Merge pull request #101 from DarkKirb/add-submissive-dns

Add named on instance-20221213-1915
Charlotte 🦝 Delenk 2022-12-14 18:49:50 +01:00 committed by GitHub
commit 5e6d10da15
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 442 additions and 52 deletions


@ -13,6 +13,7 @@
./systemd-boot.nix
./server.nix
./wireguard/public-server.nix
./services/named-submissive.nix
];
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];
@ -96,5 +97,5 @@
owner = "root";
path = "/etc/secrets/initrd/ssh_host_ed25519_key";
};
sops.age.sshKeyPaths = lib.mkForce [ "/persist/ssh/ssh_host_ed25519_key" ];
sops.age.sshKeyPaths = lib.mkForce ["/persist/ssh/ssh_host_ed25519_key"];
}


@ -17,6 +17,10 @@ _: {
certs."int.chir.rs" = {
domain = "*.int.chir.rs";
};
certs."shitallover.me" = {
domain = "*.shitallover.me";
extraDomainNames = ["shitallover.me"];
};
certs."miifox.net" = {
dnsProvider = "cloudflare";
credentialsFile = "/run/secrets/security/acme/cloudflare";


@ -0,0 +1,53 @@
{
pkgs,
config,
dns,
hosts-list,
...
}: let
internalIP = import ../../utils/getInternalIP.nix config;
createListenEntry = ip: "inet ${ip} port 8653 allow { any; };";
listenEntries = builtins.map createListenEntry internalIP.listenIPsBare;
mkZone = name: {
master = false;
masters = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
file = "/var/lib/named/${name}";
};
in {
services.bind = {
enable = true;
zones = {
"darkkirb.de" = mkZone "darkkirb.de";
"_acme-challenge.darkkirb.de" = mkZone "_acme-challenge.darkkirb.de";
"chir.rs" = mkZone "chir.rs";
"_acme-challenge.chir.rs" = mkZone "_acme-challenge.chir.rs";
"int.chir.rs" = mkZone ".intchir.rs";
"_acme-challenge.int.chir.rs" = mkZone "_acme-challenge.int.chir.rs";
"shitallover.me" = mkZone "shitallover.me";
"_acme-challenge.shitallover.me" = mkZone "_acme-challenge.shitallover.me";
};
extraConfig = ''
statistics-channels {
${toString listenEntries}
};
include "/run/secrets/services/dns/named-keys";
'';
extraOptions = ''
allow-recursion {
127.0.0.1;
::1;
fc00::/7;
};
recursion yes;
dnssec-validation yes;
'';
};
networking.firewall.allowedTCPPorts = [53];
networking.firewall.allowedUDPPorts = [53];
services.prometheus.exporters.bind = {
enable = true;
bindGroups = ["server" "view" "tasks"];
bindURI = "http://${internalIP.listenIP}:8653/";
listenAddress = internalIP.listenIP;
};
}
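Review bot: The statistics channel built by `createListenEntry` is opened with `allow { any; }`, so anything that can reach an internal listen address on port 8653 can read BIND's server statistics. The only consumer visible here is the Prometheus exporter on the same host, so the ACL could be narrowed to `inet ${ip} port 8653 allow { localhost; };`. Separately, `"int.chir.rs" = mkZone ".intchir.rs";` looks like a typo for `mkZone "int.chir.rs"`; as written the transferred zone is stored in the hidden file `/var/lib/named/.intchir.rs`. Also, `dnssec-validation yes;` only validates when a trust anchor is configured, and none is visible in this file (it may come from the included keys file); `dnssec-validation auto;` would use the built-in root anchor.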


@ -13,6 +13,7 @@
int-chir-rs = import ../../zones/int.chir.rs.nix {inherit dns;};
rpz-int-chir-rs = import ../../zones/rpz.int.chir.rs.nix {inherit pkgs hosts-list;};
signzone = import ../../zones/signzone.nix;
shitallover-me = import ../../zones/shitallover.me.nix {inherit dns;};
in {
imports = [
(signzone {
@ -36,6 +37,13 @@ in {
zone = darkkirb-de;
zonename = "darkkirb.de";
})
(signzone {
inherit dns;
ksk = "services/dns/me/shitallover/30477";
zsk = "services/dns/me/shitallover/38310";
zone = shitallover-me;
zonename = "shitallover.me";
})
];
services.bind = {
@ -44,6 +52,7 @@ in {
"darkkirb.de" = {
master = true;
file = "/var/lib/named/darkkirb.de";
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
};
"_acme-challenge.darkkirb.de" = {
master = true;
@ -53,10 +62,12 @@ in {
grant certbot. name _acme-challenge.darkkirb.de. txt;
};
'';
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
};
"chir.rs" = {
master = true;
file = "/var/lib/named/chir.rs";
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
};
"_acme-challenge.chir.rs" = {
master = true;
@ -66,10 +77,12 @@ in {
grant certbot. name _acme-challenge.chir.rs. txt;
};
'';
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
};
"int.chir.rs" = {
master = true;
file = "/var/lib/named/int.chir.rs";
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
};
"_acme-challenge.int.chir.rs" = {
master = true;
@ -79,6 +92,22 @@ in {
grant certbot. name _acme-challenge.int.chir.rs. txt;
};
'';
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
};
"shitallover.me" = {
master = true;
file = "/var/lib/named/shitallover.me";
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
};
"_acme-challenge.shitallover.me" = {
master = true;
file = "/var/lib/named/_acme-challenge.shitallover.me";
extraConfig = ''
update-policy {
grant certbot. name _acme-challenge.shitallover.me. txt;
};
'';
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
};
#"rpz.int.chir.rs" = {
# master = true;
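Review bot: The address added as `slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];` on every zone is the same address the new secondary lists under `masters` in its `mkZone` helper, so one side appears to name the wrong host. In the NixOS bind module `slaves` fills `allow-transfer`, so it should carry the secondary's address; as written, transfer requests from the secondary would presumably be refused, unless the address mapping differs in a way these hunks do not show. Binding the value once in the `let` block, e.g. `secondaries = ["<secondary-address>"];` with `slaves = secondaries;` in each zone, would also remove the eight repeated literals. Transfers are authorised by source address alone in the visible lines; whether a TSIG key is also required cannot be told from here.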


@ -50,6 +50,12 @@ services:
53136.private: ENC[AES256_GCM,data:q4v6yDRuB4TVqcfGX1dhmrGXYM/c1Enzv63oFfLX9xkl7NL61T/eABXLCsHivgSahBvFFlpIdDL86FgOKRIaFeWHiRC05NS2esRKKmxOhU1acP1JK3QrPfa3+c7JUs6CLtADSQXrwfo2MOD31JVYn4CWGW5QFWZLgbpxl6PJXxRcv0O/bllZpmrFGp6NhPy6iNOnivVzOqBlUQdwArk0di5Da1QU1N52aBBkCuoIoWq1zcSAg4y7GKff1Q==,iv:pDw7pU6gEF8NYhsB/NN7Iutc8EaUmXzh7TU+ZG4+qmo=,tag:A6zS/evnWiNQtLDyxurR8g==,type:str]
61825.key: ENC[AES256_GCM,data:gMEdUk7rU8Uw3TBekE6E3CbZGFJYzMLQ3acmMQ3MldL/czh/oA5Tqaj9vN7P1jZCHMBulUG0VR+g1RdSNodB/kpTzSXVwgiI5sOh5LU1S6hQXCK8TaHIQa0w6DWFS4Wq+K20/FEoqOl7QFH+RnaREMuskLe8Y4kuZWcaFobXpIeW/qksPiyXNWx0V8VhnciYGe9yIo3TYqzCtFrkx0u318bYfz8ytRq/c51MFdlQl8xaDX4UnJkjnZnzX6AeHtM1hIfmOwg/Hc5VzSu+0llCi3wfy/9/pBgnN1MhXFbMWnIuah6VwSpKKAboK/pIRAnkrKz8HPU4enGFUqoQZCctfWJjmbaBtLCfCZo4fMDaTVFMyKMSiQocTvjRZ6n2AAT0o6WrsaIwZMUU4/NIvK4nWk92RUnOcyTXM20ePl2kaKrtpOCWr30RbIasd3R3Cwd4+v/kqnl5,iv:CA8KtC+G4LMPEjbFswzEXHjoeGpj+x8vrT9xVD6zBeU=,tag:W6Brvu5lPnFnaCttXcCpww==,type:str]
61825.private: ENC[AES256_GCM,data:MbhA2vMsEJYb0LmPKMi5N8FiTH8Ady2Ipeotqc0SjEKKYbXdbKNPxwkmm9Juyea6DPrIx/Y/evCbAKTdBLadq363Kv4St3dR8O4DA+zjmaG/P1wZZ/4tnkCfNVGPpJDp5NMQPW8fjFNxrITe+hTDI1K2q8Z8sIw2DE81PiivFM7P5BsG6o40lkaLLla6htP8lzY1jWgBpuC6yIYeX56H5Z1oALGns9YuFbgHSAXnpFg7EoSs9epuUfs2Iw==,iv:GIwdFzZmfNsjrgaNRjPF3UioJDpSjH542KP3c80ldEs=,tag:9JV5YgQM/SR+cCdJYX7Jhg==,type:str]
me:
shitallover:
30477.key: ENC[AES256_GCM,data:l/CUl5t1hPDHwkJRBFSkKT18a519t7Zd05TpbM6AaQfjj9NnjAYvIYMS1a4mxQBjYJfPzav/WH2WY3BYFbv5UMcEMTRpFmhKRvE15TGOCwijcXaQzJCYR75X0bMhMe+gYv/iGSpNl7682jZHSxwRZLhaxAJk5Y+js75lTRWouASdinfFqf3cwOtuQ3EBWEjpbILJNr3qeLteUcAAccNtLOMKNK9Of/O570iRsrV6a3MMDRxwEuCzLPJHOT5+vOzrc4PAPqmPhlql8CTuQohJVpkY17B0jHluB99Ldnm3LiR6IGp+MwA9Kr0Z4a8kquLwvIg3Byjs2txH9tNTfi7GdPQmWVRZumQn8hth413BcOv8fq+ltYNU9lHqxRPcJ/WKxCR5+i/Wn857ovLwVaA9,iv:4e/QbNL6UybYr/EcH7YT2kYDdV5BmxibTdiO6l4+ntA=,tag:1MX8q5pBeABAANilrhB/Dw==,type:str]
30477.private: ENC[AES256_GCM,data:djkzBTI2ndbdTeEehAeGXbMfId/38+dsIuGcCG2QcS238hRy1YFwLdcZ62vs9OH8a2+gjficGJv3KvzNMg6WD3dPN9NAZCw0DfNxHao1NYY1J3Anov1FxLFDkhUWW7+hqZ7jEDQToitttOjfXyqp9vzDDPUhCJeyhDAr57M4LXzxI5JwRaoNFPLSQgEnbTaTHYswcZ0IguFewgCVgi1Bm+OU5fq9JUz7SJ8C5dHNrqAgMV0=,iv:ZNXQky1/wBrMBG4v3cnI5CqDK452/wtd+ETlqBQfQHo=,tag:so4eI+YGFynneewbPQIVjA==,type:str]
38310.key: ENC[AES256_GCM,data:KdyKXaKHN11ykfM8x2A8sJfLWMc6WqF8/RhmNdTb4KRoaKQ8hRNz2qmOSrngChE2BbRRepxRLsyOyHN7ubroXAj6HQIhTq/div8AHFvOdxoexEXmXKCDEbjwR52wPbwIb7i9zaGSNUCgKSqyOt/awqoeAUHBOtIzSn5G8iNnwAB8IZjm43sfgmSSB4aSMWbeaslPoE83R23zQE/2fpcwyE2VoOarLThGtj1t02acaSAuIgGg24K5nRZfRKiAXP1qkMguT7ky/xZHglmtlzuXGEqbfIIce7criaodXJxBth2WejXmx8QWOCJuUEDGbofC/FQrLMrFXThY9FKLD0KeOD0cwBvfjhw03Qu7NHhvqpxMCewE5La//1F1GrKxuIIHeEiB1qQjh5Ca3v01c6g=,iv:XgeknLHlEjXa7YX0FvcSRZKXGu1kAIQfmYVXWMJC0gc=,tag:Hpp3CGKKwrdI+KgHrIn0qQ==,type:str]
38310.private: ENC[AES256_GCM,data:oztry2i/lpARTUg7dXAYNP4dNg9HN24rtBQnCA956yLnn36uS8aadOQ6matrZV5UOSuvPej1KsRoHPGc2m00yI55eJEYVke0MGxyMSL1EQR/vJQ4B/e+PfrspcLuNM3FaFU/gJfCGfnaaPPnqs4xCydOWl23Nn4aTbPPmnbLHsiY/O+V6mORHah9aWM+Nw4RL/A3aDTSOychj1f0oozvUfhvR2sB1uR/DAVwVmWiu5zv0pA=,iv:/WhcX0VLmANjoVwM/3Y1Fb/2Cwt1ltTeIXQ70EjvOy0=,tag:hJsg8DSEaQZb35o6Xekymg==,type:str]
rs:
chir:
32969.key: ENC[AES256_GCM,data:OE56/Q9eFh1sKSAAkeEcr6J+jtkfWa1jwYrvEXHBEThuSxFgmbfFeia4ZNQ4ZeotMOFx0BYcxGhPCCSlIpXQA0CFWV2c5WyzRxgVyrVkRiFfiy7jXfP4hPrE9pw8xFPX2W573MCroMhhXIHzbvKDHkdVJQ7M7dnfi46OGWe121kar5kmLneMvgtNRFVCcrL6fcQSR6sTibr8gVlKj6sneto9Dm+WRasjpo207swsSgjabdJoxmBUvvHFJBmAIaIaVPYqPIM20FGujqjywSMEzq+fLGhL+xsjYe44IR7Lag4Ui+kCll/X6LryFAIXBrp7os4wglqXfbkahST4x8FzNnHIJQocxKxbQa4zrmeQvKZml20DtBZZJvj+cAkEHsYG5uL6pJVxtWUtKPRQpUteSnME2bNkL3up62BYQ/zUXz6ptrma2iCMm3pZG/06,iv:aE7F5Zzk0/GOj/Vs1hajs5QxpTjnAvI/f7yJaMhN7/c=,tag:p/ROFt050dMG/r/kB939og==,type:str]
@ -82,8 +88,8 @@ sops:
N1lNTTRhSDFsczd4VjNudUU2NEt4MUEKdVJIJmaoGcwUHa0BGB45jqYnm9aPVZxP
dl1vkMx8EAiKhWKbBwQm5fFZcNh371rspGE7KOXmwNbNWef5bVfHpQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-07T10:10:35Z"
mac: ENC[AES256_GCM,data:UiENOfBCIQ3XZbhuQDumNH8TCm1iYQl75AIM0Hk7gsduH62J66914joXfX3D0qdmGaO9V9RoU+YZySTe0bJJXTsbQBV1ZMFfQFWMfDZCWprSYY0w+VA3aeFicrXOkJrvkDL0RklkNZRthiVvA/K0jIcOc9a3KhQ4AYg4NvpuK4o=,iv:D992NSKogA/St7mJXKKVi5fxcjyW+n2lqbgim54ABQI=,tag:jEH6qPDA/C79XSQ5AkWVuw==,type:str]
lastmodified: "2022-12-14T16:46:00Z"
mac: ENC[AES256_GCM,data:SZUAvmTDVMfzCU8j9FS4zGIHUpwyHFYC2ybPrgiISOO4ka1LAR+8FgsY9SAkI0to6BV/Ha6sf8GyTYzJhtwnhDiTzsd0nmi+ZRJHVb7wZfvUEsKr69XoYhjx4cO3hhCIhBgminxqctSnx4wtR4mxtoisTImm6hxbZOW4FL3Tbu4=,iv:5Qo/fYBph6pbhNTS44ibuyMbli4ojMeGQkQVdtMveRo=,tag:w4xzhjFXiuJT9Jw0ELUXTg==,type:str]
pgp:
- created_at: "2022-02-02T17:50:42Z"
enc: |


@ -11,6 +11,50 @@ with dns.lib.combinators; let
then {subdomains = a.subdomains // b.subdomains;}
else {}
);
oracleBase = {
A = [
(ttl zoneTTL (a "130.162.60.127"))
];
AAAA = [
(ttl zoneTTL (aaaa "2603:c020:8009:f100:f09a:894d:ef57:a278"))
];
SSHFP = [
{
algorithm = "rsa";
mode = "sha1";
fingerprint = "b44a837703b22d8cbc2ca4e7019af4bcb0185348";
ttl = zoneTTL;
}
{
algorithm = "rsa";
mode = "sha256";
fingerprint = "8f276ce01188fdd2bbf2aaa03d477c58c911a6c1f9bee3f8ab35ca4b42aa19a9";
ttl = zoneTTL;
}
{
algorithm = "ed25519";
mode = "sha1";
fingerprint = "8dfd784c5f239822b086dc4fa7c058f260331e5d";
ttl = zoneTTL;
}
{
algorithm = "ed25519";
mode = "sha256";
fingerprint = "82d51bd3ab43af3b94801c6b68812c4f1db013ac5b53a466fbcdbb955de6d3e5";
ttl = zoneTTL;
}
];
HTTPS = [
{
svcPriority = 1;
targetName = ".";
alpn = ["http/1.1" "h2" "h3"];
ipv4hint = ["130.162.60.127"];
ipv6hint = ["2603:c020:8009:f100:f09a:894d:ef57:a278"];
ttl = zoneTTL;
}
];
};
zoneBase = {
A = [
(ttl zoneTTL (a "138.201.155.128"))
@ -44,28 +88,6 @@ with dns.lib.combinators; let
ttl = zoneTTL;
}
];
/*
subdomains = {
_tcp.subdomains."*".TLSA = [
{
certUsage = "dane-ee";
selector = "spki";
match = "sha256";
certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f";
ttl = zoneTTL;
}
];
_udp.subdomains."*".TLSA = [
{
certUsage = "dane-ee";
selector = "spki";
match = "sha256";
certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f";
ttl = zoneTTL;
}
];
};
*/
HTTPS = [
{
svcPriority = 1;
@ -102,11 +124,17 @@ with dns.lib.combinators; let
SOA = {
nameServer = "ns1.chir.rs.";
adminEmail = "lotte@chir.rs";
serial = 21;
serial = 22;
};
NS = [
"ns1.chir.rs."
"ns2.chir.rs."
"ns3.chir.rs."
"ns4.chir.rs."
"ns1.darkkirb.de."
"ns2.darkkirb.de."
"ns1.shitallover.me."
"ns2.shitallover.me."
];
MX = [
(ttl zoneTTL (mx.mx 10 "mail.chir.rs."))
@ -179,6 +207,8 @@ with dns.lib.combinators; let
mc = createZone {};
ns1 = createZone {};
ns2 = createZone {};
ns3 = createZone oracleBase;
ns4 = createZone oracleBase;
hydra = createZone {};
mastodon = createZone {};
mastodon-assets.CNAME = [
@ -198,6 +228,12 @@ with dns.lib.combinators; let
delegateTo [
"ns1.chir.rs."
"ns2.chir.rs."
"ns3.chir.rs."
"ns4.chir.rs."
"ns1.darkkirb.de."
"ns2.darkkirb.de."
"ns1.shitallover.me."
"ns2.shitallover.me."
]
// {
DS = [
@ -212,6 +248,12 @@ with dns.lib.combinators; let
_acme-challenge = delegateTo [
"ns1.chir.rs."
"ns2.chir.rs."
"ns3.chir.rs."
"ns4.chir.rs."
"ns1.darkkirb.de."
"ns2.darkkirb.de."
"ns1.shitallover.me."
"ns2.shitallover.me."
];
};
};
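Review bot: `oracleBase` is added verbatim here, again in the next zone file (the one whose SOA becomes `ns1.darkkirb.de.`) and in zones/shitallover.me.nix, so the host's addresses and SSHFP fingerprints now live in three copies that must be changed together whenever the host key or address changes. A stale SSHFP record in a DNSSEC-signed zone makes clients that verify host keys through DNS warn on or reject the real key, so a single shared definition imported by the three zone files would be safer. The `mode = "sha1";` entries could be dropped in the same step, since SHA-256 fingerprints for the same keys are already published next to them.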


@ -11,6 +11,50 @@ with dns.lib.combinators; let
then {subdomains = a.subdomains // b.subdomains;}
else {}
);
oracleBase = {
A = [
(ttl zoneTTL (a "130.162.60.127"))
];
AAAA = [
(ttl zoneTTL (aaaa "2603:c020:8009:f100:f09a:894d:ef57:a278"))
];
SSHFP = [
{
algorithm = "rsa";
mode = "sha1";
fingerprint = "b44a837703b22d8cbc2ca4e7019af4bcb0185348";
ttl = zoneTTL;
}
{
algorithm = "rsa";
mode = "sha256";
fingerprint = "8f276ce01188fdd2bbf2aaa03d477c58c911a6c1f9bee3f8ab35ca4b42aa19a9";
ttl = zoneTTL;
}
{
algorithm = "ed25519";
mode = "sha1";
fingerprint = "8dfd784c5f239822b086dc4fa7c058f260331e5d";
ttl = zoneTTL;
}
{
algorithm = "ed25519";
mode = "sha256";
fingerprint = "82d51bd3ab43af3b94801c6b68812c4f1db013ac5b53a466fbcdbb955de6d3e5";
ttl = zoneTTL;
}
];
HTTPS = [
{
svcPriority = 1;
targetName = ".";
alpn = ["http/1.1" "h2" "h3"];
ipv4hint = ["130.162.60.127"];
ipv6hint = ["2603:c020:8009:f100:f09a:894d:ef57:a278"];
ttl = zoneTTL;
}
];
};
zoneBase = {
A = [
(ttl zoneTTL (a "138.201.155.128"))
@ -44,28 +88,6 @@ with dns.lib.combinators; let
ttl = zoneTTL;
}
];
/*
subdomains = {
_tcp.subdomains."*".TLSA = [
{
certUsage = "dane-ee";
selector = "spki";
match = "sha256";
certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f";
ttl = zoneTTL;
}
];
_udp.subdomains."*".TLSA = [
{
certUsage = "dane-ee";
selector = "spki";
match = "sha256";
certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f";
ttl = zoneTTL;
}
];
};
*/
HTTPS = [
{
svcPriority = 1;
@ -100,13 +122,19 @@ with dns.lib.combinators; let
createZone = merge zoneBase;
zone = createZone {
SOA = {
nameServer = "ns1.chir.rs.";
nameServer = "ns1.darkkirb.de.";
adminEmail = "lotte@chir.rs";
serial = 2;
serial = 3;
};
NS = [
"ns1.chir.rs."
"ns2.chir.rs."
"ns3.chir.rs."
"ns4.chir.rs."
"ns1.darkkirb.de."
"ns2.darkkirb.de."
"ns1.shitallover.me."
"ns2.shitallover.me."
];
MX = [
(ttl zoneTTL (mx.mx 10 "mail.chir.rs."))
@ -179,11 +207,17 @@ with dns.lib.combinators; let
_acme-challenge = delegateTo [
"ns1.chir.rs."
"ns2.chir.rs."
"ns3.chir.rs."
"ns4.chir.rs."
"ns1.darkkirb.de."
"ns2.darkkirb.de."
"ns1.shitallover.me."
"ns2.shitallover.me."
];
www = createZone {};
static = createZone {};
ns1 = createZone {};
ns2 = createZone {};
ns2 = createZone oracleBase;
};
};
in


@ -15,11 +15,17 @@ in {
SOA = {
nameServer = "ns1.chir.rs.";
adminEmail = "lotte@chir.rs";
serial = 18;
serial = 19;
};
NS = [
"ns1.chir.rs."
"ns2.chir.rs."
"ns3.chir.rs."
"ns4.chir.rs."
"ns1.darkkirb.de."
"ns2.darkkirb.de."
"ns1.shitallover.me."
"ns2.shitallover.me."
];
DNSKEY = [
{
@ -268,6 +274,12 @@ in {
_acme-challenge = delegateTo [
"ns1.chir.rs."
"ns2.chir.rs."
"ns3.chir.rs."
"ns4.chir.rs."
"ns1.darkkirb.de."
"ns2.darkkirb.de."
"ns1.shitallover.me."
"ns2.shitallover.me."
];
};
}
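Review bot: Adding the new secondaries to this zone's `NS` set means the zone is also served from the host configured in services/named-submissive.nix, where the `"int.chir.rs"` zone carries no `allow-query` restriction and ports 53/tcp and 53/udp are opened in the firewall. If int.chir.rs is meant to describe internal hosts, its records become answerable to anyone who can reach that server, because the `allow-recursion` block there limits only recursion and not authoritative answers. Consider an `allow-query` ACL on the internal zones of the secondary, or leaving this zone off the public secondaries. How the primary restricts the zone is not visible on this page, so this exposure may already be intended.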

209
zones/shitallover.me.nix Normal file

@ -0,0 +1,209 @@
{
dns ? (import (builtins.fetchTarball "https://github.com/DarkKirb/dns.nix/archive/master.zip")).outputs,
zoneTTL ? 3600,
}:
with dns.lib.combinators; let
inherit (builtins) hasAttr;
merge = a: b:
(a // b)
// (
if ((hasAttr "subdomains" a) && (hasAttr "subdomains" b))
then {subdomains = a.subdomains // b.subdomains;}
else {}
);
oracleBase = {
A = [
(ttl zoneTTL (a "130.162.60.127"))
];
AAAA = [
(ttl zoneTTL (aaaa "2603:c020:8009:f100:f09a:894d:ef57:a278"))
];
SSHFP = [
{
algorithm = "rsa";
mode = "sha1";
fingerprint = "b44a837703b22d8cbc2ca4e7019af4bcb0185348";
ttl = zoneTTL;
}
{
algorithm = "rsa";
mode = "sha256";
fingerprint = "8f276ce01188fdd2bbf2aaa03d477c58c911a6c1f9bee3f8ab35ca4b42aa19a9";
ttl = zoneTTL;
}
{
algorithm = "ed25519";
mode = "sha1";
fingerprint = "8dfd784c5f239822b086dc4fa7c058f260331e5d";
ttl = zoneTTL;
}
{
algorithm = "ed25519";
mode = "sha256";
fingerprint = "82d51bd3ab43af3b94801c6b68812c4f1db013ac5b53a466fbcdbb955de6d3e5";
ttl = zoneTTL;
}
];
HTTPS = [
{
svcPriority = 1;
targetName = ".";
alpn = ["http/1.1" "h2" "h3"];
ipv4hint = ["130.162.60.127"];
ipv6hint = ["2603:c020:8009:f100:f09a:894d:ef57:a278"];
ttl = zoneTTL;
}
];
};
zoneBase = {
A = [
(ttl zoneTTL (a "138.201.155.128"))
];
AAAA = [
(ttl zoneTTL (aaaa "2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49"))
];
SSHFP = [
{
algorithm = "rsa";
mode = "sha1";
fingerprint = "97b910c37194cd98e7edca2d68104f4531721c22";
ttl = zoneTTL;
}
{
algorithm = "rsa";
mode = "sha256";
fingerprint = "7915470f9275116889d5ca1fdbea20416d8372636c3d63653b272308608cf70f";
ttl = zoneTTL;
}
{
algorithm = "ed25519";
mode = "sha1";
fingerprint = "1aff467e745a8d68ba032dd3d54597e10d31ccf8";
ttl = zoneTTL;
}
{
algorithm = "ed25519";
mode = "sha256";
fingerprint = "e6dcdb73dc381ee2b354528cdaf8552364e75c34316d7e0c9819801daea5c951";
ttl = zoneTTL;
}
];
HTTPS = [
{
svcPriority = 1;
targetName = ".";
alpn = ["http/1.1" "h2" "h3"];
ipv4hint = ["138.201.155.128"];
ipv6hint = ["2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49"];
ttl = zoneTTL;
}
];
CAA = [
{
issuerCritical = false;
tag = "issue";
value = "letsencrypt.org";
ttl = zoneTTL;
}
{
issuerCritical = false;
tag = "issuewild";
value = "letsencrypt.org";
ttl = zoneTTL;
}
{
issuerCritical = false;
tag = "iodef";
value = "mailto:lotte@chir.rs";
ttl = zoneTTL;
}
];
};
createZone = merge zoneBase;
zone = createZone {
SOA = {
nameServer = "ns1.shitallover.me.";
adminEmail = "lotte@chir.rs";
serial = 1;
};
NS = [
"ns1.chir.rs."
"ns2.chir.rs."
"ns3.chir.rs."
"ns4.chir.rs."
"ns1.darkkirb.de."
"ns2.darkkirb.de."
"ns1.shitallover.me."
"ns2.shitallover.me."
];
MX = [
(ttl zoneTTL (mx.mx 10 "mail.chir.rs."))
];
SRV = [
{
service = "submission";
proto = "tcp";
port = 587;
target = "mail.chir.rs.";
}
{
service = "imap";
proto = "tcp";
port = 143;
target = "mail.chir.rs.";
}
{
service = "imaps";
proto = "tcp";
port = 993;
target = "mail.chir.rs.";
}
{
service = "pop3";
proto = "tcp";
port = 110;
target = "mail.chir.rs.";
}
{
service = "pop3s";
proto = "tcp";
port = 995;
target = "mail.chir.rs.";
}
];
TXT = [
(ttl zoneTTL (txt "v=spf1 ip4:138.201.155.128 ip6:2a01:4f8:1c17:d953/64 -all"))
(ttl zoneTTL (txt "google-site-verification=f2XWRDvD4F99pM7ux7sMtVJ9ZGtjKRLI_rfcO2IWIMI"))
];
DNSKEY = [
{
flags.zoneSigningKey = true;
flags.secureEntryPoint = true;
algorithm = "ecdsap256sha256";
publicKey = "FZklP7KowbXVjfkT5ndAE60QFvaKoghhLY2TavukRBGFA8pyGm+ce9QHekbrjE14q8sb5x0uXl4VdyDIUNZ3XQ==";
ttl = zoneTTL;
}
{
flags.zoneSigningKey = true;
algorithm = "ecdsap256sha256";
publicKey = "WH9JM7Qvi2Hz3bCp7O5/WFLNdKUA/2aUkQqByfhaItfqoAm+hw6x4Qj8+umu5EDyo2A/HD/h9b/eO3zVq6pebw==";
}
];
subdomains = {
_acme-challenge = delegateTo [
"ns1.chir.rs."
"ns2.chir.rs."
"ns3.chir.rs."
"ns4.chir.rs."
"ns1.darkkirb.de."
"ns2.darkkirb.de."
"ns1.shitallover.me."
"ns2.shitallover.me."
];
www = createZone {};
ns1 = createZone {};
ns2 = createZone oracleBase;
};
};
in
zone
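Review bot: The SPF record `v=spf1 ip4:138.201.155.128 ip6:2a01:4f8:1c17:d953/64 -all` has a malformed `ip6` mechanism: `2a01:4f8:1c17:d953` is only four groups with no `::`, so receivers are likely to treat the record as a permanent error instead of matching the mail host; it should read `ip6:2a01:4f8:1c17:d953::/64`. The default for `dns` fetches `archive/master.zip` through `builtins.fetchTarball` with no `sha256`, so a standalone evaluation of this file takes whatever the branch holds at that moment; pinning a revision and hash would make it reproducible, although the caller visible on this page passes `dns` explicitly. The second `DNSKEY` entry also lacks the `ttl = zoneTTL;` that the first one sets.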