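{ pkgs, lib, config, info, ... }:
# Knot DNS (authoritative) on this host.
#
# The per-domain files listed in `imports` fill the `services.knot.zones`
# option declared below; this module then
#   - installs every zone that carries `data` as a zone file under
#     /var/lib/knot/zones before the daemon starts,
#   - opens the firewall for DNS in and out, and
#   - appends each zone's `conf` to Knot's configuration.
let
  inherit (lib) types;
  inherit (config.services) knot;
  inherit (config.users) users groups;
  # `data` is declared nullable below, but writeText needs a string: a zone
  # that only contributes `conf` (data = null) must not get a zone file.
  zonesWithData = lib.filterAttrs (_domain: zone: zone.data != null) knot.zones;
in
{
  imports = [
    knot/autogeree.net.nix
    knot/sourcephile.fr.nix
  ];

  options.services.knot = {
    # One entry per domain: `conf` is appended verbatim to Knot's
    # configuration, `data` (when not null) is the content of the zone file.
    zones = lib.mkOption {
      default = { };
      type = types.attrsOf (types.submodule ({ ... }: {
        # Disabled; enabling it would also need `name` among the submodule arguments.
        #config.domain = lib.mkDefault name;
        options = {
          conf = lib.mkOption {
            type = types.lines;
          };
          data = lib.mkOption {
            type = types.nullOr types.lines;
          };
        };
      }));
    };
  };

  config = {
    # Copy each zone file from the store into Knot's storage directory before
    # the daemon starts.  The leading "+" makes systemd run the command with
    # full privileges, which the chown to the knot user/group requires.
    # Mode 700 is kept from the original; 600 would suffice for a regular file.
    systemd.services.knot.serviceConfig.ExecStartPre =
      lib.mapAttrsToList
        (domain: { data, ... }: ''
          +${pkgs.coreutils}/bin/install -D -o ${users.knot.name} -g ${groups.knot.name} -m 700 \
            ${pkgs.writeText "${domain}.zone" data} \
            /var/lib/knot/zones/${domain}.zone
        '')
        zonesWithData;

    # Kept for reference but disabled: `domain` and `zone` are not bound here.
    /*
    systemd.services.knot.postStart = lib.mkAfter ''
      PATH="/run/current-system/sw/bin:$PATH"
      knotc zone-freeze ${domain}.
      while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
      knotc zone-flush ${domain}.
      install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
      knotc zone-reload ${domain}.
      knotc zone-thaw ${domain}.
    '';
    */

    # Inbound DNS (udp/tcp 53) is accepted unconditionally.  Outbound DNS from
    # the knot user (NOTIFY to secondaries) is only allowed towards addresses
    # in the two sets, which are declared empty here and presumably filled by
    # the per-domain files.
    networking.nftables.ruleset = ''
      table inet filter {
        chain input-net {
          meta l4proto { udp, tcp } th dport domain counter accept comment "knot: DNS"
        }
        set output-net-knot-ipv4 { type ipv4_addr; }
        set output-net-knot-ipv6 { type ipv6_addr; }
        chain output-net {
          skuid ${users.knot.name} \
          meta l4proto { udp, tcp } th dport domain \
          ip daddr @output-net-knot-ipv4 \
          counter accept \
          comment "knot: DNS notify"
          skuid ${users.knot.name} \
          meta l4proto { udp, tcp } th dport domain \
          ip6 daddr @output-net-knot-ipv6 \
          counter accept \
          comment "knot: DNS notify"
        }
      }
    '';

    services.knot = {
      enable = true;
      extraArgs = [ "-v" ];
      # https://www.knot-dns.cz/docs/2.6/html/reference.html
      #
      # Notes on the configuration below:
      #  - server: only 127.0.0.1@5353 is listened on here; the public
      #    listeners, if any, presumably come from the per-domain files.
      #  - mod-rrl: response rate limiting, applied to every zone through the
      #    default template, mitigates use of this server for reflection;
      #    `slip` controls how often a limited client gets a truncated reply
      #    instead of silence.
      #  - template: DNSSEC signing is off by default; the `rsa` and `ed25519`
      #    policies only apply to zones whose `conf` turns signing on and
      #    selects one of them.
      #  - acl: zone transfers to the two secondaries are authorized by source
      #    address only; a TSIG `key` on these ACLs would authenticate the
      #    transfer instead of trusting the address.
      extraConfig = ''
        server :
          # Listen on localhost to allow only there
          # dynamic updates for ACME challenges.
          listen: 127.0.0.1@5353

        mod-rrl:
          - id: default
            rate-limit: 200
            slip: 2

        template:
          - id: default
            dnssec-signing: off
            # move databases below the state directory, because they need to be writable
            storage: /var/lib/knot/zones
            # Input-only zone files
            # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
            # prevents modification of the zonefiles, since the zonefiles are immutable
            #zonefile-sync: -1
            zonefile-load: difference
            journal-content: changes
            global-module: mod-rrl/default

        database:
          journal-db: /var/lib/knot/journal
          kasp-db: /var/lib/knot/kasp
          timer-db: /var/lib/knot/timer

        log:
          - target: syslog
            any: info

        remote:
          - id: local_resolver
            address: 127.0.0.1@53

          - id: secondary_gandi
            address: ${info.gandi.dns.secondary.axfr.ipv4}@53

          - id: secondary_muarf
            address: 78.192.65.63@53

        submission:
          - id: dnssec_validating_resolver
            parent: local_resolver

        policy:
          - id: rsa
            single-type-signing: false
            ksk-shared: false
            algorithm: RSASHA256
            ksk-size: 4096
            zsk-size: 2048
            zsk-lifetime: 30d
            ksk-lifetime: 365d
            ksk-submission: dnssec_validating_resolver

          - id: ed25519
            single-type-signing: false
            ksk-shared: false
            algorithm: ED25519
            ksk-size: 256
            zsk-size: 256
            zsk-lifetime: 30d
            ksk-lifetime: 365d
            cds-cdnskey-publish: always
            ksk-submission: dnssec_validating_resolver

        acl:
          - id: acl_gandi
            address: ${info.gandi.dns.secondary.axfr.ipv4}
            action: transfer

          - id: acl_muarf
            address: 78.192.65.63
            action: transfer

      '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (_domain: { conf, ... }: conf) knot.zones);
    };
  };
}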