inherit (config.users) users groups;
in
{
-imports = [
- knot/autogeree.net.nix
- knot/sourcephile.fr.nix
-];
-options.services.knot = {
- zones = lib.mkOption {
- default = {};
- type = types.attrsOf (types.submodule ({name, ...}: {
- #config.domain = lib.mkDefault name;
- options = {
- conf = lib.mkOption {
- type = types.lines;
+ imports = [
+ knot/autogeree.net.nix
+ knot/sourcephile.fr.nix
+ ];
+ options.services.knot = {
+ zones = lib.mkOption {
+ default = { };
+ type = types.attrsOf (types.submodule ({ ... }: {
+ #config.domain = lib.mkDefault name;
+ options = {
+ conf = lib.mkOption {
+ type = types.lines;
+ };
+ data = lib.mkOption {
+ type = types.nullOr types.lines;
+ };
};
- data = lib.mkOption {
- type = types.nullOr types.lines;
- };
- };
- }));
+ }));
+ };
};
-};
-config = {
-systemd.services.knot.preStart = lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {data, ...}:
- lib.optionalString (data != null) ''
- install -D -o ${users."knot".name} -g ${groups."knot".name} -m 700 \
- ${pkgs.writeText "${domain}.zone" data} \
- /var/lib/knot/zones/${domain}.zone
- '') knot.zones);
-/*
-systemd.services.knot.postStart = lib.mkAfter ''
- PATH="/run/current-system/sw/bin:$PATH"
- knotc zone-freeze ${domain}.
- while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
- knotc zone-flush ${domain}.
- install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
- knotc zone-reload ${domain}.
- knotc zone-thaw ${domain}.
-'';
-*/
-networking.nftables.ruleset = ''
- # for knot to notify ns6.gandi.net
- add rule inet filter fw2net ip daddr 217.70.177.40 udp dport 53 counter accept comment "DNS"
- add rule inet filter fw2net ip daddr 217.70.177.40 tcp dport 53 counter accept comment "DNS"
- # for knot to notify ns0.muarf.org
- add rule inet filter fw2net ip daddr 78.192.65.63 udp dport 53 counter accept comment "DNS"
- add rule inet filter fw2net ip daddr 78.192.65.63 tcp dport 53 counter accept comment "DNS"
- # for knot to receive queries
- add rule inet filter net2fw udp dport 53 counter accept comment "DNS"
- add rule inet filter net2fw tcp dport 53 counter accept comment "DNS"
-'';
-services.knot = {
- enable = true;
- extraArgs = [ "-v" ];
- # https://www.knot-dns.cz/docs/2.6/html/reference.html
- extraConfig = ''
- server :
- # Listen on localhost to allow only there
- # dynamic updates for ACME challenges.
- listen: 127.0.0.1@5353
+ config = {
+ systemd.services.knot.serviceConfig.ExecStartPre =
+ lib.mapAttrsToList
+ (domain: { data, ... }: ''
+ +${pkgs.coreutils}/bin/install -D -o ${users.knot.name} -g ${groups."knot".name} -m 700 \
+ ${pkgs.writeText "${domain}.zone" data} \
+ /var/lib/knot/zones/${domain}.zone
+ '')
+ knot.zones;
+ /*
+ systemd.services.knot.postStart = lib.mkAfter ''
+ PATH="/run/current-system/sw/bin:$PATH"
+ knotc zone-freeze ${domain}.
+ while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
+ knotc zone-flush ${domain}.
+ install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
+ knotc zone-reload ${domain}.
+ knotc zone-thaw ${domain}.
+ '';
+ */
+ networking.nftables.ruleset = ''
+ table inet filter {
+ chain input-net {
+ meta l4proto { udp, tcp } th dport domain counter accept comment "knot: DNS"
+ }
+ set output-net-knot-ipv4 { type ipv4_addr; }
+ set output-net-knot-ipv6 { type ipv6_addr; }
+ chain output-net {
+ skuid ${users.knot.name} \
+ meta l4proto { udp, tcp } th dport domain \
+ ip daddr @output-net-knot-ipv4 \
+ counter accept \
+ comment "knot: DNS notify"
+ skuid ${users.knot.name} \
+ meta l4proto { udp, tcp } th dport domain \
+ ip6 daddr @output-net-knot-ipv6 \
+ counter accept \
+ comment "knot: DNS notify"
+ }
+ }
+ '';
+ services.knot = {
+ enable = true;
+ extraArgs = [ "-v" ];
+ # https://www.knot-dns.cz/docs/2.6/html/reference.html
+ extraConfig = ''
+ server :
+ # Listen on localhost to allow only there
+ # dynamic updates for ACME challenges.
+ listen: 127.0.0.1@5353
- mod-rrl:
- - id: default
- rate-limit: 200
- slip: 2
+ mod-rrl:
+ - id: default
+ rate-limit: 200
+ slip: 2
- template:
- - id: default
- dnssec-signing: off
- # move databases below the state directory, because they need to be writable
- storage: /var/lib/knot/zones
- # Input-only zone files
- # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
- # prevents modification of the zonefiles, since the zonefiles are immutable
- #zonefile-sync: -1
- zonefile-load: difference
- journal-content: changes
- global-module: mod-rrl/default
+ template:
+ - id: default
+ dnssec-signing: off
+ # move databases below the state directory, because they need to be writable
+ storage: /var/lib/knot/zones
+ # Input-only zone files
+ # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
+ # prevents modification of the zonefiles, since the zonefiles are immutable
+ #zonefile-sync: -1
+ zonefile-load: difference
+ journal-content: changes
+ global-module: mod-rrl/default
- database:
- journal-db: /var/lib/knot/journal
- kasp-db: /var/lib/knot/kasp
- timer-db: /var/lib/knot/timer
+ database:
+ journal-db: /var/lib/knot/journal
+ kasp-db: /var/lib/knot/kasp
+ timer-db: /var/lib/knot/timer
- log:
- - target: syslog
- any: info
+ log:
+ - target: syslog
+ any: info
- remote:
- - id: local_resolver
- address: 127.0.0.1@53
+ remote:
+ - id: local_resolver
+ address: 127.0.0.1@53
- - id: secondary_gandi
- address: 217.70.177.40@53
+ - id: secondary_gandi
+ address: 217.70.177.40@53
- - id: secondary_muarf
- address: 78.192.65.63@53
+ - id: secondary_muarf
+ address: 78.192.65.63@53
- submission:
- - id: dnssec_validating_resolver
- parent: local_resolver
+ submission:
+ - id: dnssec_validating_resolver
+ parent: local_resolver
- policy:
- - id: rsa
- single-type-signing: false
- ksk-shared: false
- algorithm: RSASHA256
- ksk-size: 4096
- zsk-size: 2048
- zsk-lifetime: 30d
- ksk-lifetime: 365d
- ksk-submission: dnssec_validating_resolver
+ policy:
+ - id: rsa
+ single-type-signing: false
+ ksk-shared: false
+ algorithm: RSASHA256
+ ksk-size: 4096
+ zsk-size: 2048
+ zsk-lifetime: 30d
+ ksk-lifetime: 365d
+ ksk-submission: dnssec_validating_resolver
- - id: ed25519
- single-type-signing: false
- ksk-shared: false
- algorithm: ED25519
- ksk-size: 256
- zsk-size: 256
- zsk-lifetime: 30d
- ksk-lifetime: 365d
- cds-cdnskey-publish: always
- ksk-submission: dnssec_validating_resolver
+ - id: ed25519
+ single-type-signing: false
+ ksk-shared: false
+ algorithm: ED25519
+ ksk-size: 256
+ zsk-size: 256
+ zsk-lifetime: 30d
+ ksk-lifetime: 365d
+ cds-cdnskey-publish: always
+ ksk-submission: dnssec_validating_resolver
- acl:
- # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
- - id: acl_gandi
- address: 217.70.177.40
- action: transfer
+ acl:
+ # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
+ - id: acl_gandi
+ address: 217.70.177.40
+ action: transfer
- - id: acl_muarf
- address: 78.192.65.63
- action: transfer
+ - id: acl_muarf
+ address: 78.192.65.63
+ action: transfer
- '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {conf, ...}: conf) knot.zones);
-};
-};
+ '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (_domain: { conf, ... }: conf) knot.zones);
+ };
+ };
}