
commit 148309f050938d11a0e8543fdcbf2e5c5cfe752e
parent 87838de18557893d1783e1ac7b2d18f1fe8a4ce1
Author: Katja (zaphyra) <git@ctu.cx>
Date: Fri, 23 May 2025 22:32:20 +0200

config/nixos/modules/services/knotACME: store acme-zone as mutable file
2 files changed, 47 insertions(+), 21 deletions(-)
M
config/nixos/modules/services/knot.nix
|
1
+
M
config/nixos/modules/services/knotACME.nix
|
67
++++++++++++++++++++++++++++++++++++++++++++++---------------------
diff --git a/config/nixos/modules/services/knot.nix b/config/nixos/modules/services/knot.nix
@@ -122,6 +122,7 @@ in
             (lib.mkIf (hostConfig.networking.ip6Address != "") "${hostConfig.networking.ip6Address}@53")
             (lib.mkIf (hostConfig.networking.ip4Address != "") "${hostConfig.networking.ip4Address}@53")
             "::1@53"
+            "127.0.0.2@53"
           ];
 
           mod-rrl.default.rate-limit = 200;
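Review bot: The added listen address `"127.0.0.2@53"` carries no comment, and unlike the surrounding entries its purpose cannot be read from the code (the others are the host's public addresses and `::1`); a reader has to guess what listens on or queries the second loopback address. A one-line comment on that line would settle it, e.g. `"127.0.0.2@53" # loopback alias for <local consumer> — fill in`. The enclosing `listen` list and the `in` block it sits in start outside the hunk.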
diff --git a/config/nixos/modules/services/knotACME.nix b/config/nixos/modules/services/knotACME.nix
@@ -85,33 +85,58 @@ in
         |> lib.listToAttrs
       );
 
+      systemd.services.knot =
+        let
+          acmeZoneFile = pkgs.writeTextFile {
+            name = "${cfg.zone}.zone";
+            text = dnsNix.types.zoneToString cfg.zone (
+              dnsNix.evalZone cfg.zone (
+                with dnsNix.combinators;
+                {
+                  NS = cfg.nameServers;
+                  SOA = {
+                    nameServer = lib.elemAt cfg.nameServers 0;
+                    adminEmail = "dns@${cfg.zone}"; # Email address with a real `@`!
+                    serial = 0;
+                  };
+                }
+              )
+            );
+          };
+        in
+        {
+          reloadTriggers = [
+            "${config.modules.services.knot.dataDir}/acme.zone"
+          ];
+          serviceConfig = {
+            ExecStartPre = [
+              (pkgs.writeShellScript "knot-acmeZone-preStart" ''
+                set -eou pipefail
+                cp --dereference ${acmeZoneFile} ${config.modules.services.knot.dataDir}/acme.zone
+                chmod -R 770 ${config.modules.services.knot.dataDir}/acme.zone
+              '')
+            ];
+            ExecReload = lib.mkForce (
+              pkgs.writeShellScript "knot-reload" ''
+                set -eou pipefail
+                cp --dereference ${acmeZoneFile} ${config.modules.services.knot.dataDir}/acme.zone
+                chmod -R 770 ${config.modules.services.knot.dataDir}/acme.zone
+                ${config.services.knot.package}/bin/knotc reload
+              ''
+            );
+          };
+        };
+
       modules.services.knot = {
         keyFiles = [ cfg.keyFile ];
         zones = {
           "${cfg.zone}" = {
-            file = toString (
-              pkgs.writeTextFile {
-                name = "${cfg.zone}.zone";
-                text = dnsNix.types.zoneToString cfg.zone (
-                  dnsNix.evalZone cfg.zone (
-                    with dnsNix.combinators;
-                    {
-                      NS = cfg.nameServers;
-                      SOA = {
-                        nameServer = lib.elemAt cfg.nameServers 0;
-                        adminEmail = "dns@${cfg.zone}"; # Email address with a real `@`!
-                        serial = 0;
-                      };
-                    }
-                  )
-                );
-              }
-            );
+            file = "${config.modules.services.knot.dataDir}/acme.zone";
 
-            zonefile-sync = -1;
-            zonefile-load = "difference";
+            zonefile-sync = 0;
+            zonefile-load = "difference-no-serial";
 
-            journal-content = "changes";
+            journal-content = "all";
 
             acl = lib.mkIf ((lib.attrNames nodesWithACMERecords) != [ ]) (
               nodesWithACMERecords |> lib.mapAttrsToList (hostName: _: "acme-nix-${hostName}")
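Review bot: The new `reloadTriggers` entry is the constant string `${config.modules.services.knot.dataDir}/acme.zone`, which is the same in every generation, so as far as I can tell the service is never reloaded when the generated zone data changes; the trigger should be the derivation, `reloadTriggers = [ acmeZoneFile ];`. The `chmod -R 770` in both ExecStartPre and ExecReload targets a regular file, where `-R` is a no-op and the execute bit serves no purpose for a zone file, so `chmod 660` is the mode that matches what Knot needs (this presumes the file ends up owned by the user/group Knot runs as, which the hunk does not show). The copy-and-chmod pair is duplicated verbatim between the two scripts, so a single shared script keeps them from drifting; a possible shape is below.
```nix
systemd.services.knot =
  let
    acmeZoneFile = pkgs.writeTextFile { /* … unchanged: zone template … */ };
    zonePath = "${config.modules.services.knot.dataDir}/acme.zone";
    # Shared by ExecStartPre and ExecReload: refresh the mutable zone file from the
    # store template and make it writable for Knot (no execute bit needed).
    installZone = pkgs.writeShellScript "knot-acmeZone-install" ''
      set -eou pipefail
      cp --dereference ${acmeZoneFile} ${zonePath}
      chmod 660 ${zonePath}
    '';
  in
  {
    # Reload when the generated zone data changes; the dataDir path itself never does.
    reloadTriggers = [ acmeZoneFile ];
    serviceConfig = {
      ExecStartPre = [ installZone ];
      ExecReload = lib.mkForce (
        pkgs.writeShellScript "knot-reload" ''
          set -eou pipefail
          ${installZone}
          ${config.services.knot.package}/bin/knotc reload
        ''
      );
    };
  };
```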