falkenstein: enable dnssec

hosts/falkenstein/modules/dns/default.nix

@@ -1,21 +1,10 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
-{
+let
-  services.bind = {
+  zonefile = pkgs.writeText "rfive.de.zone.txt" ''
-    enable = true;
-    zones = {
-      "rfive.de" = {
-        master = true;
-        slaves = [
-          "185.181.104.96"
-        ];
-        extraConfig = ''
-          also-notify {185.181.104.96;};
-        '';
-        file = pkgs.writeText "rfive.de_zone.txt" ''
     $TTL 3600
     $ORIGIN rfive.de.
         
-          rfive.de.  86400  IN  SOA ns.rfive.de. hostmaster.rfive.de. 2024030836 10800 3600 604800 3600
+    rfive.de.  86400  IN  SOA ns.rfive.de. hostmaster.rfive.de. 2024030838 10800 3600 604800 3600
     @ NS ns0.rfive.de.
     @ NS ns.inwx.de.
     @ NS ns2.inwx.de.
@@ -59,9 +48,30 @@
     trucks     CNAME falkenstein.rfive.de.
     vault      CNAME nuc.rfive.de.
   '';
+in
+{
+  services.bind = rec {
+    enable = true;
+    directory = "/var/lib/bind";
+    zones = {
+      "rfive.de" = {
+        master = true;
+        slaves = [
+          "185.181.104.96"
+        ];
+        extraConfig = ''
+          also-notify {185.181.104.96;};
+          dnssec-policy default;
+          inline-signing yes;
+        '';
+        file = "${directory}/rfive.de.zone.txt";
       };
     };
   };
+  systemd.services.bind.preStart = ''
+    # copy the file manually to its destination since signing requires a writable directory
+    ${pkgs.coreutils}/bin/cp ${zonefile} ${config.services.bind.directory}/rfive.de.zone.txt
+  '';
   networking.firewall.allowedUDPPorts = [ 53 ];
   networking.firewall.allowedTCPPorts = [ 53 ];
 }