hosts/plover: update DNS-related configuration
This commit is contained in:
parent
7aca74924c
commit
4c62274145
@ -1,59 +1,63 @@
|
|||||||
; This is trying to be discrete with certain information. This should be copied
|
; This is trying to be discrete with certain information. This should be copied
|
||||||
; and replaced with more confidential information somewhere.
|
; and replaced with more confidential information somewhere.
|
||||||
$TTL 2h
|
$TTL 2h
|
||||||
$ORIGIN @domain@
|
$ORIGIN foodogsquared.one
|
||||||
|
|
||||||
; Take note we're not making the NS record type since it will be dynamically
|
@ IN SOA ns1.foodogsquared.one. hostmaster.foodogsquared.one. (
|
||||||
; queried by the DNS server.
|
2023021100 ; serial number
|
||||||
@ IN SOA @dnsNameserver@ @dnsEmail@ (
|
|
||||||
2023021002 ; serial number
|
|
||||||
2h ; refresh
|
2h ; refresh
|
||||||
15m ; update retry
|
15m ; update retry
|
||||||
3w ; expiry
|
3w ; expiry
|
||||||
3h ; nx = nxdomain ttl
|
3h ; nx = nxdomain ttl
|
||||||
)
|
)
|
||||||
@dnsNameservers@
|
IN NS ns1.first-ns.de.
|
||||||
|
IN NS robotns2.second-ns.de.
|
||||||
|
IN NS robotns3.second-ns.com.
|
||||||
|
|
||||||
; Setting up the mail-related DNS entries.
|
; Setting up the mail-related DNS entries.
|
||||||
; For future references, please the see the following document at
|
; For future references, please the see the following document at
|
||||||
; https://kb.mailbox.org/en/private/e-mail-article/using-e-mail-addresses-of-your-domain
|
; https://kb.mailbox.org/en/private/e-mail-article/using-e-mail-addresses-of-your-domain
|
||||||
@ IN MX 10 mxext1.mailbox.org
|
@ IN MX 10 mxext1.mailbox.org.
|
||||||
IN MX 10 mxext2.mailbox.org
|
IN MX 10 mxext2.mailbox.org.
|
||||||
IN MX 20 mxext3.mailbox.org
|
IN MX 20 mxext3.mailbox.org.
|
||||||
IN TXT v=spf1 include:mailbox.org ~all
|
IN TXT v=spf1 include:mailbox.org ~all
|
||||||
_dmarc. IN TXT v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one
|
_dmarc IN TXT v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one
|
||||||
mbo0001._domainkey. IN CNAME mbo0001._domainkey.mailbox.org.
|
mbo0001._domainkey IN CNAME mbo0001._domainkey.mailbox.org.
|
||||||
mbo0002._domainkey. IN CNAME mbo0002._domainkey.mailbox.org.
|
mbo0002._domainkey IN CNAME mbo0002._domainkey.mailbox.org.
|
||||||
mbo0003._domainkey. IN CNAME mbo0003._domainkey.mailbox.org.
|
mbo0003._domainkey IN CNAME mbo0003._domainkey.mailbox.org.
|
||||||
mbo0004._domainkey. IN CNAME mbo0004._domainkey.mailbox.org.
|
mbo0004._domainkey IN CNAME mbo0004._domainkey.mailbox.org.
|
||||||
#mailboxSecurityKey#. IN TXT #mailboxSecurityKeyRecord#
|
#mailboxSecurityKey# IN TXT #mailboxSecurityKeyRecord#
|
||||||
|
|
||||||
; My websites that are deployed by somewhere else.
|
; My websites that are deployed by somewhere else.
|
||||||
@ IN ALIAS apex-loadbalancer.netlify.com.
|
@ IN A 75.2.60.5
|
||||||
www IN CNAME foodogsquared.netlify.app.
|
www IN CNAME foodogsquared.netlify.app.
|
||||||
wiki IN CNAME foodogsquared-wiki.netlify.app.
|
wiki IN CNAME foodogsquared-wiki.netlify.app.
|
||||||
|
|
||||||
; Public-facing services from this server.
|
; Public-facing services from this server. Just remember to increment the
|
||||||
auth. IN A @publicIPv4@
|
; serial number once the public IPs changes. PLEEEEEEEEEEEAAAAAAAAASE!
|
||||||
auth. IN AAAA @publicIPv6@
|
auth IN A @publicIPv4@
|
||||||
|
auth IN AAAA @publicIPv6@
|
||||||
|
|
||||||
pass. IN A @publicIPv4@
|
pass IN A @publicIPv4@
|
||||||
pass. IN AAAA @publicIPv6@
|
pass IN AAAA @publicIPv6@
|
||||||
|
|
||||||
code. IN A @publicIPv4@
|
code IN A @publicIPv4@
|
||||||
code. IN AAAA @publicIPv6@
|
code IN AAAA @publicIPv6@
|
||||||
|
|
||||||
|
vpn IN A @publicIPv4@
|
||||||
|
vpn IN AAAA @publicIPv6@
|
||||||
|
|
||||||
; Other things.
|
; Other things.
|
||||||
_github-pages-challenge-foo-dogsquared. IN TXT 673febae1ea0095e76d1e02a7a1709
|
_github-pages-challenge-foo-dogsquared IN TXT 673febae1ea0095e76d1e02a7a1709
|
||||||
|
|
||||||
; Setting up SendGrid.
|
; Setting up SendGrid.
|
||||||
; This is for rewriting tracking links to my domain.
|
; This is for rewriting tracking links to my domain.
|
||||||
url2871. IN CNAME sendgrid.net
|
url2871 IN CNAME sendgrid.net
|
||||||
30339354. IN CNAME sendgrid.net
|
30339354 IN CNAME sendgrid.net
|
||||||
|
|
||||||
; This is for SendGrid sender authentication.
|
; This is for SendGrid sender authentication.
|
||||||
em1172. IN CNAME u30339354.wl105.sendgrid.net
|
em1172 IN CNAME u30339354.wl105.sendgrid.net
|
||||||
s1._domainkey. IN CNAME s1.domainkey.u30339354.wl105.sendgrid.net
|
s1._domainkey IN CNAME s1.domainkey.u30339354.wl105.sendgrid.net
|
||||||
s2._domainkey. IN CNAME s2.domainkey.u30339354.wl105.sendgrid.net
|
s2._domainkey IN CNAME s2.domainkey.u30339354.wl105.sendgrid.net
|
||||||
|
|
||||||
; vim: expandtab! tabstop=8 shiftwidth=8 filetype=dns
|
; vim: expandtab! tabstop=8 shiftwidth=8 filetype=dns
|
||||||
|
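Review bot: The SendGrid CNAME targets on the new side are still unqualified names — `url2871 IN CNAME sendgrid.net`, `30339354 IN CNAME sendgrid.net`, `em1172 IN CNAME u30339354.wl105.sendgrid.net`, and the `s1._domainkey` / `s2._domainkey` records have no trailing dot, so under `$ORIGIN foodogsquared.one` they expand to `sendgrid.net.foodogsquared.one.` and friends, exactly the class of bug this commit fixes for the MX targets; the intended form is `url2871 IN CNAME sendgrid.net.` and likewise for the other four. The two `_domainkey` CNAMEs are the DKIM selectors SendGrid signs with, so as written that sender authentication would not verify. Separately, the new SOA names `ns1.foodogsquared.one.` as MNAME while the NS set is `ns1.first-ns.de.`, `robotns2.second-ns.de.` and `robotns3.second-ns.com.` and no record for `ns1` appears anywhere in the zone; if that is deliberate for a hidden primary, a comment such as `; MNAME is the hidden primary; it is intentionally not listed as an NS or given an address record.` would stop the next reader from "fixing" it.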
@ -209,6 +209,9 @@ in
|
|||||||
|
|
||||||
# PostgreSQL database dumps
|
# PostgreSQL database dumps
|
||||||
config.services.postgresqlBackup.location
|
config.services.postgresqlBackup.location
|
||||||
|
|
||||||
|
# DNS records.
|
||||||
|
"/etc/coredns"
|
||||||
];
|
];
|
||||||
repo = borgRepo "services";
|
repo = borgRepo "services";
|
||||||
passCommand = "cat ${config.sops.secrets."plover/borg/repos/services/password".path}";
|
passCommand = "cat ${config.sops.secrets."plover/borg/repos/services/password".path}";
|
||||||
|
@ -16,17 +16,13 @@ let
|
|||||||
|
|
||||||
domainZoneFile = pkgs.substituteAll {
|
domainZoneFile = pkgs.substituteAll {
|
||||||
src = ../../config/coredns/${domain}.zone;
|
src = ../../config/coredns/${domain}.zone;
|
||||||
inherit domain dnsSubdomain;
|
|
||||||
dnsEmail = "dns.hetzner.com.";
|
|
||||||
publicIPv4 = interfaces.main'.IPv4.address;
|
publicIPv4 = interfaces.main'.IPv4.address;
|
||||||
publicIPv6 = interfaces.main'.IPv6.address;
|
publicIPv6 = interfaces.main'.IPv6.address;
|
||||||
dnsNameserver = lib.head secondaryNameserverDomains;
|
|
||||||
dnsNameservers = lib.concatStringsSep "\n"
|
|
||||||
(lib.lists.map
|
|
||||||
(ns: "\tIN\tNS\t${ns}")
|
|
||||||
secondaryNameserverDomains);
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# The final location of the thing.
|
||||||
|
domainZoneFile' = "/etc/coredns/zones/${domain}.zone";
|
||||||
|
|
||||||
secondaryNameserverDomains = lib.attrNames secondaryNameServers;
|
secondaryNameserverDomains = lib.attrNames secondaryNameServers;
|
||||||
secondaryNameServersIPv4 = lib.foldl'
|
secondaryNameServersIPv4 = lib.foldl'
|
||||||
(total: addresses: total ++ addresses.IPv4)
|
(total: addresses: total ++ addresses.IPv4)
|
||||||
@ -38,8 +34,12 @@ let
|
|||||||
(lib.attrValues secondaryNameServers);
|
(lib.attrValues secondaryNameServers);
|
||||||
secondaryNameServersIPs = secondaryNameServersIPv4 ++ secondaryNameServersIPv6;
|
secondaryNameServersIPs = secondaryNameServersIPv4 ++ secondaryNameServersIPv6;
|
||||||
|
|
||||||
# The final location of the thing.
|
dnsListenAddresses = with interfaces; [
|
||||||
domainZoneFile' = "/etc/coredns/zones/${domain}.zone";
|
internal.IPv4.address
|
||||||
|
internal.IPv6.address
|
||||||
|
main'.IPv4.address
|
||||||
|
main'.IPv6.address
|
||||||
|
];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sops.secrets =
|
sops.secrets =
|
||||||
@ -87,11 +87,10 @@ in
|
|||||||
# https://docs.hetzner.com/dns-console/dns/general/dnssec
|
# https://docs.hetzner.com/dns-console/dns/general/dnssec
|
||||||
config = ''
|
config = ''
|
||||||
. {
|
. {
|
||||||
forward . /etc/resolv.conf
|
|
||||||
log
|
log
|
||||||
errors
|
errors
|
||||||
|
|
||||||
bind lo ${interfaces.internal.IPv4.address} ${interfaces.internal.IPv6.address} {
|
bind lo ${lib.concatStringsSep " " dnsListenAddresses} {
|
||||||
# These are already taken from systemd-resolved.
|
# These are already taken from systemd-resolved.
|
||||||
except 127.0.0.53 127.0.0.54
|
except 127.0.0.53 127.0.0.54
|
||||||
}
|
}
|
||||||
@ -101,7 +100,9 @@ in
|
|||||||
allow type AXFR net ${lib.concatStringsSep " " secondaryNameServersIPs}
|
allow type AXFR net ${lib.concatStringsSep " " secondaryNameServersIPs}
|
||||||
allow type IXFR net ${lib.concatStringsSep " " secondaryNameServersIPs}
|
allow type IXFR net ${lib.concatStringsSep " " secondaryNameServersIPs}
|
||||||
|
|
||||||
# Allowing this for debugging.
|
# This will allow internal clients connect to the subdomains that
|
||||||
|
# have internal resources.
|
||||||
|
allow net ${lib.concatStringsSep " " (clientNetworks ++ serverNetworks)}
|
||||||
allow net 127.0.0.0/8 ::1
|
allow net 127.0.0.0/8 ::1
|
||||||
|
|
||||||
# Otherwise, it's just really a primary server that is hidden
|
# Otherwise, it's just really a primary server that is hidden
|
||||||
@ -113,8 +114,6 @@ in
|
|||||||
to *
|
to *
|
||||||
}
|
}
|
||||||
|
|
||||||
file ${domainZoneFile'}
|
|
||||||
|
|
||||||
# ${fqdn} DNS server blocks. This is an internal DNS server so we'll
|
# ${fqdn} DNS server blocks. This is an internal DNS server so we'll
|
||||||
# only allow queries from the internal network.
|
# only allow queries from the internal network.
|
||||||
acl ${fqdn} {
|
acl ${fqdn} {
|
||||||
@ -130,6 +129,8 @@ in
|
|||||||
template IN AAAA ${fqdn} {
|
template IN AAAA ${fqdn} {
|
||||||
answer "{{ .Name }} IN 60 AAAA ${interfaces.internal.IPv6.address}"
|
answer "{{ .Name }} IN 60 AAAA ${interfaces.internal.IPv6.address}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
file ${domainZoneFile'}
|
||||||
}
|
}
|
||||||
|
|
||||||
tls://. {
|
tls://. {
|
||||||
|
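Review bot: `bind lo ${lib.concatStringsSep " " dnsListenAddresses}` puts the `.` server block on the public `main'` addresses as well as the internal ones (per the new `dnsListenAddresses` list in the `let` hunk), so the ACL in the following hunk is now what separates Internet clients from this zone. Its `allow` rules cover only the secondaries, `clientNetworks ++ serverNetworks` and loopback, and CoreDNS's acl plugin lets through any request that matches no rule, so the hidden-primary behaviour depends on an explicit trailing `block` that presumably sits near the `# Otherwise, it's just really a primary server that is hidden` comment outside the hunk; worth confirming it is there before this listener goes public. Removing `forward . /etc/resolv.conf` in the same hunk is the right move for a publicly reachable listener, since it keeps the server from acting as an open recursive resolver, but the reasoning is no longer visible; a line like `# No forward here: this listener is also bound on the public interface and must not recurse.` above `log` would preserve it.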