authoritative-dns: Migrate to settings

23.11
Simon Bruder 2023-12-02 17:06:33 +01:00
parent ba843ac8c0
commit e126adc38d
Signed by: simon
GPG Key ID: 8D3C82F9F309F8EC
1 changed files with 86 additions and 73 deletions


@ -33,87 +33,100 @@ in
# so the module disables configuration checks.
"/var/lib/knot/static.conf"
];
# TODO migrate to settings
settingsFile = pkgs.writeText "knot.conf" (''
include: /var/lib/knot/static.conf
settings = lib.mkMerge [
{
server = {
listen = map (address: "${address}@53") addresses.${config.networking.hostName};
automatic-acl = true;
};
server:
${lib.concatStringsSep "\n" (map (address: " listen: ${address}@53") addresses.${config.networking.hostName})}
automatic-acl: on
log = lib.singleton {
target = "syslog";
server = "info";
control = "warning"; # otherwise stats gets logged every scrape
zone = "info";
};
log:
- target: syslog
server: info
control: warning # otherwise stats gets logged every scrape
zone: info
mod-stats = lib.singleton {
id = "custom";
edns-presence = true;
flag-presence = true;
query-size = true;
query-type = true;
reply-size = true;
};
mod-stats:
- id: custom
edns-presence: on
flag-presence: on
query-size: on
query-type: on
reply-size: on
remote:
${lib.concatStrings (lib.mapAttrsToList (host: hostAddresses: ''
- id: ${host}
address: [${lib.concatStringsSep ", " hostAddresses}]
'') addresses)}
'' + (lib.optionalString isPrimaryHost ''
# HACK: this string just continues the previous section
- id: inwx
remote = (lib.mapAttrsToList
(host: hostAddresses: {
id = host;
address = hostAddresses;
})
addresses) ++ lib.optional isPrimaryHost {
id = "inwx";
# INWX only allows the specification of one primary DNS,
# which limits the IP protocol usable for zone transfers to one.
address: [185.181.104.96]
address = lib.singleton "185.181.104.96";
};
}
(lib.mkIf isPrimaryHost {
policy = lib.singleton {
id = "default";
nsec3 = true;
};
policy:
- id: default
nsec3: on
template = [
{
id = "default";
storage = "/var/lib/knot/zones/";
semantic-checks = true;
# auto increment serial
zonefile-sync = -1;
zonefile-load = "difference-no-serial";
journal-content = "all";
# secondary
notify = [ "inwx" ] ++ secondaryHosts;
# dnssec
dnssec-signing = true;
dnssec-policy = "default";
# stats
module = "mod-stats/custom";
}
{
id = "nix-generated";
storage = "/var/lib/knot/nix-zones/";
semantic-checks = true;
# auto increment serial
zonefile-sync = -1;
zonefile-load = "difference-no-serial";
journal-content = "all";
# stats
module = "mod-stats/custom";
}
];
template:
- id: default
storage: /var/lib/knot/zones/
semantic-checks: on
# auto increment serial
zonefile-sync: -1
zonefile-load: difference-no-serial
journal-content: all
# secondary
notify: [inwx, ${lib.concatStringsSep ", " secondaryHosts}]
# dnssec
dnssec-signing: on
dnssec-policy: default
zone = map
(domain: {
inherit domain;
template = "nix-generated";
})
(lib.attrNames cfg.generated-zones);
})
(lib.mkIf isSecondaryHost {
acl = lib.singleton {
id = "primary_notify";
address = lib.flatten addresses.${primaryHost};
action = "notify";
};
template = lib.singleton {
id = "default";
master = [ primaryHost ];
acl = [ "primary_notify" ];
# stats
module: mod-stats/custom
- id: nix-generated
storage: /var/lib/knot/nix-zones/
semantic-checks: on
# auto increment serial
zonefile-sync: -1
zonefile-load: difference-no-serial
journal-content: all
# stats
module: mod-stats/custom
zone:
${lib.concatMapStrings (domain: ''
- domain: ${domain}
template: nix-generated
'') (lib.attrNames cfg.generated-zones)}
'') + (lib.optionalString isSecondaryHost ''
acl:
- id: primary_notify
address: [${lib.concatStringsSep ", " (lib.flatten addresses.${primaryHost})}]
action: notify
template:
- id: default
master: [${primaryHost}]
acl: [primary_notify]
# stats
module: mod-stats/custom
''));
module = "mod-stats/custom";
};
})
];
};
users.users.knot = {
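Review bot: The explicit `include: /var/lib/knot/static.conf` line from the old settingsFile has no counterpart in the new `settings` attrset, so the keys and zones defined in that file only reach knot.conf if the NixOS module itself emits an `include:` for each `keyFiles` entry (the list the context line `"/var/lib/knot/static.conf"` appears to belong to); this is worth confirming against the module version in use, since a miss would drop those definitions silently. Separately, none of the `remote` entries (the per-host ones built from `addresses` or `inwx`) carry a `key`, so with `automatic-acl = true` NOTIFY and zone-transfer authorisation appears to rest on source address alone; if TSIG keys live in static.conf, adding `key = "<keyname>";` to the remotes that support it would tie the generated ACLs to a secret rather than an IP. The enclosing `services.knot` attribute set begins before this hunk.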