]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/knot/sourcephile.fr.nix
sanoid: dispatch datasets
[sourcephile-nix.git] / hosts / mermet / knot / sourcephile.fr.nix
1 { inputs, pkgs, lib, config, hosts, ... }:
2 let
3 domain = "sourcephile.fr";
4 domainID = lib.replaceStrings ["."] ["_"] domain;
5 inherit (config) networking;
6 inherit (config.security) gnupg;
7 inherit (config.services) knot;
8 inherit (config.users) users;
9 in
10 {
11 services.knot.zones."${domain}" = {
12 conf = ''
13 acl:
14 - id: acl_localhost_acme_${domainID}
15 address: 127.0.0.1
16 action: update
17 update-owner: name
18 update-owner-match: equal
19 update-owner-name: [_acme-challenge]
20 update-type: [TXT]
21 - id: acl_tsig_acme_${domainID}
22 key: acme_${domainID}
23 action: update
24 update-owner: name
25 update-owner-match: equal
26 update-owner-name: [_acme-challenge]
27 update-type: [TXT]
28 - id: acl_tsig_bureau1_${domainID}
29 key: bureau1_${domainID}
30 action: update
31 update-owner: name
32 update-owner-match: equal
33 update-owner-name: [bureau1, lan.losurdo]
34 update-type: [A, AAAA]
35
36 zone:
37 - domain: ${domain}
38 file: ${domain}.zone
39 serial-policy: increment
40 semantic-checks: on
41 notify: secondary_gandi
42 acl: acl_gandi
43 acl: acl_localhost_acme_${domainID}
44 acl: acl_tsig_acme_${domainID}
45 acl: acl_tsig_bureau1_${domainID}
46 dnssec-signing: on
47 dnssec-policy: rsa
48 - domain: whoami4.${domain}
49 module: mod-whoami
50 file: "${pkgs.writeText "whoami4.zone" ''
51 $TTL 1
52 @ SOA ns root.${domain}. (
53 0 ; SERIAL
54 86400 ; REFRESH
55 86400 ; RETRY
56 86400 ; EXPIRE
57 1 ; MINIMUM
58 )
59 $TTL 86400
60 @ NS ns
61 ns A ${hosts.mermet.extraArgs.ipv4}
62 ''}"
63 '';
64 # TODO: increase the TTL once things have settled down
65 data = ''
66 $ORIGIN ${domain}.
67 $TTL 500
68
69 ; SOA (Start Of Authority)
70 @ SOA ns root (
71 ${toString inputs.self.lastModified} ; Serial number
72 24h ; Refresh
73 15m ; Retry
74 1000h ; Expire (1000h)
75 1d ; Negative caching
76 )
77
78 ; NS (Name Server)
79 @ NS ns
80 @ NS ns6.gandi.net.
81 whoami4 NS ns.whoami4
82 ns.whoami4 A ${hosts.mermet.extraArgs.ipv4}
83
84 ; A (DNS -> IPv4)
85 @ A ${hosts.mermet.extraArgs.ipv4}
86 mermet A ${hosts.mermet.extraArgs.ipv4}
87 autoconfig A ${hosts.mermet.extraArgs.ipv4}
88 doc A ${hosts.mermet.extraArgs.ipv4}
89 code A ${hosts.mermet.extraArgs.ipv4}
90 git A ${hosts.mermet.extraArgs.ipv4}
91 imap A ${hosts.mermet.extraArgs.ipv4}
92 mail A ${hosts.mermet.extraArgs.ipv4}
93 mails A ${hosts.mermet.extraArgs.ipv4}
94 news A ${hosts.mermet.extraArgs.ipv4}
95 public-inbox A ${hosts.mermet.extraArgs.ipv4}
96 ns A ${hosts.mermet.extraArgs.ipv4}
97 pop A ${hosts.mermet.extraArgs.ipv4}
98 smtp A ${hosts.mermet.extraArgs.ipv4}
99 submission A ${hosts.mermet.extraArgs.ipv4}
100 www A ${hosts.mermet.extraArgs.ipv4}
101 lemoutona5pattes A ${hosts.mermet.extraArgs.ipv4}
102 covid19 A ${hosts.mermet.extraArgs.ipv4}
103 croc A ${hosts.mermet.extraArgs.ipv4}
104 stun A ${hosts.mermet.extraArgs.ipv4}
105 turn A ${hosts.mermet.extraArgs.ipv4}
106 whoami A ${hosts.mermet.extraArgs.ipv4}
107
108 ; CNAME (Canonical Name)
109 losurdo CNAME bureau1
110 openconcerto CNAME losurdo
111 xmpp CNAME mermet
112 tmp CNAME mermet
113 proxy65 CNAME mermet
114 cryptpad CNAME losurdo
115 cryptpad-api CNAME losurdo
116 cryptpad-files CNAME losurdo
117 cryptpad-sandbox CNAME losurdo
118 mumble CNAME mermet
119 freeciv CNAME losurdo
120 nix-serve CNAME losurdo
121 nix-extracache CNAME losurdo
122 nix-localcache CNAME lan.losurdo
123
124 ; SPF (Sender Policy Framework)
125 @ 3600 IN SPF "v=spf1 mx ip4:${hosts.mermet.extraArgs.ipv4} -all"
126 @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet.extraArgs.ipv4} -all"
127
128 ; MX (Mail eXchange)
129 @ 180 MX 5 mail
130
131 ; SRV (SeRVice)
132 _git._tcp.git 18000 IN SRV 0 0 9418 git
133 _stun._udp 18000 IN SRV 0 5 3478 stun
134 _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
135 _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
136 _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp
137
138 ; CAA (Certificate Authority Authorization)
139 ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
140 @ CAA 128 issue "letsencrypt.org"
141 '';
142 };
143 users.groups.keys.members = [ users.knot.name ];
144 services.knot = {
145 keyFiles = [
146 gnupg.secrets."knot/tsig/${domain}/acme.conf".path
147 gnupg.secrets."knot/tsig/${domain}/bureau1.conf".path
148 ];
149 };
150 security.gnupg.secrets = {
151 "knot/tsig/${domain}/acme.conf" = {
152 # Generated with: keymgr -t acme_${domainID}
153 user = users.knot.name;
154 };
155 "knot/tsig/${domain}/bureau1.conf" = {
156 # Generated with: keymgr -t bureau1_${domainID}
157 user = users.knot.name;
158 };
159 };
160 systemd.services.knot = {
161 after = [
162 gnupg.secrets."knot/tsig/${domain}/acme.conf".service
163 gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
164 ];
165 wants = [
166 gnupg.secrets."knot/tsig/${domain}/acme.conf".service
167 gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
168 ];
169 };
170 /* Useless since the zone is public
171 services.unbound.settings = {
172 stub-zone = {
173 name = domain;
174 stub-addr = "127.0.0.1@5353";
175 };
176 };
177 '';
178 */
179 }