-config serializes these records into the text that
;; knot-config-file writes under the "key:" heading of knot.conf.
(define-record-type* <knot-key-configuration>
  knot-key-configuration make-knot-key-configuration
  knot-key-configuration?
  ;; Name of the key; verify-knot-key-configuration requires a non-empty
  ;; string.
  (id        knot-key-configuration-id
             (default ""))
  ;; Either #f or an algorithm name given as a symbol.
  ;; NOTE(review): hmac-md5 and hmac-sha1 are among the accepted names but
  ;; are legacy choices; prefer hmac-sha256 or stronger for new keys.
  (algorithm knot-key-configuration-algorithm
             (default #f))
  ;; Shared secret, copied as-is into the generated configuration text.
  (secret    knot-key-configuration-secret
             (default "")))
59
;; One access-control rule, serialized by knot-acl-config.
(define-record-type* <knot-acl-configuration>
  knot-acl-configuration make-knot-acl-configuration
  knot-acl-configuration?
  ;; Rule name; must be a non-empty string.
  (id      knot-acl-configuration-id
           (default ""))
  ;; List of address strings the rule matches; omitted from the output when
  ;; empty.
  (address knot-acl-configuration-address
           (default '()))
  ;; List of key names the rule matches; omitted from the output when empty.
  (key     knot-acl-configuration-key
           (default '()))
  ;; List of actions covered by the rule; omitted from the output when empty.
  (action  knot-acl-configuration-action
           (default '()))
  ;; Boolean: #t is written as "deny: on", #f as "deny: off".
  (deny?   knot-acl-configuration-deny?
           (default #f)))
73
;; A single resource record of a zone.  serialize-zone-entries prints the
;; five fields, in this order, separated by spaces.
(define-record-type* <zone-entry>
  zone-entry make-zone-entry
  zone-entry?
  ;; Owner name; "@" by default.
  (name  zone-entry-name
         (default "@"))
  ;; TTL column; the empty default leaves the column blank.
  (ttl   zone-entry-ttl
         (default ""))
  ;; Record class.
  (class zone-entry-class
         (default "IN"))
  ;; Record type.
  (type  zone-entry-type
         (default "A"))
  ;; Record data, printed without any escaping.
  (data  zone-entry-data
         (default "")))
87
;; Contents of a zone file generated by serialize-zone-file: the $ORIGIN
;; line, the SOA record built from the fields below, then the entries.
(define-record-type* <zone-file>
  zone-file make-zone-file
  zone-file?
  ;; List of zone-entry records appended after the SOA record.
  (entries zone-file-entries
           (default '()))
  ;; Printed as "$ORIGIN <origin>." (the trailing dot is added on output).
  (origin  zone-file-origin
           (default ""))
  ;; First name in the SOA record.
  (ns      zone-file-ns
           (default "ns"))
  ;; Second name in the SOA record.
  (mail    zone-file-mail
           (default "hostmaster"))
  ;; The five values inside the SOA parentheses, in output order.
  (serial  zone-file-serial
           (default 1))
  (refresh zone-file-refresh
           (default "2d"))
  (retry   zone-file-retry
           (default "15m"))
  (expiry  zone-file-expiry
           (default "2w"))
  (nx      zone-file-nx
           (default "1h")))
;; A key store, serialized by knot-keystore-config.
(define-record-type* <knot-keystore-configuration>
  knot-keystore-configuration make-knot-keystore-configuration
  knot-keystore-configuration?
  ;; Keystore name; must be a non-empty string.
  (id      knot-keystore-configuration-id
           (default ""))
  ;; Backend given as a symbol; the verifier's error message names 'pem and
  ;; 'pkcs11.
  (backend knot-keystore-configuration-backend
           (default 'pem))
  ;; Backend configuration string, written between double quotes.  The
  ;; default is one of the directories that knot-activation creates.
  (config  knot-keystore-configuration-config
           (default "/var/lib/knot/keys/keys")))
118
;; A DNSSEC signing policy, serialized by knot-policy-config.
(define-record-type* <knot-policy-configuration>
  knot-policy-configuration make-knot-policy-configuration
  knot-policy-configuration?
  ;; Policy name; must be a non-empty string.
  (id                   knot-policy-configuration-id
                        (default ""))
  ;; Name of the keystore used by this policy.
  (keystore             knot-policy-configuration-keystore
                        (default "default"))
  ;; Booleans, written as "on" / "off".
  (manual?              knot-policy-configuration-manual?
                        (default #f))
  (single-type-signing? knot-policy-configuration-single-type-signing?
                        (default #f))
  ;; Signing algorithm name and key sizes (sizes are numbers).
  (algorithm            knot-policy-configuration-algorithm
                        (default "ecdsap256sha256"))
  (ksk-size             knot-policy-configuration-ksk-size
                        (default 256))
  (zsk-size             knot-policy-configuration-zsk-size
                        (default 256))
  ;; The symbol 'default suppresses the dnskey-ttl line in the output.
  (dnskey-ttl           knot-policy-configuration-dnskey-ttl
                        (default 'default))
  ;; Time values, written as given.
  (zsk-lifetime         knot-policy-configuration-zsk-lifetime
                        (default "30d"))
  (propagation-delay    knot-policy-configuration-propagation-delay
                        (default "1d"))
  (rrsig-lifetime       knot-policy-configuration-rrsig-lifetime
                        (default "14d"))
  (rrsig-refresh        knot-policy-configuration-rrsig-refresh
                        (default "7d"))
  ;; NSEC3 settings; the boolean is written as "on" / "off".
  ;; NOTE(review): RFC 9276 recommends zero additional iterations and no
  ;; salt; review these defaults before enabling nsec3?.
  (nsec3?               knot-policy-configuration-nsec3?
                        (default #f))
  (nsec3-iterations     knot-policy-configuration-nsec3-iterations
                        (default 5))
  (nsec3-salt-length    knot-policy-configuration-nsec3-salt-length
                        (default 8))
  (nsec3-salt-lifetime  knot-policy-configuration-nsec3-salt-lifetime
                        (default "30d")))
154
;; One served zone, serialized by knot-zone-config.
(define-record-type* <knot-zone-configuration>
  knot-zone-configuration make-knot-zone-configuration
  knot-zone-configuration?
  ;; Zone name; must be a non-empty string.
  (domain           knot-zone-configuration-domain
                    (default ""))
  ;; The file where this zone is saved.  When empty and the zone has no
  ;; master, a zone file is generated from the zone field instead.
  (file             knot-zone-configuration-file
                    (default ""))
  ;; Initial content of the zone file.
  (zone             knot-zone-configuration-zone
                    (default (zone-file)))
  ;; List of masters; a non-empty list makes this server a slave for the zone.
  (master           knot-zone-configuration-master
                    (default '()))
  ;; #f, or the value written on the ddns-master line (slave zones only).
  (ddns-master      knot-zone-configuration-ddns-master
                    (default #f))
  ;; Lists written on the notify and acl lines; omitted when empty.
  (notify           knot-zone-configuration-notify
                    (default '()))
  (acl              knot-zone-configuration-acl
                    (default '()))
  ;; Booleans, written as "on" / "off".
  (semantic-checks? knot-zone-configuration-semantic-checks?
                    (default #f))
  (disable-any?     knot-zone-configuration-disable-any?
                    (default #f))
  (zonefile-sync    knot-zone-configuration-zonefile-sync
                    (default 0))
  ;; #f, or a policy name; a non-#f value also turns dnssec-signing on.
  (dnssec-policy    knot-zone-configuration-dnssec-policy
                    (default #f))
  ;; Symbol, written with symbol->string.
  (serial-policy    knot-zone-configuration-serial-policy
                    (default 'increment)))
182
;; A remote server, serialized by knot-remote-config.
(define-record-type* <knot-remote-configuration>
  knot-remote-configuration make-knot-remote-configuration
  knot-remote-configuration?
  ;; Remote name; must be a non-empty string.
  (id      knot-remote-configuration-id
           (default ""))
  ;; Lists written on the address and via lines; omitted when empty.
  (address knot-remote-configuration-address
           (default '()))
  (via     knot-remote-configuration-via
           (default '()))
  ;; #f, or the value written on the key line.
  (key     knot-remote-configuration-key
           (default #f)))
194
;; Top-level configuration of the Knot service.
(define-record-type* <knot-configuration>
  knot-configuration make-knot-configuration
  knot-configuration?
  ;; The package providing sbin/knotd.
  (knot          knot-configuration-knot
                 (default knot))
  ;; Written as rundir in the server section and created at activation.
  (run-directory knot-configuration-run-directory
                 (default "/var/run/knot"))
  ;; Listening addresses and port.  The defaults are the IPv4 and IPv6
  ;; wildcard addresses, so the daemon listens on every interface unless
  ;; these are narrowed.
  (listen-v4     knot-configuration-listen-v4
                 (default "0.0.0.0"))
  (listen-v6     knot-configuration-listen-v6
                 (default "::"))
  (listen-port   knot-configuration-listen-port
                 (default 53))
  ;; Lists of the corresponding *-configuration records.
  (keys          knot-configuration-keys
                 (default '()))
  (keystores     knot-configuration-keystores
                 (default '()))
  (acls          knot-configuration-acls
                 (default '()))
  (remotes       knot-configuration-remotes
                 (default '()))
  (policies      knot-configuration-policies
                 (default '()))
  (zones         knot-configuration-zones
                 (default '())))
220
;; (define-zone-entries ID (NAME TTL CLASS TYPE DATA) ...) defines ID as a
;; list holding one zone-entry per five-element clause, built with the
;; positional constructor make-zone-entry.
(define-syntax-rule (define-zone-entries var (owner lifetime cls kind rdata) ...)
  (define var
    (list (make-zone-entry owner lifetime cls kind rdata) ...)))
225
(define (error-out msg)
  "Raise a &message condition whose message field is MSG."
  (let ((failure (make-condition &message 'message msg)))
    (raise failure)))
228
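(define (verify-knot-key-configuration key)
  "Raise a &message condition unless KEY is a knot-key-configuration record
with a non-empty string id and an algorithm from the supported set."
  (unless (knot-key-configuration? key)
    (error-out "keys must be a list of only knot-key-configuration."))
  (let ((id (knot-key-configuration-id key)))
    (unless (and (string? id) (not (equal? id "")))
      (error-out "key id must be a non empty string.")))
  ;; memq takes the element first and the list second; with the arguments the
  ;; other way round the algorithm is never compared against the allowed set.
  (unless (memq (knot-key-configuration-algorithm key)
                '(#f hmac-md5 hmac-sha1 hmac-sha224 hmac-sha256 hmac-sha384 hmac-sha512))
    (error-out "algorithm must be one of: #f, 'hmac-md5, 'hmac-sha1,
'hmac-sha224, 'hmac-sha256, 'hmac-sha384 or 'hmac-sha512")))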
239
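(define (verify-knot-keystore-configuration keystore)
  "Raise a &message condition unless KEYSTORE is a
knot-keystore-configuration record with a non-empty string id and a backend
of 'pem or 'pkcs11."
  (unless (knot-keystore-configuration? keystore)
    (error-out "keystores must be a list of only knot-keystore-configuration."))
  (let ((id (knot-keystore-configuration-id keystore)))
    (unless (and (string? id) (not (equal? id "")))
      (error-out "keystore id must be a non empty string.")))
  ;; memq takes the element first and the list second; with the arguments the
  ;; other way round the backend is never compared against the allowed set.
  (unless (memq (knot-keystore-configuration-backend keystore)
                '(pem pkcs11))
    (error-out "backend must be one of: 'pem or 'pkcs11")))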
249
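(define (verify-knot-policy-configuration policy)
  "Raise a &message condition unless POLICY is a knot-policy-configuration
record with a non-empty string id."
  ;; Test with the policy predicate: the keystore predicate rejects every
  ;; valid policy record and would accept a keystore record in its place.
  (unless (knot-policy-configuration? policy)
    (error-out "policies must be a list of only knot-policy-configuration."))
  (let ((id (knot-policy-configuration-id policy)))
    (unless (and (string? id) (not (equal? id "")))
      (error-out "policy id must be a non empty string."))))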
256
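(define (verify-knot-acl-configuration acl)
  "Raise a &message condition unless ACL is a knot-acl-configuration record
with a non-empty string id, a list of strings as address and a boolean deny?
field.  The key and action fields are not checked here."
  (unless (knot-acl-configuration? acl)
    (error-out "acls must be a list of only knot-acl-configuration."))
  (let ((id (knot-acl-configuration-id acl))
        (address (knot-acl-configuration-address acl)))
    (unless (and (string? id) (not (equal? id "")))
      (error-out "acl id must be a non empty string."))
    ;; Check each element on its own.  Folding (and (string? x1) (string? x2))
    ;; feeds the boolean result back in as x2, which rejects every list of
    ;; two or more addresses.
    (unless (and (list? address) (every string? address))
      (error-out "acl address must be a list of strings.")))
  (unless (boolean? (knot-acl-configuration-deny? acl))
    (error-out "deny? must be #t or #f.")))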
271
(define (verify-knot-zone-configuration zone)
  "Raise a &message condition unless ZONE is a knot-zone-configuration record
whose domain is a non-empty string.  No other field is checked."
  (cond
   ((not (knot-zone-configuration? zone))
    (error-out "zones must be a list of only knot-zone-configuration."))
   (else
    (let ((zone-name (knot-zone-configuration-domain zone)))
      (unless (and (string? zone-name) (not (string-null? zone-name)))
        (error-out "zone domain must be a non empty string."))))))
278
(define (verify-knot-remote-configuration remote)
  "Raise a &message condition unless REMOTE is a knot-remote-configuration
record whose id is a non-empty string.  No other field is checked."
  (cond
   ((not (knot-remote-configuration? remote))
    (error-out "remotes must be a list of only knot-remote-configuration."))
   (else
    (let ((remote-id (knot-remote-configuration-id remote)))
      (unless (and (string? remote-id) (not (string-null? remote-id)))
        (error-out "remote id must be a non empty string."))))))
285
(define (verify-knot-configuration config)
  "Check CONFIG and every record it contains, raising a &message condition on
the first problem found; return #t otherwise.  The listen-v4, listen-v6 and
listen-port fields are not checked."
  (unless (package? (knot-configuration-knot config))
    (error-out "knot configuration field must be a package."))
  (unless (string? (knot-configuration-run-directory config))
    (error-out "run-directory must be a string."))
  ;; Each section: first make sure the field is a list, then verify its
  ;; elements one by one.  The section order decides which error is reported
  ;; first.
  (let ((keys (knot-configuration-keys config)))
    (unless (list? keys)
      (error-out "keys must be a list of knot-key-configuration."))
    (for-each verify-knot-key-configuration keys))
  (let ((keystores (knot-configuration-keystores config)))
    (unless (list? keystores)
      (error-out "keystores must be a list of knot-keystore-configuration."))
    (for-each verify-knot-keystore-configuration keystores))
  (let ((acls (knot-configuration-acls config)))
    (unless (list? acls)
      (error-out "acls must be a list of knot-acl-configuration."))
    (for-each verify-knot-acl-configuration acls))
  (let ((zones (knot-configuration-zones config)))
    (unless (list? zones)
      (error-out "zones must be a list of knot-zone-configuration."))
    (for-each verify-knot-zone-configuration zones))
  (let ((policies (knot-configuration-policies config)))
    (unless (list? policies)
      (error-out "policies must be a list of knot-policy-configuration."))
    (for-each verify-knot-policy-configuration policies))
  (let ((remotes (knot-configuration-remotes config)))
    (unless (list? remotes)
      (error-out "remotes must be a list of knot-remote-configuration."))
    (for-each verify-knot-remote-configuration remotes))
  #t)
316
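(define (format-string-list l)
  "Format L, a list of strings and/or symbols, as a bracketed list separated
by a comma and a space, keeping the order of L.  Return the empty string when
L is empty.  Items are emitted as they are, without quoting or escaping."
  (if (null? l)
      ""
      (string-append
       "["
       ;; Convert every item before joining, so that a list holding a single
       ;; symbol is handled as well (string-append rejects a bare symbol).
       (string-join (map (lambda (item)
                           (if (symbol? item) (symbol->string item) item))
                         l)
                    ", ")
       "]")))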
329
(define (knot-acl-config acls)
  "Return a string with one entry per knot-acl-configuration record in ACLS.
The address, key and action lines are left out when the matching list is
empty; the deny line is always written."
  ;; NOTE(review): the leading whitespace inside the format strings looks
  ;; collapsed in this listing; check the indentation against the original.
  (with-output-to-string
    (lambda ()
      (for-each
       (lambda (rule)
         (let ((addresses (knot-acl-configuration-address rule))
               (key-names (knot-acl-configuration-key rule))
               (actions (knot-acl-configuration-action rule)))
           (format #t " - id: ~a\n" (knot-acl-configuration-id rule))
           (unless (null? addresses)
             (format #t " address: ~a\n" (format-string-list addresses)))
           (unless (null? key-names)
             (format #t " key: ~a\n" (format-string-list key-names)))
           (unless (null? actions)
             (format #t " action: ~a\n" (format-string-list actions)))
           (format #t " deny: ~a\n"
                   (if (knot-acl-configuration-deny? rule) "on" "off"))))
       acls))))
349
(define (knot-key-config keys)
  "Return a string with one entry per knot-key-configuration record in KEYS.
The algorithm line is left out when the algorithm is #f."
  ;; NOTE(review): the secret is written in clear text, and knot-config-file
  ;; places this text in a file built with computed-file, that is, in the
  ;; store, which local users can read.  Treat TSIG secrets declared this way
  ;; as readable by every account on the machine.
  ;; NOTE(review): the leading whitespace inside the format strings looks
  ;; collapsed in this listing; check the indentation against the original.
  (with-output-to-string
    (lambda ()
      (for-each
       (lambda (tsig-key)
         (let ((hmac (knot-key-configuration-algorithm tsig-key)))
           (format #t " - id: ~a\n" (knot-key-configuration-id tsig-key))
           (when hmac
             (format #t " algorithm: ~a\n" (symbol->string hmac)))
           (format #t " secret: ~a\n"
                   (knot-key-configuration-secret tsig-key))))
       keys))))
363
(define (knot-keystore-config keystores)
  "Return a string with one entry per knot-keystore-configuration record in
KEYSTORES.  The config value is written between double quotes, with no
escaping of its content."
  ;; NOTE(review): the leading whitespace inside the format strings looks
  ;; collapsed in this listing; check the indentation against the original.
  (with-output-to-string
    (lambda ()
      (for-each
       (lambda (store)
         (format #t " - id: ~a\n" (knot-keystore-configuration-id store))
         (format #t " backend: ~a\n"
                 (symbol->string (knot-keystore-configuration-backend store)))
         (format #t " config: \"~a\"\n"
                 (knot-keystore-configuration-config store)))
       keystores))))
376
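(define (knot-policy-config policies)
  "Return a string with one entry per knot-policy-configuration record in
POLICIES.  The dnskey-ttl line is left out when the field is the symbol
'default; every other field of the record is written."
  ;; NOTE(review): the leading whitespace inside the format strings looks
  ;; collapsed in this listing; check the indentation against the original.
  (with-output-to-string
    (lambda ()
      (for-each
       (lambda (policy-config)
         (let ((id (knot-policy-configuration-id policy-config))
               (keystore (knot-policy-configuration-keystore policy-config))
               (manual? (knot-policy-configuration-manual? policy-config))
               (single-type-signing? (knot-policy-configuration-single-type-signing?
                                      policy-config))
               (algorithm (knot-policy-configuration-algorithm policy-config))
               (ksk-size (knot-policy-configuration-ksk-size policy-config))
               (zsk-size (knot-policy-configuration-zsk-size policy-config))
               (dnskey-ttl (knot-policy-configuration-dnskey-ttl policy-config))
               (zsk-lifetime (knot-policy-configuration-zsk-lifetime policy-config))
               (propagation-delay (knot-policy-configuration-propagation-delay
                                   policy-config))
               (rrsig-lifetime (knot-policy-configuration-rrsig-lifetime
                                policy-config))
               (rrsig-refresh (knot-policy-configuration-rrsig-refresh
                               policy-config))
               (nsec3? (knot-policy-configuration-nsec3? policy-config))
               (nsec3-iterations (knot-policy-configuration-nsec3-iterations
                                  policy-config))
               (nsec3-salt-length (knot-policy-configuration-nsec3-salt-length
                                   policy-config))
               (nsec3-salt-lifetime (knot-policy-configuration-nsec3-salt-lifetime
                                     policy-config)))
           (format #t " - id: ~a\n" id)
           (format #t " keystore: ~a\n" keystore)
           (format #t " manual: ~a\n" (if manual? "on" "off"))
           (format #t " single-type-signing: ~a\n" (if single-type-signing?
                                                       "on" "off"))
           (format #t " algorithm: ~a\n" algorithm)
           (format #t " ksk-size: ~a\n" (number->string ksk-size))
           (format #t " zsk-size: ~a\n" (number->string zsk-size))
           (unless (eq? dnskey-ttl 'default)
             (format #t " dnskey-ttl: ~a\n" dnskey-ttl))
           (format #t " zsk-lifetime: ~a\n" zsk-lifetime)
           (format #t " propagation-delay: ~a\n" propagation-delay)
           (format #t " rrsig-lifetime: ~a\n" rrsig-lifetime)
           ;; The record carries rrsig-refresh; write it so that a value set
           ;; by the administrator is not silently dropped.
           (format #t " rrsig-refresh: ~a\n" rrsig-refresh)
           (format #t " nsec3: ~a\n" (if nsec3? "on" "off"))
           (format #t " nsec3-iterations: ~a\n"
                   (number->string nsec3-iterations))
           (format #t " nsec3-salt-length: ~a\n"
                   (number->string nsec3-salt-length))
           (format #t " nsec3-salt-lifetime: ~a\n" nsec3-salt-lifetime)))
       policies))))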
423
(define (knot-remote-config remotes)
  "Return a string with one entry per knot-remote-configuration record in
REMOTES.  The address and via lines are left out when the matching list is
empty, the key line when the key is #f."
  ;; NOTE(review): the leading whitespace inside the format strings looks
  ;; collapsed in this listing; check the indentation against the original.
  (with-output-to-string
    (lambda ()
      (for-each
       (lambda (peer)
         (let ((addresses (knot-remote-configuration-address peer))
               (sources (knot-remote-configuration-via peer))
               (key-name (knot-remote-configuration-key peer)))
           (format #t " - id: ~a\n" (knot-remote-configuration-id peer))
           (unless (null? addresses)
             (format #t " address: ~a\n" (format-string-list addresses)))
           (unless (null? sources)
             (format #t " via: ~a\n" (format-string-list sources)))
           (when key-name
             (format #t " key: ~a\n" key-name))))
       remotes))))
441
(define (serialize-zone-entries entries)
  "Return a string with one line per zone-entry in ENTRIES: name, ttl, class,
type and data separated by single spaces.  The values are printed as they
are; nothing is escaped or validated here."
  (string-concatenate
   (map (lambda (record)
          (format #f "~a ~a ~a ~a ~a\n"
                  (zone-entry-name record)
                  (zone-entry-ttl record)
                  (zone-entry-class record)
                  (zone-entry-type record)
                  (zone-entry-data record)))
        entries)))
454
(define (serialize-zone-file zone domain)
  "Return a computed-file named DOMAIN.zone holding ZONE, a zone-file record:
an $ORIGIN line, the SOA record, then the serialized entries."
  (let ((origin (zone-file-origin zone))
        (name-server (zone-file-ns zone))
        (mailbox (zone-file-mail zone))
        (serial (zone-file-serial zone))
        (refresh (zone-file-refresh zone))
        (retry (zone-file-retry zone))
        (expiry (zone-file-expiry zone))
        (negative-ttl (zone-file-nx zone))
        ;; The entries are rendered on the host side; only the resulting
        ;; string is embedded in the build-side code.
        (records (serialize-zone-entries (zone-file-entries zone))))
    (computed-file (string-append domain ".zone")
      #~(begin
          (call-with-output-file #$output
            (lambda (port)
              (format port "$ORIGIN ~a.\n" #$origin)
              (format port "@ IN SOA ~a ~a (~a ~a ~a ~a ~a)\n"
                      #$name-server #$mailbox #$serial
                      #$refresh #$retry #$expiry #$negative-ttl)
              (format port "~a\n" #$records)))))))
472
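(define (knot-zone-config zone)
  "Return a gexp that evaluates to the configuration text for ZONE, a
knot-zone-configuration record.  A zone without masters gets a file line that
points either at the configured file or, when that is empty, at a zone file
generated from the record; a zone with masters gets master and, if set,
ddns-master lines.  The zonefile-sync field of ZONE is not written."
  ;; NOTE(review): the leading whitespace inside the format strings looks
  ;; collapsed in this listing; check the indentation against the original.
  (let ((content (knot-zone-configuration-zone zone)))
    #~(with-output-to-string
        (lambda ()
          (let ((domain #$(knot-zone-configuration-domain zone))
                (file #$(knot-zone-configuration-file zone))
                (master (list #$@(knot-zone-configuration-master zone)))
                (ddns-master #$(knot-zone-configuration-ddns-master zone))
                (notify (list #$@(knot-zone-configuration-notify zone)))
                (acl (list #$@(knot-zone-configuration-acl zone)))
                (semantic-checks? #$(knot-zone-configuration-semantic-checks? zone))
                (disable-any? #$(knot-zone-configuration-disable-any? zone))
                (dnssec-policy #$(knot-zone-configuration-dnssec-policy zone))
                (serial-policy '#$(knot-zone-configuration-serial-policy zone)))
            (format #t " - domain: ~a\n" domain)
            (if (eq? master '())
                ;; This server is a master
                (if (equal? file "")
                    (format #t " file: ~a\n"
                            #$(serialize-zone-file content
                                                   (knot-zone-configuration-domain zone)))
                    (format #t " file: ~a\n" file))
                ;; This server is a slave (has masters)
                (begin
                  (format #t " master: ~a\n"
                          #$(format-string-list
                             (knot-zone-configuration-master zone)))
                  ;; Every other item is written as "name: value"; the colon
                  ;; was missing on this one, which would not give a
                  ;; key/value line.
                  (if ddns-master (format #t " ddns-master: ~a\n" ddns-master))))
            (unless (eq? notify '())
              (format #t " notify: ~a\n"
                      #$(format-string-list
                         (knot-zone-configuration-notify zone))))
            (unless (eq? acl '())
              (format #t " acl: ~a\n"
                      #$(format-string-list
                         (knot-zone-configuration-acl zone))))
            (format #t " semantic-checks: ~a\n" (if semantic-checks? "on" "off"))
            (format #t " disable-any: ~a\n" (if disable-any? "on" "off"))
            ;; A policy name both enables signing and selects the policy.
            (if dnssec-policy
                (begin
                  (format #t " dnssec-signing: on\n")
                  (format #t " dnssec-policy: ~a\n" dnssec-policy)))
            (format #t " serial-policy: ~a\n"
                    (symbol->string serial-policy)))))))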
517
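(define (knot-config-file config)
  "Verify CONFIG, then return a computed-file named knot.conf holding the
server section followed by the key, keystore, acl, remote and policy sections
and, when at least one zone is declared, the zone section.  Raise a &message
condition when CONFIG does not pass verify-knot-configuration."
  ;; NOTE(review): the file contains the TSIG secrets in clear text and is
  ;; built with computed-file, that is, in the store, which local users can
  ;; read.
  ;; NOTE(review): the leading whitespace inside the format strings looks
  ;; collapsed in this listing; check the indentation against the original.
  (verify-knot-configuration config)
  (computed-file "knot.conf"
    #~(begin
        (call-with-output-file #$output
          (lambda (port)
            (format port "server:\n")
            (format port " rundir: ~a\n" #$(knot-configuration-run-directory config))
            (format port " user: knot\n")
            (format port " listen: ~a@~a\n"
                    #$(knot-configuration-listen-v4 config)
                    #$(knot-configuration-listen-port config))
            (format port " listen: ~a@~a\n"
                    #$(knot-configuration-listen-v6 config)
                    #$(knot-configuration-listen-port config))
            ;; The section bodies are finished text built from configuration
            ;; values.  They are written with display rather than passed as
            ;; the format control string, so a "~" inside an id, secret or
            ;; path is copied literally and not read as a directive.
            (format port "\nkey:\n")
            (display #$(knot-key-config (knot-configuration-keys config)) port)
            (format port "\nkeystore:\n")
            (display #$(knot-keystore-config (knot-configuration-keystores config)) port)
            (format port "\nacl:\n")
            (display #$(knot-acl-config (knot-configuration-acls config)) port)
            (format port "\nremote:\n")
            (display #$(knot-remote-config (knot-configuration-remotes config)) port)
            (format port "\npolicy:\n")
            (display #$(knot-policy-config (knot-configuration-policies config)) port)
            (unless #$(eq? (knot-configuration-zones config) '())
              (format port "\nzone:\n")
              (format port "~a\n"
                      (string-concatenate
                       (list #$@(map knot-zone-config
                                     (knot-configuration-zones config)))))))))))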
549
;; The system group and system account named "knot".  The account has
;; /var/empty as home directory and nologin as shell.
(define %knot-accounts
  (let ((knot-group (user-group (name "knot") (system? #t)))
        (knot-user (user-account
                    (name "knot")
                    (group "knot")
                    (system? #t)
                    (comment "knot dns server user")
                    (home-directory "/var/empty")
                    (shell (file-append shadow "/sbin/nologin")))))
    (list knot-group knot-user)))
559
(define (knot-activation config)
  "Return the activation gexp for CONFIG: create the run directory and the
directories under /var/lib/knot, owned by the knot user, with mode 755."
  #~(begin
      (use-modules (guix build utils))
      ;; Create DIRECTORY (and its parents), then give it to OWNER, a passwd
      ;; entry, and set its mode to PERMS.
      (define (mkdir-p/perms directory owner perms)
        (mkdir-p directory)
        (chown directory (passwd:uid owner) (passwd:gid owner))
        (chmod directory perms))
      ;; NOTE(review): the two key directories get the same world-readable,
      ;; world-searchable mode as the others.  Whether key material is
      ;; exposed then depends on the modes knotd gives the files it writes
      ;; there; confirm, and consider a tighter mode for these two.
      (for-each (lambda (directory)
                  (mkdir-p/perms directory (getpwnam "knot") #o755))
                (list #$(knot-configuration-run-directory config)
                      "/var/lib/knot"
                      "/var/lib/knot/keys"
                      "/var/lib/knot/keys/keys"))))
572
(define (knot-shepherd-service config)
  "Return a one-element list with the Shepherd service that runs knotd from
the package in CONFIG, with the configuration file generated from CONFIG."
  ;; No user is given to the constructor here; the switch to the knot account
  ;; is requested through the user line that knot-config-file writes in the
  ;; server section.
  (let ((daemon-package (knot-configuration-knot config))
        (generated-conf (knot-config-file config)))
    (list (shepherd-service
           (documentation "Run the Knot DNS daemon.")
           (provision '(knot dns))
           (requirement '(networking))
           (start #~(make-forkexec-constructor
                     (list (string-append #$daemon-package "/sbin/knotd")
                           "-c" #$generated-conf)))
           (stop #~(make-kill-destructor))))))
584
;; Service type for Knot.  It extends the Shepherd root service with the
;; daemon, the activation service with the directory setup, and the account
;; service with the knot user and group.
(define knot-service-type
  (let ((daemon-extension
         (service-extension shepherd-root-service-type
                            knot-shepherd-service))
        (directories-extension
         (service-extension activation-service-type
                            knot-activation))
        (accounts-extension
         (service-extension account-service-type
                            (const %knot-accounts))))
    (service-type (name 'knot)
                  (extensions
                   (list daemon-extension
                         directories-extension
                         accounts-extension)))))