author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-03-21 10:54:07 +0100 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-03-21 10:54:07 +0100 |
commit | fee260e3ee7b8d8436fa30d8bf13a6257cd8b8fa (patch) | |
tree | 0dd2f882dfaf09396f7e2bbf33fb23cefd7c00e0 | |
parent | zones: Provide a single entry point for all zones (diff) | |
download | nixos-server-fee260e3ee7b8d8436fa30d8bf13a6257cd8b8fa.zip |
zones/vhack.eu: Update to actually be a drop-in replacement for netcup's servers
Until now, our NS record was missing, and our MX record pointed to `mail.foss-syndicate.org.vhack.eu`.
-rw-r--r-- | zones/vhack.eu/zone.nix | 34 |
1 files changed, 29 insertions, 5 deletions
diff --git a/zones/vhack.eu/zone.nix b/zones/vhack.eu/zone.nix
index a1e6d2e..36c71e4 100644
--- a/zones/vhack.eu/zone.nix
+++ b/zones/vhack.eu/zone.nix
@@ -14,6 +14,11 @@
 "2a03:4000:33:25b::4f4e"
 ];
+ NS = [
+ "name-server1.vhack.eu."
+ "name-server2.vhack.eu."
+ ];
+
 CAA = [
 {
 issuerCritical = false;
@@ -22,12 +27,26 @@
 }
 ];
+ # Mail section {{{
 MX = [
 {
 preference = 10;
- exchange = "mail.foss-syndicate.org";
+ exchange = "mail.foss-syndicate.org.";
 }
 ];
+
+ # https://www.rfc-editor.org/rfc/rfc7208.html
+ TXT = [
+ (builtins.concatStringsSep " "
+ [
+ "v=spf1" # The version.
+ "+mx" # Allow mail from this domain MX record.
+ "-all" # Reject all other emails if the previous mechanism did not match.
+ ])
+ ];
+
+ # https://www.rfc-editor.org/rfc/rfc6376.html#section-3.6.1
+ # https://www.rfc-editor.org/rfc/rfc6376.html#section-7.5
 DKIM = [
 {
 selector = "mail";
@@ -37,16 +56,20 @@
 t = ["s"];
 }
 ];
+
+ # https://www.rfc-editor.org/rfc/rfc7489.html#section-6.3
 DMARC = [
 {
 adkim = "strict";
 aspf = "strict";
 fo = ["0" "1" "d" "s"];
- p = "quarantine";
+ p = "reject";
 rua = "admin@foss-syndicate.org";
 ruf = ["admin@foss-syndicate.org"];
 }
 ];
+
+ # https://www.rfc-editor.org/rfc/rfc2782.txt
 SRV = [
 {
 service = "imaps";
@@ -73,11 +96,12 @@
 target = "mail.foss-syndicate.org";
 }
 ];
- TXT = [
- "v=spf1 +mx -all"
- ];
+ # }}}
 subdomains = {
+ name-server1.CNAME = ["server2.vhack.eu."];
+ name-server2.CNAME = ["server3.vhack.eu."];
+
 dav.CNAME = ["server2.vhack.eu."];
 etebase.CNAME = ["server2.vhack.eu."];
 git.CNAME = ["server2.vhack.eu."]; |
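Review bot: The NS targets added in the first hunk, `name-server1.vhack.eu.` and `name-server2.vhack.eu.`, are defined in the last hunk only as `CNAME`s to `server2.vhack.eu.` and `server3.vhack.eu.`, and RFC 2181 section 10.3 does not allow an NS record to point at an alias. Resolvers and delegation checks may refuse or mishandle such name servers, which puts resolution of the whole zone at risk. Because the name servers live inside the zone they serve, they also need real address records that can be registered as glue at the parent, so `name-server1` and `name-server2` should carry `A`/`AAAA` entries with the addresses of the hosts they run on instead of `CNAME`. The `subdomains` set continues beyond the hunk, so the address records of `server2` and `server3` are not visible here.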
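Review bot: With `p = "reject"` in the third hunk, the `rua`/`ruf` reports become the main signal that legitimate mail is being refused, yet both go to `admin@foss-syndicate.org`, which is outside vhack.eu. RFC 7489 section 7.1 has report senders look for a `vhack.eu._report._dmarc.foss-syndicate.org` TXT record containing `v=DMARC1` before mailing reports to an external domain. That zone is not part of this change, so confirm the record exists there. A comment above `rua` such as `# external report target: requires vhack.eu._report._dmarc.foss-syndicate.org TXT "v=DMARC1"` would record the dependency.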
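Review bot: The SRV entry shown as context at the top of the last hunk still reads `target = "mail.foss-syndicate.org";` without the trailing dot, the same relative form this commit corrects for the MX `exchange`. If the zone generator treats SRV targets the way it treated the MX exchange, mail clients doing autodiscovery would be sent to `mail.foss-syndicate.org.vhack.eu`. Change it to `target = "mail.foss-syndicate.org.";` and check the other SRV entries too, since the `SRV` list starts before this hunk and is only partly visible.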