]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/knot/sourcephile.fr.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
mermet: prosody: more advanced configuration
[sourcephile-nix.git] / hosts / mermet / knot / sourcephile.fr.nix
1 { pkgs, lib, config, inputs, hostName, hosts, info, ... }:
2 let
3 domain = "sourcephile.fr";
4 domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
5 inherit (config) networking;
6 inherit (config.services) knot;
7 in
8 {
9 services.knot.zones.${domain} = {
10 conf = ''
11 remote:
12 - id: ns_iodine
13 address: 127.0.0.1@1053
14 acl:
15 - id: acl_localhost_acme_${domainID}
16 address: 127.0.0.1
17 action: update
18 update-owner: name
19 update-owner-match: equal
20 update-owner-name: [_acme-challenge]
21 update-type: [TXT]
22 - id: acl_tsig_acme_${domainID}
23 key: acme_${domainID}
24 action: update
25 update-owner: name
26 update-owner-match: equal
27 update-owner-name: [_acme-challenge]
28 update-type: [TXT]
29 - id: acl_tsig_losurdo_${domainID}
30 key: losurdo_${domainID}
31 action: update
32 update-owner: name
33 update-owner-match: equal
34 update-owner-name: [losurdo, lan.losurdo]
35 update-type: [A, AAAA]
36
37 mod-dnsproxy:
38 - id: proxy_iodine
39 remote: ns_iodine
40 fallback: off
41
42 zone:
43 - domain: ${domain}
44 file: ${domain}.zone
45 serial-policy: increment
46 semantic-checks: on
47 notify: secondary_gandi
48 acl: acl_gandi
49 acl: acl_localhost_acme_${domainID}
50 acl: acl_tsig_acme_${domainID}
51 acl: acl_tsig_losurdo_${domainID}
52 dnssec-signing: on
53 dnssec-policy: rsa
54
55 #- domain: i.${domain}
56 # module: mod-dnsproxy/proxy_iodine
57
58 - domain: whoami4.${domain}
59 module: mod-whoami
60 file: "${pkgs.writeText "whoami4.zone" ''
61 $TTL 1
62 @ SOA ns root.${domain}. (
63 0 ; SERIAL
64 86400 ; REFRESH
65 86400 ; RETRY
66 86400 ; EXPIRE
67 1 ; MINIMUM
68 )
69 $TTL 86400
70 @ NS ns
71 ns A ${hosts.mermet._module.args.ipv4}
72 ''}"
73 '';
74 # TODO: increase the TTL once things have settled down
75 data = ''
76 $ORIGIN ${domain}.
77 $TTL 500
78
79 ; SOA (Start Of Authority)
80 @ SOA ns root (
81 ${toString inputs.self.lastModified} ; Serial number
82 24h ; Refresh
83 15m ; Retry
84 1000h ; Expire (1000h)
85 1d ; Negative caching
86 )
87
88 ; NS (Name Server)
89 @ NS ns
90 @ NS ${info.gandi.dns.secondary.ns.name}.
91 i NS ns
92 whoami4 NS ns.whoami4
93 ns.whoami4 A ${hosts.mermet._module.args.ipv4}
94
95 ; A (DNS -> IPv4)
96 @ A ${hosts.mermet._module.args.ipv4}
97 mermet A ${hosts.mermet._module.args.ipv4}
98 autoconfig A ${hosts.mermet._module.args.ipv4}
99 doc A ${hosts.mermet._module.args.ipv4}
100 git A ${hosts.mermet._module.args.ipv4}
101 imap A ${hosts.mermet._module.args.ipv4}
102 mail A ${hosts.mermet._module.args.ipv4}
103 mails A ${hosts.mermet._module.args.ipv4}
104 news A ${hosts.mermet._module.args.ipv4}
105 public-inbox A ${hosts.mermet._module.args.ipv4}
106 ns A ${hosts.mermet._module.args.ipv4}
107 pop A ${hosts.mermet._module.args.ipv4}
108 smtp A ${hosts.mermet._module.args.ipv4}
109 submission A ${hosts.mermet._module.args.ipv4}
110 www A ${hosts.mermet._module.args.ipv4}
111 lemoutona5pattes A ${hosts.mermet._module.args.ipv4}
112 croc A ${hosts.mermet._module.args.ipv4}
113 stun A ${hosts.mermet._module.args.ipv4}
114 turn A ${hosts.mermet._module.args.ipv4}
115 whoami A ${hosts.mermet._module.args.ipv4}
116 code A ${hosts.mermet._module.args.ipv4}
117 miniflux A ${hosts.mermet._module.args.ipv4}
118
119 ; CNAME (Canonical Name)
120 openconcerto CNAME losurdo
121 xmpp CNAME mermet
122 salons CNAME mermet
123 tmp CNAME mermet
124 proxy65 CNAME mermet
125 cryptpad CNAME losurdo
126 cryptpad-api CNAME losurdo
127 cryptpad-files CNAME losurdo
128 cryptpad-sandbox CNAME losurdo
129 mumble CNAME mermet
130 freeciv CNAME losurdo
131 nix-serve CNAME losurdo
132 nix-extracache CNAME losurdo
133 nix-localcache CNAME lan.losurdo
134 sftp CNAME losurdo
135
136 ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
137 _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"
138
139 ; SPF (Sender Policy Framework)
140 @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet._module.args.ipv4} -all"
141
142 ; SRV (SeRVice)
143 _git._tcp.git 18000 IN SRV 0 0 9418 git
144 _stun._udp 18000 IN SRV 0 5 3478 stun
145 _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
146 _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
147 _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp
148 _xmpps-client._tcp 18000 IN SRV 0 5 5223 xmpp
149 _xmpps-server._tcp 18000 IN SRV 0 5 5270 xmpp
150 _xmpps-server._tcp.salons 18000 IN SRV 0 5 5270 xmpp
151
152 ; CAA (Certificate Authority Authorization)
153 ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
154 @ CAA 128 issue "letsencrypt.org"
155 '';
156 };
157 services.knot = {
158 keyFiles = [
159 "/run/credentials/knot.service/${domain}.acme.conf"
160 # Generated with: keymgr -t losurdo_${domainID}
161 "/run/credentials/knot.service/losurdo.conf"
162 ];
163 };
164 systemd.services.knot = {
165 serviceConfig = {
166 LoadCredentialEncrypted = [
167 "${domain}.acme.conf:${./. + "/${domain}/acme.conf.cred"}"
168 "losurdo.conf:${./. + "/${domain}/losurdo.conf.cred"}"
169 ];
170 };
171 };
172 networking.nftables.ruleset = ''
173 table inet filter {
174 set output-net-knot-ipv4 { type ipv4_addr; elements = { ${info.gandi.dns.secondary.axfr.ipv4} }; }
175 set output-net-knot-ipv6 { type ipv6_addr; elements = { ${info.gandi.dns.secondary.axfr.ipv6} }; }
176 }
177 '';
178 /* Useless since the zone is public
179 services.unbound.settings = {
180 stub-zone = {
181 name = domain;
182 stub-addr = "127.0.0.1@5353";
183 };
184 };
185 '';
186 */
187 }
NixOS configurations for Sourcephile's infrastructure