knot: allow only updates to _acme-challenge TXT
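# Knot DNS module for the "mermet" server.
#
# Declares a `services.knot.zones` option (one entry per domain, holding the
# Knot configuration lines for that zone in `conf` and an optional zone file
# in `data`), installs the declared zone files into Knot's storage directory
# before the daemon starts, and appends every zone's `conf` to Knot's
# `extraConfig`.  The zones themselves are declared in the imported
# knot/sourcephile.fr.nix.
{ pkgs, lib, config, ... }:
let
  inherit (lib) types;
  inherit (config.services) knot;
in
{
  imports = [
    knot/sourcephile.fr.nix
  ];

  options.services.knot = {
    zones = lib.mkOption {
      default = { };
      description = "Zones served by Knot, keyed by domain name.";
      # NOTE(review): the attrsOf submodule key is exposed as `name`; `domain`
      # is only referenced by the commented-out line below and is never
      # evaluated, so it does not trigger a missing-argument error.
      type = types.attrsOf (types.submodule ({ domain, ... }: {
        #config.domain = lib.mkDefault domain;
        options = {
          conf = lib.mkOption {
            type = types.lines;
            description = "Knot configuration lines appended to extraConfig for this zone.";
          };
          data = lib.mkOption {
            type = types.nullOr types.lines;
            # preStart below tests `data != null`, so a zone without a zone
            # file must be expressible: without this default, reading `data`
            # for such a zone fails with "option used but not defined".
            default = null;
            description = "Zone file content installed into /var/lib/knot/zones, or null for none.";
          };
        };
      }));
    };
  };

  config = {
    # ACME terms acceptance, the lego client and the acme group support the
    # ACME DNS-01 flow; the update ACL for _acme-challenge TXT records is not
    # in this file (presumably in the imported zone module — verify there).
    security.acme = {
      acceptTerms = true;
    };
    environment.systemPackages = [
      pkgs.lego
    ];
    users = {
      groups = {
        acme = { };
      };
    };

    # Copy each declared zone file out of the Nix store into Knot's storage
    # directory before the daemon starts.  Zone files are data, not
    # executables, so 0600 (owner read/write) is sufficient; the execute bit
    # that 0700 added was meaningless on a regular file.
    systemd.services.knot.preStart = lib.concatStringsSep "\n" (lib.mapAttrsToList
      (domain: { data, ... }:
        lib.optionalString (data != null) ''
          install -D -o knot -g knot -m 600 ${pkgs.writeText "${domain}.zone" data} /var/lib/knot/zones/${domain}.zone
        '')
      knot.zones);

    /*
    systemd.services.knot.postStart = lib.mkAfter ''
      PATH="/run/current-system/sw/bin:$PATH"
      knotc zone-freeze ${domain}.
      while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
      knotc zone-flush ${domain}.
      install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
      knotc zone-reload ${domain}.
      knotc zone-thaw ${domain}.
    '';
    */

    services.knot = {
      enable = true;
      # "-v": verbose daemon logging.
      extraArgs = [ "-v" ];
      # https://www.knot-dns.cz/docs/2.6/html/reference.html
      #
      # Notes on the configuration below:
      # - the only listener declared here is loopback port 5353; any public
      #   listener would have to come from elsewhere.
      # - `zonefile-sync: -1` (the "input-only zone files" setting the comment
      #   inside refers to) is commented out, so Knot's default applies and
      #   the daemon may write back to the zone files installed by preStart —
      #   confirm this is intended.
      # - `acl_gandi` authorises zone transfers by source address only; no
      #   TSIG key is configured for it, which follows the linked Gandi doc.
      # - the `rsa` and `ed25519` signing policies are declared here but the
      #   default template has `dnssec-signing: off`; zones opting in do so in
      #   their own `conf`.
      extraConfig = ''
        server :
          listen: 127.0.0.1@5353

        mod-rrl:
          - id: default
            rate-limit: 200
            slip: 2

        template:
          - id: default
            dnssec-signing: off
            # move databases below the state directory, because they need to be writable
            storage: /var/lib/knot/zones
            # Input-only zone files
            # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
            # prevents modification of the zonefiles, since the zonefiles are immutable
            #zonefile-sync: -1
            zonefile-load: difference
            journal-content: changes
            global-module: mod-rrl/default

        database:
          journal-db: /var/lib/knot/journal
          kasp-db: /var/lib/knot/kasp
          timer-db: /var/lib/knot/timer

        log:
          - target: syslog
            any: info

        remote:
          - id: local_resolver
            address: 127.0.0.1@53

          - id: secondary_gandi
            address: 217.70.177.40@53

        submission:
          - id: dnssec_validating_resolver
            parent: local_resolver

        policy:
          - id: rsa
            single-type-signing: false
            ksk-shared: false
            algorithm: RSASHA256
            ksk-size: 4096
            zsk-size: 2048
            zsk-lifetime: 30d
            ksk-lifetime: 365d
            ksk-submission: dnssec_validating_resolver

          - id: ed25519
            single-type-signing: false
            ksk-shared: false
            algorithm: ED25519
            ksk-size: 256
            zsk-size: 256
            zsk-lifetime: 30d
            ksk-lifetime: 365d
            cds-cdnskey-publish: always
            ksk-submission: dnssec_validating_resolver

        acl:
          # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
          - id: acl_gandi
            address: 217.70.177.40
            action: transfer

      '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: { conf, ... }: conf) knot.zones);
    };
  };
}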