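# Knot DNS configuration for the sourcephile.fr zone, served from this host.
#
# Configured here:
#   * the zone itself and its access-control lists (dynamic updates for ACME
#     challenges and for the losurdo host's own addresses),
#   * the TSIG key files, delivered to knot as encrypted systemd credentials,
#   * nftables address sets naming the Gandi secondary the zone is notified to.
{ pkgs, lib, config, inputs, hostName, hosts, ... }:
let
  domain = "sourcephile.fr";
  # Knot identifiers may not contain dots: "sourcephile.fr" -> "sourcephile_fr".
  domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
  # Every record hosted on this machine points at mermet's public IPv4 address.
  ipv4 = hosts.mermet._module.args.ipv4;
in
{
  services.knot.zones."${domain}" = {
    conf = ''
      remote:
        # Local iodine (DNS tunnel) daemon; queries for i.${domain} are proxied to it.
        - id: ns_iodine
          address: 127.0.0.1@1053

      acl:
        # Unauthenticated updates from loopback: there is no TSIG key, so any
        # local process able to send from 127.0.0.1 can change these records.
        # The impact is bounded by the owner/type restrictions below
        # (ACME challenge TXT records only).
        - id: acl_localhost_acme_${domainID}
          address: 127.0.0.1
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [_acme-challenge, _acme-challenge.hut, _acme-challenge.code]
          update-type: [TXT]
        # TSIG-authenticated ACME updates (key file listed in keyFiles below).
        # Narrower than the loopback ACL: only the apex challenge name.
        - id: acl_tsig_acme_${domainID}
          key: acme_${domainID}
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [_acme-challenge]
          update-type: [TXT]
        # TSIG-authenticated dynamic DNS for the losurdo host: it may only
        # rewrite its own A/AAAA records, nothing else in the zone.
        - id: acl_tsig_losurdo_${domainID}
          key: losurdo_${domainID}
          action: update
          update-owner: name
          update-owner-match: equal
          update-owner-name: [losurdo, lan.losurdo]
          update-type: [A, AAAA]

      mod-dnsproxy:
        - id: proxy_iodine
          remote: ns_iodine
          # No fallback: when iodine is down, i.${domain} queries fail instead
          # of being answered from the parent zone.
          fallback: off

      zone:
        - domain: ${domain}
          file: ${domain}.zone
          # Knot increments the serial itself when the zone changes (dynamic
          # updates, re-signing); the serial written in the zone file (flake
          # lastModified, see data below) only serves as the starting point.
          serial-policy: increment
          semantic-checks: on
          # secondary_gandi, acl_gandi and the rsa DNSSEC policy are defined
          # outside this file.
          notify: secondary_gandi
          acl: acl_gandi
          acl: acl_localhost_acme_${domainID}
          acl: acl_tsig_acme_${domainID}
          acl: acl_tsig_losurdo_${domainID}
          dnssec-signing: on
          dnssec-policy: rsa

        # DNS-tunnel sub-zone, fully handled by iodine.
        - domain: i.${domain}
          module: mod-dnsproxy/proxy_iodine

        # "What is my IPv4" sub-zone: mod-whoami answers with the querier's
        # address. The zone file is static, hence the fixed serial and the
        # 1-second TTL on the answers.
        - domain: whoami4.${domain}
          module: mod-whoami
          file: "${pkgs.writeText "whoami4.zone" ''
            $TTL 1
            @ SOA ns root.${domain}. (
              0     ; SERIAL
              86400 ; REFRESH
              86400 ; RETRY
              86400 ; EXPIRE
              1     ; MINIMUM
            )
            $TTL 86400
            @ NS ns
            ns A ${ipv4}
          ''}"
    '';
    # TODO: increase the TTL once things have settled down
    data = ''
      $ORIGIN ${domain}.
      $TTL 500

      ; SOA (Start Of Authority)
      ; The serial is the flake's last-modified timestamp: it only moves
      ; forward when the host is rebuilt from a newer commit.
      @ SOA ns root (
        ${toString inputs.self.lastModified} ; Serial number
        24h   ; Refresh
        15m   ; Retry
        1000h ; Expire (1000h)
        1d    ; Negative caching
      )

      ; NS (Name Server)
      @ NS ns
      @ NS ns6.gandi.net.
      i NS ns
      whoami4 NS ns.whoami4
      ns.whoami4 A ${ipv4}

      ; A (DNS -> IPv4)
      @ A ${ipv4}
      mermet A ${ipv4}
      autoconfig A ${ipv4}
      doc A ${ipv4}
      git A ${ipv4}
      imap A ${ipv4}
      mail A ${ipv4}
      mails A ${ipv4}
      news A ${ipv4}
      public-inbox A ${ipv4}
      ns A ${ipv4}
      pop A ${ipv4}
      smtp A ${ipv4}
      submission A ${ipv4}
      www A ${ipv4}
      lemoutona5pattes A ${ipv4}
      covid19 A ${ipv4}
      croc A ${ipv4}
      stun A ${ipv4}
      turn A ${ipv4}
      whoami A ${ipv4}
      code A ${ipv4}
      builds.code A ${ipv4}
      dispatch.code A ${ipv4}
      git.code A ${ipv4}
      hg.code A ${ipv4}
      hub.code A ${ipv4}
      lists.code A ${ipv4}
      meta.code A ${ipv4}
      man.code A ${ipv4}
      pages.code A ${ipv4}
      paste.code A ${ipv4}
      todo.code A ${ipv4}
      miniflux A ${ipv4}

      ; CNAME (Canonical Name)
      ; losurdo / lan.losurdo have no static A records here: they are kept
      ; up to date by that host through the acl_tsig_losurdo ACL.
      openconcerto CNAME losurdo
      xmpp CNAME mermet
      tmp CNAME mermet
      proxy65 CNAME mermet
      cryptpad CNAME losurdo
      cryptpad-api CNAME losurdo
      cryptpad-files CNAME losurdo
      cryptpad-sandbox CNAME losurdo
      mumble CNAME mermet
      freeciv CNAME losurdo
      nix-serve CNAME losurdo
      nix-extracache CNAME losurdo
      nix-localcache CNAME lan.losurdo
      hut CNAME code
      builds.hut CNAME builds.code
      dispatch.hut CNAME dispatch.code
      git.hut CNAME git.code
      hg.hut CNAME hg.code
      hub.hut CNAME hub.code
      lists.hut CNAME lists.code
      meta.hut CNAME meta.code
      man.hut CNAME man.code
      pages.hut CNAME pages.code
      paste.hut CNAME paste.code
      todo.hut CNAME todo.code
      sftp CNAME losurdo

      ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
      ; p=none is monitor-only: receivers are asked to send reports but not to
      ; quarantine or reject failing mail.
      _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@${domain}; ruf=mailto:root+dmarc+forensic@${domain}"

      ; SPF (Sender Policy Framework)
      ; -all: mail from any sender other than the MX hosts and this host's
      ; address is a hard fail.
      @ 3600 IN TXT "v=spf1 mx ip4:${ipv4} -all"

      ; MX (Mail eXchange)
      @ 1800 MX 5 mail
      lists.code 1800 MX 5 mail
      todo.code 1800 MX 5 mail

      ; SRV (SeRVice)
      _git._tcp.git 18000 IN SRV 0 0 9418 git
      _stun._udp 18000 IN SRV 0 5 3478 stun
      _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
      _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
      _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp

      ; CAA (Certificate Authority Authorization)
      ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
      ; Flag 128 marks the property critical; CAs other than Let's Encrypt
      ; must refuse to issue certificates for names in this zone.
      @ CAA 128 issue "letsencrypt.org"
    '';
  };
  services.knot = {
    # TSIG key material never enters the Nix store: systemd decrypts it into
    # the service's credentials directory (see LoadCredentialEncrypted below).
    keyFiles = [
      "/run/credentials/knot.service/${domain}.acme.conf"
      # Generated with: keymgr -t losurdo_${domainID}
      "/run/credentials/knot.service/losurdo.conf"
    ];
  };
  systemd.services.knot = {
    serviceConfig = {
      # The *.cred files committed in the flake are systemd-creds ciphertext,
      # so the copy in the store is not sensitive; decryption is presumably
      # bound to this host's credential key (and/or TPM) at service start.
      LoadCredentialEncrypted = [
        "${domain}.acme.conf:${inputs.self}/hosts/${hostName}/${domain}/acme.conf.cred"
        "losurdo.conf:${inputs.self}/hosts/${hostName}/${domain}/losurdo.conf.cred"
      ];
    };
  };
  # Addresses knot is allowed to reach for NOTIFY/zone transfer to the Gandi
  # secondary; the output rules consuming these sets are presumably defined
  # in the host-wide nftables configuration.
  networking.nftables.ruleset = ''
    table inet filter {
      # Gandi DNS
      set output-net-knot-ipv4 {
        type ipv4_addr
        elements = { 217.70.177.40 }
      }
      set output-net-knot-ipv6 {
        type ipv6_addr
        elements = { 2001:4b98:d:1::40 }
      }
    }
  '';
  /* Useless since the zone is public
  services.unbound.settings = {
    stub-zone = {
      name = domain;
      stub-addr = "127.0.0.1@5353";
    };
  };
  */
}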