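{
  pkgs,
  lib,
  config,
  inputs,
  hosts,
  info,
  ...
}:
let
  domain = "autogeree.net";
  # Knot identifiers (acl/remote/key names) must not contain dots.
  domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
  inherit (config.users) users groups;
  # Public IPv4 of this host; every service name below resolves to it.
  ipv4 = hosts.mermet._module.args.ipv4;

  # Authoritative zone for the domain. The text ends up in the Nix store
  # (pkgs.writeText below), i.e. world readable: public DNS data only, never
  # anything secret.
  # A CAA record additionally pinning the ACME account was tried and marked
  # incorrect; the reason was not recorded, so check the account ID before
  # re-enabling it:
  #   @ CAA 128 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/79737822"
  zoneData =
    # TODO: increase the TTL once things have settled down
    ''
      $ORIGIN ${domain}.
      $TTL 500

      ; SOA (Start Of Authority)
      ; Serial = last-modified time of the flake; Knot's serial-policy
      ; "increment" (see the zone section) bumps it on its own changes.
      @ SOA ns root (
        ${toString inputs.self.lastModified} ; Serial number
        24h ; Refresh
        15m ; Retry
        1000h ; Expire (1000h)
        1d ; Negative caching
      )

      ; NS (Name Server)
      ; "ns" is this host (glue A record below); the others are lebureau's
      ; secondaries, fed by TSIG-signed NOTIFY/transfer (see the ACLs).
      @ NS ns
      ${lib.concatMapStringsSep "\n" ({ name, ... }: "@ NS ${name}.") info.lebureau.dns.secondary.ns}

      ; A (DNS -> IPv4)
      @ A ${ipv4}
      mermet A ${ipv4}
      autoconfig A ${ipv4}
      code A ${ipv4}
      git A ${ipv4}
      imap A ${ipv4}
      mail A ${ipv4}
      ns A ${ipv4}
      pleroma A ${ipv4}
      pop A ${ipv4}
      smtp A ${ipv4}
      submission A ${ipv4}
      www A ${ipv4}
      chomsky A 91.216.110.36
      alpes A 195.88.84.51

      ; SPF (Sender Policy Framework)
      ; "-all": only the MX and this host's IPv4 may send mail for the domain.
      ; RFC 7208 section 3.1 made TXT the only SPF record type; the SPF
      ; (type 99) record is kept for legacy resolvers and could be dropped.
      @ 3600 IN SPF "v=spf1 mx ip4:${ipv4} -all"
      @ 3600 IN TXT "v=spf1 mx ip4:${ipv4} -all"
      ; NOTE(review): no _dmarc or DKIM selector records in this zone;
      ; confirm they are intentionally absent or published elsewhere.

      ; MX (Mail eXchange)
      @ 180 MX 5 mail

      ; SRV (SeRVice)
      _git._tcp.git 18000 IN SRV 0 0 9418 git

      ; CAA (Certificate Authority Authorization)
      ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
      ; Flag 128 = critical: a CA that does not understand the property must
      ; refuse to issue. Only Let's Encrypt, only via DNS-01. There is no
      ; "issuewild" record, so this "issue" record also governs wildcard
      ; certificates (RFC 8659).
      @ CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
    '';
in
{
  services.knot.settingsFreeform = {
    # Unauthenticated dynamic updates from localhost, limited to the TXT
    # records of exactly "_acme-challenge.<domain>." (update-owner-match
    # "equal" excludes sub-names).
    # NOTE(review): no TSIG key is required here, so any local process able
    # to reach 127.0.0.1:53 can set the DNS-01 challenge and obtain a
    # certificate for the apex -- and for the wildcard, which is validated
    # through the same record. If every ACME client on this host can use the
    # acme_${domainID} key, drop this rule and keep acl_tsig_acme only.
    acl."acl_localhost_acme_${domainID}" = {
      address = "127.0.0.1";
      action = "update";
      update-owner = "name";
      update-owner-match = "equal";
      update-owner-name = [ "_acme-challenge" ];
      update-type = [ "TXT" ];
    };
    # Same update scope, from any address, provided the request is signed with
    # the acme_${domainID} TSIG key (loaded from the encrypted credential below).
    acl."acl_tsig_acme_${domainID}" = {
      key = "acme_${domainID}";
      action = "update";
      update-owner = "name";
      update-owner-match = "equal";
      update-owner-name = [ "_acme-challenge" ];
      update-type = [ "TXT" ];
    };
    # Zone transfers to lebureau's secondaries. Knot requires every listed
    # restriction to match, so a transfer must come from one of these
    # addresses AND carry a valid lebureau_${domainID} TSIG signature.
    acl."acl_lebureau_${domainID}" = {
      action = "transfer";
      address = [
        info.lebureau.dns.secondary.transfer.ns1.ipv4
        info.lebureau.dns.secondary.transfer.ns1.ipv6
        info.lebureau.dns.secondary.transfer.ns2.ipv4
        info.lebureau.dns.secondary.transfer.ns2.ipv6
      ];
      key = "lebureau_${domainID}";
    };
    # NOTIFY targets; "key" makes the NOTIFY messages TSIG-signed as well.
    remote."secondary1_lebureau_${domainID}" = {
      address = [
        "${info.lebureau.dns.secondary.transfer.ns1.ipv4}@53"
        "${info.lebureau.dns.secondary.transfer.ns1.ipv6}@53"
      ];
      key = "lebureau_${domainID}";
    };
    remote."secondary2_lebureau_${domainID}" = {
      address = [
        "${info.lebureau.dns.secondary.transfer.ns2.ipv4}@53"
        "${info.lebureau.dns.secondary.transfer.ns2.ipv6}@53"
      ];
      key = "lebureau_${domainID}";
    };
    zone."${domain}" = {
      # Relative to Knot's zone storage (configured outside this file);
      # expected to resolve to the file installed by ExecStartPre below.
      file = "${domain}.zone";
      # Knot increments the serial itself on every change it makes
      # (re-signing, dynamic updates).
      serial-policy = "increment";
      semantic-checks = true;
      notify = [
        "secondary1_lebureau_${domainID}"
        "secondary2_lebureau_${domainID}"
      ];
      acl = [
        #"acl_muarf"
        "acl_localhost_acme_${domainID}"
        "acl_tsig_acme_${domainID}"
        "acl_lebureau_${domainID}"
      ];
      # Automatic signing with the "ed25519" policy (defined outside this file).
      dnssec-signing = true;
      dnssec-policy = "ed25519";
    };
  };
  services.knot = {
    # TSIG keys live in encrypted systemd credentials (decrypted only at
    # service start, see LoadCredentialEncrypted), never in the Nix store.
    keyFiles = [
      "/run/credentials/knot.service/${domain}.acme.conf"
      # Generated with: keymgr -t lebureau_${domainID}
      "/run/credentials/knot.service/${domain}.lebureau.conf"
    ];
  };
  systemd.services.knot = {
    serviceConfig = {
      ExecStartPre = [
        # "+": run with full privileges so the file can be handed to the knot
        # user. Mode 600 rather than 700: a zone file is data, not executable.
        # NOTE(review): install -D creates /var/lib/knot/zones as root; if
        # Knot is expected to write the zone file back (zonefile-sync), that
        # directory must be writable by the knot user -- verify.
        ''
          +${pkgs.coreutils}/bin/install -D -o ${users.knot.name} -g ${groups.knot.name} -m 600 \
            ${pkgs.writeText "${domain}.zone" zoneData} \
            /var/lib/knot/zones/${domain}.zone
        ''
      ];
      # The .cred files are systemd-creds ciphertext; the decrypting key is
      # host-bound and not part of this repository.
      LoadCredentialEncrypted = [
        "${domain}.acme.conf:${builtins.path { path = ./. + "/${domain}/acme.conf.cred"; }}"
        "${domain}.lebureau.conf:${builtins.path { path = ./. + "/${domain}/lebureau.conf.cred"; }}"
      ];
    };
  };
  # Address sets naming the secondaries, for output rules allowing Knot's
  # NOTIFY/transfer traffic. NOTE(review): no rule in this file refers to
  # them; they are presumably consumed by the host's shared ruleset.
  networking.nftables.ruleset = ''
    table inet filter {
      set output-net-knot-ipv4 { type ipv4_addr; elements = {
        ${info.lebureau.dns.secondary.transfer.ns1.ipv4},
        ${info.lebureau.dns.secondary.transfer.ns2.ipv4}
      }; }
      set output-net-knot-ipv6 { type ipv6_addr; elements = {
        ${info.lebureau.dns.secondary.transfer.ns1.ipv6},
        ${info.lebureau.dns.secondary.transfer.ns2.ipv6}
      }; }
    }
  '';
  /*
    Useless since the zone is public:
    services.unbound.settings = {
      stub-zone = {
        name = domain;
        stub-addr = "127.0.0.1@5353";
      };
    };
  */
}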