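{ pkgs, lib, config, inputs, hosts, info, ... }:
# Authoritative DNS for sourcephile.fr, served by Knot on mermet.
#
# The zone content is generated from Nix (zoneData below), copied into Knot's
# zone directory by an ExecStartPre, DNSSEC-signed by Knot and pushed to
# Gandi's secondary (NOTIFY + AXFR).  Only two kinds of runtime (DDNS) change
# are allowed, see the ACLs below: the ACME DNS-01 challenge TXT record and
# the A/AAAA records of the losurdo host.
let
  domain = "sourcephile.fr";
  # "sourcephile_fr": the domain with dots replaced, used for ACL and TSIG
  # key identifiers where a dotted name would be confusing.
  domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
  # Owner of the installed zone file (see ExecStartPre below).
  inherit (config.users) users groups;
  zoneData =
    # TODO: increase the TTL once things have settled down
    ''
      $ORIGIN ${domain}.
      ; Deliberately short while records are still moving around; every record
      ; below that carries no explicit TTL inherits it.
      $TTL 500

      ; SOA (Start Of Authority)
      ; The serial is the Unix timestamp of the flake's last commit, so it grows
      ; with every committed change.  NOTE(review): on a dirty checkout the
      ; value presumably comes from the working tree rather than a commit --
      ; confirm before relying on it to make the secondary pick up a change.
      @ SOA ns root (
        ${toString inputs.self.lastModified} ; Serial number
        24h   ; Refresh
        15m   ; Retry
        1000h ; Expire
        1d    ; Negative caching
      )

      ; NS (Name Server)
      @ NS ns
      @ NS ${info.gandi.dns.secondary.ns.name}.
      ; "i" (iodine tunnel) is delegated to this server, but the matching zone
      ; is commented out in the Knot config below, so the delegation currently
      ; points at a server that does not serve it.
      i NS ns
      ; Delegation plus glue for the whoami4 zone served by mod-whoami below.
      whoami4 NS ns.whoami4
      ns.whoami4 A ${hosts.mermet._module.args.ipv4}

      ; A (DNS -> IPv4)
      ; Everything here lives on mermet.  losurdo has no static address in this
      ; zone: its A/AAAA records are pushed by DDNS (acl_tsig_losurdo below).
      @ A ${hosts.mermet._module.args.ipv4}
      mermet A ${hosts.mermet._module.args.ipv4}
      autoconfig A ${hosts.mermet._module.args.ipv4}
      doc A ${hosts.mermet._module.args.ipv4}
      git A ${hosts.mermet._module.args.ipv4}
      imap A ${hosts.mermet._module.args.ipv4}
      mail A ${hosts.mermet._module.args.ipv4}
      mails A ${hosts.mermet._module.args.ipv4}
      news A ${hosts.mermet._module.args.ipv4}
      public-inbox A ${hosts.mermet._module.args.ipv4}
      ns A ${hosts.mermet._module.args.ipv4}
      pop A ${hosts.mermet._module.args.ipv4}
      smtp A ${hosts.mermet._module.args.ipv4}
      submission A ${hosts.mermet._module.args.ipv4}
      www A ${hosts.mermet._module.args.ipv4}
      lemoutona5pattes A ${hosts.mermet._module.args.ipv4}
      croc A ${hosts.mermet._module.args.ipv4}
      stun A ${hosts.mermet._module.args.ipv4}
      turn A ${hosts.mermet._module.args.ipv4}
      whoami A ${hosts.mermet._module.args.ipv4}
      code A ${hosts.mermet._module.args.ipv4}
      miniflux A ${hosts.mermet._module.args.ipv4}

      ; CNAME (Canonical Name)
      ; nix-localcache points at lan.losurdo, whose address is also set by DDNS;
      ; whatever losurdo pushes there is published in public DNS.
      openconcerto CNAME losurdo
      xmpp CNAME mermet
      salons CNAME mermet
      tmp CNAME mermet
      proxy65 CNAME mermet
      cryptpad CNAME losurdo
      cryptpad-api CNAME losurdo
      cryptpad-files CNAME losurdo
      cryptpad-sandbox CNAME losurdo
      mumble CNAME mermet
      freeciv CNAME losurdo
      nix-serve CNAME losurdo
      nix-extracache CNAME losurdo
      nix-localcache CNAME lan.losurdo
      sftp CNAME losurdo

      ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
      ; p=none only asks receivers to report (rua/ruf), never to quarantine or
      ; reject spoofed mail; move to p=quarantine/p=reject once the aggregate
      ; reports show every legitimate sender passes.  No DKIM selector record
      ; appears in this zone data, so alignment currently depends on SPF alone.
      _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"

      ; SPF (Sender Policy Framework)
      ; Hard fail (-all) for anything not sent from mermet's IPv4 address.
      ; There is no ip6: mechanism: mail sent by mermet over IPv6 would fail SPF.
      ; No MX record is published in this zone, so "mx" matches nothing and
      ; inbound mail relies on the apex A record (RFC 5321 implicit MX).
      @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet._module.args.ipv4} -all"

      ; SRV (SeRVice)
      ; git:// on 9418 carries no authentication or encryption; it should only
      ; ever expose public repositories.
      _git._tcp.git 18000 IN SRV 0 0 9418 git
      _stun._udp 18000 IN SRV 0 5 3478 stun
      _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
      _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
      _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp
      _xmpps-client._tcp 18000 IN SRV 0 5 5223 xmpp
      _xmpps-server._tcp 18000 IN SRV 0 5 5270 xmpp
      _xmpps-server._tcp.salons 18000 IN SRV 0 5 5270 xmpp

      ; CAA (Certificate Authority Authorization)
      ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
      ; Only Let's Encrypt may issue; flag 128 marks the record issuer-critical.
      ; There is no issuewild record, so this issue record also governs
      ; wildcard certificates (RFC 8659).
      @ CAA 128 issue "letsencrypt.org"
    '';
in
{
  services.knot.settingsFreeform = {
    # Forwarding target for the iodine tunnel zone; only referenced by
    # proxy_iodine, which itself is only used by the commented-out "i" zone.
    remote.ns_iodine.address = "127.0.0.1@1053";
    # ACME DNS-01 challenge from a client on this host.  There is no TSIG key:
    # any process that can reach 127.0.0.1 may rewrite the record.  The damage
    # is bounded by the owner/type restrictions: exactly the apex
    # _acme-challenge name (no sub-labels, so per RFC 8555 only the apex and
    # a wildcard can be validated this way) and TXT records only.
    acl."acl_localhost_acme_${domainID}" = {
      address = "127.0.0.1";
      action = "update";
      update-owner = "name";
      update-owner-match = "equal";
      update-owner-name = [ "_acme-challenge" ];
      update-type = [ "TXT" ];
    };
    # Same restriction for a remote ACME client that authenticates with the
    # acme_<domainID> TSIG key (expected in the acme.conf credential below).
    acl."acl_tsig_acme_${domainID}" = {
      key = "acme_${domainID}";
      action = "update";
      update-owner = "name";
      update-owner-match = "equal";
      update-owner-name = [ "_acme-challenge" ];
      update-type = [ "TXT" ];
    };
    # losurdo publishes its own public and LAN addresses with its TSIG key;
    # it may only touch those two owner names and only A/AAAA records.
    # The owner list is a Nix list like the sibling ACLs, rather than the
    # string "[losurdo, lan.losurdo]", so that its rendering does not depend
    # on the config generator passing the string through unquoted.
    acl."acl_tsig_losurdo_${domainID}" = {
      key = "losurdo_${domainID}";
      action = "update";
      update-owner = "name";
      update-owner-match = "equal";
      update-owner-name = [ "losurdo" "lan.losurdo" ];
      update-type = [ "A" "AAAA" ];
    };
    # Proxies queries for the tunnel zone to the iodine daemon, never
    # answering from local data (fallback off).
    mod-dnsproxy.proxy_iodine = {
      remote = "ns_iodine";
      fallback = "off";
    };
    zone."${domain}" = {
      # Relative to Knot's zone directory; installed there from zoneData by
      # the ExecStartPre below.
      file = "${domain}.zone";
      serial-policy = "increment";
      semantic-checks = true;
      # secondary_gandi (NOTIFY target) and acl_gandi (AXFR client) are
      # defined outside this file.
      notify = [
        "secondary_gandi"
      ];
      acl = [
        "acl_gandi"
        "acl_localhost_acme_${domainID}"
        "acl_tsig_acme_${domainID}"
        "acl_tsig_losurdo_${domainID}"
      ];
      # Knot signs the zone itself.  The "rsa" policy is defined outside this
      # file -- NOTE(review): check its key sizes; an ECDSA P-256 policy would
      # give smaller signatures and responses.
      dnssec-signing = true;
      dnssec-policy = "rsa";
    };
    # Tunnel zone, kept for reference; the "i NS ns" delegation in the parent
    # zone stays in place while this is disabled.
    #zone."i.${domain}" = {
    #  module = "mod-dnsproxy/proxy_iodine";
    #};
    # mod-whoami reflects the querier's own address in its answer; the 1s
    # SOA minimum presumably keeps such answers from being cached.
    zone."whoami4.${domain}" = {
      module = "mod-whoami";
      file = pkgs.writeText "whoami4.zone" ''
        $TTL 1
        @ SOA ns root.${domain}. (
          0     ; SERIAL
          86400 ; REFRESH
          86400 ; RETRY
          86400 ; EXPIRE
          1     ; MINIMUM
        )
        $TTL 86400
        @ NS ns
        ns A ${hosts.mermet._module.args.ipv4}
      '';
    };
  };
  services.knot = {
    # TSIG key definitions, decrypted into /run/credentials by systemd at
    # service start (see LoadCredentialEncrypted below); never in the Nix
    # store in clear.
    keyFiles = [
      "/run/credentials/knot.service/${domain}.acme.conf"
      # Generated with: keymgr -t losurdo_${domainID}
      "/run/credentials/knot.service/losurdo.conf"
    ];
  };
  systemd.services.knot = {
    serviceConfig = {
      # Runs as root ("+" prefix) before Knot starts: copies the generated
      # zone out of the read-only store into Knot's writable zone directory.
      # 0600 owned by knot: Knot reads it and, since it signs the zone and
      # accepts DDNS, may rewrite it; nobody else needs access and a data
      # file needs no execute bit.
      ExecStartPre = [
        ''
          +${pkgs.coreutils}/bin/install -D -o ${users.knot.name} -g ${groups."knot".name} -m 600 \
            ${pkgs.writeText "${domain}.zone" zoneData} \
            /var/lib/knot/zones/${domain}.zone
        ''
      ];
      # Credential names must match the paths listed in services.knot.keyFiles.
      # The .cred files are encrypted for this host, which is what makes
      # referencing them from the (world-readable) store acceptable.
      LoadCredentialEncrypted = [
        "${domain}.acme.conf:${./. + "/${domain}/acme.conf.cred"}"
        "losurdo.conf:${./. + "/${domain}/losurdo.conf.cred"}"
      ];
    };
  };
  # Address sets holding Gandi's AXFR source addresses; the filter rules that
  # consume them are defined elsewhere in the configuration.
  networking.nftables.ruleset = ''
    table inet filter {
      set output-net-knot-ipv4 { type ipv4_addr; elements = { ${info.gandi.dns.secondary.axfr.ipv4} }; }
      set output-net-knot-ipv6 { type ipv6_addr; elements = { ${info.gandi.dns.secondary.axfr.ipv6} }; }
    }
  '';
  /* Useless since the zone is public
  services.unbound.settings = {
    stub-zone = {
      name = domain;
      stub-addr = "127.0.0.1@5353";
    };
  };
  */
}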
194 '';
195 */
196 }