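{ inputs, pkgs, lib, config, hosts, ... }:
# Authoritative DNS for sourcephile.fr, served by Knot on mermet.
#
# The zone is DNSSEC-signed and accepts dynamic updates only through three
# narrow ACLs: an unauthenticated loopback ACL for the local ACME client,
# a TSIG-keyed ACL for ACME, and a TSIG-keyed ACL letting bureau1 publish
# its own A/AAAA records. Every ACL pins both the owner names and the
# record types it may change, so an updater can only touch those records.
let
  domain = "sourcephile.fr";
  # Dots replaced by underscores ("sourcephile_fr"); reused below to build
  # the ACL ids and the TSIG key names.
  domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
  inherit (config.security) gnupg;
  inherit (config.users) users;
  # Every A record in the zone points at mermet itself.
  ipv4 = hosts.mermet._module.args.ipv4;
  # gnupg-managed secrets holding the TSIG keys Knot must load; this list
  # is the single source of truth for keyFiles and the systemd ordering.
  tsigSecrets = map (key: "knot/tsig/${domain}/${key}.conf") [ "acme" "bureau1" ];
in
{
  services.knot.zones."${domain}" = {
    # Knot configuration fragment for this zone.
    #  - acl_localhost_acme: unauthenticated updates from 127.0.0.1, limited to
    #    TXT at the _acme-challenge owners (DNS-01). Any local process can use
    #    it, which is why the owner and type lists stay this narrow.
    #  - acl_tsig_acme / acl_tsig_bureau1: TSIG-authenticated updates, bound to
    #    the key of the same name and again pinned by owner name and type.
    #  - whoami4.${domain}: a separate one-record zone served by mod-whoami.
    # acl_gandi and secondary_gandi are defined elsewhere in the Knot config.
    conf = ''
      acl:
        - id: acl_localhost_acme_${domainID}
          address: 127.0.0.1
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [_acme-challenge, _acme-challenge.hut, _acme-challenge.code]
          update-type: [TXT]
        - id: acl_tsig_acme_${domainID}
          key: acme_${domainID}
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [_acme-challenge]
          update-type: [TXT]
        - id: acl_tsig_bureau1_${domainID}
          key: bureau1_${domainID}
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [bureau1, lan.losurdo]
          update-type: [A, AAAA]

      zone:
        - domain: ${domain}
          file: ${domain}.zone
          serial-policy: increment
          semantic-checks: on
          notify: secondary_gandi
          acl: acl_gandi
          acl: acl_localhost_acme_${domainID}
          acl: acl_tsig_acme_${domainID}
          acl: acl_tsig_bureau1_${domainID}
          dnssec-signing: on
          dnssec-policy: rsa
        - domain: whoami4.${domain}
          module: mod-whoami
          file: "${pkgs.writeText "whoami4.zone" ''
            $TTL 1
            @ SOA ns root.${domain}. (
            0 ; SERIAL
            86400 ; REFRESH
            86400 ; RETRY
            86400 ; EXPIRE
            1 ; MINIMUM
            )
            $TTL 86400
            @ NS ns
            ns A ${ipv4}
          ''}"
    '';
    # TODO: increase the TTL once things have settled down
    # Zone contents. The SOA serial is the flake's lastModified timestamp
    # (presumably growing with each committed change — confirm how this
    # interacts with serial-policy: increment above).
    # Mail and PKI policy published here: SPF allows only the MX and mermet's
    # IPv4 ("-all"); DMARC is in monitoring mode ("p=none") with reports sent
    # to the rua/ruf addresses; the CAA record (flag 128 = issuer-critical)
    # restricts certificate issuance to letsencrypt.org.
    data = ''
      $ORIGIN ${domain}.
      $TTL 500

      ; SOA (Start Of Authority)
      @ SOA ns root (
      ${toString inputs.self.lastModified} ; Serial number
      24h ; Refresh
      15m ; Retry
      1000h ; Expire (1000h)
      1d ; Negative caching
      )

      ; NS (Name Server)
      @ NS ns
      @ NS ns6.gandi.net.
      whoami4 NS ns.whoami4
      ns.whoami4 A ${ipv4}

      ; A (DNS -> IPv4)
      @ A ${ipv4}
      mermet A ${ipv4}
      autoconfig A ${ipv4}
      doc A ${ipv4}
      git A ${ipv4}
      imap A ${ipv4}
      mail A ${ipv4}
      mails A ${ipv4}
      news A ${ipv4}
      public-inbox A ${ipv4}
      ns A ${ipv4}
      pop A ${ipv4}
      smtp A ${ipv4}
      submission A ${ipv4}
      www A ${ipv4}
      lemoutona5pattes A ${ipv4}
      covid19 A ${ipv4}
      croc A ${ipv4}
      stun A ${ipv4}
      turn A ${ipv4}
      whoami A ${ipv4}
      code A ${ipv4}
      builds.code A ${ipv4}
      dispatch.code A ${ipv4}
      git.code A ${ipv4}
      hg.code A ${ipv4}
      hub.code A ${ipv4}
      lists.code A ${ipv4}
      meta.code A ${ipv4}
      man.code A ${ipv4}
      pages.code A ${ipv4}
      paste.code A ${ipv4}
      todo.code A ${ipv4}

      ; CNAME (Canonical Name)
      losurdo CNAME bureau1
      openconcerto CNAME losurdo
      xmpp CNAME mermet
      tmp CNAME mermet
      proxy65 CNAME mermet
      cryptpad CNAME losurdo
      cryptpad-api CNAME losurdo
      cryptpad-files CNAME losurdo
      cryptpad-sandbox CNAME losurdo
      mumble CNAME mermet
      freeciv CNAME losurdo
      nix-serve CNAME losurdo
      nix-extracache CNAME losurdo
      nix-localcache CNAME lan.losurdo
      hut CNAME code
      builds.hut CNAME builds.code
      dispatch.hut CNAME dispatch.code
      git.hut CNAME git.code
      hg.hut CNAME hg.code
      hub.hut CNAME hub.code
      lists.hut CNAME lists.code
      meta.hut CNAME meta.code
      man.hut CNAME man.code
      pages.hut CNAME pages.code
      paste.hut CNAME paste.code
      todo.hut CNAME todo.code
      sftp CNAME losurdo

      ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
      _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"

      ; SPF (Sender Policy Framework)
      @ 3600 IN TXT "v=spf1 mx ip4:${ipv4} -all"

      ; MX (Mail eXchange)
      @ 1800 MX 5 mail
      lists.code 1800 MX 5 mail
      todo.code 1800 MX 5 mail

      ; SRV (SeRVice)
      _git._tcp.git 18000 IN SRV 0 0 9418 git
      _stun._udp 18000 IN SRV 0 5 3478 stun
      _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
      _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
      _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp

      ; CAA (Certificate Authority Authorization)
      ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
      @ CAA 128 issue "letsencrypt.org"
    '';
  };
  # The knot user joins the "keys" group — presumably so it can read the
  # decrypted TSIG secret files; confirm against the gnupg secrets module.
  users.groups.keys.members = [ users.knot.name ];
  services.knot = {
    keyFiles = map (name: gnupg.secrets.${name}.path) tsigSecrets;
  };
  security.gnupg.secrets = {
    "knot/tsig/${domain}/acme.conf" = {
      # Generated with: keymgr -t acme_${domainID}
      user = users.knot.name;
    };
    "knot/tsig/${domain}/bureau1.conf" = {
      # Generated with: keymgr -t bureau1_${domainID}
      user = users.knot.name;
    };
  };
  # Do not start Knot before the TSIG secrets have been decrypted, otherwise
  # keyFiles would be missing and the TSIG ACLs could not authenticate anyone.
  systemd.services.knot = {
    after = map (name: gnupg.secrets.${name}.service) tsigSecrets;
    wants = map (name: gnupg.secrets.${name}.service) tsigSecrets;
  };
  /* Useless since the zone is public
  services.unbound.settings = {
    stub-zone = {
      name = domain;
      stub-addr = "127.0.0.1@5353";
    };
  };
  '';
  */
}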