servers/mermet/knot.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (lib) types;
   4   inherit (config.services) knot;
   5 in
   6 {
   7 imports = [
   8   knot/sourcephile.fr.nix
   9 ];
  10 options.services.knot = {
  11   zones = lib.mkOption {
  12     default = {};
  13     type = types.attrsOf (types.submodule ({domain, ...}: {
  14       #config.domain = lib.mkDefault domain;
  15       options = {
  16         conf = lib.mkOption {
  17           type = types.lines;
  18         };
  19         data = lib.mkOption {
  20           type = types.nullOr types.lines;
  21         };
  22       };
  23     }));
  24   };
  25 };
  26 config = {
  27 systemd.services.knot.preStart = lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {data, ...}:
  28   lib.optionalString (data != null) ''
  29     install -D -o knot -g knot -m 700 ${pkgs.writeText "${domain}.zone" data} /var/lib/knot/zones/${domain}.zone
  30   '') knot.zones);
  31 /*
  32 systemd.services.knot.postStart = lib.mkAfter ''
  33   PATH="/run/current-system/sw/bin:$PATH"
  34   knotc zone-freeze ${domain}.
  35   while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
  36   knotc zone-flush ${domain}.
  37   install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
  38   knotc zone-reload ${domain}.
  39   knotc zone-thaw ${domain}.
  40 '';
  41 */
  42 services.knot = {
  43   enable = true;
  44   extraArgs = [ "-v" ];
  45   # https://www.knot-dns.cz/docs/2.6/html/reference.html
  46   extraConfig = ''
  47     template:
  48       - id: default
  49         dnssec-signing: off
  50         # move databases below the state directory, because they need to be writable
  51         storage: /var/lib/knot/zones
  52         # Input-only zone files
  53         # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
  54         # prevents modification of the zonefiles, since the zonefiles are immutable
  55         #zonefile-sync: -1
  56         zonefile-load: difference
  57         journal-content: changes
  58
  59     database:
  60         journal-db: /var/lib/knot/journal
  61         kasp-db: /var/lib/knot/kasp
  62         timer-db: /var/lib/knot/timer
  63
  64     log:
  65       - target: syslog
  66         any: info
  67
  68     remote:
  69       - id: local_resolver
  70         address: 127.0.0.1@53
  71
  72       - id: secondary_gandi
  73         address: 217.70.177.40@53
  74
  75     submission:
  76       - id: dnssec_validating_resolver
  77         parent: local_resolver
  78
  79     policy:
  80       - id: rsa
  81         single-type-signing: false
  82         ksk-shared: false
  83         algorithm: RSASHA256
  84         ksk-size: 4096
  85         zsk-size: 2048
  86         zsk-lifetime: 30d
  87         ksk-lifetime: 365d
  88         ksk-submission: dnssec_validating_resolver
  89
  90       - id: ed25519
  91         single-type-signing: false
  92         ksk-shared: false
  93         algorithm: ED25519
  94         ksk-size: 256
  95         zsk-size: 256
  96         zsk-lifetime: 30d
  97         ksk-lifetime: 365d
  98         cds-cdnskey-publish: always
  99         ksk-submission: dnssec_validating_resolver
 100
 101     acl:
 102       - id: acl_localhost
 103         address: 127.0.0.1
 104         action: transfer
 105
 106       # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
 107       - id: acl_gandi
 108         address: 217.70.177.40
 109         action: transfer
 110
 111   '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {conf, ...}: conf) knot.zones);
 112 };
 113 };
 114 }