};
};
config = {
-systemd.services.knot.preStart = lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {data, ...}:
- lib.optionalString (data != null) ''
- install -D -o ${users."knot".name} -g ${groups."knot".name} -m 700 \
+systemd.services.knot.serviceConfig.ExecStartPre =
+ lib.mapAttrsToList (domain: {data, ...}: ''
+ +${pkgs.coreutils}/bin/install -D -o ${users.knot.name} -g ${groups."knot".name} -m 700 \
${pkgs.writeText "${domain}.zone" data} \
/var/lib/knot/zones/${domain}.zone
- '') knot.zones);
+ '') knot.zones;
/*
systemd.services.knot.postStart = lib.mkAfter ''
PATH="/run/current-system/sw/bin:$PATH"
'';
*/
networking.nftables.ruleset = ''
- # for knot to notify ns6.gandi.net
- add rule inet filter fw2net ip daddr 217.70.177.40 udp dport 53 counter accept comment "DNS"
- add rule inet filter fw2net ip daddr 217.70.177.40 tcp dport 53 counter accept comment "DNS"
- # for knot to notify ns0.muarf.org
- add rule inet filter fw2net ip daddr 78.192.65.63 udp dport 53 counter accept comment "DNS"
- add rule inet filter fw2net ip daddr 78.192.65.63 tcp dport 53 counter accept comment "DNS"
- # for knot to receive queries
- add rule inet filter net2fw udp dport 53 counter accept comment "DNS"
- add rule inet filter net2fw tcp dport 53 counter accept comment "DNS"
+ table inet filter {
+ chain input-net {
+ meta l4proto { udp, tcp } th dport domain counter accept comment "knot: DNS"
+ }
+ set output-net-knot-ipv4 { type ipv4_addr; }
+ set output-net-knot-ipv6 { type ipv6_addr; }
+ chain output-net {
+ skuid ${users.knot.name} \
+ meta l4proto { udp, tcp } th dport domain \
+ ip daddr @output-net-knot-ipv4 \
+ counter accept \
+ comment "knot: DNS notify"
+ skuid ${users.knot.name} \
+ meta l4proto { udp, tcp } th dport domain \
+ ip6 daddr @output-net-knot-ipv6 \
+ counter accept \
+ comment "knot: DNS notify"
+ }
+ }
'';
services.knot = {
enable = true;
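Review bot: The rewritten `ExecStartPre` list drops the old `lib.optionalString (data != null)` guard, so a zone declared with `data = null` now reaches `pkgs.writeText "${domain}.zone" data` instead of being skipped; mapping over `(lib.filterAttrs (_: zone: zone.data != null) knot.zones)` rather than the bare `knot.zones` keeps the previous behaviour. The leading `+` also makes systemd run `install` with full privileges on a path under `/var/lib/knot`, which appears to be the service user's own state directory, so a comment saying why root is needed there (or running the step as the knot user) would be worth adding. In the nftables part, `output-net-knot-ipv4` and `output-net-knot-ipv6` are declared without elements while the removed rules named 217.70.177.40 and 78.192.65.63 explicitly; unless the sets are filled somewhere outside this hunk, outgoing NOTIFY traffic no longer matches an accept rule, and a comment pointing to where they are populated would make that visible. The `config` block starts and continues outside the hunk.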