diff --git a/hosts/plover/config/coredns/foodogsquared.one.zone b/hosts/plover/config/coredns/foodogsquared.one.zone
index 309f1ba4..960c910b 100644
--- a/hosts/plover/config/coredns/foodogsquared.one.zone
+++ b/hosts/plover/config/coredns/foodogsquared.one.zone
@@ -3,7 +3,7 @@ $TTL 12h @ 3600 IN SOA ns1.first-ns.de. hostmaster.foodogsquared.one. ( - 2023021701 ; serial number + 2023021803 ; serial number 1h ; refresh 15m ; update retry 3w ; expiry
@@ -19,11 +19,11 @@ $TTL 12h @ IN MX 10 mxext1.mailbox.org. IN MX 10 mxext2.mailbox.org. IN MX 20 mxext3.mailbox.org. - IN TXT "v=spf1 include:mailbox.org ~all" + IN TXT v=spf1 include:mailbox.org ~all ; This is something that is needed for mailbox.org to verify it is indeed in my ; domain. -#mailboxSecurityKey# IN TXT "#mailboxSecurityKeyRecord#" +#mailboxSecurityKey# 3600 IN TXT #mailboxSecurityKeyRecord# ; Protect the validity of my emails sent by me!!!! MBO0001._domainkey IN CNAME MBO0001._domainkey.mailbox.org.
@@ -32,7 +32,7 @@ MBO0003._domainkey IN CNAME MBO0003._domainkey.mailbox.org. MBO0004._domainkey IN CNAME MBO0004._domainkey.mailbox.org. ; Protect my domain email from spoofing. -_dmarc IN 400 TXT "v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one;ruf=mailto:admin@foodogsquared.one" +_dmarc 400 IN TXT v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one;ruf=mailto:admin@foodogsquared.one ; This will make PGP clients find my public key for the email. _hkps._tcp IN SRV 1 1 443 pgp.mailbox.org.
diff --git a/hosts/plover/modules/services/coredns.nix b/hosts/plover/modules/services/coredns.nix
index c7e95f33..d097c46f 100644
--- a/hosts/plover/modules/services/coredns.nix
+++ b/hosts/plover/modules/services/coredns.nix
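Review bot: Dropping the quotes around the TXT rdata in the `@@ -19,11` hunk (the SPF line and the `#mailboxSecurityKeyRecord#` placeholder) and in the `@@ -32,7` hunk (`_dmarc`) changes what the zone loader stores, and the commit does not address it. In master-file syntax an unquoted `;` starts a comment, so the `_dmarc` record is likely to be loaded as just `v=DMARC1` with the `p=`, `rua=` and `ruf=` tags discarded, which leaves the domain without an effective DMARC policy; unquoted whitespace in the SPF line is likely to produce separate character-strings, which verifiers join without spaces into `v=spf1include:mailbox.org~all`, not a valid SPF record. Keep the rdata quoted, which also protects the substituted security-key record should its value contain whitespace or `;`: `    IN TXT "v=spf1 include:mailbox.org ~all"`, `#mailboxSecurityKey# 3600 IN TXT "#mailboxSecurityKeyRecord#"` and `_dmarc 400 IN TXT "v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one;ruf=mailto:admin@foodogsquared.one"`. Querying the `_dmarc` and apex TXT records from the deployed server afterwards is the quickest way to confirm what is actually being published.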
@@ -36,7 +36,7 @@ let # The local network segments. allowedIPs = secondaryNameServersIPv4 ++ [ "172.16.0.0/12" ]; - allowedIPv6s = secondaryNameServersIPv6 ++ [ "${privateIPv6Prefix}::/64" ]; + allowedIPv6s = secondaryNameServersIPv6 ++ [ "${privateIPv6Prefix}::/48" ]; dnsListenAddresses = with interfaces; [ internal.IPv4.address
@@ -61,8 +61,8 @@ in secrets; in getSecrets { - "dns/mailbox-security-key" = { }; - "dns/mailbox-security-key-record" = { }; + "dns/${domain}/mailbox-security-key" = { }; + "dns/${domain}/mailbox-security-key-record" = { }; }; # Generating a certificate for the DNS-over-TLS feature.
@@ -162,8 +162,8 @@ in lib.mkBefore '' install -Dm0644 ${domainZoneFile} ${domainZoneFile'} - ${replaceSecretBin} '#mailboxSecurityKey#' '${secretsPath "dns/mailbox-security-key"}' '${domainZoneFile'}' - ${replaceSecretBin} '#mailboxSecurityKeyRecord#' '${secretsPath "dns/mailbox-security-key-record"}' '${domainZoneFile'}' + ${replaceSecretBin} '#mailboxSecurityKey#' '${secretsPath "dns/${domain}/mailbox-security-key"}' '${domainZoneFile'}' + ${replaceSecretBin} '#mailboxSecurityKeyRecord#' '${secretsPath "dns/${domain}/mailbox-security-key-record"}' '${domainZoneFile'}' ''; serviceConfig.LoadCredential = let certDirectory = certs."${dnsDomainName}".directory;
diff --git a/hosts/plover/secrets/secrets.yaml b/hosts/plover/secrets/secrets.yaml
index a7de07b8..ee0ecd59 100644
--- a/hosts/plover/secrets/secrets.yaml
+++ b/hosts/plover/secrets/secrets.yaml
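Review bot: `allowedIPv6s` in the `@@ -36,7` hunk now admits the whole `${privateIPv6Prefix}::/48` instead of a single /64, and nothing in the hunk records why the allow-list was widened. If `privateIPv6Prefix` is a ULA /48 that this host owns, the wider range is presumably meant to let every internal /64 segment reach the resolver, but that is an inference; a comment such as `# Whole private /48 so every internal /64 segment is allowed, not just the first one.` would make the intended scope of the ACL reviewable later. If only one segment needs access, the previous /64 was the tighter choice. The enclosing `let` binding list begins and ends outside the hunk.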
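Review bot: The secret path `"dns/${domain}/mailbox-security-key"` (and its `-record` sibling) is now spelled out twice, once in the `getSecrets` attribute set of the `@@ -61,8` hunk and again inside the `replaceSecretBin` calls of the `@@ -162,8` hunk, so a future rename has to be applied in both places or the substitution silently targets a secret that no longer exists. Binding each path once in the surrounding `let`, e.g. `mailboxSecurityKeySecret = "dns/${domain}/mailbox-security-key";` and `mailboxSecurityKeyRecordSecret = "dns/${domain}/mailbox-security-key-record";`, and referencing those names in both hunks would keep the declaration and the substitution from drifting apart. Both hunks sit inside definitions that start outside the visible lines.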
@@ -37,8 +37,9 @@ wireguard:
 ni: ENC[AES256_GCM,data:NAgNnVtPKCaaSagWCIet5pd5ZehymJPmhQShoO/ktqa1pl6MtzJsygbTktk=,iv:2/sOdNN6QX1Rou5xnq87t/m/kguPTthOXD8oXJfvM90=,tag:F/I2CYR9O1LAlLs/9LaXGg==,type:str]
 phone: ENC[AES256_GCM,data:3wIv8mE7eYhvSjwcE9fwsUZhh2Svmzg+RFjJzvjvMyB9V3uvBYG8vmB751w=,iv:iSm4dXNVqFa52eq0Hhct1MGSoq4x7FFzWdjXHlkGTW8=,tag:Lr463ee5r/ZhEC78uYyzfQ==,type:str]
 dns:
- mailbox-security-key: ENC[AES256_GCM,data:e1/y+JNNUxdf5D0OVhTD8hsoPlvV2Jpp3/+nHBktZH02/ZOfa9W5oA==,iv:tR9aVFHuMekr2uz4MaGAddlRsAh9XctS25EO+yMyvhE=,tag:BImSGpx4ltuU1qPTrmioKg==,type:str]
- mailbox-security-key-record: ENC[AES256_GCM,data:bP1kKQczfjOQyokOa+cScNs7jKLaXamUHYqzW7k0QRXnin5Nsj7G9w==,iv:l8NtJcYll8rdQJLsuxPIj3Ch3Tc/ESs1wUwPrGRTI7Y=,tag:RWD9mvinKW0xv6GDw/4jkQ==,type:str]
+ foodogsquared.one:
+ mailbox-security-key: ENC[AES256_GCM,data:CmiAcewC47dTlKX+PmWJrnSM7dreMImEL3nw6+MnJ2MCwcnakT8zUw==,iv:tRh4d+QUUqxzz+c0r6NLnnPOgqtYZNdE3RgCa7MbvE4=,tag:RHkPwRVt8+YCw61RwBZZzg==,type:str]
+ mailbox-security-key-record: ENC[AES256_GCM,data:vXwTyZEsov20GDkg/X2P/MJFKWkrijnNNHrGRp0AMJORh0H5/mnshQ==,iv:7BKnkKj1vwLYCcm1uoHF+Ndunl2enSoXRpReW/uuaAo=,tag:KTzU1MMwXard4+Ar4WrJhA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -54,8 +55,8 @@ sops:
 ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY
 miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-02-11T13:30:33Z"
- mac: ENC[AES256_GCM,data:3/SJstH4DV40P5oRToL77nbGwbIONuhjSrGmlvZvPKip7Mq6VLlpjLZhXWTkuVxZm7bVBloX7QWYZJn0aX9naKOMzqD+EVBmWgP1nC3USfzMXlItOlkrIo04KELb07oKfX8DWvagoZf4BY8p2TVHd4fSZrRJoiATI6TgOoATJeQ=,iv:ZKzNlbZ8mQablscBJKSkd5oTxb5YZQSPmGfjnzpuf4Q=,tag:FjN8/6lksHYw52jUlbQjcA==,type:str]
+ lastmodified: "2023-02-18T12:20:09Z"
+ mac: ENC[AES256_GCM,data:b3frDpKobh4Vl/BXX7M0U6eaJ8TdQHylPmUGsZqzGjwxZUMRyrxH/ETx6iseS2aRFyZzShPxJwSETyFswYMuObMRe1pk4DNjYCNCNSn98080nklG4Rod+QrB+p934aGMrpfjd4ZSI3UAQV2AKdZob2ivATwPFj7Q1hMdeXaEJYk=,iv:j+k9tG86UZhBKmSiCz+LtriZj2ajPb6AxuPosoH5bE0=,tag:7NYieEM2XG6Jfaug3UsZFQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3