1 { pkgs, lib, config, ... }:
4 inherit (config.services) knot;
5 inherit (config.users) users groups;
10 knot/sourcephile.fr.nix
12 options.services.knot = {
13 zones = lib.mkOption {
15 type = types.attrsOf (types.submodule ({name, ...}: {
16 #config.domain = lib.mkDefault name;
22 type = types.nullOr types.lines;
29 systemd.services.knot.preStart = lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {data, ...}:
30 lib.optionalString (data != null) ''
31 install -D -o ${users."knot".name} -g ${groups."knot".name} -m 700 \
32 ${pkgs.writeText "${domain}.zone" data} \
33 /var/lib/knot/zones/${domain}.zone
36 systemd.services.knot.postStart = lib.mkAfter ''
37 PATH="/run/current-system/sw/bin:$PATH"
38 knotc zone-freeze ${domain}.
39 while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
40 knotc zone-flush ${domain}.
41 install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
42 knotc zone-reload ${domain}.
43 knotc zone-thaw ${domain}.
46 networking.nftables.ruleset = ''
47 # for knot to notify ns6.gandi.net
48 add rule inet filter fw2net ip daddr 217.70.177.40 udp dport 53 counter accept comment "DNS"
49 add rule inet filter fw2net ip daddr 217.70.177.40 tcp dport 53 counter accept comment "DNS"
50 # for knot to notify ns0.muarf.org
51 add rule inet filter fw2net ip daddr 78.192.65.63 udp dport 53 counter accept comment "DNS"
52 add rule inet filter fw2net ip daddr 78.192.65.63 tcp dport 53 counter accept comment "DNS"
53 # for knot to receive queries
54 add rule inet filter net2fw udp dport 53 counter accept comment "DNS"
55 add rule inet filter net2fw tcp dport 53 counter accept comment "DNS"
60 # https://www.knot-dns.cz/docs/2.6/html/reference.html
63 # Listen only on localhost, so that dynamic updates
64 # for ACME challenges are accepted from there only.
65 listen: 127.0.0.1@5353
75 # move databases below the state directory, because they need to be writable
76 storage: /var/lib/knot/zones
77 # Input-only zone files
78 # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
79 # prevents modification of the zone files, since they are immutable
81 zonefile-load: difference
82 journal-content: changes
83 global-module: mod-rrl/default
86 journal-db: /var/lib/knot/journal
87 kasp-db: /var/lib/knot/kasp
88 timer-db: /var/lib/knot/timer
99 address: 217.70.177.40@53
101 - id: secondary_muarf
102 address: 78.192.65.63@53
105 - id: dnssec_validating_resolver
106 parent: local_resolver
110 single-type-signing: false
117 ksk-submission: dnssec_validating_resolver
120 single-type-signing: false
127 cds-cdnskey-publish: always
128 ksk-submission: dnssec_validating_resolver
131 # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
133 address: 217.70.177.40
137 address: 78.192.65.63
140 '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {conf, ...}: conf) knot.zones);