From ec63f15c64ce97d5b8acf043b16bc5aa8079bfed Mon Sep 17 00:00:00 2001
From: Astro
Date: Sun, 17 Mar 2024 14:34:56 +0100
Subject: [PATCH] knot: fix acls
---
 hosts/knot/default.nix | 25 +++++++++++++++++++++----
 hosts/knot/secrets.yaml | 6 +++---
 2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/hosts/knot/default.nix b/hosts/knot/default.nix
index e2bf8a31..3919179a 100644
--- a/hosts/knot/default.nix
+++ b/hosts/knot/default.nix
@@ -40,17 +40,33 @@
 acl = [ {
 id = "jabber";
- key = "jabber";
+ key = "jabber.c3d2.de";
 action = "update";
 update-owner = "name";
 update-owner-match = "sub-or-equal";
 update-owner-name = [ "jabber.c3d2.de." ];
 }
+ {
+ id = "axfr";
+ address = [
+ # INWX
+ "2a0a:c980::53/128"
+ # Inbert
+ "2001:67c:1400:2240::1/128"
+ # dns.serv.zentralwerk.org
+ "172.20.73.2/32"
+ "2a00:8180:2c00:282:2::2"
+ # ns.spaceboyz.net
+ "95.217.229.209/32"
+ "2a01:4f9:4b:39ec::4/128"
+ ];
+ action = [ "transfer" "notify" ];
+ }
 ];
 log = [ {
 target = "syslog";
- any = "info";
+ any = "debug";
 } ];
 mod-stats = [ {
@@ -107,13 +123,14 @@
 zonefile-load = "difference-no-serial";
 } ];
- zone = map (zone: {
+ zone = map ({ acl ? [], ... }@zone: {
 inherit (zone) domain;
 template = "default";
 notify = [ "all" ];
+ acl = [ "axfr" ] ++ acl;
 }) [
 { domain = "c3dd.de"; }
- { domain = "c3d2.de"; }
+ { domain = "c3d2.de"; acl = [ "jabber" ]; }
 { domain = "hq.c3d2.de"; }
 { domain = "dyn.hq.c3d2.de"; }
 # TODO: consolidate
diff --git a/hosts/knot/secrets.yaml b/hosts/knot/secrets.yaml
index 657750ee..768f331e 100644
--- a/hosts/knot/secrets.yaml
+++ b/hosts/knot/secrets.yaml
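Review bot: The log level change from `any = "info";` to `any = "debug";` in the first hunk is unrelated to the ACL fix named in the subject and switches the authoritative server to full debug logging, which is noisy and records far more per-query detail than an `info` log; if it was only needed while troubleshooting the ACLs, revert it to `any = "info";` or state in the commit why it stays. In the new `axfr` entry, `"2a00:8180:2c00:282:2::2"` is the only address without an explicit prefix length; a bare address is accepted by Knot as a single host, so it works, but `"2a00:8180:2c00:282:2::2/128"` keeps the list uniform and makes the intent visible. The transfer ACL matches on source address only; where the listed secondaries support it, adding a `key` to the same entry makes Knot require both the address and a valid TSIG signature, which is the stronger check for the `transfer` action.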
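Review bot: In the second hunk `acl = [ "axfr" ] ++ acl;` attaches the transfer/notify ACL to every zone produced by the `map`, including `hq.c3d2.de` and `dyn.hq.c3d2.de`, and a zone entry has no way to opt out because the default is always prepended. If every zone in this list really is served by the secondaries in `axfr`, a comment above the `map` should say so, e.g. `# every zone here is transferred to the "axfr" secondaries; per-zone acls are appended`. Otherwise a per-zone switch such as `{ acl ? [], transfer ? true, ... }@zone:` with `acl = (if transfer then [ "axfr" ] else []) ++ acl;` would let internal zones stay local. The zone list continues past the end of the hunk, so entries after `# TODO: consolidate` receive the same ACL.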
@@ -1,5 +1,5 @@
 knot:
- keyFile: ENC[AES256_GCM,data:abZvm9g13J8yQ22OVkFQey9XGG4hl09qWUzqFJNNS8afEcT4vAbxZCLbrRSnCCI8uZn28/PgRMVPmKhV2l1VEBaiNt8Is2cWT0bf5CQK4P4P3f+/FY2LF6SzVEGpGkEioNM=,iv:x42ABoG+3qwj6K2l/SLySCQW3t2vgdMfazxwqWrQU9w=,tag:tovVGK6gJny8XR5bFo4QPg==,type:str]
+ keyFile: ENC[AES256_GCM,data:AIljRkmOy8qjkJHM3er0JVJdE3iD2oFJ/hDXsrBDvQ5u2G08/eqz+e9KQoYLaSg7GU5+Io1O6ADUPlCi2g5pGz4rkLFlhLFCVTOUFgex9dkchIQ9gMELPCAm6kAMZlPnfv2UnG9EaQCtT0LpCOItpQ==,iv:d3ARHmPo/+VU/4Dmxth2ar7y1AMF0ruO/7ddqPqTsdA=,tag:F7JuHNkusL92sTgp5a1oRg==,type:str]
 ssh-keys:
 knot:
 public: ENC[AES256_GCM,data:LxJqnVOjC7PD6Muup96Ep83/7MvhyIbE8iBB7Yxd2MkCIWZVuHhVcNgVBP9IaMs8cj4RPNq8NUJSP3AjRM0U+EDDXyRwend0GzpIERGoNEJOoqbCF1Ts9wVx4EEWrQ==,iv:RD8WYJURlTktuHP4CMo6KxS8N/H7adTt7pPttSEFuHM=,tag:e6JLyGvKJi+Nt1yP9gT2wA==,type:str]
@@ -28,8 +28,8 @@ sops:
 RyswT3E2Rnh2aTZMdXI0QnJRQVFNYVUKu9yv8wZ7X6mmFc3wj/4cOL9mZrP0Q6F7
 fXtdZr93TmTK9cG5EuBYuGDvOooFsPeSLSjP6BFRG+2+X+QxK7nSFg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-28T00:01:53Z"
- mac: ENC[AES256_GCM,data:h0KiAAn9uNCvcbhwlAl53SVZnG5q8JvC2OWinoC3Q0+U1HXePLynl2Hn1sV87KCig+KlcokbgmFot7NyA0pzOuvbRWcjwJr8FEsb3wRvjxipF+B9z+yLwZ/RXaDgnYoa6pdPkA6eoAA33PO43tlSpaLf+/yRW6Ya/1l3wE/GY20=,iv:A/7PmpYq09vhsPosxITkHBPJnQkCo7EVcu+biOF0yiQ=,tag:YevwhNkWvqCf/JNz7Wrdlw==,type:str]
+ lastmodified: "2024-03-17T13:30:09Z"
+ mac: ENC[AES256_GCM,data:iAqigiacq2TjY+TzoxGju7tuo0eEnH8KrRrm/cMGwBzDwaCIT96JkKxva7gxqD1TUW9P5sWaM7ZEYJd6l4CDxgdJ3/ayyjABhAKR2AeMuSUaRWomauePKP2I83V5w5BIUODDtw7eHitkyZpZAm8/at+YI1OlEhWb06sDG0T1KN4=,iv:AJ/Lf9w4zxm0kJxuoCsHmTvwGslQdWqqmOuCaYOwgWc=,tag:tXtZSupLTnXYASTtDmYfLQ==,type:str]
 pgp:
 - created_at: "2023-08-08T22:43:21Z"
 enc: |