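{ ... }:

{
  config = {
    # /var/lib/knot holds knot's journal and its DNSSEC key store, so it gets
    # a dedicated ZFS dataset rather than living on the root filesystem.
    fileSystems."/var/lib/knot" = {
      device = "surtr/safe/var-lib-knot";
      fsType = "zfs";
    };

    # RequiresMountsFor= takes absolute paths, not unit names (systemd derives
    # the Requires=/After= on var-lib-knot.mount from the path itself).  With
    # the unit name here the dependency is not established, and knot could
    # start against an empty, not-yet-mounted /var/lib/knot -- with
    # dnssec-signing enabled that means generating fresh keys that do not
    # match the DS records published at the registrar.
    systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];

    # Authoritative DNS only (knot does not recurse), so exposing 53 on all
    # interfaces is intended.
    networking.firewall = {
      allowedTCPPorts = [
        53 # DNS
      ];
      allowedUDPPorts = [
        53 # DNS
      ];
    };

    services.knot = {
      enable = true;
      extraConfig = ''
        server:
          listen: 127.0.0.1@53
          listen: ::1@53
          listen: 202.61.241.61@53
          listen: 2a03:4000:52:ada::@53

        # Secondary at INWX: receives NOTIFY and pulls the zones from us.
        remote:
          - id: inwx
            address: 185.181.104.96@53

        # Outbound transfers are authorised by source address only.  Knot
        # also accepts a TSIG reference (`key:`) on the acl and the remote;
        # that is the stronger option if the secondary supports it.
        acl:
          - id: inwx_acl
            address: 185.181.104.96
            action: transfer

        template:
          - id: inwx_zone
            storage: /var/lib/knot
            # The zone files below are nix store paths and therefore
            # read-only: never write them back (-1), load the zone file as a
            # difference against the journal and let knot manage the serial.
            zonefile-sync: -1
            zonefile-load: difference-no-serial
            semantic-checks: on
            dnssec-signing: on
            notify: inwx
            acl: [inwx_acl]

        # NOTE: nothing references this policy (the template has no
        # `dnssec-policy: rsa`), so the zones are currently signed with
        # knot's built-in default policy.  Either reference it from the
        # template or drop it.
        policy:
          - id: rsa
            algorithm: RSASHA256
            ksk-size: 4096
            zsk-size: 2048
            zsk-lifetime: 30d

        # All zones share the template; one entry per domain.
        zone:
          - template: inwx_zone
            domain: yggdrasil.li
            file: ${./zones/li.yggdrasil.soa}
          - template: inwx_zone
            domain: nights.email
            file: ${./zones/email.nights.soa}
          - template: inwx_zone
            domain: 141.li
            file: ${./zones/li.141.soa}
          - template: inwx_zone
            domain: kleen.li
            file: ${./zones/li.kleen.soa}
          - template: inwx_zone
            domain: xmpp.li
            file: ${./zones/li.xmpp.soa}
          - template: inwx_zone
            domain: dirty-haskell.org
            file: ${./zones/org.dirty-haskell.soa}
          - template: inwx_zone
            domain: praseodym.org
            file: ${./zones/org.praseodym.soa}
          - template: inwx_zone
            domain: rheperire.org
            file: ${./zones/org.rheperire.soa}
      '';
    };
  };
}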