From 4298169a2ab58e019577ac32618cc46f19e45786 Mon Sep 17 00:00:00 2001
From: Nguyễn Gia Phong
Date: Wed, 4 Oct 2023 15:23:01 +0900
Subject: Use nix value to config Knot

---
 dns.nix | 159 ++++++++++++++++++++++++++++++----------------------------------
 1 file changed, 74 insertions(+), 85 deletions(-)
(limited to 'dns.nix')

diff --git a/dns.nix b/dns.nix
index 2a55ba3..1e1b0ea 100644
--- a/dns.nix
+++ b/dns.nix
@@ -18,38 +18,18 @@ { ... }: let
- cercleLibreZone = builtins.toFile "cercle.libre.zone" ''
- @ SOA danh.loang.net. cnx.loang.net. 2023021702 14400 3600 604800 3600
- @ NS danh.loang.net.
- @ A 37.205.11.127
- @ AAAA 2a03:3b40:100::1:2
- '';
- musikePirateZone = builtins.toFile "musike.pirate.zone" ''
- @ SOA danh.loang.net. cnx.loang.net. 2023071727 14400 3600 604800 3600
- @ NS danh.loang.net.
- @ A 37.205.11.127
- @ AAAA 2a03:3b40:100::1:2
- '';
- rubParodyZone = builtins.toFile "rub.parody.zone" ''
- @ SOA danh.loang.net. cnx.loang.net. 2023032101 14400 3600 604800 3600
- @ NS danh.loang.net.
- @ A 37.205.11.127
- @ AAAA 2a03:3b40:100::1:2
- '';
- sinyxIndyZone = builtins.toFile "sinyx.indy.zone" ''
- @ SOA danh.loang.net. cnx.loang.net. 2023022002 14400 3600 604800 3600
- @ NS danh.loang.net.
- @ A 37.205.11.127
- @ AAAA 2a03:3b40:100::1:2
- * A 37.205.11.127
- * AAAA 2a03:3b40:100::1:2
- '';
- stripromanPirateZone = builtins.toFile "striproman.pirate.zone" ''
- @ SOA danh.loang.net. mcsinyx.disroot.org. 2023022023 14400 3600 604800 3600
+ localZone = serial: let s = toString serial;
+ in ''
+ @ SOA danh.loang.net. cnx.loang.net. ${s} 14400 3600 604800 3600
 @ NS danh.loang.net.
 @ A 37.205.11.127
 @ AAAA 2a03:3b40:100::1:2
 '';
+ openNICZone = domain: serial: {
+ domain = domain;
+ file = builtins.toFile "${domain}.zone" (localZone serial);
+ dnssec-signing = false;
+ };
 in {
 networking.firewall = {
 allowedTCPPorts = [ 53 ];
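Review bot: `localZone` hard-codes `cnx.loang.net.` as the SOA contact, so the striproman.pirate zone silently switches from the removed `mcsinyx.disroot.org.` to that address while hunk 2 reuses its old serial `2023022023`; nothing transfers that serial because the `openNICZone` entries configure no secondary, but a resolver holding the old SOA keeps it until its cached copy expires, and the serial no longer tracks the content. If the contact change is intended, bump the serial in the `openNICZone "striproman.pirate"` call; otherwise give the helper a parameter, e.g. `localZone = rname: serial: let s = toString serial; in ''` with `@ SOA danh.loang.net. ${rname} ${s} 14400 3600 604800 3600`, and pass it through `openNICZone` and the sinyx.indy call in hunk 2. A one-line comment on the helper would also help a later reader, e.g. `# Zone served only from this host: no secondary/NOTIFY, DNSSEC signing off.`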
@@ -58,65 +38,74 @@ in {
 services.knot = {
 enable = true;
- extraConfig = ''
- server:
- listen: 0.0.0.0@53
- listen: ::@53
-
- remote:
- - id: secondary
- address: 204.87.183.53@53
- address: 2607:7c80:54:6::53@53
-
- log:
- - target: syslog
- any: info
-
- acl:
- - id: secondary
- address: 204.87.183.53
- address: 2607:7c80:54:6::53
- action: transfer
- - id: xarvos
- key: xrvs.net
- action: update
- update-owner: key
-
- template:
- - id: default
- storage: /var/lib/knot/zones
- file: %s
- dnssec-signing: on
-
- zone:
- - domain: cercle.libre
- file: ${cercleLibreZone}
- dnssec-signing: off
- - domain: cnx.gdn
- notify: secondary
- acl: secondary
- - domain: loang.net
- notify: secondary
- acl: secondary
- - domain: musike.pirate
- file: ${musikePirateZone}
- dnssec-signing: off
- - domain: rub.parody
- file: ${rubParodyZone}
- dnssec-signing: off
- - domain: sinyx.indy
- file: ${sinyxIndyZone}
- dnssec-signing: off
- - domain: striproman.pirate
- file: ${stripromanPirateZone}
- dnssec-signing: off
- - domain: xrvs.net
- notify: secondary
- acl: secondary
- acl: xarvos
- '';
 keyFiles = [ "/var/lib/knot/keys/update/xrvs.net" ];
+ settings = {
+ server.listen = [ "0.0.0.0@53" "::@53" ];
+ remote = [
+ {
+ id = "secondary";
+ address = [ "204.87.183.53@53" "2607:7c80:54:6::53@53" ];
+ }
+ ];
+ log = [
+ {
+ target = "syslog";
+ any = "info";
+ }
+ ];
+ acl = [
+ {
+ id = "secondary";
+ address = [ "204.87.183.53" "2607:7c80:54:6::53" ];
+ action = "transfer";
+ }
+ {
+ id = "xarvos";
+ key = "xrvs.net";
+ action = "update";
+ update-owner = "key";
+ }
+ ];
+ template = [
+ {
+ id = "default";
+ storage = "/var/lib/knot/zones";
+ file = "%s";
+ dnssec-signing = true;
+ }
+ ];
+ zone = [
+ (openNICZone "cercle.libre" 2023021702)
+ {
+ domain = "cnx.gdn";
+ notify = "secondary";
+ acl = [ "secondary" ];
+ }
+ {
+ domain = "loang.net";
+ notify = "secondary";
+ acl = [ "secondary" ];
+ }
+ (openNICZone "musike.pirate" 2023071727)
+ (openNICZone "rub.parody" 2023032101)
+ {
+ domain = "sinyx.indy";
+ file = builtins.toFile "sinyx.indy.zone"
+ ((localZone 2023022002) + ''
+ * A 37.205.11.127
+ * AAAA 2a03:3b40:100::1:2
+ '');
+ dnssec-signing = false;
+ }
+ (openNICZone "striproman.pirate" 2023022023)
+ {
+ domain = "xrvs.net";
+ notify = "secondary";
+ acl = [ "secondary" "xarvos" ];
+ }
+ ];
+ };
 };
 }
-- 
cgit 1.4.1
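Review bot: The `secondary` ACL authorises zone transfers by source address alone, `address = [ "204.87.183.53" "2607:7c80:54:6::53" ]` with no `key`, and the matching `remote` entry sends NOTIFYs the same way, so AXFR/IXFR of cnx.gdn, loang.net and xrvs.net rests on IP checks only; this is carried over from the removed extraConfig rather than introduced here, but the rewrite is a good moment to pin a TSIG key on both the `remote` and the `acl` entry (`key = "<tsig-key-id>";`, loaded through `keyFiles` like the existing update key) so that transfers and NOTIFY are authenticated rather than address-gated. The `template.default` entry keeps `dnssec-signing = true` while the `openNICZone` entries opt out per zone, which deserves a one-line comment above `template`, e.g. `# DNSSEC signing is on by default; openNICZone turns it off for the zones it builds.` The sinyx.indy entry restates `openNICZone`'s body only to append two wildcard records; an optional extra-records argument on the helper in hunk 1 would collapse it to a single call. The enclosing `in { … }` attrset opens before this hunk.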