diff --git a/flake.lock b/flake.lock index 1955690..f382057 100644 --- a/flake.lock +++ b/flake.lock @@ -96,6 +96,27 @@ "type": "github" } }, + "dns": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1635273082, + "narHash": "sha256-EHiDP2jEa7Ai5ZwIf5uld9RVFcV77+2SUxjQXwJsJa0=", + "owner": "nix-community", + "repo": "dns.nix", + "rev": "c7b9645da9c0ddce4f9de4ef27ec01bb8108039a", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "dns.nix", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -134,6 +155,21 @@ } }, "flake-utils": { + "locked": { + "lastModified": 1614513358, + "narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5466c5bbece17adaab2d82fae80b46e807611bf3", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "inputs": { "systems": "systems_2" }, @@ -233,7 +269,7 @@ "crane": "crane", "flake-compat": "flake-compat", "flake-parts": "flake-parts", - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ], @@ -432,6 +468,7 @@ "root": { "inputs": { "agenix": "agenix", + "dns": "dns", "home-manager": "home-manager", "impermanence": "impermanence", "lanzaboote": "lanzaboote", diff --git a/flake.nix b/flake.nix index ce70049..ffb8b80 100644 --- a/flake.nix +++ b/flake.nix @@ -18,9 +18,12 @@ impermanence.url = "github:nix-community/impermanence"; home-manager = { - inputs = { - nixpkgs.follows = "nixpkgs"; - }; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + dns = { + url = "github:nix-community/dns.nix"; + inputs.nixpkgs.follows = "nixpkgs"; }; nix-colors.url = "github:Misterio77/nix-colors"; @@ -56,6 +59,7 @@ { self , nixpkgs , home-manager + , dns , nix-index-database , agenix , impermanence 
diff --git a/hosts/falkenstein/modules/dns/default.nix b/hosts/falkenstein/modules/dns/default.nix index b6ac08f..8fd068a 100644 --- a/hosts/falkenstein/modules/dns/default.nix +++ b/hosts/falkenstein/modules/dns/default.nix 
@@ -1,53 +1,52 @@ -{ pkgs, config, ... }: +{ pkgs, lib, config, dns, ... }: let secondary = "185.181.104.96"; - zonefile = pkgs.writeText "rfive.de.zone.txt" '' - $TTL 3600 - $ORIGIN rfive.de. + zonefile = with dns.lib.combinators; pkgs.writeText "rfive.de.zone.txt" (dns.lib.toString "rfive.de" { + TTL = 3600; + SOA = { + nameServer = "ns.rfive.de."; + adminEmail = "hostmaster@rfive.de"; + serial = 2024041709; + refresh = 10800; + retry = 3600; + expire = 604800; + minimum = 3600; + }; + NS = [ + "ns.inwx.de." + "ns2.inwx.de." + "ns3.inxw.eu." + ]; + A = [ "23.88.121.184" ]; + AAAA = [ "2a01:4f8:c012:49de::1" ]; - rfive.de. 86400 IN SOA ns.rfive.de. hostmaster.rfive.de. ( - 2024040800 ; serial - 10800 ; refresh - 3600 ; retry - 604800 ; expire - 3600 ) ; negatives caching, ehem. minimum - - @ NS ns.inwx.de. - @ NS ns2.inwx.de. - @ NS ns3.inwx.eu. + CAA = letsEncrypt "ca@rfive.de"; - @ A 23.88.121.184 - @ AAAA 2a01:4f8:c012:49de::1 + MX = [{ preference = 1; exchange = "mail.rfive.de."; }]; - @ CAA 0 iodef "mailto:ca@rfive.de" - @ CAA 0 issue "letsencrypt.org" - @ CAA 0 issuewild ";" + TXT = [ + (spf.soft [ "mx" ]) + ]; - ns A 23.88.121.184 - ns AAAA 2a01:4f8:c012:49de::1 + subdomains = lib.attrsets.mergeAttrsList [ + rec { + nuc = { + A = [ "141.30.227.6" ]; + }; + falkenstein = { + A = [ "23.88.121.184" ]; + AAAA = [ "2a01:4f8:c012:49de::1" ]; + }; + ns = falkenstein; + mail = falkenstein; + _dmarc.TXT = [ "v=DMARC1; p=none; adkim=s; fo=1; rua=mailto:dmarc@rfive.de; ruf=mailto:dmarc@rfive.de" ]; + _domainkey.subdomains.rspamd.TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoirUMubro4nlmY6a8JMwK9QB2agAXiJzexDU/7ba6KCggONfoSTfUHlrM/XeM1GG/9oKpngApxDPP97adJuxc8/EELyo4HjTyYD8GBFZhg0AN7V8IPaJ1o5k6dGDk8ZLh41ZCnlAVWkhVSKs5pYtzkrlJIfUSzyuoe8nuFsVe3QIDAQAB" ]; - nuc A 141.30.227.6 - falkenstein A 23.88.121.184 - falkenstein AAAA 2a01:4f8:c012:49de::1 - - @ MX 1 mail.rfive.de. 
- mail A 23.88.121.184 - mail AAAA 2a01:4f8:c012:49de::1 - - @ TXT "v=spf1 mx ~all" - rspamd._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoirUMubro4nlmY6a8JMwK9QB2agAXiJzexDU/7ba6KCggONfoSTfUHlrM/XeM1GG/9oKpngApxDPP97adJuxc8/EELyo4HjTyYD8GBFZhg0AN7V8IPaJ1o5k6dGDk8ZLh41ZCnlAVWkhVSKs5pYtzkrlJIfUSzyuoe8nuFsVe3QIDAQAB" - _dmarc TXT "v=DMARC1; p=none; adkim=s; fo=1; rua=mailto:dmarc@rfive.de; ruf=mailto:dmarc@rfive.de" - - cache CNAME nuc.rfive.de. - chat CNAME nuc.rfive.de. - matrix CNAME nuc.rfive.de. - seafile CNAME nuc.rfive.de. - vault CNAME nuc.rfive.de. - - purge CNAME falkenstein.rfive.de. - rspamd CNAME falkenstein.rfive.de. - trucks CNAME falkenstein.rfive.de. - ''; + } + (lib.attrsets.genAttrs [ "cache" "chat" "matrix" "seafile" "vault" ] (label: { CNAME = [ "nuc.rfive.de." ]; })) + (lib.attrsets.genAttrs [ "purge" "rspamd" "trucks" ] (label: { CNAME = [ "falkenstein.rfive.de." ]; })) + ]; + }); in { services.bind = rec {
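Review bot: The third apex NS entry on the new side is `"ns3.inxw.eu."` while the removed line read `ns3.inwx.eu.`; the label is transposed, so the zone now delegates to a host under a domain the operator does not control, which is both a lame delegation (the apex NS set will disagree with the parent's) and a takeover exposure if `inxw.eu` is ever registered by someone else. It should be `"ns3.inwx.eu."`. Separately, the old zone text carried an explicit `@ CAA 0 issuewild ";"` and an 86400 TTL on the SOA; whether `letsEncrypt "ca@rfive.de"` reproduces the `issuewild` record is not visible here, and if the combinator only emits `issue`/`iodef` then wildcard issuance is no longer restricted to any CA. I would diff the rendered `rfive.de.zone.txt` against the previous hand-written text before deploying and, if needed, append `{ tag = "issuewild"; value = ";"; issuerCritical = false; }` (or the combinator's equivalent) to the CAA list.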