...

author: Gregor Kleen <gkleen@yggdrasil.li> 2023-01-30 12:41:51 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2023-01-30 12:41:51 +0100
commit: 39094f52acc0b3c38fc1a50718b5cc8e25b8fb7a (patch)
tree: ae9412c9e38a8ccbdede30fd474bed674e0dca5a /hosts
parent: cfc871cce6aefaa0ff64619780a807cba761c6b2 (diff)
download: nixos-39094f52acc0b3c38fc1a50718b5cc8e25b8fb7a.tar
nixos-39094f52acc0b3c38fc1a50718b5cc8e25b8fb7a.tar.gz
nixos-39094f52acc0b3c38fc1a50718b5cc8e25b8fb7a.tar.bz2
nixos-39094f52acc0b3c38fc1a50718b5cc8e25b8fb7a.tar.xz
nixos-39094f52acc0b3c38fc1a50718b5cc8e25b8fb7a.zip
3 files changed, 8 insertions, 6 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index e79f4bfb..ab2a3cd5 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -46,12 +46,12 @@ in {
    systemd.services.knot = {
      unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
-      serviceConfig.LoadCredential = map ({name, ...}: "${name}:${config.sops.secrets.${name}.path}") knotKeys;
+      serviceConfig.LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys;
    };
    services.knot = {
      enable = true;
-      keyFiles = map ({name, ...}: "/run/credentials/knot.service/${name}") knotKeys;
+      keyFiles = map ({name, ...}: "/run/credentials/knot.service/${name}.yaml") knotKeys;
      extraConfig = ''
        server:
          listen: 127.0.0.1@53
@@ -109,20 +109,17 @@ in {
            algorithm: rsasha256
            ksk-size: 4096
            zsk-size: 2048
-            zsk-lifetime: 30d
            ksk-submission: validating-resolver
          - id: ed25519
            algorithm: ed25519
            nsec3: on
            nsec3-iterations: 0
-            ksk-lifetime: 360d
            signing-threads: 2
            ksk-submission: validating-resolver
          - id: ed25519_local-push
            algorithm: ed25519
            nsec3: on
            nsec3-iterations: 0
-            ksk-lifetime: 360d
            signing-threads: 2
            ksk-submission: validating-resolver
            cds-cdnskey-publish: double-ds
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix
index 2e943afc..ade884e7 100644
--- a/hosts/vidhar/dns/default.nix
+++ b/hosts/vidhar/dns/default.nix
@@ -79,9 +79,14 @@ in {
      };
    };
+    systemd.services.knot = {
+      unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
+      serviceConfig.LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys;
+    };
    services.knot = {
      enable = true;
-      keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys;
+      keyFiles = map ({name, ...}: "/run/credentials/knot.service/${name}.yaml") knotKeys;
      extraConfig = ''
        server:
          listen: 127.0.0.1@5353
diff --git a/hosts/vidhar/dns/keys/local_yaml b/hosts/vidhar/dns/keys/local
index f682f05e..f682f05e 100644
--- a/hosts/vidhar/dns/keys/local_yaml
+++ b/hosts/vidhar/dns/keys/local
author	Gregor Kleen <gkleen@yggdrasil.li>	2023-01-30 12:41:51 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2023-01-30 12:41:51 +0100
commit	39094f52acc0b3c38fc1a50718b5cc8e25b8fb7a (patch)
tree	ae9412c9e38a8ccbdede30fd474bed674e0dca5a /hosts
parent	cfc871cce6aefaa0ff64619780a807cba761c6b2 (diff)
download	nixos-39094f52acc0b3c38fc1a50718b5cc8e25b8fb7a.tar nixos-39094f52acc0b3c38fc1a50718b5cc8e25b8fb7a.tar.gz nixos-39094f52acc0b3c38fc1a50718b5cc8e25b8fb7a.tar.bz2 nixos-39094f52acc0b3c38fc1a50718b5cc8e25b8fb7a.tar.xz nixos-39094f52acc0b3c38fc1a50718b5cc8e25b8fb7a.zip