From e126adc38d014943664d6cace3b0dda3d5a7c2c3 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Sat, 2 Dec 2023 17:06:33 +0100
Subject: [PATCH] authoritative-dns: Migrate to settings

---
 modules/authoritative-dns.nix | 159 ++++++++++++++++++----------------
 1 file changed, 86 insertions(+), 73 deletions(-)

diff --git a/modules/authoritative-dns.nix b/modules/authoritative-dns.nix
index 50ac06f..5630cbf 100644
--- a/modules/authoritative-dns.nix
+++ b/modules/authoritative-dns.nix
@@ -33,87 +33,100 @@ in # so the module disables configuration checks. "/var/lib/knot/static.conf" ]; - # TODO migrate to settings - settingsFile = pkgs.writeText "knot.conf" ('' - include: /var/lib/knot/static.conf + settings = lib.mkMerge [ + { + server = { + listen = map (address: "${address}@53") addresses.${config.networking.hostName}; + automatic-acl = true; + }; - server: - ${lib.concatStringsSep "\n" (map (address: " listen: ${address}@53") addresses.${config.networking.hostName})} - automatic-acl: on + log = lib.singleton { + target = "syslog"; + server = "info"; + control = "warning"; # otherwise stats gets logged every scrape + zone = "info"; + }; - log: - - target: syslog - server: info - control: warning # otherwise stats gets logged every scrape - zone: info + mod-stats = lib.singleton { + id = "custom"; + edns-presence = true; + flag-presence = true; + query-size = true; + query-type = true; + reply-size = true; + }; - mod-stats: - - id: custom - edns-presence: on - flag-presence: on - query-size: on - query-type: on - reply-size: on - - remote: - ${lib.concatStrings (lib.mapAttrsToList (host: hostAddresses: '' - - id: ${host} - address: [${lib.concatStringsSep ", " hostAddresses}] - '') addresses)} - '' + (lib.optionalString isPrimaryHost '' - # HACK: this string just continues the previous section - - id: inwx + remote = (lib.mapAttrsToList + (host: hostAddresses: { + id = host; + address = hostAddresses; + }) + addresses) ++ lib.optional isPrimaryHost { + id = "inwx"; # INWX only allows the specification of one primary DNS, # which limits the IP protocol usable for zone transfers to one. 
- address: [185.181.104.96] + address = lib.singleton "185.181.104.96"; + }; + } + (lib.mkIf isPrimaryHost { + policy = lib.singleton { + id = "default"; + nsec3 = true; + }; - policy: - - id: default - nsec3: on + template = [ + { + id = "default"; + storage = "/var/lib/knot/zones/"; + semantic-checks = true; + # auto increment serial + zonefile-sync = -1; + zonefile-load = "difference-no-serial"; + journal-content = "all"; + # secondary + notify = [ "inwx" ] ++ secondaryHosts; + # dnssec + dnssec-signing = true; + dnssec-policy = "default"; + # stats + module = "mod-stats/custom"; + } + { + id = "nix-generated"; + storage = "/var/lib/knot/nix-zones/"; + semantic-checks = true; + # auto increment serial + zonefile-sync = -1; + zonefile-load = "difference-no-serial"; + journal-content = "all"; + # stats + module = "mod-stats/custom"; + } + ]; - template: - - id: default - storage: /var/lib/knot/zones/ - semantic-checks: on - # auto increment serial - zonefile-sync: -1 - zonefile-load: difference-no-serial - journal-content: all - # secondary - notify: [inwx, ${lib.concatStringsSep ", " secondaryHosts}] - # dnssec - dnssec-signing: on - dnssec-policy: default + zone = map + (domain: { + inherit domain; + template = "nix-generated"; + }) + (lib.attrNames cfg.generated-zones); + }) + (lib.mkIf isSecondaryHost { + acl = lib.singleton { + id = "primary_notify"; + address = lib.flatten addresses.${primaryHost}; + action = "notify"; + }; + + template = lib.singleton { + id = "default"; + master = [ primaryHost ]; + acl = [ "primary_notify" ]; # stats - module: mod-stats/custom - - id: nix-generated - storage: /var/lib/knot/nix-zones/ - semantic-checks: on - # auto increment serial - zonefile-sync: -1 - zonefile-load: difference-no-serial - journal-content: all - # stats - module: mod-stats/custom - - zone: - ${lib.concatMapStrings (domain: '' - - domain: ${domain} - template: nix-generated - '') (lib.attrNames cfg.generated-zones)} - '') + (lib.optionalString 
isSecondaryHost '' - acl: - - id: primary_notify - address: [${lib.concatStringsSep ", " (lib.flatten addresses.${primaryHost})}] - action: notify - - template: - - id: default - master: [${primaryHost}] - acl: [primary_notify] - # stats - module: mod-stats/custom - '')); + module = "mod-stats/custom"; + }; + }) + ]; }; users.users.knot = {
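Review bot: The secondary-side `acl` written under `lib.mkIf isSecondaryHost` (`id = "primary_notify"; address = lib.flatten addresses.${primaryHost}; action = "notify";`) authorizes NOTIFY by source address alone, and the primary side relies on `automatic-acl = true` to derive its transfer ACLs from the `remote` entries, none of which carries a `key`, so a peer is accepted on the strength of its IP address only. If `/var/lib/knot/static.conf` (the file in the list the hunk opens with) defines TSIG keys for these hosts, adding `key = "<key-id-from-static.conf>";` to the matching `remote` entries and to `primary_notify` makes Knot verify the peer cryptographically, and the automatically generated ACLs take the key from the remote. As far as I recall, `automatic-acl` also creates a NOTIFY rule for every remote named in `master`, which would make `primary_notify` redundant; that is worth a one-line comment either way, e.g. `# explicit NOTIFY ACL kept alongside automatic-acl; verify it is still needed`. The attribute set this `settings` block lives in opens before the hunk, so the option path is not visible here.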