summaryrefslogtreecommitdiff
path: root/hosts/surtr/dns/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/surtr/dns/default.nix')
-rw-r--r--hosts/surtr/dns/default.nix44
1 files changed, 42 insertions, 2 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index feb56195..9a72a2c6 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -1,5 +1,18 @@
1{ pkgs, ... }: 1{ pkgs, lib, ... }:
2{ 2
3with lib;
4
5let
6 acmeChallengeZonefile = domain: let
7 reverseDomain = concatStringsSep "." (reverseList ("_acme-challenge" ++ splitString "." domain));
8 in pkgs.writeText "${reverseDomain}.zone" ''
9 $ORIGIN ${domain}.
10 @ 3600 IN SOA _acme-challenge.${domain}. root.yggdrasil.li. 2022022102 7200 3600 86400 300
11 $TTL 300
12
13 IN NS ns.yggdrasil.li.
14 '';
15in {
3 config = { 16 config = {
4 fileSystems."/var/lib/knot" = 17 fileSystems."/var/lib/knot" =
5 { device = "surtr/safe/var-lib-knot"; 18 { device = "surtr/safe/var-lib-knot";
@@ -10,6 +23,9 @@
10 23
11 services.knot = { 24 services.knot = {
12 enable = true; 25 enable = true;
26 keyFiles = [
27 config.sops.secrets."acme_rheperire.org_key".path
28 ];
13 extraConfig = '' 29 extraConfig = ''
14 server: 30 server:
15 listen: 127.0.0.1@53 31 listen: 127.0.0.1@53
@@ -27,6 +43,9 @@
27 - id: inwx_acl 43 - id: inwx_acl
28 address: 185.181.104.96 44 address: 185.181.104.96
29 action: transfer 45 action: transfer
46 - id: rheperire.org_acme_acl
47 key: rheperire.org_acme_key
48 action: update
30 49
31 mod-rrl: 50 mod-rrl:
32 - id: default 51 - id: default
@@ -71,6 +90,15 @@
71 dnssec-policy: ed25519 90 dnssec-policy: ed25519
72 notify: [inwx_notify] 91 notify: [inwx_notify]
73 acl: [inwx_acl] 92 acl: [inwx_acl]
93 - id: acme_zone
94 storage: /var/lib/knot
95 zonefile-sync: -1
96 zonefile-load: difference-no-serial
97 serial-policy: dateserial
98 journal-content: all
99 semantic-checks: on
100 dnssec-signing: on
101 dnssec-policy: ed25519
74 102
75 zone: 103 zone:
76 - domain: yggdrasil.li 104 - domain: yggdrasil.li
@@ -104,9 +132,21 @@
104 - domain: rheperire.org 132 - domain: rheperire.org
105 template: inwx_zone 133 template: inwx_zone
106 file: ${./zones/org.rheperire.soa} 134 file: ${./zones/org.rheperire.soa}
135 - domain: _acme-challenge.rheperire.org
136 template: acme_zone
137 acl: [ rheperire.org_acme_acl ]
138 file: ${acmeChallengeZonefile "rheperire.org"}
107 ''; 139 '';
108 }; 140 };
109 141
142 sops.secrets = {
143 "rheperire.org_acme_key.yaml" = {
144 format = "yaml";
145 owner = "knot";
146 sopsFile = ./keys/rheperire.org_acme.yaml;
147 };
148 };
149
110 150
111 fileSystems."/var/lib/unbound" = 151 fileSystems."/var/lib/unbound" =
112 { device = "surtr/local/var-lib-unbound"; 152 { device = "surtr/local/var-lib-unbound";