Add given password for hosts/mermet/knot/autogeree.net/lebureau.conf to store.
[sourcephile-nix.git] / hosts / mermet / knot.nix
index 04aada3da6a47cc9fe36ea6fe271f8e289d5188c..c0a08b2c0e1da31340e90c9775c3fd337dbfb3d9 100644 (file)
@@ -1,8 +1,9 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, info, ... }:
 let
   inherit (lib) types;
   inherit (config.services) knot;
   inherit (config.users) users groups;
+  settingsFormat = pkgs.formats.yaml { };
 in
 {
   imports = [
@@ -10,14 +11,20 @@ in
     knot/sourcephile.fr.nix
   ];
   options.services.knot = {
+    # WARNING: multiple settings do not merge yet
+    # https://github.com/NixOS/nixpkgs/pull/81460#pullrequestreview-1793815097
+    settingsFreeform = lib.mkOption {
+      type = types.submodule {
+        freeformType = settingsFormat.type;
+      };
+      default = { };
+      description = "";
+    };
     zones = lib.mkOption {
       default = { };
       type = types.attrsOf (types.submodule ({ ... }: {
         #config.domain = lib.mkDefault name;
         options = {
-          conf = lib.mkOption {
-            type = types.lines;
-          };
           data = lib.mkOption {
             type = types.nullOr types.lines;
           };
@@ -70,86 +77,71 @@ in
       enable = true;
       extraArgs = [ "-v" ];
       # https://www.knot-dns.cz/docs/2.6/html/reference.html
-      extraConfig = ''
-        server :
+      settingsFreeform = {
+        server.listen = [
           # Listen on localhost to allow only there
           # dynamic updates for ACME challenges.
-          listen: 127.0.0.1@5353
-
-        mod-rrl:
-          - id: default
-            rate-limit: 200
-            slip: 2
-
-        template:
-          - id: default
-            dnssec-signing: off
-            # move databases below the state directory, because they need to be writable
-            storage: /var/lib/knot/zones
-            # Input-only zone files
-            # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
-            # prevents modification of the zonefiles, since the zonefiles are immutable
-            #zonefile-sync: -1
-            zonefile-load: difference
-            journal-content: changes
-            global-module: mod-rrl/default
-
-        database:
-            journal-db: /var/lib/knot/journal
-            kasp-db: /var/lib/knot/kasp
-            timer-db: /var/lib/knot/timer
-
-        log:
-          - target: syslog
-            any: info
-
-        remote:
-          - id: local_resolver
-            address: 127.0.0.1@53
-
-          - id: secondary_gandi
-            address: 217.70.177.40@53
-
-          - id: secondary_muarf
-            address: 78.192.65.63@53
-
-        submission:
-          - id: dnssec_validating_resolver
-            parent: local_resolver
-
-        policy:
-          - id: rsa
-            single-type-signing: false
-            ksk-shared: false
-            algorithm: RSASHA256
-            ksk-size: 4096
-            zsk-size: 2048
-            zsk-lifetime: 30d
-            ksk-lifetime: 365d
-            ksk-submission: dnssec_validating_resolver
-
-          - id: ed25519
-            single-type-signing: false
-            ksk-shared: false
-            algorithm: ED25519
-            ksk-size: 256
-            zsk-size: 256
-            zsk-lifetime: 30d
-            ksk-lifetime: 365d
-            cds-cdnskey-publish: always
-            ksk-submission: dnssec_validating_resolver
-
-        acl:
-          # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
-          - id: acl_gandi
-            address: 217.70.177.40
-            action: transfer
-
-          - id: acl_muarf
-            address: 78.192.65.63
-            action: transfer
-
-      '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (_domain: { conf, ... }: conf) knot.zones);
+          "127.0.0.1@5353"
+        ];
+        template.default = {
+          dnssec-signing = false;
+          # move databases below the state directory, because they need to be writable
+          storage = "/var/lib/knot/zones";
+          # Input-only zone files
+          # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
+          # prevents modification of the zonefiles, since the zonefiles are immutable
+          #zonefile-sync: -1
+          zonefile-load = "difference";
+          journal-content = "changes";
+          global-module = "mod-rrl/default";
+        };
+        mod-rrl.default = {
+          rate-limit = 200;
+          slip = 2;
+        };
+        database = {
+          journal-db = "/var/lib/knot/journal";
+          kasp-db = "/var/lib/knot/kasp";
+          timer-db = "/var/lib/knot/timer";
+        };
+        log.syslog.any = "info";
+        remote.local_resolver.address = "127.0.0.1@53";
+        remote.secondary_gandi.address = "${info.gandi.dns.secondary.transfer.ipv4}@53";
+        remote.secondary_muarf.address = "78.192.65.63@53";
+        submission.dnssec_validating_resolver = {
+          parent = "local_resolver";
+        };
+        policy.rsa = {
+          single-type-signing = false;
+          ksk-shared = false;
+          algorithm = "RSASHA256";
+          ksk-size = 4096;
+          zsk-size = 2048;
+          zsk-lifetime = "30d";
+          ksk-lifetime = "365d";
+          ksk-submission = "dnssec_validating_resolver";
+        };
+        policy.ed25519 = {
+          single-type-signing = false;
+          ksk-shared = false;
+          algorithm = "ED25519";
+          ksk-size = 256;
+          zsk-size = 256;
+          zsk-lifetime = "30d";
+          ksk-lifetime = "365d";
+          cds-cdnskey-publish = "always";
+          ksk-submission = "dnssec_validating_resolver";
+        };
+        acl.acl_gandi = {
+          address = info.gandi.dns.secondary.transfer.ipv4;
+          action = "transfer";
+        };
+        acl.acl_muarf = {
+          address = "78.192.65.63";
+          action = "transfer";
+        };
+      };
+      settings = knot.settingsFreeform;
     };
   };
 }
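Review bot: The transfer ACLs `acl.acl_gandi` and `acl.acl_muarf` authorize zone transfers by source address alone; Knot's `acl` section also accepts a `key` entry, so binding each ACL to a TSIG key (`key = "<tsig-key-name>";` next to `address`) would stop a spoofed or on-path source from pulling the zones. The removed `extraConfig` had the same weakness, but this rewrite is the natural moment to close it. The per-zone concatenation carried by the removed line `'' + lib.concatStringsSep "\n" (lib.mapAttrsToList (_domain: { conf, ... }: conf) knot.zones)` has no counterpart on the new side and the attrset declares no `zone` section, so unless the zone files now write into `settingsFreeform.zone.<name>` themselves the generated config would serve no zones — not confirmable from this hunk. `78.192.65.63` is repeated in `remote.secondary_muarf.address` and `acl.acl_muarf.address` while the Gandi address is taken from `info`; sourcing the muarf address the same way would keep the two in step. The enclosing `services.knot` attrset opens before the hunk.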