hosts/mermet/knot/sourcephile.fr.nix

   1 { inputs, pkgs, lib, config, hosts, ... }:
   2 let
   3   domain = "sourcephile.fr";
   4   domainID = lib.replaceStrings ["."] ["_"] domain;
   5   inherit (config) networking;
   6   inherit (config.security) gnupg;
   7   inherit (config.services) knot;
   8   inherit (config.users) users;
   9 in
  10 {
  11 services.knot.zones."${domain}" = {
  12   conf = ''
  13     acl:
  14       - id: acl_localhost_acme_${domainID}
  15         address: 127.0.0.1
  16         action: update
  17         update-owner: name
  18         update-owner-match: equal
  19         update-owner-name: [_acme-challenge, _acme-challenge.hut, _acme-challenge.code]
  20         update-type: [TXT]
  21       - id: acl_tsig_acme_${domainID}
  22         key: acme_${domainID}
  23         action: update
  24         update-owner: name
  25         update-owner-match: equal
  26         update-owner-name: [_acme-challenge]
  27         update-type: [TXT]
  28       - id: acl_tsig_bureau1_${domainID}
  29         key: bureau1_${domainID}
  30         action: update
  31         update-owner: name
  32         update-owner-match: equal
  33         update-owner-name: [bureau1, lan.losurdo]
  34         update-type: [A, AAAA]
  35
  36     zone:
  37       - domain: ${domain}
  38         file: ${domain}.zone
  39         serial-policy: increment
  40         semantic-checks: on
  41         notify: secondary_gandi
  42         acl: acl_gandi
  43         acl: acl_localhost_acme_${domainID}
  44         acl: acl_tsig_acme_${domainID}
  45         acl: acl_tsig_bureau1_${domainID}
  46         dnssec-signing: on
  47         dnssec-policy: rsa
  48       - domain: whoami4.${domain}
  49         module: mod-whoami
  50         file: "${pkgs.writeText "whoami4.zone" ''
  51           $TTL 1
  52           @ SOA ns root.${domain}. (
  53             0     ; SERIAL
  54             86400 ; REFRESH
  55             86400 ; RETRY
  56             86400 ; EXPIRE
  57             1 ; MINIMUM
  58           )
  59           $TTL 86400
  60           @ NS ns
  61           ns A ${hosts.mermet.extraArgs.ipv4}
  62         ''}"
  63   '';
  64   # TODO: increase the TTL once things have settled down
  65   data = ''
  66     $ORIGIN ${domain}.
  67     $TTL 500
  68
  69     ; SOA (Start Of Authority)
  70     @ SOA ns root (
  71       ${toString inputs.self.lastModified} ; Serial number
  72       24h   ; Refresh
  73       15m   ; Retry
  74       1000h ; Expire (1000h)
  75       1d    ; Negative caching
  76     )
  77
  78     ; NS (Name Server)
  79     @ NS ns
  80     @ NS ns6.gandi.net.
  81     whoami4 NS ns.whoami4
  82     ns.whoami4 A ${hosts.mermet.extraArgs.ipv4}
  83
  84     ; A (DNS -> IPv4)
  85     @            A ${hosts.mermet.extraArgs.ipv4}
  86     mermet       A ${hosts.mermet.extraArgs.ipv4}
  87     autoconfig   A ${hosts.mermet.extraArgs.ipv4}
  88     doc          A ${hosts.mermet.extraArgs.ipv4}
  89     git          A ${hosts.mermet.extraArgs.ipv4}
  90     imap         A ${hosts.mermet.extraArgs.ipv4}
  91     mail         A ${hosts.mermet.extraArgs.ipv4}
  92     mails        A ${hosts.mermet.extraArgs.ipv4}
  93     news         A ${hosts.mermet.extraArgs.ipv4}
  94     public-inbox A ${hosts.mermet.extraArgs.ipv4}
  95     ns           A ${hosts.mermet.extraArgs.ipv4}
  96     pop          A ${hosts.mermet.extraArgs.ipv4}
  97     smtp         A ${hosts.mermet.extraArgs.ipv4}
  98     submission   A ${hosts.mermet.extraArgs.ipv4}
  99     www          A ${hosts.mermet.extraArgs.ipv4}
 100     lemoutona5pattes A ${hosts.mermet.extraArgs.ipv4}
 101     covid19      A ${hosts.mermet.extraArgs.ipv4}
 102     croc         A ${hosts.mermet.extraArgs.ipv4}
 103     stun         A ${hosts.mermet.extraArgs.ipv4}
 104     turn         A ${hosts.mermet.extraArgs.ipv4}
 105     whoami       A ${hosts.mermet.extraArgs.ipv4}
 106     code          A ${hosts.mermet.extraArgs.ipv4}
 107     builds.code   A ${hosts.mermet.extraArgs.ipv4}
 108     dispatch.code A ${hosts.mermet.extraArgs.ipv4}
 109     git.code      A ${hosts.mermet.extraArgs.ipv4}
 110     hg.code       A ${hosts.mermet.extraArgs.ipv4}
 111     hub.code      A ${hosts.mermet.extraArgs.ipv4}
 112     lists.code    A ${hosts.mermet.extraArgs.ipv4}
 113     meta.code     A ${hosts.mermet.extraArgs.ipv4}
 114     man.code      A ${hosts.mermet.extraArgs.ipv4}
 115     pages.code    A ${hosts.mermet.extraArgs.ipv4}
 116     paste.code    A ${hosts.mermet.extraArgs.ipv4}
 117     todo.code     A ${hosts.mermet.extraArgs.ipv4}
 118
 119     ; CNAME (Canonical Name)
 120     losurdo          CNAME bureau1
 121     openconcerto     CNAME losurdo
 122     xmpp             CNAME mermet
 123     tmp              CNAME mermet
 124     proxy65          CNAME mermet
 125     cryptpad         CNAME losurdo
 126     cryptpad-api     CNAME losurdo
 127     cryptpad-files   CNAME losurdo
 128     cryptpad-sandbox CNAME losurdo
 129     mumble           CNAME mermet
 130     freeciv          CNAME losurdo
 131     nix-serve        CNAME losurdo
 132     nix-extracache   CNAME losurdo
 133     nix-localcache   CNAME lan.losurdo
 134     hut              CNAME code
 135     builds.hut       CNAME builds.code
 136     dispatch.hut     CNAME dispatch.code
 137     git.hut          CNAME git.code
 138     hg.hut           CNAME hg.code
 139     hub.hut          CNAME hub.code
 140     lists.hut        CNAME lists.code
 141     meta.hut         CNAME meta.code
 142     man.hut          CNAME man.code
 143     pages.hut        CNAME pages.code
 144     paste.hut        CNAME paste.code
 145     todo.hut         CNAME todo.code
 146
 147     ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
 148     _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"
 149
 150     ; SPF (Sender Policy Framework)
 151     @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet.extraArgs.ipv4} -all"
 152
 153     ; MX (Mail eXchange)
 154     @ 1800 MX 5 mail
 155     lists.code 1800 MX 5 mail
 156     todo.code  1800 MX 5 mail
 157
 158     ; SRV (SeRVice)
 159     _git._tcp.git             18000 IN SRV 0 0 9418 git
 160     _stun._udp                18000 IN SRV 0 5 3478 stun
 161     _xmpp-client._tcp         18000 IN SRV 0 5 5222 xmpp
 162     _xmpp-server._tcp         18000 IN SRV 0 5 5269 xmpp
 163     _xmpp-server._tcp.salons  18000 IN SRV 0 5 5269 xmpp
 164
 165     ; CAA (Certificate Authority Authorization)
 166     ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
 167     @ CAA 128 issue "letsencrypt.org"
 168   '';
 169 };
 170 users.groups.keys.members = [ users.knot.name ];
 171 services.knot = {
 172   keyFiles = [
 173     gnupg.secrets."knot/tsig/${domain}/acme.conf".path
 174     gnupg.secrets."knot/tsig/${domain}/bureau1.conf".path
 175   ];
 176 };
 177 security.gnupg.secrets = {
 178   "knot/tsig/${domain}/acme.conf" = {
 179     # Generated with: keymgr -t acme_${domainID}
 180     user = users.knot.name;
 181   };
 182   "knot/tsig/${domain}/bureau1.conf" = {
 183     # Generated with: keymgr -t bureau1_${domainID}
 184     user = users.knot.name;
 185   };
 186 };
 187 systemd.services.knot = {
 188   after = [
 189     gnupg.secrets."knot/tsig/${domain}/acme.conf".service
 190     gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
 191   ];
 192   wants = [
 193     gnupg.secrets."knot/tsig/${domain}/acme.conf".service
 194     gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
 195   ];
 196 };
 197 /* Useless since the zone is public
 198 services.unbound.settings = {
 199   stub-zone = {
 200     name = domain;
 201     stub-addr = "127.0.0.1@5353";
 202   };
 203 };
 204 '';
 205 */
 206 }