nix: add tests.nix
[sourcephile-nix.git] / servers / mermet / knot.nix
index 2768e236c5d12abec2f5f36f9b28ef6a1cce374f..aac7e73b9bfe1e31a3997c7cbe6b57622108c8f4 100644 (file)
@@ -5,6 +5,7 @@ let
 in
 {
 imports = [
+  knot/autogeree.net.nix
   knot/sourcephile.fr.nix
 ];
 options.services.knot = {
@@ -27,6 +28,14 @@ config = {
 security.acme = {
   acceptTerms = true;
 };
+environment.systemPackages = [
+  pkgs.lego
+];
+users = {
+  groups = {
+    acme = {};
+  };
+};
 systemd.services.knot.preStart = lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {data, ...}:
   lib.optionalString (data != null) ''
     install -D -o knot -g knot -m 700 ${pkgs.writeText "${domain}.zone" data} /var/lib/knot/zones/${domain}.zone
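Review bot: The `acme` group declared in `users.groups` is empty and carries no comment, so a reader cannot tell which services are expected to join it or why it is declared here instead of being left to the `security.acme` module configured just above. Presumably it is meant to share ACME material between the ACME client and the services that read the certificates, but nothing in the hunk states that, and the same goes for `pkgs.lego` in `systemPackages`, whose relation to the localhost dynamic-update listener is only implied. A one-line comment above `groups = {` naming the intended members (e.g. `# acme: shared by the ACME client and the services that read its certificates` — adjust to the actual consumers) would pin the intent. The enclosing `config = {` attribute set starts before this hunk.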
@@ -48,6 +57,8 @@ services.knot = {
   # https://www.knot-dns.cz/docs/2.6/html/reference.html
   extraConfig = ''
     server :
+      # Listen on localhost to allow only there
+      # dynamic updates for ACME challenges.
       listen: 127.0.0.1@5353
 
     mod-rrl:
@@ -84,6 +95,9 @@ services.knot = {
       - id: secondary_gandi
         address: 217.70.177.40@53
 
+      - id: secondary_muarf
+        address: 78.192.65.63@53
+
     submission:
       - id: dnssec_validating_resolver
         parent: local_resolver
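Review bot: The new `secondary_muarf` remote is defined by address only (`address: 78.192.65.63@53`) with no `key:` item, and the matching `acl_muarf` entry in the last hunk of this file (`address: 78.192.65.63`, `action: transfer`) likewise has no `key:`, so zone transfers to this secondary are authorized purely by source IP. Knot's `remote` and `acl` sections both accept a `key:` item referencing a TSIG key declared in a `key:` section; adding one to both entries (`key: <TSIG key id placeholder>`) would make transfers authenticated rather than address-matched. If address-only transfer ACLs are the accepted policy for all secondaries, as the existing `acl_gandi` entry suggests, a comment next to `acl_muarf` saying so would stop the next reader from re-raising it. The `extraConfig` string this hunk belongs to starts before the hunk and continues past it.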
@@ -111,19 +125,15 @@ services.knot = {
         ksk-submission: dnssec_validating_resolver
 
     acl:
-      - id: acl_localhost
-        address: 127.0.0.1
-        action: transfer
-
-      - id: acl_lego
-        address: 127.0.0.1
-        action: update
-
       # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
       - id: acl_gandi
         address: 217.70.177.40
         action: transfer
 
+      - id: acl_muarf
+        address: 78.192.65.63
+        action: transfer
+
   '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {conf, ...}: conf) knot.zones);
 };
 };