path: root/hosts/vidhar/dns/default.nix
blob: 14d212e7a70a03d2fb37d02fc1d8557fb6e27c64 (plain)
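{ config, lib, pkgs, ... }:

# DNS for host vidhar: knot is the authoritative server for the local
# zones and knot-resolver is the caching resolver in front of it.
#
#   * knot listens on 127.0.0.1 and ::1 port 5353 (for the resolver) and
#     on the remaining addresses on port 53 (see extraConfig below).
#   * knot-resolver listens on lo and lan and forwards the three local
#     subtrees to knot on ::1@5353; no forward rule exists for other names.
#   * knot's key files are sops-encrypted files in ./keys, decrypted by
#     sops-nix and handed to knot as systemd credentials.

let
  # One { name, path } entry per regular file or symlink in ./keys. `name`
  # (the file's basename) doubles as the sops secret name, the systemd
  # credential name and the knot key file name; other entry kinds
  # (directories, unknown) are dropped.
  knotKeys =
    let
      dir = ./keys;
      toKeyInfo = name: kind:
        if kind == "regular" || kind == "symlink"
        then { inherit name; path = dir + "/${name}"; }
        else null;
    in
    lib.filter (v: v != null) (lib.mapAttrsToList toKeyInfo (builtins.readDir dir));

  # Address at which the resolver reaches the local authoritative knot;
  # must match one of the `listen:` lines in services.knot.extraConfig.
  knotUpstream = "::1@5353";

  # knot-resolver forward rule that sends `subtree` to the local knot.
  # DNSSEC validation is switched off for these subtrees; the knot template
  # below does not enable signing, so presumably the zones are unsigned.
  forwardToKnot = subtree: {
    inherit subtree;
    servers = [ { address = knotUpstream; } ];
    options.dnssec = false;
  };
in
{
  config = {
    services.knot-resolver = {
      enable = true;
      settings = {
        network.listen = [
          { interface = "lo"; }
          # freebind: bind even if the lan address is not configured yet
          # when the resolver starts.
          { interface = "lan"; freebind = true; }
        ];
        forward = map forwardToKnot [
          "yggdrasil."
          "141.10.in-addr.arpa."
          "1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa."
        ];
      };
    };

    # Keep the resolver cache in RAM, size-bounded, with a restrictive mode
    # and unable to hold setuid binaries, device nodes or executables.
    fileSystems."/var/cache/knot-resolver" = {
      fsType = "tmpfs";
      options = [ "size=200M" "nosuid" "nodev" "noexec" "mode=0700" ];
    };

    systemd.services.knot = {
      # Zone storage (template `local_zone` below) lives under /var/lib/knot.
      unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
      # Hand every decrypted key file to knot as a systemd credential named
      # `<name>.yaml`, read from the sops-managed path at service start.
      serviceConfig.LoadCredential =
        map ({ name, ... }: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys;
    };

    services.knot = {
      enable = true;
      # The credentials loaded above appear under /run/credentials/knot.service/.
      keyFiles = map ({ name, ... }: "/run/credentials/knot.service/${name}.yaml") knotKeys;
      # Notes on the knot configuration below:
      #   * local_acl allows dynamic updates to any client presenting
      #     `local_key`; there is no `address:` restriction, so the TSIG key
      #     is the only control. NOTE(review): if the updaters have known
      #     addresses, add an `address:` list to the ACL as a second check.
      #   * No ACL grants `transfer`; knot denies actions without a matching
      #     ACL, so zone transfers are not served.
      #   * zonefile-sync: -1 together with journal-content: all keeps
      #     changes in the journal rather than rewriting the zone files;
      #     the files in ./zones presumably only seed each zone's SOA.
      #   * `${./zones/...}` copies each zone file into the Nix store, which
      #     is world-readable, so those files must not contain secrets.
      extraConfig = ''
        server:
          listen: 127.0.0.1@5353
          listen: ::1@5353

          listen: 10.141.1.1@53
          listen: 10.141.2.1@53
          listen: 2a03:4000:52:ada:1:1::@53

        acl:
          - id: local_acl
            key: local_key
            action: update

        template:
          - id: local_zone
            storage: /var/lib/knot
            zonefile-sync: -1
            zonefile-load: difference-no-serial
            serial-policy: dateserial
            journal-content: all
            semantic-checks: on
            acl: [local_acl]

        zone:
          - domain: yggdrasil
            template: local_zone
            file: ${./zones/yggdrasil.soa}
          - domain: 141.10.in-addr.arpa
            template: local_zone
            file: ${./zones/arpa.in-addr.10.141.soa}
          - domain: 1.0.0.0.a.d.a.0.2.5.0.0.0.0.0.4.3.0.a.2.ip6.arpa
            template: local_zone
            file: ${./zones/arpa.ip6.2.a.0.3.4.0.0.0.0.0.5.2.0.a.d.a.0.0.0.1.soa}
      '';
    };

    # One sops secret per key file in ./keys, decrypted for the knot user;
    # the LoadCredential entries above reference these by `name`.
    sops.secrets = lib.listToAttrs (map ({ name, path }: lib.nameValuePair name {
      format = "binary";
      owner = "knot";
      sopsFile = path;
    }) knotKeys);
  };
}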