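# Authoritative DNS (Knot) for this host.
#
# The imported knot/*.nix modules declare the served zones through
# `services.knot.zones.<domain>`: a `conf` fragment appended verbatim to the
# Knot configuration, plus optional zone `data`. This module declares that
# option, installs the zone data before Knot starts, and writes the shared
# Knot configuration (server, RRL, template, DNSSEC policies, transfer ACLs).
{ pkgs, lib, config, ... }:
let
  inherit (lib) types;
  inherit (config.services) knot;
in
{
  imports = [
    knot/autogeree.net.nix
    knot/sourcephile.fr.nix
  ];

  options.services.knot = {
    zones = lib.mkOption {
      default = {};
      description = "Zones served by Knot, keyed by domain name.";
      # A submodule function receives the attribute key (here the domain) as
      # `name`; it is unused for now but kept available for per-zone defaults.
      type = types.attrsOf (types.submodule ({ name, ... }: {
        #config.domain = lib.mkDefault name;
        options = {
          conf = lib.mkOption {
            type = types.lines;
            description = ''
              Knot configuration appended verbatim (the `zone:` entry and
              anything zone-specific such as update ACLs or keys).
            '';
          };
          data = lib.mkOption {
            type = types.nullOr types.lines;
            # Default to null so a zone may carry only `conf` without having to
            # spell out `data = null`: reading an option that has neither a
            # default nor a definition fails at evaluation time.
            default = null;
            description = ''
              Zone file contents installed to /var/lib/knot/zones/<domain>.zone
              before Knot starts, or null to install nothing.
            '';
          };
        };
      }));
    };
  };

  config = {
    security.acme = {
      acceptTerms = true;
    };
    # ACME client available system-wide; presumably driven against the
    # localhost listener below for DNS-01 challenges — confirm against the
    # zone modules.
    environment.systemPackages = [
      pkgs.lego
    ];
    users = {
      groups = {
        acme = {};
      };
    };

    # Install the zone data before Knot starts.
    # CAUTION: pkgs.writeText places the content in /nix/store, which is
    # world-readable. `data` must therefore hold only public DNS records;
    # secrets (TSIG / update keys) must never go through this option.
    systemd.services.knot.preStart = lib.concatStringsSep "\n" (lib.mapAttrsToList
      (domain: { data, ... }:
        # Regular data file: owned and readable by knot only, no execute bit.
        lib.optionalString (data != null) ''
          install -D -o knot -g knot -m 600 ${pkgs.writeText "${domain}.zone" data} /var/lib/knot/zones/${domain}.zone
        '')
      knot.zones);

    # Disabled: re-installing a signed zone file under a freeze/thaw cycle.
    # Kept for reference; `domain` and `zone` are not in scope here.
    /*
    systemd.services.knot.postStart = lib.mkAfter ''
      PATH="/run/current-system/sw/bin:$PATH"
      knotc zone-freeze ${domain}.
      while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
      knotc zone-flush ${domain}.
      install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
      knotc zone-reload ${domain}.
      knotc zone-thaw ${domain}.
    '';
    */

    services.knot = {
      enable = true;
      # Verbose logging; noisy but useful while the DNSSEC rollovers settle.
      extraArgs = [ "-v" ];
      # https://www.knot-dns.cz/docs/2.6/html/reference.html
      extraConfig = ''
        server:
          # Listen on localhost so that dynamic updates (ACME DNS-01
          # challenges) can only be sent from this host.
          # NOTE(review): no public listen address appears in this file, so
          # the secondaries below can only transfer from an address configured
          # elsewhere (zone modules or the NixOS knot module) — confirm.
          listen: 127.0.0.1@5353

        # Response rate limiting: bounds the amplification this server can be
        # abused for. `slip: 2` answers every second limited query with a
        # truncated (TC) response instead of dropping it, so legitimate
        # clients can retry over TCP.
        mod-rrl:
          - id: default
            rate-limit: 200
            slip: 2

        template:
          - id: default
            # Signing is off by default; zones that want DNSSEC select one of
            # the policies below in their own `conf`.
            dnssec-signing: off
            # move databases below the state directory, because they need to be writable
            storage: /var/lib/knot/zones
            # Input-only zone files
            # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
            # The installed zone files are regenerated from the store on every
            # start; changes (e.g. ACME TXT records) live in the journal and
            # are applied on top of the file.
            # NOTE(review): the referenced example also sets `zonefile-sync: -1`
            # so Knot never rewrites the zone file; with it commented out Knot
            # will flush to the file, which preStart overwrites anyway — confirm
            # the intended behaviour.
            #zonefile-sync: -1
            zonefile-load: difference
            journal-content: changes
            global-module: mod-rrl/default

        database:
          journal-db: /var/lib/knot/journal
          kasp-db: /var/lib/knot/kasp
          timer-db: /var/lib/knot/timer

        log:
          - target: syslog
            any: info

        remote:
          # Local validating resolver, used to check DS publication in the
          # parent zone during KSK rollovers (see `submission`).
          - id: local_resolver
            address: 127.0.0.1@53

          - id: secondary_gandi
            address: 217.70.177.40@53

          - id: secondary_muarf
            address: 78.192.65.63@53

        submission:
          - id: dnssec_validating_resolver
            parent: local_resolver

        policy:
          - id: rsa
            single-type-signing: false
            ksk-shared: false
            algorithm: RSASHA256
            ksk-size: 4096
            zsk-size: 2048
            zsk-lifetime: 30d
            ksk-lifetime: 365d
            ksk-submission: dnssec_validating_resolver

          # Preferred policy: smaller keys/signatures, hence smaller responses.
          - id: ed25519
            single-type-signing: false
            ksk-shared: false
            algorithm: ED25519
            ksk-size: 256
            zsk-size: 256
            zsk-lifetime: 30d
            ksk-lifetime: 365d
            # Publish CDS/CDNSKEY so a registrar that scans for them can
            # update the DS automatically.
            cds-cdnskey-publish: always
            ksk-submission: dnssec_validating_resolver

        acl:
          # Zone transfers are authorised by source address only (no TSIG
          # key). Zone contents are public DNS data, so the exposure is
          # limited to a full AXFR by anyone able to source traffic from
          # these addresses; prefer adding a `key:` where the secondary
          # supports TSIG.
          # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
          - id: acl_gandi
            address: 217.70.177.40
            action: transfer

          - id: acl_muarf
            address: 78.192.65.63
            action: transfer

      '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: { conf, ... }: conf) knot.zones);
    };
  };
}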