]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/knot/autogeree.net.nix
wireguard: remove old cred
[sourcephile-nix.git] / hosts / mermet / knot / autogeree.net.nix
1 { lib, config, inputs, hostName, hosts, ... }:
2 let
3 domain = "autogeree.net";
4 domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
5 inherit (config) networking;
6 inherit (config.services) knot;
7 in
8 {
9 services.knot.zones.${domain} = {
10 conf = ''
11 acl:
12 - id: acl_localhost_acme_${domainID}
13 address: 127.0.0.1
14 action: update
15 update-owner: name
16 update-owner-match: equal
17 update-owner-name: [_acme-challenge]
18 update-type: [TXT]
19 - id: acl_tsig_acme_${domainID}
20 key: acme_${domainID}
21 action: update
22 update-owner: name
23 update-owner-match: equal
24 update-owner-name: [_acme-challenge]
25 update-type: [TXT]
26
27 zone:
28 - domain: ${domain}
29 file: ${domain}.zone
30 serial-policy: increment
31 semantic-checks: on
32 notify: secondary_gandi
33 #notify: secondary_muarf
34 acl: acl_gandi
35 #acl: acl_muarf
36 acl: acl_localhost_acme_${domainID}
37 acl: acl_tsig_acme_${domainID}
38 dnssec-signing: off
39 dnssec-policy: ed25519
40 '';
41 # TODO: increase the TTL once things have settled down
42 data = ''
43 $ORIGIN ${domain}.
44 $TTL 500
45
46 ; SOA (Start Of Authority)
47 @ SOA ns root (
48 ${toString inputs.self.lastModified} ; Serial number
49 24h ; Refresh
50 15m ; Retry
51 1000h ; Expire (1000h)
52 1d ; Negative caching
53 )
54
55 ; NS (Name Server)
56 @ NS ns
57 @ NS ns6.gandi.net.
58 ;@ NS ns0.muarf.org.
59
60 ; A (DNS -> IPv4)
61 @ A ${hosts.mermet._module.args.ipv4}
62 mermet A ${hosts.mermet._module.args.ipv4}
63 autoconfig A ${hosts.mermet._module.args.ipv4}
64 code A ${hosts.mermet._module.args.ipv4}
65 git A ${hosts.mermet._module.args.ipv4}
66 imap A ${hosts.mermet._module.args.ipv4}
67 mail A ${hosts.mermet._module.args.ipv4}
68 ns A ${hosts.mermet._module.args.ipv4}
69 pop A ${hosts.mermet._module.args.ipv4}
70 smtp A ${hosts.mermet._module.args.ipv4}
71 submission A ${hosts.mermet._module.args.ipv4}
72 www A ${hosts.mermet._module.args.ipv4}
73 chomsky A 91.216.110.36
74 alpes A 195.88.84.51
75
76 ; SPF (Sender Policy Framework)
77 @ 3600 IN SPF "v=spf1 mx ip4:${hosts.mermet._module.args.ipv4} -all"
78 @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet._module.args.ipv4} -all"
79
80 ; MX (Mail eXchange)
81 @ 180 MX 5 mail
82
83 ; SRV (SeRVice)
84 _git._tcp.git 18000 IN SRV 0 0 9418 git
85
86 ; CAA (Certificate Authority Authorization)
87 ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
88 @ CAA 128 issue "letsencrypt.org"
89 '';
90 };
91 networking.nftables.ruleset = ''
92 table inet filter {
93 # Gandi DNS
94 set output-net-knot-ipv4 { type ipv4_addr; elements = { 217.70.177.40 }; }
95 set output-net-knot-ipv6 { type ipv6_addr; elements = { 2001:4b98:d:1::40 }; }
96 }
97 '';
98 services.knot = {
99 keyFiles = [
100 "/run/credentials/knot.service/${domain}.acme.conf"
101 ];
102 };
103 systemd.services.knot.serviceConfig = {
104 LoadCredentialEncrypted = [
105 "${domain}.acme.conf:${./. + "/${domain}/acme.conf.cred"}"
106 ];
107 };
108 /* Useless since the zone is public
109 services.unbound.settings = {
110 stub-zone = {
111 name = domain;
112 stub-addr = "127.0.0.1@5353";
113 };
114 };
115 '';
116 */
117 }