services/knot: init

nixos/hosts/reisen-fra0/default.nix

@@ -1,10 +1,16 @@
 {
   suites,
+  profiles,
   mylib,
   ...
 }:
 {
-  imports = suites.server ++ (mylib.path.scanPaths ./. "default.nix");
+  imports =
+    suites.server
+    ++ (with profiles; [
+      services.knot.primary
+    ])
+    ++ (mylib.path.scanPaths ./. "default.nix");
 
   system.stateVersion = "24.11";
 }

nixos/hosts/reisen-nrt0/default.nix

@@ -1,10 +1,16 @@
 {
   suites,
+  profiles,
   mylib,
   ...
 }:
 {
-  imports = suites.server ++ (mylib.path.scanPaths ./. "default.nix");
+  imports =
+    suites.server
+    ++ (with profiles; [
+      services.knot.secondary
+    ])
+    ++ (mylib.path.scanPaths ./. "default.nix");
 
   system.stateVersion = "24.11";
 }

nixos/hosts/reisen-sea0/default.nix

@@ -1,10 +1,16 @@
 {
   suites,
+  profiles,
   mylib,
   ...
 }:
 {
-  imports = suites.server ++ (mylib.path.scanPaths ./. "default.nix");
+  imports =
+    suites.server
+    ++ (with profiles; [
+      services.knot.secondary
+    ])
+    ++ (mylib.path.scanPaths ./. "default.nix");
 
   system.stateVersion = "24.11";
 }

nixos/profiles/services/knot/primary.nix

@@ -0,0 +1,119 @@
+# Portions of this file are sourced from
+# https://github.com/NickCao/flakes/blob/3b03efb676ea602575c916b2b8bc9d9cd13b0d85/nixos/hcloud/iad0/knot.nix
+{
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  common = import ../../../../zones/common.nix;
+  secondary = lib.listToAttrs (
+    builtins.map (
+      name:
+      lib.nameValuePair name {
+        id = name;
+        address = [
+          (builtins.elemAt common.hosts.${name}.endpoints_v4 0)
+          (builtins.elemAt common.hosts.${name}.endpoints_v6 0)
+        ];
+      }
+    ) common.secondary
+  );
+in
+{
+  services.knot = {
+    enable = true;
+    settings = {
+      server = {
+        async-start = true;
+        tcp-reuseport = true;
+        tcp-fastopen = true;
+        edns-client-subnet = true;
+        automatic-acl = true;
+        listen = [
+          "0.0.0.0"
+          "::"
+        ];
+      };
+      log = [
+        {
+          target = "syslog";
+          any = "info";
+        }
+      ];
+      remote = [
+        {
+          id = "cloudflare";
+          address = [
+            "1.1.1.1"
+            "1.0.0.1"
+            "2606:4700:4700::1111"
+            "2606:4700:4700::1001"
+          ];
+        }
+      ] ++ builtins.attrValues secondary;
+      remotes = [
+        {
+          id = "secondary";
+          remote = builtins.attrNames secondary;
+        }
+      ];
+      template = [
+        {
+          id = "default";
+          notify = "secondary";
+          global-module = "mod-rrl/default";
+          catalog-role = "member";
+          catalog-zone = "catalog";
+          serial-policy = "unixtime";
+          semantic-checks = true;
+          zonefile-load = "difference-no-serial";
+          zonefile-sync = "-1";
+          journal-content = "all";
+          zonemd-generate = "zonemd-sha512";
+        }
+        {
+          id = "catalog";
+          notify = "secondary";
+          catalog-role = "generate";
+          serial-policy = "unixtime";
+          zonefile-load = "difference-no-serial";
+          zonefile-sync = "-1";
+          journal-content = "all";
+        }
+      ];
+      mod-rrl = [
+        {
+          id = "default";
+          rate-limit = "200";
+          slip = "2";
+        }
+      ];
+      zone = [
+        {
+          domain = "catalog";
+          template = "catalog";
+        }
+        {
+          domain = "rebmit.link";
+          file = pkgs.writeText "db.link.rebmit" (
+            import ../../../../zones/rebmit.link.nix {
+              inherit (inputs) dns;
+              inherit lib;
+            }
+          );
+        }
+        {
+          domain = "rebmit.moe";
+          file = pkgs.writeText "db.moe.rebmit" (
+            import ../../../../zones/rebmit.moe.nix {
+              inherit (inputs) dns;
+              inherit lib;
+            }
+          );
+        }
+      ];
+    };
+  };
+}

nixos/profiles/services/knot/secondary.nix

@@ -0,0 +1,66 @@
+# Portions of this file are sourced from
+# https://github.com/NickCao/flakes/blob/3b03efb676ea602575c916b2b8bc9d9cd13b0d85/modules/dns/secondary/default.nix
+{ ... }:
+let
+  common = import ../../../../zones/common.nix;
+  primary = common.hosts.${common.primary};
+in
+{
+  services.knot = {
+    enable = true;
+    settings = {
+      server = {
+        async-start = true;
+        tcp-reuseport = true;
+        tcp-fastopen = true;
+        edns-client-subnet = true;
+        automatic-acl = true;
+        listen = [
+          "0.0.0.0"
+          "::"
+        ];
+      };
+      log = [
+        {
+          target = "syslog";
+          any = "info";
+        }
+      ];
+      remote = [
+        {
+          id = "transfer";
+          address = [
+            (builtins.elemAt primary.endpoints_v4 0)
+            (builtins.elemAt primary.endpoints_v6 0)
+          ];
+        }
+      ];
+      template = [
+        {
+          id = "default";
+          global-module = "mod-rrl/default";
+        }
+        {
+          id = "member";
+          master = "transfer";
+          zonemd-verify = true;
+        }
+      ];
+      mod-rrl = [
+        {
+          id = "default";
+          rate-limit = "200";
+          slip = "2";
+        }
+      ];
+      zone = [
+        {
+          domain = "catalog";
+          master = "transfer";
+          catalog-role = "interpret";
+          catalog-template = "member";
+        }
+      ];
+    };
+  };
+}

nixos/profiles/services/resolved/default.nix

@@ -5,6 +5,7 @@
     llmnr = "false";
     extraConfig = ''
       MulticastDNS=off
+      DNSStubListener=no
     '';
   };
 }