diff --git a/config/services/dns-knot/default.nix b/config/services/dns-knot/default.nix
new file mode 100644
index 0000000..ca9f684
--- /dev/null
+++ b/config/services/dns-knot/default.nix
@@ -0,0 +1,64 @@
+{ lib, inputs, ... }: {
+ kyouma.deployment.tags = [ "dns" ];
+ networking.firewall.allowedTCPPorts = [ 53 ];
+ networking.firewall.allowedUDPPorts = [ 53 ];
+ services.knot = {
+ enable = true;
+ settings = {
+ server.listen = [
+ "0.0.0.0@53"
+ "::@53"
+ ];
+ acl.transfer = {
+ action = "transfer";
+ address = [
+ "2a0f:be01:0:100::b00b"
+ "45.150.123.11"
+ "2603:c020:8001:9fff::b00b"
+ "130.162.45.58"
+ "2a03:4000:27:74::b00b"
+ "185.244.193.190"
+ ];
+ };
+ policy.ecdsa = {
+ algorithm = "ecdsap256sha256";
+ nsec3 = true;
+ signing-threads = 4;
+ zsk-lifetime = "60d";
+ };
+ remote = {
+ ns1.address = [ "2a03:4000:27:74::b00b" ];
+ ns2.address = [ "2603:c020:8001:9fff::b00b" ];
+ };
+ template = {
+ unsigned = {
+ acl = "transfer";
+ notify = [ "ns1" "ns2" ];
+ zonefile-load = "difference";
+ };
+ signed = {
+ acl = "transfer";
+ dnssec-signing = true;
+ dnssec-policy = "ecdsa";
+ notify = [ "ns1" "ns2" ];
+ semantic-checks = true;
+ zonefile-load = "difference";
+ };
+ };
+ zone = let
+ dns = inputs.dns;
+ ztemp = import ./template.nix { inherit dns; };
+ zones = map (fileName: lib.removeSuffix ".nix" fileName) (
+ builtins.attrNames (lib.filterAttrs (name: type: type == "regular") (builtins.readDir ./zones)));
+ zoneCfg = domain: {
+ file = dns.util.writeZone "${domain}" (import zones/${domain}.nix { inherit dns ztemp; }).zone;
+ template = "signed";
+ };
+ in lib.recursiveUpdate (lib.genAttrs zones (zoneCfg)) {
+ "frotti.ng" = {
+ template = "unsigned";
+ };
+ };
+ };
+ };
+}
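Review bot: The `acl.transfer` block authorizes zone transfers by source `address` alone and carries no `key`, so the full contents of every zone (signed and unsigned, since both templates use `acl = "transfer"`) are gated only by an IP match; a TSIG key should be required alongside the address list, e.g. `key = [ "<xfer-key-name>" ];` inside `acl.transfer`, with the key material supplied outside the Nix store via `services.knot.keyFiles` rather than inline in `settings`. The same key can be referenced from `remote.ns1` and `remote.ns2` so the NOTIFY messages sent to the secondaries are authenticated as well. Separately, the `zones` list keeps every regular file under `./zones`, not only `*.nix` ones, so a stray file there makes the later `import zones/${domain}.nix` fail at evaluation; narrowing the `lib.filterAttrs` predicate to `(name: type: type == "regular" && lib.hasSuffix ".nix" name)` keeps the list consistent with what `zoneCfg` expects. A short comment above `zone = let` explaining that every `zones/*.nix` file becomes a signed zone unless overridden in the `lib.recursiveUpdate` attrset (as `"frotti.ng"` is) would also help the next reader.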