{ pkgs, lib, config, ... }: let inherit (lib) types; inherit (config.services) knot; in { imports = [ knot/sourcephile.fr.nix ]; options.services.knot = { zones = lib.mkOption { default = {}; type = types.attrsOf (types.submodule ({domain, ...}: { #config.domain = lib.mkDefault domain; options = { conf = lib.mkOption { type = types.lines; }; data = lib.mkOption { type = types.nullOr types.lines; }; }; })); }; }; config = { security.acme = { acceptTerms = true; }; environment.systemPackages = [ pkgs.lego ]; users = { groups = { acme = {}; }; }; systemd.services.knot.preStart = lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {data, ...}: lib.optionalString (data != null) '' install -D -o knot -g knot -m 700 ${pkgs.writeText "${domain}.zone" data} /var/lib/knot/zones/${domain}.zone '') knot.zones); /* systemd.services.knot.postStart = lib.mkAfter '' PATH="/run/current-system/sw/bin:$PATH" knotc zone-freeze ${domain}. while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done knotc zone-flush ${domain}. install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone knotc zone-reload ${domain}. knotc zone-thaw ${domain}. ''; */ services.knot = { enable = true; extraArgs = [ "-v" ]; # https://www.knot-dns.cz/docs/2.6/html/reference.html extraConfig = '' server : listen: 127.0.0.1@5353 mod-rrl: - id: default rate-limit: 200 slip: 2 template: - id: default dnssec-signing: off # move databases below the state directory, because they need to be writable storage: /var/lib/knot/zones # Input-only zone files # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3 # prevents modification of the zonefiles, since the zonefiles are immutable #zonefile-sync: -1 zonefile-load: difference journal-content: changes global-module: mod-rrl/default database: journal-db: /var/lib/knot/journal kasp-db: /var/lib/knot/kasp timer-db: /var/lib/knot/timer log: - target: syslog any: info remote: - id: local_resolver address: 127.0.0.1@53 - id: secondary_gandi address: 217.70.177.40@53 submission: - id: dnssec_validating_resolver parent: local_resolver policy: - id: rsa single-type-signing: false ksk-shared: false algorithm: RSASHA256 ksk-size: 4096 zsk-size: 2048 zsk-lifetime: 30d ksk-lifetime: 365d ksk-submission: dnssec_validating_resolver - id: ed25519 single-type-signing: false ksk-shared: false algorithm: ED25519 ksk-size: 256 zsk-size: 256 zsk-lifetime: 30d ksk-lifetime: 365d cds-cdnskey-publish: always ksk-submission: dnssec_validating_resolver acl: # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html - id: acl_gandi address: 217.70.177.40 action: transfer '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {conf, ...}: conf) knot.zones); }; }; }