-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, servers, ... }:
let
+ domain = "sourcephile.fr";
+ domainID = lib.replaceStrings ["."] ["_"] domain;
+ inherit (builtins) attrValues;
inherit (builtins.extraBuiltins) pass git;
- inherit (pkgs.lib) unlinesAttrs types;
inherit (config) networking;
inherit (config.services) knot;
- inherit (config) users;
+ inherit (config.users) users groups;
# Use the Git commit time of the ${domain}.nix file to set the serial number.
# WARNING: the ${domain}.nix must be committed into Git for this to work.
# WARNING: this does not take other .nix into account, though they may contribute to the zone's data.
serial = domain: toString (git ./. [ "log" "-1" "--format=%ct" "--" (domain + ".nix") ]);
- mermetIPv4 = "80.67.180.129";
- losurdoIPv4 = "80.67.180.251";
- domain = "sourcephile.fr";
+ includes = {
+ "${domain}/acme.conf" = "/var/lib/knot/tsig/${domain}/acme.conf";
+ };
in
{
-systemd.services."acme-${domain}".after = [
- "unbound.service"
-];
-security.acme.certs."${domain}" = {
- email = "root@${domain}";
- extraDomains = {
- "*.${domain}" = null;
- };
- group = users.groups.acme.name;
- allowKeysForGroup = true;
- keyType = "rsa4096";
- dnsProvider = "rfc2136";
- credentialsFile = pkgs.writeText "credentials" ''
- RFC2136_NAMESERVER=127.0.0.1:5353
- LEGO_EXPERIMENTAL_CNAME_SUPPORT=1
- '';
+install.shellHook = ''
+ # Generated with: keymgr -t acme_${domainID}
+ pass "servers/mermet/knot/${domain}/acme.conf" |
+ ssh "$target" install -D -m 0400 -o ${users."knot".name} -g root /dev/stdin \
+ ${includes."${domain}/acme.conf"}
+'';
+services.knot = {
+ keyFiles = attrValues includes;
};
services.knot.zones."${domain}" = {
conf = ''
acl:
- - id: acl_acme_challenge_sourcephile_fr
+ - id: acl_localhost_acme_${domainID}
address: 127.0.0.1
action: update
update-owner: name
update-owner-match: equal
update-owner-name: [_acme-challenge.${domain}]
update-type: [TXT]
+ - id: acl_tsig_acme_${domainID}
+ address: ${servers.losurdo.ipv4}
+ key: acme_${domainID}
+ action: update
+ update-owner: name
+ update-owner-match: equal
+ update-owner-name: [_acme-challenge.${domain}]
+ update-type: [TXT]
zone:
- domain: ${domain}
semantic-checks: on
notify: secondary_gandi
acl: acl_gandi
- acl: acl_acme_challenge_sourcephile_fr
+ acl: acl_localhost_acme_${domainID}
+ acl: acl_tsig_acme_${domainID}
dnssec-signing: on
dnssec-policy: rsa
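Review bot: The pipeline in `install.shellHook` never checks that `pass` succeeded: if the secret lookup fails (locked gpg agent, missing entry), `install` still reads an empty stdin and writes an empty 0400 file at exactly the path that `services.knot.keyFiles` (via `attrValues includes`) hands to Knot, so the server ends up configured with a TSIG key file that holds no key. Prefixing the hook with `set -o pipefail` makes the pipeline's status reflect the `pass` failure; whether that then stops the deployment depends on how `install.shellHook` is executed, which is defined outside this hunk, so a trailing `|| { echo "acme.conf not installed on $target" >&2; return 1; }` (or whatever the hook's abort idiom is) may be needed as well. A one-line comment above the pipeline, e.g. `# The key is streamed over stdin so it never appears in a command line or on the local disk`, would also make the choice of `/dev/stdin` explicit for the next maintainer. Hunk headers are not visible in this excerpt, and the `services.knot.zones."${domain}"` attribute set continues past the end of this hunk.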
- domain: whoami4.${domain}
)
$TTL 86400
@ NS ns
- ns A ${mermetIPv4}
+ ns A ${servers.mermet.ipv4}
''}"
'';
# TODO: increase the TTL once things have settled down
@ NS ns
@ NS ns6.gandi.net.
whoami4 NS ns.whoami4
- ns.whoami4 A ${mermetIPv4}
+ ns.whoami4 A ${servers.mermet.ipv4}
; A (DNS -> IPv4)
- @ A ${mermetIPv4}
- mermet A ${mermetIPv4}
- losurdo A ${losurdoIPv4}
- autoconfig A ${mermetIPv4}
- doc A ${mermetIPv4}
- code A ${mermetIPv4}
- git A ${mermetIPv4}
- imap A ${mermetIPv4}
- mail A ${mermetIPv4}
- ns A ${mermetIPv4}
- pop A ${mermetIPv4}
- smtp A ${mermetIPv4}
- submission A ${mermetIPv4}
- www A ${mermetIPv4}
- lemoutona5pattes A ${mermetIPv4}
- covid19 A ${mermetIPv4}
+ @ A ${servers.mermet.ipv4}
+ mermet A ${servers.mermet.ipv4}
+ losurdo A ${servers.losurdo.ipv4}
+ autoconfig A ${servers.mermet.ipv4}
+ doc A ${servers.mermet.ipv4}
+ code A ${servers.mermet.ipv4}
+ git A ${servers.mermet.ipv4}
+ imap A ${servers.mermet.ipv4}
+ mail A ${servers.mermet.ipv4}
+ mails A ${servers.mermet.ipv4}
+ news A ${servers.mermet.ipv4}
+ public-inbox A ${servers.mermet.ipv4}
+ ns A ${servers.mermet.ipv4}
+ pop A ${servers.mermet.ipv4}
+ smtp A ${servers.mermet.ipv4}
+ submission A ${servers.mermet.ipv4}
+ www A ${servers.mermet.ipv4}
+ lemoutona5pattes A ${servers.mermet.ipv4}
+ covid19 A ${servers.mermet.ipv4}
+ openconcerto A ${servers.losurdo.ipv4}
; SPF (Sender Policy Framework)
- @ 3600 IN SPF "v=spf1 mx ip4:${mermetIPv4} -all"
- @ 3600 IN TXT "v=spf1 mx ip4:${mermetIPv4} -all"
+ @ 3600 IN SPF "v=spf1 mx ip4:${servers.mermet.ipv4} -all"
+ @ 3600 IN TXT "v=spf1 mx ip4:${servers.mermet.ipv4} -all"
; MX (Mail eXchange)
@ 180 MX 5 mail