mermet: knot: sourcephile.fr: add openpgpkey
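# Authoritative DNS for sourcephile.fr, served by Knot on mermet.
#
# The zone file is rendered at evaluation time from `zoneData`, installed
# into /var/lib/knot/zones at service start, signed by Knot (DNSSEC), and
# transferred to lebureau's secondaries. Dynamic updates are limited to the
# ACME challenge record and to losurdo's own A/AAAA records.
{
  pkgs,
  lib,
  config,
  inputs,
  hosts,
  info,
  ...
}:
let
  domain = "sourcephile.fr";
  # "sourcephile_fr": suffix for Knot identifiers (acl / key / remote names).
  domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
  inherit (config.users) users groups;
  # Every A record in the zone points at mermet itself.
  mermetIPv4 = hosts.mermet._module.args.ipv4;
  # Note for the CAA record: the parameter
  #   accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/78014180
  # was incorrect and is not part of the record.
  #
  # The SOA serial is the flake's lastModified; Knot bumps it on its own
  # when it re-signs or applies updates (serial-policy = "increment" below).
  zoneData =
    # TODO: increase the TTL once things have settled down
    ''
      $ORIGIN ${domain}.
      $TTL 500

      ; SOA (Start Of Authority)
      @ SOA ns root (
        ${toString inputs.self.lastModified} ; Serial number
        24h ; Refresh
        15m ; Retry
        1000h ; Expire (1000h)
        1d ; Negative caching
      )

      ; NS (Name Server)
      @ NS ns
      ${lib.concatMapStringsSep "\n" ({ name, ... }: "@ NS ${name}.") info.lebureau.dns.secondary.ns}
      ; Delegation for the iodine tunnel; the matching proxy zone is
      ; currently commented out in the Knot configuration.
      i NS ns
      ; Delegation to Knot's mod-whoami zone (see zone."whoami4.${domain}")
      whoami4 NS ns.whoami4
      ns.whoami4 A ${mermetIPv4}

      ; A (DNS -> IPv4)
      @ A ${mermetIPv4}
      mermet A ${mermetIPv4}
      autoconfig A ${mermetIPv4}
      calibre A ${mermetIPv4}
      doc A ${mermetIPv4}
      git A ${mermetIPv4}
      imap A ${mermetIPv4}
      mail A ${mermetIPv4}
      mails A ${mermetIPv4}
      news A ${mermetIPv4}
      public-inbox A ${mermetIPv4}
      ns A ${mermetIPv4}
      pop A ${mermetIPv4}
      smtp A ${mermetIPv4}
      submission A ${mermetIPv4}
      www A ${mermetIPv4}
      croc A ${mermetIPv4}
      stun A ${mermetIPv4}
      turn A ${mermetIPv4}
      whoami A ${mermetIPv4}
      code A ${mermetIPv4}
      miniflux A ${mermetIPv4}

      ; MX (Mail eXchange)
      @ 500 MX 5 mail

      ; CNAME (Canonical Name)
      openconcerto CNAME losurdo
      xmpp CNAME mermet
      salons CNAME mermet
      tmp CNAME mermet
      proxy65 CNAME mermet
      cryptpad CNAME losurdo
      cryptpad-api CNAME losurdo
      cryptpad-files CNAME losurdo
      cryptpad-sandbox CNAME losurdo
      mumble CNAME mermet
      nix-serve CNAME losurdo
      nix-extracache CNAME losurdo
      nix-localcache CNAME lan.losurdo
      ; See https://keys.openpgp.org/about/usage#wkd-as-a-service
      ; WKD lookups for ${domain} addresses are delegated to keys.openpgp.org,
      ; which then serves the keys (and the TLS certificate) for this name.
      openpgpkey CNAME wkd.keys.openpgp.org.
      sftp CNAME losurdo
      radicle-mermet CNAME mermet
      radicle CNAME mermet
      radicle-explorer CNAME radicle

      ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
      ; p=none is monitoring only: receivers report but do not reject or
      ; quarantine mail that fails alignment.
      _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"

      ; SPF (Sender Policy Framework)
      @ 3600 IN TXT "v=spf1 mx ip4:${mermetIPv4} -all"

      ; SRV (SeRVice)
      _git._tcp.git 18000 IN SRV 0 0 9418 git
      _stun._udp 18000 IN SRV 0 5 3478 stun
      _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
      _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
      _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp
      _xmpps-client._tcp 18000 IN SRV 0 5 5223 xmpp
      _xmpps-server._tcp 18000 IN SRV 0 5 5270 xmpp
      _xmpps-server._tcp.salons 18000 IN SRV 0 5 5270 xmpp

      ; CAA (Certificate Authority Authorization)
      ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
      ; Flag 128 marks the property critical; issuance is restricted to
      ; Let's Encrypt using the dns-01 validation method only.
      @ CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
    '';
in
{
  services.knot.settingsFreeform = {
    # Only used by the (commented-out) zone."i.${domain}" proxy below.
    remote.ns_iodine.address = "127.0.0.1@1053";
    # Address-only ACL (no TSIG): any process on this host may update the
    # _acme-challenge TXT record. The scope is limited to that owner name
    # and record type.
    acl."acl_localhost_acme_${domainID}" = {
      address = "127.0.0.1";
      action = "update";
      update-owner = "name";
      update-owner-match = "equal";
      update-owner-name = [ "_acme-challenge" ];
      update-type = [ "TXT" ];
    };
    # Same scope as above, authenticated with the ACME TSIG key instead.
    acl."acl_tsig_acme_${domainID}" = {
      key = "acme_${domainID}";
      action = "update";
      update-owner = "name";
      update-owner-match = "equal";
      update-owner-name = [ "_acme-challenge" ];
      update-type = [ "TXT" ];
    };
    # losurdo may update only its own A/AAAA records, with its TSIG key.
    acl."acl_tsig_losurdo_${domainID}" = {
      key = "losurdo_${domainID}";
      action = "update";
      update-owner = "name";
      update-owner-match = "equal";
      update-owner-name = [
        "losurdo"
        "lan.losurdo"
      ];
      update-type = [
        "A"
        "AAAA"
      ];
    };
    # Zone transfer to lebureau's secondaries, gated by both source address
    # and TSIG key.
    acl."acl_lebureau_${domainID}" = {
      action = "transfer";
      address = [
        info.lebureau.dns.secondary.transfer.ns1.ipv4
        info.lebureau.dns.secondary.transfer.ns1.ipv6
        info.lebureau.dns.secondary.transfer.ns2.ipv4
        info.lebureau.dns.secondary.transfer.ns2.ipv6
      ];
      key = "lebureau_${domainID}";
    };
    mod-dnsproxy.proxy_iodine = {
      remote = "ns_iodine";
      fallback = "off";
    };
    # NOTIFY targets; the same key authenticates their transfer requests.
    remote."secondary1_lebureau_${domainID}" = {
      address = [
        "${info.lebureau.dns.secondary.transfer.ns1.ipv4}@53"
        "${info.lebureau.dns.secondary.transfer.ns1.ipv6}@53"
      ];
      key = "lebureau_${domainID}";
    };
    remote."secondary2_lebureau_${domainID}" = {
      address = [
        "${info.lebureau.dns.secondary.transfer.ns2.ipv4}@53"
        "${info.lebureau.dns.secondary.transfer.ns2.ipv6}@53"
      ];
      key = "lebureau_${domainID}";
    };
    zone."${domain}" = {
      # Relative to Knot's zone storage; installed by ExecStartPre below.
      file = "${domain}.zone";
      serial-policy = "increment";
      # Reject the zone on load if it fails Knot's consistency checks.
      semantic-checks = true;
      notify = [
        "secondary1_lebureau_${domainID}"
        "secondary2_lebureau_${domainID}"
      ];
      acl = [
        "acl_localhost_acme_${domainID}"
        "acl_tsig_acme_${domainID}"
        "acl_tsig_losurdo_${domainID}"
        "acl_lebureau_${domainID}"
      ];
      dnssec-signing = true;
      # The "ed25519" policy is defined outside this file.
      dnssec-policy = "ed25519";
    };
    # zone."i.${domain}" = {
    #   module = "mod-dnsproxy/proxy_iodine";
    # };
    # Knot's mod-whoami answers queries for this zone with the client's
    # source address; the A record below is only the glue for ns.
    zone."whoami4.${domain}" = {
      module = "mod-whoami";
      file = pkgs.writeText "whoami4.zone" ''
        $TTL 1
        @ SOA ns root.${domain}. (
          0 ; SERIAL
          86400 ; REFRESH
          86400 ; RETRY
          86400 ; EXPIRE
          1 ; MINIMUM
        )
        $TTL 86400
        @ NS ns
        ns A ${mermetIPv4}
      '';
    };
  };
  services.knot = {
    # TSIG keys are read from systemd credentials (decrypted at start, see
    # LoadCredentialEncrypted below), never from the Nix store.
    keyFiles = [
      "/run/credentials/knot.service/${domain}.acme.conf"
      # Generated with: keymgr -t losurdo_${domainID}
      "/run/credentials/knot.service/losurdo.conf"
      # Generated with: keymgr -t lebureau_${domainID}
      "/run/credentials/knot.service/${domain}.lebureau.conf"
    ];
  };
  systemd.services.knot = {
    serviceConfig = {
      ExecStartPre = [
        # Copy the rendered zone out of the store so Knot can rewrite it
        # (DNSSEC signing and dynamic updates). Mode 600: a zone file needs
        # no execute bit, and only the knot user reads it.
        ''
          +${pkgs.coreutils}/bin/install -D -o ${users.knot.name} -g ${groups.knot.name} -m 600 \
            ${pkgs.writeText "${domain}.zone" zoneData} \
            /var/lib/knot/zones/${domain}.zone
        ''
      ];
      # Encrypted key material lives in the repository; systemd decrypts it
      # into /run/credentials/knot.service/ for this unit only.
      LoadCredentialEncrypted = [
        "${domain}.acme.conf:${builtins.path { path = ./. + "/${domain}/acme.conf.cred"; }}"
        "${domain}.lebureau.conf:${builtins.path { path = ./. + "/${domain}/lebureau.conf.cred"; }}"
        "losurdo.conf:${builtins.path { path = ./. + "/${domain}/losurdo.conf.cred"; }}"
      ];
    };
  };
  # Address sets for the secondaries (NOTIFY / transfer peers). The output
  # rules that reference them are presumably defined elsewhere — not here.
  networking.nftables.ruleset = ''
    table inet filter {
      set output-net-knot-ipv4 { type ipv4_addr; elements = {
        ${info.lebureau.dns.secondary.transfer.ns1.ipv4},
        ${info.lebureau.dns.secondary.transfer.ns2.ipv4}
      }; }
      set output-net-knot-ipv6 { type ipv6_addr; elements = {
        ${info.lebureau.dns.secondary.transfer.ns1.ipv6},
        ${info.lebureau.dns.secondary.transfer.ns2.ipv6}
      }; }
    }
  '';
  /*
    Useless since the zone is public
    services.unbound.settings = {
      stub-zone = {
        name = domain;
        stub-addr = "127.0.0.1@5353";
      };
    };
    '';
  */
}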