1 files changed, 29 insertions, 5 deletions

diff --git a/zones/vhack.eu/zone.nix b/zones/vhack.eu/zone.nix
index a1e6d2e..36c71e4 100644
--- a/zones/vhack.eu/zone.nix
+++ b/zones/vhack.eu/zone.nix
@@ -14,6 +14,11 @@
     "2a03:4000:33:25b::4f4e"
   ];
 
+  NS = [
+    "name-server1.vhack.eu."
+    "name-server2.vhack.eu."
+  ];
+
   CAA = [
     {
       issuerCritical = false;
@@ -22,12 +27,26 @@
     }
   ];
 
+  # Mail section {{{
   MX = [
     {
       preference = 10;
-      exchange = "mail.foss-syndicate.org";
+      exchange = "mail.foss-syndicate.org.";
     }
   ];
+
+  # https://www.rfc-editor.org/rfc/rfc7208.html
+  TXT = [
+    (builtins.concatStringsSep " "
+      [
+        "v=spf1" # The version.
+        "+mx" # Allow mail from this domain MX record.
+        "-all" # Reject all other emails if the previous mechanism did not match.
+      ])
+  ];
+
+  # https://www.rfc-editor.org/rfc/rfc6376.html#section-3.6.1
+  # https://www.rfc-editor.org/rfc/rfc6376.html#section-7.5
   DKIM = [
     {
       selector = "mail";
@@ -37,16 +56,20 @@
       t = ["s"];
     }
   ];
+
+    # https://www.rfc-editor.org/rfc/rfc7489.html#section-6.3
   DMARC = [
     {
       adkim = "strict";
       aspf = "strict";
       fo = ["0" "1" "d" "s"];
-      p = "quarantine";
+      p = "reject";
       rua = "admin@foss-syndicate.org";
       ruf = ["admin@foss-syndicate.org"];
     }
   ];
+
+  # https://www.rfc-editor.org/rfc/rfc2782.txt
   SRV = [
     {
       service = "imaps";
@@ -73,11 +96,12 @@
       target = "mail.foss-syndicate.org";
     }
   ];
-  TXT = [
-    "v=spf1 +mx -all"
-  ];
+  # }}}
 
   subdomains = {
+    name-server1.CNAME = ["server2.vhack.eu."];
+    name-server2.CNAME = ["server3.vhack.eu."];
+
     dav.CNAME = ["server2.vhack.eu."];
     etebase.CNAME = ["server2.vhack.eu."];
     git.CNAME = ["server2.vhack.eu."];