diff options
Diffstat (limited to 'hosts/surtr/dns/default.nix')
| -rw-r--r-- | hosts/surtr/dns/default.nix | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 790e6850..3fe76dbf 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix | |||
| @@ -5,6 +5,15 @@ | |||
| 5 | { device = "surtr/safe/var-lib-knot"; | 5 | { device = "surtr/safe/var-lib-knot"; |
| 6 | fsType = "zfs"; | 6 | fsType = "zfs"; |
| 7 | }; | 7 | }; |
| 8 | |||
| 9 | firewall = { | ||
| 10 | allowedTCPPorts = [ | ||
| 11 | 53 # DNS | ||
| 12 | ]; | ||
| 13 | allowedUDPPorts = [ | ||
| 14 | 53 # DNS | ||
| 15 | ]; | ||
| 16 | }; | ||
| 8 | 17 | ||
| 9 | services.knot = { | 18 | services.knot = { |
| 10 | enable = true; | 19 | enable = true; |
| @@ -22,6 +31,8 @@ | |||
| 22 | zonefile-load: difference-no-serial | 31 | zonefile-load: difference-no-serial |
| 23 | semantic-checks: on | 32 | semantic-checks: on |
| 24 | dnssec-signing: on | 33 | dnssec-signing: on |
| 34 | notify: inwx | ||
| 35 | acl: [inwx_acl] | ||
| 25 | 36 | ||
| 26 | policy: | 37 | policy: |
| 27 | - id: rsa | 38 | - id: rsa |
| @@ -30,6 +41,15 @@ | |||
| 30 | zsk-size: 2048 | 41 | zsk-size: 2048 |
| 31 | zsk-lifetime: 30d | 42 | zsk-lifetime: 30d |
| 32 | 43 | ||
| 44 | remote: | ||
| 45 | - id: inwx | ||
| 46 | address: 185.181.104.96@53 | ||
| 47 | |||
| 48 | acl: | ||
| 49 | - id: inwx_acl | ||
| 50 | address: 185.181.104.96 | ||
| 51 | action: transfer | ||
| 52 | |||
| 33 | zone: | 53 | zone: |
| 34 | - domain: yggdrasil.li | 54 | - domain: yggdrasil.li |
| 35 | file: ${./zones/li.yggdrasil.soa} | 55 | file: ${./zones/li.yggdrasil.soa} |