Diffstat (limited to 'modules/nsd.nix')
-rw-r--r-- | modules/nsd.nix | 101 |
1 files changed, 51 insertions, 50 deletions
diff --git a/modules/nsd.nix b/modules/nsd.nix
index 13cebe9..82dc16a 100644
--- a/modules/nsd.nix
+++ b/modules/nsd.nix
@@ -5,37 +5,36 @@
 this,
 ...
 }:
-with lib;
 let
 cfg = config.nixfiles.modules.nsd;
 in
 {
 options.nixfiles.modules.nsd = {
- enable = mkEnableOption "NSD";
+ enable = lib.mkEnableOption "NSD";
- fqdn = mkOption {
+ fqdn = lib.mkOption {
 description = "FQDN of this nameserver.";
- type = with types; str;
+ type = lib.types.str;
 default = "ns.${config.networking.domain}";
 };
 };
- config = mkIf cfg.enable {
+ config = lib.mkIf cfg.enable {
 nixfiles.modules.nginx =
 let
- domain = my.domain.shire;
+ domain = lib.my.domain.shire;
 in
 {
 enable = true;
- virtualHosts = mapAttrs' (
+ virtualHosts = lib.mapAttrs' (
 _: v:
- nameValuePair "mta-sts.${v}" {
+ lib.nameValuePair "mta-sts.${v}" {
 locations."= /.well-known/mta-sts.txt" = {
 extraConfig = ''
 add_header default_type text/plain;
 '';
 return = "200 '${
- concatStringsSep "\\r\\n" [
+ lib.concatStringsSep "\\r\\n" [
 "version: STSv1"
 "mode: enforce"
 "max_age: 2419200"
@@ -44,7 +43,7 @@ in
 }'";
 };
 }
- ) my.domain;
+ ) lib.my.domain;
 };
 services = {
@@ -58,31 +57,31 @@ in
 ratelimit.enable = true;
 zones =
- with dns.combinators;
+ with lib.dns.combinators;
 let
 ips =
- hostname: with my.configurations.${hostname}; {
+ hostname: with lib.my.configurations.${hostname}; {
 A = [ (a ipv4.address) ];
 AAAA = [ (aaaa ipv6.address) ];
 };
 mkEmailEntries =
 {
- domain ? my.domain.shire,
+ domain ? lib.my.domain.shire,
 dkimKey ? null,
 }:
 {
- MX = [ (mx.mx 10 "${my.domain.shire}.") ];
+ MX = [ (mx.mx 10 "${lib.my.domain.shire}.") ];
 TXT = [ (spf.soft [ "a" ]) ];
 DMARC = [
 {
 p = "quarantine";
 sp = "quarantine";
- rua = [ "mailto:admin+rua@${domain}" ];
- ruf = [ "mailto:admin+ruf@${domain}" ];
+ rua = [ "mailto:postmaster@${domain}" ];
+ ruf = [ "mailto:postmaster@${domain}" ];
 }
 ];
- DKIM = optional (dkimKey != null) {
+ DKIM = lib.optional (dkimKey != null) {
 selector = "mail";
 p = dkimKey;
 };
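Review bot: The DMARC `rua` and `ruf` URIs in mkEmailEntries now point at the same `postmaster@${domain}` mailbox, and nothing in the hunk records that failure (`ruf`) reports can carry headers and body fragments of the failing messages, unlike aggregate (`rua`) reports; the old `admin+rua`/`admin+ruf` sub-addresses at least let a reader tell the two streams apart. A one-line comment above `DMARC = [` such as `# rua (aggregate) and ruf (per-message failure) reports share the postmaster mailbox; ruf may include message content` would make the choice explicit. Since mkEmailEntries is also used for the azahi, gondor and rohan zones in the later hunks while MX stays on `${lib.my.domain.shire}.`, the shire MTA presumably has to accept `postmaster@` for every one of those domains — worth confirming. The commit drops the file-level `with lib;` but keeps `with lib.dns.combinators;` and `with lib.my.configurations.${hostname};`, so the unqualified `a`, `aaaa`, `mx` and `spf` names still rely on the kind of implicit scoping the rest of the change removes.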
@@ -96,36 +95,38 @@ in
 extra ? { },
 }:
 {
- ${domain}.data = dns.toString domain (mkMerge [
- {
- TTL = 60 * 60;
-
- SOA = {
- nameServer = "${cfg.fqdn}.";
- adminEmail = "admin+dns@${my.domain.shire}";
- serial = 2024010301; # Don't forget to bump the revision!
- };
-
- NS = with my.domain; [
- "ns1.${shire}"
- # "ns2.${shire}"
- ];
-
- CAA = letsEncrypt "admin+caa@${my.domain.shire}";
- }
- sldIps
- extra
- ]);
+ ${domain}.data = lib.dns.toString domain (
+ lib.mkMerge [
+ {
+ TTL = 60 * 60;
+
+ SOA = {
+ nameServer = "${cfg.fqdn}.";
+ adminEmail = "hostmaster@${lib.my.domain.shire}";
+ serial = 2025020201; # Don't forget to bump the revision!
+ };
+
+ NS = with lib.my.domain; [
+ "ns1.${shire}"
+ # "ns2.${shire}"
+ ];
+
+ CAA = letsEncrypt "hostmaster@${lib.my.domain.shire}";
+ }
+ sldIps
+ extra
+ ]
+ );
 };
 # https://ariadne.id/
 # https://docs.keyoxide.org/service-providers/dns/
- ariadneIdProof.TXT = [ "openpgp4fpr:${my.pgp.fingerprint}" ];
+ ariadneIdProof.TXT = [ "openpgp4fpr:${lib.my.pgp.fingerprint}" ];
 in
- mkMerge [
+ lib.mkMerge [
 (mkZone rec {
- domain = my.domain.shire;
- extra = mkMerge [
+ domain = lib.my.domain.shire;
+ extra = lib.mkMerge [
 (mkEmailEntries {
 inherit domain;
 dkimKey = "@DKIM_KEY@";
@@ -169,8 +170,8 @@ in
 ];
 })
 (mkZone rec {
- domain = my.domain.azahi;
- extra = mkMerge [
+ domain = lib.my.domain.azahi;
+ extra = lib.mkMerge [
 (mkEmailEntries {
 inherit domain;
 dkimKey = "@DKIM_KEY@";
@@ -186,8 +187,8 @@ in
 ];
 })
 (mkZone rec {
- domain = my.domain.gondor;
- extra = mkMerge [
+ domain = lib.my.domain.gondor;
+ extra = lib.mkMerge [
 (mkEmailEntries {
 inherit domain;
 dkimKey = "@DKIM_KEY@";
@@ -202,8 +203,8 @@ in
 ];
 })
 (mkZone rec {
- domain = my.domain.rohan;
- extra = mkMerge [
+ domain = lib.my.domain.rohan;
+ extra = lib.mkMerge [
 (mkEmailEntries {
 inherit domain;
 dkimKey = "@DKIM_KEY@";
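Review bot: The bumped `serial = 2025020201` in mkZone's SOA is a single hand-maintained value shared by every zone built through mkZone (shire here, azahi, gondor and rohan in the following hunks), but the `# Don't forget to bump the revision!` comment does not say so, and nothing here checks that a new value is greater than the previous one, which secondaries need before they will transfer a changed zone. I would expand the comment to `# appears to be YYYYMMDDNN; shared by every mkZone zone, so bump it on any zone change and never lower it`. The SOA `adminEmail` and the CAA contact both move to `hostmaster@${lib.my.domain.shire}`, so that mailbox has to be deliverable on the shire MX — presumably it is, but the hunk cannot show it. mkZone's definition starts before this hunk.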
@@ -228,12 +229,12 @@ in
 allowedUDPPorts = allowedTCPPorts;
 };
- topology = with cfg; {
+ topology = {
 nodes.${this.hostname}.services.nsd = {
 name = "NSD";
 icon = "${inputs.homelab-svg-assets}/assets/unbound.svg";
- details.listen.text = concatMapStringsSep "\n" (i: "${i}:53") (
- filter (i: i != "127.0.0.1" && i != "::1") config.services.nsd.interfaces
+ details.listen.text = lib.concatMapStringsSep "\n" (i: "${i}:53") (
+ lib.filter (i: i != "127.0.0.1" && i != "::1") config.services.nsd.interfaces
 );
 };
 };
|