From 88adc84f5386e2177731b0ee4ece3abecb9dec94 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Sat, 29 May 2021 16:56:36 +0200
Subject: knot@surtr: firewall & inwx

---
 hosts/surtr/dns/default.nix | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)


diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 790e6850..3fe76dbf 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -5,6 +5,15 @@
       { device = "surtr/safe/var-lib-knot";
         fsType = "zfs";
       };
+
+    firewall = {
+      allowedTCPPorts = [
+        53 # DNS
+      ];
+      allowedUDPPorts = [
+        53 # DNS
+      ];
+    };
     
     services.knot = {
       enable = true;
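Review bot: The new attribute at line 21 is a bare `firewall = {` at the same nesting as `services.knot = {` on line 30, but the NixOS option is `networking.firewall`; unless the enclosing attribute set, which begins before this hunk, is itself `networking`, evaluation will reject `firewall` as an unknown option and port 53 stays closed. If the outer set is the top-level config, the fix is one line: `networking.firewall = {`. It would also help to note in a comment that both entries are needed because DNS uses UDP for ordinary queries and TCP for large responses and zone transfers, e.g. `53 # DNS (TCP: truncated responses, AXFR/IXFR)`.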
@@ -22,6 +31,8 @@
            zonefile-load: difference-no-serial
            semantic-checks: on
            dnssec-signing: on
+           notify: inwx
+           acl: [inwx_acl]
 
         policy:
           - id: rsa
@@ -30,6 +41,15 @@
             zsk-size: 2048
             zsk-lifetime: 30d
 
+        remote:
+          - id: inwx
+            address: 185.181.104.96@53
+
+        acl:
+          - id: inwx_acl
+            address: 185.181.104.96
+            action: transfer
+
         zone:
           - domain: yggdrasil.li
             file: ${./zones/li.yggdrasil.soa}
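Review bot: The `acl` entry at lines 49-52 grants `action: transfer` on the basis of `address:` alone, so the authorization for AXFR/IXFR rests entirely on the peer's source address; Knot supports a `key:` reference (a TSIG key defined in a `key:` section) on both `remote` and `acl` entries, and adding one here and on the `inwx` remote at lines 45-47 would authenticate the transfer rather than only filter it by IP. This matters for every zone using the template, since the `acl: [inwx_acl]` line added in the previous hunk (lines 36-37) attaches this ACL template-wide. The address `185.181.104.96` is also duplicated between the remote and the ACL with no indication of what it is; a comment such as `# INWX secondary nameserver (also referenced in acl inwx_acl)` on the remote would make a future address change less error-prone.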
-- 
cgit v1.2.3