knot@surtr: firewall & inwx

author: Gregor Kleen <gkleen@yggdrasil.li> 2021-05-29 16:56:36 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2021-05-29 16:56:36 +0200
commit: 88adc84f5386e2177731b0ee4ece3abecb9dec94 (patch)
tree: 1a9c91f087ee225c7d1cb47d09316d1ebf82f898 /hosts/surtr
parent: 4fa21b0705316e96c53a51b58a51646f274db773 (diff)
download: nixos-88adc84f5386e2177731b0ee4ece3abecb9dec94.tar
nixos-88adc84f5386e2177731b0ee4ece3abecb9dec94.tar.gz
nixos-88adc84f5386e2177731b0ee4ece3abecb9dec94.tar.bz2
nixos-88adc84f5386e2177731b0ee4ece3abecb9dec94.tar.xz
nixos-88adc84f5386e2177731b0ee4ece3abecb9dec94.zip
1 files changed, 20 insertions, 0 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 790e6850..3fe76dbf 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -5,6 +5,15 @@
      { device = "surtr/safe/var-lib-knot";
        fsType = "zfs";
      };
+    firewall = {
+      allowedTCPPorts = [
+        53 # DNS
+      ];
+      allowedUDPPorts = [
+        53 # DNS
+      ];
+    };
    
    services.knot = {
      enable = true;
@@ -22,6 +31,8 @@
           zonefile-load: difference-no-serial
           semantic-checks: on
           dnssec-signing: on
+           notify: inwx
+           acl: [inwx_acl]
        policy:
          - id: rsa
@@ -30,6 +41,15 @@
            zsk-size: 2048
            zsk-lifetime: 30d
+        remote:
+          - id: inwx
+            address: 185.181.104.96@53
+        acl:
+          - id: inwx_acl
+            address: 185.181.104.96
+            action: transfer
        zone:
          - domain: yggdrasil.li
            file: ${./zones/li.yggdrasil.soa}
author	Gregor Kleen <gkleen@yggdrasil.li>	2021-05-29 16:56:36 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2021-05-29 16:56:36 +0200
commit	88adc84f5386e2177731b0ee4ece3abecb9dec94 (patch)
tree	1a9c91f087ee225c7d1cb47d09316d1ebf82f898 /hosts/surtr
parent	4fa21b0705316e96c53a51b58a51646f274db773 (diff)
download	nixos-88adc84f5386e2177731b0ee4ece3abecb9dec94.tar nixos-88adc84f5386e2177731b0ee4ece3abecb9dec94.tar.gz nixos-88adc84f5386e2177731b0ee4ece3abecb9dec94.tar.bz2 nixos-88adc84f5386e2177731b0ee4ece3abecb9dec94.tar.xz nixos-88adc84f5386e2177731b0ee4ece3abecb9dec94.zip

diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 790e6850..3fe76dbf 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix
@@ -5,6 +5,15 @@
5	{ device = "surtr/safe/var-lib-knot";	5	{ device = "surtr/safe/var-lib-knot";
6	fsType = "zfs";	6	fsType = "zfs";
7	};	7	};
		8
		9	firewall = {
		10	allowedTCPPorts = [
		11	53 # DNS
		12	];
		13	allowedUDPPorts = [
		14	53 # DNS
		15	];
		16	};
8		17
9	services.knot = {	18	services.knot = {
10	enable = true;	19	enable = true;
@@ -22,6 +31,8 @@
22	zonefile-load: difference-no-serial	31	zonefile-load: difference-no-serial
23	semantic-checks: on	32	semantic-checks: on
24	dnssec-signing: on	33	dnssec-signing: on
		34	notify: inwx
		35	acl: [inwx_acl]
25		36
26	policy:	37	policy:
27	- id: rsa	38	- id: rsa
@@ -30,6 +41,15 @@
30	zsk-size: 2048	41	zsk-size: 2048
31	zsk-lifetime: 30d	42	zsk-lifetime: 30d
32		43
		44	remote:
		45	- id: inwx
		46	address: 185.181.104.96@53
		47
		48	acl:
		49	- id: inwx_acl
		50	address: 185.181.104.96
		51	action: transfer
		52
33	zone:	53	zone:
34	- domain: yggdrasil.li	54	- domain: yggdrasil.li
35	file: ${./zones/li.yggdrasil.soa}	55	file: ${./zones/li.yggdrasil.soa}