dynamic dns updates

nix/modules/caddy/default.nix

@@ -4,6 +4,7 @@ let
   caddy = pkgs.caddy.withPlugins {
     plugins = [
       "github.com/noratrieb-mirrors/certmagic-s3@v1.1.3"
+      "github.com/caddy-dns/rfc2136@v1.0.0"
     ];
     hash = "sha256-HdCXbqrrGPZSdHv7bZvGz9T6loVbrfKydTbjTyt5Wt0=";
   };
@@ -47,6 +48,17 @@ in
         insecure true
       }
 
+      acme_dns rfc2136 {
+        key_name "test"
+        key_alg "hmac-sha256"
+        key ""
+        server "dns1.local:53"
+      }
+
+      tls {
+        dns_challenge_override_domain "nilstrieb.dev"
+      }
+
       servers {
         metrics
       }

nix/modules/dns/default.nix

@@ -1,6 +1,12 @@
-{ pkgs, lib, networkingConfig, ... }:
+{ pkgs, lib, networkingConfig, config, ... }:
 let metricsPort = 9433; in
 {
+  age.secrets.knot_dns_rfc2136_key_config = {
+    file =
+      ../../secrets/knot_dns_rfc2136_key_config.age;
+    owner = "knot";
+  };
+
   # get the package for the debugging tools
   environment.systemPackages = with pkgs; [ knot-dns ];
 
@@ -21,12 +27,25 @@ let metricsPort = 9433; in
 
   services.knot = {
     enable = true;
+    keyFiles = [ config.age.secrets.knot_dns_rfc2136_key_config.path ];
     settingsFile = pkgs.writeTextFile {
       name = "knot.conf";
       text = ''
         server:
             listen: 0.0.0.0@53
             listen: ::@53
+        
+        key:
+          - id: rfc2136-update
+            algorithm: hmac-sha256
+            secret: QRpeYCJLokRWyzT/tWrxaly5Seb5yTkE6/Ub66edWds=
+        
+        acl:
+          - id: update_acl
+            address: 10.0.0.0/24
+            key: rfc2136-update
+            action: update
+            update-type: [TXT]
 
         zone:
           - domain: noratrieb.dev
@@ -35,6 +54,7 @@ let metricsPort = 9433; in
           - domain: nilstrieb.dev
             storage: /var/lib/knot/zones/
             file: ${import ./nilstrieb.dev.nix { inherit pkgs lib networkingConfig; }}
+            acl: update_acl
         log:
           - target: syslog
             any: info

nix/modules/dns/noratrieb.dev.nix

@@ -51,6 +51,9 @@ let
         ns1 = dns1;
         ns2 = dns2;
 
+        # --- ACME setup for caddy
+        _acme-challenge.CNAME = [ (cname "_acme-challenge.nilstrieb.dev.") ];
+
         # --- website stuff
         blog = vps1;
         www = vps1;