From b99ee2913a6183a89aecc6d92c5a9b4ab6d9a13f Mon Sep 17 00:00:00 2001
From: Lu Wang
Date: Sun, 15 Dec 2024 22:34:29 +0800
Subject: [PATCH] services/knot: init

---
 nixos/hosts/reisen-fra0/default.nix | 8 +-
 nixos/hosts/reisen-nrt0/default.nix | 8 +-
 nixos/hosts/reisen-sea0/default.nix | 8 +-
 nixos/profiles/services/knot/primary.nix | 119 +++++++++++++++++++
 nixos/profiles/services/knot/secondary.nix | 66 ++++++++++
 nixos/profiles/services/resolved/default.nix | 1 +
 6 files changed, 207 insertions(+), 3 deletions(-)
 create mode 100644 nixos/profiles/services/knot/primary.nix
 create mode 100644 nixos/profiles/services/knot/secondary.nix

diff --git a/nixos/hosts/reisen-fra0/default.nix b/nixos/hosts/reisen-fra0/default.nix
index 9bef6dc..191620b 100644
--- a/nixos/hosts/reisen-fra0/default.nix
+++ b/nixos/hosts/reisen-fra0/default.nix
@@ -1,10 +1,16 @@
 {
 suites,
+ profiles,
 mylib,
 ...
 }:
 {
- imports = suites.server ++ (mylib.path.scanPaths ./. "default.nix");
+ imports =
+ suites.server
+ ++ (with profiles; [
+ services.knot.primary
+ ])
+ ++ (mylib.path.scanPaths ./. "default.nix");
 
 system.stateVersion = "24.11";
 }
diff --git a/nixos/hosts/reisen-nrt0/default.nix b/nixos/hosts/reisen-nrt0/default.nix
index 9bef6dc..e8ec737 100644
--- a/nixos/hosts/reisen-nrt0/default.nix
+++ b/nixos/hosts/reisen-nrt0/default.nix
@@ -1,10 +1,16 @@
 {
 suites,
+ profiles,
 mylib,
 ...
 }:
 {
- imports = suites.server ++ (mylib.path.scanPaths ./. "default.nix");
+ imports =
+ suites.server
+ ++ (with profiles; [
+ services.knot.secondary
+ ])
+ ++ (mylib.path.scanPaths ./. "default.nix");
 
 system.stateVersion = "24.11";
 }
diff --git a/nixos/hosts/reisen-sea0/default.nix b/nixos/hosts/reisen-sea0/default.nix
index 9bef6dc..e8ec737 100644
--- a/nixos/hosts/reisen-sea0/default.nix
+++ b/nixos/hosts/reisen-sea0/default.nix
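Review bot: The host-to-role assignment is now kept in two places: reisen-fra0 imports `services.knot.primary` here while reisen-nrt0 and reisen-sea0 (the next two hunks) import `services.knot.secondary`, and primary.nix/secondary.nix independently take the peer lists from `common.primary` and `common.secondary` in zones/common.nix. If the two drift, the generated `remote` entries and the automatic ACLs point at the wrong hosts without any evaluation error. A comment at the import, e.g. `# role must match common.primary / common.secondary in zones/common.nix`, or an assertion comparing the role against those lists (if the keys of `common.hosts` are the host names, which is not visible here) would make the coupling explicit.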
@@ -1,10 +1,16 @@
 {
 suites,
+ profiles,
 mylib,
 ...
 }:
 {
- imports = suites.server ++ (mylib.path.scanPaths ./. "default.nix");
+ imports =
+ suites.server
+ ++ (with profiles; [
+ services.knot.secondary
+ ])
+ ++ (mylib.path.scanPaths ./. "default.nix");
 
 system.stateVersion = "24.11";
 }
diff --git a/nixos/profiles/services/knot/primary.nix b/nixos/profiles/services/knot/primary.nix
new file mode 100644
index 0000000..f77fb9a
--- /dev/null
+++ b/nixos/profiles/services/knot/primary.nix
@@ -0,0 +1,119 @@
+# Portions of this file are sourced from
+# https://github.com/NickCao/flakes/blob/3b03efb676ea602575c916b2b8bc9d9cd13b0d85/nixos/hcloud/iad0/knot.nix
+{
+ inputs,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ common = import ../../../../zones/common.nix;
+ secondary = lib.listToAttrs (
+ builtins.map (
+ name:
+ lib.nameValuePair name {
+ id = name;
+ address = [
+ (builtins.elemAt common.hosts.${name}.endpoints_v4 0)
+ (builtins.elemAt common.hosts.${name}.endpoints_v6 0)
+ ];
+ }
+ ) common.secondary
+ );
+in
+{
+ services.knot = {
+ enable = true;
+ settings = {
+ server = {
+ async-start = true;
+ tcp-reuseport = true;
+ tcp-fastopen = true;
+ edns-client-subnet = true;
+ automatic-acl = true;
+ listen = [
+ "0.0.0.0"
+ "::"
+ ];
+ };
+ log = [
+ {
+ target = "syslog";
+ any = "info";
+ }
+ ];
+ remote = [
+ {
+ id = "cloudflare";
+ address = [
+ "1.1.1.1"
+ "1.0.0.1"
+ "2606:4700:4700::1111"
+ "2606:4700:4700::1001"
+ ];
+ }
+ ] ++ builtins.attrValues secondary;
+ remotes = [
+ {
+ id = "secondary";
+ remote = builtins.attrNames secondary;
+ }
+ ];
+ template = [
+ {
+ id = "default";
+ notify = "secondary";
+ global-module = "mod-rrl/default";
+ catalog-role = "member";
+ catalog-zone = "catalog";
+ serial-policy = "unixtime";
+ semantic-checks = true;
+ zonefile-load = "difference-no-serial";
+ zonefile-sync = "-1";
+ journal-content = "all";
+ zonemd-generate = "zonemd-sha512";
+ }
+ {
+ id = "catalog";
+ notify = "secondary";
+ catalog-role = "generate";
+ serial-policy = "unixtime";
+ zonefile-load = "difference-no-serial";
+ zonefile-sync = "-1";
+ journal-content = "all";
+ }
+ ];
+ mod-rrl = [
+ {
+ id = "default";
+ rate-limit = "200";
+ slip = "2";
+ }
+ ];
+ zone = [
+ {
+ domain = "catalog";
+ template = "catalog";
+ }
+ {
+ domain = "rebmit.link";
+ file = pkgs.writeText "db.link.rebmit" (
+ import ../../../../zones/rebmit.link.nix {
+ inherit (inputs) dns;
+ inherit lib;
+ }
+ );
+ }
+ {
+ domain = "rebmit.moe";
+ file = pkgs.writeText "db.moe.rebmit" (
+ import ../../../../zones/rebmit.moe.nix {
+ inherit (inputs) dns;
+ inherit lib;
+ }
+ );
+ }
+ ];
+ };
+ };
+}
diff --git a/nixos/profiles/services/knot/secondary.nix b/nixos/profiles/services/knot/secondary.nix
new file mode 100644
index 0000000..0917208
--- /dev/null
+++ b/nixos/profiles/services/knot/secondary.nix
@@ -0,0 +1,66 @@
+# Portions of this file are sourced from
+# https://github.com/NickCao/flakes/blob/3b03efb676ea602575c916b2b8bc9d9cd13b0d85/modules/dns/secondary/default.nix
+{ ... }:
+let
+ common = import ../../../../zones/common.nix;
+ primary = common.hosts.${common.primary};
+in
+{
+ services.knot = {
+ enable = true;
+ settings = {
+ server = {
+ async-start = true;
+ tcp-reuseport = true;
+ tcp-fastopen = true;
+ edns-client-subnet = true;
+ automatic-acl = true;
+ listen = [
+ "0.0.0.0"
+ "::"
+ ];
+ };
+ log = [
+ {
+ target = "syslog";
+ any = "info";
+ }
+ ];
+ remote = [
+ {
+ id = "transfer";
+ address = [
+ (builtins.elemAt primary.endpoints_v4 0)
+ (builtins.elemAt primary.endpoints_v6 0)
+ ];
+ }
+ ];
+ template = [
+ {
+ id = "default";
+ global-module = "mod-rrl/default";
+ }
+ {
+ id = "member";
+ master = "transfer";
+ zonemd-verify = true;
+ }
+ ];
+ mod-rrl = [
+ {
+ id = "default";
+ rate-limit = "200";
+ slip = "2";
+ }
+ ];
+ zone = [
+ {
+ domain = "catalog";
+ master = "transfer";
+ catalog-role = "interpret";
+ catalog-template = "member";
+ }
+ ];
+ };
+ };
+}
diff --git a/nixos/profiles/services/resolved/default.nix b/nixos/profiles/services/resolved/default.nix
index 4d74222..0891e07 100644
--- a/nixos/profiles/services/resolved/default.nix
+++ b/nixos/profiles/services/resolved/default.nix
@@ -5,6 +5,7 @@
 llmnr = "false";
 extraConfig = ''
 MulticastDNS=off
+ DNSStubListener=no
 '';
 };
 }
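Review bot: The `cloudflare` remote in the `remote` list of primary.nix is not referenced by any `master`, `notify`, `acl` or `remotes` entry in this file, so it is dead configuration; with `automatic-acl = true` Knot only derives ACL rules from remotes that are used as masters or notify targets, so it grants nothing either. Drop it, or mark it with `# unused: kept from the upstream template` if it is intentionally a placeholder. Separately, the only thing authorising the primary–secondary path (the generated `secondary` remotes here and the `transfer` remote in secondary.nix) is the source address: no `key` is set on any remote, so the automatically generated transfer and notify ACLs are address-only, and `zonemd-verify` on the secondary checks a hash carried inside the transferred zone rather than who sent it. Consider a TSIG `key` entry referenced from the `secondary` remotes here and from `transfer` in secondary.nix so both the ACL and the transfer are keyed. Note also that `builtins.elemAt … 0` fails at evaluation time if a host in `common.secondary` has an empty `endpoints_v4` or `endpoints_v6` list, which is presumably the intended strictness but deserves a comment.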
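Review bot: `DNSStubListener=no` is added to the shared resolved profile, so every host that imports it loses the 127.0.0.53 stub listener, not only the two knot roles that need port 53 free; any host whose `/etc/resolv.conf` still points at the stub would lose local name resolution unless resolved is configured to write the uplink resolv.conf instead (not visible here). Unless this profile is used only by the knot hosts, move the line next to the knot listen configuration, e.g. `services.resolved.extraConfig = "DNSStubListener=no";` in primary.nix and secondary.nix (`extraConfig` merges across modules). Either way, add a comment such as `# knot binds :53 on 0.0.0.0 and ::, which the stub listener would collide with` so the reason survives the next refactor.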