knot: nearly working state

2026-02-09 12:29:19 -08:00 · 2021-08-30 20:54:29 +01:00 · 2021-08-30 20:54:29 +01:00 · bf369e6496
commit bf369e6496
parent 5b6bb10a42
6 changed files with 42 additions and 11 deletions
--- a/config/profiles/base/network.nix
+++ b/config/profiles/base/network.nix
@ -6,7 +6,7 @@
    nftables.enable = true;
    dns = {
      enable = true;
-      email = "kat@kittywit.ch";
+      email = "acme@kittywit.ch";
      tld = "kittywit.ch.";
    };
  };
--- a/config/services/knot/default.nix
+++ b/config/services/knot/default.nix
@ -1,4 +1,4 @@
-{ config, tf, pkgs, ... }:
+{ config, lib, tf, pkgs, ... }:

 {
  kw.secrets = [ "knot-dnsupdate" ];
@ -14,9 +14,9 @@
    group = "knot";
  };

-  /*  environment.etc."katdns/zones/kittywit.ch.zone".text = let
+/*  environment.etc."katdns/zones/kittywit.ch.zone".text = let
    dns = pkgs.dns;
-    in dns.lib.toString "kittywit.ch." (import ./kittywit.ch.nix {inherit dns; }); */
+    in dns.lib.toString "kittywit.ch" (import ./kittywit.ch.nix { inherit dns lib; }); */

  services.knot = {
    enable = true;
--- a/config/services/knot/kittywit.ch.nix
+++ b/config/services/knot/kittywit.ch.nix
@ -1,4 +1,4 @@
-{ dns }:
+{ dns, lib }:

 with dns.lib.combinators;

@ -6,11 +6,15 @@ with dns.lib.combinators;
  SOA = {
    nameServer = "ns1";
    adminEmail = "kat@kittywit.ch";
-    serial = 0;
+    serial = 2021083001;
+    ttl = 3600;
  };

+  CAA = map (x: x // { ttl = 3600; }) (letsEncrypt "acme@kittywit.ch");
+
  NS = [
    "ns1.kittywit.ch."
-    "ns2.kittywit.ch."
+    "rdns1.benjojo.co.uk."
+    "rdns2.benjojo.co.uk."
  ];
 }
--- a/config/services/knot/knot.yaml
+++ b/config/services/knot/knot.yaml
@ -2,20 +2,29 @@ server:
    listen: 0.0.0.0@53
    listen: ::@53

+remote:
+  - id: benjojo
+    address: 185.230.223.84
+    address: 2a0c:2f07:4896:666:216:3eff:fedb:c742
+
 acl:
  - id: update_acl
    key: dnsupdate
    address: 0.0.0.0/0
    address: ::/0
    action: update
+  - id: benjojo_acl
+    remote: benjojo
+    action: transfer

 zone:
  - domain: kittywit.ch
    semantic-checks: on
-    storage: /etc/katdns/zones/
+    storage: /var/lib/knot/zones/
    file: kittywit.ch.zone
    dnssec-signing: on
-    acl: update_acl
+    notify: benjojo
+    acl: [ benjojo_acl, update_acl ]

 log:
  - target: syslog
--- a/config/targets/common/default.nix
+++ b/config/targets/common/default.nix
@ -12,7 +12,25 @@
    externalSecret = true;
  };

-  dns.zones."kittywit.ch." = { provider = "dns"; };
+  variables.katdns-name = {
+    externalSecret = true;
+  };
+
+  variables.katdns-key = {
+    externalSecret = true;
+  };
+
+  providers.katdns = {
+    type = "dns";
+    inputs.update = {
+      server = "ns1.kittywit.ch";
+      key_name = "kittywit.ch.";
+      key_secret = config.variables.katdns-key.ref;
+      key_algorithm = "hmac-sha512";
+    };
+  };
+
+  dns.zones."kittywit.ch." = { provider = "dns.katdns"; };

  providers.dns = {
    inputs.update = {
--- a/overlays/dns/default.nix
+++ b/overlays/dns/default.nix
@ -1,3 +1,3 @@
 { sources, ... }: final: prev: {
-  dns = import (sources.kirelagin + "/dns") { pkgs = final; };
+  dns = import sources.nix-dns;
 }