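{ pkgs, lib, config, inputs, hosts, info, ... }:
# Authoritative DNS for sourcephile.fr served by Knot on mermet:
# zone data, dynamic-update and transfer ACLs, TSIG key material loaded
# as encrypted systemd credentials, and the egress rule set needed to
# NOTIFY/AXFR the lebureau secondaries.
let
  domain = "sourcephile.fr";
  # Dotless form of the domain, used to name Knot ACLs, keys and remotes.
  domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
  inherit (config) networking;
  inherit (config.services) knot;
  inherit (config.users) users groups;
  # Every A record below points at mermet; bind the address once so a
  # host change only touches one place.
  ipv4 = hosts.mermet._module.args.ipv4;
  # Zone file body. Points worth knowing when editing it:
  # - the SOA serial is the flake's lastModified timestamp, so the value
  #   only changes when the flake input changes;
  # - the DMARC policy is p=none, i.e. report-only, no rejection of
  #   failing mail is requested from receivers;
  # - the SPF record ends in -all, so only the MX and mermet's IPv4 may
  #   send mail for the domain;
  # - the CAA record restricts issuance to letsencrypt.org via dns-01.
  zoneData =
    # TODO: increase the TTL once things have settled down
    ''
      $ORIGIN ${domain}.
      $TTL 500

      ; SOA (Start Of Authority)
      @ SOA ns root (
        ${toString inputs.self.lastModified} ; Serial number
        24h ; Refresh
        15m ; Retry
        1000h ; Expire (1000h)
        1d ; Negative caching
      )

      ; NS (Name Server)
      @ NS ns
      ${lib.concatMapStringsSep "\n" ({ name, ... }: "@ NS ${name}.") info.lebureau.dns.secondary.ns}
      i NS ns
      whoami4 NS ns.whoami4
      ns.whoami4 A ${ipv4}

      ; A (DNS -> IPv4)
      @ A ${ipv4}
      mermet A ${ipv4}
      autoconfig A ${ipv4}
      calibre A ${ipv4}
      doc A ${ipv4}
      git A ${ipv4}
      imap A ${ipv4}
      mail A ${ipv4}
      mails A ${ipv4}
      news A ${ipv4}
      public-inbox A ${ipv4}
      ns A ${ipv4}
      pop A ${ipv4}
      smtp A ${ipv4}
      submission A ${ipv4}
      www A ${ipv4}
      croc A ${ipv4}
      stun A ${ipv4}
      turn A ${ipv4}
      whoami A ${ipv4}
      code A ${ipv4}
      miniflux A ${ipv4}

      ; MX (Mail eXchange)
      @ 500 MX 5 mail

      ; CNAME (Canonical Name)
      openconcerto CNAME losurdo
      xmpp CNAME mermet
      salons CNAME mermet
      tmp CNAME mermet
      proxy65 CNAME mermet
      cryptpad CNAME losurdo
      cryptpad-api CNAME losurdo
      cryptpad-files CNAME losurdo
      cryptpad-sandbox CNAME losurdo
      mumble CNAME mermet
      nix-serve CNAME losurdo
      nix-extracache CNAME losurdo
      nix-localcache CNAME lan.losurdo
      sftp CNAME losurdo
      radicle-mermet CNAME mermet
      radicle CNAME mermet
      radicle-explorer CNAME radicle

      ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
      _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"

      ; SPF (Sender Policy Framework)
      @ 3600 IN TXT "v=spf1 mx ip4:${ipv4} -all"

      ; SRV (SeRVice)
      _git._tcp.git 18000 IN SRV 0 0 9418 git
      _stun._udp 18000 IN SRV 0 5 3478 stun
      _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
      _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
      _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp
      _xmpps-client._tcp 18000 IN SRV 0 5 5223 xmpp
      _xmpps-server._tcp 18000 IN SRV 0 5 5270 xmpp
      _xmpps-server._tcp.salons 18000 IN SRV 0 5 5270 xmpp

      ; CAA (Certificate Authority Authorization)
      ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
      @ CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
    '';
  # A CAA accounturi parameter was tried and found to be incorrect:
  # accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/78014180
in
{
  services.knot.settingsFreeform = {
    remote.ns_iodine.address = "127.0.0.1@1053";
    # Key-less update path for the ACME client running on this host:
    # any local process reaching 127.0.0.1 may replace the
    # _acme-challenge TXT record, and nothing else.
    # NOTE(review): the TSIG-authenticated rule below covers the same
    # record; if the ACME client actually presents the key, this
    # unauthenticated rule could be dropped — confirm which path it uses.
    acl."acl_localhost_acme_${domainID}" = {
      address = "127.0.0.1";
      action = "update";
      update-owner = "name";
      update-owner-match = "equal";
      update-owner-name = [ "_acme-challenge" ];
      update-type = [ "TXT" ];
    };
    # Same scope as above, but authenticated with the acme TSIG key.
    acl."acl_tsig_acme_${domainID}" = {
      key = "acme_${domainID}";
      action = "update";
      update-owner = "name";
      update-owner-match = "equal";
      update-owner-name = [ "_acme-challenge" ];
      update-type = [ "TXT" ];
    };
    # losurdo publishes its own (dynamic) addresses, limited to its two
    # names and to address records.
    acl."acl_tsig_losurdo_${domainID}" = {
      key = "losurdo_${domainID}";
      action = "update";
      update-owner = "name";
      update-owner-match = "equal";
      update-owner-name = [ "losurdo" "lan.losurdo" ];
      update-type = [ "A" "AAAA" ];
    };
    # Zone transfers to the lebureau secondaries: both an allowed source
    # address and the shared TSIG key are listed here, which in Knot's
    # ACL model means both have to match (verify against the acl docs).
    acl."acl_lebureau_${domainID}" = {
      action = "transfer";
      address = [
        info.lebureau.dns.secondary.transfer.ns1.ipv4
        info.lebureau.dns.secondary.transfer.ns1.ipv6
        info.lebureau.dns.secondary.transfer.ns2.ipv4
        info.lebureau.dns.secondary.transfer.ns2.ipv6
      ];
      key = "lebureau_${domainID}";
    };
    mod-dnsproxy.proxy_iodine = {
      remote = "ns_iodine";
      fallback = "off";
    };
    # NOTIFY targets; the key is attached so notifications are signed.
    remote."secondary1_lebureau_${domainID}" = {
      address = [
        "${info.lebureau.dns.secondary.transfer.ns1.ipv4}@53"
        "${info.lebureau.dns.secondary.transfer.ns1.ipv6}@53"
      ];
      key = "lebureau_${domainID}";
    };
    remote."secondary2_lebureau_${domainID}" = {
      address = [
        "${info.lebureau.dns.secondary.transfer.ns2.ipv4}@53"
        "${info.lebureau.dns.secondary.transfer.ns2.ipv6}@53"
      ];
      key = "lebureau_${domainID}";
    };
    zone."${domain}" = {
      # Installed by the ExecStartPre below from zoneData.
      file = "${domain}.zone";
      # NOTE(review): "increment" lets Knot bump the serial itself on
      # re-signing and dynamic updates, while the zone file carries the
      # flake timestamp as serial; confirm a reloaded file whose serial is
      # below the journal's is still picked up (see Knot's serial-policy
      # documentation).
      serial-policy = "increment";
      semantic-checks = true;
      notify = [
        "secondary1_lebureau_${domainID}"
        "secondary2_lebureau_${domainID}"
      ];
      acl = [
        "acl_localhost_acme_${domainID}"
        "acl_tsig_acme_${domainID}"
        "acl_tsig_losurdo_${domainID}"
        "acl_lebureau_${domainID}"
      ];
      dnssec-signing = true;
      # The "ed25519" policy is presumably declared in another module.
      dnssec-policy = "ed25519";
    };
    #zone."i.${domain}" = {
    #  module = "mod-dnsproxy/proxy_iodine";
    #};
    # Tiny static zone handled by mod-whoami, which answers with the
    # client's own address.
    zone."whoami4.${domain}" = {
      module = "mod-whoami";
      file = pkgs.writeText "whoami4.zone" ''
        $TTL 1
        @ SOA ns root.${domain}. (
          0 ; SERIAL
          86400 ; REFRESH
          86400 ; RETRY
          86400 ; EXPIRE
          1 ; MINIMUM
        )
        $TTL 86400
        @ NS ns
        ns A ${ipv4}
      '';
    };
  };
  services.knot = {
    # TSIG keys are never in the Nix store: they arrive as decrypted
    # systemd credentials (see LoadCredentialEncrypted below).
    keyFiles = [
      "/run/credentials/knot.service/${domain}.acme.conf"
      # Generated with: keymgr -t losurdo_${domainID}
      "/run/credentials/knot.service/losurdo.conf"
      # Generated with: keymgr -t lebureau_${domainID}
      "/run/credentials/knot.service/${domain}.lebureau.conf"
    ];
  };
  systemd.services.knot = {
    serviceConfig = {
      ExecStartPre = [
        # The "+" prefix runs this step with full privileges so it can
        # create the directory and chown the file to the knot user. The
        # zone file is plain data, so it gets 600 rather than an
        # execute bit.
        ''
          +${pkgs.coreutils}/bin/install -D -o ${users.knot.name} -g ${groups.knot.name} -m 600 \
            ${pkgs.writeText "${domain}.zone" zoneData} \
            /var/lib/knot/zones/${domain}.zone
        ''
      ];
      # Encrypted with systemd-creds; decrypted copies appear under
      # /run/credentials/knot.service/ for the keyFiles above.
      LoadCredentialEncrypted = [
        "${domain}.acme.conf:${builtins.path { path = ./. + "/${domain}/acme.conf.cred"; }}"
        "${domain}.lebureau.conf:${builtins.path { path = ./. + "/${domain}/lebureau.conf.cred"; }}"
        "losurdo.conf:${builtins.path { path = ./. + "/${domain}/losurdo.conf.cred"; }}"
      ];
    };
  };
  # Address sets for the secondaries; the output rules that consume them
  # are presumably defined in the host's base firewall configuration.
  networking.nftables.ruleset = ''
    table inet filter {
      set output-net-knot-ipv4 { type ipv4_addr; elements = {
        ${info.lebureau.dns.secondary.transfer.ns1.ipv4},
        ${info.lebureau.dns.secondary.transfer.ns2.ipv4}
      }; }
      set output-net-knot-ipv6 { type ipv6_addr; elements = {
        ${info.lebureau.dns.secondary.transfer.ns1.ipv6},
        ${info.lebureau.dns.secondary.transfer.ns2.ipv6}
      }; }
    }
  '';
  /* Useless since the zone is public
  services.unbound.settings = {
    stub-zone = {
      name = domain;
      stub-addr = "127.0.0.1@5353";
    };
  };
  */
}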