nixfiles-emily/config/services/dns-knot/default.nix

{ lib, inputs, ... }: {
  kyouma.deployment.tags = [ "dns" ];
  networking.firewall.allowedTCPPorts = [ 53 ];
  networking.firewall.allowedUDPPorts = [ 53 ];
  services.knot = {
    enable = true;
    settings = {
      server.listen = [
        "0.0.0.0@53"
        "::@53"
      ];
      acl.transfer = {
        action = "transfer";
        address = [
          "2a0f:be01:0:100::b00b"
          "45.150.123.11"
          "2603:c020:8001:9fff::b00b"
          "130.162.45.58"
          "2a03:4000:27:74::b00b"
          "185.244.193.190"
        ];
      };
      policy.ecdsa = {
        algorithm = "ecdsap256sha256";
        nsec3 = true;
        signing-threads = 4;
        zsk-lifetime = "60d";
      };
      remote = {
        ns1.address = [ "2a03:4000:27:74::b00b" ];
        ns2.address = [ "2603:c020:8001:9fff::b00b" ];
      };
      template = {
        unsigned = {
          acl = "transfer";
          notify = [ "ns1" "ns2" ];
          zonefile-load = "difference";
        };
        signed = {
          acl = "transfer";
          dnssec-signing = true;
          dnssec-policy = "ecdsa";
          notify = [ "ns1" "ns2" ];
          semantic-checks = true;
          zonefile-load = "difference";
        };
      };
      zone = let
        dns = inputs.dns;
        ztemp = import ./template.nix { inherit dns; };
        zones = map (fileName: lib.removeSuffix ".nix" fileName) (
          builtins.attrNames (lib.filterAttrs (name: type: type == "regular") (builtins.readDir ./zones)));
        zoneCfg = domain: {
          file = dns.util.writeZone "${domain}" (import zones/${domain}.nix { inherit dns ztemp; }).zone;
          template = "signed";
        };
      in lib.recursiveUpdate (lib.genAttrs zones (zoneCfg)) {
        "frotti.ng" = {
          template = "unsigned";
        };
      };
    };
  };
}
added unfished knot config 2024-05-16 21:57:00 +02:00			`{ lib, inputs, ... }: {`
			`kyouma.deployment.tags = [ "dns" ];`
			`networking.firewall.allowedTCPPorts = [ 53 ];`
			`networking.firewall.allowedUDPPorts = [ 53 ];`
			`services.knot = {`
			`enable = true;`
			`settings = {`
			`server.listen = [`
			`"0.0.0.0@53"`
			`"::@53"`
			`];`
			`acl.transfer = {`
			`action = "transfer";`
			`address = [`
			`"2a0f:be01:0:100::b00b"`
			`"45.150.123.11"`
			`"2603:c020:8001:9fff::b00b"`
			`"130.162.45.58"`
			`"2a03:4000:27:74::b00b"`
			`"185.244.193.190"`
			`];`
			`};`
			`policy.ecdsa = {`
			`algorithm = "ecdsap256sha256";`
			`nsec3 = true;`
			`signing-threads = 4;`
			`zsk-lifetime = "60d";`
			`};`
			`remote = {`
			`ns1.address = [ "2a03:4000:27:74::b00b" ];`
			`ns2.address = [ "2603:c020:8001:9fff::b00b" ];`
			`};`
			`template = {`
			`unsigned = {`
			`acl = "transfer";`
			`notify = [ "ns1" "ns2" ];`
			`zonefile-load = "difference";`
			`};`
			`signed = {`
			`acl = "transfer";`
			`dnssec-signing = true;`
			`dnssec-policy = "ecdsa";`
			`notify = [ "ns1" "ns2" ];`
			`semantic-checks = true;`
			`zonefile-load = "difference";`
			`};`
			`};`
			`zone = let`
			`dns = inputs.dns;`
			`ztemp = import ./template.nix { inherit dns; };`
			`zones = map (fileName: lib.removeSuffix ".nix" fileName) (`
			`builtins.attrNames (lib.filterAttrs (name: type: type == "regular") (builtins.readDir ./zones)));`
			`zoneCfg = domain: {`
			`file = dns.util.writeZone "${domain}" (import zones/${domain}.nix { inherit dns ztemp; }).zone;`
			`template = "signed";`
			`};`
			`in lib.recursiveUpdate (lib.genAttrs zones (zoneCfg)) {`
			`"frotti.ng" = {`
			`template = "unsigned";`
			`};`
			`};`
			`};`
			`};`
			`}`