diff options
Diffstat (limited to 'hosts/surtr/dns/default.nix')
| -rw-r--r-- | hosts/surtr/dns/default.nix | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 5f69c350..695ac292 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix | |||
| @@ -25,6 +25,7 @@ in { | |||
| 25 | enable = true; | 25 | enable = true; |
| 26 | keyFiles = [ | 26 | keyFiles = [ |
| 27 | config.sops.secrets."rheperire.org_acme_key.yaml".path | 27 | config.sops.secrets."rheperire.org_acme_key.yaml".path |
| 28 | config.sops.secrets."knot_local_key.yaml".path | ||
| 28 | ]; | 29 | ]; |
| 29 | extraConfig = '' | 30 | extraConfig = '' |
| 30 | server: | 31 | server: |
| @@ -38,6 +39,9 @@ in { | |||
| 38 | address: 185.181.104.96@53 | 39 | address: 185.181.104.96@53 |
| 39 | - id: recursive | 40 | - id: recursive |
| 40 | address: ::1@5353 | 41 | address: ::1@5353 |
| 42 | - id: local | ||
| 43 | address: ::1@53 | ||
| 44 | key: local_key | ||
| 41 | 45 | ||
| 42 | acl: | 46 | acl: |
| 43 | - id: inwx_acl | 47 | - id: inwx_acl |
| @@ -46,6 +50,10 @@ in { | |||
| 46 | - id: rheperire.org_acme_acl | 50 | - id: rheperire.org_acme_acl |
| 47 | key: rheperire.org_acme_key | 51 | key: rheperire.org_acme_key |
| 48 | action: update | 52 | action: update |
| 53 | - id: local_acl | ||
| 54 | key: local_key | ||
| 55 | action: update | ||
| 56 | update-type: DS | ||
| 49 | 57 | ||
| 50 | mod-rrl: | 58 | mod-rrl: |
| 51 | - id: default | 59 | - id: default |
| @@ -75,6 +83,15 @@ in { | |||
| 75 | ksk-lifetime: 360d | 83 | ksk-lifetime: 360d |
| 76 | signing-threads: 2 | 84 | signing-threads: 2 |
| 77 | ksk-submission: validating-resolver | 85 | ksk-submission: validating-resolver |
| 86 | - id: ed25519_local-push | ||
| 87 | algorithm: ed25519 | ||
| 88 | nsec3: on | ||
| 89 | nsec3-iterations: 0 | ||
| 90 | ksk-lifetime: 360d | ||
| 91 | signing-threads: 2 | ||
| 92 | ksk-submission: validating-resolver | ||
| 93 | cds-cdnskey-publish: none | ||
| 94 | ds-push: [local] | ||
| 78 | 95 | ||
| 79 | template: | 96 | template: |
| 80 | - id: default | 97 | - id: default |
| @@ -98,7 +115,7 @@ in { | |||
| 98 | journal-content: all | 115 | journal-content: all |
| 99 | semantic-checks: on | 116 | semantic-checks: on |
| 100 | dnssec-signing: on | 117 | dnssec-signing: on |
| 101 | dnssec-policy: ed25519 | 118 | dnssec-policy: ed25519_local-push |
| 102 | 119 | ||
| 103 | zone: | 120 | zone: |
| 104 | - domain: yggdrasil.li | 121 | - domain: yggdrasil.li |
| @@ -145,6 +162,11 @@ in { | |||
| 145 | owner = "knot"; | 162 | owner = "knot"; |
| 146 | sopsFile = ./keys/rheperire.org_acme.yaml; | 163 | sopsFile = ./keys/rheperire.org_acme.yaml; |
| 147 | }; | 164 | }; |
| 165 | "knot_local_key.yaml" = { | ||
| 166 | format = "binary"; | ||
| 167 | owner = "knot"; | ||
| 168 | sopsFile = ./keys/local_key.yaml; | ||
| 169 | }; | ||
| 148 | }; | 170 | }; |
| 149 | 171 | ||
| 150 | 172 | ||