-{ lib, config, inputs, hostName, hosts, ... }:
+{ pkgs, lib, config, inputs, hosts, info, ... }:
let
domain = "autogeree.net";
domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
inherit (config) networking;
inherit (config.services) knot;
-in
-{
- services.knot.zones.${domain} = {
- conf = ''
- acl:
- - id: acl_localhost_acme_${domainID}
- address: 127.0.0.1
- action: update
- update-owner: name
- update-owner-match: equal
- update-owner-name: [_acme-challenge]
- update-type: [TXT]
- - id: acl_tsig_acme_${domainID}
- key: acme_${domainID}
- action: update
- update-owner: name
- update-owner-match: equal
- update-owner-name: [_acme-challenge]
- update-type: [TXT]
-
- zone:
- - domain: ${domain}
- file: ${domain}.zone
- serial-policy: increment
- semantic-checks: on
- notify: secondary_gandi
- #notify: secondary_muarf
- acl: acl_gandi
- #acl: acl_muarf
- acl: acl_localhost_acme_${domainID}
- acl: acl_tsig_acme_${domainID}
- dnssec-signing: off
- dnssec-policy: ed25519
- '';
+ inherit (config.users) users groups;
+ zoneData =
# TODO: increase the TTL once things have settled down
- data = ''
+ ''
$ORIGIN ${domain}.
$TTL 500
; NS (Name Server)
@ NS ns
- @ NS ns6.gandi.net.
+ @ NS ${info.gandi.dns.secondary.ns.name}.
;@ NS ns0.muarf.org.
; A (DNS -> IPv4)
imap A ${hosts.mermet._module.args.ipv4}
mail A ${hosts.mermet._module.args.ipv4}
ns A ${hosts.mermet._module.args.ipv4}
+ pleroma A ${hosts.mermet._module.args.ipv4}
pop A ${hosts.mermet._module.args.ipv4}
smtp A ${hosts.mermet._module.args.ipv4}
submission A ${hosts.mermet._module.args.ipv4}
; CAA (Certificate Authority Authorization)
; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
- @ CAA 128 issue "letsencrypt.org"
+ @ CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
'';
+ # Incorrect:
+ #@ CAA 128 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/79737822"
+in
+{
+ services.knot.settingsFreeform = {
+ acl."acl_localhost_acme_${domainID}" = {
+ address = "127.0.0.1";
+ action = "update";
+ update-owner = "name";
+ update-owner-match = "equal";
+ update-owner-name = [ "_acme-challenge" ];
+ update-type = [ "TXT" ];
+ };
+ acl."acl_tsig_acme_${domainID}" = {
+ key = "acme_${domainID}";
+ action = "update";
+ update-owner = "name";
+ update-owner-match = "equal";
+ update-owner-name = [ "_acme-challenge" ];
+ update-type = [ "TXT" ];
+ };
+ zone."${domain}" = {
+ file = "${domain}.zone";
+ serial-policy = "increment";
+ semantic-checks = true;
+ notify = [
+ "secondary_gandi"
+ #"secondary_muarf"
+ ];
+ acl = [
+ "acl_gandi"
+ #"acl_muarf"
+ "acl_localhost_acme_${domainID}"
+ "acl_tsig_acme_${domainID}"
+ ];
+ dnssec-signing = true;
+ dnssec-policy = "ed25519";
+ };
};
networking.nftables.ruleset = ''
table inet filter {
- # Gandi DNS
- set output-net-knot-ipv4 { type ipv4_addr; elements = { 217.70.177.40 }; }
- set output-net-knot-ipv6 { type ipv6_addr; elements = { 2001:4b98:d:1::40 }; }
+ set output-net-knot-ipv4 { type ipv4_addr; elements = { ${info.gandi.dns.secondary.transfer.ipv4} }; }
+ set output-net-knot-ipv6 { type ipv6_addr; elements = { ${info.gandi.dns.secondary.transfer.ipv6} }; }
}
'';
services.knot = {
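Review bot: `dnssec-signing = true;` in the `zone."${domain}"` block reverses the previous `dnssec-signing: off` without any comment on what that entails operationally: once Knot signs the zone, validators only trust it after the DS record for the generated ed25519 key is published at the registrar, and the secondary named in `notify` has to transfer the signed zone, so an unpublished or stale DS breaks resolution rather than just leaving the zone unsigned. A short comment above that line, such as `# signing is on: publish the DS at the registrar once Knot has generated the key, and update it on every KSK rollover`, would record the dependency. The CAA change to `"letsencrypt.org; validationmethods=dns-01"` also deserves a note next to it, since it applies to every name under the zone and, as far as I can tell, makes http-01 issuance for any subdomain fail even though the ACLs here only cover the `_acme-challenge` TXT path. Restoring the dropped `# Gandi DNS` comment above the two nftables sets would keep their purpose readable now that the literal addresses are gone.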
"/run/credentials/knot.service/${domain}.acme.conf"
];
};
- systemd.services.knot.serviceConfig = {
- LoadCredentialEncrypted = [
- "${domain}.acme.conf:${inputs.self}/hosts/${hostName}/${domain}/acme.conf.cred"
- ];
+ systemd.services.knot = {
+ serviceConfig = {
+ ExecStartPre = [
+ ''
+ +${pkgs.coreutils}/bin/install -D -o ${users.knot.name} -g ${groups."knot".name} -m 700 \
+ ${pkgs.writeText "${domain}.zone" zoneData} \
+ /var/lib/knot/zones/${domain}.zone
+ ''
+ ];
+ LoadCredentialEncrypted = [
+ "${domain}.acme.conf:${builtins.path { path = ./. + "/${domain}/acme.conf.cred"; }}"
+ ];
+ };
};
/* Useless since the zone is public
services.unbound.settings = {