Diffstat (limited to '')
-rw-r--r--zones/default.nix3
-rw-r--r--zones/vhack.eu/zone.nix189
2 files changed, 192 insertions, 0 deletions
diff --git a/zones/default.nix b/zones/default.nix
new file mode 100644
index 0000000..babb531
--- /dev/null
+++ b/zones/default.nix
@@ -0,0 +1,3 @@
+{lib, ...}: {
+  "vhack.eu" = import ./vhack.eu/zone.nix {inherit lib;};
+}
diff --git a/zones/vhack.eu/zone.nix b/zones/vhack.eu/zone.nix
new file mode 100644
index 0000000..d647174
--- /dev/null
+++ b/zones/vhack.eu/zone.nix
@@ -0,0 +1,189 @@
+{lib, ...}: let
+  /*
+  Computes a reasonable value for the DNS serial number from the date of last change
+  and the iteration of that day.
+
+  # Type
+
+  mkSerial :: Number -> Number -> Number -> Number -> Number
+
+  # Arguments
+
+  year
+  : The year of the last change in the format YYYY.
+
+  month
+  : The month of the last change in the format MM.
+
+  day
+  : The day of the last change in the format DD.
+
+  iteration
+  : The number of change on that day. The format should be CC (assuming there are less
+    than 100 changes happening on a day) .
+
+  # Examples
+
+  mkSerial 2025 04 01 01
+  => 2025040101
+  */
+  mkSerial = year: month: day: iteration: let
+    n2 = lib.strings.fixedWidthNumber 2;
+    n4 = lib.strings.fixedWidthNumber 4;
+  in
+    lib.strings.toIntBase10 "${n4 year}${n2 month}${n2 day}${n2 iteration}";
+in {
+  SOA = {
+    nameServer = "name-server1.vhack.eu.";
+    adminEmail = "dns-admin@foss-syndicate.org";
+    # NOTE(@bpeetz): ALWAYS change the serial number, when you change something in the
+    # zone file! <2025-04-01>
+    serial = mkSerial 2025 04 11 01;
+  };
+  useOrigin = false;
+
+  # NOTE: matrix/mastodon need to have the point from `vhack.eu` to their IP <2025-03-10>
+  A = [
+    "92.60.38.179"
+  ];
+  AAAA = [
+    "2a03:4000:33:25b::4f4e"
+  ];
+
+  NS = [
+    "name-server1.vhack.eu."
+    "name-server2.vhack.eu."
+  ];
+
+  CAA = [
+    {
+      issuerCritical = false;
+      tag = "issue";
+      value = "letsencrypt.org";
+    }
+  ];
+
+  # Mail section {{{
+  MX = [
+    {
+      preference = 10;
+      exchange = "mail.vhack.eu.";
+    }
+    {
+      preference = 100;
+      exchange = "mail.foss-syndicate.org.";
+    }
+  ];
+
+  # https://www.rfc-editor.org/rfc/rfc7208.html
+  TXT = [
+    (builtins.concatStringsSep " "
+      [
+        "v=spf1" # The version.
+        "+mx" # Allow mail from this domain MX record.
+        "-all" # Reject all other emails if the previous mechanism did not match.
+      ])
+  ];
+
+  # https://www.rfc-editor.org/rfc/rfc6376.html#section-3.6.1
+  # https://www.rfc-editor.org/rfc/rfc6376.html#section-7.5
+  DKIM = [
+    {
+      selector = "mail";
+      k = "ed25519";
+      p = "U0eOxgLD3yK7PKzQRSZdJ3EH/UwVxPeYmfm42gYXsDg=";
+      s = ["email"];
+      t = ["s"];
+    }
+  ];
+
+  # https://www.rfc-editor.org/rfc/rfc7489.html#section-6.3
+  DMARC = [
+    {
+      adkim = "strict";
+      aspf = "strict";
+      fo = ["0" "1" "d" "s"];
+      p = "reject";
+      rua = "admin@foss-syndicate.org";
+      ruf = ["admin@foss-syndicate.org"];
+    }
+  ];
+
+  # https://www.rfc-editor.org/rfc/rfc2782.txt
+  SRV = [
+    {
+      service = "imaps";
+      proto = "tcp";
+      priority = 0;
+      weight = 1;
+      port = 993;
+      target = "mail.vhack.eu.";
+    }
+    {
+      service = "pop3s";
+      proto = "tcp";
+      priority = 0;
+      weight = 1;
+      port = 995;
+      target = "mail.vhack.eu.";
+    }
+    {
+      service = "smtps";
+      proto = "tcp";
+      priority = 0;
+      weight = 1;
+      port = 465;
+      target = "mail.vhack.eu.";
+    }
+  ];
+  # }}}
+
+  subdomains = {
+    name-server1.CNAME = ["server2.vhack.eu."];
+    name-server2.CNAME = ["server3.vhack.eu."];
+
+    source.CNAME = ["server2.vhack.eu."];
+
+    mail.CNAME = ["server3.vhack.eu."];
+
+    taskchampion.CNAME = ["server2.vhack.eu."];
+
+    dav.CNAME = ["server2.vhack.eu."];
+    etebase.CNAME = ["server2.vhack.eu."];
+    git.CNAME = ["server2.vhack.eu."];
+    invidious-router.CNAME = ["server2.vhack.eu."];
+
+    libreddit.CNAME = ["server2.vhack.eu."];
+    redlib.CNAME = ["server2.vhack.eu."];
+
+    nextcloud.CNAME = ["server2.vhack.eu."];
+
+    mastodon.CNAME = ["server3.vhack.eu."];
+    matrix.CNAME = ["server3.vhack.eu."];
+
+    miniflux.CNAME = ["server3.vhack.eu."];
+    rss.CNAME = ["server3.vhack.eu."];
+
+    mumble.CNAME = ["server3.vhack.eu."];
+    openpgpkey.CNAME = ["server3.vhack.eu."];
+    peertube.CNAME = ["server3.vhack.eu."];
+    trinitrix.CNAME = ["server3.vhack.eu."];
+
+    server2 = {
+      AAAA = [
+        "2a03:4000:a:106::1"
+      ];
+      A = [
+        "185.16.61.132"
+      ];
+    };
+    server3 = {
+      AAAA = [
+        "2a03:4000:33:25b::4f4e"
+      ];
+      A = [
+        "92.60.38.179"
+      ];
+    };
+  };
+}
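Review bot: The NS targets `name-server1` and `name-server2` are defined as CNAMEs (to `server2`/`server3`), and `mail`, which is the MX exchange and every SRV target, is a CNAME as well; RFC 2181 §10.3 and RFC 2782 require those owner names to carry address records, not aliases, so some resolvers and registrar glue checks will reject or misbehave on this zone. Since the hosts' A/AAAA records already exist under `server2` and `server3`, the simplest fix is to hoist those two attribute sets into the top-level `let` and bind `name-server1`, `name-server2` and `mail` to them directly, keeping the remaining service CNAMEs as they are. Because `subdomains` is a plain (non-`rec`) attribute set, the sharing has to go through the `let` rather than referencing `server2` inside the set. I would also add a one-line comment above those three bindings saying why they are not CNAMEs, so a later edit does not reintroduce the alias.
```nix
{lib, ...}: let
  # … unchanged: mkSerial …

  # Hosts used as NS, MX or SRV targets must own address records, not CNAMEs
  # (RFC 2181 §10.3, RFC 2782); defined once here and shared below.
  server2 = {
    A = ["185.16.61.132"];
    AAAA = ["2a03:4000:a:106::1"];
  };
  server3 = {
    A = ["92.60.38.179"];
    AAAA = ["2a03:4000:33:25b::4f4e"];
  };
in {
  # … unchanged: SOA, useOrigin, A, AAAA, NS, CAA, MX, TXT, DKIM, DMARC, SRV …

  subdomains = {
    # Not CNAMEs: these names are NS / MX / SRV targets.
    name-server1 = server2;
    name-server2 = server3;
    mail = server3;

    # … unchanged: source, taskchampion, dav, … trinitrix CNAME entries …

    inherit server2 server3;
  };
}
```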