]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/knot.nix
nix: security.pass re-add convenient postStart
[sourcephile-nix.git] / servers / mermet / knot.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (lib) types;
4 inherit (config.services) knot;
5 inherit (config.users) users groups;
6 in
7 {
8 imports = [
9 knot/autogeree.net.nix
10 knot/sourcephile.fr.nix
11 ];
12 options.services.knot = {
13 zones = lib.mkOption {
14 default = {};
15 type = types.attrsOf (types.submodule ({name, ...}: {
16 #config.domain = lib.mkDefault name;
17 options = {
18 conf = lib.mkOption {
19 type = types.lines;
20 };
21 data = lib.mkOption {
22 type = types.nullOr types.lines;
23 };
24 };
25 }));
26 };
27 };
28 config = {
29 services.shorewall.configs.rules = ''
30 DNS(ACCEPT) $FW net:217.70.177.40 # for knot to notify ns6.gandi.net
31 DNS(ACCEPT) $FW net:78.192.65.63 # for knot to notify ns0.muarf.org
32 '';
33 systemd.services.knot.preStart = lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {data, ...}:
34 lib.optionalString (data != null) ''
35 install -D -o ${users."knot".name} -g ${groups."knot".name} -m 700 \
36 ${pkgs.writeText "${domain}.zone" data} \
37 /var/lib/knot/zones/${domain}.zone
38 '') knot.zones);
39 /*
40 systemd.services.knot.postStart = lib.mkAfter ''
41 PATH="/run/current-system/sw/bin:$PATH"
42 knotc zone-freeze ${domain}.
43 while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
44 knotc zone-flush ${domain}.
45 install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
46 knotc zone-reload ${domain}.
47 knotc zone-thaw ${domain}.
48 '';
49 */
50 services.knot = {
51 enable = true;
52 extraArgs = [ "-v" ];
53 # https://www.knot-dns.cz/docs/2.6/html/reference.html
54 extraConfig = ''
55 server :
56 # Listen on localhost to allow only there
57 # dynamic updates for ACME challenges.
58 listen: 127.0.0.1@5353
59
60 mod-rrl:
61 - id: default
62 rate-limit: 200
63 slip: 2
64
65 template:
66 - id: default
67 dnssec-signing: off
68 # move databases below the state directory, because they need to be writable
69 storage: /var/lib/knot/zones
70 # Input-only zone files
71 # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
72 # prevents modification of the zonefiles, since the zonefiles are immutable
73 #zonefile-sync: -1
74 zonefile-load: difference
75 journal-content: changes
76 global-module: mod-rrl/default
77
78 database:
79 journal-db: /var/lib/knot/journal
80 kasp-db: /var/lib/knot/kasp
81 timer-db: /var/lib/knot/timer
82
83 log:
84 - target: syslog
85 any: info
86
87 remote:
88 - id: local_resolver
89 address: 127.0.0.1@53
90
91 - id: secondary_gandi
92 address: 217.70.177.40@53
93
94 - id: secondary_muarf
95 address: 78.192.65.63@53
96
97 submission:
98 - id: dnssec_validating_resolver
99 parent: local_resolver
100
101 policy:
102 - id: rsa
103 single-type-signing: false
104 ksk-shared: false
105 algorithm: RSASHA256
106 ksk-size: 4096
107 zsk-size: 2048
108 zsk-lifetime: 30d
109 ksk-lifetime: 365d
110 ksk-submission: dnssec_validating_resolver
111
112 - id: ed25519
113 single-type-signing: false
114 ksk-shared: false
115 algorithm: ED25519
116 ksk-size: 256
117 zsk-size: 256
118 zsk-lifetime: 30d
119 ksk-lifetime: 365d
120 cds-cdnskey-publish: always
121 ksk-submission: dnssec_validating_resolver
122
123 acl:
124 # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
125 - id: acl_gandi
126 address: 217.70.177.40
127 action: transfer
128
129 - id: acl_muarf
130 address: 78.192.65.63
131 action: transfer
132
133 '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {conf, ...}: conf) knot.zones);
134 };
135 };
136 }