1 { inputs, pkgs, lib, config, hosts, ... }:
2 let
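# Zone name, and an identifier-safe form of it (dots replaced by underscores)
# used to name the knot ACLs and TSIG keys below (e.g. `acme_sourcephile_fr`).
domain = "sourcephile.fr";
domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
# Shorthands into the evaluated NixOS configuration: `gnupg.secrets` provides
# the decrypted TSIG key files, `users.knot` is the account knot runs as.
# (`config.networking` and `config.services.knot` were previously inherited
# here too, but nothing in this file uses them.)
inherit (config.security) gnupg;
inherit (config.users) users;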
9 in
10 {
# Authoritative DNS for the zone: knot serves it, signs it with DNSSEC and
# notifies the Gandi secondary.  Dynamic updates are accepted under three ACLs
# (see `conf`), each narrowed to a list of owner names and one record type:
#
#  - acl_localhost_acme_*: unauthenticated — anything that can connect from
#    127.0.0.1 may replace the `_acme-challenge{,.hut,.code}` TXT records.
#    Presumably meant for the ACME client on this host (a DNS-01 challenge),
#    but it is shared by every local user and service, so keep its owner-name
#    and type scope this narrow.
#  - acl_tsig_acme_*: the `acme_<domainID>` TSIG key may update only the apex
#    `_acme-challenge` TXT record.
#  - acl_tsig_bureau1_*: the `bureau1_<domainID>` TSIG key may set the A/AAAA
#    of `bureau1` and `lan.losurdo` (dynamic DNS for that host).  There is no
#    `address:` restriction, so possession of the key alone is sufficient from
#    any source IP — the key file on bureau1 is the whole credential.
#
# `update-owner-match: equal` restricts each ACL to exactly the listed names
# (no children).  `acl_gandi`, the `secondary_gandi` remote and the `rsa`
# dnssec-policy are referenced here but defined in another file.  The TSIG
# key material itself comes from the gnupg.secrets files listed in
# `services.knot.keyFiles`.
services.knot.zones."${domain}" =
  let
    # Every host record in this zone points at mermet; name it once.
    ipv4 = hosts.mermet.extraArgs.ipv4;
  in
  {
    conf = ''
      acl:
        - id: acl_localhost_acme_${domainID}
          address: 127.0.0.1
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [_acme-challenge, _acme-challenge.hut, _acme-challenge.code]
          update-type: [TXT]
        - id: acl_tsig_acme_${domainID}
          key: acme_${domainID}
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [_acme-challenge]
          update-type: [TXT]
        - id: acl_tsig_bureau1_${domainID}
          key: bureau1_${domainID}
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [bureau1, lan.losurdo]
          update-type: [A, AAAA]

      zone:
        - domain: ${domain}
          file: ${domain}.zone
          serial-policy: increment
          semantic-checks: on
          notify: secondary_gandi
          acl: acl_gandi
          acl: acl_localhost_acme_${domainID}
          acl: acl_tsig_acme_${domainID}
          acl: acl_tsig_bureau1_${domainID}
          dnssec-signing: on
          dnssec-policy: rsa
        - domain: whoami4.${domain}
          module: mod-whoami
          file: "${pkgs.writeText "whoami4.zone" ''
            $TTL 1
            @ SOA ns root.${domain}. (
              0 ; SERIAL
              86400 ; REFRESH
              86400 ; RETRY
              86400 ; EXPIRE
              1 ; MINIMUM
            )
            $TTL 86400
            @ NS ns
            ns A ${ipv4}
          ''}"
    '';
    # Zone contents.  Notes for reviewers:
    #  - The SOA serial is the flake's lastModified timestamp, so it only moves
    #    when the flake input changes; knot's `serial-policy: increment` is then
    #    expected to bump it for DNSSEC re-signing and dynamic updates (confirm
    #    against the journal / zonefile-load settings in use).
    #  - Mail: SPF is strict (`-all`) but DMARC is `p=none`, i.e. report-only,
    #    and no `_domainkey` (DKIM) records are published in this zone; if
    #    outbound mail is DKIM-signed the selector record must come from
    #    elsewhere.
    #  - CAA (flag 128 = critical) allows only letsencrypt.org to issue; with
    #    no `issuewild` record the `issue` record also governs wildcards.
    #  - `lan.losurdo` is filled in by dynamic update from bureau1; if it holds
    #    a private (RFC 1918) address it is published in public DNS and may be
    #    dropped by resolvers with DNS-rebinding protection.
    #  - The `whoami4` sub-zone is delegated to this host and served by knot's
    #    whoami module (presumably echoing the client's source address).
    # TODO: increase the TTL once things have settled down
    data = ''
      $ORIGIN ${domain}.
      $TTL 500

      ; SOA (Start Of Authority)
      @ SOA ns root (
        ${toString inputs.self.lastModified} ; Serial number
        24h ; Refresh
        15m ; Retry
        1000h ; Expire (1000h)
        1d ; Negative caching
      )

      ; NS (Name Server)
      @ NS ns
      @ NS ns6.gandi.net.
      whoami4 NS ns.whoami4
      ns.whoami4 A ${ipv4}

      ; A (DNS -> IPv4)
      @ A ${ipv4}
      mermet A ${ipv4}
      autoconfig A ${ipv4}
      doc A ${ipv4}
      git A ${ipv4}
      imap A ${ipv4}
      mail A ${ipv4}
      mails A ${ipv4}
      news A ${ipv4}
      public-inbox A ${ipv4}
      ns A ${ipv4}
      pop A ${ipv4}
      smtp A ${ipv4}
      submission A ${ipv4}
      www A ${ipv4}
      lemoutona5pattes A ${ipv4}
      covid19 A ${ipv4}
      croc A ${ipv4}
      stun A ${ipv4}
      turn A ${ipv4}
      whoami A ${ipv4}
      code A ${ipv4}
      builds.code A ${ipv4}
      dispatch.code A ${ipv4}
      git.code A ${ipv4}
      hg.code A ${ipv4}
      hub.code A ${ipv4}
      lists.code A ${ipv4}
      meta.code A ${ipv4}
      man.code A ${ipv4}
      pages.code A ${ipv4}
      paste.code A ${ipv4}
      todo.code A ${ipv4}

      ; CNAME (Canonical Name)
      losurdo CNAME bureau1
      openconcerto CNAME losurdo
      xmpp CNAME mermet
      tmp CNAME mermet
      proxy65 CNAME mermet
      cryptpad CNAME losurdo
      cryptpad-api CNAME losurdo
      cryptpad-files CNAME losurdo
      cryptpad-sandbox CNAME losurdo
      mumble CNAME mermet
      freeciv CNAME losurdo
      nix-serve CNAME losurdo
      nix-extracache CNAME losurdo
      nix-localcache CNAME lan.losurdo
      hut CNAME code
      builds.hut CNAME builds.code
      dispatch.hut CNAME dispatch.code
      git.hut CNAME git.code
      hg.hut CNAME hg.code
      hub.hut CNAME hub.code
      lists.hut CNAME lists.code
      meta.hut CNAME meta.code
      man.hut CNAME man.code
      pages.hut CNAME pages.code
      paste.hut CNAME paste.code
      todo.hut CNAME todo.code

      ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
      _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@${domain}; ruf=mailto:root+dmarc+forensic@${domain}"

      ; SPF (Sender Policy Framework)
      @ 3600 IN TXT "v=spf1 mx ip4:${ipv4} -all"

      ; MX (Mail eXchange)
      @ 1800 MX 5 mail
      lists.code 1800 MX 5 mail
      todo.code 1800 MX 5 mail

      ; SRV (SeRVice)
      _git._tcp.git 18000 IN SRV 0 0 9418 git
      _stun._udp 18000 IN SRV 0 5 3478 stun
      _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
      _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
      _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp

      ; CAA (Certificate Authority Authorization)
      ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
      @ CAA 128 issue "letsencrypt.org"
    '';
  };
# Let the knot daemon read its decrypted TSIG key files; they are presumably
# made group-readable by `keys` (gnupg.secrets convention — confirm).
users.groups.keys.members = [ config.users.users.knot.name ];
# Make knot include the TSIG key definitions (one decrypted file per key) that
# back the `acl_tsig_*` ACLs of the zone above.
services.knot.keyFiles =
  map (key: gnupg.secrets."knot/tsig/${domain}/${key}.conf".path)
    [ "acme" "bureau1" ];
# Encrypted TSIG key files, decrypted at boot for the knot account only.  Each
# one is the complete credential for its ACL (no source-address check on the
# TSIG ACLs), so keep the decrypted copies owned by knot and unreadable to
# other users.
security.gnupg.secrets =
  let
    knotOwned = { user = users.knot.name; };
  in
  {
    # Generated with: keymgr -t acme_${domainID}
    "knot/tsig/${domain}/acme.conf" = knotOwned;
    # Generated with: keymgr -t bureau1_${domainID}
    "knot/tsig/${domain}/bureau1.conf" = knotOwned;
  };
# Start knot only after the TSIG secrets have been decrypted.  `wants` (not
# `requires`) means a failed decryption does not block knot itself; the
# missing include in keyFiles is then presumably what stops knot from
# starting, rather than it serving with the TSIG ACLs silently absent —
# confirm this fail-closed behaviour.
systemd.services.knot =
  let
    secretUnits =
      map (key: gnupg.secrets."knot/tsig/${domain}/${key}.conf".service)
        [ "acme" "bureau1" ];
  in
  {
    after = secretUnits;
    wants = secretUnits;
  };
/* Not needed: the zone is public, so the local unbound resolver can resolve
   it normally over the Internet instead of being pointed at knot through a
   stub zone.
services.unbound.settings = {
  stub-zone = {
    name = domain;
    stub-addr = "127.0.0.1@5353";
  };
};
*/
206 }