mermet: knot: autogeree.net: wrong CAA accounturi=
{ pkgs, lib, config, inputs, hosts, info, ... }:
let
  domain = "autogeree.net";
  # Knot item names are built from the domain with dots replaced, e.g. "autogeree_net".
  domainID = builtins.replaceStrings [ "." ] [ "_" ] domain;
  # `networking` and `knot` are bound here but not referenced below.
  inherit (config) networking;
  inherit (config.services) knot;
  inherit (config.users) users groups;

  # Public IPv4 address of mermet; every name of the zone except chomsky/alpes points to it.
  ipv4 = hosts.mermet._module.args.ipv4;
  # Gandi's secondary name server (NS record) and the addresses it transfers the zone from.
  secondary = info.gandi.dns.secondary;

  # Shared part of the two ACLs that let an ACME client perform DNS-01:
  # dynamic updates are limited to the TXT record whose owner name is
  # exactly _acme-challenge.  `auth` supplies how the client is identified
  # (a source address or a TSIG key).
  acmeUpdateACL = auth: auth // {
    action = "update";
    update-owner = "name";
    update-owner-match = "equal";
    update-owner-name = [ "_acme-challenge" ];
    update-type = [ "TXT" ];
  };

  # Zone file contents.  The SOA serial is taken from the flake's
  # lastModified timestamp, so it only moves when the flake input changes.
  # SPF is published both as TXT (the form receivers read, RFC 7208) and as
  # the legacy SPF record type.  The CAA record carries flag 128 (critical)
  # and restricts certificate issuance to Let's Encrypt via dns-01.
  # TODO: increase the TTL once things have settled down
  zoneData = ''
    $ORIGIN ${domain}.
    $TTL 500

    ; SOA (Start Of Authority)
    @ SOA ns root (
    ${toString inputs.self.lastModified} ; Serial number
    24h ; Refresh
    15m ; Retry
    1000h ; Expire (1000h)
    1d ; Negative caching
    )

    ; NS (Name Server)
    @ NS ns
    @ NS ${secondary.ns.name}.
    ;@ NS ns0.muarf.org.

    ; A (DNS -> IPv4)
    @ A ${ipv4}
    mermet A ${ipv4}
    autoconfig A ${ipv4}
    code A ${ipv4}
    git A ${ipv4}
    imap A ${ipv4}
    mail A ${ipv4}
    ns A ${ipv4}
    pleroma A ${ipv4}
    pop A ${ipv4}
    smtp A ${ipv4}
    submission A ${ipv4}
    www A ${ipv4}
    chomsky A 91.216.110.36
    alpes A 195.88.84.51

    ; SPF (Sender Policy Framework)
    @ 3600 IN SPF "v=spf1 mx ip4:${ipv4} -all"
    @ 3600 IN TXT "v=spf1 mx ip4:${ipv4} -all"

    ; MX (Mail eXchange)
    @ 180 MX 5 mail

    ; SRV (SeRVice)
    _git._tcp.git 18000 IN SRV 0 0 9418 git

    ; CAA (Certificate Authority Authorization)
    ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
    @ CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
  '';
  # Incorrect (kept for reference only):
  #@ CAA 128 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/79737822"
in
{
  services.knot = {
    # TSIG key for the ACME client, decrypted at start-up by systemd
    # (see LoadCredentialEncrypted below) and never stored in the Nix store.
    keyFiles = [ "/run/credentials/knot.service/${domain}.acme.conf" ];

    settingsFreeform = {
      # Keyless rule: anything connecting from 127.0.0.1 may update the
      # ACME challenge record.  NOTE(review): this means any local process
      # can satisfy DNS-01 for this zone; confirm it is still needed now that
      # the TSIG-based rule exists.
      acl."acl_localhost_acme_${domainID}" = acmeUpdateACL { address = "127.0.0.1"; };
      # Keyed rule: same update rights, but only with the acme_<domainID> TSIG key.
      acl."acl_tsig_acme_${domainID}" = acmeUpdateACL { key = "acme_${domainID}"; };

      zone."${domain}" = {
        file = "${domain}.zone";
        # Serial is incremented by Knot on each change rather than rewritten from the file.
        serial-policy = "increment";
        semantic-checks = true;
        notify = [
          "secondary_gandi"
          #"secondary_muarf"
        ];
        acl = [
          "acl_gandi"
          #"acl_muarf"
          "acl_localhost_acme_${domainID}"
          "acl_tsig_acme_${domainID}"
        ];
        # The zone is currently served unsigned; the ed25519 policy only
        # applies once dnssec-signing is enabled.
        dnssec-signing = false;
        dnssec-policy = "ed25519";
      };
    };
  };

  # Named sets holding the secondary's transfer addresses; the rules that
  # reference them are presumably defined elsewhere in the ruleset.
  networking.nftables.ruleset = ''
    table inet filter {
    set output-net-knot-ipv4 { type ipv4_addr; elements = { ${secondary.axfr.ipv4} }; }
    set output-net-knot-ipv6 { type ipv6_addr; elements = { ${secondary.axfr.ipv6} }; }
    }
  '';

  systemd.services.knot.serviceConfig = {
    # Copy the store-built zone file into Knot's writable zone directory
    # before each start, owned by the knot user.  The leading "+" makes
    # systemd run this step with full privileges, independent of the unit's
    # own user and sandboxing.
    # NOTE(review): the zone file is a regular file, so mode 600 would give
    # the same owner-only protection without an execute bit.
    ExecStartPre = [
      ''
        +${pkgs.coreutils}/bin/install -D -o ${users.knot.name} -g ${groups.knot.name} -m 700 \
        ${pkgs.writeText "${domain}.zone" zoneData} \
        /var/lib/knot/zones/${domain}.zone
      ''
    ];
    # Encrypted TSIG key material, exposed to the service under /run/credentials.
    LoadCredentialEncrypted = [
      "${domain}.acme.conf:${./. + "/${domain}/acme.conf.cred"}"
    ];
  };

  /* Useless since the zone is public
  services.unbound.settings = {
    stub-zone = {
      name = domain;
      stub-addr = "127.0.0.1@5353";
    };
  };
  */
}