servo: enable trust-dns (experimental)

2022-12-07 12:15:35 +00:00
parent 62df4492a3
commit ab176b8d4b
4 changed files with 105 additions and 0 deletions


@@ -17,5 +17,6 @@
./postgres.nix
./prosody.nix
./transmission.nix
./trust-dns
];
}


@@ -0,0 +1,19 @@
{ pkgs, ... }:
{
systemd.services.trust-dns = {
description = "trust-dns DNS server";
serviceConfig = {
ExecStart = ''
${pkgs.trust-dns}/bin/named \
--config ${./uninsane.org.toml} \
--zonedir ${./.}
'';
Type = "simple";
Restart = "on-failure";
# TODO: hardening
};
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
};
}
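Review bot: The `# TODO: hardening` left in serviceConfig matters more than usual here, because with no `User`/`DynamicUser` the unit runs named as root, and it is an internet-facing daemon the commit itself labels experimental. Unless trust-dns drops privileges on its own (not checked), a minimal first step is `DynamicUser = true;`, `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` and `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];`, which keeps the ability to bind port 53 while dropping everything else; `ProtectSystem`, `ProtectHome` and `NoNewPrivileges` can follow once the service is known to work. Also worth a comment next to `--zonedir ${./.}`: the whole directory is copied into the world-readable Nix store, so nothing in it may ever be secret — something like `# NOTE: ${./.} is copied to /nix/store and is world-readable; keep any future DNSSEC/TSIG key material out of this directory`.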


@@ -0,0 +1,10 @@
[[zones]]
## zone: this is the ORIGIN of the zone, aka the base name, '.' is implied on the end
zone = "uninsane.org"
## zone_type: Primary, Secondary, Hint, Forward
zone_type = "Primary"
## file: this is relative to the directory above
file = "uninsane.org.zone"
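Review bot: Nothing outside the `[[zones]]` entry is set, so listen addresses, port and zone-transfer policy all come from the daemon's defaults, which for an authoritative server exposed to the internet is worth making explicit rather than implicit. I would state the intended listen address(es) at the top of the file and, on the zone, pin the transfer policy — trust-dns has a per-zone `allow_axfr` option, and leaving it absent relies on the default being `false`. The `## zone:` / `## zone_type:` / `## file:` comments read as copied from the upstream example and only restate the key names; a single `#` with a why-comment, e.g. `# resolved relative to --zonedir, i.e. this directory as copied into the Nix store`, would carry more information.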


@@ -0,0 +1,75 @@
$TTL 900
; SOA record structure: <https://en.wikipedia.org/wiki/SOA_record#Structure>
; Serial = YYYYMMDDNN, where N is incremented every time this file changes, to trigger secondary NS to re-fetch it.
; Refresh = how frequently secondary NS should query master
; Retry = how long secondary NS should wait until re-querying master after a failure (must be < Refresh)
; Expire = how long secondary NS should continue to reply to queries after master fails (> Refresh + Retry)
@ IN SOA uninsane.org. admin-dns.uninsane.org. (
2022120701 ; Serial
4h ; Refresh
30m ; Retry
7d ; Expire
5m) ; Negative response TTL
@ A 97.126.41.123
; XXX: RFC's specify that the MX record CANNOT BE A CNAME
mx A 185.157.162.178
; TODO: we could make native a CNAME of @?
; or just make all the `CNAME native`s `CNAME @`s?
native A 97.126.41.123
ovpns A 185.157.162.178
; the nameserver for anything *under* or at uninsane.org is this server.
@ NS uninsane.org.
@ MX 10 mx.uninsane.org.
bt CNAME native
fed CNAME native
git CNAME native
imap CNAME native
ipfs CNAME native
jacket CNAME native
jelly CNAME native
matrix CNAME native
web.matrix CNAME native
music CNAME native
nixcache CNAME native
pl-dev CNAME native
rss CNAME native
sink CNAME native
xmpp CNAME native
conference.xmpp CNAME native
pubsub.xmpp CNAME native
upload.xmpp CNAME native
vjid.xmpp CNAME native
; _Service._Proto.Name TTL Class SRV Priority Weight Port Target
_xmpp-client._tcp SRV 0 0 5222 native
_xmpp-server._tcp SRV 0 0 5269 native
; Sender Policy Framework:
; +mx => mail passes if it originated from the MX
; +a => mail passes if it originated from the A address of this domain
; +ip4:.. => mail passes if it originated from this IP
; -all => mail fails if none of these conditions were met
@ TXT "v=spf1 a mx -all"
; DKIM public key:
mx._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkSyMufc2KrRx3j17e/LyB+3eYSBRuEFT8PUka8EDX04QzCwDPdkwgnj3GNDvnB5Ktb05Cf2SJ/S1OLqNsINxJRWtkVfZd/C339KNh9wrukMKRKNELL9HLUw0bczOI4gKKFqyrRE9qm+4csCMAR79Te9FCjGV/jVnrkLdPT0GtFwIDAQAB"
; DMARC fields <https://datatracker.ietf.org/doc/html/rfc7489>:
; p=none|quarantine|reject: what to do with failures
; sp = p but for subdomains
; rua = where to send aggregrate reports
; ruf = where to send individual failure reports
; fo=0|1|d|s controls WHEN to send failure reports
; (1=on bad alignment; d=on DKIM failure; s=on SPF failure);
; Additionally:
; adkim=r|s (is DKIM relaxed [default] or strict)
; aspf=r|s (is SPF relaxed [default] or strict)
; pct = sampling ratio for punishing failures (default 100 for 100%)
; rf = report format
; ri = report interval
_dmarc TXT "v=DMARC1;p=quarantine;sp=reject;rua=mailto:admin+mail@uninsane.org;ruf=mailto:admin+mail@uninsane.org;fo=1:d:s"
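Review bot: The DKIM key published on the `mx._domainkey` line appears to be a 1024-bit RSA key (the `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ…` SPKI prefix is the 1024-bit shape); RFC 8301 makes 1024 bits the floor and recommends 2048, so generating a 2048-bit key under a fresh selector before this zone goes live is cheaper than rotating it afterwards. The zone also delegates to a single nameserver (`@ NS uninsane.org.`, the same host as the apex A record), which is below the two-server minimum RFC 2182 recommends and means DNS, web and mail all become unreachable together when 97.126.41.123 is down; the SOA Refresh/Retry/Expire comments already assume a secondary exists. Since every CNAME here resolves to one of the same two addresses, a CAA record is a one-line way to limit which CAs may issue certificates for these names — for example `@ CAA 0 issue "letsencrypt.org"` (constructed sample; substitute the CA actually in use).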