-{ inputs, pkgs, lib, config, hosts, ... }:
+{ inputs, pkgs, lib, config, hosts, credentials, ... }:
let
domain = "sourcephile.fr";
domainID = lib.replaceStrings ["."] ["_"] domain;
{
services.knot.zones."${domain}" = {
conf = ''
+ remote:
+ - id: ns_iodine
+ address: 127.0.0.1@1053
acl:
- id: acl_localhost_acme_${domainID}
address: 127.0.0.1
update-owner-match: equal
update-owner-name: [_acme-challenge]
update-type: [TXT]
- - id: acl_tsig_bureau1_${domainID}
- key: bureau1_${domainID}
+ - id: acl_tsig_losurdo_${domainID}
+ key: losurdo_${domainID}
action: update
update-owner: name
update-owner-match: equal
- update-owner-name: [bureau1, lan.losurdo]
+ update-owner-name: [losurdo, lan.losurdo]
update-type: [A, AAAA]
+ mod-dnsproxy:
+ - id: proxy_iodine
+ remote: ns_iodine
+ fallback: off
+
zone:
- domain: ${domain}
file: ${domain}.zone
acl: acl_gandi
acl: acl_localhost_acme_${domainID}
acl: acl_tsig_acme_${domainID}
- acl: acl_tsig_bureau1_${domainID}
+ acl: acl_tsig_losurdo_${domainID}
dnssec-signing: on
dnssec-policy: rsa
+
+ - domain: i.${domain}
+ module: mod-dnsproxy/proxy_iodine
+
- domain: whoami4.${domain}
module: mod-whoami
file: "${pkgs.writeText "whoami4.zone" ''
; NS (Name Server)
@ NS ns
@ NS ns6.gandi.net.
+ i NS ns
whoami4 NS ns.whoami4
ns.whoami4 A ${hosts.mermet._module.args.ipv4}
pages.code A ${hosts.mermet._module.args.ipv4}
paste.code A ${hosts.mermet._module.args.ipv4}
todo.code A ${hosts.mermet._module.args.ipv4}
+ miniflux A ${hosts.mermet._module.args.ipv4}
; CNAME (Canonical Name)
- losurdo CNAME bureau1
openconcerto CNAME losurdo
xmpp CNAME mermet
tmp CNAME mermet
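Review bot: The new `i.${domain}` zone (L44–L45) is delegated from the parent at L53 (`i NS ns`) with no DS record and no `dnssec-signing`, which makes it an insecure delegation inside an otherwise signed zone (L41); that is the expected shape for an iodine tunnel, whose answers are synthesized on the fly and cannot be signed, but nothing in the config says so. A comment above the zone entry would save the next reader from "fixing" it: `# Unsigned delegation on purpose: iodine answers i.* dynamically, so it cannot be DNSSEC-signed`. It is also worth stating next to `fallback: off` (L31) that mod-dnsproxy then forwards every query for the zone to `127.0.0.1@1053` without any local resolution, so the iodine listener must be bound on loopback before knot answers anything for `i.*`. Unrelated to the change but adjacent to it: because `openconcerto CNAME losurdo` (L62) follows the dynamically updated name, the holder of the `losurdo_${domainID}` TSIG key effectively controls where `openconcerto` resolves as well, which the ACL's `update-owner-name` whitelist does not make obvious.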
services.knot = {
keyFiles = [
gnupg.secrets."knot/tsig/${domain}/acme.conf".path
- gnupg.secrets."knot/tsig/${domain}/bureau1.conf".path
+ # Generated with: keymgr -t losurdo_${domainID}
+ "/run/credentials/knot.service/losurdo.conf"
];
};
+networking.nftables.ruleset = ''
+ table inet filter {
+ # Gandi DNS
+ set output-net-knot-ipv4 {
+ type ipv4_addr
+ elements = { 217.70.177.40 }
+ }
+ set output-net-knot-ipv6 {
+ type ipv6_addr
+ elements = { 2001:4b98:d:1::40 }
+ }
+ }
+'';
security.gnupg.secrets = {
"knot/tsig/${domain}/acme.conf" = {
# Generated with: keymgr -t acme_${domainID}
user = users.knot.name;
};
- "knot/tsig/${domain}/bureau1.conf" = {
- # Generated with: keymgr -t bureau1_${domainID}
- user = users.knot.name;
- };
};
systemd.services.knot = {
+ serviceConfig = {
+ LoadCredentialEncrypted = "losurdo.conf:${credentials}/knot/tsig/losurdo.conf.secret";
+ };
+ /*
+ preStart = ''
+ test ! -d "$CREDENTIALS_DIRECTORY" ||
+ ln -fns "$CREDENTIALS_DIRECTORY" /var/lib/knot/credentials
+ '';
+ */
after = [
gnupg.secrets."knot/tsig/${domain}/acme.conf".service
- gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
];
wants = [
gnupg.secrets."knot/tsig/${domain}/acme.conf".service
- gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
];
};
/* Useless since the zone is public
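Review bot: L70 hardcodes `/run/credentials/knot.service/losurdo.conf`, which is where systemd exposes credentials loaded for a unit named exactly `knot.service`, so the path breaks silently if the unit is renamed or templated, and the commented-out `preStart` at L100–L105 looks like an abandoned attempt to reach the same file through `$CREDENTIALS_DIRECTORY`; either drop the dead block or replace it with a one-line comment explaining why the direct path was chosen. The `LoadCredentialEncrypted` source at L98 interpolates `${credentials}` into a string: if `credentials` is a Nix path rather than a string, the `.secret` blob is copied into the world-readable Nix store, which is only acceptable because it is a `systemd-creds`-encrypted blob — worth confirming, and worth a comment next to the option recording how it was produced (e.g. `# Encrypted with: systemd-creds encrypt --name=losurdo.conf`), mirroring the `# Generated with: keymgr …` style already used for acme at L88. Consistency: the `# Generated with: keymgr -t losurdo_${domainID}` comment at L69 now sits in `keyFiles` while acme's equivalent lives beside its secret definition; moving it next to L98 keeps the two keys documented in the same place. This hunk leaves the `systemd.services.knot` attrset open past L114's closing brace of the enclosing block, so I could not see whether the unit also gets the `User`/`DynamicUser` settings needed for knot to read the credential directory.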