dynamic dns updates

2026-01-16 01:25:09 +01:00 · 2025-08-13 20:36:27 +02:00 · 2025-08-13 20:36:27 +02:00 · 3c1ec0f287
commit 3c1ec0f287
parent 56cf4e9212
35 changed files with 109 additions and 67 deletions
--- a/nix/modules/dns/default.nix
+++ b/nix/modules/dns/default.nix
@ -1,6 +1,12 @@
-{ pkgs, lib, networkingConfig, ... }:
+{ pkgs, lib, networkingConfig, config, ... }:
 let metricsPort = 9433; in
 {
+  age.secrets.knot_dns_rfc2136_key_config = {
+    file =
+      ../../secrets/knot_dns_rfc2136_key_config.age;
+    owner = "knot";
+  };
+
  # get the package for the debugging tools
  environment.systemPackages = with pkgs; [ knot-dns ];

@ -21,12 +27,25 @@ let metricsPort = 9433; in

  services.knot = {
    enable = true;
+    keyFiles = [ config.age.secrets.knot_dns_rfc2136_key_config.path ];
    settingsFile = pkgs.writeTextFile {
      name = "knot.conf";
      text = ''
        server:
            listen: 0.0.0.0@53
            listen: ::@53
+        
+        key:
+          - id: rfc2136-update
+            algorithm: hmac-sha256
+            secret: QRpeYCJLokRWyzT/tWrxaly5Seb5yTkE6/Ub66edWds=
+        
+        acl:
+          - id: update_acl
+            address: 10.0.0.0/24
+            key: rfc2136-update
+            action: update
+            update-type: [TXT]

        zone:
          - domain: noratrieb.dev
@ -35,6 +54,7 @@ let metricsPort = 9433; in
          - domain: nilstrieb.dev
            storage: /var/lib/knot/zones/
            file: ${import ./nilstrieb.dev.nix { inherit pkgs lib networkingConfig; }}
+            acl: update_acl
        log:
          - target: syslog
            any: info
--- a/nix/modules/dns/noratrieb.dev.nix
+++ b/nix/modules/dns/noratrieb.dev.nix
@ -51,6 +51,9 @@ let
        ns1 = dns1;
        ns2 = dns2;

+        # --- ACME setup for caddy
+        _acme-challenge.CNAME = [ (cname "_acme-challenge.nilstrieb.dev.") ];
+
        # --- website stuff
        blog = vps1;
        www = vps1;