hosts/plover: update DNS server setup

2025-01-31 04:58:01 +00:00 · 2023-02-22 11:28:59 +08:00 · 2023-02-22 11:28:59 +08:00 · 41fd659453
commit 41fd659453
parent 84b4e3be3e
3 changed files with 14 additions and 13 deletions
--- a/hosts/plover/config/coredns/foodogsquared.one.zone
+++ b/hosts/plover/config/coredns/foodogsquared.one.zone
@ -3,7 +3,7 @@
 $TTL 12h

@	3600	IN	SOA	ns1.first-ns.de. hostmaster.foodogsquared.one. (
-				2023021701 	; serial number
+				2023021803 	; serial number
 				1h		; refresh
 				15m		; update retry
 				3w		; expiry
@ -19,11 +19,11 @@ $TTL 12h
@	IN	MX	10 mxext1.mailbox.org.
 	IN	MX	10 mxext2.mailbox.org.
 	IN	MX	20 mxext3.mailbox.org.
-	IN	TXT	"v=spf1 include:mailbox.org ~all"
+	IN	TXT	v=spf1 include:mailbox.org ~all

 ; This is something that is needed for mailbox.org to verify it is indeed in my
 ; domain.
-#mailboxSecurityKey#	IN	TXT	"#mailboxSecurityKeyRecord#"
+#mailboxSecurityKey#	3600	IN	TXT	#mailboxSecurityKeyRecord#

 ; Protect the validity of my emails sent by me!!!!
 MBO0001._domainkey	IN	CNAME	MBO0001._domainkey.mailbox.org.
@ -32,7 +32,7 @@ MBO0003._domainkey	IN	CNAME	MBO0003._domainkey.mailbox.org.
 MBO0004._domainkey	IN	CNAME	MBO0004._domainkey.mailbox.org.

 ; Protect my domain email from spoofing.
-_dmarc	IN	400	TXT	"v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one;ruf=mailto:admin@foodogsquared.one"
+_dmarc	400	IN	TXT	v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one;ruf=mailto:admin@foodogsquared.one

 ; This will make PGP clients find my public key for the email.
 _hkps._tcp	IN	SRV	1 1 443 pgp.mailbox.org.
--- a/hosts/plover/modules/services/coredns.nix
+++ b/hosts/plover/modules/services/coredns.nix
@ -36,7 +36,7 @@ let

  # The local network segments.
  allowedIPs = secondaryNameServersIPv4 ++ [ "172.16.0.0/12" ];
-  allowedIPv6s = secondaryNameServersIPv6 ++ [ "${privateIPv6Prefix}::/64" ];
+  allowedIPv6s = secondaryNameServersIPv6 ++ [ "${privateIPv6Prefix}::/48" ];

  dnsListenAddresses = with interfaces; [
    internal.IPv4.address
@ -61,8 +61,8 @@ in
          secrets;
    in
    getSecrets {
-      "dns/mailbox-security-key" = { };
-      "dns/mailbox-security-key-record" = { };
+      "dns/${domain}/mailbox-security-key" = { };
+      "dns/${domain}/mailbox-security-key-record" = { };
    };

  # Generating a certificate for the DNS-over-TLS feature.
@ -162,8 +162,8 @@ in
      lib.mkBefore ''
        install -Dm0644 ${domainZoneFile} ${domainZoneFile'}

-        ${replaceSecretBin} '#mailboxSecurityKey#' '${secretsPath "dns/mailbox-security-key"}' '${domainZoneFile'}'
-        ${replaceSecretBin} '#mailboxSecurityKeyRecord#' '${secretsPath "dns/mailbox-security-key-record"}' '${domainZoneFile'}'
+        ${replaceSecretBin} '#mailboxSecurityKey#' '${secretsPath "dns/${domain}/mailbox-security-key"}' '${domainZoneFile'}'
+        ${replaceSecretBin} '#mailboxSecurityKeyRecord#' '${secretsPath "dns/${domain}/mailbox-security-key-record"}' '${domainZoneFile'}'
      '';
    serviceConfig.LoadCredential = let
      certDirectory = certs."${dnsDomainName}".directory;
--- a/hosts/plover/secrets/secrets.yaml
+++ b/hosts/plover/secrets/secrets.yaml
@ -37,8 +37,9 @@ wireguard:
        ni: ENC[AES256_GCM,data:NAgNnVtPKCaaSagWCIet5pd5ZehymJPmhQShoO/ktqa1pl6MtzJsygbTktk=,iv:2/sOdNN6QX1Rou5xnq87t/m/kguPTthOXD8oXJfvM90=,tag:F/I2CYR9O1LAlLs/9LaXGg==,type:str]
        phone: ENC[AES256_GCM,data:3wIv8mE7eYhvSjwcE9fwsUZhh2Svmzg+RFjJzvjvMyB9V3uvBYG8vmB751w=,iv:iSm4dXNVqFa52eq0Hhct1MGSoq4x7FFzWdjXHlkGTW8=,tag:Lr463ee5r/ZhEC78uYyzfQ==,type:str]
 dns:
-    mailbox-security-key: ENC[AES256_GCM,data:e1/y+JNNUxdf5D0OVhTD8hsoPlvV2Jpp3/+nHBktZH02/ZOfa9W5oA==,iv:tR9aVFHuMekr2uz4MaGAddlRsAh9XctS25EO+yMyvhE=,tag:BImSGpx4ltuU1qPTrmioKg==,type:str]
-    mailbox-security-key-record: ENC[AES256_GCM,data:bP1kKQczfjOQyokOa+cScNs7jKLaXamUHYqzW7k0QRXnin5Nsj7G9w==,iv:l8NtJcYll8rdQJLsuxPIj3Ch3Tc/ESs1wUwPrGRTI7Y=,tag:RWD9mvinKW0xv6GDw/4jkQ==,type:str]
+    foodogsquared.one:
+        mailbox-security-key: ENC[AES256_GCM,data:CmiAcewC47dTlKX+PmWJrnSM7dreMImEL3nw6+MnJ2MCwcnakT8zUw==,iv:tRh4d+QUUqxzz+c0r6NLnnPOgqtYZNdE3RgCa7MbvE4=,tag:RHkPwRVt8+YCw61RwBZZzg==,type:str]
+        mailbox-security-key-record: ENC[AES256_GCM,data:vXwTyZEsov20GDkg/X2P/MJFKWkrijnNNHrGRp0AMJORh0H5/mnshQ==,iv:7BKnkKj1vwLYCcm1uoHF+Ndunl2enSoXRpReW/uuaAo=,tag:KTzU1MMwXard4+Ar4WrJhA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -54,8 +55,8 @@ sops:
            ZCtNbnFqdzNkVlBtNjVCdE4yNHMrRjQKfFV4GaReO0UO81xsTB0EuN5ibVsafXJY
            miBgZAZWbJjSBcM4X+Fym/DlxHRoB1a6iFEFN9yg+Z9WI8PfjKnbsA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-02-11T13:30:33Z"
-    mac: ENC[AES256_GCM,data:3/SJstH4DV40P5oRToL77nbGwbIONuhjSrGmlvZvPKip7Mq6VLlpjLZhXWTkuVxZm7bVBloX7QWYZJn0aX9naKOMzqD+EVBmWgP1nC3USfzMXlItOlkrIo04KELb07oKfX8DWvagoZf4BY8p2TVHd4fSZrRJoiATI6TgOoATJeQ=,iv:ZKzNlbZ8mQablscBJKSkd5oTxb5YZQSPmGfjnzpuf4Q=,tag:FjN8/6lksHYw52jUlbQjcA==,type:str]
+    lastmodified: "2023-02-18T12:20:09Z"
+    mac: ENC[AES256_GCM,data:b3frDpKobh4Vl/BXX7M0U6eaJ8TdQHylPmUGsZqzGjwxZUMRyrxH/ETx6iseS2aRFyZzShPxJwSETyFswYMuObMRe1pk4DNjYCNCNSn98080nklG4Rod+QrB+p934aGMrpfjd4ZSI3UAQV2AKdZob2ivATwPFj7Q1hMdeXaEJYk=,iv:j+k9tG86UZhBKmSiCz+LtriZj2ajPb6AxuPosoH5bE0=,tag:7NYieEM2XG6Jfaug3UsZFQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3