knot: fix acls

2024-03-17 14:34:56 +01:00 · 2024-03-17 14:34:56 +01:00 · ec63f15c64
parent 607fbc7b00
commit ec63f15c64
2 changed files with 24 additions and 7 deletions
--- a/hosts/knot/default.nix
+++ b/hosts/knot/default.nix
@ -40,17 +40,33 @@
      acl = [
        {
          id = "jabber";
-          key = "jabber";
+          key = "jabber.c3d2.de";
          action = "update";
          update-owner = "name";
          update-owner-match = "sub-or-equal";
          update-owner-name = [ "jabber.c3d2.de." ];
        }
+        {
+          id = "axfr";
+          address = [
+            # INWX
+            "2a0a:c980::53/128"
+            # Inbert
+            "2001:67c:1400:2240::1/128"
+            # dns.serv.zentralwerk.org
+            "172.20.73.2/32"
+            "2a00:8180:2c00:282:2::2"
+            # ns.spaceboyz.net
+            "95.217.229.209/32"
+            "2a01:4f9:4b:39ec::4/128"
+          ];
+          action = [ "transfer" "notify" ];
+        }
      ];

      log = [ {
        target = "syslog";
-        any = "info";
+        any = "debug";
      } ];

      mod-stats = [ {
@ -107,13 +123,14 @@
        zonefile-load = "difference-no-serial";
      } ];

-      zone = map (zone: {
+      zone = map ({ acl ? [], ... }@zone: {
        inherit (zone) domain;
        template = "default";
        notify = [ "all" ];
+        acl = [ "axfr" ] ++ acl;
      }) [
        { domain = "c3dd.de"; }
-        { domain = "c3d2.de"; }
+        { domain = "c3d2.de"; acl = [ "jabber" ]; }
        { domain = "hq.c3d2.de"; }
        { domain = "dyn.hq.c3d2.de"; }
        # TODO: consolidate
--- a/hosts/knot/secrets.yaml
+++ b/hosts/knot/secrets.yaml
@ -1,5 +1,5 @@
 knot:
-    keyFile: ENC[AES256_GCM,data:abZvm9g13J8yQ22OVkFQey9XGG4hl09qWUzqFJNNS8afEcT4vAbxZCLbrRSnCCI8uZn28/PgRMVPmKhV2l1VEBaiNt8Is2cWT0bf5CQK4P4P3f+/FY2LF6SzVEGpGkEioNM=,iv:x42ABoG+3qwj6K2l/SLySCQW3t2vgdMfazxwqWrQU9w=,tag:tovVGK6gJny8XR5bFo4QPg==,type:str]
+    keyFile: ENC[AES256_GCM,data:AIljRkmOy8qjkJHM3er0JVJdE3iD2oFJ/hDXsrBDvQ5u2G08/eqz+e9KQoYLaSg7GU5+Io1O6ADUPlCi2g5pGz4rkLFlhLFCVTOUFgex9dkchIQ9gMELPCAm6kAMZlPnfv2UnG9EaQCtT0LpCOItpQ==,iv:d3ARHmPo/+VU/4Dmxth2ar7y1AMF0ruO/7ddqPqTsdA=,tag:F7JuHNkusL92sTgp5a1oRg==,type:str]
 ssh-keys:
    knot:
        public: ENC[AES256_GCM,data:LxJqnVOjC7PD6Muup96Ep83/7MvhyIbE8iBB7Yxd2MkCIWZVuHhVcNgVBP9IaMs8cj4RPNq8NUJSP3AjRM0U+EDDXyRwend0GzpIERGoNEJOoqbCF1Ts9wVx4EEWrQ==,iv:RD8WYJURlTktuHP4CMo6KxS8N/H7adTt7pPttSEFuHM=,tag:e6JLyGvKJi+Nt1yP9gT2wA==,type:str]
@ -28,8 +28,8 @@ sops:
            RyswT3E2Rnh2aTZMdXI0QnJRQVFNYVUKu9yv8wZ7X6mmFc3wj/4cOL9mZrP0Q6F7
            fXtdZr93TmTK9cG5EuBYuGDvOooFsPeSLSjP6BFRG+2+X+QxK7nSFg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-28T00:01:53Z"
-    mac: ENC[AES256_GCM,data:h0KiAAn9uNCvcbhwlAl53SVZnG5q8JvC2OWinoC3Q0+U1HXePLynl2Hn1sV87KCig+KlcokbgmFot7NyA0pzOuvbRWcjwJr8FEsb3wRvjxipF+B9z+yLwZ/RXaDgnYoa6pdPkA6eoAA33PO43tlSpaLf+/yRW6Ya/1l3wE/GY20=,iv:A/7PmpYq09vhsPosxITkHBPJnQkCo7EVcu+biOF0yiQ=,tag:YevwhNkWvqCf/JNz7Wrdlw==,type:str]
+    lastmodified: "2024-03-17T13:30:09Z"
+    mac: ENC[AES256_GCM,data:iAqigiacq2TjY+TzoxGju7tuo0eEnH8KrRrm/cMGwBzDwaCIT96JkKxva7gxqD1TUW9P5sWaM7ZEYJd6l4CDxgdJ3/ayyjABhAKR2AeMuSUaRWomauePKP2I83V5w5BIUODDtw7eHitkyZpZAm8/at+YI1OlEhWb06sDG0T1KN4=,iv:AJ/Lf9w4zxm0kJxuoCsHmTvwGslQdWqqmOuCaYOwgWc=,tag:tXtZSupLTnXYASTtDmYfLQ==,type:str]
    pgp:
        - created_at: "2023-08-08T22:43:21Z"
          enc: |