new tor

Flake lock file updates:

• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/e1cc1f6483393634aee94514186d21a4871e78d7?narHash=sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg%3D' (2024-11-06)
  → 'github:NixOS/nixos-hardware/184687ae1a3139faa4746168baf071f60d0310c8?narHash=sha256-0ctfVp27ingWtY7dbP5%2BQpSQ98HaOZleU0teyHQUAw0%3D' (2024-11-11)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/83fb6c028368e465cd19bb127b86f971a5e41ebc?narHash=sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0%3D' (2024-11-07)
  → 'github:NixOS/nixpkgs/9256f7c71a195ebe7a218043d9f93390d49e6884?narHash=sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc%3D' (2024-11-10)

hosts/alpha/knot-dns.nix

@@ -53,12 +53,22 @@
           # Enable ACME ACL on all zones
           acl = ["acme"];
           # Enable automatic DNSSEC signing on all zones. The KSK must be
-          # configured in the parent zone. Use the following command to get the
-          # required record(s):
+          # configured in the parent zone through the registrar. Either the
+          # DNSKEY or DS, depending on registrar:
+          #
+          # > sudo keymgr caspervk.net dnskey
+          # [<zone> <record-type> <key-type> <protocol> <algorithm-type> <public-key>]
+          #
+          # OR
+          #
           # > sudo keymgr caspervk.net ds
           # [<zone> <record-type> <key-tag> <algorithm-type> <digest-type> <digest>]
+          #
           # https://knot.readthedocs.io/en/master/configuration.html#automatic-dnssec-signing
-          # DNSSEC can be validated using https://dnsviz.net.
+          #
+          # DNSSEC can be validated using:
+          #  - https://dnssec-debugger.verisignlabs.com
+          #  - https://dnsviz.net
           dnssec-signing = "on";
           dnssec-policy = "default";
           # Knot overwrites the zonefiles with auto-generated DNSSEC records by