Merge pull request #101 from DarkKirb/add-submissive-dns
Add named on instance-20221213-1915
5e6d10da15
9 changed files with 442 additions and 52 deletions
|
@ -13,6 +13,7 @@
|
|||
./systemd-boot.nix
|
||||
./server.nix
|
||||
./wireguard/public-server.nix
|
||||
./services/named-submissive.nix
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];
|
||||
|
@ -96,5 +97,5 @@
|
|||
owner = "root";
|
||||
path = "/etc/secrets/initrd/ssh_host_ed25519_key";
|
||||
};
|
||||
sops.age.sshKeyPaths = lib.mkForce [ "/persist/ssh/ssh_host_ed25519_key" ];
|
||||
sops.age.sshKeyPaths = lib.mkForce ["/persist/ssh/ssh_host_ed25519_key"];
|
||||
}
|
||||
|
|
|
@ -17,6 +17,10 @@ _: {
|
|||
certs."int.chir.rs" = {
|
||||
domain = "*.int.chir.rs";
|
||||
};
|
||||
certs."shitallover.me" = {
|
||||
domain = "*.shitallover.me";
|
||||
extraDomainNames = ["shitallover.me"];
|
||||
};
|
||||
certs."miifox.net" = {
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = "/run/secrets/security/acme/cloudflare";
|
||||
|
|
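--- a/config/services/named-submissive.nix
+++ b/config/services/named-submissive.nix
@@ -0,0 +1,53 @@
+{
+pkgs,
+config,
+dns,
+hosts-list,
+...
+}: let
+internalIP = import ../../utils/getInternalIP.nix config;
+createListenEntry = ip: "inet ${ip} port 8653 allow { any; };";
+listenEntries = builtins.map createListenEntry internalIP.listenIPsBare;
+mkZone = name: {
+master = false;
+masters = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
+file = "/var/lib/named/${name}";
+};
+in {
+services.bind = {
+enable = true;
+zones = {
+"darkkirb.de" = mkZone "darkkirb.de";
+"_acme-challenge.darkkirb.de" = mkZone "_acme-challenge.darkkirb.de";
+"chir.rs" = mkZone "chir.rs";
+"_acme-challenge.chir.rs" = mkZone "_acme-challenge.chir.rs";
+"int.chir.rs" = mkZone ".intchir.rs";
+"_acme-challenge.int.chir.rs" = mkZone "_acme-challenge.int.chir.rs";
+"shitallover.me" = mkZone "shitallover.me";
+"_acme-challenge.shitallover.me" = mkZone "_acme-challenge.shitallover.me";
+};
+extraConfig = ''
+statistics-channels {
+${toString listenEntries}
+};
+include "/run/secrets/services/dns/named-keys";
+'';
+extraOptions = ''
+allow-recursion {
+127.0.0.1;
+::1;
+fc00::/7;
+};
+recursion yes;
+dnssec-validation yes;
+'';
+};
+networking.firewall.allowedTCPPorts = [53];
+networking.firewall.allowedUDPPorts = [53];
+services.prometheus.exporters.bind = {
+enable = true;
+bindGroups = ["server" "view" "tasks"];
+bindURI = "http://${internalIP.listenIP}:8653/";
+listenAddress = internalIP.listenIP;
+};
+}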
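Review bot: The zone file path for int.chir.rs is misspelled at `"int.chir.rs" = mkZone ".intchir.rs";`, so the transferred copy lands in `/var/lib/named/.intchir.rs`, a hidden file whose name no longer matches the zone as every other entry does; it should read `"int.chir.rs" = mkZone "int.chir.rs";`. The statistics channel built by `createListenEntry` uses `allow { any; };`, which lets any peer that can reach one of `internalIP.listenIPsBare` on port 8653 read the server's zone and query statistics; the only intended client is the exporter at `internalIP.listenIP`, so `allow { ${internalIP.listenIP}; };` (presumably also the source address it scrapes from, which is worth confirming) is the tighter ACL. Port 8653 is not in the `allowedTCPPorts` list, so reachability of the channel currently depends on which interfaces the firewall treats as trusted.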
@ -13,6 +13,7 @@
|
|||
int-chir-rs = import ../../zones/int.chir.rs.nix {inherit dns;};
|
||||
rpz-int-chir-rs = import ../../zones/rpz.int.chir.rs.nix {inherit pkgs hosts-list;};
|
||||
signzone = import ../../zones/signzone.nix;
|
||||
shitallover-me = import ../../zones/shitallover.me.nix {inherit dns;};
|
||||
in {
|
||||
imports = [
|
||||
(signzone {
|
||||
|
@ -36,6 +37,13 @@ in {
|
|||
zone = darkkirb-de;
|
||||
zonename = "darkkirb.de";
|
||||
})
|
||||
(signzone {
|
||||
inherit dns;
|
||||
ksk = "services/dns/me/shitallover/30477";
|
||||
zsk = "services/dns/me/shitallover/38310";
|
||||
zone = shitallover-me;
|
||||
zonename = "shitallover.me";
|
||||
})
|
||||
];
|
||||
|
||||
services.bind = {
|
||||
|
@ -44,6 +52,7 @@ in {
|
|||
"darkkirb.de" = {
|
||||
master = true;
|
||||
file = "/var/lib/named/darkkirb.de";
|
||||
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
|
||||
};
|
||||
"_acme-challenge.darkkirb.de" = {
|
||||
master = true;
|
||||
|
@ -53,10 +62,12 @@ in {
|
|||
grant certbot. name _acme-challenge.darkkirb.de. txt;
|
||||
};
|
||||
'';
|
||||
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
|
||||
};
|
||||
"chir.rs" = {
|
||||
master = true;
|
||||
file = "/var/lib/named/chir.rs";
|
||||
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
|
||||
};
|
||||
"_acme-challenge.chir.rs" = {
|
||||
master = true;
|
||||
|
@ -66,10 +77,12 @@ in {
|
|||
grant certbot. name _acme-challenge.chir.rs. txt;
|
||||
};
|
||||
'';
|
||||
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
|
||||
};
|
||||
"int.chir.rs" = {
|
||||
master = true;
|
||||
file = "/var/lib/named/int.chir.rs";
|
||||
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
|
||||
};
|
||||
"_acme-challenge.int.chir.rs" = {
|
||||
master = true;
|
||||
|
@ -79,6 +92,22 @@ in {
|
|||
grant certbot. name _acme-challenge.int.chir.rs. txt;
|
||||
};
|
||||
'';
|
||||
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
|
||||
};
|
||||
"shitallover.me" = {
|
||||
master = true;
|
||||
file = "/var/lib/named/shitallover.me";
|
||||
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
|
||||
};
|
||||
"_acme-challenge.shitallover.me" = {
|
||||
master = true;
|
||||
file = "/var/lib/named/_acme-challenge.shitallover.me";
|
||||
extraConfig = ''
|
||||
update-policy {
|
||||
grant certbot. name _acme-challenge.shitallover.me. txt;
|
||||
};
|
||||
'';
|
||||
slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
|
||||
};
|
||||
#"rpz.int.chir.rs" = {
|
||||
# master = true;
|
||||
|
|
|
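Review bot: The secondary's address `fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49` is repeated as a literal in every zone's `slaves` list across the hunks from `@ -44,6 +52,7 @@` onward (eight places in what is presumably config/services/named.nix) and once more as `masters` in named-submissive.nix; a binding in the `let` block, e.g. `secondaries = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];` with `slaves = secondaries;`, keeps the transfer ACL in one place when that host is renumbered. As far as these hunks show, zone transfers are authorised by source address only; if the `named-keys` secret the secondary includes carries a TSIG key, requiring it on the primary's transfer ACL as well would make an AXFR from a spoofed source ineffective. It is also worth checking the secondary's log after deploy: its `masters` list holds only this ULA address, so a NOTIFY arriving from one of the primary's public addresses would be refused and the zones would then update only on SOA refresh.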
@ -50,6 +50,12 @@ services:
|
|||
53136.private: ENC[AES256_GCM,data:q4v6yDRuB4TVqcfGX1dhmrGXYM/c1Enzv63oFfLX9xkl7NL61T/eABXLCsHivgSahBvFFlpIdDL86FgOKRIaFeWHiRC05NS2esRKKmxOhU1acP1JK3QrPfa3+c7JUs6CLtADSQXrwfo2MOD31JVYn4CWGW5QFWZLgbpxl6PJXxRcv0O/bllZpmrFGp6NhPy6iNOnivVzOqBlUQdwArk0di5Da1QU1N52aBBkCuoIoWq1zcSAg4y7GKff1Q==,iv:pDw7pU6gEF8NYhsB/NN7Iutc8EaUmXzh7TU+ZG4+qmo=,tag:A6zS/evnWiNQtLDyxurR8g==,type:str]
|
||||
61825.key: ENC[AES256_GCM,data:gMEdUk7rU8Uw3TBekE6E3CbZGFJYzMLQ3acmMQ3MldL/czh/oA5Tqaj9vN7P1jZCHMBulUG0VR+g1RdSNodB/kpTzSXVwgiI5sOh5LU1S6hQXCK8TaHIQa0w6DWFS4Wq+K20/FEoqOl7QFH+RnaREMuskLe8Y4kuZWcaFobXpIeW/qksPiyXNWx0V8VhnciYGe9yIo3TYqzCtFrkx0u318bYfz8ytRq/c51MFdlQl8xaDX4UnJkjnZnzX6AeHtM1hIfmOwg/Hc5VzSu+0llCi3wfy/9/pBgnN1MhXFbMWnIuah6VwSpKKAboK/pIRAnkrKz8HPU4enGFUqoQZCctfWJjmbaBtLCfCZo4fMDaTVFMyKMSiQocTvjRZ6n2AAT0o6WrsaIwZMUU4/NIvK4nWk92RUnOcyTXM20ePl2kaKrtpOCWr30RbIasd3R3Cwd4+v/kqnl5,iv:CA8KtC+G4LMPEjbFswzEXHjoeGpj+x8vrT9xVD6zBeU=,tag:W6Brvu5lPnFnaCttXcCpww==,type:str]
|
||||
61825.private: ENC[AES256_GCM,data:MbhA2vMsEJYb0LmPKMi5N8FiTH8Ady2Ipeotqc0SjEKKYbXdbKNPxwkmm9Juyea6DPrIx/Y/evCbAKTdBLadq363Kv4St3dR8O4DA+zjmaG/P1wZZ/4tnkCfNVGPpJDp5NMQPW8fjFNxrITe+hTDI1K2q8Z8sIw2DE81PiivFM7P5BsG6o40lkaLLla6htP8lzY1jWgBpuC6yIYeX56H5Z1oALGns9YuFbgHSAXnpFg7EoSs9epuUfs2Iw==,iv:GIwdFzZmfNsjrgaNRjPF3UioJDpSjH542KP3c80ldEs=,tag:9JV5YgQM/SR+cCdJYX7Jhg==,type:str]
|
||||
me:
|
||||
shitallover:
|
||||
30477.key: ENC[AES256_GCM,data:l/CUl5t1hPDHwkJRBFSkKT18a519t7Zd05TpbM6AaQfjj9NnjAYvIYMS1a4mxQBjYJfPzav/WH2WY3BYFbv5UMcEMTRpFmhKRvE15TGOCwijcXaQzJCYR75X0bMhMe+gYv/iGSpNl7682jZHSxwRZLhaxAJk5Y+js75lTRWouASdinfFqf3cwOtuQ3EBWEjpbILJNr3qeLteUcAAccNtLOMKNK9Of/O570iRsrV6a3MMDRxwEuCzLPJHOT5+vOzrc4PAPqmPhlql8CTuQohJVpkY17B0jHluB99Ldnm3LiR6IGp+MwA9Kr0Z4a8kquLwvIg3Byjs2txH9tNTfi7GdPQmWVRZumQn8hth413BcOv8fq+ltYNU9lHqxRPcJ/WKxCR5+i/Wn857ovLwVaA9,iv:4e/QbNL6UybYr/EcH7YT2kYDdV5BmxibTdiO6l4+ntA=,tag:1MX8q5pBeABAANilrhB/Dw==,type:str]
|
||||
30477.private: ENC[AES256_GCM,data:djkzBTI2ndbdTeEehAeGXbMfId/38+dsIuGcCG2QcS238hRy1YFwLdcZ62vs9OH8a2+gjficGJv3KvzNMg6WD3dPN9NAZCw0DfNxHao1NYY1J3Anov1FxLFDkhUWW7+hqZ7jEDQToitttOjfXyqp9vzDDPUhCJeyhDAr57M4LXzxI5JwRaoNFPLSQgEnbTaTHYswcZ0IguFewgCVgi1Bm+OU5fq9JUz7SJ8C5dHNrqAgMV0=,iv:ZNXQky1/wBrMBG4v3cnI5CqDK452/wtd+ETlqBQfQHo=,tag:so4eI+YGFynneewbPQIVjA==,type:str]
|
||||
38310.key: ENC[AES256_GCM,data:KdyKXaKHN11ykfM8x2A8sJfLWMc6WqF8/RhmNdTb4KRoaKQ8hRNz2qmOSrngChE2BbRRepxRLsyOyHN7ubroXAj6HQIhTq/div8AHFvOdxoexEXmXKCDEbjwR52wPbwIb7i9zaGSNUCgKSqyOt/awqoeAUHBOtIzSn5G8iNnwAB8IZjm43sfgmSSB4aSMWbeaslPoE83R23zQE/2fpcwyE2VoOarLThGtj1t02acaSAuIgGg24K5nRZfRKiAXP1qkMguT7ky/xZHglmtlzuXGEqbfIIce7criaodXJxBth2WejXmx8QWOCJuUEDGbofC/FQrLMrFXThY9FKLD0KeOD0cwBvfjhw03Qu7NHhvqpxMCewE5La//1F1GrKxuIIHeEiB1qQjh5Ca3v01c6g=,iv:XgeknLHlEjXa7YX0FvcSRZKXGu1kAIQfmYVXWMJC0gc=,tag:Hpp3CGKKwrdI+KgHrIn0qQ==,type:str]
|
||||
38310.private: ENC[AES256_GCM,data:oztry2i/lpARTUg7dXAYNP4dNg9HN24rtBQnCA956yLnn36uS8aadOQ6matrZV5UOSuvPej1KsRoHPGc2m00yI55eJEYVke0MGxyMSL1EQR/vJQ4B/e+PfrspcLuNM3FaFU/gJfCGfnaaPPnqs4xCydOWl23Nn4aTbPPmnbLHsiY/O+V6mORHah9aWM+Nw4RL/A3aDTSOychj1f0oozvUfhvR2sB1uR/DAVwVmWiu5zv0pA=,iv:/WhcX0VLmANjoVwM/3Y1Fb/2Cwt1ltTeIXQ70EjvOy0=,tag:hJsg8DSEaQZb35o6Xekymg==,type:str]
|
||||
rs:
|
||||
chir:
|
||||
32969.key: ENC[AES256_GCM,data:OE56/Q9eFh1sKSAAkeEcr6J+jtkfWa1jwYrvEXHBEThuSxFgmbfFeia4ZNQ4ZeotMOFx0BYcxGhPCCSlIpXQA0CFWV2c5WyzRxgVyrVkRiFfiy7jXfP4hPrE9pw8xFPX2W573MCroMhhXIHzbvKDHkdVJQ7M7dnfi46OGWe121kar5kmLneMvgtNRFVCcrL6fcQSR6sTibr8gVlKj6sneto9Dm+WRasjpo207swsSgjabdJoxmBUvvHFJBmAIaIaVPYqPIM20FGujqjywSMEzq+fLGhL+xsjYe44IR7Lag4Ui+kCll/X6LryFAIXBrp7os4wglqXfbkahST4x8FzNnHIJQocxKxbQa4zrmeQvKZml20DtBZZJvj+cAkEHsYG5uL6pJVxtWUtKPRQpUteSnME2bNkL3up62BYQ/zUXz6ptrma2iCMm3pZG/06,iv:aE7F5Zzk0/GOj/Vs1hajs5QxpTjnAvI/f7yJaMhN7/c=,tag:p/ROFt050dMG/r/kB939og==,type:str]
|
||||
|
@ -82,8 +88,8 @@ sops:
|
|||
N1lNTTRhSDFsczd4VjNudUU2NEt4MUEKdVJIJmaoGcwUHa0BGB45jqYnm9aPVZxP
|
||||
dl1vkMx8EAiKhWKbBwQm5fFZcNh371rspGE7KOXmwNbNWef5bVfHpQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-12-07T10:10:35Z"
|
||||
mac: ENC[AES256_GCM,data:UiENOfBCIQ3XZbhuQDumNH8TCm1iYQl75AIM0Hk7gsduH62J66914joXfX3D0qdmGaO9V9RoU+YZySTe0bJJXTsbQBV1ZMFfQFWMfDZCWprSYY0w+VA3aeFicrXOkJrvkDL0RklkNZRthiVvA/K0jIcOc9a3KhQ4AYg4NvpuK4o=,iv:D992NSKogA/St7mJXKKVi5fxcjyW+n2lqbgim54ABQI=,tag:jEH6qPDA/C79XSQ5AkWVuw==,type:str]
|
||||
lastmodified: "2022-12-14T16:46:00Z"
|
||||
mac: ENC[AES256_GCM,data:SZUAvmTDVMfzCU8j9FS4zGIHUpwyHFYC2ybPrgiISOO4ka1LAR+8FgsY9SAkI0to6BV/Ha6sf8GyTYzJhtwnhDiTzsd0nmi+ZRJHVb7wZfvUEsKr69XoYhjx4cO3hhCIhBgminxqctSnx4wtR4mxtoisTImm6hxbZOW4FL3Tbu4=,iv:5Qo/fYBph6pbhNTS44ibuyMbli4ojMeGQkQVdtMveRo=,tag:w4xzhjFXiuJT9Jw0ELUXTg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-02-02T17:50:42Z"
|
||||
enc: |
|
||||
|
|
|
@ -11,6 +11,50 @@ with dns.lib.combinators; let
|
|||
then {subdomains = a.subdomains // b.subdomains;}
|
||||
else {}
|
||||
);
|
||||
oracleBase = {
|
||||
A = [
|
||||
(ttl zoneTTL (a "130.162.60.127"))
|
||||
];
|
||||
AAAA = [
|
||||
(ttl zoneTTL (aaaa "2603:c020:8009:f100:f09a:894d:ef57:a278"))
|
||||
];
|
||||
SSHFP = [
|
||||
{
|
||||
algorithm = "rsa";
|
||||
mode = "sha1";
|
||||
fingerprint = "b44a837703b22d8cbc2ca4e7019af4bcb0185348";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
{
|
||||
algorithm = "rsa";
|
||||
mode = "sha256";
|
||||
fingerprint = "8f276ce01188fdd2bbf2aaa03d477c58c911a6c1f9bee3f8ab35ca4b42aa19a9";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
{
|
||||
algorithm = "ed25519";
|
||||
mode = "sha1";
|
||||
fingerprint = "8dfd784c5f239822b086dc4fa7c058f260331e5d";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
{
|
||||
algorithm = "ed25519";
|
||||
mode = "sha256";
|
||||
fingerprint = "82d51bd3ab43af3b94801c6b68812c4f1db013ac5b53a466fbcdbb955de6d3e5";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
];
|
||||
HTTPS = [
|
||||
{
|
||||
svcPriority = 1;
|
||||
targetName = ".";
|
||||
alpn = ["http/1.1" "h2" "h3"];
|
||||
ipv4hint = ["130.162.60.127"];
|
||||
ipv6hint = ["2603:c020:8009:f100:f09a:894d:ef57:a278"];
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
];
|
||||
};
|
||||
zoneBase = {
|
||||
A = [
|
||||
(ttl zoneTTL (a "138.201.155.128"))
|
||||
|
@ -44,28 +88,6 @@ with dns.lib.combinators; let
|
|||
ttl = zoneTTL;
|
||||
}
|
||||
];
|
||||
/*
|
||||
subdomains = {
|
||||
_tcp.subdomains."*".TLSA = [
|
||||
{
|
||||
certUsage = "dane-ee";
|
||||
selector = "spki";
|
||||
match = "sha256";
|
||||
certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
];
|
||||
_udp.subdomains."*".TLSA = [
|
||||
{
|
||||
certUsage = "dane-ee";
|
||||
selector = "spki";
|
||||
match = "sha256";
|
||||
certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
];
|
||||
};
|
||||
*/
|
||||
HTTPS = [
|
||||
{
|
||||
svcPriority = 1;
|
||||
|
@ -102,11 +124,17 @@ with dns.lib.combinators; let
|
|||
SOA = {
|
||||
nameServer = "ns1.chir.rs.";
|
||||
adminEmail = "lotte@chir.rs";
|
||||
serial = 21;
|
||||
serial = 22;
|
||||
};
|
||||
NS = [
|
||||
"ns1.chir.rs."
|
||||
"ns2.chir.rs."
|
||||
"ns3.chir.rs."
|
||||
"ns4.chir.rs."
|
||||
"ns1.darkkirb.de."
|
||||
"ns2.darkkirb.de."
|
||||
"ns1.shitallover.me."
|
||||
"ns2.shitallover.me."
|
||||
];
|
||||
MX = [
|
||||
(ttl zoneTTL (mx.mx 10 "mail.chir.rs."))
|
||||
|
@ -179,6 +207,8 @@ with dns.lib.combinators; let
|
|||
mc = createZone {};
|
||||
ns1 = createZone {};
|
||||
ns2 = createZone {};
|
||||
ns3 = createZone oracleBase;
|
||||
ns4 = createZone oracleBase;
|
||||
hydra = createZone {};
|
||||
mastodon = createZone {};
|
||||
mastodon-assets.CNAME = [
|
||||
|
@ -198,6 +228,12 @@ with dns.lib.combinators; let
|
|||
delegateTo [
|
||||
"ns1.chir.rs."
|
||||
"ns2.chir.rs."
|
||||
"ns3.chir.rs."
|
||||
"ns4.chir.rs."
|
||||
"ns1.darkkirb.de."
|
||||
"ns2.darkkirb.de."
|
||||
"ns1.shitallover.me."
|
||||
"ns2.shitallover.me."
|
||||
]
|
||||
// {
|
||||
DS = [
|
||||
|
@ -212,6 +248,12 @@ with dns.lib.combinators; let
|
|||
_acme-challenge = delegateTo [
|
||||
"ns1.chir.rs."
|
||||
"ns2.chir.rs."
|
||||
"ns3.chir.rs."
|
||||
"ns4.chir.rs."
|
||||
"ns1.darkkirb.de."
|
||||
"ns2.darkkirb.de."
|
||||
"ns1.shitallover.me."
|
||||
"ns2.shitallover.me."
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
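Review bot: The `oracleBase` host template (A/AAAA, four SSHFP fingerprints and the HTTPS record, starting at `oracleBase = {` in `@ -11,6 +11,50 @@`) is added verbatim to this file (presumably zones/chir.rs.nix), again to the following section (presumably zones/darkkirb.de.nix) and to the new zones/shitallover.me.nix, alongside the already duplicated `merge`/`zoneBase` boilerplate. Moving it into one shared file under zones/ that each zone imports would keep the host's addresses and SSHFP fingerprints in a single place; with three copies, a host-key rotation applied to only one zone leaves clients that verify via SSHFP against a stale record in the others. The new `ns3`/`ns4` NS entries do get their glue from `ns3 = createZone oracleBase;` and `ns4 = createZone oracleBase;`, so that part is consistent.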
@ -11,6 +11,50 @@ with dns.lib.combinators; let
|
|||
then {subdomains = a.subdomains // b.subdomains;}
|
||||
else {}
|
||||
);
|
||||
oracleBase = {
|
||||
A = [
|
||||
(ttl zoneTTL (a "130.162.60.127"))
|
||||
];
|
||||
AAAA = [
|
||||
(ttl zoneTTL (aaaa "2603:c020:8009:f100:f09a:894d:ef57:a278"))
|
||||
];
|
||||
SSHFP = [
|
||||
{
|
||||
algorithm = "rsa";
|
||||
mode = "sha1";
|
||||
fingerprint = "b44a837703b22d8cbc2ca4e7019af4bcb0185348";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
{
|
||||
algorithm = "rsa";
|
||||
mode = "sha256";
|
||||
fingerprint = "8f276ce01188fdd2bbf2aaa03d477c58c911a6c1f9bee3f8ab35ca4b42aa19a9";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
{
|
||||
algorithm = "ed25519";
|
||||
mode = "sha1";
|
||||
fingerprint = "8dfd784c5f239822b086dc4fa7c058f260331e5d";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
{
|
||||
algorithm = "ed25519";
|
||||
mode = "sha256";
|
||||
fingerprint = "82d51bd3ab43af3b94801c6b68812c4f1db013ac5b53a466fbcdbb955de6d3e5";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
];
|
||||
HTTPS = [
|
||||
{
|
||||
svcPriority = 1;
|
||||
targetName = ".";
|
||||
alpn = ["http/1.1" "h2" "h3"];
|
||||
ipv4hint = ["130.162.60.127"];
|
||||
ipv6hint = ["2603:c020:8009:f100:f09a:894d:ef57:a278"];
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
];
|
||||
};
|
||||
zoneBase = {
|
||||
A = [
|
||||
(ttl zoneTTL (a "138.201.155.128"))
|
||||
|
@ -44,28 +88,6 @@ with dns.lib.combinators; let
|
|||
ttl = zoneTTL;
|
||||
}
|
||||
];
|
||||
/*
|
||||
subdomains = {
|
||||
_tcp.subdomains."*".TLSA = [
|
||||
{
|
||||
certUsage = "dane-ee";
|
||||
selector = "spki";
|
||||
match = "sha256";
|
||||
certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
];
|
||||
_udp.subdomains."*".TLSA = [
|
||||
{
|
||||
certUsage = "dane-ee";
|
||||
selector = "spki";
|
||||
match = "sha256";
|
||||
certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f";
|
||||
ttl = zoneTTL;
|
||||
}
|
||||
];
|
||||
};
|
||||
*/
|
||||
HTTPS = [
|
||||
{
|
||||
svcPriority = 1;
|
||||
|
@ -100,13 +122,19 @@ with dns.lib.combinators; let
|
|||
createZone = merge zoneBase;
|
||||
zone = createZone {
|
||||
SOA = {
|
||||
nameServer = "ns1.chir.rs.";
|
||||
nameServer = "ns1.darkkirb.de.";
|
||||
adminEmail = "lotte@chir.rs";
|
||||
serial = 2;
|
||||
serial = 3;
|
||||
};
|
||||
NS = [
|
||||
"ns1.chir.rs."
|
||||
"ns2.chir.rs."
|
||||
"ns3.chir.rs."
|
||||
"ns4.chir.rs."
|
||||
"ns1.darkkirb.de."
|
||||
"ns2.darkkirb.de."
|
||||
"ns1.shitallover.me."
|
||||
"ns2.shitallover.me."
|
||||
];
|
||||
MX = [
|
||||
(ttl zoneTTL (mx.mx 10 "mail.chir.rs."))
|
||||
|
@ -179,11 +207,17 @@ with dns.lib.combinators; let
|
|||
_acme-challenge = delegateTo [
|
||||
"ns1.chir.rs."
|
||||
"ns2.chir.rs."
|
||||
"ns3.chir.rs."
|
||||
"ns4.chir.rs."
|
||||
"ns1.darkkirb.de."
|
||||
"ns2.darkkirb.de."
|
||||
"ns1.shitallover.me."
|
||||
"ns2.shitallover.me."
|
||||
];
|
||||
www = createZone {};
|
||||
static = createZone {};
|
||||
ns1 = createZone {};
|
||||
ns2 = createZone {};
|
||||
ns2 = createZone oracleBase;
|
||||
};
|
||||
};
|
||||
in
|
||||
|
|
|
@ -15,11 +15,17 @@ in {
|
|||
SOA = {
|
||||
nameServer = "ns1.chir.rs.";
|
||||
adminEmail = "lotte@chir.rs";
|
||||
serial = 18;
|
||||
serial = 19;
|
||||
};
|
||||
NS = [
|
||||
"ns1.chir.rs."
|
||||
"ns2.chir.rs."
|
||||
"ns3.chir.rs."
|
||||
"ns4.chir.rs."
|
||||
"ns1.darkkirb.de."
|
||||
"ns2.darkkirb.de."
|
||||
"ns1.shitallover.me."
|
||||
"ns2.shitallover.me."
|
||||
];
|
||||
DNSKEY = [
|
||||
{
|
||||
|
@ -268,6 +274,12 @@ in {
|
|||
_acme-challenge = delegateTo [
|
||||
"ns1.chir.rs."
|
||||
"ns2.chir.rs."
|
||||
"ns3.chir.rs."
|
||||
"ns4.chir.rs."
|
||||
"ns1.darkkirb.de."
|
||||
"ns2.darkkirb.de."
|
||||
"ns1.shitallover.me."
|
||||
"ns2.shitallover.me."
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
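--- a/zones/shitallover.me.nix
+++ b/zones/shitallover.me.nix
@@ -0,0 +1,209 @@
+{
+dns ? (import (builtins.fetchTarball "https://github.com/DarkKirb/dns.nix/archive/master.zip")).outputs,
+zoneTTL ? 3600,
+}:
+with dns.lib.combinators; let
+inherit (builtins) hasAttr;
+merge = a: b:
+(a // b)
+// (
+if ((hasAttr "subdomains" a) && (hasAttr "subdomains" b))
+then {subdomains = a.subdomains // b.subdomains;}
+else {}
+);
+oracleBase = {
+A = [
+(ttl zoneTTL (a "130.162.60.127"))
+];
+AAAA = [
+(ttl zoneTTL (aaaa "2603:c020:8009:f100:f09a:894d:ef57:a278"))
+];
+SSHFP = [
+{
+algorithm = "rsa";
+mode = "sha1";
+fingerprint = "b44a837703b22d8cbc2ca4e7019af4bcb0185348";
+ttl = zoneTTL;
+}
+{
+algorithm = "rsa";
+mode = "sha256";
+fingerprint = "8f276ce01188fdd2bbf2aaa03d477c58c911a6c1f9bee3f8ab35ca4b42aa19a9";
+ttl = zoneTTL;
+}
+{
+algorithm = "ed25519";
+mode = "sha1";
+fingerprint = "8dfd784c5f239822b086dc4fa7c058f260331e5d";
+ttl = zoneTTL;
+}
+{
+algorithm = "ed25519";
+mode = "sha256";
+fingerprint = "82d51bd3ab43af3b94801c6b68812c4f1db013ac5b53a466fbcdbb955de6d3e5";
+ttl = zoneTTL;
+}
+];
+HTTPS = [
+{
+svcPriority = 1;
+targetName = ".";
+alpn = ["http/1.1" "h2" "h3"];
+ipv4hint = ["130.162.60.127"];
+ipv6hint = ["2603:c020:8009:f100:f09a:894d:ef57:a278"];
+ttl = zoneTTL;
+}
+];
+};
+zoneBase = {
+A = [
+(ttl zoneTTL (a "138.201.155.128"))
+];
+AAAA = [
+(ttl zoneTTL (aaaa "2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49"))
+];
+SSHFP = [
+{
+algorithm = "rsa";
+mode = "sha1";
+fingerprint = "97b910c37194cd98e7edca2d68104f4531721c22";
+ttl = zoneTTL;
+}
+{
+algorithm = "rsa";
+mode = "sha256";
+fingerprint = "7915470f9275116889d5ca1fdbea20416d8372636c3d63653b272308608cf70f";
+ttl = zoneTTL;
+}
+{
+algorithm = "ed25519";
+mode = "sha1";
+fingerprint = "1aff467e745a8d68ba032dd3d54597e10d31ccf8";
+ttl = zoneTTL;
+}
+{
+algorithm = "ed25519";
+mode = "sha256";
+fingerprint = "e6dcdb73dc381ee2b354528cdaf8552364e75c34316d7e0c9819801daea5c951";
+ttl = zoneTTL;
+}
+];
+HTTPS = [
+{
+svcPriority = 1;
+targetName = ".";
+alpn = ["http/1.1" "h2" "h3"];
+ipv4hint = ["138.201.155.128"];
+ipv6hint = ["2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49"];
+ttl = zoneTTL;
+}
+];
+CAA = [
+{
+issuerCritical = false;
+tag = "issue";
+value = "letsencrypt.org";
+ttl = zoneTTL;
+}
+{
+issuerCritical = false;
+tag = "issuewild";
+value = "letsencrypt.org";
+ttl = zoneTTL;
+}
+{
+issuerCritical = false;
+tag = "iodef";
+value = "mailto:lotte@chir.rs";
+ttl = zoneTTL;
+}
+];
+};
+createZone = merge zoneBase;
+zone = createZone {
+SOA = {
+nameServer = "ns1.shitallover.me.";
+adminEmail = "lotte@chir.rs";
+serial = 1;
+};
+NS = [
+"ns1.chir.rs."
+"ns2.chir.rs."
+"ns3.chir.rs."
+"ns4.chir.rs."
+"ns1.darkkirb.de."
+"ns2.darkkirb.de."
+"ns1.shitallover.me."
+"ns2.shitallover.me."
+];
+MX = [
+(ttl zoneTTL (mx.mx 10 "mail.chir.rs."))
+];
+SRV = [
+{
+service = "submission";
+proto = "tcp";
+port = 587;
+target = "mail.chir.rs.";
+}
+{
+service = "imap";
+proto = "tcp";
+port = 143;
+target = "mail.chir.rs.";
+}
+{
+service = "imaps";
+proto = "tcp";
+port = 993;
+target = "mail.chir.rs.";
+}
+{
+service = "pop3";
+proto = "tcp";
+port = 110;
+target = "mail.chir.rs.";
+}
+{
+service = "pop3s";
+proto = "tcp";
+port = 995;
+target = "mail.chir.rs.";
+}
+];
+TXT = [
+(ttl zoneTTL (txt "v=spf1 ip4:138.201.155.128 ip6:2a01:4f8:1c17:d953/64 -all"))
+(ttl zoneTTL (txt "google-site-verification=f2XWRDvD4F99pM7ux7sMtVJ9ZGtjKRLI_rfcO2IWIMI"))
+];
+DNSKEY = [
+{
+flags.zoneSigningKey = true;
+flags.secureEntryPoint = true;
+algorithm = "ecdsap256sha256";
+publicKey = "FZklP7KowbXVjfkT5ndAE60QFvaKoghhLY2TavukRBGFA8pyGm+ce9QHekbrjE14q8sb5x0uXl4VdyDIUNZ3XQ==";
+ttl = zoneTTL;
+}
+{
+flags.zoneSigningKey = true;
+algorithm = "ecdsap256sha256";
+publicKey = "WH9JM7Qvi2Hz3bCp7O5/WFLNdKUA/2aUkQqByfhaItfqoAm+hw6x4Qj8+umu5EDyo2A/HD/h9b/eO3zVq6pebw==";
+}
+];
+subdomains = {
+_acme-challenge = delegateTo [
+"ns1.chir.rs."
+"ns2.chir.rs."
+"ns3.chir.rs."
+"ns4.chir.rs."
+"ns1.darkkirb.de."
+"ns2.darkkirb.de."
+"ns1.shitallover.me."
+"ns2.shitallover.me."
+];
+www = createZone {};
+ns1 = createZone {};
+ns2 = createZone oracleBase;
+};
+};
+in
+zone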
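Review bot: The default for the `dns` argument, `builtins.fetchTarball "https://github.com/DarkKirb/dns.nix/archive/master.zip"`, fetches a moving branch with no `sha256`, so evaluating this file without an explicit `dns` (named.nix does pass `{inherit dns;}`, so the default is only a fallback) downloads and evaluates whatever that archive contains at the time; pinning it, e.g. `builtins.fetchTarball { url = "https://github.com/DarkKirb/dns.nix/archive/<rev-placeholder>.tar.gz"; sha256 = "<sha256-placeholder>"; }`, or dropping the default so callers must supply `dns`, closes that. The two DNSKEY entries differ in that the KSK sets `ttl = zoneTTL;` while the ZSK entry (`publicKey = "WH9J…"`) does not; if that is unintentional, adding `ttl = zoneTTL;` keeps both keys on the zone TTL. The `serial = 1;` here is hand-maintained like the serials in the other zone files and has to be bumped on every change to the zone contents, which a short comment next to it would make explicit.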