authoritative-dns: Migrate to settings

2023-12-02 17:06:33 +01:00 · 2023-12-02 17:06:33 +01:00 · e126adc38d
parent ba843ac8c0
commit e126adc38d
1 changed files with 86 additions and 73 deletions
--- a/modules/authoritative-dns.nix
+++ b/modules/authoritative-dns.nix
@ -33,87 +33,100 @@ in
        # so the module disables configuration checks.
        "/var/lib/knot/static.conf"
      ];
-      # TODO migrate to settings
+      settings = lib.mkMerge [
-      settingsFile = pkgs.writeText "knot.conf" (''
+        {
-        include: /var/lib/knot/static.conf
+          server = {
            listen = map (address: "${address}@53") addresses.${config.networking.hostName};
            automatic-acl = true;
          };
-        server:
+          log = lib.singleton {
-        ${lib.concatStringsSep "\n" (map (address: "    listen: ${address}@53") addresses.${config.networking.hostName})}
+            target = "syslog";
-            automatic-acl: on
+            server = "info";
            control = "warning"; # otherwise stats gets logged every scrape
            zone = "info";
          };
-        log:
+          mod-stats = lib.singleton {
-          - target: syslog
+            id = "custom";
-            server: info
+            edns-presence = true;
-            control: warning # otherwise stats gets logged every scrape
+            flag-presence = true;
-            zone: info
+            query-size = true;
            query-type = true;
            reply-size = true;
          };
-        mod-stats:
+          remote = (lib.mapAttrsToList
-          - id: custom
+            (host: hostAddresses: {
-            edns-presence: on
+              id = host;
-            flag-presence: on
+              address = hostAddresses;
-            query-size: on
+            })
-            query-type: on
+            addresses) ++ lib.optional isPrimaryHost {
-            reply-size: on
+            id = "inwx";
        remote:
        ${lib.concatStrings (lib.mapAttrsToList (host: hostAddresses: ''
          - id: ${host}
            address: [${lib.concatStringsSep ", " hostAddresses}]
        '') addresses)}
      '' + (lib.optionalString isPrimaryHost ''
        # HACK: this string just continues the previous section
          - id: inwx
            # INWX only allows the specification of one primary DNS,
            # which limits the IP protocol usable for zone transfers to one.
-            address: [185.181.104.96]
+            address = lib.singleton "185.181.104.96";
          };
        }
        (lib.mkIf isPrimaryHost {
          policy = lib.singleton {
            id = "default";
            nsec3 = true;
          };
-        policy:
+          template = [
-          - id: default
+            {
-            nsec3: on
+              id = "default";
              storage = "/var/lib/knot/zones/";
              semantic-checks = true;
              # auto increment serial
              zonefile-sync = -1;
              zonefile-load = "difference-no-serial";
              journal-content = "all";
              # secondary
              notify = [ "inwx" ] ++ secondaryHosts;
              # dnssec
              dnssec-signing = true;
              dnssec-policy = "default";
              # stats
              module = "mod-stats/custom";
            }
            {
              id = "nix-generated";
              storage = "/var/lib/knot/nix-zones/";
              semantic-checks = true;
              # auto increment serial
              zonefile-sync = -1;
              zonefile-load = "difference-no-serial";
              journal-content = "all";
              # stats
              module = "mod-stats/custom";
            }
          ];
-        template:
+          zone = map
-          - id: default
+            (domain: {
-            storage: /var/lib/knot/zones/
+              inherit domain;
-            semantic-checks: on
+              template = "nix-generated";
-            # auto increment serial
+            })
-            zonefile-sync: -1
+            (lib.attrNames cfg.generated-zones);
-            zonefile-load: difference-no-serial
+        })
-            journal-content: all
+        (lib.mkIf isSecondaryHost {
-            # secondary
+          acl = lib.singleton {
-            notify: [inwx, ${lib.concatStringsSep ", " secondaryHosts}]
+            id = "primary_notify";
-            # dnssec
+            address = lib.flatten addresses.${primaryHost};
-            dnssec-signing: on
+            action = "notify";
-            dnssec-policy: default
+          };
          template = lib.singleton {
            id = "default";
            master = [ primaryHost ];
            acl = [ "primary_notify" ];
            # stats
-            module: mod-stats/custom
+            module = "mod-stats/custom";
-          - id: nix-generated
+          };
-            storage: /var/lib/knot/nix-zones/
+        })
-            semantic-checks: on
+      ];
            # auto increment serial
            zonefile-sync: -1
            zonefile-load: difference-no-serial
            journal-content: all
            # stats
            module: mod-stats/custom
        zone:
        ${lib.concatMapStrings (domain: ''
          - domain: ${domain}
            template: nix-generated
        '') (lib.attrNames cfg.generated-zones)}
      '') + (lib.optionalString isSecondaryHost ''
        acl:
          - id: primary_notify
            address: [${lib.concatStringsSep ", " (lib.flatten addresses.${primaryHost})}]
            action: notify
        template:
          - id: default
            master: [${primaryHost}]
            acl: [primary_notify]
            # stats
            module: mod-stats/custom
      ''));
    };
    users.users.knot = {