nixfiles/config/services/dns-knot/default.nix

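{ lib, inputs, ... }: {
  # Authoritative DNS host.  Port 53 is opened on both transports: UDP for
  # ordinary queries, TCP for zone transfers and truncated/large answers.
  kyouma.deployment.tags = [ "dns" ];
  networking.firewall.allowedTCPPorts = [ 53 ];
  networking.firewall.allowedUDPPorts = [ 53 ];

  services.knot = {
    enable = true;
    settings = {
      # Bind every IPv4 and IPv6 address on the host.
      server.listen = [
        "0.0.0.0@53"
        "::@53"
      ];

      # Peers allowed to pull zones (AXFR/IXFR).  This ACL matches on source
      # address only — no TSIG key is attached — so any traffic originating
      # from one of these addresses can transfer every zone served here.
      # NOTE(review): knot's `acl` section also accepts a `key` reference;
      # pairing the addresses with a TSIG key would authenticate transfers —
      # confirm the secondaries are set up for it before adding one.
      acl.transfer = {
        action = "transfer";
        address = [
          "2a0f:be01:0:100::b00b"
          "45.150.123.11"
          "2603:c020:8001:9fff::b00b"
          "130.162.45.58"
          "2a03:4000:27:74::b00b"
          "185.244.193.190"
        ];
      };

      # DNSSEC policy used by every zone on the "signed" template.  Only the
      # ZSK lifetime is pinned here; the KSK lifetime is left at knot's default
      # (presumably no automatic KSK rollover — verify against the knot docs).
      policy.ecdsa = {
        algorithm = "ecdsap256sha256";
        nsec3 = true;
        signing-threads = 4;
        zsk-lifetime = "60d";
      };

      # Secondaries that receive NOTIFY; both addresses also appear in the
      # transfer ACL above, so they can follow up with a transfer.
      remote = {
        ns1.address = [ "2a03:4000:27:74::b00b" ];
        ns2.address = [ "2603:c020:8001:9fff::b00b" ];
      };

      # Two zone templates sharing the same ACL, NOTIFY targets and
      # incremental zonefile reload; "signed" additionally enables automatic
      # DNSSEC signing with the policy above and semantic checks on load.
      template = {
        unsigned = {
          acl = "transfer";
          notify = [ "ns1" "ns2" ];
          zonefile-load = "difference";
        };
        signed = {
          acl = "transfer";
          dnssec-signing = true;
          dnssec-policy = "ecdsa";
          notify = [ "ns1" "ns2" ];
          semantic-checks = true;
          zonefile-load = "difference";
        };
      };

      # One zone per `zones/<domain>.nix`, generated from the Nix description
      # and served on the "signed" template unless overridden below.
      zone = let
        dns = inputs.dns;
        ztemp = import ./template.nix { inherit dns; };

        # Only regular files ending in ".nix" are considered, so a stray file
        # in the directory (editor backup, README, …) cannot yield a domain
        # whose `import` below has no matching file.
        zoneFiles = lib.filterAttrs
          (name: type: type == "regular" && lib.hasSuffix ".nix" name)
          (builtins.readDir ./zones);
        zones = map (lib.removeSuffix ".nix") (builtins.attrNames zoneFiles);

        # Default per-zone entry: write the zone file from the description's
        # `zone` attribute and sign it.
        zoneCfg = domain: {
          file = dns.util.writeZone domain
            (import (./zones + "/${domain}.nix") { inherit dns ztemp; }).zone;
          template = "signed";
        };
      in
      lib.recursiveUpdate (lib.genAttrs zones zoneCfg) {
        # Served unsigned; recursiveUpdate keeps the generated `file`.
        # Assumes zones/frotti.ng.nix exists — otherwise this entry would be
        # a zone with a template but no file.  TODO confirm.
        "frotti.ng".template = "unsigned";
      };
    };
  };
}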