-{ pkgs, lib, config, inputs, hosts, info, ... }:
+{
+ pkgs,
+ lib,
+ config,
+ inputs,
+ hosts,
+ info,
+ ...
+}:
let
domain = "autogeree.net";
domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
; NS (Name Server)
@ NS ns
- @ NS ${info.gandi.dns.secondary.ns.name}.
- ;@ NS ns0.muarf.org.
+ ${lib.concatMapStringsSep "\n" ({ name, ... }: "@ NS ${name}.") info.lebureau.dns.secondary.ns}
; A (DNS -> IPv4)
@ A ${hosts.mermet._module.args.ipv4}
; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
@ CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
'';
- # Incorrect:
- #@ CAA 128 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/79737822"
in
+# Incorrect:
+#@ CAA 128 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/79737822"
{
services.knot.settingsFreeform = {
acl."acl_localhost_acme_${domainID}" = {
update-owner-name = [ "_acme-challenge" ];
update-type = [ "TXT" ];
};
+ acl."acl_lebureau_${domainID}" = {
+ action = "transfer";
+ address = [
+ info.lebureau.dns.secondary.transfer.ns1.ipv4
+ info.lebureau.dns.secondary.transfer.ns1.ipv6
+ info.lebureau.dns.secondary.transfer.ns2.ipv4
+ info.lebureau.dns.secondary.transfer.ns2.ipv6
+ ];
+ key = "lebureau_${domainID}";
+ };
+ remote."secondary1_lebureau_${domainID}" = {
+ address = [
+ "${info.lebureau.dns.secondary.transfer.ns1.ipv4}@53"
+ "${info.lebureau.dns.secondary.transfer.ns1.ipv6}@53"
+ ];
+ key = "lebureau_${domainID}";
+ };
+ remote."secondary2_lebureau_${domainID}" = {
+ address = [
+ "${info.lebureau.dns.secondary.transfer.ns2.ipv4}@53"
+ "${info.lebureau.dns.secondary.transfer.ns2.ipv6}@53"
+ ];
+ key = "lebureau_${domainID}";
+ };
zone."${domain}" = {
file = "${domain}.zone";
serial-policy = "increment";
semantic-checks = true;
notify = [
- "secondary_gandi"
- #"secondary_muarf"
+ "secondary1_lebureau_${domainID}"
+ "secondary2_lebureau_${domainID}"
];
acl = [
- "acl_gandi"
#"acl_muarf"
"acl_localhost_acme_${domainID}"
"acl_tsig_acme_${domainID}"
+ "acl_lebureau_${domainID}"
];
- dnssec-signing = false;
+ dnssec-signing = true;
dnssec-policy = "ed25519";
};
};
- networking.nftables.ruleset = ''
- table inet filter {
- set output-net-knot-ipv4 { type ipv4_addr; elements = { ${info.gandi.dns.secondary.axfr.ipv4} }; }
- set output-net-knot-ipv6 { type ipv6_addr; elements = { ${info.gandi.dns.secondary.axfr.ipv6} }; }
- }
- '';
services.knot = {
keyFiles = [
"/run/credentials/knot.service/${domain}.acme.conf"
+ # Generated with: keymgr -t lebureau_${domainID}
+ "/run/credentials/knot.service/${domain}.lebureau.conf"
];
};
systemd.services.knot = {
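Review bot: Flipping `dnssec-signing` to `true` (the `- dnssec-signing = false;` / `+ dnssec-signing = true;` pair in the `zone."${domain}"` block) turns on signing with the `ed25519` policy, but nothing in the hunk publishes the resulting DS at the parent zone, so the zone is signed without being validatable until that manual step happens, and a later key rollover will silently break validation if the DS is not rolled with it; I would note this next to the setting, e.g. `# DS must be published at the parent (keymgr ${domain} ds) and re-published on every KSK rollover; check that the registrar accepts algorithm 15 (ed25519).` The transfer ACL is well scoped — Knot requires both the `address` list and the `key` to match when both are set, and the two secondaries plus the outbound nftables sets are derived from the same `info.lebureau.dns.secondary.transfer.ns1`/`ns2` entries — but the NS records are generated from a different list (`info.lebureau.dns.secondary.ns`), so the two will drift if that list gains or loses an entry; if those structures are meant to describe the same hosts, deriving the ACL addresses, remotes and nftables sets from the same list would keep them consistent, though I cannot see their definition from here. The stale `#"acl_muarf"` entry left in the zone's `acl` list could be dropped with the other `muarf`/`gandi` remnants. The `acl_tsig_acme_${domainID}` and `acl_localhost_acme_${domainID}` definitions are only partly visible in this hunk, so I have not reviewed their `address`/`action` scoping.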
];
LoadCredentialEncrypted = [
"${domain}.acme.conf:${builtins.path { path = ./. + "/${domain}/acme.conf.cred"; }}"
+ "${domain}.lebureau.conf:${builtins.path { path = ./. + "/${domain}/lebureau.conf.cred"; }}"
];
};
};
- /* Useless since the zone is public
+ networking.nftables.ruleset = ''
+ table inet filter {
+ set output-net-knot-ipv4 { type ipv4_addr; elements = {
+ ${info.lebureau.dns.secondary.transfer.ns1.ipv4},
+ ${info.lebureau.dns.secondary.transfer.ns2.ipv4}
+ }; }
+ set output-net-knot-ipv6 { type ipv6_addr; elements = {
+ ${info.lebureau.dns.secondary.transfer.ns1.ipv6},
+ ${info.lebureau.dns.secondary.transfer.ns2.ipv6}
+ }; }
+ }
+ '';
+ /*
+ Useless since the zone is public
services.unbound.settings = {
stub-zone = {
name = domain;