carotte: zfs: disable
[sourcephile-nix.git] / hosts / mermet / knot / sourcephile.fr.nix
index b666c98a9e8c87b16f500ac85f6af95cdca9bb15..664a2f644ba2d6642ad61ab784923e8db30c0d19 100644 (file)
@@ -22,7 +22,7 @@ let
 
       ; NS (Name Server)
       @ NS ns
-      @ NS ${info.gandi.dns.secondary.ns.name}.
+      ;@ NS ${info.gandi.dns.secondary.ns.name}.
       i NS ns
       whoami4 NS ns.whoami4
       ns.whoami4 A ${hosts.mermet._module.args.ipv4}
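Review bot: With the Gandi secondary commented out at line 9, `@ NS ns` is the only apex NS record left, so the zone now advertises a single authoritative server even though a lebureau secondary is wired up with `notify`/`acl` later in this commit; resolvers will never query that secondary and the parent delegation must still agree with this one-entry NS set. If the lebureau host is meant to serve the zone publicly, publish it alongside `@ NS ns`, e.g. `@ NS <LEBUREAU_SECONDARY_NS_HOSTNAME>.` (placeholder for the real name), and update the delegation at the registrar to match. The zone string this record lives in begins before this hunk.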
@@ -31,6 +31,7 @@ let
       @            A ${hosts.mermet._module.args.ipv4}
       mermet       A ${hosts.mermet._module.args.ipv4}
       autoconfig   A ${hosts.mermet._module.args.ipv4}
+      calibre      A ${hosts.mermet._module.args.ipv4}
       doc          A ${hosts.mermet._module.args.ipv4}
       git          A ${hosts.mermet._module.args.ipv4}
       imap         A ${hosts.mermet._module.args.ipv4}
@@ -43,7 +44,6 @@ let
       smtp         A ${hosts.mermet._module.args.ipv4}
       submission   A ${hosts.mermet._module.args.ipv4}
       www          A ${hosts.mermet._module.args.ipv4}
-      lemoutona5pattes A ${hosts.mermet._module.args.ipv4}
       croc         A ${hosts.mermet._module.args.ipv4}
       stun         A ${hosts.mermet._module.args.ipv4}
       turn         A ${hosts.mermet._module.args.ipv4}
@@ -51,6 +51,9 @@ let
       code          A ${hosts.mermet._module.args.ipv4}
       miniflux      A ${hosts.mermet._module.args.ipv4}
 
+      ; MX (Mail eXchange)
+      @ 500 MX 5 mail
+
       ; CNAME (Canonical Name)
       openconcerto     CNAME losurdo
       xmpp             CNAME mermet
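Review bot: The new `@ 500 MX 5 mail` at line 34 points at `mail`, which must resolve through an A/AAAA record rather than a CNAME (RFC 2181 §10.3); no `mail` record is visible in this diff, so confirm that it exists and is not defined in the CNAME section that follows. The explicit TTL of 500 is also the only per-record TTL in the A/MX part of the zone, so unless the short TTL is deliberate for a migration, `@ MX 5 mail` keeps it consistent with the surrounding records.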
@@ -67,6 +70,9 @@ let
       nix-extracache   CNAME losurdo
       nix-localcache   CNAME lan.losurdo
       sftp             CNAME losurdo
+      radicle-mermet   CNAME mermet
+      radicle          CNAME mermet
+      radicle-explorer CNAME radicle
 
       ; DMARC (Domain-based Message Authentication, Reporting and Conformance)
       _dmarc 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:root+dmarc+aggregate@sourcephile.fr; ruf=mailto:root+dmarc+forensic@sourcephile.fr"
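Review bot: `radicle-explorer CNAME radicle` at line 45 chains through `radicle CNAME mermet` on line 44, which costs resolvers an extra lookup and makes the explorer name depend on two records instead of one. Unless the indirection is intentional, point it at the final target directly: `radicle-explorer CNAME mermet`.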
@@ -86,8 +92,10 @@ let
 
       ; CAA (Certificate Authority Authorization)
       ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
-      @ CAA 128 issue "letsencrypt.org"
+      @ CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
     '';
+  # Incorrect:
+  # accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/78014180
 in
 {
   services.knot.settingsFreeform = {
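Review bot: The `# Incorrect:` comment at lines 56–57 records a rejected `accounturi` value without saying what was wrong with it, so the next maintainer cannot tell whether the RFC 8657 account binding was dropped because the URI was wrong or because the parameter was not honoured. Since `validationmethods=dns-01` alone still permits issuance to any Let's Encrypt account that can complete the dns-01 challenge, binding the CAA record to the account is the stronger restriction and worth retrying once the cause is known; reword the comment to something like `# accounturi=<value> was rejected: <reason, date> — TODO retry once resolved`. The comment also sits outside the zone string after `'';`, which is fine, but a short sentence stating that it relates to the CAA record above would help readers.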
@@ -113,28 +121,41 @@ in
       action = "update";
       update-owner = "name";
       update-owner-match = "equal";
-      update-owner-name = "[losurdo, lan.losurdo]";
+      update-owner-name = [ "losurdo" "lan.losurdo" ];
       update-type = [ "A" "AAAA" ];
     };
+    acl."acl_lebureau_${domainID}" = {
+      address =
+        info.lebureau.dns.secondary.transfer.ipv4 ++
+        info.lebureau.dns.secondary.transfer.ipv6;
+      action = "transfer";
+      key = "lebureau_${domainID}";
+    };
     mod-dnsproxy.proxy_iodine = {
       remote = "ns_iodine";
       fallback = "off";
     };
+    remote."secondary_lebureau_${domainID}" = {
+      address = map (x: "${x}@53")
+        (info.lebureau.dns.secondary.transfer.ipv4 ++
+          info.lebureau.dns.secondary.transfer.ipv6);
+      key = "lebureau_${domainID}";
+    };
     zone."${domain}" = {
       file = "${domain}.zone";
       serial-policy = "increment";
       semantic-checks = true;
       notify = [
-        "secondary_gandi"
+        "secondary_lebureau_${domainID}"
       ];
       acl = [
-        "acl_gandi"
         "acl_localhost_acme_${domainID}"
         "acl_tsig_acme_${domainID}"
         "acl_tsig_losurdo_${domainID}"
+        "acl_lebureau_${domainID}"
       ];
       dnssec-signing = true;
-      dnssec-policy = "rsa";
+      dnssec-policy = "ed25519";
     };
     #zone."i.${domain}" = {
     #  module = "mod-dnsproxy/proxy_iodine";
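Review bot: Changing `dnssec-policy` from `"rsa"` to `"ed25519"` at line 103 is an algorithm rollover rather than a plain config edit: a new KSK is introduced and the DS record at the parent must be replaced before the old keys are retired, otherwise validating resolvers will treat the zone as bogus. Knot can only drive that rollover to completion if the `ed25519` policy (defined outside this hunk, presumably) has `ksk-submission` configured, so a comment at this line such as `# Algorithm rollover from rsa: wait for KSK submission and update the DS at the registrar before the rsa keys are removed` would document the deployment step that this diff otherwise hides, and the key states should be checked with keymgr after activation. The new `acl_lebureau_${domainID}` at lines 69–75 requires both the source address list and the TSIG key for `transfer`, which is the right way to scope AXFR; the enclosing `services.knot.settingsFreeform` attrset begins before this hunk.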
@@ -161,6 +182,8 @@ in
       "/run/credentials/knot.service/${domain}.acme.conf"
       # Generated with: keymgr -t losurdo_${domainID}
       "/run/credentials/knot.service/losurdo.conf"
+      # Generated with: keymgr -t lebureau_${domainID}
+      "/run/credentials/knot.service/${domain}.lebureau.conf"
     ];
   };
   systemd.services.knot = {
@@ -173,15 +196,16 @@ in
         ''
       ];
       LoadCredentialEncrypted = [
-        "${domain}.acme.conf:${./. + "/${domain}/acme.conf.cred"}"
-        "losurdo.conf:${./. + "/${domain}/losurdo.conf.cred"}"
+        "${domain}.acme.conf:${builtins.path { path = ./. + "/${domain}/acme.conf.cred"; }}"
+        "${domain}.lebureau.conf:${builtins.path { path = ./. + "/${domain}/lebureau.conf.cred"; }}"
+        "losurdo.conf:${builtins.path { path = ./. + "/${domain}/losurdo.conf.cred"; }}"
       ];
     };
   };
   networking.nftables.ruleset = ''
     table inet filter {
-      set output-net-knot-ipv4 { type ipv4_addr; elements = { ${info.gandi.dns.secondary.axfr.ipv4} }; }
-      set output-net-knot-ipv6 { type ipv6_addr; elements = { ${info.gandi.dns.secondary.axfr.ipv6} }; }
+      set output-net-knot-ipv4 { type ipv4_addr; elements = { ${lib.concatStringsSep ", " info.lebureau.dns.secondary.transfer.ipv4} }; }
+      set output-net-knot-ipv6 { type ipv6_addr; elements = { ${lib.concatStringsSep ", " info.lebureau.dns.secondary.transfer.ipv6} }; }
     }
   '';
   /* Useless since the zone is public
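Review bot: `lib.concatStringsSep ", "` at lines 132–133 renders `elements = {  }` whenever one of the transfer address lists is empty, and as far as I recall nft does not accept an empty elements clause, so a secondary without IPv6 (or IPv4) addresses would make the whole ruleset fail at activation and leave the host without these filter rules. Guard each clause on the list being non-empty, e.g. `${lib.optionalString (info.lebureau.dns.secondary.transfer.ipv6 != []) "elements = { ${lib.concatStringsSep ", " info.lebureau.dns.secondary.transfer.ipv6} };"}`, and the same for the ipv4 set. The `networking.nftables.ruleset` string started at line 128 continues past this hunk.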