1 files changed, 92 insertions, 0 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
new file mode 100644
index 00000000..ce909b72
--- /dev/null
+++ b/hosts/surtr/dns/default.nix
@@ -0,0 +1,92 @@
+{...}:
+{
+  config = {
+    fileSystems."/var/lib/knot" =
+      { device = "surtr/safe/var-lib-knot";
+        fsType = "zfs";
+      };
+    systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
+    networking.firewall = {
+      allowedTCPPorts = [
+        53 # DNS
+      ];
+      allowedUDPPorts = [
+        53 # DNS
+      ];
+    };
+    
+    services.knot = {
+      enable = true;
+      extraConfig = ''
+        server:
+          listen: 127.0.0.1@53
+          listen: ::1@53
+          listen: 202.61.241.61@53
+          listen: 2a03:4000:52:ada::@53
+        remote:
+          - id: inwx_notify
+            address: 185.181.104.96@53
+        acl:
+          - id: inwx_acl
+            address: 185.181.104.96
+            action: transfer
+        template:
+          - id: inwx_zone
+            storage: /var/lib/knot
+            zonefile-sync: -1
+            zonefile-load: difference-no-serial
+            serial-policy: dateserial
+            journal-content: all
+            semantic-checks: on
+            dnssec-signing: on
+            notify: [inwx_notify]
+            acl: [inwx_acl]
+        policy:
+          - id: rsa
+            algorithm: rsasha256
+            ksk-size: 4096
+            zsk-size: 2048
+            zsk-lifetime: 30d
+        zone:
+          - domain: yggdrasil.li
+            template: inwx_zone
+            file: ${./zones/li.yggdrasil.soa}
+          - domain: nights.email
+            template: inwx_zone
+            file: ${./zones/email.nights.soa}
+          - domain: 141.li
+            template: inwx_zone
+            file: ${./zones/li.141.soa}
+          - domain: kleen.li
+            template: inwx_zone
+            file: ${./zones/li.kleen.soa}
+          - domain: xmpp.li
+            template: inwx_zone
+            file: ${./zones/li.xmpp.soa}
+          - domain: dirty-haskell.org
+            template: inwx_zone
+            file: ${./zones/org.dirty-haskell.soa}
+          - domain: praseodym.org
+            template: inwx_zone
+            file: ${./zones/org.praseodym.soa}
+          - domain: rheperire.org
+            template: inwx_zone
+            file: ${./zones/org.rheperire.soa}
+      '';
+    };
+  };
+}

diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix new file mode 100644 index 00000000..ce909b72 --- /dev/null +++ b/hosts/surtr/dns/default.nix
@@ -0,0 +1,92 @@
	1	{...}:
	2	{
	3	config = {
	4	fileSystems."/var/lib/knot" =
	5	{ device = "surtr/safe/var-lib-knot";
	6	fsType = "zfs";
	7	};
	8
	9	systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
	10
	11	networking.firewall = {
	12	allowedTCPPorts = [
	13	53 # DNS
	14	];
	15	allowedUDPPorts = [
	16	53 # DNS
	17	];
	18	};
	19
	20	services.knot = {
	21	enable = true;
	22	extraConfig = ''
	23	server:
	24	listen: 127.0.0.1@53
	25	listen: ::1@53
	26	listen: 202.61.241.61@53
	27	listen: 2a03:4000:52:ada::@53
	28
	29	remote:
	30	- id: inwx_notify
	31	address: 185.181.104.96@53
	32
	33	acl:
	34	- id: inwx_acl
	35	address: 185.181.104.96
	36	action: transfer
	37
	38	template:
	39	- id: inwx_zone
	40	storage: /var/lib/knot
	41	zonefile-sync: -1
	42	zonefile-load: difference-no-serial
	43	serial-policy: dateserial
	44	journal-content: all
	45	semantic-checks: on
	46	dnssec-signing: on
	47	notify: [inwx_notify]
	48	acl: [inwx_acl]
	49
	50	policy:
	51	- id: rsa
	52	algorithm: rsasha256
	53	ksk-size: 4096
	54	zsk-size: 2048
	55	zsk-lifetime: 30d
	56
	57	zone:
	58	- domain: yggdrasil.li
	59	template: inwx_zone
	60	file: ${./zones/li.yggdrasil.soa}
	61
	62	- domain: nights.email
	63	template: inwx_zone
	64	file: ${./zones/email.nights.soa}
	65
	66	- domain: 141.li
	67	template: inwx_zone
	68	file: ${./zones/li.141.soa}
	69
	70	- domain: kleen.li
	71	template: inwx_zone
	72	file: ${./zones/li.kleen.soa}
	73
	74	- domain: xmpp.li
	75	template: inwx_zone
	76	file: ${./zones/li.xmpp.soa}
	77
	78	- domain: dirty-haskell.org
	79	template: inwx_zone
	80	file: ${./zones/org.dirty-haskell.soa}
	81
	82	- domain: praseodym.org
	83	template: inwx_zone
	84	file: ${./zones/org.praseodym.soa}
	85
	86	- domain: rheperire.org
	87	template: inwx_zone
	88	file: ${./zones/org.rheperire.soa}
	89	'';
	90	};
	91	};
	92	}