authorAzat Bahawi <azat@bahawi.net>2024-04-21 02:15:42 +0300
committerAzat Bahawi <azat@bahawi.net>2024-04-21 02:15:42 +0300
commite6ed60548397627bf10f561f9438201dbba0a36e (patch)
treef9a84c5957d2cc4fcd148065ee9365a0c851ae1c /modules/nixos/nsd.nix
parent9ac64328603d44bd272175942d3ea3eaadcabd04 (diff)
2024-04-21
Diffstat (limited to 'modules/nixos/nsd.nix')
-rw-r--r--modules/nixos/nsd.nix229
1 files changed, 0 insertions, 229 deletions
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
deleted file mode 100644
index f44a2a0..0000000
--- a/modules/nixos/nsd.nix
+++ /dev/null
@@ -1,229 +0,0 @@
-{
- config,
- inputs,
- lib,
- this,
- ...
-}:
-with lib;
-let
- cfg = config.nixfiles.modules.nsd;
-in
-{
- options.nixfiles.modules.nsd = {
- enable = mkEnableOption "NSD";
-
- fqdn = mkOption {
- description = "FQDN of this nameserver.";
- type = with types; str;
- default = "ns.${config.networking.domain}";
- };
- };
-
- config = mkIf cfg.enable {
- nixfiles.modules.nginx =
- let
- domain = my.domain.shire;
- in
- {
- enable = true;
- virtualHosts = mapAttrs' (
- _: v:
- nameValuePair "mta-sts.${v}" {
- locations."= /.well-known/mta-sts.txt" = {
- extraConfig = ''
- add_header default_type text/plain;
- '';
- return = "200 '${
- concatStringsSep "\\r\\n" [
- "version: STSv1"
- "mode: enforce"
- "max_age: 2419200"
- "mx: ${domain}"
- ]
- }'";
- };
- }
- ) my.domain;
- };
-
- services = {
- nsd = {
- enable = true;
- interfaces = with this; [
- ipv4.address
- ipv6.address
- ];
- ipTransparent = true;
- ratelimit.enable = true;
-
- zones =
- let
- dns = inputs.dns.lib;
- in
- with dns.combinators;
- let
- ips =
- hostname: with my.configurations.${hostname}; {
- A = [ (a ipv4.address) ];
- AAAA = [ (aaaa ipv6.address) ];
- };
-
- mkEmailEntries =
- {
- domain ? my.domain.shire,
- dkimKey ? null,
- }:
- {
- MX = [ (mx.mx 10 "${my.domain.shire}.") ];
- TXT = [ (spf.soft [ "a" ]) ];
- DMARC = [
- {
- p = "quarantine";
- sp = "quarantine";
- rua = [ "mailto:admin+rua@${domain}" ];
- ruf = [ "mailto:admin+ruf@${domain}" ];
- }
- ];
- DKIM = optional (dkimKey != null) {
- selector = "mail";
- p = dkimKey;
- };
- subdomains._mta-sts.TXT = [ "v=STSv1; id=20230506134541Z" ];
- };
-
- mkZone =
- {
- domain,
- sldIps ? (ips "manwe"),
- extra ? { },
- }:
- {
- ${domain}.data = dns.toString domain (mkMerge [
- {
- TTL = 60 * 60;
-
- SOA = {
- nameServer = "${cfg.fqdn}.";
- adminEmail = "admin+dns@${my.domain.shire}";
- serial = 2022091601; # Don't forget to bump the revision!
- };
-
- NS = with my.domain; [
- "ns1.${shire}"
- # "ns2.${shire}"
- ];
-
- CAA = letsEncrypt "admin+caa@${my.domain.shire}";
- }
- sldIps
- extra
- ]);
- };
-
- # https://ariadne.id/
- # https://docs.keyoxide.org/service-providers/dns/
- ariadneIdProof.TXT = [ "openpgp4fpr:${my.pgp.fingerprint}" ];
- in
- mkMerge [
- (mkZone rec {
- domain = my.domain.shire;
- extra = mkMerge [
- (mkEmailEntries {
- inherit domain;
- dkimKey = "@DKIM_KEY@";
- })
- {
- subdomains = rec {
- manwe = ips "manwe";
- "*.manwe" = manwe;
- varda = ips "varda";
- "*.varda" = varda;
- yavanna = ips "yavanna";
- "*.yavanna" = yavanna;
-
- mta-sts = manwe;
-
- ns1 = manwe;
- # ns2 = varda;
-
- alertmanager = manwe;
- bitwarden = manwe;
- git = manwe;
- grafana = manwe;
- loki = manwe;
- ntfy = manwe;
- plausible = manwe;
- prometheus = manwe;
- radicale = manwe;
- rss-bridge = manwe;
- vaultwarden = manwe;
-
- flood = yavanna;
- jackett = yavanna;
- lidarr = yavanna;
- };
- }
- ];
- })
- (mkZone rec {
- domain = my.domain.azahi;
- extra = mkMerge [
- (mkEmailEntries {
- inherit domain;
- dkimKey = "@DKIM_KEY@";
- })
- ariadneIdProof
- {
- subdomains = {
- mta-sts = ips "manwe";
-
- git = ips "manwe";
- };
- }
- ];
- })
- (mkZone rec {
- domain = my.domain.gondor;
- extra = mkMerge [
- (mkEmailEntries {
- inherit domain;
- dkimKey = "@DKIM_KEY@";
- })
- {
- subdomains = {
- mta-sts = ips "manwe";
-
- frodo = ips "manwe" // ariadneIdProof;
- };
- }
- ];
- })
- (mkZone rec {
- domain = my.domain.rohan;
- extra = mkMerge [
- (mkEmailEntries {
- inherit domain;
- dkimKey = "@DKIM_KEY@";
- })
- {
- subdomains = {
- mta-sts = ips "manwe";
-
- frodo = ips "manwe" // ariadneIdProof;
- };
- }
- ];
- })
- ];
- };
-
- fail2ban.jails.nsd.enabled = true;
- };
-
- networking.firewall = rec {
- allowedTCPPorts = [ 53 ];
- allowedUDPPorts = allowedTCPPorts;
- };
- };
-}