hosts/mermet/knot/sourcephile.fr.nix

   1 { inputs, pkgs, lib, config, hosts, ... }:
   2 let
   3   domain = "sourcephile.fr";
   4   domainID = lib.replaceStrings ["."] ["_"] domain;
   5   inherit (config) networking;
   6   inherit (config.security) gnupg;
   7   inherit (config.services) knot;
   8   inherit (config.users) users;
   9 in
  10 {
  11 services.knot.zones."${domain}" = {
  12   conf = ''
  13     acl:
  14       - id: acl_localhost_acme_${domainID}
  15         address: 127.0.0.1
  16         action: update
  17         update-owner: name
  18         update-owner-match: equal
  19         update-owner-name: [_acme-challenge, _acme-challenge.hut, _acme-challenge.code]
  20         update-type: [TXT]
  21       - id: acl_tsig_acme_${domainID}
  22         key: acme_${domainID}
  23         action: update
  24         update-owner: name
  25         update-owner-match: equal
  26         update-owner-name: [_acme-challenge]
  27         update-type: [TXT]
  28       - id: acl_tsig_bureau1_${domainID}
  29         key: bureau1_${domainID}
  30         action: update
  31         update-owner: name
  32         update-owner-match: equal
  33         update-owner-name: [bureau1, lan.losurdo]
  34         update-type: [A, AAAA]
  35
  36     zone:
  37       - domain: ${domain}
  38         file: ${domain}.zone
  39         serial-policy: increment
  40         semantic-checks: on
  41         notify: secondary_gandi
  42         acl: acl_gandi
  43         acl: acl_localhost_acme_${domainID}
  44         acl: acl_tsig_acme_${domainID}
  45         acl: acl_tsig_bureau1_${domainID}
  46         dnssec-signing: on
  47         dnssec-policy: rsa
  48       - domain: whoami4.${domain}
  49         module: mod-whoami
  50         file: "${pkgs.writeText "whoami4.zone" ''
  51           $TTL 1
  52           @ SOA ns root.${domain}. (
  53             0     ; SERIAL
  54             86400 ; REFRESH
  55             86400 ; RETRY
  56             86400 ; EXPIRE
  57             1 ; MINIMUM
  58           )
  59           $TTL 86400
  60           @ NS ns
  61           ns A ${hosts.mermet._module.args.ipv4}
  62         ''}"
  63   '';
  64   # TODO: increase the TTL once things have settled down
  65   data = ''
  66     $ORIGIN ${domain}.
  67     $TTL 500
  68
  69     ; SOA (Start Of Authority)
  70     @ SOA ns root (
  71       ${toString inputs.self.lastModified} ; Serial number
  72       24h   ; Refresh
  73       15m   ; Retry
  74       1000h ; Expire (1000h)
  75       1d    ; Negative caching
  76     )
  77
  78     ; NS (Name Server)
  79     @ NS ns
  80     @ NS ns6.gandi.net.
  81     whoami4 NS ns.whoami4
  82     ns.whoami4 A ${hosts.mermet._module.args.ipv4}
  83
  84     ; A (DNS -> IPv4)
  85     @            A ${hosts.mermet._module.args.ipv4}
  86     mermet       A ${hosts.mermet._module.args.ipv4}
  87     autoconfig   A ${hosts.mermet._module.args.ipv4}
  88     doc          A ${hosts.mermet._module.args.ipv4}
  89     git          A ${hosts.mermet._module.args.ipv4}
  90     imap         A ${hosts.mermet._module.args.ipv4}
  91     mail         A ${hosts.mermet._module.args.ipv4}
  92     mails        A ${hosts.mermet._module.args.ipv4}
  93     news         A ${hosts.mermet._module.args.ipv4}
  94     public-inbox A ${hosts.mermet._module.args.ipv4}
  95     ns           A ${hosts.mermet._module.args.ipv4}
  96     pop          A ${hosts.mermet._module.args.ipv4}
  97     smtp         A ${hosts.mermet._module.args.ipv4}
  98     submission   A ${hosts.mermet._module.args.ipv4}
  99     www          A ${hosts.mermet._module.args.ipv4}
 100     lemoutona5pattes A ${hosts.mermet._module.args.ipv4}
 101     covid19      A ${hosts.mermet._module.args.ipv4}
 102     croc         A ${hosts.mermet._module.args.ipv4}
 103     stun         A ${hosts.mermet._module.args.ipv4}
 104     turn         A ${hosts.mermet._module.args.ipv4}
 105     whoami       A ${hosts.mermet._module.args.ipv4}
 106     code          A ${hosts.mermet._module.args.ipv4}
 107     builds.code   A ${hosts.mermet._module.args.ipv4}
 108     dispatch.code A ${hosts.mermet._module.args.ipv4}
 109     git.code      A ${hosts.mermet._module.args.ipv4}
 110     hg.code       A ${hosts.mermet._module.args.ipv4}
 111     hub.code      A ${hosts.mermet._module.args.ipv4}
 112     lists.code    A ${hosts.mermet._module.args.ipv4}
 113     meta.code     A ${hosts.mermet._module.args.ipv4}
 114     man.code      A ${hosts.mermet._module.args.ipv4}
 115     pages.code    A ${hosts.mermet._module.args.ipv4}
 116     paste.code    A ${hosts.mermet._module.args.ipv4}
 117     todo.code     A ${hosts.mermet._module.args.ipv4}
 118     miniflux      A ${hosts.mermet._module.args.ipv4}
 119
 120     ; CNAME (Canonical Name)
 121     losurdo          CNAME bureau1
 122     openconcerto     CNAME losurdo
 123     xmpp             CNAME mermet
 124     tmp              CNAME mermet
 125     proxy65          CNAME mermet
 126     cryptpad         CNAME losurdo
 127     cryptpad-api     CNAME losurdo
 128     cryptpad-files   CNAME losurdo
 129     cryptpad-sandbox CNAME losurdo
 130     mumble           CNAME mermet
 131     freeciv          CNAME losurdo
 132     nix-serve        CNAME losurdo
 133     nix-extracache   CNAME losurdo
 134     nix-localcache   CNAME lan.losurdo
 135     hut              CNAME code
 136     builds.hut       CNAME builds.code
 137     dispatch.hut     CNAME dispatch.code
 138     git.hut          CNAME git.code
 139     hg.hut           CNAME hg.code
 140     hub.hut          CNAME hub.code
 141     lists.hut        CNAME lists.code
 142     meta.hut         CNAME meta.code
 143     man.hut          CNAME man.code
 144     pages.hut        CNAME pages.code
 145     paste.hut        CNAME paste.code
 146     todo.hut         CNAME todo.code
 147     sftp             CNAME losurdo
 148
 149     ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
 150     _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"
 151
 152     ; SPF (Sender Policy Framework)
 153     @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet._module.args.ipv4} -all"
 154
 155     ; MX (Mail eXchange)
 156     @ 1800 MX 5 mail
 157     lists.code 1800 MX 5 mail
 158     todo.code  1800 MX 5 mail
 159
 160     ; SRV (SeRVice)
 161     _git._tcp.git             18000 IN SRV 0 0 9418 git
 162     _stun._udp                18000 IN SRV 0 5 3478 stun
 163     _xmpp-client._tcp         18000 IN SRV 0 5 5222 xmpp
 164     _xmpp-server._tcp         18000 IN SRV 0 5 5269 xmpp
 165     _xmpp-server._tcp.salons  18000 IN SRV 0 5 5269 xmpp
 166
 167     ; CAA (Certificate Authority Authorization)
 168     ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
 169     @ CAA 128 issue "letsencrypt.org"
 170   '';
 171 };
 172 users.groups.keys.members = [ users.knot.name ];
 173 services.knot = {
 174   keyFiles = [
 175     gnupg.secrets."knot/tsig/${domain}/acme.conf".path
 176     gnupg.secrets."knot/tsig/${domain}/bureau1.conf".path
 177   ];
 178 };
 179 security.gnupg.secrets = {
 180   "knot/tsig/${domain}/acme.conf" = {
 181     # Generated with: keymgr -t acme_${domainID}
 182     user = users.knot.name;
 183   };
 184   "knot/tsig/${domain}/bureau1.conf" = {
 185     # Generated with: keymgr -t bureau1_${domainID}
 186     user = users.knot.name;
 187   };
 188 };
 189 systemd.services.knot = {
 190   after = [
 191     gnupg.secrets."knot/tsig/${domain}/acme.conf".service
 192     gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
 193   ];
 194   wants = [
 195     gnupg.secrets."knot/tsig/${domain}/acme.conf".service
 196     gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
 197   ];
 198 };
 199 /* Useless since the zone is public
 200 services.unbound.settings = {
 201   stub-zone = {
 202     name = domain;
 203     stub-addr = "127.0.0.1@5353";
 204   };
 205 };
 206 '';
 207 */
 208 }