creds: finish to migrate to systemd-creds.nix

[sourcephile-nix.git] / hosts / mermet / knot / sourcephile.fr.nix

{ pkgs, lib, config, inputs, hostName, hosts, ... }:
let
  domain = "sourcephile.fr";
  domainID = lib.replaceStrings ["."] ["_"] domain;
  inherit (config) networking;
  inherit (config.services) knot;
  inherit (config.users) users;
in
{
services.knot.zones."${domain}" = {
  conf = ''
    remote:
      - id: ns_iodine
        address: 127.0.0.1@1053
    acl:
      - id: acl_localhost_acme_${domainID}
        address: 127.0.0.1
        action: update
        update-owner: name
        update-owner-match: equal
        update-owner-name: [_acme-challenge, _acme-challenge.hut, _acme-challenge.code]
        update-type: [TXT]
      - id: acl_tsig_acme_${domainID}
        key: acme_${domainID}
        action: update
        update-owner: name
        update-owner-match: equal
        update-owner-name: [_acme-challenge]
        update-type: [TXT]
      - id: acl_tsig_losurdo_${domainID}
        key: losurdo_${domainID}
        action: update
        update-owner: name
        update-owner-match: equal
        update-owner-name: [losurdo, lan.losurdo]
        update-type: [A, AAAA]

    mod-dnsproxy:
      - id: proxy_iodine
        remote: ns_iodine
        fallback: off

    zone:
      - domain: ${domain}
        file: ${domain}.zone
        serial-policy: increment
        semantic-checks: on
        notify: secondary_gandi
        acl: acl_gandi
        acl: acl_localhost_acme_${domainID}
        acl: acl_tsig_acme_${domainID}
        acl: acl_tsig_losurdo_${domainID}
        dnssec-signing: on
        dnssec-policy: rsa

      - domain: i.${domain}
        module: mod-dnsproxy/proxy_iodine

      - domain: whoami4.${domain}
        module: mod-whoami
        file: "${pkgs.writeText "whoami4.zone" ''
          $TTL 1
          @ SOA ns root.${domain}. (
            0     ; SERIAL
            86400 ; REFRESH
            86400 ; RETRY
            86400 ; EXPIRE
            1 ; MINIMUM
          )
          $TTL 86400
          @ NS ns
          ns A ${hosts.mermet._module.args.ipv4}
        ''}"
  '';
  # TODO: increase the TTL once things have settled down
  data = ''
    $ORIGIN ${domain}.
    $TTL 500

    ; SOA (Start Of Authority)
    @ SOA ns root (
      ${toString inputs.self.lastModified} ; Serial number
      24h   ; Refresh
      15m   ; Retry
      1000h ; Expire (1000h)
      1d    ; Negative caching
    )

    ; NS (Name Server)
    @ NS ns
    @ NS ns6.gandi.net.
    i NS ns
    whoami4 NS ns.whoami4
    ns.whoami4 A ${hosts.mermet._module.args.ipv4}

    ; A (DNS -> IPv4)
    @            A ${hosts.mermet._module.args.ipv4}
    mermet       A ${hosts.mermet._module.args.ipv4}
    autoconfig   A ${hosts.mermet._module.args.ipv4}
    doc          A ${hosts.mermet._module.args.ipv4}
    git          A ${hosts.mermet._module.args.ipv4}
    imap         A ${hosts.mermet._module.args.ipv4}
    mail         A ${hosts.mermet._module.args.ipv4}
    mails        A ${hosts.mermet._module.args.ipv4}
    news         A ${hosts.mermet._module.args.ipv4}
    public-inbox A ${hosts.mermet._module.args.ipv4}
    ns           A ${hosts.mermet._module.args.ipv4}
    pop          A ${hosts.mermet._module.args.ipv4}
    smtp         A ${hosts.mermet._module.args.ipv4}
    submission   A ${hosts.mermet._module.args.ipv4}
    www          A ${hosts.mermet._module.args.ipv4}
    lemoutona5pattes A ${hosts.mermet._module.args.ipv4}
    covid19      A ${hosts.mermet._module.args.ipv4}
    croc         A ${hosts.mermet._module.args.ipv4}
    stun         A ${hosts.mermet._module.args.ipv4}
    turn         A ${hosts.mermet._module.args.ipv4}
    whoami       A ${hosts.mermet._module.args.ipv4}
    code          A ${hosts.mermet._module.args.ipv4}
    builds.code   A ${hosts.mermet._module.args.ipv4}
    dispatch.code A ${hosts.mermet._module.args.ipv4}
    git.code      A ${hosts.mermet._module.args.ipv4}
    hg.code       A ${hosts.mermet._module.args.ipv4}
    hub.code      A ${hosts.mermet._module.args.ipv4}
    lists.code    A ${hosts.mermet._module.args.ipv4}
    meta.code     A ${hosts.mermet._module.args.ipv4}
    man.code      A ${hosts.mermet._module.args.ipv4}
    pages.code    A ${hosts.mermet._module.args.ipv4}
    paste.code    A ${hosts.mermet._module.args.ipv4}
    todo.code     A ${hosts.mermet._module.args.ipv4}
    miniflux      A ${hosts.mermet._module.args.ipv4}

    ; CNAME (Canonical Name)
    openconcerto     CNAME losurdo
    xmpp             CNAME mermet
    tmp              CNAME mermet
    proxy65          CNAME mermet
    cryptpad         CNAME losurdo
    cryptpad-api     CNAME losurdo
    cryptpad-files   CNAME losurdo
    cryptpad-sandbox CNAME losurdo
    mumble           CNAME mermet
    freeciv          CNAME losurdo
    nix-serve        CNAME losurdo
    nix-extracache   CNAME losurdo
    nix-localcache   CNAME lan.losurdo
    hut              CNAME code
    builds.hut       CNAME builds.code
    dispatch.hut     CNAME dispatch.code
    git.hut          CNAME git.code
    hg.hut           CNAME hg.code
    hub.hut          CNAME hub.code
    lists.hut        CNAME lists.code
    meta.hut         CNAME meta.code
    man.hut          CNAME man.code
    pages.hut        CNAME pages.code
    paste.hut        CNAME paste.code
    todo.hut         CNAME todo.code
    sftp             CNAME losurdo

    ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
    _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"

    ; SPF (Sender Policy Framework)
    @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet._module.args.ipv4} -all"

    ; MX (Mail eXchange)
    @ 1800 MX 5 mail
    lists.code 1800 MX 5 mail
    todo.code  1800 MX 5 mail

    ; SRV (SeRVice)
    _git._tcp.git             18000 IN SRV 0 0 9418 git
    _stun._udp                18000 IN SRV 0 5 3478 stun
    _xmpp-client._tcp         18000 IN SRV 0 5 5222 xmpp
    _xmpp-server._tcp         18000 IN SRV 0 5 5269 xmpp
    _xmpp-server._tcp.salons  18000 IN SRV 0 5 5269 xmpp

    ; CAA (Certificate Authority Authorization)
    ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
    @ CAA 128 issue "letsencrypt.org"
  '';
};
services.knot = {
  keyFiles = [
    "/run/credentials/knot.service/${domain}.acme.conf"
    # Generated with: keymgr -t losurdo_${domainID}
    "/run/credentials/knot.service/losurdo.conf"
  ];
};
systemd.services.knot = {
  serviceConfig = {
    LoadCredentialEncrypted = [
      "${domain}.acme.conf:${inputs.self}/hosts/${hostName}/${domain}/acme.conf.cred"
      "losurdo.conf:${inputs.self}/hosts/${hostName}/${domain}/losurdo.conf.cred"
    ];
  };
};
networking.nftables.ruleset = ''
  table inet filter {
    # Gandi DNS
    set output-net-knot-ipv4 {
      type ipv4_addr
      elements = { 217.70.177.40 }
    }
    set output-net-knot-ipv6 {
      type ipv6_addr
      elements = { 2001:4b98:d:1::40 }
    }
  }
'';
/* Useless since the zone is public
services.unbound.settings = {
  stub-zone = {
    name = domain;
    stub-addr = "127.0.0.1@5353";
  };
};
'';
*/
}