-{ inputs, pkgs, lib, config, hosts, ... }:
+{ pkgs, lib, config, inputs, hostName, hosts, ... }:
let
domain = "autogeree.net";
domainID = lib.replaceStrings ["."] ["_"] domain;
inherit (builtins) attrValues;
inherit (config) networking;
- inherit (config.security) gnupg;
inherit (config.services) knot;
inherit (config.users) users;
in
{
-services.knot.zones."${domain}" = {
+services.knot.zones.${domain} = {
conf = ''
acl:
- id: acl_localhost_acme_${domainID}
serial-policy: increment
semantic-checks: on
notify: secondary_gandi
- notify: secondary_muarf
+ #notify: secondary_muarf
acl: acl_gandi
- acl: acl_muarf
+ #acl: acl_muarf
acl: acl_localhost_acme_${domainID}
acl: acl_tsig_acme_${domainID}
dnssec-signing: off
; NS (Name Server)
@ NS ns
@ NS ns6.gandi.net.
- @ NS ns0.muarf.org.
+ ;@ NS ns0.muarf.org.
; A (DNS -> IPv4)
- @ A ${hosts.mermet.extraArgs.ipv4}
- mermet A ${hosts.mermet.extraArgs.ipv4}
- autoconfig A ${hosts.mermet.extraArgs.ipv4}
- code A ${hosts.mermet.extraArgs.ipv4}
- git A ${hosts.mermet.extraArgs.ipv4}
- imap A ${hosts.mermet.extraArgs.ipv4}
- mail A ${hosts.mermet.extraArgs.ipv4}
- ns A ${hosts.mermet.extraArgs.ipv4}
- pop A ${hosts.mermet.extraArgs.ipv4}
- smtp A ${hosts.mermet.extraArgs.ipv4}
- submission A ${hosts.mermet.extraArgs.ipv4}
- www A ${hosts.mermet.extraArgs.ipv4}
+ @ A ${hosts.mermet._module.args.ipv4}
+ mermet A ${hosts.mermet._module.args.ipv4}
+ autoconfig A ${hosts.mermet._module.args.ipv4}
+ code A ${hosts.mermet._module.args.ipv4}
+ git A ${hosts.mermet._module.args.ipv4}
+ imap A ${hosts.mermet._module.args.ipv4}
+ mail A ${hosts.mermet._module.args.ipv4}
+ ns A ${hosts.mermet._module.args.ipv4}
+ pop A ${hosts.mermet._module.args.ipv4}
+ smtp A ${hosts.mermet._module.args.ipv4}
+ submission A ${hosts.mermet._module.args.ipv4}
+ www A ${hosts.mermet._module.args.ipv4}
chomsky A 91.216.110.36
alpes A 195.88.84.51
; SPF (Sender Policy Framework)
- @ 3600 IN SPF "v=spf1 mx ip4:${hosts.mermet.extraArgs.ipv4} -all"
- @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet.extraArgs.ipv4} -all"
+ @ 3600 IN SPF "v=spf1 mx ip4:${hosts.mermet._module.args.ipv4} -all"
+ @ 3600 IN TXT "v=spf1 mx ip4:${hosts.mermet._module.args.ipv4} -all"
; MX (Mail eXchange)
@ 180 MX 5 mail
@ CAA 128 issue "letsencrypt.org"
'';
};
-users.groups.keys.members = [ users.knot.name ];
+networking.nftables.ruleset = ''
+ table inet filter {
+ # Gandi DNS
+ set output-net-knot-ipv4 { type ipv4_addr; elements = { 217.70.177.40 }; }
+ set output-net-knot-ipv6 { type ipv6_addr; elements = { 2001:4b98:d:1::40 }; }
+ }
+'';
services.knot = {
- keyFiles = [ gnupg.secrets."knot/tsig/${domain}/acme.conf".path ];
-};
-security.gnupg.secrets."knot/tsig/${domain}/acme.conf" = {
- # Generated with: keymgr -t acme_${domainID}
- user = users.knot.name;
+ keyFiles = [
+ "/run/credentials/knot.service/${domain}.acme.conf"
+ ];
};
-systemd.services.knot = {
- after = [ gnupg.secrets."knot/tsig/${domain}/acme.conf".service ];
- wants = [ gnupg.secrets."knot/tsig/${domain}/acme.conf".service ];
+systemd.services.knot.serviceConfig = {
+ LoadCredentialEncrypted = [
+ "${domain}.acme.conf:${inputs.self}/hosts/${hostName}/${domain}/acme.conf.cred"
+ ];
};
/* Useless since the zone is public
services.unbound.settings = {
sourcephile / git / sourcephile-nix.git / blobdiff