From f2c0054928fe04a644905bfe5955ab1ff3ade858 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Thu, 13 Feb 2020 04:18:09 +0100
Subject: [PATCH 01/16] nginx: use Let's Encrypt X.509 certificate

---
 servers/mermet/knot.nix                       |  8 ++
 servers/mermet/knot/sourcephile.fr.nix        | 14 +---
 servers/mermet/nginx.nix                      | 75 +++++++------------
 servers/mermet/nginx/sourcephile.fr.nix       |  7 ++
 .../{gitweb.nix => sourcephile.fr/git.nix}    | 13 ++--
 .../mermet/nginx/{ => sourcephile.fr}/www.nix |  6 +-
 6 files changed, 55 insertions(+), 68 deletions(-)
 create mode 100644 servers/mermet/nginx/sourcephile.fr.nix
 rename servers/mermet/nginx/{gitweb.nix => sourcephile.fr/git.nix} (91%)
 rename servers/mermet/nginx/{ => sourcephile.fr}/www.nix (75%)

diff --git a/servers/mermet/knot.nix b/servers/mermet/knot.nix
index 2768e23..52f9ea3 100644
--- a/servers/mermet/knot.nix
+++ b/servers/mermet/knot.nix
@@ -27,6 +27,14 @@ config = {
 security.acme = {
   acceptTerms = true;
 };
+environment.systemPackages = [
+  pkgs.lego
+];
+users = {
+  groups = {
+    acme = {};
+  };
+};
 systemd.services.knot.preStart = lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {data, ...}:
   lib.optionalString (data != null) ''
     install -D -o knot -g knot -m 700 ${pkgs.writeText "${domain}.zone" data} /var/lib/knot/zones/${domain}.zone
diff --git a/servers/mermet/knot/sourcephile.fr.nix b/servers/mermet/knot/sourcephile.fr.nix
index 6dc4711..a313fa1 100644
--- a/servers/mermet/knot/sourcephile.fr.nix
+++ b/servers/mermet/knot/sourcephile.fr.nix
@@ -13,16 +13,6 @@ let
   domain = "sourcephile.fr";
 in
 {
-environment.systemPackages = [
-  pkgs.lego
-];
-users = {
-  groups = {
-    acme = {
-      members = [ users.users.nginx.name ];
-    };
-  };
-};
 security.acme.certs."${domain}" = {
   email = "root@${domain}";
   extraDomains = {
@@ -92,6 +82,10 @@ services.knot.zones."${domain}" = {
 
     ; SRV (SeRVice)
     _git._tcp.git 18000 IN SRV 0 0 9418 git
+
+    ; CAA (Certificate Authority Authorization)
+    ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
+    @ CAA 128 issue "letsencrypt.org"
   '';
 };
 }
diff --git a/servers/mermet/nginx.nix b/servers/mermet/nginx.nix
index 0c416ec..903b658 100644
--- a/servers/mermet/nginx.nix
+++ b/servers/mermet/nginx.nix
@@ -10,8 +10,7 @@ let
 in
 {
 imports = [
-  nginx/gitweb.nix
-  nginx/www.nix
+  nginx/sourcephile.fr.nix
 ];
 options = {
   services.nginx = {
@@ -37,10 +36,8 @@ config = {
        ${nginx.webDir} \
        ${nginx.logDir}
     '';
-    after = [
-      "${networking.domain}.key.pem-key.service"
-    ];
   };
+  users.groups."acme".members = [nginx.user];
   services.nginx = {
     enable = true;
     stateDir = "/dev/shm/nginx";
@@ -50,15 +47,22 @@ config = {
       worker_connections 1024;
     '';
     clientMaxBodySize = "20m";
+    recommendedGzipSettings = true;
+    recommendedOptimisation = false;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
+    resolver = {
+      addresses = [ "127.0.0.1:53" ];
+      valid = "";
+      ipv6 = networking.defaultGateway6 != null;
+    };
     serverTokens = false;
     # Only allow PFS-enabled ciphers with AES256
-    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+    #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
     #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
+    #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
     sslDhparam = ../../../sec/openssl/dh.pem;
-    #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL;";
-    #sslProtocols = "TLSv1.2";
+    sslProtocols = "TLSv1.3 TLSv1.2";
     commonHttpConfig = ''
       log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
@@ -75,10 +79,11 @@ config = {
 
           # Add HSTS header with preloading to HTTPS requests.
           # Adding this header to HTTP requests is discouraged
-          #map $scheme $hsts_header {
-          #    https   "max-age=31536000; includeSubdomains; preload";
-          #}
-          #add_header Strict-Transport-Security $hsts_header;
+          # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
+          map $scheme $hsts_header {
+              https   "max-age=31536000; includeSubdomains; preload";
+          }
+          add_header Strict-Transport-Security $hsts_header;
 
           # Enable CSP for your services.
           #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
@@ -98,6 +103,9 @@ config = {
 
           # This might create errors
           proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+
+          # If a client has a session ticket, it can present it to the server and re-negotiation is not necessary.
+          ssl_session_tickets on;
         '';
         log = ''
           access_log ${nginx.logDir}/access.log main buffer=32k;
@@ -145,8 +153,8 @@ config = {
           tcp_nodelay on;
           keepalive_timeout 20;
           reset_timedout_connection on;
-          #types_hash_max_size 2048;
-          #server_names_hash_bucket_size 128;
+          types_hash_max_size 4096;
+          server_names_hash_bucket_size 128;
         '';
         map = ''
           # User agents that are to be blocked.
@@ -165,34 +173,6 @@ config = {
           #  127.0.0.1 0;
           #}
         '';
-        gzip = ''
-          gzip on;
-          gzip_buffers 16 8k;
-          gzip_comp_level 6;
-          gzip_disable "MSIE [1-6]\.";
-          gzip_http_version 1.1;
-          gzip_min_length 1024;
-          gzip_proxied any;
-          gzip_static on;
-          gzip_vary on;
-          gzip_types application/atom+xml
-                     application/javascript
-                     application/json
-                     application/rss+xml
-                     application/vnd.ms-fontobject
-                     application/x-font-ttf
-                     application/x-javascript
-                     application/xml
-                     application/xml+rss
-                     font/opentype
-                     font/truetype
-                     image/svg+xml
-                     text/css
-                     text/javascript
-                     text/plain
-                     text/x-component
-                     text/xml;
-        '';
         cache = ''
           client_body_buffer_size 4K;
             # getconf PAGESIZE
@@ -202,7 +182,7 @@ config = {
           client_header_buffer_size 1k;
           client_header_timeout 60;
           large_client_header_buffers 4 8k;
-          
+
           open_file_cache max=200000 inactive=20s;
           open_file_cache_errors on;
           open_file_cache_min_uses 2;
@@ -210,14 +190,11 @@ config = {
         '';
       });
     appendConfig = ''
-      worker_processes 4;
+      worker_processes ${toString config.nix.maxJobs};
     '';
     virtualHosts."_" = {
-      forceSSL = false;
-      # Convoluted way to load the certificate in the store and using ${networking.domainBase} to find it.
-      # NOTE: no ssl_stapling while the certificate remains self-signed.
-      sslCertificate = loadFile (../../../sec + "/openssl/${networking.domain}/cert.self-signed.pem");
-      sslCertificateKey = "/run/keys/${networking.domain}.key.pem";
+      forceSSL = true;
+      useACMEHost = networking.domain;
     };
   };
 };
diff --git a/servers/mermet/nginx/sourcephile.fr.nix b/servers/mermet/nginx/sourcephile.fr.nix
new file mode 100644
index 0000000..63d6148
--- /dev/null
+++ b/servers/mermet/nginx/sourcephile.fr.nix
@@ -0,0 +1,7 @@
+{ pkgs, lib, config, ... }:
+{
+imports = [
+  sourcephile.fr/www.nix
+  sourcephile.fr/git.nix
+];
+}
diff --git a/servers/mermet/nginx/gitweb.nix b/servers/mermet/nginx/sourcephile.fr/git.nix
similarity index 91%
rename from servers/mermet/nginx/gitweb.nix
rename to servers/mermet/nginx/sourcephile.fr/git.nix
index e258031..c1d5336 100644
--- a/servers/mermet/nginx/gitweb.nix
+++ b/servers/mermet/nginx/sourcephile.fr/git.nix
@@ -1,6 +1,7 @@
 { pkgs, lib, config, ... }:
 let inherit (config) networking;
     inherit (config.services) gitweb gitolite nginx;
+    domain = "sourcephile.fr";
     package = pkgs.gitweb.override (lib.optionalAttrs gitweb.gitwebTheme {
       gitwebTheme = true;
     });
@@ -19,13 +20,13 @@ in
 {
   services.nginx = {
     virtualHosts."git" = {
-      serverName = "git.${networking.domain}";
+      serverName = "git.${domain}";
       serverAliases =
         map (domainAlias: "git." + domainAlias)
             config.networking.domainAliases;
       forceSSL = false;
-      sslCertificate = nginx.virtualHosts."_".sslCertificate;
-      sslCertificateKey = nginx.virtualHosts."_".sslCertificateKey;
+      enableSSL = true;
+      useACMEHost = domain;
       locations = {
         "/" = {
           extraConfig = ''
@@ -67,7 +68,7 @@ in
     extraConfig = ''
       use utf8;
       my $s = $cgi->https() ? "s"  : "";
-      @extra_breadcrumbs = (["${networking.domainBase}" => "http''${s}://${networking.domain}"]);
+      @extra_breadcrumbs = (["${networking.domainBase}" => "http''${s}://${domain}"]);
       $site_name = "Git — Sourcephile";
       $home_link_str = "git";
       $projects_list = "${gitolite.dataDir}/projects.list";
@@ -78,8 +79,8 @@ in
       $export_ok = "git-daemon-export-ok";
       $prevent_xss = 0;
       @git_base_url_list =
-       ( "git://git.${networking.domain}"
-       , "git\@git.${networking.domain}:"
+       ( "git://git.${domain}"
+       , "git\@git.${domain}:"
        );
       # NOTE: more readable URL.
       $feature{'pathinfo'}{'default'} = [1];
diff --git a/servers/mermet/nginx/www.nix b/servers/mermet/nginx/sourcephile.fr/www.nix
similarity index 75%
rename from servers/mermet/nginx/www.nix
rename to servers/mermet/nginx/sourcephile.fr/www.nix
index 5c2ad3f..f4ea868 100644
--- a/servers/mermet/nginx/www.nix
+++ b/servers/mermet/nginx/sourcephile.fr/www.nix
@@ -1,6 +1,7 @@
 { pkgs, lib, config, ... }:
 let inherit (config) networking;
     inherit (config.services) nginx;
+    domain = "sourcephile.fr";
 in
 {
   services.nginx = {
@@ -12,9 +13,8 @@ in
         ++ map (domainAlias: "www." + domainAlias)
           config.networking.domainAliases;
       forceSSL = false;
-      enableSSL = false;
-      #sslCertificate = nginx.virtualHosts."_".sslCertificate;
-      #sslCertificateKey = nginx.virtualHosts."_".sslCertificateKey;
+      enableSSL = true;
+      useACMEHost = domain;
       globalRedirect = "git.${networking.domain}";
     };
   };
-- 
2.44.1


From d9b90231a8582712092a311d590e0bd8a6f6a3b9 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Thu, 13 Feb 2020 04:55:58 +0100
Subject: [PATCH 02/16] knot: allow only updates to _acme-challenge TXT

---
 servers/mermet/knot.nix                |  8 --------
 servers/mermet/knot/sourcephile.fr.nix | 12 ++++++++++--
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/servers/mermet/knot.nix b/servers/mermet/knot.nix
index 52f9ea3..d925c80 100644
--- a/servers/mermet/knot.nix
+++ b/servers/mermet/knot.nix
@@ -119,14 +119,6 @@ services.knot = {
         ksk-submission: dnssec_validating_resolver
 
     acl:
-      - id: acl_localhost
-        address: 127.0.0.1
-        action: transfer
-
-      - id: acl_lego
-        address: 127.0.0.1
-        action: update
-
       # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
       - id: acl_gandi
         address: 217.70.177.40
diff --git a/servers/mermet/knot/sourcephile.fr.nix b/servers/mermet/knot/sourcephile.fr.nix
index a313fa1..e79ac47 100644
--- a/servers/mermet/knot/sourcephile.fr.nix
+++ b/servers/mermet/knot/sourcephile.fr.nix
@@ -29,6 +29,15 @@ security.acme.certs."${domain}" = {
 };
 services.knot.zones."${domain}" = {
   conf = ''
+    acl:
+      - id: acl_acme_challenge_sourcephile_fr
+        address: 127.0.0.1
+        action: update
+        update-owner: name
+        update-owner-match: equal
+        update-owner-name: [_acme-challenge.${domain}]
+        update-type: [TXT]
+
     zone:
       - domain: ${domain}
         file: ${domain}.zone
@@ -36,8 +45,7 @@ services.knot.zones."${domain}" = {
         semantic-checks: on
         notify: secondary_gandi
         acl: acl_gandi
-        acl: acl_lego
-        acl: acl_localhost
+        acl: acl_acme_challenge_sourcephile_fr
         dnssec-signing: on
         dnssec-policy: rsa
   '';
-- 
2.44.1


From 94b5661428c4d4e6e8ab82752c31eece4fe13085 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Thu, 13 Feb 2020 17:32:07 +0100
Subject: [PATCH 03/16] nginx: remove deprecated enableSSL

---
 servers/mermet/dovecot/sourcephile.fr.nix   | 2 ++
 servers/mermet/nginx/sourcephile.fr/git.nix | 1 -
 servers/mermet/nginx/sourcephile.fr/www.nix | 1 -
 3 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/servers/mermet/dovecot/sourcephile.fr.nix b/servers/mermet/dovecot/sourcephile.fr.nix
index 46f01c0..7271c05 100644
--- a/servers/mermet/dovecot/sourcephile.fr.nix
+++ b/servers/mermet/dovecot/sourcephile.fr.nix
@@ -53,6 +53,8 @@ services.nginx.virtualHosts."autoconfig.${domain}" = {
     access_log off;
     log_not_found off;
   '';
+  forceSSL = true;
+  useACMEHost = domain;
   root = pkgs.writeTextFile {
     name = "autoconfig";
     destination = "/mail/config-v1.1.xml";
diff --git a/servers/mermet/nginx/sourcephile.fr/git.nix b/servers/mermet/nginx/sourcephile.fr/git.nix
index c1d5336..c031b50 100644
--- a/servers/mermet/nginx/sourcephile.fr/git.nix
+++ b/servers/mermet/nginx/sourcephile.fr/git.nix
@@ -25,7 +25,6 @@ in
         map (domainAlias: "git." + domainAlias)
             config.networking.domainAliases;
       forceSSL = false;
-      enableSSL = true;
       useACMEHost = domain;
       locations = {
         "/" = {
diff --git a/servers/mermet/nginx/sourcephile.fr/www.nix b/servers/mermet/nginx/sourcephile.fr/www.nix
index f4ea868..9426af2 100644
--- a/servers/mermet/nginx/sourcephile.fr/www.nix
+++ b/servers/mermet/nginx/sourcephile.fr/www.nix
@@ -13,7 +13,6 @@ in
         ++ map (domainAlias: "www." + domainAlias)
           config.networking.domainAliases;
       forceSSL = false;
-      enableSSL = true;
       useACMEHost = domain;
       globalRedirect = "git.${networking.domain}";
     };
-- 
2.44.1


From 445baebce48848fd41a25a28a4beaa39c7fd1c21 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Fri, 14 Feb 2020 02:47:00 +0100
Subject: [PATCH 04/16] direnv: fix broken dump with new direnv_load

---
 .envrc | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/.envrc b/.envrc
index 0f3621d..20c104d 100644
--- a/.envrc
+++ b/.envrc
@@ -53,7 +53,7 @@ if test -e ".cache/nix-shell/$hash/dump"
 then
   log_status "reusing .cache/nix-shell/$hash/"
   # Load the cached environment
-  direnv_load cat .cache/nix-shell/"$hash"/dump
+  direnv_load sh -c "cat >\$DIRENV_DUMP_FILE_PATH .cache/nix-shell/"$hash"/dump"
   # Re-run the shellHook to update envvars like GPG_TTY,
   # and run gpg-connect-agent updatestartuptty /bye
   eval "$shellHook"
@@ -72,12 +72,11 @@ else log_status "building .cache/nix-shell/$hash/"
    --indirect --add-root .cache/nix-shell/"$hash"/shell.dep \
    ${OFFLINE:+--option substituters ""} \
    --realise $(nix-store --query --references .cache/nix-shell/"$hash"/shell.drv) &&
-  nix-shell >"$dump" ${TRACE:+--show-trace} --pure \
-  --run "$(join_args "$direnv" dump)" \
-   ${OFFLINE:+--option substituters ""} &&
+  direnv_load sh -c "nix-shell ${TRACE:+--show-trace} --pure \
+   --run \"DIRENV_DUMP_FILE_PATH=$dump $direnv dump; cat $dump >\$DIRENV_DUMP_FILE_PATH\" \
+   ${OFFLINE:+--option substituters ""}" &&
   mv -f "$dump" .cache/nix-shell/"$hash"/dump &&
-  find .cache/nix-shell -mindepth 1 -maxdepth 1 -not -name "$hash" -exec rm -rf {} + &&
-  direnv_load cat .cache/nix-shell/"$hash"/dump || {
+  find .cache/nix-shell -mindepth 1 -maxdepth 1 -not -name "$hash" -exec rm -rf {} + || {
     rm -rf "$PWD/.cache/nix-shell/$hash"
     log_error "cannot build shell.nix"
     return 1
-- 
2.44.1


From 17ecd1cd0475bba7572fe36bb7b5a90be102c489 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Sat, 15 Feb 2020 04:51:52 +0100
Subject: [PATCH 05/16] direnv: use flock

---
 .envrc | 47 +++++++++++++++++++++++++++++------------------
 1 file changed, 29 insertions(+), 18 deletions(-)

diff --git a/.envrc b/.envrc
index 20c104d..111cab0 100644
--- a/.envrc
+++ b/.envrc
@@ -8,7 +8,9 @@ nixshell_sources=(.envrc shell.nix $(test ! -d shell || find shell -type f -not
 if ! has nix || test "$(nix --version)" != "nix (Nix) $nix_version"
 then log_status "installing Nix core tools"
   gpg2 --keyserver hkp://wwwkeys.de.pgp.net:80 --recv-keys "$nix_openpgp"
-  if test ! -e .config/nix/install -o ! -e .config/nix/install.asc
+  {
+  flock --exclusive 3
+  if test ! -s .config/nix/install -o ! -s .config/nix/install.asc
   then
     mkdir -p .config/nix
     (cd .config/nix; curl -OO https://nixos.org/releases/nix/nix-"$nix_version"/{install,install.asc})
@@ -21,17 +23,22 @@ then log_status "installing Nix core tools"
     }
   }
   . ~/.nix-profile/etc/profile.d/nix.sh
+  } 3>>.config/nix/install
 fi
 
 # nixpkgs
-if test ! -e .config/nixpkgs-channel/$nixpkgs_channel.nix
+mkdir -p .config/nixpkgs-channel
+{
+flock --exclusive 3
+if test ! -s .config/nixpkgs-channel/$nixpkgs_channel.nix
 then log_status "installing nixpkgs from $nixpkgs_channel (This may take some time. To update: delete .config/nixpkgs-channel/$nixpkgs_channel.nix)"
   rev=$(curl -L https://nixos.org/channels/"$nixpkgs_channel"/git-revision | head -n1 | tr -dC 'a-z0-9')
   sha256=$(nix-prefetch-url --unpack https://github.com/NixOS/nixpkgs-channels/archive/"$rev".tar.gz)
-  mkdir -p .config/nixpkgs-channel
-  echo >.config/nixpkgs-channel/$nixpkgs_channel.nix "builtins.fetchTarball {url=\"https://github.com/NixOS/nixpkgs-channels/archive/$rev.tar.gz\"; sha256=\"$sha256\";}"
+  echo >.config/nixpkgs-channel/$nixpkgs_channel.nix \
+   "builtins.fetchTarball {url=\"https://github.com/NixOS/nixpkgs-channels/archive/$rev.tar.gz\"; sha256=\"$sha256\";}"
 else log_status "using nixpkgs from .config/nixpkgs-channel/$nixpkgs_channel.nix"
 fi
+} 3>>.config/nixpkgs-channel/$nixpkgs_channel.nix
 watch_file .config/nixpkgs-channel/$nixpkgs_channel.nix
 # Used in shell.nix
 export nixpkgs_channel
@@ -49,36 +56,40 @@ has shasum || { log_error "shasum is needed to cache environment"; return 1; }
 for e in "${nixshell_sources[@]}"
 do watch_file "$e"; done
 hash=$(shasum -a 256 "${nixshell_sources[@]}" | shasum -a 256 | cut -c -64)
-if test -e ".cache/nix-shell/$hash/dump"
+cache=.cache/nix-shell/"$hash"
+if test -e "$cache/dump"
 then
-  log_status "reusing .cache/nix-shell/$hash/"
+  log_status "reusing $cache/"
+  {
+  flock --shared 3
   # Load the cached environment
-  direnv_load sh -c "cat >\$DIRENV_DUMP_FILE_PATH .cache/nix-shell/"$hash"/dump"
+  direnv_load sh -c "cat >\$DIRENV_DUMP_FILE_PATH $cache/dump"
   # Re-run the shellHook to update envvars like GPG_TTY,
   # and run gpg-connect-agent updatestartuptty /bye
   eval "$shellHook"
-else log_status "building .cache/nix-shell/$hash/"
-  mkdir -p ".cache/nix-shell/$hash"
-  local dump="$(mktemp .cache/nix-shell/$hash/dump-XXXXXXXX)"
+  } 3<$cache/dump
+else
+  log_status "building $cache/"
+  mkdir -p "$cache"
+  {
+  flock --exclusive 3
   # Register the derivation as a root for the garbage-collector,
   # then cache a dump of the environment from within the nix-shell,
   # then unregister previous derivations,
   # then load the cached environment.
-  nix-instantiate >/dev/null ./shell.nix \
-   --indirect --add-root .cache/nix-shell/"$hash"/shell.drv \
+  nix-instantiate >/dev/null ./shell.nix --indirect --add-root "$cache"/shell.drv \
    ${TRACE:+--show-trace} \
    ${OFFLINE:+--option substituters ""} &&
-  nix-store >/dev/null \
-   --indirect --add-root .cache/nix-shell/"$hash"/shell.dep \
-   ${OFFLINE:+--option substituters ""} \
-   --realise $(nix-store --query --references .cache/nix-shell/"$hash"/shell.drv) &&
+  nix-store >/dev/null --indirect --add-root "$cache"/shell.dep \
+   --realise $(nix-store --query --references $cache/shell.drv) \
+   ${OFFLINE:+--option substituters ""} &&
   direnv_load sh -c "nix-shell ${TRACE:+--show-trace} --pure \
-   --run \"DIRENV_DUMP_FILE_PATH=$dump $direnv dump; cat $dump >\$DIRENV_DUMP_FILE_PATH\" \
+   --run \"$direnv dump | tee $cache/dump >\$DIRENV_DUMP_FILE_PATH\" \
    ${OFFLINE:+--option substituters ""}" &&
-  mv -f "$dump" .cache/nix-shell/"$hash"/dump &&
   find .cache/nix-shell -mindepth 1 -maxdepth 1 -not -name "$hash" -exec rm -rf {} + || {
     rm -rf "$PWD/.cache/nix-shell/$hash"
     log_error "cannot build shell.nix"
     return 1
   }
+  } 3>$cache/dump
 fi
-- 
2.44.1


From 92bf53164f3ed01c191101d7ec46563d83bcf560 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Sat, 15 Feb 2020 04:52:37 +0100
Subject: [PATCH 06/16] shell: gnupg: always update conf

---
 shell/modules/tools/security/gnupg.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/shell/modules/tools/security/gnupg.nix b/shell/modules/tools/security/gnupg.nix
index 39d968f..c5821be 100644
--- a/shell/modules/tools/security/gnupg.nix
+++ b/shell/modules/tools/security/gnupg.nix
@@ -202,10 +202,6 @@ let
     set -eu
     set -o pipefail
     ${info}
-    ${pkgs.coreutils}/bin/install -dm0700 -D ${gnupg.gnupgHome}
-    ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgConf}      ${gnupg.gnupgHome}/gpg.conf
-    ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgAgentConf} ${gnupg.gnupgHome}/gpg-agent.conf
-    ${pkgs.coreutils}/bin/ln -snf ${gnupg.dirmngrConf}  ${gnupg.gnupgHome}/dirmngr.conf
     '' +
     generateKeys gnupg.keys
   );
@@ -472,6 +468,10 @@ config = lib.mkIf gnupg.enable {
   ];
   nix-shell.shellHook = ''
     # gnupg
+    ${pkgs.coreutils}/bin/install -dm0700 -D ${gnupg.gnupgHome}
+    ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgConf}      ${gnupg.gnupgHome}/gpg.conf
+    ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgAgentConf} ${gnupg.gnupgHome}/gpg-agent.conf
+    ${pkgs.coreutils}/bin/ln -snf ${gnupg.dirmngrConf}  ${gnupg.gnupgHome}/dirmngr.conf
     export GNUPGHOME=${gnupg.gnupgHome}
     install -dm700 "$GNUPGHOME"
     export GPG_TTY=$(${pkgs.coreutils}/bin/tty)
-- 
2.44.1


From 9001352c0ab237a523f92b53709f4ae267555787 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Sat, 15 Feb 2020 04:54:02 +0100
Subject: [PATCH 07/16] nix: remove useless rebuilding of the patched Nixpkgs
 derivation

---
 nixos/defaults.nix | 2 +-
 shell.nix          | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/nixos/defaults.nix b/nixos/defaults.nix
index b6be38e..1637e1a 100644
--- a/nixos/defaults.nix
+++ b/nixos/defaults.nix
@@ -18,7 +18,7 @@ config = {
       options = "--delete-older-than 30d";
     };
     nixPath = [
-      "nixpkgs=${pkgs.path}"
+      ("nixpkgs=" + toString pkgs.path)
     ];
   };
 
diff --git a/shell.nix b/shell.nix
index c142be8..57454b3 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,5 +1,6 @@
 let
-  originNixpkgs = import (.config/nixpkgs-channel + ("/" + builtins.getEnv "nixpkgs_channel" + ".nix"));
+  nixpkgs_channel = builtins.getEnv "nixpkgs_channel";
+  originNixpkgs = import (.config/nixpkgs-channel + ("/" + nixpkgs_channel + ".nix"));
   originPkgs = import originNixpkgs {
     config   = {}; # Make the config pure, ignoring user's config.
     overlays = [];
@@ -189,7 +190,8 @@ pkgs.mkShell {
     . ~/.nix-profile/etc/profile.d/hm-session-vars.sh
 
     PATH=$NIX_SHELL_PATH:$PATH
-    export NIX_PATH="nixpkgs=${pkgs.path}:nixpkgs-overlays="$PWD"/overlays"
+    export NIX_PATH="nixpkgs=${toString pkgs.path}:nixpkgs-overlays="$PWD"/overlays"
+    export nixpkgs_channel=${nixpkgs_channel}
 
     # Cleanup "../sec/tmp/"
     # This is done when exiting the nix-shell
-- 
2.44.1


From 8e57213ec8a0d82d116a571bf364a8140a039b75 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Sun, 16 Feb 2020 15:53:34 +0100
Subject: [PATCH 08/16] nix: update to latest nixos-unstable

---
 .../nixpkgs-channel/nixos-unstable-small.nix   |  2 +-
 shell.nix                                      | 18 +++++++++++++-----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/.config/nixpkgs-channel/nixos-unstable-small.nix b/.config/nixpkgs-channel/nixos-unstable-small.nix
index 0de1a4c..be87549 100644
--- a/.config/nixpkgs-channel/nixos-unstable-small.nix
+++ b/.config/nixpkgs-channel/nixos-unstable-small.nix
@@ -1 +1 @@
-builtins.fetchTarball {url="https://github.com/NixOS/nixpkgs-channels/archive/eee784a1bb6b3e23491e2ee99814d7cb8700db5e.tar.gz"; sha256="1kf4vf2ls743mgqmligr2s9iwidn1y11cpz9pkip6g90fssmjds6";}
+builtins.fetchTarball {url="https://github.com/NixOS/nixpkgs-channels/archive/b94c1c89f69563a9fc2ceee487b9bc19e5234d6a.tar.gz"; sha256="0gqk3dlkd03yj0vgp6hzaz8y62i5bccjnw657xij7cq3qypc28v5";}
diff --git a/shell.nix b/shell.nix
index 57454b3..172101c 100644
--- a/shell.nix
+++ b/shell.nix
@@ -26,10 +26,20 @@ let
       sha256 = "0y255x74qksqy7fm4bdwlknhm3s55vgfgbv4dd7580p4lcavya0m";
     }
     */
+    /*
     { meta.description = "Replace simp-le with lego and support DNS-01 challenge";
       url = "https://github.com/NixOS/nixpkgs/pull/77578.diff";
       sha256 = "15zs2146zh54jg1gywrcwyqxpx7izc35vlakk3cvrlqwwsvlr2rf";
     }
+    */
+    { meta.description = "dstat: fix pluginpath";
+      url = "https://github.com/NixOS/nixpkgs/pull/80151.diff";
+      sha256 = "0jjw2gvp7b7v2n2m2d6yj0gw711j6p9lyjf5ywp2y9ql6905qf4b";
+    }
+    { meta.description = "shorewall: fix warnings due to types.loaOf being deprecated";
+      url = "https://github.com/NixOS/nixpkgs/pull/80154.diff";
+      sha256 = "0b216m1rib3jl6s3r5cbkd5h1bfhppikg4cz9ayr1fspsflr3bci";
+    }
   ];
   localNixpkgsPatches = [
   ];
@@ -114,7 +124,6 @@ pkgs.mkShell {
   #preferLocalBuild = true;
   #allowSubstitutes = false;
   buildInputs = modules.nix-shell.buildInputs ++ [
-    nixpkgs
     nixos.nixos-generate-config
     nixos.nixos-install
     nixos.nixos-enter
@@ -194,10 +203,9 @@ pkgs.mkShell {
     export nixpkgs_channel=${nixpkgs_channel}
 
     # Cleanup "../sec/tmp/"
-    # This is done when exiting the nix-shell
-    # (or when… entering the directory with direnv
-    # which spawns a nix-shell just to get the env).
-    trap "cd '$PWD' && find ../sec/tmp -type f -exec shred -fu {} +" EXIT
+    # This is done when entering the nix-shell
+    # because direnv already hooks trap EXIT.
+    (cd "$PWD" && find ../sec/tmp -type f -exec shred -fu {} +)
 
     ${modules.nix-shell.shellHook}
 
-- 
2.44.1


From 21cb3bb8067c444874cfc44b45f1deec14d507b4 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Sun, 16 Feb 2020 15:54:19 +0100
Subject: [PATCH 09/16] nsd: remove overlay

---
 overlays.nix                 |  1 -
 overlays/servers/dns/nsd.nix | 18 ------------------
 2 files changed, 19 deletions(-)
 delete mode 100644 overlays/servers/dns/nsd.nix

diff --git a/overlays.nix b/overlays.nix
index 7abbe7c..fe0576c 100644
--- a/overlays.nix
+++ b/overlays.nix
@@ -1,7 +1,6 @@
 map import
 [ overlays/lib/filesystem.nix
   overlays/lib/strings.nix
-  overlays/servers/dns/nsd.nix
   #overlays/users-init.nix
 ] ++
 [ (self: super: { smartctl-tbw = super.callPackage pkgs/tools/system/smartmontools/smartctl-tbw {}; })
diff --git a/overlays/servers/dns/nsd.nix b/overlays/servers/dns/nsd.nix
deleted file mode 100644
index e297ff4..0000000
--- a/overlays/servers/dns/nsd.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-self: super: {
-  nsd = (super.nsd.override {
-    mmap = true;
-  }).overrideDerivation (attrs: {
-    # DOC: https://www.raspberrypi.org/forums/viewtopic.php?t=223628
-    configureFlags = attrs.configureFlags ++ [
-      # Allow to listen on that number of addresses
-      "--with-max-ips=8"
-      # You can disable the radix tree and use the red-black
-      # tree for the main lookups, the red-black tree uses
-      # less memory, but uses some more CPU.
-      #"--disable-radix-tree"
-      # Enable packed structure alignment, uses less memory,
-      # but unaligned reads.
-      "--enable-packed"
-    ];
-  });
-}
-- 
2.44.1


From 8658c4bcb900ae661a0af6cc5b40e5e1f7bf02eb Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Sun, 16 Feb 2020 15:55:02 +0100
Subject: [PATCH 10/16] nsd: remove configuration

---
 servers/mermet/nsd.nix                | 36 --------------
 servers/mermet/nsd/autogeree.net.nix  | 71 ---------------------------
 servers/mermet/nsd/sourcephile.fr.nix | 68 -------------------------
 3 files changed, 175 deletions(-)
 delete mode 100644 servers/mermet/nsd.nix
 delete mode 100644 servers/mermet/nsd/autogeree.net.nix
 delete mode 100644 servers/mermet/nsd/sourcephile.fr.nix

diff --git a/servers/mermet/nsd.nix b/servers/mermet/nsd.nix
deleted file mode 100644
index 341a87f..0000000
--- a/servers/mermet/nsd.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{pkgs, lib, config, ...}:
-let
-  inherit (config) networking;
-  inherit (config.services) nsd;
-in
-{
-imports = [
-  nsd/sourcephile.fr.nix
-  nsd/autogeree.net.nix
-];
-config = {
-environment.systemPackages = [
-  (pkgs.bind.override { enablePython = true; })
-];
-services.nsd = {
-  enable = true;
-  ipv4 = true;
-  ipv6 = true;
-  verbosity = 5;
-  #zones = {};
-  /*
-  interfaces = lib.unique [
-    #(builtins.elemAt networking.interfaces."${networking.defaultGateway.interface}".ipv4.addresses 0).address
-    #networking.privateIPv4
-  ];
-  */
-  # SEE: http://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/
-  ratelimit.enable = true;
-   # 100 less than the default to preserve a few Mio of RAM
-  ratelimit.size = 10000;
-  ratelimit.ratelimit = 200;
-  extraConfig = ''
-  '';
-};
-};
-}
diff --git a/servers/mermet/nsd/autogeree.net.nix b/servers/mermet/nsd/autogeree.net.nix
deleted file mode 100644
index 0bf5968..0000000
--- a/servers/mermet/nsd/autogeree.net.nix
+++ /dev/null
@@ -1,71 +0,0 @@
-{ pkgs, lib, config, ... }:
-with builtins;
-let
-  inherit (builtins.extraBuiltins) pass git;
-  inherit (lib) toInt;
-  inherit (pkgs.lib) unlinesAttrs types;
-  inherit (config) networking;
-  inherit (config.services) nsd rspamd;
-  # Use the Git commit time of the ${domain}.nix file to set the serial number.
-  # WARNING: the ${domain}.nix must be committed into Git for this to work.
-  serial = domain: toString (git ./. [ "log" "-1" "--format=%ct" "--" (domain + ".nix") ]);
-  # FIXME: make dedicated config options
-  mermetIPv4 = "80.67.180.129";
-  chomskyIPv4 = "91.216.110.36";
-  domain = "autogeree.net";
-in
-{
-services.nsd.zones."${domain}" = {
-  # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
-  # DOC: https://www.sidn.nl/en/dnssec/dnssec-signatures-in-bind-named
-  provideXFR = [ "217.70.177.40 NOKEY" ];
-  # Not allowed by 217.70.177.40
-  #notify     = [ "217.70.177.40 NOKEY" ];
-  dnssec = false;
-  # TODO: increase the TTL once things have settled down
-  data = ''
-    $ORIGIN ${domain}.
-    $TTL 500
-
-    ; SOA (Start Of Authority)
-    @ SOA ns admin (
-      ${toString (toInt (serial domain) - 1581021859 + 2016043001)} ; Serial number
-      24h   ; Refresh
-      15m   ; Retry
-      1000h ; Expire (1000h)
-      1d    ; Negative caching
-    )
-
-    ; NS (Name Server)
-    @ NS ns
-    @ NS ns6.gandi.net.
-
-    ; A (DNS -> IPv4)
-    @ A ${mermetIPv4}
-    chomsky A ${chomskyIPv4}
-    mermet  A ${mermetIPv4}
-
-    ; CNAME
-    autoconfig CNAME mermet
-    code       CNAME mermet
-    git        CNAME mermet
-    imap       CNAME mermet
-    mail       CNAME mermet
-    ns         CNAME mermet
-    pop        CNAME mermet
-    smtp       CNAME mermet
-    submission CNAME mermet
-    www        CNAME mermet
-
-    ; SPF (Sender Policy Framework)
-    @ 3600 IN SPF "v=spf1 mx ip4:${mermetIPv4} -all"
-    @ 3600 IN TXT "v=spf1 mx ip4:${mermetIPv4} -all"
-
-    ; MX (Mail eXchange)
-    @ 180 MX 5 mail
-
-    ; SRV (SeRVice)
-    _git._tcp.git 18000 IN SRV 0 0 9418 git
-  '';
-};
-}
diff --git a/servers/mermet/nsd/sourcephile.fr.nix b/servers/mermet/nsd/sourcephile.fr.nix
deleted file mode 100644
index ee3b0c3..0000000
--- a/servers/mermet/nsd/sourcephile.fr.nix
+++ /dev/null
@@ -1,68 +0,0 @@
-{ pkgs, lib, config, ... }:
-with builtins;
-let
-  inherit (builtins.extraBuiltins) pass git;
-  inherit (pkgs.lib) unlinesAttrs types;
-  inherit (config) networking;
-  inherit (config.services) nsd rspamd;
-  # Use the Git commit time of the ${domain}.nix file to set the serial number.
-  # WARNING: the ${domain}.nix must be committed into Git for this to work.
-  # WARNING: when dnssec=true, dnssec-signzone is used with -N date
-  # which will override the serial number in the SOA,
-  # used by slave nameservers decide whether they should update or not from the master nameserver.
-  serial = domain: toString (git ./. [ "log" "-1" "--format=%ct" "--" (domain + ".nix") ]);
-  mermetIPv4 = "80.67.180.129";
-  domain = "sourcephile.fr";
-in
-{
-services.nsd.zones."${domain}" = {
-  # DOC: https://docs.gandi.net/en/domain_names/advanced_users/secondary_nameserver.html
-  # DOC: https://www.sidn.nl/en/dnssec/dnssec-signatures-in-bind-named
-  provideXFR = [ "217.70.177.40 NOKEY" ];
-  # Not allowed by 217.70.177.40
-  #notify     = [ "217.70.177.40 NOKEY" ];
-  dnssec = true;
-  # TODO: increase the TTL once things have settled down
-  data = ''
-    $ORIGIN ${domain}.
-    $TTL 500
-
-    ; SOA (Start Of Authority)
-    @ SOA ns admin (
-      ${serial domain} ; Serial number
-      24h   ; Refresh
-      15m   ; Retry
-      1000h ; Expire (1000h)
-      1d    ; Negative caching
-    )
-
-    ; NS (Name Server)
-    @ NS ns
-    @ NS ns6.gandi.net.
-
-    ; A (DNS -> IPv4)
-    @ A ${mermetIPv4}
-    mermet     A ${mermetIPv4}
-    autoconfig A ${mermetIPv4}
-    code       A ${mermetIPv4}
-    git        A ${mermetIPv4}
-    imap       A ${mermetIPv4}
-    mail       A ${mermetIPv4}
-    ns         A ${mermetIPv4}
-    pop        A ${mermetIPv4}
-    smtp       A ${mermetIPv4}
-    submission A ${mermetIPv4}
-    www        A ${mermetIPv4}
-
-    ; SPF (Sender Policy Framework)
-    @ 3600 IN SPF "v=spf1 mx ip4:${mermetIPv4} -all"
-    @ 3600 IN TXT "v=spf1 mx ip4:${mermetIPv4} -all"
-
-    ; MX (Mail eXchange)
-    @ 180 MX 5 mail
-
-    ; SRV (SeRVice)
-    _git._tcp.git 18000 IN SRV 0 0 9418 git
-  '';
-};
-}
-- 
2.44.1


From ed554899158cdd894671fe8307d16bc5dc3ed58d Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Mon, 17 Feb 2020 13:34:16 +0100
Subject: [PATCH 11/16] dovecot: fix passdb

---
 servers/mermet/dovecot.nix                    |  7 +-
 .../dovecot/autoconfig/mail/config-v1.1.xml   | 39 ++++++++
 servers/mermet/dovecot/autogeree.net.nix      | 95 ++++++------------
 servers/mermet/dovecot/sourcephile.fr.nix     | 98 ++++++-------------
 servers/mermet/openldap/sourcephile.fr.nix    |  5 -
 servers/mermet/postfix/sourcephile.fr.nix     |  8 +-
 6 files changed, 109 insertions(+), 143 deletions(-)
 create mode 100644 servers/mermet/dovecot/autoconfig/mail/config-v1.1.xml

diff --git a/servers/mermet/dovecot.nix b/servers/mermet/dovecot.nix
index 3cb4ed3..0c82f07 100644
--- a/servers/mermet/dovecot.nix
+++ b/servers/mermet/dovecot.nix
@@ -68,7 +68,6 @@ systemd.services.dovecot2 = {
   after = [
     "postfix.service"
     "openldap.service"
-    "${networking.domain}.key.pem-key.service"
   ];
   /*
   preStart = ''
@@ -115,8 +114,8 @@ services.dovecot2 = {
     ssl_dh = <${../../../sec/openssl/dh.pem}
     ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL
     ssl_prefer_server_ciphers = yes
-    ssl_cert = <${loadFile (../../../sec + "/openssl/${networking.domain}/cert.self-signed.pem")}
-    ssl_key = </run/keys/${networking.domain}.key.pem
+    ssl_cert = </var/lib/acme/${networking.domain}/fullchain.pem
+    ssl_key = </var/lib/acme/${networking.domain}/key.pem
     #ssl_ca = <''${caPath}
     #ssl_verify_client_cert = yes
 
@@ -177,7 +176,7 @@ services.dovecot2 = {
     userdb {
       driver = ldap
       # A different path than passdb's args enables non-blocking LDAP requests
-      args = ${dovecot/ldap.conf}
+      args = ${pkgs.symlinkJoin {name="ldap"; paths=[./dovecot];}}/ldap.conf
       default_fields =
       override_fields =
     }
diff --git a/servers/mermet/dovecot/autoconfig/mail/config-v1.1.xml b/servers/mermet/dovecot/autoconfig/mail/config-v1.1.xml
new file mode 100644
index 0000000..9173454
--- /dev/null
+++ b/servers/mermet/dovecot/autoconfig/mail/config-v1.1.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0"?>
+<clientConfig version="1.1">
+  <emailProvider id="%EMAILDOMAIN%">
+    <!-- <displayName></displayName> -->
+    <!-- <displayShortName></displayShortName> -->
+    <domain>%EMAILDOMAIN%</domain>
+    <incomingServer type="imap">
+      <hostname>mail.%EMAILDOMAIN%</hostname>
+      <port>993</port>
+      <socketType>SSL</socketType>
+      <username>%EMAILADDRESS%</username>
+      <authentication>password-cleartext</authentication>
+    </incomingServer>
+    <!--
+    <incomingServer type="pop3">
+      <hostname>mail.%EMAILDOMAIN%</hostname>
+      <port>995</port>
+      <socketType>SSL</socketType>
+      <username>%EMAILADDRESS%</username>
+      <authentication>password-cleartext</authentication>
+      <pop3>
+        <leaveMessagesOnServer>false</leaveMessagesOnServer>
+        <downloadOnBiff>true</downloadOnBiff>
+      </pop3>
+    </incomingServer>
+    -->
+    <outgoingServer type="smtp">
+      <hostname>mail.%EMAILDOMAIN%</hostname>
+      <port>465</port>
+      <socketType>SSL</socketType> <!-- see above -->
+      <username>%EMAILADDRESS%</username> <!-- if smtp-auth -->
+      <authentication>password-cleartext</authentication>
+      <!-- <restriction>client-IP-address</restriction> -->
+      <addThisServer>true</addThisServer>
+      <useGlobalPreferredServer>false</useGlobalPreferredServer>
+    </outgoingServer>
+  </emailProvider>
+  <!-- <clientConfigUpdate url="https://www.example.com/config/mozilla.xml" /> -->
+</clientConfig>
diff --git a/servers/mermet/dovecot/autogeree.net.nix b/servers/mermet/dovecot/autogeree.net.nix
index 8e67e75..514b56a 100644
--- a/servers/mermet/dovecot/autogeree.net.nix
+++ b/servers/mermet/dovecot/autogeree.net.nix
@@ -1,15 +1,41 @@
 { pkgs, lib, config, ... }:
 let
+  inherit (builtins) readFile;
   inherit (config.services) dovecot2;
   stateDir = "/var/lib/dovecot";
   domain = "autogeree.net";
   domainGroup = "autogeree";
-  domainConfig = ''
+in
+{
+services.dovecot2.extraConfig =
+  let domainConfig = ''
     ssl_cert = <${../../../../sec/openssl/autogeree.net/cert.self-signed.pem}
     ssl_key = </run/keys/${domain}.key.pem
   '';
-in
-{
+  in lib.mkAfter ''
+  local_name mail.${domain} {
+    ${domainConfig}
+  }
+  local_name imap.${domain} {
+    ${domainConfig}
+  }
+  passdb {
+    username_filter = *@${domain}
+    # Because auth_bind=yes and auth_bind_userdn are used,
+    # this cannot prefetch any userdb_*.
+    driver = ldap
+    # The path to the ldap.conf must be unique,
+    # otherwise dovecot caches the result from other passdb,
+    # which may be wrong because of username_filter.
+    args = ${pkgs.writeText "${domain}-ldap.conf" (readFile ./ldap.conf)}
+    default_fields =
+    override_fields =
+    skip = authenticated
+  }
+'';
+systemd.services.dovecot2.after = [
+  "${domain}.key.pem-key.service"
+];
 systemd.services.dovecot2 = {
   preStart = ''
     install -D -d -m 1770 \
@@ -27,25 +53,6 @@ systemd.services.dovecot2 = {
     chmod -t ${stateDir}/acl/${domain}
   '';
 };
-services.dovecot2 = {
-  extraConfig = lib.mkAfter ''
-    passdb {
-      username_filter = *@${domain}
-      driver = ldap
-      # Because auth_bind=yes and auth_bind_userdn are used,
-      # this cannot prefetch any userdb_*.
-      args = ${./ldap.conf}
-      default_fields =
-      override_fields =
-    }
-    local_name mail.${domain} {
-      ${domainConfig}
-    }
-    local_name imap.${domain} {
-      ${domainConfig}
-    }
-  '';
-};
 services.nginx.virtualHosts."autoconfig.${domain}" = {
   serverName = "autoconfig.${domain}";
   #addSSL = true;
@@ -53,48 +60,6 @@ services.nginx.virtualHosts."autoconfig.${domain}" = {
     access_log off;
     log_not_found off;
   '';
-  root = pkgs.writeTextFile {
-    name = "autoconfig";
-    destination = "/mail/config-v1.1.xml";
-    text = ''
-      <?xml version="1.0"?>
-      <clientConfig version="1.1">
-        <emailProvider id="%EMAILDOMAIN%">
-          <!-- <displayName></displayName> -->
-          <!-- <displayShortName></displayShortName> -->
-          <domain>%EMAILDOMAIN%</domain>
-          <incomingServer type="imap">
-            <hostname>mail.%EMAILDOMAIN%</hostname>
-            <port>993</port>
-            <socketType>SSL</socketType>
-            <username>%EMAILADDRESS%</username>
-            <authentication>password-cleartext</authentication>
-          </incomingServer>
-          <incomingServer type="pop3">
-            <hostname>mail.%EMAILDOMAIN%</hostname>
-            <port>995</port>
-            <socketType>SSL</socketType>
-            <username>%EMAILADDRESS%</username>
-            <authentication>password-cleartext</authentication>
-            <pop3>
-              <leaveMessagesOnServer>false</leaveMessagesOnServer>
-              <downloadOnBiff>true</downloadOnBiff>
-            </pop3>
-          </incomingServer>
-          <outgoingServer type="smtp">
-            <hostname>mail.%EMAILDOMAIN%</hostname>
-            <port>465</port>
-            <socketType>SSL</socketType> <!-- see above -->
-            <username>%EMAILADDRESS%</username> <!-- if smtp-auth -->
-            <authentication>password-cleartext</authentication>
-            <!-- <restriction>client-IP-address</restriction> -->
-            <addThisServer>true</addThisServer>
-            <useGlobalPreferredServer>false</useGlobalPreferredServer>
-          </outgoingServer>
-        </emailProvider>
-        <!-- <clientConfigUpdate url="https://www.example.com/config/mozilla.xml" /> -->
-      </clientConfig>
-    '';
-  };
+  root = ./autoconfig;
 };
 }
diff --git a/servers/mermet/dovecot/sourcephile.fr.nix b/servers/mermet/dovecot/sourcephile.fr.nix
index 7271c05..f9a8efd 100644
--- a/servers/mermet/dovecot/sourcephile.fr.nix
+++ b/servers/mermet/dovecot/sourcephile.fr.nix
@@ -1,15 +1,42 @@
 { pkgs, lib, config, ... }:
 let
+  inherit (builtins) readFile;
   inherit (config.services) dovecot2;
   stateDir = "/var/lib/dovecot";
   domain = "sourcephile.fr";
   domainGroup = "sourcephile";
-  domainConfig = ''
-    ssl_cert = <${../../../../sec/openssl/sourcephile.fr/cert.self-signed.pem}
-    ssl_key = </run/keys/${domain}.key.pem
-  '';
 in
 {
+services.dovecot2.extraConfig =
+  let domainConfig = ''
+    ssl_cert = </var/lib/acme/${domain}/fullchain.pem
+    ssl_key = </var/lib/acme/${domain}/key.pem
+  '';
+  in lib.mkAfter ''
+  local_name mail.${domain} {
+    ${domainConfig}
+  }
+  local_name imap.${domain} {
+    ${domainConfig}
+  }
+  passdb {
+    username_filter = *@${domain}
+    # Because auth_bind=yes and auth_bind_userdn are used,
+    # this cannot prefetch any userdb_*.
+    driver = ldap
+    # The path to the ldap.conf must be unique,
+    # otherwise dovecot caches the result from other passdb,
+    # which may be wrong because of username_filter.
+    args = ${pkgs.writeText "${domain}-ldap.conf" (readFile ./ldap.conf)}
+    default_fields =
+    override_fields =
+    skip = authenticated
+  }
+'';
+users.groups.acme.members = [ dovecot2.user ];
+systemd.services.dovecot2.after = [
+  "acme-${domain}.service"
+];
 systemd.services.dovecot2 = {
   preStart = ''
     install -D -d -m 1770 \
@@ -27,25 +54,6 @@ systemd.services.dovecot2 = {
     chmod -t ${stateDir}/acl/${domain}
   '';
 };
-services.dovecot2 = {
-  extraConfig = lib.mkAfter ''
-    passdb {
-      username_filter = *@${domain}
-      driver = ldap
-      # Because auth_bind=yes and auth_bind_userdn are used,
-      # this cannot prefetch any userdb_*.
-      args = ${./ldap.conf}
-      default_fields =
-      override_fields =
-    }
-    local_name mail.${domain} {
-      ${domainConfig}
-    }
-    local_name imap.${domain} {
-      ${domainConfig}
-    }
-  '';
-};
 services.nginx.virtualHosts."autoconfig.${domain}" = {
   serverName = "autoconfig.${domain}";
   #addSSL = true;
@@ -55,48 +63,6 @@ services.nginx.virtualHosts."autoconfig.${domain}" = {
   '';
   forceSSL = true;
   useACMEHost = domain;
-  root = pkgs.writeTextFile {
-    name = "autoconfig";
-    destination = "/mail/config-v1.1.xml";
-    text = ''
-      <?xml version="1.0"?>
-      <clientConfig version="1.1">
-        <emailProvider id="%EMAILDOMAIN%">
-          <!-- <displayName></displayName> -->
-          <!-- <displayShortName></displayShortName> -->
-          <domain>%EMAILDOMAIN%</domain>
-          <incomingServer type="imap">
-            <hostname>mail.%EMAILDOMAIN%</hostname>
-            <port>993</port>
-            <socketType>SSL</socketType>
-            <username>%EMAILADDRESS%</username>
-            <authentication>password-cleartext</authentication>
-          </incomingServer>
-          <incomingServer type="pop3">
-            <hostname>mail.%EMAILDOMAIN%</hostname>
-            <port>995</port>
-            <socketType>SSL</socketType>
-            <username>%EMAILADDRESS%</username>
-            <authentication>password-cleartext</authentication>
-            <pop3>
-              <leaveMessagesOnServer>false</leaveMessagesOnServer>
-              <downloadOnBiff>true</downloadOnBiff>
-            </pop3>
-          </incomingServer>
-          <outgoingServer type="smtp">
-            <hostname>mail.%EMAILDOMAIN%</hostname>
-            <port>465</port>
-            <socketType>SSL</socketType> <!-- see above -->
-            <username>%EMAILADDRESS%</username> <!-- if smtp-auth -->
-            <authentication>password-cleartext</authentication>
-            <!-- <restriction>client-IP-address</restriction> -->
-            <addThisServer>true</addThisServer>
-            <useGlobalPreferredServer>false</useGlobalPreferredServer>
-          </outgoingServer>
-        </emailProvider>
-        <!-- <clientConfigUpdate url="https://www.example.com/config/mozilla.xml" /> -->
-      </clientConfig>
-    '';
-  };
+  root = ./autoconfig;
 };
 }
diff --git a/servers/mermet/openldap/sourcephile.fr.nix b/servers/mermet/openldap/sourcephile.fr.nix
index 3094384..49caec9 100644
--- a/servers/mermet/openldap/sourcephile.fr.nix
+++ b/servers/mermet/openldap/sourcephile.fr.nix
@@ -122,11 +122,6 @@ services.openldap.databases."${domainSuffix}" = {
         # neither sorting them by date).
         "maildir:${stateDir}/home/${d}/${uid}/mail:LAYOUT=maildir++:UTF-8:CONTROL=${stateDir}/control/${d}/${uid}:INDEX=${stateDir}/index/${d}/${uid}";
     }
-    #{ uid="sevy"; uidNumber=10001; cn="Séverine Popek"; sn="sévy";
-    #  mailAlias = ["severine.popek" "ouais-ouais"]; }
-    #{ uid="nomail"; uidNumber=10002; mailAlias = ["noalias"]; mailEnabled = false; }
-    #{ uid="post"; mailForwardingAddress = ["ju@${domain}"]; }
-    #{ uid="host"; mailForwardingAddress = ["ju@${domain}"]; }
   ];
 };
 }
diff --git a/servers/mermet/postfix/sourcephile.fr.nix b/servers/mermet/postfix/sourcephile.fr.nix
index a7782c7..18701c4 100644
--- a/servers/mermet/postfix/sourcephile.fr.nix
+++ b/servers/mermet/postfix/sourcephile.fr.nix
@@ -1,12 +1,14 @@
 { pkgs, lib, config, ... }:
 let
   inherit (pkgs.lib) loadFile;
+  inherit (config.services) postfix;
   domain = "sourcephile.fr";
   domainSuffix = "dc=sourcephile,dc=fr";
 in
 {
+users.groups.acme.members = [ postfix.user ];
 systemd.services.postfix.after = [
-  "${domain}.key.pem-key.service"
+  "acme-${domain}.service"
 ];
 services.postfix = {
   extraAliases = ''
@@ -16,8 +18,8 @@ services.postfix = {
   '';
   tls_server_sni_maps =
     let chain = [
-      "/run/keys/${domain}.key.pem"
-      (loadFile (../../../../sec/openssl + "/${domain}/cert.self-signed.pem"))
+      "/var/lib/acme/${domain}/key.pem"
+      "/var/lib/acme/${domain}/fullchain.pem"
     ]; in {
     "smtp.${domain}" = chain;
     "mail.${domain}" = chain;
-- 
2.44.1


From 62a6beaab23f45c20201f3268762de08765ba720 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Mon, 24 Feb 2020 00:46:01 +0100
Subject: [PATCH 12/16] nslcd: quiet syslog

---
 servers/mermet/openldap.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/servers/mermet/openldap.nix b/servers/mermet/openldap.nix
index 7a55839..24ce2bb 100644
--- a/servers/mermet/openldap.nix
+++ b/servers/mermet/openldap.nix
@@ -24,7 +24,7 @@ users.ldap = {
   daemon = {
     enable = true;
     extraConfig = ''
-      log syslog debug
+      log syslog info
 
       sasl_mech EXTERNAL
       # NOTE: nslcd cannot use SASL to bind to rootpwmoddn
-- 
2.44.1


From ce048838306794d19960977ef94a4027f656c10a Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Wed, 26 Feb 2020 14:58:13 +0100
Subject: [PATCH 13/16] nix: disable --pure

---
 nixos/defaults.nix  |  6 ++++++
 patches/direnv.diff | 15 +++++++++++++++
 shell.nix           | 26 ++------------------------
 3 files changed, 23 insertions(+), 24 deletions(-)
 create mode 100644 patches/direnv.diff

diff --git a/nixos/defaults.nix b/nixos/defaults.nix
index 1637e1a..c41b2eb 100644
--- a/nixos/defaults.nix
+++ b/nixos/defaults.nix
@@ -71,6 +71,7 @@ config = {
   };
 
   environment = {
+    #checkConfigurationOptions = false;
     systemPackages = with pkgs; [
       binutils
       #dnsutils
@@ -125,6 +126,11 @@ config = {
         nixos-upstream="sudo nix-channel --list";
       };
     };
+    gnupg = {
+      agent = {
+        pinentryFlavor = "curses";
+      };
+    };
     mtr.enable = true;
   };
 };
diff --git a/patches/direnv.diff b/patches/direnv.diff
new file mode 100644
index 0000000..cf49e63
--- /dev/null
+++ b/patches/direnv.diff
@@ -0,0 +1,15 @@
+diff --git a/pkgs/tools/misc/direnv/default.nix b/pkgs/tools/misc/direnv/default.nix
+index c358e240..07c39542 100644
+--- a/pkgs/tools/misc/direnv/default.nix
++++ b/pkgs/tools/misc/direnv/default.nix
+@@ -8,8 +8,8 @@ buildGoPackage rec {
+   src = fetchFromGitHub {
+     owner = "direnv";
+     repo = "direnv";
+-    rev = "v${version}";
+-    sha256 = "0afpxx8pwa1zb66l79af57drzjaazn2rp6306w4pxvqfh0zi2bri";
++    rev = "767bb42ab614bad9d16013e8992035a78feed87c";
++    sha256 = "0ijl13pj96n4cnpxp8xyca391nyvk6gaywbpivmg7kq04d8xfrhb";
+   };
+ 
+   postConfigure = ''
diff --git a/shell.nix b/shell.nix
index 172101c..7c065cf 100644
--- a/shell.nix
+++ b/shell.nix
@@ -42,6 +42,7 @@ let
     }
   ];
   localNixpkgsPatches = [
+    patches/direnv.diff
   ];
   nixpkgs = originPkgs.stdenv.mkDerivation {
     name = "nixpkgs-patched";
@@ -180,24 +181,8 @@ pkgs.mkShell {
   #enableParallelBuilding = true;
   shellHook = ''
     echo >&2 "nix: running shellHook"
-    # WARNING: beware that sudo may reset the environment,
-    # and especially PATH, to some system's default.
-
-    NIX_SHELL_PATH=$PATH
-    unset __ETC_PROFILE_SOURCED
-    unset __NIXOS_SET_ENVIRONMENT_DONE
-    test ! -e /etc/profile || . /etc/profile
-    test ! -e ~/.profile || . ~/.profile
-
-    # nix
-    test ! -e ~/.nix-profile/etc/profile.d/nix.sh ||
-    . ~/.nix-profile/etc/profile.d/nix.sh
-
-    # home-manager
-    unset __HM_SESS_VARS_SOURCED
-    test ! -e ~/.nix-profile/etc/profile.d/hm-session-vars.sh ||
-    . ~/.nix-profile/etc/profile.d/hm-session-vars.sh
 
+    # Nix
     PATH=$NIX_SHELL_PATH:$PATH
     export NIX_PATH="nixpkgs=${toString pkgs.path}:nixpkgs-overlays="$PWD"/overlays"
     export nixpkgs_channel=${nixpkgs_channel}
@@ -220,13 +205,6 @@ pkgs.mkShell {
     export GPG_TTY=$(tty)
     gpg-connect-agent updatestartuptty /bye >/dev/null
 
-    # git
-    gitdir="$PWD"/.git
-    test ! -f "$gitdir" || while IFS=" :" read -r hdr gitdir; do [ "$hdr" != gitdir ] || break; done <"$gitdir"
-    ln -fnsr \
-     "$PWD"/.lib/git/hooks/prepare-commit-msg--longuest-common-prefix \
-     "$gitdir"/hooks/prepare-commit-msg
-
     # nixops
     #export NIXOPS_DEPLOYMENT="staging"
     export NIXOPS_STATE="$PWD"/../sec/nixops/state.nixops
-- 
2.44.1


From 4b39b5f4b0586391f337990faafe18a4038cc6b1 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Mon, 2 Mar 2020 14:42:41 +0100
Subject: [PATCH 14/16] direnv: fix dump

---
 .envrc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.envrc b/.envrc
index 111cab0..f47a9f3 100644
--- a/.envrc
+++ b/.envrc
@@ -57,6 +57,7 @@ for e in "${nixshell_sources[@]}"
 do watch_file "$e"; done
 hash=$(shasum -a 256 "${nixshell_sources[@]}" | shasum -a 256 | cut -c -64)
 cache=.cache/nix-shell/"$hash"
+unset DIRENV_DUMP_FILE_PATH
 if test -e "$cache/dump"
 then
   log_status "reusing $cache/"
@@ -83,8 +84,8 @@ else
   nix-store >/dev/null --indirect --add-root "$cache"/shell.dep \
    --realise $(nix-store --query --references $cache/shell.drv) \
    ${OFFLINE:+--option substituters ""} &&
-  direnv_load sh -c "nix-shell ${TRACE:+--show-trace} --pure \
-   --run \"$direnv dump | tee $cache/dump >\$DIRENV_DUMP_FILE_PATH\" \
+  direnv_load sh -c "nix-shell ${TRACE:+--show-trace} \
+   --run \"DIRENV_DUMP_FILE_PATH= $direnv dump | tee $cache/dump >\$DIRENV_DUMP_FILE_PATH\" \
    ${OFFLINE:+--option substituters ""}" &&
   find .cache/nix-shell -mindepth 1 -maxdepth 1 -not -name "$hash" -exec rm -rf {} + || {
     rm -rf "$PWD/.cache/nix-shell/$hash"
-- 
2.44.1


From 3f0e5565afce964894141eb6a59d1eeb48fa02cf Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Mon, 2 Mar 2020 14:50:04 +0100
Subject: [PATCH 15/16] nslcd: disable ldap login

---
 servers/mermet.nix                         | 1 -
 servers/mermet/openldap.nix                | 4 ++--
 servers/mermet/openldap/sourcephile.fr.nix | 1 -
 3 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/servers/mermet.nix b/servers/mermet.nix
index a9b1fb8..175dc7b 100644
--- a/servers/mermet.nix
+++ b/servers/mermet.nix
@@ -49,7 +49,6 @@ in
     mutableUsers = false;
     users = {
       root = {
-        hashedPassword = pass-chomp "servers/mermet/login/root/hashedPassword";
         openssh.authorizedKeys.keys = [
           (readFile ../../sec/ssh/julm.pub)
           (readFile ../../sec/ssh/julm-mob.pub)
diff --git a/servers/mermet/openldap.nix b/servers/mermet/openldap.nix
index 24ce2bb..e323a38 100644
--- a/servers/mermet/openldap.nix
+++ b/servers/mermet/openldap.nix
@@ -15,14 +15,14 @@ imports = [
 ];
 config = {
 users.ldap = {
-  enable = true;
+  enable = false;
   server = "ldapi:///";
   base = "ou=posix,${domainSuffix}";
   bind = {
     #distinguishedName = "cn=admin,${domainSuffix}";
   };
   daemon = {
-    enable = true;
+    enable = false;
     extraConfig = ''
       log syslog info
 
diff --git a/servers/mermet/openldap/sourcephile.fr.nix b/servers/mermet/openldap/sourcephile.fr.nix
index 49caec9..d62346c 100644
--- a/servers/mermet/openldap/sourcephile.fr.nix
+++ b/servers/mermet/openldap/sourcephile.fr.nix
@@ -56,7 +56,6 @@ services.openldap.databases."${domainSuffix}" = {
       by * none
     olcAccess: to dn.sub="ou=posix,${domainSuffix}"
       by self read
-      by dn="gidNumber=${toString groups.nslcd.gid}+uidNumber=${toString users.nslcd.uid},cn=peercred,cn=external,cn=auth" read
       ${lib.optionalString (hasAttr postfix.user users) ''by dn="gidNumber=${toString groups.postfix.gid}+uidNumber=${toString users.postfix.uid},cn=peercred,cn=external,cn=auth" read''}
       ${lib.optionalString (hasAttr dovecot2.user users) ''by dn="gidNumber=${toString groups.dovecot2.gid}+uidNumber=${toString users.dovecot2.uid},cn=peercred,cn=external,cn=auth" read''}
       by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
-- 
2.44.1


From 1977ffdb9d1a902e59cda4f2e9f1f5cab4da202c Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Wed, 4 Mar 2020 17:37:37 +0100
Subject: [PATCH 16/16] nsd: re-add autogeree.net zone

---
 servers/mermet/knot.nix                 |   8 ++
 servers/mermet/knot/autogeree.net.nix   | 103 ++++++++++++++++++++++++
 servers/mermet/knot/sourcephile.fr.nix  |   2 +-
 servers/mermet/production/shorewall.nix |   1 +
 4 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 servers/mermet/knot/autogeree.net.nix

diff --git a/servers/mermet/knot.nix b/servers/mermet/knot.nix
index d925c80..17302fe 100644
--- a/servers/mermet/knot.nix
+++ b/servers/mermet/knot.nix
@@ -5,6 +5,7 @@ let
 in
 {
 imports = [
+  knot/autogeree.net.nix
   knot/sourcephile.fr.nix
 ];
 options.services.knot = {
@@ -92,6 +93,9 @@ services.knot = {
       - id: secondary_gandi
         address: 217.70.177.40@53
 
+      - id: secondary_muarf
+        address: 78.192.65.63@53
+
     submission:
       - id: dnssec_validating_resolver
         parent: local_resolver
@@ -124,6 +128,10 @@ services.knot = {
         address: 217.70.177.40
         action: transfer
 
+      - id: acl_muarf
+        address: 78.192.65.63
+        action: transfer
+
   '' + lib.concatStringsSep "\n" (lib.mapAttrsToList (domain: {conf, ...}: conf) knot.zones);
 };
 };
diff --git a/servers/mermet/knot/autogeree.net.nix b/servers/mermet/knot/autogeree.net.nix
new file mode 100644
index 0000000..b6f485d
--- /dev/null
+++ b/servers/mermet/knot/autogeree.net.nix
@@ -0,0 +1,103 @@
+{ pkgs, lib, config, ... }:
+let
+  inherit (builtins.extraBuiltins) pass git;
+  inherit (pkgs.lib) unlinesAttrs types;
+  inherit (config) networking;
+  inherit (config.services) knot;
+  inherit (config) users;
+  # Use the Git commit time of the ${domain}.nix file to set the serial number.
+  # WARNING: the ${domain}.nix must be committed into Git for this to work.
+  # WARNING: this does not take other .nix into account, though they may contribute to the zone's data.
+  serial = domain: toString (git ./. [ "log" "-1" "--format=%ct" "--" (domain + ".nix") ]);
+  mermetIPv4 = "80.67.180.129";
+  domain = "autogeree.net";
+in
+{
+security.acme.certs."${domain}" = {
+  email = "root+letsencrypt@${domain}";
+  extraDomains = {
+    "*.${domain}" = null;
+  };
+  group = users.groups.acme.name;
+  allowKeysForGroup = true;
+  keyType = "rsa4096";
+  dnsProvider = "rfc2136";
+  credentialsFile = pkgs.writeText "credentials" ''
+    RFC2136_NAMESERVER=127.0.0.1:5353
+    LEGO_EXPERIMENTAL_CNAME_SUPPORT=1
+  '';
+};
+services.knot.zones."${domain}" = {
+  conf = ''
+    acl:
+      - id: acl_acme_challenge_autogeree_net
+        address: 127.0.0.1
+        action: update
+        update-owner: name
+        update-owner-match: equal
+        update-owner-name: [_acme-challenge.${domain}]
+        update-type: [TXT]
+
+    zone:
+      - domain: ${domain}
+        file: ${domain}.zone
+        serial-policy: increment
+        semantic-checks: on
+        notify: secondary_gandi
+        notify: secondary_muarf
+        acl: acl_gandi
+        acl: acl_muarf
+        acl: acl_acme_challenge_autogeree_net
+        dnssec-signing: off
+        dnssec-policy: ed25519
+  '';
+  # TODO: increase the TTL once things have settled down
+  data = ''
+    $ORIGIN ${domain}.
+    $TTL 500
+
+    ; SOA (Start Of Authority)
+    @ SOA ns admin (
+      ${serial domain} ; Serial number
+      24h   ; Refresh
+      15m   ; Retry
+      1000h ; Expire (1000h)
+      1d    ; Negative caching
+    )
+
+    ; NS (Name Server)
+    @ NS ns
+    @ NS ns6.gandi.net.
+
+    ; A (DNS -> IPv4)
+    @          A ${mermetIPv4}
+    mermet     A ${mermetIPv4}
+    autoconfig A ${mermetIPv4}
+    code       A ${mermetIPv4}
+    git        A ${mermetIPv4}
+    imap       A ${mermetIPv4}
+    mail       A ${mermetIPv4}
+    ns         A ${mermetIPv4}
+    pop        A ${mermetIPv4}
+    smtp       A ${mermetIPv4}
+    submission A ${mermetIPv4}
+    www        A ${mermetIPv4}
+    chomsky    A 91.216.110.36
+    alpes      A 195.88.84.51
+
+    ; SPF (Sender Policy Framework)
+    @ 3600 IN SPF "v=spf1 mx ip4:${mermetIPv4} -all"
+    @ 3600 IN TXT "v=spf1 mx ip4:${mermetIPv4} -all"
+
+    ; MX (Mail eXchange)
+    @ 180 MX 5 mail
+
+    ; SRV (SeRVice)
+    _git._tcp.git 18000 IN SRV 0 0 9418 git
+
+    ; CAA (Certificate Authority Authorization)
+    ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
+    @ CAA 128 issue "letsencrypt.org"
+  '';
+};
+}
diff --git a/servers/mermet/knot/sourcephile.fr.nix b/servers/mermet/knot/sourcephile.fr.nix
index e79ac47..4201805 100644
--- a/servers/mermet/knot/sourcephile.fr.nix
+++ b/servers/mermet/knot/sourcephile.fr.nix
@@ -68,7 +68,7 @@ services.knot.zones."${domain}" = {
     @ NS ns6.gandi.net.
 
     ; A (DNS -> IPv4)
-    @ A ${mermetIPv4}
+    @          A ${mermetIPv4}
     mermet     A ${mermetIPv4}
     autoconfig A ${mermetIPv4}
     code       A ${mermetIPv4}
diff --git a/servers/mermet/production/shorewall.nix b/servers/mermet/production/shorewall.nix
index 16159bb..d8ab15a 100644
--- a/servers/mermet/production/shorewall.nix
+++ b/servers/mermet/production/shorewall.nix
@@ -11,6 +11,7 @@ let
     # By port
     DNS(ACCEPT)    $FW net {user=${users.users.unbound.name}}
     DNS(ACCEPT)    $FW net:217.70.177.40 # for knot to notify ns6.gandi.net
+    DNS(ACCEPT)    $FW net:78.192.65.63  # for knot to notify ns0.muarf.org
     Git(ACCEPT)    $FW net
     HKP(ACCEPT)    $FW net {user=${users.users.julm.name}}
     HTTP(ACCEPT)   $FW net
-- 
2.44.1