1 { pkgs, lib, config, ... }:
4 inherit (config.services) knot;
5 inherit (config.users) users groups;
10 knot/sourcephile.fr.nix
12 options.services.knot = {
13 zones = lib.mkOption {
15 type = types.attrsOf (types.submodule ({ ... }: {
16 #config.domain = lib.mkDefault name;
22 type = types.nullOr types.lines;
29 systemd.services.knot.serviceConfig.ExecStartPre =
31 (domain: { data, ... }: ''
32 +${pkgs.coreutils}/bin/install -D -o ${users.knot.name} -g ${groups."knot".name} -m 700 \
33 ${pkgs.writeText "${domain}.zone" data} \
34 /var/lib/knot/zones/${domain}.zone
38 systemd.services.knot.postStart = lib.mkAfter ''
39 PATH="/run/current-system/sw/bin:$PATH"
40 knotc zone-freeze ${domain}.
41 while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
42 knotc zone-flush ${domain}.
43 install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
44 knotc zone-reload ${domain}.
45 knotc zone-thaw ${domain}.
48 networking.nftables.ruleset = ''
51 meta l4proto { udp, tcp } th dport domain counter accept comment "knot: DNS"
53 set output-net-knot-ipv4 { type ipv4_addr; }
54 set output-net-knot-ipv6 { type ipv6_addr; }
56 skuid ${users.knot.name} \
57 meta l4proto { udp, tcp } th dport domain \
58 ip daddr @output-net-knot-ipv4 \
60 comment "knot: DNS notify"
61 skuid ${users.knot.name} \
62 meta l4proto { udp, tcp } th dport domain \
63 ip6 daddr @output-net-knot-ipv6 \
65 comment "knot: DNS notify"
72 # https://www.knot-dns.cz/docs/2.6/html/reference.html
75 # Listen only on localhost, so that dynamic updates
76 # for ACME challenges are accepted only from there.
77 listen: 127.0.0.1@5353
87 # move databases below the state directory, because they need to be writable
88 storage: /var/lib/knot/zones
89 # Input-only zone files
90 # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
91 # prevents Knot from modifying the zone files, since they are treated as immutable
93 zonefile-load: difference
94 journal-content: changes
95 global-module: mod-rrl/default
98 journal-db: /var/lib/knot/journal
99 kasp-db: /var/lib/knot/kasp
100 timer-db: /var/lib/knot/timer
108 address: 127.0.0.1@53
110 - id: secondary_gandi
111 address: 217.70.177.40@53
113 - id: secondary_muarf
114 address: 78.192.65.63@53
117 - id: dnssec_validating_resolver
118 parent: local_resolver
122 single-type-signing: false
129 ksk-submission: dnssec_validating_resolver
132 single-type-signing: false
139 cds-cdnskey-publish: always
140 ksk-submission: dnssec_validating_resolver
143 # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
145 address: 217.70.177.40
149 address: 78.192.65.63
152 '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (_domain: { conf, ... }: conf) knot.zones);