From 6e26789f330fe34df54b56f06ba095ece4bd7128 Mon Sep 17 00:00:00 2001
From: Benedikt Peetz
Date: Mon, 10 Mar 2025 19:49:37 +0100
Subject: {hosts,zones}: Init dns zone for vhack.eu

---
 hosts/by-name/server2/configuration.nix | 9 +++
 hosts/by-name/server3/configuration.nix | 9 +++
 zones/vhack.eu/zone.nix | 119 ++++++++++++++++++++++++++++++++
 3 files changed, 137 insertions(+)
 create mode 100644 zones/vhack.eu/zone.nix

diff --git a/hosts/by-name/server2/configuration.nix b/hosts/by-name/server2/configuration.nix
index c373d28..b7b868f 100644
--- a/hosts/by-name/server2/configuration.nix
+++ b/hosts/by-name/server2/configuration.nix
@@ -26,6 +26,15 @@
 privatePassword = ./secrets/backup/backuppass.age;
 user = "u384702-sub3";
 };
+ dns = {
+ enable = true;
+ openFirewall = true;
+ interfaces = [
+ "185.16.61.132"
+ "2a03:4000:a:106::1"
+ ];
+ zones = import ../../../zones/vhack.eu/zone.nix {};
+ };
 etesync = {
 enable = true;
 secretFile = ./secrets/etesync/secret_file.age;
diff --git a/hosts/by-name/server3/configuration.nix b/hosts/by-name/server3/configuration.nix
index d819e81..e18d055 100644
--- a/hosts/by-name/server3/configuration.nix
+++ b/hosts/by-name/server3/configuration.nix
@@ -11,6 +11,15 @@
 privatePassword = ./secrets/backup/backuppass.age;
 user = "u384702-sub4";
 };
+ dns = {
+ enable = true;
+ openFirewall = true;
+ interfaces = [
+ "92.60.38.179"
+ "2a03:4000:33:25b::4f4e"
+ ];
+ zones = import ../../../zones/vhack.eu/zone.nix {};
+ };
 fail2ban.enable = true;
 nix-sync = {
 enable = true;
diff --git a/zones/vhack.eu/zone.nix b/zones/vhack.eu/zone.nix
new file mode 100644
index 0000000..31222f7
--- /dev/null
+++ b/zones/vhack.eu/zone.nix
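Review bot: The SOA `serial = 2025031001` is baked into the shared `zone.nix` that this hunk imports, and server3 imports the same file, so every later change to the zone must bump that serial and both hosts must be redeployed together; otherwise resolvers receive differing answers under one serial and any secondary that keys off the serial never refreshes. The `dns` module's options are project-local and not in this diff, so whether `openFirewall = true` opens 53/udp+tcp on every interface or only on the two addresses in `interfaces` cannot be told from here; a one-line comment above `dns = {`, along the lines of `# public authoritative DNS for vhack.eu; serves zones/vhack.eu/zone.nix, bump its SOA serial on every edit` (adjusted to what the module actually does), would make the intent reviewable. The enclosing attribute set starts and ends outside the hunk.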
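Review bot: The addresses `92.60.38.179` and `2a03:4000:33:25b::4f4e` added to `interfaces` here are repeated verbatim in zone.nix (the apex `A`/`AAAA` and the `server3` subdomain), and server2's pair likewise; since the zone file is already a function (`{...}:` called here with `{}`), passing the host addresses in as arguments, or reading both places from one shared attribute set, would keep the listener addresses and the published records from drifting apart. As written, a renumbering that touches this file but not the zone leaves the server listening on the new address while still advertising the old one. The enclosing attribute set starts and ends outside the hunk.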
@@ -0,0 +1,119 @@
+{...}: {
+ "vhack.eu" = {
+ SOA = {
+ nameServer = "name-server.foss-syndicate.org.";
+ adminEmail = "dns-admin@foss-syndicate.org";
+ serial = 2025031001;
+ };
+ useOrigin = false;
+
+ # TODO: Why are we using server3's IPs here? <2025-03-10>
+ A = [
+ "92.60.38.179"
+ ];
+ AAAA = [
+ "2a03:4000:33:25b::4f4e"
+ ];
+
+ CAA = [
+ {
+ issuerCritical = false;
+ tag = "issue";
+ value = "letsencrypt.org";
+ }
+ ];
+
+ MX = [
+ {
+ preference = 10;
+ exchange = "mail.foss-syndicate.org";
+ }
+ ];
+ DKIM = [
+ {
+ selector = "mail";
+ k = "rsa";
+ p = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8KXSkQD0ZFk3EetJ1qaoqevvdBoV93dRh5X2GCcc7hWBtLWtj31F3BefgfcrbdACVitdmJcRu7ed8qZMpxZM9pN5TrPMebAkjxMvMH554Wvi1FSwzuPSR724NHPKIgveU8pgiYffks5Mu1ejZmBvlnhXjpbDCEL1reWk+OtmB+QIDAQAB";
+ s = ["email"];
+ t = ["s"];
+ }
+ ];
+ DMARC = [
+ {
+ adkim = "strict";
+ aspf = "strict";
+ fo = ["0" "1" "d" "s"];
+ p = "quarantine";
+ rua = "admin@foss-syndicate.org";
+ ruf = ["admin@foss-syndicate.org"];
+ }
+ ];
+ SRV = [
+ {
+ service = "imaps";
+ proto = "tcp";
+ priority = 0;
+ weight = 1;
+ port = 993;
+ target = "mail.foss-syndicate.org";
+ }
+ {
+ service = "pop3s";
+ proto = "tcp";
+ priority = 0;
+ weight = 1;
+ port = 995;
+ target = "mail.foss-syndicate.org";
+ }
+ {
+ service = "smtps";
+ proto = "tcp";
+ priority = 0;
+ weight = 1;
+ port = 465;
+ target = "mail.foss-syndicate.org";
+ }
+ ];
+ TXT = [
+ "v=spf1 +mx -all"
+ ];
+
+ subdomains = {
+ dav.CNAME = ["server2.vhack.eu"];
+ etebase.CNAME = ["server2.vhack.eu"];
+ git.CNAME = ["server2.vhack.eu"];
+ invidious-router.CNAME = ["server2.vhack.eu"];
+
+ libreddit.CNAME = ["server2.vhack.eu"];
+ redlib.CNAME = ["server2.vhack.eu"];
+
+ mastodon.CNAME = ["server3.vhack.eu"];
+ matrix.CNAME = ["server3.vhack.eu"];
+
+ miniflux.CNAME = ["server3.vhack.eu"];
+ rss.CNAME = ["server3.vhack.eu"];
+
+ mumble.CNAME = ["server3.vhack.eu"];
+ openpgpkey.CNAME = ["server3.vhack.eu"];
+ peertube.CNAME = ["server3.vhack.eu"];
+ trinitrix.CNAME = ["server3.vhack.eu"];
+
+ server2 = {
+ AAAA = [
+ "2a03:4000:a:106::1"
+ ];
+ A = [
+ "185.16.61.132"
+ ];
+ };
+ server3 = {
+ AAAA = [
+ "2a03:4000:33:25b::4f4e"
+ ];
+ A = [
+ "92.60.38.179"
+ ];
+ };
+ };
+ };
+}
--
cgit 1.4.1
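Review bot: The DMARC `rua`/`ruf` addresses at `admin@foss-syndicate.org` live in a different domain from `vhack.eu`, so per RFC 7489 §7.1 receivers will discard the reports unless `vhack.eu._report._dmarc.foss-syndicate.org` publishes a `v=DMARC1` TXT record; that record is outside this zone, so confirm it exists or the `p = "quarantine"` policy runs with no feedback at all. `rua` is also a bare string while `ruf` is a list — unless the module accepts both forms, write `rua = ["admin@foss-syndicate.org"];` for consistency. The DKIM `p` value begins with `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ`, the DER prefix of a 1024-bit RSA key, the minimum RFC 8301 still permits; a 2048-bit key under a fresh selector would be stronger, and a comment beside `selector = "mail";` recording key size and rotation date would help whoever rotates it next. Finally, no `NS` set is declared at the apex and the SOA `nameServer` names `name-server.foss-syndicate.org.` rather than server2 or server3, which now serve the zone; if the `dns` module does not synthesize NS records, the zone is not delegable as written.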