Diffstat (limited to '')
-rw-r--r-- | modules/nixos/nsd.nix | 342 |
1 files changed, 179 insertions, 163 deletions
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index ae72f1d..f44a2a0 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -5,9 +5,11 @@ this, ... }:
-with lib; let
+with lib;
+let
 cfg = config.nixfiles.modules.nsd;
-in {
+in
+{
 options.nixfiles.modules.nsd = { enable = mkEnableOption "NSD"; 
@@ -19,194 +21,208 @@ in { }; config = mkIf cfg.enable { - nixfiles.modules.nginx = let - domain = my.domain.shire; - in { - enable = true; - virtualHosts = mapAttrs' (_: v: - nameValuePair "mta-sts.${v}" { - locations."= /.well-known/mta-sts.txt" = { - extraConfig = '' - add_header default_type text/plain; - ''; - return = "200 '${concatStringsSep "\\r\\n" [ - "version: STSv1" - "mode: enforce" - "max_age: 2419200" - "mx: ${domain}" - ]}'"; - }; - }) - my.domain; - }; + nixfiles.modules.nginx = + let + domain = my.domain.shire; + in + { + enable = true; + virtualHosts = mapAttrs' ( + _: v: + nameValuePair "mta-sts.${v}" { + locations."= /.well-known/mta-sts.txt" = { + extraConfig = '' + add_header default_type text/plain; + ''; + return = "200 '${ + concatStringsSep "\\r\\n" [ + "version: STSv1" + "mode: enforce" + "max_age: 2419200" + "mx: ${domain}" + ] + }'"; + }; + } + ) my.domain; + }; services = { nsd = { enable = true; - interfaces = with this; [ipv4.address ipv6.address]; + interfaces = with this; [ + ipv4.address + ipv6.address + ]; ipTransparent = true; ratelimit.enable = true; - zones = let - dns = inputs.dns.lib; - in - with dns.combinators; let - ips = hostname: - with my.configurations.${hostname}; { - A = [(a ipv4.address)]; - AAAA = [(aaaa ipv6.address)]; + zones = + let + dns = inputs.dns.lib; + in + with dns.combinators; + let + ips = + hostname: with my.configurations.${hostname}; { + A = [ (a ipv4.address) ]; + AAAA = [ (aaaa ipv6.address) ]; }; - mkEmailEntries = { - domain ? my.domain.shire, - dkimKey ? null, - }: { - MX = [(mx.mx 10 "${my.domain.shire}.")]; - TXT = [(spf.soft ["a"])]; - DMARC = [ - { - p = "quarantine"; - sp = "quarantine"; - rua = ["mailto:admin+rua@${domain}"]; - ruf = ["mailto:admin+ruf@${domain}"]; - } - ]; - DKIM = optional (dkimKey != null) { - selector = "mail"; - p = dkimKey; + mkEmailEntries = + { + domain ? my.domain.shire, + dkimKey ? 
null, + }: + { + MX = [ (mx.mx 10 "${my.domain.shire}.") ]; + TXT = [ (spf.soft [ "a" ]) ]; + DMARC = [ + { + p = "quarantine"; + sp = "quarantine"; + rua = [ "mailto:admin+rua@${domain}" ]; + ruf = [ "mailto:admin+ruf@${domain}" ]; + } + ]; + DKIM = optional (dkimKey != null) { + selector = "mail"; + p = dkimKey; + }; + subdomains._mta-sts.TXT = [ "v=STSv1; id=20230506134541Z" ]; }; - subdomains._mta-sts.TXT = ["v=STSv1; id=20230506134541Z"]; - }; - mkZone = { - domain, - sldIps ? (ips "manwe"), - extra ? {}, - }: { - ${domain}.data = dns.toString domain (mkMerge [ - { - TTL = 60 * 60; + mkZone = + { + domain, + sldIps ? (ips "manwe"), + extra ? { }, + }: + { + ${domain}.data = dns.toString domain (mkMerge [ + { + TTL = 60 * 60; - SOA = { - nameServer = "${cfg.fqdn}."; - adminEmail = "admin+dns@${my.domain.shire}"; - serial = 2022091601; # Don't forget to bump the revision! - }; + SOA = { + nameServer = "${cfg.fqdn}."; + adminEmail = "admin+dns@${my.domain.shire}"; + serial = 2022091601; # Don't forget to bump the revision! 
+ }; - NS = with my.domain; [ - "ns1.${shire}" - # "ns2.${shire}" - ]; + NS = with my.domain; [ + "ns1.${shire}" + # "ns2.${shire}" + ]; - CAA = letsEncrypt "admin+caa@${my.domain.shire}"; - } - sldIps - extra - ]); - }; + CAA = letsEncrypt "admin+caa@${my.domain.shire}"; + } + sldIps + extra + ]); + }; # https://ariadne.id/ # https://docs.keyoxide.org/service-providers/dns/ - ariadneIdProof.TXT = ["openpgp4fpr:${my.pgp.fingerprint}"]; + ariadneIdProof.TXT = [ "openpgp4fpr:${my.pgp.fingerprint}" ]; in - mkMerge [ - (mkZone rec { - domain = my.domain.shire; - extra = mkMerge [ - (mkEmailEntries { - inherit domain; - dkimKey = "@DKIM_KEY@"; - }) - { - subdomains = rec { - manwe = ips "manwe"; - "*.manwe" = manwe; - varda = ips "varda"; - "*.varda" = varda; - yavanna = ips "yavanna"; - "*.yavanna" = yavanna; - - mta-sts = manwe; - - ns1 = manwe; - # ns2 = varda; - - alertmanager = manwe; - bitwarden = manwe; - git = manwe; - grafana = manwe; - loki = manwe; - ntfy = manwe; - plausible = manwe; - prometheus = manwe; - radicale = manwe; - rss-bridge = manwe; - vaultwarden = manwe; - - flood = yavanna; - jackett = yavanna; - lidarr = yavanna; - }; - } - ]; - }) - (mkZone rec { - domain = my.domain.azahi; - extra = mkMerge [ - (mkEmailEntries { - inherit domain; - dkimKey = "@DKIM_KEY@"; - }) - ariadneIdProof - { - subdomains = { - mta-sts = ips "manwe"; + mkMerge [ + (mkZone rec { + domain = my.domain.shire; + extra = mkMerge [ + (mkEmailEntries { + inherit domain; + dkimKey = "@DKIM_KEY@"; + }) + { + subdomains = rec { + manwe = ips "manwe"; + "*.manwe" = manwe; + varda = ips "varda"; + "*.varda" = varda; + yavanna = ips "yavanna"; + "*.yavanna" = yavanna; + + mta-sts = manwe; + + ns1 = manwe; + # ns2 = varda; + + alertmanager = manwe; + bitwarden = manwe; + git = manwe; + grafana = manwe; + loki = manwe; + ntfy = manwe; + plausible = manwe; + prometheus = manwe; + radicale = manwe; + rss-bridge = manwe; + vaultwarden = manwe; + + flood = yavanna; + jackett = yavanna; + 
lidarr = yavanna; + }; + } + ]; + }) + (mkZone rec { + domain = my.domain.azahi; + extra = mkMerge [ + (mkEmailEntries { + inherit domain; + dkimKey = "@DKIM_KEY@"; + }) + ariadneIdProof + { + subdomains = { + mta-sts = ips "manwe"; - git = ips "manwe"; - }; - } - ]; - }) - (mkZone rec { - domain = my.domain.gondor; - extra = mkMerge [ - (mkEmailEntries { - inherit domain; - dkimKey = "@DKIM_KEY@"; - }) - { - subdomains = { - mta-sts = ips "manwe"; + git = ips "manwe"; + }; + } + ]; + }) + (mkZone rec { + domain = my.domain.gondor; + extra = mkMerge [ + (mkEmailEntries { + inherit domain; + dkimKey = "@DKIM_KEY@"; + }) + { + subdomains = { + mta-sts = ips "manwe"; - frodo = ips "manwe" // ariadneIdProof; - }; - } - ]; - }) - (mkZone rec { - domain = my.domain.rohan; - extra = mkMerge [ - (mkEmailEntries { - inherit domain; - dkimKey = "@DKIM_KEY@"; - }) - { - subdomains = { - mta-sts = ips "manwe"; + frodo = ips "manwe" // ariadneIdProof; + }; + } + ]; + }) + (mkZone rec { + domain = my.domain.rohan; + extra = mkMerge [ + (mkEmailEntries { + inherit domain; + dkimKey = "@DKIM_KEY@"; + }) + { + subdomains = { + mta-sts = ips "manwe"; - frodo = ips "manwe" // ariadneIdProof; - }; - } - ]; - }) - ]; + frodo = ips "manwe" // ariadneIdProof; + }; + } + ]; + }) + ]; }; fail2ban.jails.nsd.enabled = true; }; networking.firewall = rec { - allowedTCPPorts = [53]; + allowedTCPPorts = [ 53 ]; allowedUDPPorts = allowedTCPPorts; }; }; |