From fee260e3ee7b8d8436fa30d8bf13a6257cd8b8fa Mon Sep 17 00:00:00 2001
From: Benedikt Peetz <benedikt.peetz@b-peetz.de>
Date: Fri, 21 Mar 2025 10:54:07 +0100
Subject: zones/vhack.eu: Update to actually be a drop-in replacement for
 netcup's servers

Previously, our NS record was missing, and we had an MX record that pointed
to `mail.foss-syndicate.org.vhack.eu`.
---
 zones/vhack.eu/zone.nix | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

(limited to 'zones')

diff --git a/zones/vhack.eu/zone.nix b/zones/vhack.eu/zone.nix
index a1e6d2e..36c71e4 100644
--- a/zones/vhack.eu/zone.nix
+++ b/zones/vhack.eu/zone.nix
@@ -14,6 +14,11 @@
     "2a03:4000:33:25b::4f4e"
   ];
 
+  NS = [
+    "name-server1.vhack.eu."
+    "name-server2.vhack.eu."
+  ];
+
   CAA = [
     {
       issuerCritical = false;
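Review bot: The `NS` targets added here, `name-server1.vhack.eu.` and `name-server2.vhack.eu.`, are defined in the last hunk only as aliases (`name-server1.CNAME = ["server2.vhack.eu."]`, `name-server2.CNAME = ["server3.vhack.eu."]`), and RFC 2181 section 10.3 requires an NS target to be a name that owns address records, not a CNAME. Some resolvers will not follow such a delegation, and glue for these in-zone names at the parent needs real addresses in any case. Either point `NS` straight at `server2.vhack.eu.` and `server3.vhack.eu.` (assuming those carry A/AAAA records, which this diff does not show), or give the name-server names their own records, e.g. `name-server1.A = ["<server2 IPv4>"];` and `name-server1.AAAA = ["<server2 IPv6>"];` with the placeholders filled in.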
@@ -22,12 +27,26 @@
     }
   ];
 
+  # Mail section {{{
   MX = [
     {
       preference = 10;
-      exchange = "mail.foss-syndicate.org";
+      exchange = "mail.foss-syndicate.org.";
     }
   ];
+
+  # https://www.rfc-editor.org/rfc/rfc7208.html
+  TXT = [
+    (builtins.concatStringsSep " "
+      [
+        "v=spf1" # The version.
+        "+mx" # Allow mail from this domain MX record.
+        "-all" # Reject all other emails if the previous mechanism did not match.
+      ])
+  ];
+
+  # https://www.rfc-editor.org/rfc/rfc6376.html#section-3.6.1
+  # https://www.rfc-editor.org/rfc/rfc6376.html#section-7.5
   DKIM = [
     {
       selector = "mail";
@@ -37,16 +56,20 @@
       t = ["s"];
     }
   ];
+
+    # https://www.rfc-editor.org/rfc/rfc7489.html#section-6.3
   DMARC = [
     {
       adkim = "strict";
       aspf = "strict";
       fo = ["0" "1" "d" "s"];
-      p = "quarantine";
+      p = "reject";
       rua = "admin@foss-syndicate.org";
       ruf = ["admin@foss-syndicate.org"];
     }
   ];
+
+  # https://www.rfc-editor.org/rfc/rfc2782.txt
   SRV = [
     {
       service = "imaps";
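Review bot: The switch to `p = "reject"` together with strict `adkim`/`aspf` is enforced while the report addresses in `rua` and `ruf` sit under foss-syndicate.org, a different organisational domain from vhack.eu. RFC 7489 section 7.1 has receivers look for a `vhack.eu._report._dmarc.foss-syndicate.org` TXT record containing `v=DMARC1` before sending reports to an external destination. That record would live in the foss-syndicate.org zone, so it is not visible here; confirm it exists, otherwise rejected mail will go unreported. A short comment above `DMARC` such as `# Reports go to foss-syndicate.org; needs the _report._dmarc authorisation record there (RFC 7489 section 7.1).` would record the dependency. The added RFC link comment above `DMARC` is also indented four spaces where the sibling comments use two.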
@@ -73,11 +96,12 @@
       target = "mail.foss-syndicate.org";
     }
   ];
-  TXT = [
-    "v=spf1 +mx -all"
-  ];
+  # }}}
 
   subdomains = {
+    name-server1.CNAME = ["server2.vhack.eu."];
+    name-server2.CNAME = ["server3.vhack.eu."];
+
     dav.CNAME = ["server2.vhack.eu."];
     etebase.CNAME = ["server2.vhack.eu."];
     git.CNAME = ["server2.vhack.eu."];
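Review bot: The SRV context line `target = "mail.foss-syndicate.org";` at the top of this hunk still lacks the trailing dot that this commit adds to the MX `exchange`. If SRV targets are rendered like the MX was, it presumably still expands to `mail.foss-syndicate.org.vhack.eu`, so client autodiscovery would resolve to a name inside this zone instead of the real mail host. It should read `target = "mail.foss-syndicate.org.";`. The `SRV` list starts outside this hunk, so the other entries' targets need the same check.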
-- 
cgit 1.4.1