From 1977ffdb9d1a902e59cda4f2e9f1f5cab4da202c Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Wed, 4 Mar 2020 17:37:37 +0100
Subject: [PATCH] nsd: re-add autogeree.net zone
---
 servers/mermet/knot.nix | 8 ++
 servers/mermet/knot/autogeree.net.nix | 103 ++++++++++++++++++++++++
 servers/mermet/knot/sourcephile.fr.nix | 2 +-
 servers/mermet/production/shorewall.nix | 1 +
 4 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 servers/mermet/knot/autogeree.net.nix
diff --git a/servers/mermet/knot.nix b/servers/mermet/knot.nix
index d925c80..17302fe 100644
--- a/servers/mermet/knot.nix
+++ b/servers/mermet/knot.nix
@@ -5,6 +5,7 @@ let in { imports = [ + knot/autogeree.net.nix knot/sourcephile.fr.nix ]; options.services.knot = {
@@ -92,6 +93,9 @@ services.knot = { - id: secondary_gandi address: 217.70.177.40@53 + - id: secondary_muarf + address: 78.192.65.63@53 + submission: - id: dnssec_validating_resolver parent: local_resolver
@@ -124,6 +128,10 @@ services.knot = { address: 217.70.177.40 action: transfer + - id: acl_muarf + address: 78.192.65.63 + action: transfer + '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {conf, ...}: conf) knot.zones); }; };
diff --git a/servers/mermet/knot/autogeree.net.nix b/servers/mermet/knot/autogeree.net.nix
new file mode 100644
index 0000000..b6f485d
--- /dev/null
+++ b/servers/mermet/knot/autogeree.net.nix
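Review bot: The new secondary is trusted by source address alone: the `secondary_muarf` remote here and the `acl_muarf` entry in the next hunk carry no `key:`, so whoever can complete a TCP connection from 78.192.65.63 (or inherits that address if it is ever reassigned) is granted a full zone transfer, and the peer in turn has no way to distinguish a genuine NOTIFY from mermet from a forged one. The zone data is public, so the exposure is limited, and `acl_gandi` already has the same address-only shape, but Knot's `remote` and `acl` sections both accept a `key:` referencing a TSIG key, and the choice deserves a comment such as `# TODO: authenticate transfers/notifies to muarf with a TSIG key instead of by source address`. The same literal 78.192.65.63 now appears twice in this file and once more in servers/mermet/production/shorewall.nix; hoisting it into a single binding next to the gandi address would keep the remote, the ACL and the firewall rule from drifting apart. The enclosing `services.knot` configuration string starts and ends outside these hunks.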
@@ -0,0 +1,103 @@
+{ pkgs, lib, config, ... }:
+let
+ inherit (builtins.extraBuiltins) pass git;
+ inherit (pkgs.lib) unlinesAttrs types;
+ inherit (config) networking;
+ inherit (config.services) knot;
+ inherit (config) users;
+ # Use the Git commit time of the ${domain}.nix file to set the serial number.
+ # WARNING: the ${domain}.nix must be committed into Git for this to work.
+ # WARNING: this does not take other .nix into account, though they may contribute to the zone's data.
+ serial = domain: toString (git ./. [ "log" "-1" "--format=%ct" "--" (domain + ".nix") ]);
+ mermetIPv4 = "80.67.180.129";
+ domain = "autogeree.net";
+in
+{
+security.acme.certs."${domain}" = {
+ email = "root+letsencrypt@${domain}";
+ extraDomains = {
+ "*.${domain}" = null;
+ };
+ group = users.groups.acme.name;
+ allowKeysForGroup = true;
+ keyType = "rsa4096";
+ dnsProvider = "rfc2136";
+ credentialsFile = pkgs.writeText "credentials" ''
+ RFC2136_NAMESERVER=127.0.0.1:5353
+ LEGO_EXPERIMENTAL_CNAME_SUPPORT=1
+ '';
+};
+services.knot.zones."${domain}" = {
+ conf = ''
+ acl:
+ - id: acl_acme_challenge_autogeree_net
+ address: 127.0.0.1
+ action: update
+ update-owner: name
+ update-owner-match: equal
+ update-owner-name: [_acme-challenge.${domain}]
+ update-type: [TXT]
+
+ zone:
+ - domain: ${domain}
+ file: ${domain}.zone
+ serial-policy: increment
+ semantic-checks: on
+ notify: secondary_gandi
+ notify: secondary_muarf
+ acl: acl_gandi
+ acl: acl_muarf
+ acl: acl_acme_challenge_autogeree_net
+ dnssec-signing: off
+ dnssec-policy: ed25519
+ '';
+ # TODO: increase the TTL once things have settled down
+ data = ''
+ $ORIGIN ${domain}.
+ $TTL 500
+
+ ; SOA (Start Of Authority)
+ @ SOA ns admin (
+ ${serial domain} ; Serial number
+ 24h ; Refresh
+ 15m ; Retry
+ 1000h ; Expire (1000h)
+ 1d ; Negative caching
+ )
+
+ ; NS (Name Server)
+ @ NS ns
+ @ NS ns6.gandi.net.
+
+ ; A (DNS -> IPv4)
+ @ A ${mermetIPv4}
+ mermet A ${mermetIPv4}
+ autoconfig A ${mermetIPv4}
+ code A ${mermetIPv4}
+ git A ${mermetIPv4}
+ imap A ${mermetIPv4}
+ mail A ${mermetIPv4}
+ ns A ${mermetIPv4}
+ pop A ${mermetIPv4}
+ smtp A ${mermetIPv4}
+ submission A ${mermetIPv4}
+ www A ${mermetIPv4}
+ chomsky A 91.216.110.36
+ alpes A 195.88.84.51
+
+ ; SPF (Sender Policy Framework)
+ @ 3600 IN SPF "v=spf1 mx ip4:${mermetIPv4} -all"
+ @ 3600 IN TXT "v=spf1 mx ip4:${mermetIPv4} -all"
+
+ ; MX (Mail eXchange)
+ @ 180 MX 5 mail
+
+ ; SRV (SeRVice)
+ _git._tcp.git 18000 IN SRV 0 0 9418 git
+
+ ; CAA (Certificate Authority Authorization)
+ ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
+ @ CAA 128 issue "letsencrypt.org"
+ '';
+};
+}
diff --git a/servers/mermet/knot/sourcephile.fr.nix b/servers/mermet/knot/sourcephile.fr.nix
index e79ac47..4201805 100644
--- a/servers/mermet/knot/sourcephile.fr.nix
+++ b/servers/mermet/knot/sourcephile.fr.nix
@@ -68,7 +68,7 @@ services.knot.zones."${domain}" = { @ NS ns6.gandi.net. ; A (DNS -> IPv4) - @ A ${mermetIPv4} + @ A ${mermetIPv4} mermet A ${mermetIPv4} autoconfig A ${mermetIPv4} code A ${mermetIPv4}
diff --git a/servers/mermet/production/shorewall.nix b/servers/mermet/production/shorewall.nix
index 16159bb..d8ab15a 100644
--- a/servers/mermet/production/shorewall.nix
+++ b/servers/mermet/production/shorewall.nix
@@ -11,6 +11,7 @@ let # By port DNS(ACCEPT) $FW net {user=${users.users.unbound.name}} DNS(ACCEPT) $FW net:217.70.177.40 # for knot to notify ns6.gandi.net + DNS(ACCEPT) $FW net:78.192.65.63 # for knot to notify ns0.muarf.org Git(ACCEPT) $FW net HKP(ACCEPT) $FW net {user=${users.users.julm.name}} HTTP(ACCEPT) $FW net
-- 2.47.2
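Review bot: The `acl_acme_challenge_autogeree_net` entry authorizes dynamic updates on source address 127.0.0.1 alone, with no `key:`, so any local process that can reach the update listener (presumably the 127.0.0.1:5353 endpoint named in `RFC2136_NAMESERVER` just above) may rewrite the `_acme-challenge.autogeree.net` TXT record that proves control of the domain to the CA; `update-owner-name`/`update-type` already narrow the blast radius, which is good, but the local-trust assumption should be written down, e.g. `# NOTE: no TSIG key: any local user able to reach 127.0.0.1:5353 can set the ACME challenge TXT`. If a TSIG secret is added later, `credentialsFile = pkgs.writeText "credentials"` would put it in the world-readable Nix store, so the credentials file would then have to come from outside the store. `dnssec-signing: off` next to `dnssec-policy: ed25519` reads as deliberate but unexplained; a one-line reason would save the next reader a guess. The `let` block also binds `pass`, `unlinesAttrs`, `types`, `networking` and `knot` without using them anywhere in this file; dropping them would make the real inputs (`git`, `users`, `pkgs`) obvious.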