| -rw-r--r-- | .envrc | 1 | ||||
| -rw-r--r-- | .forgejo/workflows/resign-root-dnssec.yaml | 18 | ||||
| -rw-r--r-- | .gitignore | 3 | ||||
| -rw-r--r-- | flake.lock | 80 | ||||
| -rw-r--r-- | flake.nix | 57 |
5 files changed, 159 insertions, 0 deletions
@@ -0,0 +1 @@
+use flake
diff --git a/.forgejo/workflows/resign-root-dnssec.yaml b/.forgejo/workflows/resign-root-dnssec.yaml
new file mode 100644
index 0000000..b8d47ff
--- /dev/null
+++ b/.forgejo/workflows/resign-root-dnssec.yaml
@@ -0,0 +1,18 @@
+name: build signed-dns-root
+on:
+ push:
+ schedule:
+ - cron: "0 0 * * *"
+ workflow_dispatch:
+jobs:
+ deploy:
+ runs-on: debian-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Install Nix on the host
+ uses: https://forgejo.spacetime.technology/actions/nix/install@main
+ with:
+ install-url: "https://nixos.org/nix/install"
+ - name: make-root-zone
+ run: nix run .#apps.x86_64-linux.sign-root-zone
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ac51a8d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/result
+.direnv
+*.private
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..f6d13e2
--- /dev/null
+++ b/flake.lock
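Review bot: The `uses: https://forgejo.spacetime.technology/actions/nix/install@main` step follows a mutable branch and `actions/checkout@v4` a movable tag, so the job that produces DNSSEC trust-anchor material runs whatever those refs point to on the day the cron fires; pin both to a full commit SHA (e.g. `uses: https://forgejo.spacetime.technology/actions/nix/install@<commit-sha>`) and bump them deliberately. The job ends after `run: nix run .#apps.x86_64-linux.sign-root-zone` with no step that commits or uploads `./output/`, so as far as this hunk shows the generated `anchor.key`/`anchor.ds` are discarded with the runner — presumably a later step or the app itself is meant to persist them. Triggering on every `push:` as well as daily also means each push regenerates the anchor; if that is unintended, restrict the push trigger to the relevant branch or paths.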
@@ -0,0 +1,80 @@
+{
+ "nodes": {
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": "nixpkgs-lib"
+ },
+ "locked": {
+ "lastModified": 1743550720,
+ "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+ "ref": "refs/heads/main",
+ "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+ "shallow": true,
+ "type": "git",
+ "url": "https://forgejo.spacetime.technology/nix-mirrors/flake-parts"
+ },
+ "original": {
+ "shallow": true,
+ "type": "git",
+ "url": "https://forgejo.spacetime.technology/nix-mirrors/flake-parts"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1746576598,
+ "narHash": "sha256-FshoQvr6Aor5SnORVvh/ZdJ1Sa2U4ZrIMwKBX5k2wu0=",
+ "ref": "nixpkgs-unstable",
+ "rev": "b3582c75c7f21ce0b429898980eddbbf05c68e55",
+ "shallow": true,
+ "type": "git",
+ "url": "https://forgejo.spacetime.technology/nix-mirrors/nixpkgs"
+ },
+ "original": {
+ "ref": "nixpkgs-unstable",
+ "shallow": true,
+ "type": "git",
+ "url": "https://forgejo.spacetime.technology/nix-mirrors/nixpkgs"
+ }
+ },
+ "nixpkgs-lib": {
+ "locked": {
+ "lastModified": 1743296961,
+ "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "flake-parts": "flake-parts",
+ "nixpkgs": "nixpkgs",
+ "system": "system"
+ }
+ },
+ "system": {
+ "locked": {
+ "lastModified": 1732204055,
+ "narHash": "sha256-mHtkcHm37MDme/NSxU7hFU8SxM9GaX5tjznWAWBCxc8=",
+ "ref": "refs/heads/master",
+ "rev": "19d677525610a6169835e353678bf463600489ac",
+ "shallow": true,
+ "type": "git",
+ "url": "https://forgejo.spacetime.technology/arbel/nix-system"
+ },
+ "original": {
+ "shallow": true,
+ "type": "git",
+ "url": "https://forgejo.spacetime.technology/arbel/nix-system"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..b4c70d0
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,57 @@
+{
+ description = "resign-dnssec";
+
+ inputs = {
+ nixpkgs.url = "git+https://forgejo.spacetime.technology/nix-mirrors/nixpkgs?ref=nixpkgs-unstable&shallow=1";
+ flake-parts.url = "git+https://forgejo.spacetime.technology/nix-mirrors/flake-parts?shallow=1";
+ system.url = "git+https://forgejo.spacetime.technology/arbel/nix-system?shallow=1";
+ };
+
+ outputs = { self, ... }@inputs:
+ inputs.flake-parts.lib.mkFlake { inherit inputs self; } {
+ flake = {
+ };
+ systems = inputs.system.arches;
+ perSystem = { pkgs, ... }: {
+ devShells = {
+ default = pkgs.mkShell {
+ nativeBuildInputs = [
+ pkgs.dig
+ pkgs.bind
+ ];
+ };
+ };
+ apps = {
+ default = self.apps.sign-root-zone;
+ sign-root-zone = {
+ type = "app";
+ program = pkgs.writeShellApplication {
+ name = "sign-root-zone";
+ runtimeInputs = [ pkgs.bind pkgs.git ];
+ text = /*bash*/ ''
+ set -x
+ tmpdir="$(mktemp -d)"
+ cleanup () {
+ if [ -n "$tmpdir" ]; then
+ rm -r "$tmpdir"
+ fi
+ }
+ trap cleanup EXIT
+
+ dnssec-keygen -K "$tmpdir" -f KSK -a ECDSA384 -b 4096 -n ZONE .
+ cp "$tmpdir/"*.key ./output/anchor.key
+ dnssec-dsfromkey "$tmpdir/"*.key > ./output/anchor.ds
+
+ mkdir -p "$tmpdir/zonekey"
+ dnssec-keygen -K "$tmpdir/zonekey" -a ECDSA384 -b 4096 -n ZONE .
+
+
+ echo "$tmpdir"
+
+ '';
+ };
+ };
+ };
+ };
+ };
+} |
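Review bot: `cp "$tmpdir/"*.key ./output/anchor.key` and the `> ./output/anchor.ds` redirection assume `./output/` already exists, but nothing in the script creates it (contrast `mkdir -p "$tmpdir/zonekey"` a few lines later); since writeShellApplication runs with errexit, a fresh checkout without that directory aborts the CI run, so add `mkdir -p ./output` before the first `cp`. The KSK written to `$tmpdir` is removed by the EXIT trap and no signing step runs before that, so every run publishes a new `anchor.ds` whose private half is gone by the time the script returns — presumably the `dnssec-signzone` step is still to come, but the private key will then need a persistent, access-controlled location rather than a mktemp directory (and never the repo; `*.private` in `.gitignore` is only a guard against accidents). `-b 4096` has no effect for the fixed-size `ECDSA384` curve (BIND ignores or rejects it, depending on version), so drop it to avoid implying a 4096-bit key. `set -x` echoes every command, including key file paths, to stderr, which in the Forgejo job ends up in the run log; remove it once debugging is done.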
