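{
  pkgs,
  config,
  inputs,
  ...
}:
# NixOS module: Knot DNS as an authoritative, DNSSEC-signing primary for
# bootstrap.radicle.network.  Zone transfers (AXFR/IXFR) are limited to the
# named secondaries via the "transfer" ACL; NOTIFYs go to the "notify" group.
let
  # Write a zone file into the Nix store as `<name>.zone`.
  writeZone = name: text: pkgs.writeText "${name}.zone" text;

  # Minimal zone for the `_acme-challenge.<domain>` delegation (presumably
  # for ACME DNS-01 validation — not referenced by this module yet; the
  # matching "acme" ACL below is still commented out).
  acme = domain: ns:
    writeZone "_acme-challenge.${domain}" ''
      $TTL 600
      @ IN SOA _acme-challenge.${domain}. ${ns}. 2024060801 7200 3600 86400 3600
        IN NS ${ns}.
    '';

  # Minimal zone for `<domain>` itself.  Not referenced by this module yet.
  # FIX: the NS owner was written as `${ns}` without a trailing dot, which
  # makes it relative to the zone origin (`<ns>.<domain>.`); `acme` above
  # already uses the absolute form, so the two helpers now agree.
  update = domain: ns:
    writeZone "${domain}" ''
      $TTL 600
      @ IN SOA ${domain}. ${ns}. 2024060801 7200 3600 86400 3600
        IN NS ${ns}.
    '';
in {
  # Static zone data shipped under /etc/knot.  `secondaries.zone` is installed
  # but not referenced by anything in this module.
  environment.etc."knot/common.zone".source = ./zone/common.zone;
  environment.etc."knot/secondaries.zone".source = ./zone/secondaries.zone;
  # Apex of bootstrap.radicle.network; the rest of the data is $INCLUDEd.
  # NOTE(review): the `zone` entry below loads /etc/knot/bootstrap.zone, not
  # this file, and `dns-sd.zone` is not installed here either — confirm both
  # are provided by another module, or point `file` at this one.
  environment.etc."knot/bootstrap.radicle.network.zone".text = ''
    $TTL 3600
    @ SOA ns1 lorenz\.leutgeb.radicle.dev. 2025101002 14400 3600 1209600 3600
    $INCLUDE common.zone
    $INCLUDE dns-sd.zone
  '';

  # Authoritative DNS needs 53/udp and 53/tcp open to the world.
  networking.firewall = let
    dns = [53];
  in {
    allowedTCPPorts = dns;
    allowedUDPPorts = dns;
  };

  services = {
    knot = {
      enable = true;
      settings = {
        server = {
          # Bind only the public addresses of this host.
          listen = [
            "65.108.87.205" # Hetzner
            "2a01:4f9:c011:b666::1" # Hetzner
          ];
          # Let Knot derive notify/transfer ACLs from the configured remotes
          # (in addition to the explicit "transfer" ACL below).
          automatic-acl = true;
        };

        # Secondary name servers and the upstream used by mod-dnsproxy.
        remote = [
          {
            id = "slave.dns.he.net";
            address = ["2001:470:600::2" "216.218.133.2"];
          }
          {
            id = "ns1.he.net";
            address = [
              # NOTE: Looks like ns1.he.net prefers to receive zone updates via IPv4?
              # "2001:470:100::2"
              "216.218.130.2"
            ];
          }
          {
            id = "ns2.afraid.org";
            address = [
              "69.65.50.192"
              # NOTE: afraid.org seems to only pull and allow our A, but not AAAA records.
              #"2001:1850:1:5:800::6b"
            ];
          }
          {
            id = "puck.nether.net";
            address = [
              "2602:fe55:5::5"
              # NOTE: Only our IPv6 is allowlisted on their end.
              #"204.42.254.5"
            ];
          }
          {
            id = "1984.is";
            address = "93.95.224.6";
          }
          {
            id = "quad9";
            address = ["2620:fe::fe" "2620:fe::9" "9.9.9.9" "149.112.112.112"];
          }
          {
            id = "hetzner";
            address = [
              "213.239.242.238"
              "213.133.100.103"
              "193.47.99.3"
              "2a01:4f8:0:a101::a:1"
              "2a01:4f8:0:1::5ddc:2"
              "2001:67c:192c::add:a3"
            ];
          }
        ];

        # Remote groups: who receives NOTIFY, and who may pull transfers.
        # The two lists differ only in the he.net entry (notify goes to
        # ns1.he.net, transfers are served to slave.dns.he.net).
        remotes = [
          {
            id = "notify";
            remote = [
              "ns1.he.net"
              "ns2.afraid.org"
              "puck.nether.net"
              "1984.is"
              "hetzner"
            ];
          }
          {
            id = "transfer";
            remote = [
              "slave.dns.he.net"
              "ns2.afraid.org"
              "puck.nether.net"
              "1984.is"
              "hetzner"
            ];
          }
        ];

        # NOTE(review): "debug" for every category on a public-facing server is
        # very chatty and lands per-query detail in syslog; "info" is the usual
        # steady-state level — confirm debug is still wanted here.
        log = [
          {
            target = "syslog";
            any = "debug";
          }
        ];

        # Only the "transfer" group may query/transfer through this ACL;
        # everyone else gets plain authoritative answers only.
        acl = [
          {
            id = "transfer";
            action = [
              "query"
              "transfer"
            ];
            remote = "transfer";
          }
          /*
          {
            id = "acme";
            action = "update";
            key = "acme";
          }
          */
        ];

        # Response rate limiting — mitigates use of this server in
        # reflection/amplification; attached globally via the default template.
        mod-rrl = [
          {
            id = "default";
            rate-limit = 500;
            slip = 2;
          }
        ];

        # Defined but NOT attached to any template (only mod-rrl/default is in
        # `global-module`), so it is inactive.  If it is ever enabled with
        # `fallback = true`, non-authoritative queries from anyone would be
        # forwarded to Quad9 — i.e. this host becomes an open forwarder;
        # pair it with an ACL before turning it on.
        mod-dnsproxy = [
          {
            id = "default";
            remote = "quad9";
            fallback = true;
          }
        ];

        template = [
          {
            id = "default";
            semantic-checks = "on";
            global-module = [
              "mod-rrl/default"
            ];
            # Knot manages the serial itself (needed for automatic DNSSEC
            # re-signing); the signed zone lives in the journal and is never
            # written back to the zone file (sync disabled with -1).
            zonefile-load = "difference-no-serial";
            zonefile-sync = "-1";
            journal-content = "all";
          }
          {
            # Zones we are primary for: restrict transfers to the ACL above.
            id = "primary";
            acl = [
              "transfer"
            ];
          }
        ];

        zone = [
          {
            # See NOTE(review) on the /etc/knot zone file above: this path does
            # not match the `bootstrap.radicle.network.zone` file this module
            # installs.
            file = "/etc/knot/bootstrap.zone";
            domain = "bootstrap.radicle.network";
            template = "primary";
            # Automatic (Knot-managed) DNSSEC signing and key rollover.
            dnssec-signing = true;
          }
        ];
      };
    };
  };
}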