# Knot DNS configuration for the public zone sourcephile.fr on host mermet:
# the authoritative zone data, the dynamic-update (DDNS) ACLs used by ACME
# clients and by the "bureau1" host, DNSSEC signing of the zone, and the
# TSIG key files that are pulled from gnupg-managed secrets.
#
# Names referenced but NOT defined in this file (they live elsewhere in the
# Knot configuration of this host): the `acl_gandi` ACL, the
# `secondary_gandi` remote used for NOTIFY, and the `rsa` dnssec-policy.
{ inputs, pkgs, lib, config, hosts, ... }:
let
  domain = "sourcephile.fr";
  # `domain` with every dot replaced by an underscore; it is used below to
  # build the Knot acl/key identifiers (e.g. acme_sourcephile_fr).
  domainID = lib.replaceStrings ["."] ["_"] domain;
  # NOTE(review): `networking` and `knot` are not referenced anywhere below;
  # they look like leftovers and could be dropped.
  inherit (config) networking;
  inherit (config.security) gnupg;
  inherit (config.services) knot;
  inherit (config.users) users;
in
{
  services.knot.zones."${domain}" = {
    # Security notes on the dynamic-update ACLs declared in `conf`:
    #
    # * acl_localhost_acme_*: address-based (127.0.0.1) and NOT keyed, so any
    #   process on this host that can reach Knot on loopback may rewrite the
    #   TXT records at _acme-challenge, _acme-challenge.hut and
    #   _acme-challenge.code. Those are exactly the records a CA checks for
    #   DNS-01 validation, i.e. the set of local users/services on mermet is
    #   effectively the trust boundary for certificate issuance of the apex
    #   (and, per the DNS-01 rules, the wildcard) as well as hut./code.
    #   `update-type: [TXT]` keeps such a client from touching A/CNAME/NS.
    # * acl_tsig_acme_*: same purpose but authenticated with the acme TSIG
    #   key (see `keyFiles` below) and narrower: only the apex
    #   _acme-challenge owner, TXT only.
    # * acl_tsig_bureau1_*: the holder of the bureau1 TSIG key may set the
    #   A/AAAA records of `bureau1` and `lan.losurdo`. There is no static
    #   A/AAAA for either name in `data`; they exist only through this ACL.
    #   Because `losurdo` is a CNAME to `bureau1` and cryptpad*, openconcerto,
    #   freeciv, nix-serve, nix-extracache and sftp are CNAMEs to `losurdo`
    #   (nix-localcache to `lan.losurdo`), that key effectively decides where
    #   all of those service names resolve — treat it accordingly.
    # * `update-owner-match: equal` means only the listed owner names
    #   themselves can be updated, not anything beneath them.
    #
    # Notes on the zone entries:
    # * The main zone is DNSSEC-signed by Knot (`dnssec-signing: on`) using
    #   the `rsa` policy defined elsewhere; `semantic-checks: on` rejects
    #   malformed zone content on load.
    # * `serial-policy: increment` lets Knot bump the SOA serial itself on
    #   DDNS updates and re-signing; the starting serial comes from `data`
    #   (see there).
    # * The whoami4.${domain} sub-zone is served by mod-whoami and is NOT
    #   signed, and the parent data below carries no DS record for it, so
    #   that delegation is an insecure (unsigned) one. Presumably intended,
    #   since mod-whoami synthesizes answers from the querier's address —
    #   TODO confirm.
    conf = ''
      acl:
        - id: acl_localhost_acme_${domainID}
          address: 127.0.0.1
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [_acme-challenge, _acme-challenge.hut, _acme-challenge.code]
          update-type: [TXT]
        - id: acl_tsig_acme_${domainID}
          key: acme_${domainID}
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [_acme-challenge]
          update-type: [TXT]
        - id: acl_tsig_bureau1_${domainID}
          key: bureau1_${domainID}
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [bureau1, lan.losurdo]
          update-type: [A, AAAA]

      zone:
        - domain: ${domain}
          file: ${domain}.zone
          serial-policy: increment
          semantic-checks: on
          notify: secondary_gandi
          acl: acl_gandi
          acl: acl_localhost_acme_${domainID}
          acl: acl_tsig_acme_${domainID}
          acl: acl_tsig_bureau1_${domainID}
          dnssec-signing: on
          dnssec-policy: rsa
        - domain: whoami4.${domain}
          module: mod-whoami
          file: "${pkgs.writeText "whoami4.zone" ''
            $TTL 1
            @ SOA ns root.${domain}. (
              0 ; SERIAL
              86400 ; REFRESH
              86400 ; RETRY
              86400 ; EXPIRE
              1 ; MINIMUM
            )
            $TTL 86400
            @ NS ns
            ns A ${hosts.mermet._module.args.ipv4}
          ''}"
    '';
    # TODO: increase the TTL once things have settled down
    #
    # Notes on the zone data:
    # * The SOA serial is the flake's `lastModified` (seconds since the
    #   epoch), so every deployment of a newer checkout yields a larger
    #   serial. NOTE(review): Knot also increments the serial on DDNS/
    #   re-signing (serial-policy above); how a reloaded file serial that is
    #   not above the journal serial is handled is not visible here — verify
    #   against the Knot version in use.
    # * DMARC is `p=none`: receivers only report (to the rua/ruf addresses),
    #   they do not quarantine or reject spoofed mail. Consider moving to
    #   `p=quarantine`/`p=reject` once the aggregate reports are clean.
    # * SPF is a hard fail (`-all`) for anything other than the MX hosts and
    #   mermet's IPv4.
    # * CAA has the critical flag (128) and allows issuance by
    #   letsencrypt.org only; there is no `issuewild` tag, so wildcard
    #   issuance falls back to this `issue` tag, and no `iodef` contact.
    # * `bureau1` and `lan.losurdo` deliberately have no static address
    #   records: they are populated only through the bureau1 TSIG ACL.
    # * `whoami4` is delegated to `ns.whoami4` with in-zone glue; there is no
    #   DS record, so the delegation is unsigned (see notes on `conf`).
    data = ''
      $ORIGIN ${domain}.
      $TTL 500

      ; SOA (Start Of Authority)
      @ SOA ns root (
        ${toString inputs.self.lastModified} ; Serial number
        24h ; Refresh
        15m ; Retry
        1000h ; Expire (1000h)
        1d ; Negative caching
      )

      ; NS (Name Server)
      @ NS ns
      @ NS ns6.gandi.net.
      whoami4 NS ns.whoami4
      ns.whoami4 A ${hosts.mermet._module.args.ipv4}

      ; A (DNS -> IPv4)
      @ A ${hosts.mermet._module.args.ipv4}
      mermet A ${hosts.mermet._module.args.ipv4}
      autoconfig A ${hosts.mermet._module.args.ipv4}
      doc A ${hosts.mermet._module.args.ipv4}
      git A ${hosts.mermet._module.args.ipv4}
      imap A ${hosts.mermet._module.args.ipv4}
      mail A ${hosts.mermet._module.args.ipv4}
      mails A ${hosts.mermet._module.args.ipv4}
      news A ${hosts.mermet._module.args.ipv4}
      public-inbox A ${hosts.mermet._module.args.ipv4}
      ns A ${hosts.mermet._module.args.ipv4}
      pop A ${hosts.mermet._module.args.ipv4}
      smtp A ${hosts.mermet._module.args.ipv4}
      submission A ${hosts.mermet._module.args.ipv4}
      www A ${hosts.mermet._module.args.ipv4}
      lemoutona5pattes A ${hosts.mermet._module.args.ipv4}
      covid19 A ${hosts.mermet._module.args.ipv4}
      croc A ${hosts.mermet._module.args.ipv4}
      stun A ${hosts.mermet._module.args.ipv4}
      turn A ${hosts.mermet._module.args.ipv4}
      whoami A ${hosts.mermet._module.args.ipv4}
      code A ${hosts.mermet._module.args.ipv4}
      builds.code A ${hosts.mermet._module.args.ipv4}
      dispatch.code A ${hosts.mermet._module.args.ipv4}
      git.code A ${hosts.mermet._module.args.ipv4}
      hg.code A ${hosts.mermet._module.args.ipv4}
      hub.code A ${hosts.mermet._module.args.ipv4}
      lists.code A ${hosts.mermet._module.args.ipv4}
      meta.code A ${hosts.mermet._module.args.ipv4}
      man.code A ${hosts.mermet._module.args.ipv4}
      pages.code A ${hosts.mermet._module.args.ipv4}
      paste.code A ${hosts.mermet._module.args.ipv4}
      todo.code A ${hosts.mermet._module.args.ipv4}
      miniflux A ${hosts.mermet._module.args.ipv4}

      ; CNAME (Canonical Name)
      losurdo CNAME bureau1
      openconcerto CNAME losurdo
      xmpp CNAME mermet
      tmp CNAME mermet
      proxy65 CNAME mermet
      cryptpad CNAME losurdo
      cryptpad-api CNAME losurdo
      cryptpad-files CNAME losurdo
      cryptpad-sandbox CNAME losurdo
      mumble CNAME mermet
      freeciv CNAME losurdo
      nix-serve CNAME losurdo
      nix-extracache CNAME losurdo
      nix-localcache CNAME lan.losurdo
      hut CNAME code
      builds.hut CNAME builds.code
      dispatch.hut CNAME dispatch.code
      git.hut CNAME git.code
      hg.hut CNAME hg.code
      hub.hut CNAME hub.code
      lists.hut CNAME lists.code
      meta.hut CNAME meta.code
      man.hut CNAME man.code
      pages.hut CNAME pages.code
      paste.hut CNAME paste.code
      todo.hut CNAME todo.code
      sftp CNAME losurdo

      ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
      _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"

      ; SPF (Sender Policy Framework)
      @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet._module.args.ipv4} -all"

      ; MX (Mail eXchange)
      @ 1800 MX 5 mail
      lists.code 1800 MX 5 mail
      todo.code 1800 MX 5 mail

      ; SRV (SeRVice)
      _git._tcp.git 18000 IN SRV 0 0 9418 git
      _stun._udp 18000 IN SRV 0 5 3478 stun
      _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
      _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
      _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp

      ; CAA (Certificate Authority Authorization)
      ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
      @ CAA 128 issue "letsencrypt.org"
    '';
  };
  # The knot user joins the `keys` group; presumably this is what grants it
  # read access to the decrypted secret files listed in `keyFiles` — confirm
  # against the gnupg secrets module.
  users.groups.keys.members = [ users.knot.name ];
  # TSIG key definitions (`key:` sections) are not inlined in `conf`; Knot
  # reads them from these files so the secret never lands in the Nix store.
  services.knot = {
    keyFiles = [
      gnupg.secrets."knot/tsig/${domain}/acme.conf".path
      gnupg.secrets."knot/tsig/${domain}/bureau1.conf".path
    ];
  };
  # `security.gnupg.secrets` is a module of this repository (not upstream
  # NixOS): each entry is decrypted at activation time into a file owned by
  # `user`. The key names must match the `key:` references in the ACLs above
  # (acme_${domainID}, bureau1_${domainID}).
  security.gnupg.secrets = {
    "knot/tsig/${domain}/acme.conf" = {
      # Generated with: keymgr -t acme_${domainID}
      user = users.knot.name;
    };
    "knot/tsig/${domain}/bureau1.conf" = {
      # Generated with: keymgr -t bureau1_${domainID}
      user = users.knot.name;
    };
  };
  # Make sure both TSIG key files have been decrypted before knot starts,
  # otherwise the `key:` references in the ACLs would be unresolvable.
  # `wants` (not `requires`) means a failed secret unit does not block Knot.
  systemd.services.knot = {
    after = [
      gnupg.secrets."knot/tsig/${domain}/acme.conf".service
      gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
    ];
    wants = [
      gnupg.secrets."knot/tsig/${domain}/acme.conf".service
      gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
    ];
  };
  /* Useless since the zone is public
     (the local unbound resolver can reach the authoritative data through
     normal recursion, so no stub-zone pointing at Knot on port 5353 is needed).
  services.unbound.settings = {
  stub-zone = {
  name = domain;
  stub-addr = "127.0.0.1@5353";
  };
  };
  '';
  */
}