200 lines
6.2 KiB
Nix
200 lines
6.2 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
cfg = config.sbruder.knot;
|
|
|
|
primaryHost = "vueko";
|
|
secondaryHosts = [ "okarin" ];
|
|
|
|
isPrimaryHost = config.networking.hostName == primaryHost;
|
|
isSecondaryHost = lib.elem config.networking.hostName secondaryHosts;
|
|
|
|
addresses = {
|
|
vueko = [ "168.119.176.53" "2a01:4f8:c012:2f4::1" ];
|
|
okarin = [ "82.165.242.252" "2001:8d8:1800:8627::1" ];
|
|
};
|
|
in
|
|
{
|
|
options = {
|
|
sbruder.knot.generated-zones = lib.mkOption {
|
|
type = lib.types.attrsOf lib.types.path;
|
|
default = { };
|
|
description = "List of zones generated by a nix expression";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf (isPrimaryHost || isSecondaryHost) {
|
|
services.knot = {
|
|
enable = true;
|
|
keyFiles = [
|
|
# Managed in separate repository.
|
|
# It includes all statically managed zones.
|
|
# Even though it is not a key,
|
|
# it needs to be included here
|
|
# so the module disables configuration checks.
|
|
"/var/lib/knot/static.conf"
|
|
];
|
|
extraConfig = ''
|
|
server:
|
|
${lib.concatStringsSep "\n" (map (address: " listen: ${address}@53") addresses.${config.networking.hostName})}
|
|
automatic-acl: on
|
|
|
|
log:
|
|
- target: syslog
|
|
server: info
|
|
control: warning # otherwise stats gets logged every scrape
|
|
zone: info
|
|
|
|
mod-stats:
|
|
- id: custom
|
|
edns-presence: on
|
|
flag-presence: on
|
|
query-size: on
|
|
query-type: on
|
|
reply-size: on
|
|
|
|
remote:
|
|
${lib.concatStrings (lib.mapAttrsToList (host: hostAddresses: ''
|
|
- id: ${host}
|
|
address: [${lib.concatStringsSep ", " hostAddresses}]
|
|
'') addresses)}
|
|
'' + (lib.optionalString isPrimaryHost ''
|
|
# HACK: this string just continues the previous section
|
|
- id: inwx
|
|
# INWX only allows the specification of one primary DNS,
|
|
# which limits the IP protocol usable for zone transfers to one.
|
|
address: [185.181.104.96]
|
|
|
|
policy:
|
|
- id: default
|
|
nsec3: on
|
|
|
|
template:
|
|
- id: default
|
|
storage: /var/lib/knot/zones/
|
|
semantic-checks: on
|
|
# auto increment serial
|
|
zonefile-sync: -1
|
|
zonefile-load: difference-no-serial
|
|
journal-content: all
|
|
# secondary
|
|
notify: [inwx, ${lib.concatStringsSep ", " secondaryHosts}]
|
|
# dnssec
|
|
dnssec-signing: on
|
|
dnssec-policy: default
|
|
# stats
|
|
module: mod-stats/custom
|
|
- id: nix-generated
|
|
storage: /var/lib/knot/nix-zones/
|
|
semantic-checks: on
|
|
# auto increment serial
|
|
zonefile-sync: -1
|
|
zonefile-load: difference-no-serial
|
|
journal-content: all
|
|
# stats
|
|
module: mod-stats/custom
|
|
|
|
zone:
|
|
${lib.concatMapStrings (domain: ''
|
|
- domain: ${domain}
|
|
template: nix-generated
|
|
'') (lib.attrNames cfg.generated-zones)}
|
|
'') + (lib.optionalString isSecondaryHost ''
|
|
acl:
|
|
- id: primary_notify
|
|
address: [${lib.concatStringsSep ", " (lib.flatten addresses.${primaryHost})}]
|
|
action: notify
|
|
|
|
template:
|
|
- id: default
|
|
master: [${primaryHost}]
|
|
acl: [primary_notify]
|
|
# stats
|
|
module: mod-stats/custom
|
|
'');
|
|
};
|
|
|
|
users.users.knot = {
|
|
openssh.authorizedKeys.keys = config.sbruder.pubkeys.trustedKeys;
|
|
shell = pkgs.bashInteractive;
|
|
};
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"f /var/lib/knot/static.conf 0644 knot knot - -"
|
|
] ++ (lib.optionals isPrimaryHost [
|
|
"d /var/lib/knot/nix-zones 0755 knot knot - -"
|
|
]);
|
|
|
|
systemd.services.knot-generated-zones = lib.mkIf isPrimaryHost {
|
|
wantedBy = [ "knot.service" ];
|
|
after = [ "knot.service" ];
|
|
path = with pkgs; [ knot-dns ];
|
|
script = ''
|
|
set -euo pipefail
|
|
${lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: zonefile: ''
|
|
kzonecheck -o ${lib.escapeShellArg domain} ${lib.escapeShellArg zonefile}
|
|
target=/var/lib/knot/nix-zones/${lib.escapeShellArg domain}.zone
|
|
if [ -h "$target" ]; then
|
|
pre_target="$(readlink "$target")"
|
|
else
|
|
pre_target="/invalid/path"
|
|
fi
|
|
ln -sf ${lib.escapeShellArg zonefile} "$target"
|
|
if [ "$pre_target" != ${lib.escapeShellArg domain} ]; then
|
|
echo -n "Zone for ${lib.escapeShellArg domain} changed, reloading… "
|
|
knotc zone-reload ${lib.escapeShellArg domain}
|
|
fi
|
|
'') cfg.generated-zones)}
|
|
'';
|
|
restartTriggers = lib.attrValues cfg.generated-zones;
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
User = "knot";
|
|
|
|
BindReadOnlyPaths = [ "/run/knot/knot.sock" ];
|
|
CapabilityBoundingSet = ""; # clear
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
NoNewPrivileges = true;
|
|
PrivateDevices = true;
|
|
PrivateNetwork = true;
|
|
PrivateTmp = true;
|
|
PrivateUsers = true;
|
|
ProtectClock = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHome = true;
|
|
ProtectHostname = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectProc = "invisible";
|
|
ProtectSystem = true;
|
|
RemoveIPC = true;
|
|
RestrictAddressFamilies = [ "AF_UNIX" ]; # knot socket
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
|
|
};
|
|
};
|
|
|
|
networking.firewall = {
|
|
allowedTCPPorts = [ 53 ];
|
|
allowedUDPPorts = [ 53 ];
|
|
};
|
|
|
|
services.prometheus.exporters.knot = {
|
|
enable = true;
|
|
listenAddress = config.sbruder.wireguard.home.address;
|
|
};
|
|
|
|
assertions = [
|
|
{
|
|
assertion = isPrimaryHost -> (lib.hasAttr "vpn.sbruder.de" cfg.generated-zones);
|
|
message = "The authoritative DNS module requires the server the wg-home wireguard server to run on the same host.";
|
|
}
|
|
];
|
|
};
|
|
}
|