commit d1b171a76d550328228da84ffe208da18be748e5
parent 66f459b8560cdd58d35bb5b739f9da3d215d9544
Author: Katja (ctucx) <git@ctu.cx>
Date: Fri, 28 Feb 2025 14:13:28 +0100
parent 66f459b8560cdd58d35bb5b739f9da3d215d9544
Author: Katja (ctucx) <git@ctu.cx>
Date: Fri, 28 Feb 2025 14:13:28 +0100
modules/linux/dns: use catalog-zones
2 files changed, 98 insertions(+), 80 deletions(-)
M
|
176
+++++++++++++++++++++++++++++++++++++++++++------------------------------------
diff --git a/configurations/linux/services/dns.nix b/configurations/linux/services/dns.nix
@@ -11,7 +11,7 @@ SOA = {
 nameServer = "ns1.ctu.cx.";
 adminEmail = "dns@ctu.cx"; # Email address with a real `@`!
- serial = lib.toInt ("2023" + "03" + "04" + "1");
+ serial = 0;
 };
 in {
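Review bot: `serial = 0;` replaces the date-stamped serial without a comment explaining why a constant is now acceptable; the reason is presumably that the Knot template in modules/linux/dns.nix loads zones with `zonefile-load = "difference-no-serial"`, under which Knot maintains the SOA serial in its journal and ignores the value in the zone file. I'd add above it: `# constant on purpose: Knot manages the SOA serial itself (zonefile-load = "difference-no-serial" in modules/linux/dns.nix)`. The same comment should note that the journal under the Knot data directory is then the only record of the published serial, so if it is ever lost the serial restarts from 0 and secondaries holding a higher serial will not accept the zone — hedged, since the serial policy in effect is not visible here.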
diff --git a/modules/linux/dns.nix b/modules/linux/dns.nix
@@ -4,6 +4,14 @@ with lib;
 let
 cfg = config.dns;
+ getAddressesFunction = nodes: isPrimary: lib.flatten (
+ lib.mapAttrsToList (
+ name: node: [
+ (lib.mkIf (node.config.networking.primaryIP != "") node.config.networking.primaryIP)
+ (lib.mkIf (node.config.networking.primaryIP4 != "") node.config.networking.primaryIP4)
+ ]
+ ) (lib.filterAttrs (name: node: node.config.dns.enable && node.config.dns.primary == isPrimary) nodes)
+ );
 in {
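Review bot: `getAddressesFunction` has no comment, and it silently depends on `lib.mkIf` values surviving inside a plain list until the `services.knot.settings` option type merges them element-wise — `lib.flatten` does not drop a `mkIf` whose condition is false, it only flattens nested lists. The old `lib.concatLists` code made the same assumption, but it was visible at the use site; now it is hidden in a helper, so I'd add `# primaryIP/primaryIP4 of every dns-enabled node with dns.primary == isPrimary; empty addresses are wrapped in mkIf and dropped when the settings option type merges the list (not by flatten)`. I cannot see the option's type from here, so whether that merge actually happens is worth confirming once. The `name` parameter is unused in both lambdas; `_: node:` would make that explicit.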
@@ -49,95 +57,105 @@ in {
 ) nodes
 );
- environment.etc = (lib.mapAttrs' (name: zone: {
- name = "${cfg.zonesDir}/${name}.zone";
- value = { source = pkgs.dns.util."${currentSystem}".writeZone name zone; };
- }) cfg.allZones);
+ environment.etc = (lib.mapAttrs' (name: zone: {
+ name = "${cfg.zonesDir}/${name}.zone";
+ value = { source = pkgs.dns.util."${currentSystem}".writeZone name zone; };
+ }) cfg.allZones);
- services.knot = {
+ services.knot = let
+ primaryAddresses = getAddressesFunction nodes true;
+ secondaryAddresses = getAddressesFunction nodes false;
+ in {
 enable = true;
 keyFiles = [];
 settings = {
- log.syslog.any = "info";
-
- server = {
- automatic-acl = true;
- listen = [
- (lib.mkIf (config.networking.primaryIP != "") "${config.networking.primaryIP}@53")
- (lib.mkIf (config.networking.primaryIP4 != "") "${config.networking.primaryIP4}@53")
- ];
- };
-
- remote = [
- {
- id = "primary";
- address = lib.concatLists (
- lib.mapAttrsToList (
- name: node: [
- (lib.mkIf (node.config.networking.primaryIP != "") node.config.networking.primaryIP)
- (lib.mkIf (node.config.networking.primaryIP4 != "") node.config.networking.primaryIP4)
- ]
- ) (lib.filterAttrs (name: node: node.config.dns.enable && node.config.dns.primary) nodes)
- );
- }
- {
- id = "secondary";
- address = lib.concatLists (
- lib.mapAttrsToList (
- name: node: [
- (lib.mkIf (node.config.networking.primaryIP != "") node.config.networking.primaryIP)
- (lib.mkIf (node.config.networking.primaryIP4 != "") node.config.networking.primaryIP4)
- ]
- ) (lib.filterAttrs (name: node: node.config.dns.enable && !node.config.dns.primary) nodes)
- );
- }
- ];
-
- template.default = {
- storage = "${cfg.dataDir}/zones";
- zonefile-sync = -1;
- zonefile-load = "difference-no-serial";
- journal-content = "all";
- notify = lib.mkIf cfg.primary "secondary";
- master = lib.mkIf (!cfg.primary) "primary";
- };
-
- zone = lib.mapAttrs (name: zone: {}) cfg.allZones;
+ log.syslog.any = "info";
+
+ server.listen = [
+ (lib.mkIf (config.networking.primaryIP != "") "${config.networking.primaryIP}@53")
+ (lib.mkIf (config.networking.primaryIP4 != "") "${config.networking.primaryIP4}@53")
+ ];
+
+ mod-rrl.default.rate-limit = 200;
+ mod-rrl.default.slip = 2;
+
+ remote.primary.address = primaryAddresses;
+ remote.secondary.address = secondaryAddresses;
+
+ acl.primary.address = secondaryAddresses;
+ acl.primary.action = "transfer";
+
+ acl.secondary.address = primaryAddresses;
+ acl.secondary.action = "notify";
+
+ template.default = {
+ semantic-checks = true;
+ global-module = "mod-rrl/default";
+ };
+
+ template.primaryZone = {
+ storage = "${cfg.dataDir}/zones";
+
+ journal-content = "all";
+
+ zonefile-sync = -1;
+ zonefile-load = "difference-no-serial";
+
+ acl = "primary";
+ notify = "secondary";
+
+ catalog-role = "member";
+ catalog-zone = "catalog.";
+ };
+
+ template.secondaryZone = {
+ acl = "secondary";
+ master = "primary";
+ };
+
+ zone = if !cfg.primary then {
+ "catalog.".catalog-role = "interpret";
+ "catalog.".catalog-template = "secondaryZone";
+ } else {
+ "catalog.".catalog-role = "generate";
+ } // (lib.mapAttrs (name: zone: {
+ template = "primaryZone";
+ }) cfg.allZones);
 };
 };
- systemd.tmpfiles.settings = {
- dataDir."${cfg.dataDir}".d = {
- group = "knot";
- user = "knot";
- mode = "770";
- age = "-";
+ systemd.tmpfiles.settings = {
+ knotDataDir."${cfg.dataDir}".d = {
+ group = "knot";
+ user = "knot";
+ mode = "770";
+ age = "-";
 };
- zones."${cfg.dataDir}/zones".d = {
- group = "knot";
- user = "knot";
- mode = "770";
- age = "-";
- };
- };
+ knotZones."${cfg.dataDir}/zones".d = lib.mkIf cfg.primary {
+ group = "knot";
+ user = "knot";
+ mode = "770";
+ age = "-";
+ };
+ };
- systemd.services.knot = lib.mkIf cfg.primary {
- reloadTriggers = lib.mapAttrsToList (name: zone: pkgs.dns.util."${currentSystem}".writeZone name zone) cfg.allZones;
-
- preStart = ''
- set -euo pipefail
- cp --dereference /etc/${cfg.zonesDir}/* ${cfg.dataDir}/zones
- chmod -R 770 ${cfg.dataDir}/zones
- '';
-
- serviceConfig.ExecReload = lib.mkForce (pkgs.writeShellScript "knot-reload" ''
- set -eou pipefail
- cp --dereference /etc/${cfg.zonesDir}/* ${cfg.dataDir}/zones
- chmod -R 770 ${cfg.dataDir}/zones
- ${config.services.knot.package}/bin/knotc reload
- '');
- };
+ systemd.services.knot = lib.mkIf cfg.primary {
+ reloadTriggers = lib.mapAttrsToList (name: zone: pkgs.dns.util."${currentSystem}".writeZone name zone) cfg.allZones;
+
+ preStart = ''
+ set -euo pipefail
+ cp --dereference /etc/${cfg.zonesDir}/* ${cfg.dataDir}/zones
+ chmod -R 770 ${cfg.dataDir}/zones
+ '';
+
+ serviceConfig.ExecReload = lib.mkForce (pkgs.writeShellScript "knot-reload" ''
+ set -eou pipefail
+ cp --dereference /etc/${cfg.zonesDir}/* ${cfg.dataDir}/zones
+ chmod -R 770 ${cfg.dataDir}/zones
+ ${config.services.knot.package}/bin/knotc reload
+ '');
+ };
 };
 }
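Review bot: The `catalog.` zone itself seems to have no transfer configuration: on the primary it gets only `catalog-role = "generate"`, on the secondary only `catalog-role`/`catalog-template`, and `template.default`, which is what applies to it, carries neither `acl`, `notify` nor `master` — so as far as this hunk shows the secondary has no master to fetch the catalog from and the primary neither notifies nor permits transfer of it, meaning member zones would never be provisioned on secondaries. Unless Knot fills this in implicitly (I cannot confirm that from here), the else branch needs `"catalog.".acl = "primary"; "catalog.".notify = "secondary";` and the then branch `"catalog.".template = "secondaryZone";` (or an explicit `master = "primary"` plus `acl = "secondary"`). Separately, `acl.primary` and `acl.secondary` authorize transfer and notify purely by source address while `keyFiles = []` stays empty, so the zone-transfer path has no TSIG authentication; binding a key to both ACLs and the remotes would be the usual hardening, and a comment on the `acl.*` lines should at least record that the trust is address-based. The `zone = if … then … else … // (…)` expression relies on Nix binding `//` tighter than if/then/else, so only the else branch is merged with the member zones — that is the intent here but deserves parentheses or a comment. The enclosing config attribute set starts before this hunk.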