-{ inputs, pkgs, lib, config, hosts, ... }:
+{ pkgs, lib, config, inputs, hostName, hosts, ... }:
let
domain = "sourcephile.fr";
- domainID = lib.replaceStrings ["."] ["_"] domain;
+ domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
inherit (config) networking;
- inherit (config.security) gnupg;
inherit (config.services) knot;
- inherit (config.users) users;
in
{
-services.knot.zones."${domain}" = {
- conf = ''
- remote:
- - id: ns_iodine
- address: 127.0.0.1@1053
- acl:
- - id: acl_localhost_acme_${domainID}
- address: 127.0.0.1
- action: update
- update-owner: name
- update-owner-match: equal
- update-owner-name: [_acme-challenge, _acme-challenge.hut, _acme-challenge.code]
- update-type: [TXT]
- - id: acl_tsig_acme_${domainID}
- key: acme_${domainID}
- action: update
- update-owner: name
- update-owner-match: equal
- update-owner-name: [_acme-challenge]
- update-type: [TXT]
- - id: acl_tsig_bureau1_${domainID}
- key: bureau1_${domainID}
- action: update
- update-owner: name
- update-owner-match: equal
- update-owner-name: [bureau1, lan.losurdo]
- update-type: [A, AAAA]
+ services.knot.zones."${domain}" = {
+ conf = ''
+ remote:
+ - id: ns_iodine
+ address: 127.0.0.1@1053
+ acl:
+ - id: acl_localhost_acme_${domainID}
+ address: 127.0.0.1
+ action: update
+ update-owner: name
+ update-owner-match: equal
+ update-owner-name: [_acme-challenge]
+ update-type: [TXT]
+ - id: acl_tsig_acme_${domainID}
+ key: acme_${domainID}
+ action: update
+ update-owner: name
+ update-owner-match: equal
+ update-owner-name: [_acme-challenge]
+ update-type: [TXT]
+ - id: acl_tsig_losurdo_${domainID}
+ key: losurdo_${domainID}
+ action: update
+ update-owner: name
+ update-owner-match: equal
+ update-owner-name: [losurdo, lan.losurdo]
+ update-type: [A, AAAA]
- mod-dnsproxy:
- - id: proxy_iodine
- remote: ns_iodine
- fallback: off
+ mod-dnsproxy:
+ - id: proxy_iodine
+ remote: ns_iodine
+ fallback: off
- zone:
- - domain: ${domain}
- file: ${domain}.zone
- serial-policy: increment
- semantic-checks: on
- notify: secondary_gandi
- acl: acl_gandi
- acl: acl_localhost_acme_${domainID}
- acl: acl_tsig_acme_${domainID}
- acl: acl_tsig_bureau1_${domainID}
- dnssec-signing: on
- dnssec-policy: rsa
+ zone:
+ - domain: ${domain}
+ file: ${domain}.zone
+ serial-policy: increment
+ semantic-checks: on
+ notify: secondary_gandi
+ acl: acl_gandi
+ acl: acl_localhost_acme_${domainID}
+ acl: acl_tsig_acme_${domainID}
+ acl: acl_tsig_losurdo_${domainID}
+ dnssec-signing: on
+ dnssec-policy: rsa
- - domain: i.${domain}
- module: mod-dnsproxy/proxy_iodine
+ - domain: i.${domain}
+ module: mod-dnsproxy/proxy_iodine
- - domain: whoami4.${domain}
- module: mod-whoami
- file: "${pkgs.writeText "whoami4.zone" ''
- $TTL 1
- @ SOA ns root.${domain}. (
- 0 ; SERIAL
- 86400 ; REFRESH
- 86400 ; RETRY
- 86400 ; EXPIRE
- 1 ; MINIMUM
- )
- $TTL 86400
- @ NS ns
- ns A ${hosts.mermet._module.args.ipv4}
- ''}"
- '';
- # TODO: increase the TTL once things have settled down
- data = ''
- $ORIGIN ${domain}.
- $TTL 500
-
- ; SOA (Start Of Authority)
- @ SOA ns root (
- ${toString inputs.self.lastModified} ; Serial number
- 24h ; Refresh
- 15m ; Retry
- 1000h ; Expire (1000h)
- 1d ; Negative caching
- )
+ - domain: whoami4.${domain}
+ module: mod-whoami
+ file: "${pkgs.writeText "whoami4.zone" ''
+ $TTL 1
+ @ SOA ns root.${domain}. (
+ 0 ; SERIAL
+ 86400 ; REFRESH
+ 86400 ; RETRY
+ 86400 ; EXPIRE
+ 1 ; MINIMUM
+ )
+ $TTL 86400
+ @ NS ns
+ ns A ${hosts.mermet._module.args.ipv4}
+ ''}"
+ '';
+ # TODO: increase the TTL once things have settled down
+ data = ''
+ $ORIGIN ${domain}.
+ $TTL 500
- ; NS (Name Server)
- @ NS ns
- @ NS ns6.gandi.net.
- i NS ns
- whoami4 NS ns.whoami4
- ns.whoami4 A ${hosts.mermet._module.args.ipv4}
+ ; SOA (Start Of Authority)
+ @ SOA ns root (
+ ${toString inputs.self.lastModified} ; Serial number
+ 24h ; Refresh
+ 15m ; Retry
+ 1000h ; Expire (1000h)
+ 1d ; Negative caching
+ )
- ; A (DNS -> IPv4)
- @ A ${hosts.mermet._module.args.ipv4}
- mermet A ${hosts.mermet._module.args.ipv4}
- autoconfig A ${hosts.mermet._module.args.ipv4}
- doc A ${hosts.mermet._module.args.ipv4}
- git A ${hosts.mermet._module.args.ipv4}
- imap A ${hosts.mermet._module.args.ipv4}
- mail A ${hosts.mermet._module.args.ipv4}
- mails A ${hosts.mermet._module.args.ipv4}
- news A ${hosts.mermet._module.args.ipv4}
- public-inbox A ${hosts.mermet._module.args.ipv4}
- ns A ${hosts.mermet._module.args.ipv4}
- pop A ${hosts.mermet._module.args.ipv4}
- smtp A ${hosts.mermet._module.args.ipv4}
- submission A ${hosts.mermet._module.args.ipv4}
- www A ${hosts.mermet._module.args.ipv4}
- lemoutona5pattes A ${hosts.mermet._module.args.ipv4}
- covid19 A ${hosts.mermet._module.args.ipv4}
- croc A ${hosts.mermet._module.args.ipv4}
- stun A ${hosts.mermet._module.args.ipv4}
- turn A ${hosts.mermet._module.args.ipv4}
- whoami A ${hosts.mermet._module.args.ipv4}
- code A ${hosts.mermet._module.args.ipv4}
- builds.code A ${hosts.mermet._module.args.ipv4}
- dispatch.code A ${hosts.mermet._module.args.ipv4}
- git.code A ${hosts.mermet._module.args.ipv4}
- hg.code A ${hosts.mermet._module.args.ipv4}
- hub.code A ${hosts.mermet._module.args.ipv4}
- lists.code A ${hosts.mermet._module.args.ipv4}
- meta.code A ${hosts.mermet._module.args.ipv4}
- man.code A ${hosts.mermet._module.args.ipv4}
- pages.code A ${hosts.mermet._module.args.ipv4}
- paste.code A ${hosts.mermet._module.args.ipv4}
- todo.code A ${hosts.mermet._module.args.ipv4}
- miniflux A ${hosts.mermet._module.args.ipv4}
+ ; NS (Name Server)
+ @ NS ns
+ @ NS ns6.gandi.net.
+ i NS ns
+ whoami4 NS ns.whoami4
+ ns.whoami4 A ${hosts.mermet._module.args.ipv4}
- ; CNAME (Canonical Name)
- losurdo CNAME bureau1
- openconcerto CNAME losurdo
- xmpp CNAME mermet
- tmp CNAME mermet
- proxy65 CNAME mermet
- cryptpad CNAME losurdo
- cryptpad-api CNAME losurdo
- cryptpad-files CNAME losurdo
- cryptpad-sandbox CNAME losurdo
- mumble CNAME mermet
- freeciv CNAME losurdo
- nix-serve CNAME losurdo
- nix-extracache CNAME losurdo
- nix-localcache CNAME lan.losurdo
- hut CNAME code
- builds.hut CNAME builds.code
- dispatch.hut CNAME dispatch.code
- git.hut CNAME git.code
- hg.hut CNAME hg.code
- hub.hut CNAME hub.code
- lists.hut CNAME lists.code
- meta.hut CNAME meta.code
- man.hut CNAME man.code
- pages.hut CNAME pages.code
- paste.hut CNAME paste.code
- todo.hut CNAME todo.code
- sftp CNAME losurdo
+ ; A (DNS -> IPv4)
+ @ A ${hosts.mermet._module.args.ipv4}
+ mermet A ${hosts.mermet._module.args.ipv4}
+ autoconfig A ${hosts.mermet._module.args.ipv4}
+ doc A ${hosts.mermet._module.args.ipv4}
+ git A ${hosts.mermet._module.args.ipv4}
+ imap A ${hosts.mermet._module.args.ipv4}
+ mail A ${hosts.mermet._module.args.ipv4}
+ mails A ${hosts.mermet._module.args.ipv4}
+ news A ${hosts.mermet._module.args.ipv4}
+ public-inbox A ${hosts.mermet._module.args.ipv4}
+ ns A ${hosts.mermet._module.args.ipv4}
+ pop A ${hosts.mermet._module.args.ipv4}
+ smtp A ${hosts.mermet._module.args.ipv4}
+ submission A ${hosts.mermet._module.args.ipv4}
+ www A ${hosts.mermet._module.args.ipv4}
+ lemoutona5pattes A ${hosts.mermet._module.args.ipv4}
+ croc A ${hosts.mermet._module.args.ipv4}
+ stun A ${hosts.mermet._module.args.ipv4}
+ turn A ${hosts.mermet._module.args.ipv4}
+ whoami A ${hosts.mermet._module.args.ipv4}
+ code A ${hosts.mermet._module.args.ipv4}
+ miniflux A ${hosts.mermet._module.args.ipv4}
- ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
- _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"
+ ; CNAME (Canonical Name)
+ openconcerto CNAME losurdo
+ xmpp CNAME mermet
+ tmp CNAME mermet
+ proxy65 CNAME mermet
+ cryptpad CNAME losurdo
+ cryptpad-api CNAME losurdo
+ cryptpad-files CNAME losurdo
+ cryptpad-sandbox CNAME losurdo
+ mumble CNAME mermet
+ freeciv CNAME losurdo
+ nix-serve CNAME losurdo
+ nix-extracache CNAME losurdo
+ nix-localcache CNAME lan.losurdo
+ sftp CNAME losurdo
- ; SPF (Sender Policy Framework)
- @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet._module.args.ipv4} -all"
+ ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
+ _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"
- ; MX (Mail eXchange)
- @ 1800 MX 5 mail
- lists.code 1800 MX 5 mail
- todo.code 1800 MX 5 mail
+ ; SPF (Sender Policy Framework)
+ @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet._module.args.ipv4} -all"
- ; SRV (SeRVice)
- _git._tcp.git 18000 IN SRV 0 0 9418 git
- _stun._udp 18000 IN SRV 0 5 3478 stun
- _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
- _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
- _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp
+ ; SRV (SeRVice)
+ _git._tcp.git 18000 IN SRV 0 0 9418 git
+ _stun._udp 18000 IN SRV 0 5 3478 stun
+ _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
+ _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
+ _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp
- ; CAA (Certificate Authority Authorization)
- ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
- @ CAA 128 issue "letsencrypt.org"
- '';
-};
-users.groups.keys.members = [ users.knot.name ];
-services.knot = {
- keyFiles = [
- gnupg.secrets."knot/tsig/${domain}/acme.conf".path
- gnupg.secrets."knot/tsig/${domain}/bureau1.conf".path
- ];
-};
-security.gnupg.secrets = {
- "knot/tsig/${domain}/acme.conf" = {
- # Generated with: keymgr -t acme_${domainID}
- user = users.knot.name;
+ ; CAA (Certificate Authority Authorization)
+ ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
+ @ CAA 128 issue "letsencrypt.org"
+ '';
};
- "knot/tsig/${domain}/bureau1.conf" = {
- # Generated with: keymgr -t bureau1_${domainID}
- user = users.knot.name;
+ services.knot = {
+ keyFiles = [
+ "/run/credentials/knot.service/${domain}.acme.conf"
+ # Generated with: keymgr -t losurdo_${domainID}
+ "/run/credentials/knot.service/losurdo.conf"
+ ];
};
-};
-systemd.services.knot = {
- after = [
- gnupg.secrets."knot/tsig/${domain}/acme.conf".service
- gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
- ];
- wants = [
- gnupg.secrets."knot/tsig/${domain}/acme.conf".service
- gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
- ];
-};
-/* Useless since the zone is public
-services.unbound.settings = {
- stub-zone = {
+ systemd.services.knot = {
+ serviceConfig = {
+ LoadCredentialEncrypted = [
+ "${domain}.acme.conf:${./. + "/${domain}/acme.conf.cred"}"
+ "losurdo.conf:${./. + "/${domain}/losurdo.conf.cred"}"
+ ];
+ };
+ };
+ networking.nftables.ruleset = ''
+ table inet filter {
+ # Gandi DNS
+ set output-net-knot-ipv4 {
+ type ipv4_addr
+ elements = { 217.70.177.40 }
+ }
+ set output-net-knot-ipv6 {
+ type ipv6_addr
+ elements = { 2001:4b98:d:1::40 }
+ }
+ }
+ '';
+ /* Useless since the zone is public
+ services.unbound.settings = {
+ stub-zone = {
name = domain;
stub-addr = "127.0.0.1@5353";
- };
-};
-'';
-*/
+ };
+ };
+ '';
+ */
}
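Review bot: The `LoadCredentialEncrypted` entries interpolate `./. + "/${domain}/acme.conf.cred"` and `.../losurdo.conf.cred`, which copies both blobs into the world-readable Nix store; that is only safe because these are `systemd-creds encrypt` outputs bound to the host's credential key and/or TPM2, and nothing in the file records that constraint. I would add above the list a comment such as `# .cred blobs are produced with systemd-creds encrypt and are bound to this host's credential key; re-encrypt them when the host key or TPM changes` so the next maintainer does not assume the blobs are portable or that a plaintext TSIG file could be dropped in the same place. Within `keyFiles`, the losurdo entry keeps its `# Generated with: keymgr -t losurdo_${domainID}` comment but the acme entry lost the corresponding `# Generated with: keymgr -t acme_${domainID}` line that the old `security.gnupg.secrets` block carried; restoring it keeps the two keys documented alike, and naming the credential `${domain}.losurdo.conf` would match `${domain}.acme.conf`. The new `networking.nftables.ruleset` defines the `output-net-knot-ipv4`/`ipv6` sets with Gandi's addresses but no rule in this file consumes them, and `acl_gandi`/`secondary_gandi` are referenced in the knot conf without being defined here, so presumably both live in another module; a one-line comment pointing to that module would make the zone-transfer allow-list auditable from this file. The newly added `hostName` module argument is not used anywhere in the visible module.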