nix: update inputs.julm-nix
[sourcephile-nix.git] / hosts / mermet / knot / sourcephile.fr.nix
index 3c7623ab21aa1af42f0930d45e5ebac330280475..bcf9fb6c925387d8ae57f3fbc335c8f6386c6018 100644 (file)
@@ -1,78 +1,13 @@
-{ pkgs, lib, config, inputs, hostName, hosts, ... }:
+{ pkgs, lib, config, inputs, hosts, info, ... }:
 let
   domain = "sourcephile.fr";
   domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
   inherit (config) networking;
   inherit (config.services) knot;
-in
-{
-  services.knot.zones."${domain}" = {
-    conf = ''
-      remote:
-        - id: ns_iodine
-          address: 127.0.0.1@1053
-      acl:
-        - id: acl_localhost_acme_${domainID}
-          address: 127.0.0.1
-          action: update
-          update-owner: name
-          update-owner-match: equal
-          update-owner-name: [_acme-challenge]
-          update-type: [TXT]
-        - id: acl_tsig_acme_${domainID}
-          key: acme_${domainID}
-          action: update
-          update-owner: name
-          update-owner-match: equal
-          update-owner-name: [_acme-challenge]
-          update-type: [TXT]
-        - id: acl_tsig_losurdo_${domainID}
-          key: losurdo_${domainID}
-          action: update
-          update-owner: name
-          update-owner-match: equal
-          update-owner-name: [losurdo, lan.losurdo]
-          update-type: [A, AAAA]
-
-      mod-dnsproxy:
-        - id: proxy_iodine
-          remote: ns_iodine
-          fallback: off
-
-      zone:
-        - domain: ${domain}
-          file: ${domain}.zone
-          serial-policy: increment
-          semantic-checks: on
-          notify: secondary_gandi
-          acl: acl_gandi
-          acl: acl_localhost_acme_${domainID}
-          acl: acl_tsig_acme_${domainID}
-          acl: acl_tsig_losurdo_${domainID}
-          dnssec-signing: on
-          dnssec-policy: rsa
-
-        - domain: i.${domain}
-          module: mod-dnsproxy/proxy_iodine
-
-        - domain: whoami4.${domain}
-          module: mod-whoami
-          file: "${pkgs.writeText "whoami4.zone" ''
-            $TTL 1
-            @ SOA ns root.${domain}. (
-              0     ; SERIAL
-              86400 ; REFRESH
-              86400 ; RETRY
-              86400 ; EXPIRE
-              1 ; MINIMUM
-            )
-            $TTL 86400
-            @ NS ns
-            ns A ${hosts.mermet._module.args.ipv4}
-          ''}"
-    '';
+  inherit (config.users) users groups;
+  zoneData =
     # TODO: increase the TTL once things have settled down
-    data = ''
+    ''
       $ORIGIN ${domain}.
       $TTL 500
 
@@ -87,7 +22,7 @@ in
 
       ; NS (Name Server)
       @ NS ns
-      @ NS ns6.gandi.net.
+      @ NS ${info.gandi.dns.secondary.ns.name}.
       i NS ns
       whoami4 NS ns.whoami4
       ns.whoami4 A ${hosts.mermet._module.args.ipv4}
@@ -96,6 +31,7 @@ in
       @            A ${hosts.mermet._module.args.ipv4}
       mermet       A ${hosts.mermet._module.args.ipv4}
       autoconfig   A ${hosts.mermet._module.args.ipv4}
+      calibre      A ${hosts.mermet._module.args.ipv4}
       doc          A ${hosts.mermet._module.args.ipv4}
       git          A ${hosts.mermet._module.args.ipv4}
       imap         A ${hosts.mermet._module.args.ipv4}
@@ -119,6 +55,7 @@ in
       ; CNAME (Canonical Name)
       openconcerto     CNAME losurdo
       xmpp             CNAME mermet
+      salons           CNAME mermet
       tmp              CNAME mermet
       proxy65          CNAME mermet
       cryptpad         CNAME losurdo
@@ -144,11 +81,81 @@ in
       _xmpp-client._tcp         18000 IN SRV 0 5 5222 xmpp
       _xmpp-server._tcp         18000 IN SRV 0 5 5269 xmpp
       _xmpp-server._tcp.salons  18000 IN SRV 0 5 5269 xmpp
+      _xmpps-client._tcp        18000 IN SRV 0 5 5223 xmpp
+      _xmpps-server._tcp        18000 IN SRV 0 5 5270 xmpp
+      _xmpps-server._tcp.salons 18000 IN SRV 0 5 5270 xmpp
 
       ; CAA (Certificate Authority Authorization)
       ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
-      @ CAA 128 issue "letsencrypt.org"
+      @ CAA 128 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/78014180"
     '';
+in
+{
+  services.knot.settingsFreeform = {
+    remote.ns_iodine.address = "127.0.0.1@1053";
+    acl."acl_localhost_acme_${domainID}" = {
+      address = "127.0.0.1";
+      action = "update";
+      update-owner = "name";
+      update-owner-match = "equal";
+      update-owner-name = [ "_acme-challenge" ];
+      update-type = [ "TXT" ];
+    };
+    acl."acl_tsig_acme_${domainID}" = {
+      key = "acme_${domainID}";
+      action = "update";
+      update-owner = "name";
+      update-owner-match = "equal";
+      update-owner-name = [ "_acme-challenge" ];
+      update-type = [ "TXT" ];
+    };
+    acl."acl_tsig_losurdo_${domainID}" = {
+      key = "losurdo_${domainID}";
+      action = "update";
+      update-owner = "name";
+      update-owner-match = "equal";
+      update-owner-name = [ "losurdo" "lan.losurdo" ];
+      update-type = [ "A" "AAAA" ];
+    };
+    mod-dnsproxy.proxy_iodine = {
+      remote = "ns_iodine";
+      fallback = "off";
+    };
+    zone."${domain}" = {
+      file = "${domain}.zone";
+      serial-policy = "increment";
+      semantic-checks = true;
+      notify = [
+        "secondary_gandi"
+      ];
+      acl = [
+        "acl_gandi"
+        "acl_localhost_acme_${domainID}"
+        "acl_tsig_acme_${domainID}"
+        "acl_tsig_losurdo_${domainID}"
+      ];
+      dnssec-signing = true;
+      dnssec-policy = "rsa";
+    };
+    #zone."i.${domain}" = {
+    #  module = "mod-dnsproxy/proxy_iodine";
+    #};
+    zone."whoami4.${domain}" = {
+      module = "mod-whoami";
+      file = pkgs.writeText "whoami4.zone" ''
+        $TTL 1
+        @ SOA ns root.${domain}. (
+          0     ; SERIAL
+          86400 ; REFRESH
+          86400 ; RETRY
+          86400 ; EXPIRE
+          1 ; MINIMUM
+        )
+        $TTL 86400
+        @ NS ns
+        ns A ${hosts.mermet._module.args.ipv4}
+      '';
+    };
   };
   services.knot = {
     keyFiles = [
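Review bot: The `zone."i.${domain}"` entry is commented out here, yet the zone data keeps the `i NS ns` delegation (hunk at -87,7) and `remote.ns_iodine` plus `mod-dnsproxy.proxy_iodine` are still declared, so queries for `i.sourcephile.fr` are referred to this server and then refused — this reads as a dangling delegation rather than a deliberate removal. Either restore the zone, or drop the NS record and the now-unused remote/proxy entries together; if it is a temporary workaround, a one-line reason next to the commented block would help, e.g. `# disabled: <reason placeholder> — re-enable together with the 'i NS ns' record`. Separately, `acl."acl_localhost_acme_${domainID}"` authorises `_acme-challenge` TXT updates on source address alone, so any local process can rewrite the ACME challenge; that predates this commit, but since the TSIG variant `acl_tsig_acme_*` already exists it is worth confirming the address-only rule is still needed. The `services.knot` attribute set continues past the end of this hunk.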
@@ -159,23 +166,23 @@ in
   };
   systemd.services.knot = {
     serviceConfig = {
+      ExecStartPre = [
+        ''
+          +${pkgs.coreutils}/bin/install -D -o ${users.knot.name} -g ${groups."knot".name} -m 700 \
+           ${pkgs.writeText "${domain}.zone" zoneData} \
+           /var/lib/knot/zones/${domain}.zone
+        ''
+      ];
       LoadCredentialEncrypted = [
-        "${domain}.acme.conf:${inputs.self}/hosts/${hostName}/knot/${domain}/acme.conf.cred"
-        "losurdo.conf:${inputs.self}/hosts/${hostName}/knot/${domain}/losurdo.conf.cred"
+        "${domain}.acme.conf:${./. + "/${domain}/acme.conf.cred"}"
+        "losurdo.conf:${./. + "/${domain}/losurdo.conf.cred"}"
       ];
     };
   };
   networking.nftables.ruleset = ''
     table inet filter {
-      # Gandi DNS
-      set output-net-knot-ipv4 {
-        type ipv4_addr
-        elements = { 217.70.177.40 }
-      }
-      set output-net-knot-ipv6 {
-        type ipv6_addr
-        elements = { 2001:4b98:d:1::40 }
-      }
+      set output-net-knot-ipv4 { type ipv4_addr; elements = { ${info.gandi.dns.secondary.axfr.ipv4} }; }
+      set output-net-knot-ipv6 { type ipv6_addr; elements = { ${info.gandi.dns.secondary.axfr.ipv6} }; }
     }
   '';
   /* Useless since the zone is public
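Review bot: The new `ExecStartPre` re-installs the zone file from the Nix store on every start, overwriting whatever Knot has written back to `/var/lib/knot/zones/${domain}.zone`; with `serial-policy = "increment"` and `dnssec-signing = true` (earlier hunk) that is presumably the re-signed zone with an incremented SOA serial, so a restart can move the published serial backwards and leave the Gandi secondary on its older copy until the serial catches up. Worth confirming against Knot's zonefile-load/zonefile-sync defaults for this zone; if the store copy is meant to be authoritative, setting `zonefile-sync` to `-1` on the zone (or pointing `file` at the store path directly, as the whoami4 zone already does) would make that explicit. Also `-m 700` sets an execute bit on a data file; `-m 600` is sufficient, and since the zone is public `644` would do as well. The `networking.nftables.ruleset` block continues past the end of this hunk.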