nix: update switch from julm-nix
[sourcephile-nix.git] / hosts / mermet / knot.nix
index 33970673a8a54aee02d806209c4bfa4da5cff481..04aada3da6a47cc9fe36ea6fe271f8e289d5188c 100644 (file)
@@ -5,139 +5,151 @@ let
   inherit (config.users) users groups;
 in
 {
-imports = [
-  knot/autogeree.net.nix
-  knot/sourcephile.fr.nix
-];
-options.services.knot = {
-  zones = lib.mkOption {
-    default = {};
-    type = types.attrsOf (types.submodule ({name, ...}: {
-      #config.domain = lib.mkDefault name;
-      options = {
-        conf = lib.mkOption {
-          type = types.lines;
+  imports = [
+    knot/autogeree.net.nix
+    knot/sourcephile.fr.nix
+  ];
+  options.services.knot = {
+    zones = lib.mkOption {
+      default = { };
+      type = types.attrsOf (types.submodule ({ ... }: {
+        #config.domain = lib.mkDefault name;
+        options = {
+          conf = lib.mkOption {
+            type = types.lines;
+          };
+          data = lib.mkOption {
+            type = types.nullOr types.lines;
+          };
         };
-        data = lib.mkOption {
-          type = types.nullOr types.lines;
-        };
-      };
-    }));
+      }));
+    };
   };
-};
-config = {
-systemd.services.knot.preStart = lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {data, ...}:
-  lib.optionalString (data != null) ''
-    install -D -o ${users."knot".name} -g ${groups."knot".name} -m 700 \
-     ${pkgs.writeText "${domain}.zone" data} \
-     /var/lib/knot/zones/${domain}.zone
-  '') knot.zones);
-/*
-systemd.services.knot.postStart = lib.mkAfter ''
-  PATH="/run/current-system/sw/bin:$PATH"
-  knotc zone-freeze ${domain}.
-  while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
-  knotc zone-flush ${domain}.
-  install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
-  knotc zone-reload ${domain}.
-  knotc zone-thaw ${domain}.
-'';
-*/
-networking.nftables.ruleset = ''
-  # for knot to notify ns6.gandi.net
-  add rule inet filter fw2net ip daddr 217.70.177.40 udp dport 53 counter accept comment "DNS"
-  add rule inet filter fw2net ip daddr 217.70.177.40 tcp dport 53 counter accept comment "DNS"
-  # for knot to notify ns0.muarf.org
-  add rule inet filter fw2net ip daddr  78.192.65.63 udp dport 53 counter accept comment "DNS"
-  add rule inet filter fw2net ip daddr  78.192.65.63 tcp dport 53 counter accept comment "DNS"
-  # for knot to receive queries
-  add rule inet filter net2fw udp dport 53 counter accept comment "DNS"
-  add rule inet filter net2fw tcp dport 53 counter accept comment "DNS"
-'';
-services.knot = {
-  enable = true;
-  extraArgs = [ "-v" ];
-  # https://www.knot-dns.cz/docs/2.6/html/reference.html
-  extraConfig = ''
-    server :
-      # Listen on localhost to allow only there
-      # dynamic updates for ACME challenges.
-      listen: 127.0.0.1@5353
+  config = {
+    systemd.services.knot.serviceConfig.ExecStartPre =
+      lib.mapAttrsToList
+        (domain: { data, ... }: ''
+          +${pkgs.coreutils}/bin/install -D -o ${users.knot.name} -g ${groups."knot".name} -m 700 \
+           ${pkgs.writeText "${domain}.zone" data} \
+           /var/lib/knot/zones/${domain}.zone
+        '')
+        knot.zones;
+    /*
+      systemd.services.knot.postStart = lib.mkAfter ''
+      PATH="/run/current-system/sw/bin:$PATH"
+      knotc zone-freeze ${domain}.
+      while ! knotc zone-status ${domain}. +freeze | grep -q 'freeze: yes'; do sleep 1; done
+      knotc zone-flush ${domain}.
+      install -o knot -g knot -m 700 ${zone} /var/lib/knot/signed/${domain}.zone
+      knotc zone-reload ${domain}.
+      knotc zone-thaw ${domain}.
+      '';
+    */
+    networking.nftables.ruleset = ''
+      table inet filter {
+        chain input-net {
+          meta l4proto { udp, tcp } th dport domain counter accept comment "knot: DNS"
+        }
+        set output-net-knot-ipv4 { type ipv4_addr; }
+        set output-net-knot-ipv6 { type ipv6_addr; }
+        chain output-net {
+          skuid ${users.knot.name} \
+            meta l4proto { udp, tcp } th dport domain \
+            ip daddr @output-net-knot-ipv4 \
+            counter accept \
+            comment "knot: DNS notify"
+          skuid ${users.knot.name} \
+            meta l4proto { udp, tcp } th dport domain \
+            ip6 daddr @output-net-knot-ipv6 \
+            counter accept \
+            comment "knot: DNS notify"
+        }
+      }
+    '';
+    services.knot = {
+      enable = true;
+      extraArgs = [ "-v" ];
+      # https://www.knot-dns.cz/docs/2.6/html/reference.html
+      extraConfig = ''
+        server :
+          # Listen on localhost to allow only there
+          # dynamic updates for ACME challenges.
+          listen: 127.0.0.1@5353
 
-    mod-rrl:
-      - id: default
-        rate-limit: 200
-        slip: 2
+        mod-rrl:
+          - id: default
+            rate-limit: 200
+            slip: 2
 
-    template:
-      - id: default
-        dnssec-signing: off
-        # move databases below the state directory, because they need to be writable
-        storage: /var/lib/knot/zones
-        # Input-only zone files
-        # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
-        # prevents modification of the zonefiles, since the zonefiles are immutable
-        #zonefile-sync: -1
-        zonefile-load: difference
-        journal-content: changes
-        global-module: mod-rrl/default
+        template:
+          - id: default
+            dnssec-signing: off
+            # move databases below the state directory, because they need to be writable
+            storage: /var/lib/knot/zones
+            # Input-only zone files
+            # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
+            # prevents modification of the zonefiles, since the zonefiles are immutable
+            #zonefile-sync: -1
+            zonefile-load: difference
+            journal-content: changes
+            global-module: mod-rrl/default
 
-    database:
-        journal-db: /var/lib/knot/journal
-        kasp-db: /var/lib/knot/kasp
-        timer-db: /var/lib/knot/timer
+        database:
+            journal-db: /var/lib/knot/journal
+            kasp-db: /var/lib/knot/kasp
+            timer-db: /var/lib/knot/timer
 
-    log:
-      - target: syslog
-        any: info
+        log:
+          - target: syslog
+            any: info
 
-    remote:
-      - id: local_resolver
-        address: 127.0.0.1@53
+        remote:
+          - id: local_resolver
+            address: 127.0.0.1@53
 
-      - id: secondary_gandi
-        address: 217.70.177.40@53
+          - id: secondary_gandi
+            address: 217.70.177.40@53
 
-      - id: secondary_muarf
-        address: 78.192.65.63@53
+          - id: secondary_muarf
+            address: 78.192.65.63@53
 
-    submission:
-      - id: dnssec_validating_resolver
-        parent: local_resolver
+        submission:
+          - id: dnssec_validating_resolver
+            parent: local_resolver
 
-    policy:
-      - id: rsa
-        single-type-signing: false
-        ksk-shared: false
-        algorithm: RSASHA256
-        ksk-size: 4096
-        zsk-size: 2048
-        zsk-lifetime: 30d
-        ksk-lifetime: 365d
-        ksk-submission: dnssec_validating_resolver
+        policy:
+          - id: rsa
+            single-type-signing: false
+            ksk-shared: false
+            algorithm: RSASHA256
+            ksk-size: 4096
+            zsk-size: 2048
+            zsk-lifetime: 30d
+            ksk-lifetime: 365d
+            ksk-submission: dnssec_validating_resolver
 
-      - id: ed25519
-        single-type-signing: false
-        ksk-shared: false
-        algorithm: ED25519
-        ksk-size: 256
-        zsk-size: 256
-        zsk-lifetime: 30d
-        ksk-lifetime: 365d
-        cds-cdnskey-publish: always
-        ksk-submission: dnssec_validating_resolver
+          - id: ed25519
+            single-type-signing: false
+            ksk-shared: false
+            algorithm: ED25519
+            ksk-size: 256
+            zsk-size: 256
+            zsk-lifetime: 30d
+            ksk-lifetime: 365d
+            cds-cdnskey-publish: always
+            ksk-submission: dnssec_validating_resolver
 
-    acl:
-      # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
-      - id: acl_gandi
-        address: 217.70.177.40
-        action: transfer
+        acl:
+          # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
+          - id: acl_gandi
+            address: 217.70.177.40
+            action: transfer
 
-      - id: acl_muarf
-        address: 78.192.65.63
-        action: transfer
+          - id: acl_muarf
+            address: 78.192.65.63
+            action: transfer
 
-  '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {conf, ...}: conf) knot.zones);
-};
-};
+      '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (_domain: { conf, ... }: conf) knot.zones);
+    };
+  };
 }
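Review bot: The `ExecStartPre` list at the top of `config` no longer skips zones whose `data` is null, which the removed `lib.optionalString (data != null)` guard used to do; since `data` is declared as `types.nullOr types.lines`, a zone with `data = null` now makes `pkgs.writeText` fail at evaluation time instead of being skipped. Keeping the list shape and the guard takes three changed lines: `lib.concatLists (lib.mapAttrsToList`, then `(domain: { data, ... }: lib.optional (data != null) ''`, and `knot.zones);` closing the outer call. Separately, the new nftables ruleset declares the sets `output-net-knot-ipv4` and `output-net-knot-ipv6` but adds no elements to them in this file, so outbound NOTIFY traffic to the secondaries listed under `remote:` (which the old explicit `ip daddr` rules allowed) is dropped unless the sets are populated elsewhere, presumably in the per-zone files under `knot/`; a comment on the two set declarations naming where they are filled would make that dependency visible.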