servo: enable trust-dns (experimental)
@@ -17,5 +17,6 @@
|
||||
./postgres.nix
|
||||
./prosody.nix
|
||||
./transmission.nix
|
||||
./trust-dns
|
||||
];
|
||||
}
|
||||
|
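--- /dev/null
+++ b/hosts/servo/services/trust-dns/default.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+systemd.services.trust-dns = {
+description = "trust-dns DNS server";
+serviceConfig = {
+ExecStart = ''
+${pkgs.trust-dns}/bin/named \
+--config ${./uninsane.org.toml} \
+--zonedir ${./.}
+'';
+Type = "simple";
+Restart = "on-failure";
+# TODO: hardening
+};
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+};
+}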
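Review bot: The `serviceConfig` block leaves the `# TODO: hardening` unresolved, so `named` runs with systemd's defaults — as root, with the full capability set — while it is an internet-facing listener for the zone defined next to it. Since both `--config` and `--zonedir` point into the Nix store (read-only), the service needs no writable state and can drop privileges cheaply: `DynamicUser = true;`, `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` and `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` keep only the ability to bind the privileged port (assuming it listens on 53, which the config does not show). `ProtectSystem = "strict"` and `ProtectHome = true` are presumably safe as well for the same reason, but confirm trust-dns does not write under `--zonedir` for this zone type. Also note `--zonedir ${./.}` copies the whole directory, including this `default.nix`, into the store path served as the zone directory; harmless, but a dedicated `zones/` subdirectory would make the served set explicit.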
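--- /dev/null
+++ b/hosts/servo/services/trust-dns/uninsane.org.toml
@@ -0,0 +1,10 @@
+[[zones]]
+## zone: this is the ORIGIN of the zone, aka the base name, '.' is implied on the end
+zone = "uninsane.org"
+
+## zone_type: Primary, Secondary, Hint, Forward
+zone_type = "Primary"
+
+## file: this is relative to the directory above
+file = "uninsane.org.zone"
+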
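--- /dev/null
+++ b/hosts/servo/services/trust-dns/uninsane.org.zone
@@ -0,0 +1,75 @@
+$TTL 900
+; SOA record structure: <https://en.wikipedia.org/wiki/SOA_record#Structure>
+; Serial = YYYYMMDDNN, where N is incremented every time this file changes, to trigger secondary NS to re-fetch it.
+; Refresh = how frequently secondary NS should query master
+; Retry = how long secondary NS should wait until re-querying master after a failure (must be < Refresh)
+; Expire = how long secondary NS should continue to reply to queries after master fails (> Refresh + Retry)
+@ IN SOA uninsane.org. admin-dns.uninsane.org. (
+2022120701 ; Serial
+4h ; Refresh
+30m ; Retry
+7d ; Expire
+5m) ; Negative response TTL
+
+@ A 97.126.41.123
+; XXX: RFC's specify that the MX record CANNOT BE A CNAME
+mx A 185.157.162.178
+; TODO: we could make native a CNAME of @?
+; or just make all the `CNAME native`s `CNAME @`s?
+native A 97.126.41.123
+ovpns A 185.157.162.178
+
+
+; the nameserver for anything *under* or at uninsane.org is this server.
+@ NS uninsane.org.
+@ MX 10 mx.uninsane.org.
+
+bt CNAME native
+fed CNAME native
+git CNAME native
+imap CNAME native
+ipfs CNAME native
+jacket CNAME native
+jelly CNAME native
+matrix CNAME native
+web.matrix CNAME native
+music CNAME native
+nixcache CNAME native
+pl-dev CNAME native
+rss CNAME native
+sink CNAME native
+
+xmpp CNAME native
+conference.xmpp CNAME native
+pubsub.xmpp CNAME native
+upload.xmpp CNAME native
+vjid.xmpp CNAME native
+
+; _Service._Proto.Name TTL Class SRV Priority Weight Port Target
+_xmpp-client._tcp SRV 0 0 5222 native
+_xmpp-server._tcp SRV 0 0 5269 native
+
+; Sender Policy Framework:
+; +mx => mail passes if it originated from the MX
+; +a => mail passes if it originated from the A address of this domain
+; +ip4:.. => mail passes if it originated from this IP
+; -all => mail fails if none of these conditions were met
+@ TXT "v=spf1 a mx -all"
+
+; DKIM public key:
+mx._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkSyMufc2KrRx3j17e/LyB+3eYSBRuEFT8PUka8EDX04QzCwDPdkwgnj3GNDvnB5Ktb05Cf2SJ/S1OLqNsINxJRWtkVfZd/C339KNh9wrukMKRKNELL9HLUw0bczOI4gKKFqyrRE9qm+4csCMAR79Te9FCjGV/jVnrkLdPT0GtFwIDAQAB"
+
+; DMARC fields <https://datatracker.ietf.org/doc/html/rfc7489>:
+; p=none|quarantine|reject: what to do with failures
+; sp = p but for subdomains
+; rua = where to send aggregrate reports
+; ruf = where to send individual failure reports
+; fo=0|1|d|s controls WHEN to send failure reports
+; (1=on bad alignment; d=on DKIM failure; s=on SPF failure);
+; Additionally:
+; adkim=r|s (is DKIM relaxed [default] or strict)
+; aspf=r|s (is SPF relaxed [default] or strict)
+; pct = sampling ratio for punishing failures (default 100 for 100%)
+; rf = report format
+; ri = report interval
+_dmarc TXT "v=DMARC1;p=quarantine;sp=reject;rua=mailto:admin+mail@uninsane.org;ruf=mailto:admin+mail@uninsane.org;fo=1:d:s"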
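Review bot: The zone has exactly one authoritative server, `@ NS uninsane.org.`, backed by the single `@ A 97.126.41.123`, so an outage of that host takes down resolution for the apex, the MX and every CNAME in the file at once; RFC 2182 asks for at least two nameservers on independent networks, which would also give the SOA's Refresh/Retry/Expire values a secondary to apply to, e.g. a second `@ NS <secondary-ns-fqdn>.` line. The `mx._domainkey` value begins with `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ`, which looks like the DER prefix of a 1024-bit RSA public key; RFC 8301 recommends 2048-bit DKIM signing keys, so confirm the key size against what the mail server actually signs with before relying on it. Pointing NS at the apex itself is valid here because the apex A record provides the glue, but a dedicated name such as `ns1` would let the nameserver and the web/"native" host move independently. Minor: the SRV targets and CNAME targets all resolve to `native`, which is an A record, so the RFC 2782 rule that an SRV target must not be a CNAME is satisfied — worth keeping in mind if the `; TODO: we could make native a CNAME of @?` is ever acted on.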