From 2734bc70c4bfd3cff92ff226c3143f4afa981a56 Mon Sep 17 00:00:00 2001
From: Lu Wang
Date: Mon, 16 Dec 2024 00:14:43 +0800
Subject: [PATCH] services/knot: enable dnssec

---
 nixos/profiles/services/knot/primary.nix | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/nixos/profiles/services/knot/primary.nix b/nixos/profiles/services/knot/primary.nix
index f77fb9a..dba757c 100644
--- a/nixos/profiles/services/knot/primary.nix
+++ b/nixos/profiles/services/knot/primary.nix
@@ -59,6 +59,26 @@ in
         remote = builtins.attrNames secondary;
       }
     ];
+    policy = [
+      {
+        algorithm = "ed25519";
+        id = "default";
+        ksk-lifetime = "365d";
+        ksk-shared = true;
+        ksk-submission = "default";
+        nsec3 = true;
+        nsec3-iterations = "0";
+        nsec3-salt-length = "0";
+        signing-threads = "4";
+      }
+    ];
+    submission = [
+      {
+        check-interval = "10m";
+        id = "default";
+        parent = "cloudflare";
+      }
+    ];
     template = [
       {
         id = "default";
@@ -66,6 +86,8 @@ in
         global-module = "mod-rrl/default";
         catalog-role = "member";
         catalog-zone = "catalog";
+        dnssec-policy = "default";
+        dnssec-signing = true;
         serial-policy = "unixtime";
         semantic-checks = true;
         zonefile-load = "difference-no-serial";
@@ -116,4 +138,6 @@ in
     ];
   };
 };
+
+  services.restic.backups.b2.paths = [ "/var/lib/knot" ];
 }
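Review bot: The `ksk-lifetime = "365d"` in the new `policy` entry schedules an unattended yearly KSK rollover, but the `submission` block only checks the `cloudflare` parent for the new DS; nothing in this hunk publishes it, so the rollover will sit in the "waiting for DS" state until the DS is updated at the registrar (by a CDS/CDNSKEY scan on their side, or manually). Because `ksk-shared = true`, every zone on the template shares that key and stalls together. Also, `parent = "cloudflare"` refers to a remote that must be defined elsewhere in this file; it is not visible in the hunk, so confirm it exists. I would add a comment above `ksk-lifetime` such as `# KSK rollover every year: the new DS must reach the registrar (CDS scan or manual) or the rollover stalls; see ksk-submission`.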
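Review bot: Backing up `/var/lib/knot` to the `b2` restic repository now puts the DNSSEC private keys (Knot's KASP database lives under its storage directory, which here is presumably `/var/lib/knot` — confirm against the module's `storage` setting) into an off-site repository, so the restic repository password and B2 credentials become part of the DNSSEC trust boundary. That is a reasonable trade-off since losing the KASP database would invalidate the published DS, but it deserves a comment and a check that nothing else shares that repository with weaker access controls. I would annotate the line with `# includes the KASP DB (DNSSEC private keys); needed to restore without a DS change, keep the repo credentials restricted`.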