-{ pkgs, lib, config, inputs, hosts, info, ... }:
+{
+ pkgs,
+ lib,
+ config,
+ inputs,
+ hosts,
+ info,
+ ...
+}:
let
domain = "sourcephile.fr";
domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
; NS (Name Server)
@ NS ns
- ;@ NS ${info.gandi.dns.secondary.ns.name}.
+ ${lib.concatMapStringsSep "\n" ({ name, ... }: "@ NS ${name}.") info.lebureau.dns.secondary.ns}
i NS ns
whoami4 NS ns.whoami4
ns.whoami4 A ${hosts.mermet._module.args.ipv4}
stun A ${hosts.mermet._module.args.ipv4}
turn A ${hosts.mermet._module.args.ipv4}
whoami A ${hosts.mermet._module.args.ipv4}
- code A ${hosts.mermet._module.args.ipv4}
- miniflux A ${hosts.mermet._module.args.ipv4}
+ code A ${hosts.mermet._module.args.ipv4}
+ miniflux A ${hosts.mermet._module.args.ipv4}
; MX (Mail eXchange)
@ 500 MX 5 mail
cryptpad-files CNAME losurdo
cryptpad-sandbox CNAME losurdo
mumble CNAME mermet
- freeciv CNAME losurdo
nix-serve CNAME losurdo
nix-extracache CNAME losurdo
nix-localcache CNAME lan.losurdo
+ ; See https://keys.openpgp.org/about/usage#wkd-as-a-service
+ openpgpkey CNAME wkd.keys.openpgp.org.
sftp CNAME losurdo
radicle-mermet CNAME mermet
radicle CNAME mermet
; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
@ CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
'';
- # Incorrect:
- # accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/78014180
in
+# Incorrect:
+# accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/78014180
{
services.knot.settingsFreeform = {
remote.ns_iodine.address = "127.0.0.1@1053";
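Review bot: The new `openpgpkey CNAME wkd.keys.openpgp.org.` record delegates WKD key lookups for every address under sourcephile.fr to that operator, which is the intended trade-off of WKD-as-a-service but deserves a comment next to the record, and it interacts with the apex `CAA 128 issue "letsencrypt.org; validationmethods=dns-01"` a few lines below. As I read RFC 8659, a CA evaluating CAA for openpgpkey.sourcephile.fr chases the alias first and, when the target has no CAA, climbs to the sourcephile.fr apex, so issuance for that name is bound to Let's Encrypt with DNS-01 unless the alias target publishes its own CAA; a CAA cannot be placed on the openpgpkey name itself because it must hold only the CNAME. Please verify that the service still obtains a valid certificate for openpgpkey.sourcephile.fr under that policy (an HTTPS fetch of its .well-known/openpgpkey path is enough), and record the decision, e.g. `; openpgpkey delegates WKD for all sourcephile.fr addresses to keys.openpgp.org; CAA for this name is inherited from @ when the alias target has none`.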
action = "update";
update-owner = "name";
update-owner-match = "equal";
- update-owner-name = [ "losurdo" "lan.losurdo" ];
- update-type = [ "A" "AAAA" ];
+ update-owner-name = [
+ "losurdo"
+ "lan.losurdo"
+ ];
+ update-type = [
+ "A"
+ "AAAA"
+ ];
};
acl."acl_lebureau_${domainID}" = {
- address =
- info.lebureau.dns.secondary.transfer.ipv4 ++
- info.lebureau.dns.secondary.transfer.ipv6;
action = "transfer";
+ address = [
+ info.lebureau.dns.secondary.transfer.ns1.ipv4
+ info.lebureau.dns.secondary.transfer.ns1.ipv6
+ info.lebureau.dns.secondary.transfer.ns2.ipv4
+ info.lebureau.dns.secondary.transfer.ns2.ipv6
+ ];
key = "lebureau_${domainID}";
};
mod-dnsproxy.proxy_iodine = {
remote = "ns_iodine";
fallback = "off";
};
- remote."secondary_lebureau_${domainID}" = {
- address = map (x: "${x}@53")
- (info.lebureau.dns.secondary.transfer.ipv4 ++
- info.lebureau.dns.secondary.transfer.ipv6);
+ remote."secondary1_lebureau_${domainID}" = {
+ address = [
+ "${info.lebureau.dns.secondary.transfer.ns1.ipv4}@53"
+ "${info.lebureau.dns.secondary.transfer.ns1.ipv6}@53"
+ ];
+ key = "lebureau_${domainID}";
+ };
+ remote."secondary2_lebureau_${domainID}" = {
+ address = [
+ "${info.lebureau.dns.secondary.transfer.ns2.ipv4}@53"
+ "${info.lebureau.dns.secondary.transfer.ns2.ipv6}@53"
+ ];
key = "lebureau_${domainID}";
};
zone."${domain}" = {
serial-policy = "increment";
semantic-checks = true;
notify = [
- "secondary_lebureau_${domainID}"
+ "secondary1_lebureau_${domainID}"
+ "secondary2_lebureau_${domainID}"
];
acl = [
"acl_localhost_acme_${domainID}"
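Review bot: The transfer ACL `address` list (L72-77), the two `secondary1_`/`secondary2_` remotes (L88-101) and the `notify` list (L107-108) now spell out ns1 and ns2 by hand, while the NS records in the zone text are derived from `info.lebureau.dns.secondary.ns` with `concatMapStringsSep`; the nftables egress sets in the next hunk (L117-124) repeat the same two names. Because the AXFR ACL and the firewall set are the controls that decide who may pull the zone and where Knot may send notifies, a hand-maintained list drifts silently when a secondary is added or replaced, leaving either a new secondary unable to transfer or a stale address still allowed. Assuming `info.lebureau.dns.secondary.transfer` holds only the per-secondary attrsets, the ACL can follow the data instead: `address = lib.concatMap (ns: [ ns.ipv4 ns.ipv6 ]) (lib.attrValues info.lebureau.dns.secondary.transfer);`, and the remotes, notify entries and nftables elements can be generated from the same attrset so a single source of truth feeds all four places.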
};
networking.nftables.ruleset = ''
table inet filter {
- set output-net-knot-ipv4 { type ipv4_addr; elements = { ${lib.concatStringsSep ", " info.lebureau.dns.secondary.transfer.ipv4} }; }
- set output-net-knot-ipv6 { type ipv6_addr; elements = { ${lib.concatStringsSep ", " info.lebureau.dns.secondary.transfer.ipv6} }; }
+ set output-net-knot-ipv4 { type ipv4_addr; elements = {
+ ${info.lebureau.dns.secondary.transfer.ns1.ipv4},
+ ${info.lebureau.dns.secondary.transfer.ns2.ipv4}
+ }; }
+ set output-net-knot-ipv6 { type ipv6_addr; elements = {
+ ${info.lebureau.dns.secondary.transfer.ns1.ipv6},
+ ${info.lebureau.dns.secondary.transfer.ns2.ipv6}
+ }; }
}
'';
- /* Useless since the zone is public
+ /*
+ Useless since the zone is public
services.unbound.settings = {
stub-zone = {
name = domain;