]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/knot/sourcephile.fr.nix
losurdo: acme: move to LoadCredentialEncrypted=
[sourcephile-nix.git] / hosts / mermet / knot / sourcephile.fr.nix
1 { inputs, pkgs, lib, config, hosts, credentials, ... }:
2 let
3 domain = "sourcephile.fr";
4 domainID = lib.replaceStrings ["."] ["_"] domain;
5 inherit (config) networking;
6 inherit (config.security) gnupg;
7 inherit (config.services) knot;
8 inherit (config.users) users;
9 in
10 {
11 services.knot.zones."${domain}" = {
12 conf = ''
13 remote:
14 - id: ns_iodine
15 address: 127.0.0.1@1053
16 acl:
17 - id: acl_localhost_acme_${domainID}
18 address: 127.0.0.1
19 action: update
20 update-owner: name
21 update-owner-match: equal
22 update-owner-name: [_acme-challenge, _acme-challenge.hut, _acme-challenge.code]
23 update-type: [TXT]
24 - id: acl_tsig_acme_${domainID}
25 key: acme_${domainID}
26 action: update
27 update-owner: name
28 update-owner-match: equal
29 update-owner-name: [_acme-challenge]
30 update-type: [TXT]
31 - id: acl_tsig_losurdo_${domainID}
32 key: losurdo_${domainID}
33 action: update
34 update-owner: name
35 update-owner-match: equal
36 update-owner-name: [losurdo, lan.losurdo]
37 update-type: [A, AAAA]
38
39 mod-dnsproxy:
40 - id: proxy_iodine
41 remote: ns_iodine
42 fallback: off
43
44 zone:
45 - domain: ${domain}
46 file: ${domain}.zone
47 serial-policy: increment
48 semantic-checks: on
49 notify: secondary_gandi
50 acl: acl_gandi
51 acl: acl_localhost_acme_${domainID}
52 acl: acl_tsig_acme_${domainID}
53 acl: acl_tsig_losurdo_${domainID}
54 dnssec-signing: on
55 dnssec-policy: rsa
56
57 - domain: i.${domain}
58 module: mod-dnsproxy/proxy_iodine
59
60 - domain: whoami4.${domain}
61 module: mod-whoami
62 file: "${pkgs.writeText "whoami4.zone" ''
63 $TTL 1
64 @ SOA ns root.${domain}. (
65 0 ; SERIAL
66 86400 ; REFRESH
67 86400 ; RETRY
68 86400 ; EXPIRE
69 1 ; MINIMUM
70 )
71 $TTL 86400
72 @ NS ns
73 ns A ${hosts.mermet._module.args.ipv4}
74 ''}"
75 '';
76 # TODO: increase the TTL once things have settled down
77 data = ''
78 $ORIGIN ${domain}.
79 $TTL 500
80
81 ; SOA (Start Of Authority)
82 @ SOA ns root (
83 ${toString inputs.self.lastModified} ; Serial number
84 24h ; Refresh
85 15m ; Retry
86 1000h ; Expire (1000h)
87 1d ; Negative caching
88 )
89
90 ; NS (Name Server)
91 @ NS ns
92 @ NS ns6.gandi.net.
93 i NS ns
94 whoami4 NS ns.whoami4
95 ns.whoami4 A ${hosts.mermet._module.args.ipv4}
96
97 ; A (DNS -> IPv4)
98 @ A ${hosts.mermet._module.args.ipv4}
99 mermet A ${hosts.mermet._module.args.ipv4}
100 autoconfig A ${hosts.mermet._module.args.ipv4}
101 doc A ${hosts.mermet._module.args.ipv4}
102 git A ${hosts.mermet._module.args.ipv4}
103 imap A ${hosts.mermet._module.args.ipv4}
104 mail A ${hosts.mermet._module.args.ipv4}
105 mails A ${hosts.mermet._module.args.ipv4}
106 news A ${hosts.mermet._module.args.ipv4}
107 public-inbox A ${hosts.mermet._module.args.ipv4}
108 ns A ${hosts.mermet._module.args.ipv4}
109 pop A ${hosts.mermet._module.args.ipv4}
110 smtp A ${hosts.mermet._module.args.ipv4}
111 submission A ${hosts.mermet._module.args.ipv4}
112 www A ${hosts.mermet._module.args.ipv4}
113 lemoutona5pattes A ${hosts.mermet._module.args.ipv4}
114 covid19 A ${hosts.mermet._module.args.ipv4}
115 croc A ${hosts.mermet._module.args.ipv4}
116 stun A ${hosts.mermet._module.args.ipv4}
117 turn A ${hosts.mermet._module.args.ipv4}
118 whoami A ${hosts.mermet._module.args.ipv4}
119 code A ${hosts.mermet._module.args.ipv4}
120 builds.code A ${hosts.mermet._module.args.ipv4}
121 dispatch.code A ${hosts.mermet._module.args.ipv4}
122 git.code A ${hosts.mermet._module.args.ipv4}
123 hg.code A ${hosts.mermet._module.args.ipv4}
124 hub.code A ${hosts.mermet._module.args.ipv4}
125 lists.code A ${hosts.mermet._module.args.ipv4}
126 meta.code A ${hosts.mermet._module.args.ipv4}
127 man.code A ${hosts.mermet._module.args.ipv4}
128 pages.code A ${hosts.mermet._module.args.ipv4}
129 paste.code A ${hosts.mermet._module.args.ipv4}
130 todo.code A ${hosts.mermet._module.args.ipv4}
131 miniflux A ${hosts.mermet._module.args.ipv4}
132
133 ; CNAME (Canonical Name)
134 openconcerto CNAME losurdo
135 xmpp CNAME mermet
136 tmp CNAME mermet
137 proxy65 CNAME mermet
138 cryptpad CNAME losurdo
139 cryptpad-api CNAME losurdo
140 cryptpad-files CNAME losurdo
141 cryptpad-sandbox CNAME losurdo
142 mumble CNAME mermet
143 freeciv CNAME losurdo
144 nix-serve CNAME losurdo
145 nix-extracache CNAME losurdo
146 nix-localcache CNAME lan.losurdo
147 hut CNAME code
148 builds.hut CNAME builds.code
149 dispatch.hut CNAME dispatch.code
150 git.hut CNAME git.code
151 hg.hut CNAME hg.code
152 hub.hut CNAME hub.code
153 lists.hut CNAME lists.code
154 meta.hut CNAME meta.code
155 man.hut CNAME man.code
156 pages.hut CNAME pages.code
157 paste.hut CNAME paste.code
158 todo.hut CNAME todo.code
159 sftp CNAME losurdo
160
161 ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
162 _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"
163
164 ; SPF (Sender Policy Framework)
165 @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet._module.args.ipv4} -all"
166
167 ; MX (Mail eXchange)
168 @ 1800 MX 5 mail
169 lists.code 1800 MX 5 mail
170 todo.code 1800 MX 5 mail
171
172 ; SRV (SeRVice)
173 _git._tcp.git 18000 IN SRV 0 0 9418 git
174 _stun._udp 18000 IN SRV 0 5 3478 stun
175 _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
176 _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
177 _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp
178
179 ; CAA (Certificate Authority Authorization)
180 ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
181 @ CAA 128 issue "letsencrypt.org"
182 '';
183 };
184 users.groups.keys.members = [ users.knot.name ];
185 services.knot = {
186 keyFiles = [
187 gnupg.secrets."knot/tsig/${domain}/acme.conf".path
188 # Generated with: keymgr -t losurdo_${domainID}
189 "/run/credentials/knot.service/losurdo.conf"
190 ];
191 };
192 networking.nftables.ruleset = ''
193 table inet filter {
194 # Gandi DNS
195 set output-net-knot-ipv4 {
196 type ipv4_addr
197 elements = { 217.70.177.40 }
198 }
199 set output-net-knot-ipv6 {
200 type ipv6_addr
201 elements = { 2001:4b98:d:1::40 }
202 }
203 }
204 '';
205 security.gnupg.secrets = {
206 "knot/tsig/${domain}/acme.conf" = {
207 # Generated with: keymgr -t acme_${domainID}
208 user = users.knot.name;
209 };
210 };
211 systemd.services.knot = {
212 serviceConfig = {
213 LoadCredentialEncrypted = "losurdo.conf:${credentials}/knot/tsig/losurdo.conf.secret";
214 };
215 /*
216 preStart = ''
217 test ! -d "$CREDENTIALS_DIRECTORY" ||
218 ln -fns "$CREDENTIALS_DIRECTORY" /var/lib/knot/credentials
219 '';
220 */
221 after = [
222 gnupg.secrets."knot/tsig/${domain}/acme.conf".service
223 ];
224 wants = [
225 gnupg.secrets."knot/tsig/${domain}/acme.conf".service
226 ];
227 };
228 /* Useless since the zone is public
229 services.unbound.settings = {
230 stub-zone = {
231 name = domain;
232 stub-addr = "127.0.0.1@5353";
233 };
234 };
235 '';
236 */
237 }