1 { inputs, pkgs, lib, config, hosts, ... }:
3 domain = "sourcephile.fr";
4 domainID = lib.replaceStrings ["."] ["_"] domain;
5 inherit (config) networking;
6 inherit (config.security) gnupg;
7 inherit (config.services) knot;
8 inherit (config.users) users;
11 services.knot.zones."${domain}" = {
14 - id: acl_localhost_acme_${domainID}
18 update-owner-match: equal
19 update-owner-name: [_acme-challenge, _acme-challenge.hut, _acme-challenge.code]
21 - id: acl_tsig_acme_${domainID}
25 update-owner-match: equal
26 update-owner-name: [_acme-challenge]
28 - id: acl_tsig_bureau1_${domainID}
29 key: bureau1_${domainID}
32 update-owner-match: equal
33 update-owner-name: [bureau1, lan.losurdo]
34 update-type: [A, AAAA]
39 serial-policy: increment
41 notify: secondary_gandi
43 acl: acl_localhost_acme_${domainID}
44 acl: acl_tsig_acme_${domainID}
45 acl: acl_tsig_bureau1_${domainID}
48 - domain: whoami4.${domain}
50 file: "${pkgs.writeText "whoami4.zone" ''
52 @ SOA ns root.${domain}. (
61 ns A ${hosts.mermet.extraArgs.ipv4}
64 # TODO: increase the TTL once things have settled down
69 ; SOA (Start Of Authority)
71 ${toString inputs.self.lastModified} ; Serial number
74 1000h ; Expire (1000h)
82 ns.whoami4 A ${hosts.mermet.extraArgs.ipv4}
85 @ A ${hosts.mermet.extraArgs.ipv4}
86 mermet A ${hosts.mermet.extraArgs.ipv4}
87 autoconfig A ${hosts.mermet.extraArgs.ipv4}
88 doc A ${hosts.mermet.extraArgs.ipv4}
89 git A ${hosts.mermet.extraArgs.ipv4}
90 imap A ${hosts.mermet.extraArgs.ipv4}
91 mail A ${hosts.mermet.extraArgs.ipv4}
92 mails A ${hosts.mermet.extraArgs.ipv4}
93 news A ${hosts.mermet.extraArgs.ipv4}
94 public-inbox A ${hosts.mermet.extraArgs.ipv4}
95 ns A ${hosts.mermet.extraArgs.ipv4}
96 pop A ${hosts.mermet.extraArgs.ipv4}
97 smtp A ${hosts.mermet.extraArgs.ipv4}
98 submission A ${hosts.mermet.extraArgs.ipv4}
99 www A ${hosts.mermet.extraArgs.ipv4}
100 lemoutona5pattes A ${hosts.mermet.extraArgs.ipv4}
101 covid19 A ${hosts.mermet.extraArgs.ipv4}
102 croc A ${hosts.mermet.extraArgs.ipv4}
103 stun A ${hosts.mermet.extraArgs.ipv4}
104 turn A ${hosts.mermet.extraArgs.ipv4}
105 whoami A ${hosts.mermet.extraArgs.ipv4}
106 code A ${hosts.mermet.extraArgs.ipv4}
107 builds.code A ${hosts.mermet.extraArgs.ipv4}
108 dispatch.code A ${hosts.mermet.extraArgs.ipv4}
109 git.code A ${hosts.mermet.extraArgs.ipv4}
110 hg.code A ${hosts.mermet.extraArgs.ipv4}
111 hub.code A ${hosts.mermet.extraArgs.ipv4}
112 lists.code A ${hosts.mermet.extraArgs.ipv4}
113 meta.code A ${hosts.mermet.extraArgs.ipv4}
114 man.code A ${hosts.mermet.extraArgs.ipv4}
115 pages.code A ${hosts.mermet.extraArgs.ipv4}
116 paste.code A ${hosts.mermet.extraArgs.ipv4}
117 todo.code A ${hosts.mermet.extraArgs.ipv4}
119 ; CNAME (Canonical Name)
120 losurdo CNAME bureau1
121 openconcerto CNAME losurdo
125 cryptpad CNAME losurdo
126 cryptpad-api CNAME losurdo
127 cryptpad-files CNAME losurdo
128 cryptpad-sandbox CNAME losurdo
130 freeciv CNAME losurdo
131 nix-serve CNAME losurdo
132 nix-extracache CNAME losurdo
133 nix-localcache CNAME lan.losurdo
135 builds.hut CNAME builds.code
136 dispatch.hut CNAME dispatch.code
137 git.hut CNAME git.code
139 hub.hut CNAME hub.code
140 lists.hut CNAME lists.code
141 meta.hut CNAME meta.code
142 man.hut CNAME man.code
143 pages.hut CNAME pages.code
144 paste.hut CNAME paste.code
145 todo.hut CNAME todo.code
148 ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
149 _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"
151 ; SPF (Sender Policy Framework)
152 @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet.extraArgs.ipv4} -all"
156 lists.code 1800 MX 5 mail
157 todo.code 1800 MX 5 mail
160 _git._tcp.git 18000 IN SRV 0 0 9418 git
161 _stun._udp 18000 IN SRV 0 5 3478 stun
162 _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
163 _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
164 _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp
166 ; CAA (Certificate Authority Authorization)
167 ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
168 @ CAA 128 issue "letsencrypt.org"
171 users.groups.keys.members = [ users.knot.name ];
174 gnupg.secrets."knot/tsig/${domain}/acme.conf".path
175 gnupg.secrets."knot/tsig/${domain}/bureau1.conf".path
178 security.gnupg.secrets = {
179 "knot/tsig/${domain}/acme.conf" = {
180 # Generated with: keymgr -t acme_${domainID}
181 user = users.knot.name;
183 "knot/tsig/${domain}/bureau1.conf" = {
184 # Generated with: keymgr -t bureau1_${domainID}
185 user = users.knot.name;
188 systemd.services.knot = {
190 gnupg.secrets."knot/tsig/${domain}/acme.conf".service
191 gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
194 gnupg.secrets."knot/tsig/${domain}/acme.conf".service
195 gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
198 /* Useless since the zone is public
199 services.unbound.settings = {
202 stub-addr = "127.0.0.1@5353";