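{ inputs, pkgs, lib, config, hosts, ... }:
# Authoritative DNS for sourcephile.fr, served by Knot on mermet.
#
# This module wires together:
#   * the Knot configuration fragment for the zone: dynamic-update ACLs,
#     the iodine DNS-tunnel delegation (i.<domain>), the whoami4 helper zone
#     and DNSSEC signing;
#   * the zone data itself, generated from Nix (the SOA serial is taken from
#     the flake's lastModified);
#   * the TSIG keys that authenticate remote dynamic updates, stored as
#     gnupg-encrypted secrets decrypted for the knot user only.
#
# acl_gandi, secondary_gandi and the "rsa" dnssec-policy are referenced here
# but defined elsewhere in the configuration.
let
  domain = "sourcephile.fr";
  # Knot identifiers cannot contain dots: "sourcephile.fr" -> "sourcephile_fr".
  domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
  # Every A record of this zone points at mermet; bind its address once.
  ipv4 = hosts.mermet._module.args.ipv4;
  inherit (config.security) gnupg;
  inherit (config.users) users;
in
{
  services.knot.zones."${domain}" = {
    # Knot configuration fragment for this zone. Knot's configuration syntax is
    # YAML-like, so '#' starts a comment inside this string.
    conf = ''
      remote:
        # Local iodine daemon answering for the i.${domain} tunnel subzone.
        - id: ns_iodine
          address: 127.0.0.1@1053
      acl:
        # SECURITY NOTE(review): this ACL is matched on source address only and
        # carries no TSIG key. Any process on this host able to send from
        # 127.0.0.1 can rewrite the listed _acme-challenge TXT records and so
        # pass a DNS-01 challenge for ${domain} (the CAA record below allows
        # letsencrypt.org). That is acceptable only while no untrusted users or
        # services run on mermet; otherwise add "key: acme_${domainID}" here
        # as well, provided the local ACME client can sign its updates with it.
        # The owner/type restrictions keep the blast radius to ACME TXT records.
        - id: acl_localhost_acme_${domainID}
          address: 127.0.0.1
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [_acme-challenge, _acme-challenge.hut, _acme-challenge.code]
          update-type: [TXT]
        # Updates signed with the acme_ TSIG key: limited to the apex
        # _acme-challenge, unlike the localhost ACL above (presumably intended;
        # confirm if hut/code certificates are ever renewed from another host).
        - id: acl_tsig_acme_${domainID}
          key: acme_${domainID}
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [_acme-challenge]
          update-type: [TXT]
        # bureau1 may only rewrite its own A/AAAA records (dynamic-DNS style).
        # lan.losurdo is also the target of the nix-localcache CNAME below.
        - id: acl_tsig_bureau1_${domainID}
          key: bureau1_${domainID}
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [bureau1, lan.losurdo]
          update-type: [A, AAAA]

      mod-dnsproxy:
        # With fallback off, every query for the attached zone is forwarded to
        # the remote; Knot answers nothing for it locally.
        - id: proxy_iodine
          remote: ns_iodine
          fallback: off

      zone:
        - domain: ${domain}
          file: ${domain}.zone
          # Knot bumps the serial itself when it (re)signs; the file serial is
          # derived from the flake, see the SOA comment in the zone data.
          serial-policy: increment
          semantic-checks: on
          notify: secondary_gandi
          acl: acl_gandi
          acl: acl_localhost_acme_${domainID}
          acl: acl_tsig_acme_${domainID}
          acl: acl_tsig_bureau1_${domainID}
          dnssec-signing: on
          dnssec-policy: rsa

        # iodine DNS tunnel: the whole subzone is proxied to the iodine daemon.
        - domain: i.${domain}
          module: mod-dnsproxy/proxy_iodine

        # whoami4: mod-whoami answers with the querier's own IPv4 address. The
        # zone file only carries the SOA/NS glue; TTL 1 keeps replies uncached.
        - domain: whoami4.${domain}
          module: mod-whoami
          file: "${pkgs.writeText "whoami4.zone" ''
            $TTL 1
            @ SOA ns root.${domain}. (
              0 ; SERIAL
              86400 ; REFRESH
              86400 ; RETRY
              86400 ; EXPIRE
              1 ; MINIMUM
            )
            $TTL 86400
            ; "ns" is relative to this zone: ns.whoami4.${domain}, glued in the parent.
            @ NS ns
            ns A ${ipv4}
          ''}"
    '';
    # TODO: increase the TTL once things have settled down
    # Zone data in master-file syntax; ';' starts a comment inside this string.
    data = ''
      $ORIGIN ${domain}.
      $TTL 500

      ; SOA (Start Of Authority)
      ; The serial is the flake's last-commit time (seconds since the epoch), so it
      ; only grows while commits move forward. NOTE(review): deploying an older
      ; commit yields a smaller file serial; verify how Knot reconciles that with
      ; its journal under serial-policy: increment before relying on rollbacks.
      @ SOA ns root (
        ${toString inputs.self.lastModified} ; Serial number
        24h ; Refresh
        15m ; Retry
        1000h ; Expire (1000h)
        1d ; Negative caching
      )

      ; NS (Name Server)
      @ NS ns
      @ NS ns6.gandi.net.
      ; Subzones served by this same Knot instance (see the conf above).
      i NS ns
      whoami4 NS ns.whoami4
      ns.whoami4 A ${ipv4}

      ; A (DNS -> IPv4)
      ; Everything below resolves to mermet.
      @ A ${ipv4}
      mermet A ${ipv4}
      autoconfig A ${ipv4}
      doc A ${ipv4}
      git A ${ipv4}
      imap A ${ipv4}
      mail A ${ipv4}
      mails A ${ipv4}
      news A ${ipv4}
      public-inbox A ${ipv4}
      ns A ${ipv4}
      pop A ${ipv4}
      smtp A ${ipv4}
      submission A ${ipv4}
      www A ${ipv4}
      lemoutona5pattes A ${ipv4}
      covid19 A ${ipv4}
      croc A ${ipv4}
      stun A ${ipv4}
      turn A ${ipv4}
      whoami A ${ipv4}
      code A ${ipv4}
      builds.code A ${ipv4}
      dispatch.code A ${ipv4}
      git.code A ${ipv4}
      hg.code A ${ipv4}
      hub.code A ${ipv4}
      lists.code A ${ipv4}
      meta.code A ${ipv4}
      man.code A ${ipv4}
      pages.code A ${ipv4}
      paste.code A ${ipv4}
      todo.code A ${ipv4}
      miniflux A ${ipv4}

      ; CNAME (Canonical Name)
      ; bureau1 and lan.losurdo are not static here: they are kept current through
      ; dynamic updates authenticated by the bureau1 TSIG key (see the ACLs).
      losurdo CNAME bureau1
      openconcerto CNAME losurdo
      xmpp CNAME mermet
      tmp CNAME mermet
      proxy65 CNAME mermet
      cryptpad CNAME losurdo
      cryptpad-api CNAME losurdo
      cryptpad-files CNAME losurdo
      cryptpad-sandbox CNAME losurdo
      mumble CNAME mermet
      freeciv CNAME losurdo
      nix-serve CNAME losurdo
      nix-extracache CNAME losurdo
      nix-localcache CNAME lan.losurdo
      hut CNAME code
      builds.hut CNAME builds.code
      dispatch.hut CNAME dispatch.code
      git.hut CNAME git.code
      hg.hut CNAME hg.code
      hub.hut CNAME hub.code
      lists.hut CNAME lists.code
      meta.hut CNAME meta.code
      man.hut CNAME man.code
      pages.hut CNAME pages.code
      paste.hut CNAME paste.code
      todo.hut CNAME todo.code
      sftp CNAME losurdo

      ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
      ; p=none is monitoring only: receivers are asked to report failures, not to
      ; quarantine or reject spoofed mail. Tighten to p=quarantine / p=reject once
      ; the aggregate (rua) reports show legitimate mail passing. No DKIM selector
      ; records are in this file, so unless they live elsewhere, alignment here
      ; rests on SPF alone.
      _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"

      ; SPF (Sender Policy Framework)
      ; Only the MX hosts and mermet itself may send for this domain; -all asks
      ; receivers to hard-fail everything else.
      @ 3600 IN TXT "v=spf1 mx ip4:${ipv4} -all"

      ; MX (Mail eXchange)
      @ 1800 MX 5 mail
      lists.code 1800 MX 5 mail
      todo.code 1800 MX 5 mail

      ; SRV (SeRVice)
      _git._tcp.git 18000 IN SRV 0 0 9418 git
      _stun._udp 18000 IN SRV 0 5 3478 stun
      _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
      _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
      _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp

      ; CAA (Certificate Authority Authorization)
      ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
      ; Only Let's Encrypt may issue for ${domain}; without an issuewild tag the
      ; issue tag also governs wildcard names. An iodef tag would additionally
      ; request reports of refused issuance attempts.
      @ CAA 128 issue "letsencrypt.org"
    '';
  };
  # The knot user must be able to read the gnupg-decrypted secrets.
  users.groups.keys.members = [ users.knot.name ];
  services.knot = {
    # Knot key files holding the TSIG keys referenced by the acl_tsig_* entries.
    keyFiles = [
      gnupg.secrets."knot/tsig/${domain}/acme.conf".path
      gnupg.secrets."knot/tsig/${domain}/bureau1.conf".path
    ];
  };
  security.gnupg.secrets = {
    "knot/tsig/${domain}/acme.conf" = {
      # Generated with: keymgr -t acme_${domainID}
      # Decrypted for the knot user only: possession of this key is all that is
      # needed to rewrite the _acme-challenge record, so it must never be in clear.
      user = users.knot.name;
    };
    "knot/tsig/${domain}/bureau1.conf" = {
      # Generated with: keymgr -t bureau1_${domainID}
      # Same handling as above; this key controls the bureau1/lan.losurdo records.
      user = users.knot.name;
    };
  };
  # Order Knot after the decrypted key files exist. `wants` (rather than
  # `requires`) means a secret that fails to decrypt does not by itself keep
  # Knot from being started.
  systemd.services.knot = {
    after = [
      gnupg.secrets."knot/tsig/${domain}/acme.conf".service
      gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
    ];
    wants = [
      gnupg.secrets."knot/tsig/${domain}/acme.conf".service
      gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
    ];
  };
  /* Useless since the zone is public
  services.unbound.settings = {
    stub-zone = {
      name = domain;
      stub-addr = "127.0.0.1@5353";
    };
  };
  */
}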