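{ pkgs, lib, config, inputs, hostName, hosts, ... }:
# Knot DNS configuration of the sourcephile.fr zone on host mermet:
# the Knot-native zone configuration (remotes, ACLs, modules, zone entries),
# the static zone data, the TSIG key files loaded as systemd credentials,
# and the nftables sets naming the Gandi secondary name server.
let
  domain = "sourcephile.fr";
  # Variant of the domain usable inside Knot identifiers (dots replaced by underscores).
  domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
  # Public IPv4 address of mermet, the host serving most names of this zone.
  ipv4 = hosts.mermet._module.args.ipv4;
in
{
  services.knot = {
    zones."${domain}" = {
      conf = ''
        remote:
          # Local iodine name server, reached through mod-dnsproxy (see below).
          - id: ns_iodine
            address: 127.0.0.1@1053
        acl:
          # Unauthenticated dynamic updates from localhost, restricted to the
          # _acme-challenge TXT record (ACME DNS-01 challenge): any local process
          # may rewrite that record, but nothing else in the zone.
          - id: acl_localhost_acme_${domainID}
            address: 127.0.0.1
            action: update
            update-owner: name
            update-owner-match: equal
            update-owner-name: [_acme-challenge]
            update-type: [TXT]
          # Same restriction, but authenticated with the TSIG key acme_<domainID>,
          # loaded from the acme.conf credential below.
          - id: acl_tsig_acme_${domainID}
            key: acme_${domainID}
            action: update
            update-owner: name
            update-owner-match: equal
            update-owner-name: [_acme-challenge]
            update-type: [TXT]
          # Host losurdo may only update its own A/AAAA records (losurdo and
          # lan.losurdo), authenticated with the TSIG key losurdo_<domainID>.
          - id: acl_tsig_losurdo_${domainID}
            key: losurdo_${domainID}
            action: update
            update-owner: name
            update-owner-match: equal
            update-owner-name: [losurdo, lan.losurdo]
            update-type: [A, AAAA]

        mod-dnsproxy:
          # Forward queries to the iodine remote, with no fallback to local zone data.
          - id: proxy_iodine
            remote: ns_iodine
            fallback: off

        zone:
          - domain: ${domain}
            file: ${domain}.zone
            serial-policy: increment
            semantic-checks: on
            # secondary_gandi, acl_gandi and the DNSSEC policy named rsa are not
            # defined in this file; presumably in the shared Knot configuration
            # of this host (verify when changing them).
            notify: secondary_gandi
            acl: acl_gandi
            acl: acl_localhost_acme_${domainID}
            acl: acl_tsig_acme_${domainID}
            acl: acl_tsig_losurdo_${domainID}
            dnssec-signing: on
            dnssec-policy: rsa

          # Subzone delegated to the iodine server through the proxy module.
          - domain: i.${domain}
            module: mod-dnsproxy/proxy_iodine

          # Subzone served by mod-whoami; its minimal zone file is generated
          # at build time with a TTL of 1 second for its apex.
          - domain: whoami4.${domain}
            module: mod-whoami
            file: "${pkgs.writeText "whoami4.zone" ''
              $TTL 1
              @ SOA ns root.${domain}. (
                0 ; SERIAL
                86400 ; REFRESH
                86400 ; RETRY
                86400 ; EXPIRE
                1 ; MINIMUM
              )
              $TTL 86400
              @ NS ns
              ns A ${ipv4}
            ''}"
      '';
      # TODO: increase the TTL once things have settled down
      data = ''
        $ORIGIN ${domain}.
        $TTL 500

        ; SOA (Start Of Authority)
        @ SOA ns root (
          ${toString inputs.self.lastModified} ; Serial number (last modification time of this flake)
          24h ; Refresh
          15m ; Retry
          1000h ; Expire (1000h)
          1d ; Negative caching
        )

        ; NS (Name Server)
        @ NS ns
        @ NS ns6.gandi.net.
        i NS ns
        whoami4 NS ns.whoami4
        ns.whoami4 A ${ipv4}

        ; A (DNS -> IPv4)
        ; losurdo and lan.losurdo have no static record here: they are maintained
        ; by dynamic updates allowed through acl_tsig_losurdo in the Knot conf.
        @ A ${ipv4}
        mermet A ${ipv4}
        autoconfig A ${ipv4}
        doc A ${ipv4}
        git A ${ipv4}
        imap A ${ipv4}
        mail A ${ipv4}
        mails A ${ipv4}
        news A ${ipv4}
        public-inbox A ${ipv4}
        ns A ${ipv4}
        pop A ${ipv4}
        smtp A ${ipv4}
        submission A ${ipv4}
        www A ${ipv4}
        lemoutona5pattes A ${ipv4}
        covid19 A ${ipv4}
        croc A ${ipv4}
        stun A ${ipv4}
        turn A ${ipv4}
        whoami A ${ipv4}
        code A ${ipv4}
        miniflux A ${ipv4}

        ; CNAME (Canonical Name)
        openconcerto CNAME losurdo
        xmpp CNAME mermet
        tmp CNAME mermet
        proxy65 CNAME mermet
        cryptpad CNAME losurdo
        cryptpad-api CNAME losurdo
        cryptpad-files CNAME losurdo
        cryptpad-sandbox CNAME losurdo
        mumble CNAME mermet
        freeciv CNAME losurdo
        nix-serve CNAME losurdo
        nix-extracache CNAME losurdo
        nix-localcache CNAME lan.losurdo
        sftp CNAME losurdo

        ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
        ; p=none is a monitoring-only policy: receivers are asked to report
        ; (rua/ruf) but not to quarantine or reject failing mail.
        _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@${domain}; ruf=mailto:root+dmarc+forensic@${domain}"

        ; SPF (Sender Policy Framework)
        ; Only the MX hosts and the mermet IPv4 address may send mail for this domain.
        @ 3600 IN TXT "v=spf1 mx ip4:${ipv4} -all"

        ; SRV (SeRVice)
        _git._tcp.git 18000 IN SRV 0 0 9418 git
        _stun._udp 18000 IN SRV 0 5 3478 stun
        _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
        _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
        _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp

        ; CAA (Certificate Authority Authorization)
        ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
        ; Flag 128 marks the record as critical for CAs.
        @ CAA 128 issue "letsencrypt.org"
      '';
    };
    # TSIG key files, provided by systemd from the encrypted credentials below.
    keyFiles = [
      "/run/credentials/knot.service/${domain}.acme.conf"
      # Generated with: keymgr -t losurdo_${domainID}
      "/run/credentials/knot.service/losurdo.conf"
    ];
  };
  systemd.services.knot.serviceConfig = {
    # Encrypted credentials stored in the repository, decrypted by systemd at
    # service start under /run/credentials/knot.service/ (see keyFiles above).
    LoadCredentialEncrypted = [
      "${domain}.acme.conf:${inputs.self}/hosts/${hostName}/knot/${domain}/acme.conf.cred"
      "losurdo.conf:${inputs.self}/hosts/${hostName}/knot/${domain}/losurdo.conf.cred"
    ];
  };
  # Addresses of the Gandi name server; the rules consuming these sets
  # are not defined in this file.
  networking.nftables.ruleset = ''
    table inet filter {
      # Gandi DNS
      set output-net-knot-ipv4 {
        type ipv4_addr
        elements = { 217.70.177.40 }
      }
      set output-net-knot-ipv6 {
        type ipv6_addr
        elements = { 2001:4b98:d:1::40 }
      }
    }
  '';
  /* Useless since the zone is public
  services.unbound.settings = {
    stub-zone = {
      name = domain;
      stub-addr = "127.0.0.1@5353";
    };
  };
  */
}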