{ pkgs, lib, config, ... }:
-with builtins;
let
inherit (builtins.extraBuiltins) pass git;
inherit (pkgs.lib) unlinesAttrs types;
inherit (config) networking;
inherit (config.services) knot;
+ inherit (config) users;
# Use the Git commit time of the ${domain}.nix file to set the serial number.
# WARNING: the ${domain}.nix must be committed into Git for this to work.
# WARNING: this does not take other .nix into account, though they may contribute to the zone's data.
serial = domain: toString (git ./. [ "log" "-1" "--format=%ct" "--" (domain + ".nix") ]);
mermetIPv4 = "80.67.180.129";
+ losurdoIPv4 = "80.67.180.251";
domain = "sourcephile.fr";
- # TODO: increase the TTL once things have settled down
in
{
+systemd.services."acme-${domain}".after = [
+ "unbound.service"
+];
+security.acme.certs."${domain}" = {
+ email = "root@${domain}";
+ extraDomains = {
+ "*.${domain}" = null;
+ };
+ group = users.groups.acme.name;
+ allowKeysForGroup = true;
+ keyType = "rsa4096";
+ dnsProvider = "rfc2136";
+ credentialsFile = pkgs.writeText "credentials" ''
+ RFC2136_NAMESERVER=127.0.0.1:5353
+ LEGO_EXPERIMENTAL_CNAME_SUPPORT=1
+ '';
+};
services.knot.zones."${domain}" = {
conf = ''
+ acl:
+ - id: acl_acme_challenge_sourcephile_fr
+ address: 127.0.0.1
+ action: update
+ update-owner: name
+ update-owner-match: equal
+ update-owner-name: [_acme-challenge.${domain}]
+ update-type: [TXT]
+
zone:
- domain: ${domain}
file: ${domain}.zone
semantic-checks: on
notify: secondary_gandi
acl: acl_gandi
- acl: acl_localhost
+ acl: acl_acme_challenge_sourcephile_fr
dnssec-signing: on
dnssec-policy: rsa
+ - domain: whoami4.${domain}
+ module: mod-whoami
+ file: "${pkgs.writeText "whoami4.zone" ''
+ $TTL 1
+ @ SOA ns root.${domain}. (
+ ${serial domain} ; SERIAL
+ 86400 ; REFRESH
+ 86400 ; RETRY
+ 86400 ; EXPIRE
+ 1 ; MINIMUM
+ )
+ $TTL 86400
+ @ NS ns
+ ns A ${mermetIPv4}
+ ''}"
'';
+ # TODO: increase the TTL once things have settled down
data = ''
$ORIGIN ${domain}.
$TTL 500
; SOA (Start Of Authority)
- @ SOA ns admin (
+ @ SOA ns root (
${serial domain} ; Serial number
24h ; Refresh
15m ; Retry
; NS (Name Server)
@ NS ns
@ NS ns6.gandi.net.
+ whoami4 NS ns.whoami4
+ ns.whoami4 A ${mermetIPv4}
; A (DNS -> IPv4)
- @ A ${mermetIPv4}
+ @ A ${mermetIPv4}
mermet A ${mermetIPv4}
+ losurdo A ${losurdoIPv4}
autoconfig A ${mermetIPv4}
+ doc A ${mermetIPv4}
code A ${mermetIPv4}
git A ${mermetIPv4}
imap A ${mermetIPv4}
smtp A ${mermetIPv4}
submission A ${mermetIPv4}
www A ${mermetIPv4}
+ lemoutona5pattes A ${mermetIPv4}
+ covid19 A ${mermetIPv4}
; SPF (Sender Policy Framework)
@ 3600 IN SPF "v=spf1 mx ip4:${mermetIPv4} -all"
; SRV (SeRVice)
_git._tcp.git 18000 IN SRV 0 0 9418 git
+
+ ; CAA (Certificate Authority Authorization)
+ ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
+ @ CAA 128 issue "letsencrypt.org"
'';
};
+/* Useless since the zone is public
+services.unbound.extraConfig = ''
+ stub-zone:
+ name: "sourcephile.fr"
+ stub-addr: 127.0.0.1@5353
+'';
+*/
}
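Review bot: The new `acl_acme_challenge_sourcephile_fr` ACL authorizes dynamic updates by source address alone — there is no `key:` — so any local process that can reach 127.0.0.1:5353, not only lego, can rewrite the `_acme-challenge.sourcephile.fr` TXT record and thereby pass a DNS-01 challenge for the `*.sourcephile.fr` wildcard requested in `extraDomains`. The `update-owner*`/`update-type` restrictions do keep the rest of the zone (and DNSSEC signing) out of reach, but they do not prevent certificate mis-issuance after a local-user compromise. Bind the ACL to a TSIG key (a Knot `key:` entry referenced by `key:` in the ACL) and hand the same key to lego via `RFC2136_TSIG_KEY`/`RFC2136_TSIG_SECRET`/`RFC2136_TSIG_ALGORITHM`. Note that `credentialsFile` is built with `pkgs.writeText`, which lands in the world-readable Nix store; that is harmless today because the file holds no secret, but once it carries the TSIG secret it must be a path outside the store (the Knot `key:` definition has the same constraint, presumably solvable with Knot's `include:` of a root-only file — verify), and a Nix-evaluation-time secret such as one from the `pass` builtin on L4 would likely end up in the store as well. The listen address of the Knot instance on port 5353 is not visible in this hunk, so I am assuming 127.0.0.1:5353 is Knot itself.
```nix
security.acme.certs."${domain}" = {
  # … unchanged: email / extraDomains / group / allowKeysForGroup / keyType / dnsProvider …
  # NOTE(review): not pkgs.writeText once a secret is inside — that is the Nix store.
  # The file is expected to contain (values illustrative):
  #   RFC2136_NAMESERVER=127.0.0.1:5353
  #   RFC2136_TSIG_KEY=acme_challenge.${domain}
  #   RFC2136_TSIG_SECRET=<base64 secret, not generated at Nix evaluation time>
  #   RFC2136_TSIG_ALGORITHM=hmac-sha256.
  #   LEGO_EXPERIMENTAL_CNAME_SUPPORT=1
  credentialsFile = "/path/outside/the/nix/store/lego-rfc2136.env";
};
services.knot.zones."${domain}" = {
  conf = ''
    # NOTE(review): the key itself must also stay out of the store;
    # e.g. `include: /path/outside/the/nix/store/acme-tsig.conf` holding the key: block.
    acl:
      - id: acl_acme_challenge_sourcephile_fr
        address: 127.0.0.1
        key: acme_challenge.${domain}
        action: update
        # … unchanged: update-owner / update-owner-match / update-owner-name / update-type …
    # … unchanged: zone: section …
  '';
  # … unchanged: data …
};
```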