{ pkgs, lib, config, ... }:
let
inherit (lib) types;
inherit (config.services) knot;
inherit (config.users) users groups;
in
{
imports = [
knot/autogeree.net.nix
knot/sourcephile.fr.nix
];
options.services.knot = {
zones = lib.mkOption {
default = { };
type = types.attrsOf (types.submodule ({ ... }: {
#config.domain = lib.mkDefault name;
options = {
conf = lib.mkOption {
type = types.lines;
};
data = lib.mkOption {
type = types.nullOr types.lines;
};
};
}));
};
};
config = {
systemd.services.knot.serviceConfig.ExecStartPre =
lib.mapAttrsToList
(domain: { data, ... }: ''
+${pkgs.coreutils}/bin/install -D -o ${users.knot.name} -g ${groups."knot".name} -m 700 \
${pkgs.writeText "${domain}.zone" data} \
/var/lib/knot/zones/${domain}.zone
'')
knot.zones;
/*
systemd.services.knot.postStart = lib.mkAfter ''
PATH="/run/current-system/sw/bin:$PATH"
knotc zone-freeze ${domain}.
while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
knotc zone-flush ${domain}.
install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
knotc zone-reload ${domain}.
knotc zone-thaw ${domain}.
'';
*/
networking.nftables.ruleset = ''
table inet filter {
chain input-net {
meta l4proto { udp, tcp } th dport domain counter accept comment "knot: DNS"
}
set output-net-knot-ipv4 { type ipv4_addr; }
set output-net-knot-ipv6 { type ipv6_addr; }
chain output-net {
skuid ${users.knot.name} \
meta l4proto { udp, tcp } th dport domain \
ip daddr @output-net-knot-ipv4 \
counter accept \
comment "knot: DNS notify"
skuid ${users.knot.name} \
meta l4proto { udp, tcp } th dport domain \
ip6 daddr @output-net-knot-ipv6 \
counter accept \
comment "knot: DNS notify"
}
}
'';
services.knot = {
enable = true;
extraArgs = [ "-v" ];
# https://www.knot-dns.cz/docs/2.6/html/reference.html
extraConfig = ''
server :
# Listen on localhost to allow only there
# dynamic updates for ACME challenges.
listen: 127.0.0.1@5353
mod-rrl:
- id: default
rate-limit: 200
slip: 2
template:
- id: default
dnssec-signing: off
# move databases below the state directory, because they need to be writable
storage: /var/lib/knot/zones
# Input-only zone files
# https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
# prevents modification of the zonefiles, since the zonefiles are immutable
#zonefile-sync: -1
zonefile-load: difference
journal-content: changes
global-module: mod-rrl/default
database:
journal-db: /var/lib/knot/journal
kasp-db: /var/lib/knot/kasp
timer-db: /var/lib/knot/timer
log:
- target: syslog
any: info
remote:
- id: local_resolver
address: 127.0.0.1@53
- id: secondary_gandi
address: 217.70.177.40@53
- id: secondary_muarf
address: 78.192.65.63@53
submission:
- id: dnssec_validating_resolver
parent: local_resolver
policy:
- id: rsa
single-type-signing: false
ksk-shared: false
algorithm: RSASHA256
ksk-size: 4096
zsk-size: 2048
zsk-lifetime: 30d
ksk-lifetime: 365d
ksk-submission: dnssec_validating_resolver
- id: ed25519
single-type-signing: false
ksk-shared: false
algorithm: ED25519
ksk-size: 256
zsk-size: 256
zsk-lifetime: 30d
ksk-lifetime: 365d
cds-cdnskey-publish: always
ksk-submission: dnssec_validating_resolver
acl:
# DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
- id: acl_gandi
address: 217.70.177.40
action: transfer
- id: acl_muarf
address: 78.192.65.63
action: transfer
'' + lib.concatStringsSep "\n" (lib.mapAttrsToList (_domain: { conf, ... }: conf) knot.zones);
};
};
}