-{ pkgs, lib, config, machines, ... }:
+{ inputs, pkgs, lib, config, machines, ... }:
let
domain = "sourcephile.fr";
domainID = lib.replaceStrings ["."] ["_"] domain;
- inherit (builtins) attrValues;
- inherit (builtins.extraBuiltins) git;
inherit (config) networking;
inherit (config.security) gnupg;
inherit (config.services) knot;
inherit (config.users) users;
- # Use the Git commit time of the ${domain}.nix file to set the serial number.
- # WARNING: the ${domain}.nix must be committed into Git for this to work.
- # WARNING: this does not take other .nix into account, though they may contribute to the zone's data.
- serial = domain: toString (git ./. [ "log" "-1" "--format=%ct" "--" (domain + ".nix") ]);
in
{
services.knot.zones."${domain}" = {
action: update
update-owner: name
update-owner-match: equal
- update-owner-name: [_acme-challenge.${domain}]
+ update-owner-name: [_acme-challenge]
update-type: [TXT]
- id: acl_tsig_acme_${domainID}
- address: ${machines.losurdo.extraArgs.ipv4}
key: acme_${domainID}
action: update
update-owner: name
update-owner-match: equal
- update-owner-name: [_acme-challenge.${domain}]
+ update-owner-name: [_acme-challenge]
update-type: [TXT]
+ - id: acl_tsig_bureau1_${domainID}
+ key: bureau1_${domainID}
+ action: update
+ update-owner: name
+ update-owner-match: equal
+ update-owner-name: [bureau1, lan.losurdo]
+ update-type: [A, AAAA]
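Review bot: The `acl_tsig_acme_…` entry loses its `address:` line, so after this change any host that presents the `acme_…` TSIG key can update the `_acme-challenge` TXT record, and the new `acl_tsig_bureau1_…` entry has no address restriction either. That looks deliberate, since losurdo's address becomes dynamic later in this diff (`losurdo CNAME bureau1`), but nothing in the config records it; I would add a comment under the `key:` line of both entries, e.g. `# No address: restriction, the updating host has a dynamic IP; the TSIG key alone authorizes, so keep update-owner-name/update-type tight.` With the address filter gone, `update-owner-match: equal` plus the explicit owner and type lists are what bound what a leaked key could change, so they are worth keeping as narrow as they are written here. The enclosing `acl:` list starts before this hunk.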
zone:
- domain: ${domain}
acl: acl_gandi
acl: acl_localhost_acme_${domainID}
acl: acl_tsig_acme_${domainID}
+ acl: acl_tsig_bureau1_${domainID}
dnssec-signing: on
dnssec-policy: rsa
- domain: whoami4.${domain}
file: "${pkgs.writeText "whoami4.zone" ''
$TTL 1
@ SOA ns root.${domain}. (
- ${serial domain} ; SERIAL
+ 0 ; SERIAL
86400 ; REFRESH
86400 ; RETRY
86400 ; EXPIRE
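Review bot: The whoami4 zone's SOA serial becomes the constant `0`, so it never changes between deployments; any secondary or AXFR/IXFR consumer of that zone would never see a new zone file, and it is inconsistent with the main zone further down in this diff, which switches its serial to `${toString inputs.self.lastModified}`. Unless whoami4 is deliberately never transferred, I would use the same expression here: `${toString inputs.self.lastModified} ; SERIAL`. Note that this value only advances when the flake source changes as Nix sees it (for a git checkout presumably the HEAD commit time — worth confirming), so the caveat the removed `WARNING` comments gave about uncommitted changes still holds and could be carried over as a `;` comment next to the serial in both zones.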
; SOA (Start Of Authority)
@ SOA ns root (
- ${serial domain} ; Serial number
+ ${toString inputs.self.lastModified} ; Serial number
24h ; Refresh
15m ; Retry
1000h ; Expire (1000h)
; A (DNS -> IPv4)
@ A ${machines.mermet.extraArgs.ipv4}
mermet A ${machines.mermet.extraArgs.ipv4}
- losurdo A ${machines.losurdo.extraArgs.ipv4}
autoconfig A ${machines.mermet.extraArgs.ipv4}
doc A ${machines.mermet.extraArgs.ipv4}
code A ${machines.mermet.extraArgs.ipv4}
www A ${machines.mermet.extraArgs.ipv4}
lemoutona5pattes A ${machines.mermet.extraArgs.ipv4}
covid19 A ${machines.mermet.extraArgs.ipv4}
- openconcerto A ${machines.losurdo.extraArgs.ipv4}
croc A ${machines.mermet.extraArgs.ipv4}
- xmpp A ${machines.losurdo.extraArgs.ipv4}
+ stun A ${machines.mermet.extraArgs.ipv4}
turn A ${machines.mermet.extraArgs.ipv4}
+ whoami A ${machines.mermet.extraArgs.ipv4}
+
+ ; CNAME (Canonical Name)
+ losurdo CNAME bureau1
+ openconcerto CNAME losurdo
+ xmpp CNAME losurdo
+ tmp CNAME losurdo
+ proxy65 CNAME losurdo
+ cryptpad CNAME losurdo
+ cryptpad-api CNAME losurdo
+ cryptpad-files CNAME losurdo
+ cryptpad-sandbox CNAME losurdo
; SPF (Sender Policy Framework)
@ 3600 IN SPF "v=spf1 mx ip4:${machines.mermet.extraArgs.ipv4} -all"
@ 180 MX 5 mail
; SRV (SeRVice)
- _git._tcp.git 18000 IN SRV 0 0 9418 git
-
+ _git._tcp.git 18000 IN SRV 0 0 9418 git
+ _stun._udp 18000 IN SRV 0 5 3478 stun
_xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
_xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
_xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp
- _xmpp-server._tcp.proxy65 18000 IN SRV 0 5 5000 xmpp
; CAA (Certificate Authority Authorization)
; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
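Review bot: The new `xmpp CNAME losurdo` line makes the target of the three unchanged `_xmpp-client._tcp` / `_xmpp-server._tcp` SRV records an alias (a two-hop one, since `losurdo` is itself `CNAME bureau1`), which RFC 2782 forbids ("the name MUST NOT be an alias"); some XMPP servers and resolvers tolerate this, others drop the target. If `bureau1` is the name that carries the dynamically updated A/AAAA records, pointing the SRV targets at it directly avoids the alias, e.g. `_xmpp-client._tcp 18000 IN SRV 0 5 5222 bureau1`, and likewise for the two `_xmpp-server._tcp` records. The `stun` SRV target is fine, as `stun` receives a plain A record in this change; the zone-file string these records live in starts before this hunk.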
};
users.groups.keys.members = [ users.knot.name ];
services.knot = {
- keyFiles = [ gnupg.secrets."knot/tsig/${domain}/acme.conf".path ];
+ keyFiles = [
+ gnupg.secrets."knot/tsig/${domain}/acme.conf".path
+ gnupg.secrets."knot/tsig/${domain}/bureau1.conf".path
+ ];
};
-security.gnupg.secrets."knot/tsig/${domain}/acme.conf" = {
- # Generated with: keymgr -t acme_${domainID}
- user = users.knot.name;
+security.gnupg.secrets = {
+ "knot/tsig/${domain}/acme.conf" = {
+ # Generated with: keymgr -t acme_${domainID}
+ user = users.knot.name;
+ };
+ "knot/tsig/${domain}/bureau1.conf" = {
+ # Generated with: keymgr -t bureau1_${domainID}
+ user = users.knot.name;
+ };
};
systemd.services.knot = {
- after = [ gnupg.secrets."knot/tsig/${domain}/acme.conf".service ];
- wants = [ gnupg.secrets."knot/tsig/${domain}/acme.conf".service ];
+ after = [
+ gnupg.secrets."knot/tsig/${domain}/acme.conf".service
+ gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
+ ];
+ wants = [
+ gnupg.secrets."knot/tsig/${domain}/acme.conf".service
+ gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
+ ];
};
/* Useless since the zone is public
services.unbound.extraConfig = ''