]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/knot.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
nsd: re-add autogeree.net zone
[sourcephile-nix.git] / servers / mermet / knot.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (lib) types;
4 inherit (config.services) knot;
5 in
6 {
7 imports = [
8 knot/autogeree.net.nix
9 knot/sourcephile.fr.nix
10 ];
11 options.services.knot = {
12 zones = lib.mkOption {
13 default = {};
14 type = types.attrsOf (types.submodule ({domain, ...}: {
15 #config.domain = lib.mkDefault domain;
16 options = {
17 conf = lib.mkOption {
18 type = types.lines;
19 };
20 data = lib.mkOption {
21 type = types.nullOr types.lines;
22 };
23 };
24 }));
25 };
26 };
27 config = {
28 security.acme = {
29 acceptTerms = true;
30 };
31 environment.systemPackages = [
32 pkgs.lego
33 ];
34 users = {
35 groups = {
36 acme = {};
37 };
38 };
39 systemd.services.knot.preStart = lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {data, ...}:
40 lib.optionalString (data != null) ''
41 install -D -o knot -g knot -m 700 ${pkgs.writeText "${domain}.zone" data} /var/lib/knot/zones/${domain}.zone
42 '') knot.zones);
43 /*
44 systemd.services.knot.postStart = lib.mkAfter ''
45 PATH="/run/current-system/sw/bin:$PATH"
46 knotc zone-freeze ${domain}.
47 while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
48 knotc zone-flush ${domain}.
49 install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
50 knotc zone-reload ${domain}.
51 knotc zone-thaw ${domain}.
52 '';
53 */
54 services.knot = {
55 enable = true;
56 extraArgs = [ "-v" ];
57 # https://www.knot-dns.cz/docs/2.6/html/reference.html
58 extraConfig = ''
59 server :
60 listen: 127.0.0.1@5353
61
62 mod-rrl:
63 - id: default
64 rate-limit: 200
65 slip: 2
66
67 template:
68 - id: default
69 dnssec-signing: off
70 # move databases below the state directory, because they need to be writable
71 storage: /var/lib/knot/zones
72 # Input-only zone files
73 # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
74 # prevents modification of the zonefiles, since the zonefiles are immutable
75 #zonefile-sync: -1
76 zonefile-load: difference
77 journal-content: changes
78 global-module: mod-rrl/default
79
80 database:
81 journal-db: /var/lib/knot/journal
82 kasp-db: /var/lib/knot/kasp
83 timer-db: /var/lib/knot/timer
84
85 log:
86 - target: syslog
87 any: info
88
89 remote:
90 - id: local_resolver
91 address: 127.0.0.1@53
92
93 - id: secondary_gandi
94 address: 217.70.177.40@53
95
96 - id: secondary_muarf
97 address: 78.192.65.63@53
98
99 submission:
100 - id: dnssec_validating_resolver
101 parent: local_resolver
102
103 policy:
104 - id: rsa
105 single-type-signing: false
106 ksk-shared: false
107 algorithm: RSASHA256
108 ksk-size: 4096
109 zsk-size: 2048
110 zsk-lifetime: 30d
111 ksk-lifetime: 365d
112 ksk-submission: dnssec_validating_resolver
113
114 - id: ed25519
115 single-type-signing: false
116 ksk-shared: false
117 algorithm: ED25519
118 ksk-size: 256
119 zsk-size: 256
120 zsk-lifetime: 30d
121 ksk-lifetime: 365d
122 cds-cdnskey-publish: always
123 ksk-submission: dnssec_validating_resolver
124
125 acl:
126 # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
127 - id: acl_gandi
128 address: 217.70.177.40
129 action: transfer
130
131 - id: acl_muarf
132 address: 78.192.65.63
133 action: transfer
134
135 '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {conf, ...}: conf) knot.zones);
136 };
137 };
138 }
NixOS configurations for Sourcephile's infrastructure