]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/knot/sourcephile.fr.nix
losurdo: zfs: fix setup
[sourcephile-nix.git] / hosts / mermet / knot / sourcephile.fr.nix
1 { inputs, pkgs, lib, config, hosts, ... }:
2 let
3 domain = "sourcephile.fr";
4 domainID = lib.replaceStrings ["."] ["_"] domain;
5 inherit (config) networking;
6 inherit (config.security) gnupg;
7 inherit (config.services) knot;
8 inherit (config.users) users;
9 in
10 {
11 services.knot.zones."${domain}" = {
12 conf = ''
13 acl:
14 - id: acl_localhost_acme_${domainID}
15 address: 127.0.0.1
16 action: update
17 update-owner: name
18 update-owner-match: equal
19 update-owner-name: [_acme-challenge, _acme-challenge.hut, _acme-challenge.code]
20 update-type: [TXT]
21 - id: acl_tsig_acme_${domainID}
22 key: acme_${domainID}
23 action: update
24 update-owner: name
25 update-owner-match: equal
26 update-owner-name: [_acme-challenge]
27 update-type: [TXT]
28 - id: acl_tsig_bureau1_${domainID}
29 key: bureau1_${domainID}
30 action: update
31 update-owner: name
32 update-owner-match: equal
33 update-owner-name: [bureau1, lan.losurdo]
34 update-type: [A, AAAA]
35
36 zone:
37 - domain: ${domain}
38 file: ${domain}.zone
39 serial-policy: increment
40 semantic-checks: on
41 notify: secondary_gandi
42 acl: acl_gandi
43 acl: acl_localhost_acme_${domainID}
44 acl: acl_tsig_acme_${domainID}
45 acl: acl_tsig_bureau1_${domainID}
46 dnssec-signing: on
47 dnssec-policy: rsa
48 - domain: whoami4.${domain}
49 module: mod-whoami
50 file: "${pkgs.writeText "whoami4.zone" ''
51 $TTL 1
52 @ SOA ns root.${domain}. (
53 0 ; SERIAL
54 86400 ; REFRESH
55 86400 ; RETRY
56 86400 ; EXPIRE
57 1 ; MINIMUM
58 )
59 $TTL 86400
60 @ NS ns
61 ns A ${hosts.mermet.extraArgs.ipv4}
62 ''}"
63 '';
64 # TODO: increase the TTL once things have settled down
65 data = ''
66 $ORIGIN ${domain}.
67 $TTL 500
68
69 ; SOA (Start Of Authority)
70 @ SOA ns root (
71 ${toString inputs.self.lastModified} ; Serial number
72 24h ; Refresh
73 15m ; Retry
74 1000h ; Expire (1000h)
75 1d ; Negative caching
76 )
77
78 ; NS (Name Server)
79 @ NS ns
80 @ NS ns6.gandi.net.
81 whoami4 NS ns.whoami4
82 ns.whoami4 A ${hosts.mermet.extraArgs.ipv4}
83
84 ; A (DNS -> IPv4)
85 @ A ${hosts.mermet.extraArgs.ipv4}
86 mermet A ${hosts.mermet.extraArgs.ipv4}
87 autoconfig A ${hosts.mermet.extraArgs.ipv4}
88 doc A ${hosts.mermet.extraArgs.ipv4}
89 git A ${hosts.mermet.extraArgs.ipv4}
90 imap A ${hosts.mermet.extraArgs.ipv4}
91 mail A ${hosts.mermet.extraArgs.ipv4}
92 mails A ${hosts.mermet.extraArgs.ipv4}
93 news A ${hosts.mermet.extraArgs.ipv4}
94 public-inbox A ${hosts.mermet.extraArgs.ipv4}
95 ns A ${hosts.mermet.extraArgs.ipv4}
96 pop A ${hosts.mermet.extraArgs.ipv4}
97 smtp A ${hosts.mermet.extraArgs.ipv4}
98 submission A ${hosts.mermet.extraArgs.ipv4}
99 www A ${hosts.mermet.extraArgs.ipv4}
100 lemoutona5pattes A ${hosts.mermet.extraArgs.ipv4}
101 covid19 A ${hosts.mermet.extraArgs.ipv4}
102 croc A ${hosts.mermet.extraArgs.ipv4}
103 stun A ${hosts.mermet.extraArgs.ipv4}
104 turn A ${hosts.mermet.extraArgs.ipv4}
105 whoami A ${hosts.mermet.extraArgs.ipv4}
106 code A ${hosts.mermet.extraArgs.ipv4}
107 builds.code A ${hosts.mermet.extraArgs.ipv4}
108 dispatch.code A ${hosts.mermet.extraArgs.ipv4}
109 git.code A ${hosts.mermet.extraArgs.ipv4}
110 hg.code A ${hosts.mermet.extraArgs.ipv4}
111 hub.code A ${hosts.mermet.extraArgs.ipv4}
112 lists.code A ${hosts.mermet.extraArgs.ipv4}
113 meta.code A ${hosts.mermet.extraArgs.ipv4}
114 man.code A ${hosts.mermet.extraArgs.ipv4}
115 pages.code A ${hosts.mermet.extraArgs.ipv4}
116 paste.code A ${hosts.mermet.extraArgs.ipv4}
117 todo.code A ${hosts.mermet.extraArgs.ipv4}
118
119 ; CNAME (Canonical Name)
120 losurdo CNAME bureau1
121 openconcerto CNAME losurdo
122 xmpp CNAME mermet
123 tmp CNAME mermet
124 proxy65 CNAME mermet
125 cryptpad CNAME losurdo
126 cryptpad-api CNAME losurdo
127 cryptpad-files CNAME losurdo
128 cryptpad-sandbox CNAME losurdo
129 mumble CNAME mermet
130 freeciv CNAME losurdo
131 nix-serve CNAME losurdo
132 nix-extracache CNAME losurdo
133 nix-localcache CNAME lan.losurdo
134 hut CNAME code
135 builds.hut CNAME builds.code
136 dispatch.hut CNAME dispatch.code
137 git.hut CNAME git.code
138 hg.hut CNAME hg.code
139 hub.hut CNAME hub.code
140 lists.hut CNAME lists.code
141 meta.hut CNAME meta.code
142 man.hut CNAME man.code
143 pages.hut CNAME pages.code
144 paste.hut CNAME paste.code
145 todo.hut CNAME todo.code
146 sftp CNAME losurdo
147
148 ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
149 _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"
150
151 ; SPF (Sender Policy Framework)
152 @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet.extraArgs.ipv4} -all"
153
154 ; MX (Mail eXchange)
155 @ 1800 MX 5 mail
156 lists.code 1800 MX 5 mail
157 todo.code 1800 MX 5 mail
158
159 ; SRV (SeRVice)
160 _git._tcp.git 18000 IN SRV 0 0 9418 git
161 _stun._udp 18000 IN SRV 0 5 3478 stun
162 _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
163 _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
164 _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp
165
166 ; CAA (Certificate Authority Authorization)
167 ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
168 @ CAA 128 issue "letsencrypt.org"
169 '';
170 };
171 users.groups.keys.members = [ users.knot.name ];
172 services.knot = {
173 keyFiles = [
174 gnupg.secrets."knot/tsig/${domain}/acme.conf".path
175 gnupg.secrets."knot/tsig/${domain}/bureau1.conf".path
176 ];
177 };
178 security.gnupg.secrets = {
179 "knot/tsig/${domain}/acme.conf" = {
180 # Generated with: keymgr -t acme_${domainID}
181 user = users.knot.name;
182 };
183 "knot/tsig/${domain}/bureau1.conf" = {
184 # Generated with: keymgr -t bureau1_${domainID}
185 user = users.knot.name;
186 };
187 };
188 systemd.services.knot = {
189 after = [
190 gnupg.secrets."knot/tsig/${domain}/acme.conf".service
191 gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
192 ];
193 wants = [
194 gnupg.secrets."knot/tsig/${domain}/acme.conf".service
195 gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
196 ];
197 };
198 /* Useless since the zone is public
199 services.unbound.settings = {
200 stub-zone = {
201 name = domain;
202 stub-addr = "127.0.0.1@5353";
203 };
204 };
205 '';
206 */
207 }