Berwn
807785cdab
- Knot authoritative DNS: ns1 primary, ns2 secondary serving cnx.network, buildfor.life and cnx.email over TSIG-secured zone transfer (modules/dns) - Knot listens publicly + over ZeroTier; firewall opens port 53 - Complete clan inventory: name/domain, admin SSH key, control as the zerotier controller, tor on all nixos machines - Enable age yubikey/fido2-hmac secret plugins
42 lines
1.4 KiB
Nix
42 lines
1.4 KiB
Nix
{ config, pkgs, ... }:
|
|
let
|
|
# ZeroTier addresses — zone transfers run over the mesh, not the public net.
|
|
ns1zt = "fd06:1bad:ece2:92ad:ba99:939d:766d:8974";
|
|
ns2zt = "fd06:1bad:ece2:92ad:ba99:9323:61be:a09e";
|
|
in
|
|
{
|
|
# Shared TSIG key, generated once and copied to every machine that imports
|
|
# this module, so primary and secondary authenticate transfers with the same key.
|
|
clan.core.vars.generators.dns-tsig = {
|
|
share = true;
|
|
files."tsig.conf".secret = true;
|
|
runtimeInputs = [ pkgs.knot-dns ];
|
|
script = ''
|
|
keymgr -t cnx_xfr hmac-sha256 > "$out"/tsig.conf
|
|
'';
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 53 ];
|
|
networking.firewall.allowedUDPPorts = [ 53 ];
|
|
|
|
services.knot = {
|
|
enable = true;
|
|
# Including the key via keyFiles keeps the secret out of the Nix store.
|
|
keyFiles = [ config.clan.core.vars.generators.dns-tsig.files."tsig.conf".path ];
|
|
settings = {
|
|
server.listen = [ "0.0.0.0@53" "::@53" ];
|
|
log = [ { target = "syslog"; any = "info"; } ];
|
|
|
|
remote = [
|
|
{ id = "ns1"; address = [ ns1zt ]; key = "cnx_xfr"; }
|
|
{ id = "ns2"; address = [ ns2zt ]; key = "cnx_xfr"; }
|
|
];
|
|
|
|
acl = [
|
|
{ id = "acl_ns1"; address = [ ns1zt ]; key = "cnx_xfr"; action = [ "transfer" "notify" ]; }
|
|
{ id = "acl_ns2"; address = [ ns2zt ]; key = "cnx_xfr"; action = [ "transfer" "notify" ]; }
|
|
];
|
|
};
|
|
};
|
|
}
|