knot: replace nsd as authoritative DNS
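{ pkgs, lib, config, ... }:
let
  inherit (lib) types;
  inherit (config.services) knot;
in
{
  imports = [
    knot/sourcephile.fr.nix
  ];

  # Per-zone declarations; the imported zone modules fill `services.knot.zones`.
  options.services.knot = {
    zones = lib.mkOption {
      default = {};
      description = ''
        Zones served by Knot, keyed by domain name.
        `conf` is appended verbatim to the Knot configuration;
        `data` (optional) is the zone file content, installed to
        /var/lib/knot/zones/<domain>.zone before the service starts.
      '';
      # The module system hands the attribute key to a submodule function as `name`
      # (not `domain`); nothing here needs it, so no argument is requested.
      type = types.attrsOf (types.submodule ({ ... }: {
        options = {
          conf = lib.mkOption {
            type = types.lines;
            description = "Knot configuration stanza(s) for this zone (its `zone:` entry and related items).";
          };
          data = lib.mkOption {
            # Without a default, reading `data` for a zone that only sets `conf`
            # fails at evaluation time ("option used but not defined");
            # null means "no zone file to install".
            default = null;
            type = types.nullOr types.lines;
            description = "Zone file content, or null when no zone file should be installed for this zone.";
          };
        };
      }));
    };
  };

  config = {
    # Copy each declared zone file into Knot's writable storage directory before every start.
    # The source lives in the Nix store (world-readable), so `data` must never carry secrets
    # such as TSIG keys; the owner-only mode on the copy guards against modification by other
    # local users, not against disclosure. Zone files are plain data, so no execute bit.
    systemd.services.knot.preStart = lib.concatStringsSep "\n" (lib.mapAttrsToList
      (domain: { data, ... }:
        lib.optionalString (data != null) ''
          install -D -o knot -g knot -m 600 ${pkgs.writeText "${domain}.zone" data} ${lib.escapeShellArg "/var/lib/knot/zones/${domain}.zone"}
        '')
      knot.zones);
    /*
    systemd.services.knot.postStart = lib.mkAfter ''
      PATH="/run/current-system/sw/bin:$PATH"
      knotc zone-freeze ${domain}.
      while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
      knotc zone-flush ${domain}.
      install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
      knotc zone-reload ${domain}.
      knotc zone-thaw ${domain}.
    '';
    */

    services.knot = {
      enable = true;
      extraArgs = [ "-v" ];
      # https://www.knot-dns.cz/docs/2.6/html/reference.html
      extraConfig = ''
        template:
          - id: default
            dnssec-signing: off
            # move databases below the state directory, because they need to be writable
            storage: /var/lib/knot/zones
            # Input-only zone files
            # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
            # prevents modification of the zonefiles, since the zonefiles are immutable
            #zonefile-sync: -1
            # NOTE(review): with zonefile-sync left at its default, Knot may write the
            # in-memory zone back over the file installed by preStart; the "input-only"
            # example referenced above sets -1 -- confirm leaving it enabled is intended.
            zonefile-load: difference
            journal-content: changes

        database:
          journal-db: /var/lib/knot/journal
          kasp-db: /var/lib/knot/kasp
          timer-db: /var/lib/knot/timer

        log:
          - target: syslog
            any: info

        remote:
          - id: local_resolver
            address: 127.0.0.1@53

          - id: secondary_gandi
            address: 217.70.177.40@53

        # NOTE(review): the KSK submission check trusts this resolver's answers about the
        # parent's DS records; confirm the resolver at 127.0.0.1 really validates DNSSEC.
        submission:
          - id: dnssec_validating_resolver
            parent: local_resolver

        policy:
          - id: rsa
            single-type-signing: false
            ksk-shared: false
            algorithm: RSASHA256
            ksk-size: 4096
            zsk-size: 2048
            zsk-lifetime: 30d
            ksk-lifetime: 365d
            ksk-submission: dnssec_validating_resolver

          - id: ed25519
            single-type-signing: false
            ksk-shared: false
            algorithm: ED25519
            ksk-size: 256
            zsk-size: 256
            zsk-lifetime: 30d
            ksk-lifetime: 365d
            cds-cdnskey-publish: always
            ksk-submission: dnssec_validating_resolver

        acl:
          # Transfers below are authorised by source address only (no TSIG `key:`).
          # Acceptable for public zone data; a key would additionally authenticate the
          # secondary where the peer supports it.
          - id: acl_localhost
            address: 127.0.0.1
            action: transfer

          # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
          - id: acl_gandi
            address: 217.70.177.40
            action: transfer

      '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: { conf, ... }: conf) knot.zones);
    };
  };
}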