]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/nsd/sourcephile.fr.nix
openldap: see if something can be upstreamed
[sourcephile-nix.git] / servers / mermet / nsd / sourcephile.fr.nix
1 { pkgs, lib, config, ... }:
2 with builtins;
3 let
4 inherit (builtins.extraBuiltins) pass git;
5 inherit (pkgs.lib) unlinesAttrs types;
6 inherit (config) networking;
7 inherit (config.services) nsd rspamd;
8 # Use the Git commit time of the ${domain}.nix file to set the serial number.
9 # WARNING: the ${domain}.nix must be committed into Git for this to work.
10 serial = domain: toString (git ./. [ "log" "-1" "--format=%ct" "--" (domain + ".nix") ]);
11 /*
12 serial = file: lib.removeSuffix "\n" (readFile
13 (pkgs.runCommand "zone-serial"
14 { buildInputs = [ pkgs.git ];
15 buildDepends = [ (./. + file) ];
16 preferLocalBuild = true;
17 allowSubstitutes = false;
18 } ''
19 cd ${./.}
20 ${pkgs.git}/bin/git log -1 --format="%ct" -- ${file} >$out
21 ''));
22 */
23 # FIXME: make dedicated config options
24 #ipv4 = (elemAt networking.interfaces.enp1s0.ipv4.addresses 0).address;
25 mermetIPv4 = "80.67.180.129";
26 domain = "sourcephile.fr";
27 #ipv6 = (elemAt networking.interfaces.enp1s0.ipv6.addresses 0).address;
28 sourcephileZone = domain: ''
29 ; A (DNS -> IPv4)
30 @ A ${mermetIPv4}
31 mermet A ${mermetIPv4}
32 autoconfig A ${mermetIPv4}
33 code A ${mermetIPv4}
34 git A ${mermetIPv4}
35 imap A ${mermetIPv4}
36 mail A ${mermetIPv4}
37 ns A ${mermetIPv4}
38 pop A ${mermetIPv4}
39 smtp A ${mermetIPv4}
40 submission A ${mermetIPv4}
41 www A ${mermetIPv4}
42
43 ; SPF (Sender Policy Framework)
44 @ 3600 IN SPF "v=spf1 mx ip4:${mermetIPv4} -all"
45 @ 3600 IN TXT "v=spf1 mx ip4:${mermetIPv4} -all"
46
47 ; MX (Mail eXchange)
48 @ 180 MX 5 mail
49
50 ; SRV (SeRVice)
51 _git._tcp.git 18000 IN SRV 0 0 9418 git
52 '';
53 in
54 {
55 environment.systemPackages = [
56 (pkgs.bind.override { enablePython = true; })
57 ];
58 services.nsd.zones."${domain}" = {
59 # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
60 # DOC: https://www.sidn.nl/en/dnssec/dnssec-signatures-in-bind-named
61 provideXFR = [ "217.70.177.40 NOKEY" ];
62 # Not allowed by 217.70.177.40
63 #notify = [ "217.70.177.40 NOKEY" ];
64 dnssec = true;
65 # TODO: increase the TTL once things have settled down
66 data = ''
67 $ORIGIN ${domain}.
68 $TTL 500
69
70 ; SOA (Start Of Authority)
71 @ SOA ns admin (
72 ${serial domain} ; Serial number
73 24h ; Refresh
74 15m ; Retry
75 1000h ; Expire (1000h)
76 1d ; Negative caching
77 )
78
79 ; NS (Name Server)
80 @ NS ns
81 @ NS ns6.gandi.net.
82 ''
83 + sourcephileZone "${domain}";
84 };
85 }