knot: fix preStart after hardening
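{ pkgs, lib, config, ... }:
let
  inherit (lib) types;
  inherit (config.services) knot;
  inherit (config.users) users groups;

  # `data` is declared as `nullOr lines`, so a zone may legitimately carry no
  # inline zone file (its `conf` fragment is still appended to the Knot
  # configuration below).  Such zones must not reach `pkgs.writeText`, which
  # would fail at evaluation time on a null argument; keep only the zones that
  # actually have file content to install.
  zonesWithData = lib.filterAttrs (_domain: zone: zone.data != null) knot.zones;
in
{
  imports = [
    knot/autogeree.net.nix
    knot/sourcephile.fr.nix
  ];

  # Per-zone options consumed by this module and by the files in ./knot/:
  #   conf — Knot configuration fragment for the zone (appended to extraConfig),
  #   data — optional content of the zone file installed under /var/lib/knot/zones.
  options.services.knot = {
    zones = lib.mkOption {
      default = {};
      type = types.attrsOf (types.submodule ({name, ...}: {
        #config.domain = lib.mkDefault name;
        options = {
          conf = lib.mkOption {
            type = types.lines;
          };
          data = lib.mkOption {
            type = types.nullOr types.lines;
          };
        };
      }));
    };
  };

  config = {
    # Copy each zone file from the Nix store into Knot's writable storage
    # directory before the daemon starts.  The leading "+" asks systemd to run
    # this command with full privileges rather than under the service's
    # (hardened) user/group settings, which is required here because `install`
    # changes ownership of the file to the knot user.
    # NOTE(review): the zone content goes through `pkgs.writeText` and therefore
    # lives in the world-readable Nix store — `data` must only ever hold public
    # zone data.  Mode 700 on a regular file also sets an execute bit the daemon
    # does not need; 600 would give the same read/write access to the owner.
    systemd.services.knot.serviceConfig.ExecStartPre =
      lib.mapAttrsToList (domain: {data, ...}: ''
        +${pkgs.coreutils}/bin/install -D -o ${users."knot".name} -g ${groups."knot".name} -m 700 \
          ${pkgs.writeText "${domain}.zone" data} \
          /var/lib/knot/zones/${domain}.zone
      '') zonesWithData;

    /*
    systemd.services.knot.postStart = lib.mkAfter ''
      PATH="/run/current-system/sw/bin:$PATH"
      knotc zone-freeze ${domain}.
      while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
      knotc zone-flush ${domain}.
      install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
      knotc zone-reload ${domain}.
      knotc zone-thaw ${domain}.
    '';
    */

    # Firewall: outbound DNS only towards the two secondaries that this
    # primary has to NOTIFY (same addresses as the `remote:`/`acl:` entries
    # below), plus inbound DNS on both transports for the authoritative service.
    networking.nftables.ruleset = ''
      # for knot to notify ns6.gandi.net
      add rule inet filter fw2net ip daddr 217.70.177.40 udp dport 53 counter accept comment "DNS"
      add rule inet filter fw2net ip daddr 217.70.177.40 tcp dport 53 counter accept comment "DNS"
      # for knot to notify ns0.muarf.org
      add rule inet filter fw2net ip daddr 78.192.65.63 udp dport 53 counter accept comment "DNS"
      add rule inet filter fw2net ip daddr 78.192.65.63 tcp dport 53 counter accept comment "DNS"
      # for knot to receive queries
      add rule inet filter net2fw udp dport 53 counter accept comment "DNS"
      add rule inet filter net2fw tcp dport 53 counter accept comment "DNS"
    '';

    # Knot daemon.  The `acl:` entries below authorise zone transfers purely by
    # source address; the `remote:`/`acl:` addresses are duplicated in the
    # nftables rules above and must be kept in sync with them.  Both transfer
    # ACLs are address-only (no TSIG key), so authorisation rests on the source
    # IP alone; the per-zone `conf` fragments from ./knot/ are appended at the
    # end of this configuration.
    services.knot = {
      enable = true;
      extraArgs = [ "-v" ];
      # https://www.knot-dns.cz/docs/2.6/html/reference.html
      extraConfig = ''
        server :
            # Listen on localhost to allow only there
            # dynamic updates for ACME challenges.
            listen: 127.0.0.1@5353

        mod-rrl:
          - id: default
            rate-limit: 200
            slip: 2

        template:
          - id: default
            dnssec-signing: off
            # move databases below the state directory, because they need to be writable
            storage: /var/lib/knot/zones
            # Input-only zone files
            # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
            # prevents modification of the zonefiles, since the zonefiles are immutable
            #zonefile-sync: -1
            zonefile-load: difference
            journal-content: changes
            global-module: mod-rrl/default

        database:
            journal-db: /var/lib/knot/journal
            kasp-db: /var/lib/knot/kasp
            timer-db: /var/lib/knot/timer

        log:
          - target: syslog
            any: info

        remote:
          - id: local_resolver
            address: 127.0.0.1@53

          - id: secondary_gandi
            address: 217.70.177.40@53

          - id: secondary_muarf
            address: 78.192.65.63@53

        submission:
          - id: dnssec_validating_resolver
            parent: local_resolver

        policy:
          - id: rsa
            single-type-signing: false
            ksk-shared: false
            algorithm: RSASHA256
            ksk-size: 4096
            zsk-size: 2048
            zsk-lifetime: 30d
            ksk-lifetime: 365d
            ksk-submission: dnssec_validating_resolver

          - id: ed25519
            single-type-signing: false
            ksk-shared: false
            algorithm: ED25519
            ksk-size: 256
            zsk-size: 256
            zsk-lifetime: 30d
            ksk-lifetime: 365d
            cds-cdnskey-publish: always
            ksk-submission: dnssec_validating_resolver

        acl:
          # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
          - id: acl_gandi
            address: 217.70.177.40
            action: transfer

          - id: acl_muarf
            address: 78.192.65.63
            action: transfer

      '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {conf, ...}: conf) knot.zones);
    };
  };
}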