PVV-DNS/nsd.conf.nix

{
  lib,
  stdenvNoCC,
  nsd,
}:
let
  sourceIP = "129.241.210.211"; # dvask.pvv.ntnu.no
in
stdenvNoCC.mkDerivation {
  name = "nsd.conf";

  dontUnpack = true;
  dontBuild = true;

  passAsFile = [ "configFile" ];
  configFile = ''
    # Generated by https://git.pvv.ntnu.no/felixalb/PVV-DNS
    # See man 5 nsd.conf

    server:
        hide-version: yes
        verbosity: 1
        logfile: /var/log/nsd.log
        database: "" # disable database
        ip-address: ${sourceIP}
        minimal-responses: yes
        rrl-ratelimit: 200
        rrl-ipv4-prefix-length: 32
        # TODO: "metrics-enable" enables prometheus metrics

    remote-control:
        control-enable: yes
        control-interface: /var/run/nsd.sock

  ''
  + (builtins.concatStringsSep "\n" (
    map
      (name: ''
        zone:
            name: "${name}"
            zonefile: "${name}.zone"
            # TODO: Should we NOTIFY secondary servers?
            # Allow transfers:
            # ns1.ntnu.no
            provide-xfr: 129.241.0.208 NOKEY
            provide-xfr: 2001:700:300::208 NOKEY
            # ns2.ntnu.no
            provide-xfr: 129.241.0.209 NOKEY
            provide-xfr: 2001:700:300::209 NOKEY
            # deckard.nvg.ntnu.no
            provide-xfr: 129.241.210.82 NOKEY
            provide-xfr: 2001:700:300:2000::82 NOKEY
            # swix.nvg.ntnu.no
            provide-xfr: 129.241.210.66 NOKEY
            provide-xfr: 2001:700:300:2000:a00:20ff:fec0:be40 NOKEY
            # nn.uninett.no
            provide-xfr: 153.38.0.181 NOKEY
            provide-xfr: 2001:700:0:503::aa:5302 NOKEY
      '')
      [
        "128-255.210.241.129.in-addr.arpa"
        "210.241.129.in-addr.arpa"
        "9.1.0.0.3.0.0.0.7.0.1.0.0.2.ip6.arpa"
        "nuccc.org"
        "pvv.no"
        "pvv.ntnu.no"
        "pvv.org"
      ]
  ));

  doCheck = false;
  nativeCheckInputs = [ nsd ];
  checkPhase = ''
    runHook preCheck

    nsd-checkconf "$configFilePath"
    echo 'nsd.conf is ok'

    runHook postCheck
  '';

  installPhase = ''
    runHook preCheck

    install -Dm444 "$configFilePath" "$out"

    runHook postCheck
  '';

  doFixup = false;
}