carotte: zfs: disable
[sourcephile-nix.git] / hosts / mermet / knot / sourcephile.fr.nix
index 44d931e18217cf410a39e337a7b85abe26b5a402..664a2f644ba2d6642ad61ab784923e8db30c0d19 100644 (file)
@@ -22,7 +22,7 @@ let
 
       ; NS (Name Server)
       @ NS ns
-      @ NS ${info.gandi.dns.secondary.ns.name}.
+      ;@ NS ${info.gandi.dns.secondary.ns.name}.
       i NS ns
       whoami4 NS ns.whoami4
       ns.whoami4 A ${hosts.mermet._module.args.ipv4}
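Review bot: With the gandi record turned into a comment on the `@ NS` line, the apex NS set on the new side lists only `ns`, and the new lebureau secondary that this commit configures in the `@@ -124` hunk (`remote`/`acl` entries) is not published as a name server anywhere. If lebureau is meant to serve the zone publicly, add `@ NS <LEBUREAU_NS_NAME>.` (the actual host name is not on this page) and update the parent delegation; if it is intended as a hidden secondary, say so in a comment so the single-NS apex is not read as an oversight. Deleting the old line rather than commenting it out would also avoid carrying a dead gandi reference in the zone text; the `let` binding holding this zone starts before the hunk.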
@@ -124,22 +124,35 @@ in
       update-owner-name = [ "losurdo" "lan.losurdo" ];
       update-type = [ "A" "AAAA" ];
     };
+    acl."acl_lebureau_${domainID}" = {
+      address =
+        info.lebureau.dns.secondary.transfer.ipv4 ++
+        info.lebureau.dns.secondary.transfer.ipv6;
+      action = "transfer";
+      key = "lebureau_${domainID}";
+    };
     mod-dnsproxy.proxy_iodine = {
       remote = "ns_iodine";
       fallback = "off";
     };
+    remote."secondary_lebureau_${domainID}" = {
+      address = map (x: "${x}@53")
+        (info.lebureau.dns.secondary.transfer.ipv4 ++
+          info.lebureau.dns.secondary.transfer.ipv6);
+      key = "lebureau_${domainID}";
+    };
     zone."${domain}" = {
       file = "${domain}.zone";
       serial-policy = "increment";
       semantic-checks = true;
       notify = [
-        "secondary_gandi"
+        "secondary_lebureau_${domainID}"
       ];
       acl = [
-        "acl_gandi"
         "acl_localhost_acme_${domainID}"
         "acl_tsig_acme_${domainID}"
         "acl_tsig_losurdo_${domainID}"
+        "acl_lebureau_${domainID}"
       ];
       dnssec-signing = true;
       dnssec-policy = "ed25519";
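Review bot: The lebureau transfer address list is built twice, once as the `acl` `address` and again (mapped to `@53`) as the `remote` `address`; bind it once in the file's top-level `let` (outside this hunk), e.g. `lebureauTransfer = info.lebureau.dns.secondary.transfer.ipv4 ++ info.lebureau.dns.secondary.transfer.ipv6;`, then use `address = lebureauTransfer;` in the acl and `address = map (x: "${x}@53") lebureauTransfer;` in the remote. The ACL gates zone transfers on both the source address set and the `lebureau_${domainID}` TSIG key, which is the right shape; deriving both lists from one binding keeps the notify targets and the allowed transfer sources from drifting apart. The removed `acl_gandi`/`secondary_gandi` references presumably still have definitions elsewhere in the file; if so they are now unused and can be dropped.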
@@ -169,6 +182,8 @@ in
       "/run/credentials/knot.service/${domain}.acme.conf"
       # Generated with: keymgr -t losurdo_${domainID}
       "/run/credentials/knot.service/losurdo.conf"
+      # Generated with: keymgr -t lebureau_${domainID}
+      "/run/credentials/knot.service/${domain}.lebureau.conf"
     ];
   };
   systemd.services.knot = {
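Review bot: The new credential id is `${domain}.lebureau.conf` while the adjacent losurdo one is the unprefixed `losurdo.conf`, so this list now mixes two naming schemes for the same kind of TSIG key file; the same inconsistency is carried into the `LoadCredentialEncrypted` entries of the `@@ -181` hunk. Either prefix both with `${domain}.` or neither, changing the `/run/credentials/knot.service/...` path and the matching `LoadCredentialEncrypted` id together, since systemd exposes the credential under exactly the id given there. The list these entries belong to starts outside the hunk.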
@@ -181,15 +196,16 @@ in
         ''
       ];
       LoadCredentialEncrypted = [
-        "${domain}.acme.conf:${./. + "/${domain}/acme.conf.cred"}"
-        "losurdo.conf:${./. + "/${domain}/losurdo.conf.cred"}"
+        "${domain}.acme.conf:${builtins.path { path = ./. + "/${domain}/acme.conf.cred"; }}"
+        "${domain}.lebureau.conf:${builtins.path { path = ./. + "/${domain}/lebureau.conf.cred"; }}"
+        "losurdo.conf:${builtins.path { path = ./. + "/${domain}/losurdo.conf.cred"; }}"
       ];
     };
   };
   networking.nftables.ruleset = ''
     table inet filter {
-      set output-net-knot-ipv4 { type ipv4_addr; elements = { ${info.gandi.dns.secondary.axfr.ipv4} }; }
-      set output-net-knot-ipv6 { type ipv6_addr; elements = { ${info.gandi.dns.secondary.axfr.ipv6} }; }
+      set output-net-knot-ipv4 { type ipv4_addr; elements = { ${lib.concatStringsSep ", " info.lebureau.dns.secondary.transfer.ipv4} }; }
+      set output-net-knot-ipv6 { type ipv6_addr; elements = { ${lib.concatStringsSep ", " info.lebureau.dns.secondary.transfer.ipv6} }; }
     }
   '';
   /* Useless since the zone is public
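Review bot: The `LoadCredentialEncrypted` entries copy the `.cred` files into the Nix store via `builtins.path`, and nothing in the hunk records why that is acceptable for key material; add above the list `# .cred files are systemd-creds encrypted, so the store copy is unusable without this host's credential key; plaintext exists only under /run/credentials/knot.service/`. Whether `builtins.path { path = ...; }` was chosen over the previous `${./. + ...}` interpolation for a specific reason is not visible here, and a one-line comment would save the next reader from guessing. In the nftables sets, an empty `info.lebureau.dns.secondary.transfer.ipv4` or `.ipv6` list would emit `elements = { }`; verify nftables accepts that form, or wrap each `set` line in `lib.optionalString` on the list being non-empty.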