added unfished knot config

config/services/dns-knot/default.nix

@@ -0,0 +1,64 @@
+{ lib, inputs, ... }: {
+  kyouma.deployment.tags = [ "dns" ];
+  networking.firewall.allowedTCPPorts = [ 53 ];
+  networking.firewall.allowedUDPPorts = [ 53 ];
+  services.knot = {
+    enable = true;
+    settings = {
+      server.listen = [
+        "0.0.0.0@53"
+        "::@53"
+      ];
+      acl.transfer = {
+        action = "transfer";
+        address = [
+          "2a0f:be01:0:100::b00b"
+          "45.150.123.11"
+          "2603:c020:8001:9fff::b00b"
+          "130.162.45.58"
+          "2a03:4000:27:74::b00b"
+          "185.244.193.190"
+        ];
+      };
+      policy.ecdsa = {
+        algorithm = "ecdsap256sha256";
+        nsec3 = true;
+        signing-threads = 4;
+        zsk-lifetime = "60d";
+      };
+      remote = {
+        ns1.address = [ "2a03:4000:27:74::b00b" ];
+        ns2.address = [ "2603:c020:8001:9fff::b00b" ];
+      };
+      template = {
+        unsigned = {
+          acl = "transfer";
+          notify = [ "ns1" "ns2" ];
+          zonefile-load = "difference";
+        };
+        signed = {
+          acl = "transfer";
+          dnssec-signing = true;
+          dnssec-policy = "ecdsa";
+          notify = [ "ns1" "ns2" ];
+          semantic-checks = true;
+          zonefile-load = "difference";
+        };
+      };
+      zone = let
+        dns = inputs.dns;
+        ztemp = import ./template.nix { inherit dns; };
+        zones = map (fileName: lib.removeSuffix ".nix" fileName) (
+          builtins.attrNames (lib.filterAttrs (name: type: type == "regular") (builtins.readDir ./zones)));
+        zoneCfg = domain: {
+          file = dns.util.writeZone "${domain}" (import zones/${domain}.nix { inherit dns ztemp; }).zone;
+          template = "signed";
+        };
+      in lib.recursiveUpdate (lib.genAttrs zones (zoneCfg)) {
+        "frotti.ng" = {
+          template = "unsigned";
+        };
+      };
+    };
+  };
+}