diff --git a/hosts/servo/services/ejabberd.nix b/hosts/servo/services/ejabberd.nix
index 0d84246a..793c7ddd 100644
--- a/hosts/servo/services/ejabberd.nix
+++ b/hosts/servo/services/ejabberd.nix
@@ -75,33 +75,33 @@ sane.services.trust-dns.zones."uninsane.org".inet = {
 # XXX: SRV records have to point to something with a A/AAAA record; no CNAMEs
- A."xmpp" = [ "%NATIVE%" ];
- CNAME."muc.xmpp" = [ "xmpp" ];
- CNAME."pubsub.xmpp" = [ "xmpp" ];
- CNAME."upload.xmpp" = [ "xmpp" ];
- CNAME."vjid.xmpp" = [ "xmpp" ];
+ A."xmpp" = "%NATIVE%";
+ CNAME."muc.xmpp" = "xmpp";
+ CNAME."pubsub.xmpp" = "xmpp";
+ CNAME."upload.xmpp" = "xmpp";
+ CNAME."vjid.xmpp" = "xmpp";
 # _Service._Proto.Name TTL Class SRV Priority Weight Port Target
 # -
 # something's requesting the SRV records for muc.xmpp, so let's include it
 # nothing seems to request XMPP SRVs for the other records (except @)
 # lower numerical priority field tells clients to prefer this method
- SRV."_xmpps-client._tcp.muc.xmpp" = [ "3 50 5223 xmpp" ];
- SRV."_xmpps-server._tcp.muc.xmpp" = [ "3 50 5270 xmpp" ];
- SRV."_xmpp-client._tcp.muc.xmpp" = [ "5 50 5222 xmpp" ];
- SRV."_xmpp-server._tcp.muc.xmpp" = [ "5 50 5269 xmpp" ];
+ SRV."_xmpps-client._tcp.muc.xmpp" = "3 50 5223 xmpp";
+ SRV."_xmpps-server._tcp.muc.xmpp" = "3 50 5270 xmpp";
+ SRV."_xmpp-client._tcp.muc.xmpp" = "5 50 5222 xmpp";
+ SRV."_xmpp-server._tcp.muc.xmpp" = "5 50 5269 xmpp";
- SRV."_xmpps-client._tcp" = [ "3 50 5223 xmpp" ];
- SRV."_xmpps-server._tcp" = [ "3 50 5270 xmpp" ];
- SRV."_xmpp-client._tcp" = [ "5 50 5222 xmpp" ];
- SRV."_xmpp-server._tcp" = [ "5 50 5269 xmpp" ];
+ SRV."_xmpps-client._tcp" = "3 50 5223 xmpp";
+ SRV."_xmpps-server._tcp" = "3 50 5270 xmpp";
+ SRV."_xmpp-client._tcp" = "5 50 5222 xmpp";
+ SRV."_xmpp-server._tcp" = "5 50 5269 xmpp";
- SRV."_stun._udp" = [ "5 50 3478 xmpp" ];
- SRV."_stun._tcp" = [ "5 50 3478 xmpp" ];
- SRV."_stuns._tcp" = [ "5 50 5349 xmpp" ];
- SRV."_turn._udp" = [ "5 50 3478 xmpp" ];
- SRV."_turn._tcp" = [ "5 50 3478 xmpp" ];
- SRV."_turns._tcp" = [ "5 50 5349 xmpp" ];
+ SRV."_stun._udp" = "5 50 3478 xmpp";
+ SRV."_stun._tcp" = "5 50 3478 xmpp";
+ SRV."_stuns._tcp" = "5 50 5349 xmpp";
+ SRV."_turn._udp" =
"5 50 3478 xmpp"; + SRV."_turn._tcp" = "5 50 3478 xmpp"; + SRV."_turns._tcp" = "5 50 5349 xmpp"; }; # TODO: allocate UIDs/GIDs ? diff --git a/hosts/servo/services/freshrss.nix b/hosts/servo/services/freshrss.nix index a999b3c2..47ea9b87 100644 --- a/hosts/servo/services/freshrss.nix +++ b/hosts/servo/services/freshrss.nix @@ -57,5 +57,5 @@ # the routing is handled by services.freshrss.virtualHost }; - sane.services.trust-dns.zones."uninsane.org".inet.CNAME."rss" = [ "native" ]; + sane.services.trust-dns.zones."uninsane.org".inet.CNAME."rss" = "native"; } diff --git a/hosts/servo/services/gitea.nix b/hosts/servo/services/gitea.nix index 594d05f6..7d1c0664 100644 --- a/hosts/servo/services/gitea.nix +++ b/hosts/servo/services/gitea.nix @@ -85,5 +85,5 @@ }; }; - sane.services.trust-dns.zones."uninsane.org".inet.CNAME."git" = [ "native" ]; + sane.services.trust-dns.zones."uninsane.org".inet.CNAME."git" = "native"; } diff --git a/hosts/servo/services/goaccess.nix b/hosts/servo/services/goaccess.nix index a0ecf5c9..89340391 100644 --- a/hosts/servo/services/goaccess.nix +++ b/hosts/servo/services/goaccess.nix @@ -64,5 +64,5 @@ }; }; - sane.services.trust-dns.zones."uninsane.org".inet.CNAME."sink" = [ "native" ]; + sane.services.trust-dns.zones."uninsane.org".inet.CNAME."sink" = "native"; } diff --git a/hosts/servo/services/ipfs.nix b/hosts/servo/services/ipfs.nix index ee8df852..ebe1cae8 100644 --- a/hosts/servo/services/ipfs.nix +++ b/hosts/servo/services/ipfs.nix @@ -34,7 +34,7 @@ lib.mkIf false # i don't actively use ipfs anymore }; }; - sane.services.trust-dns.zones."uninsane.org".inet.CNAME."ipfs" = [ "native" ]; + sane.services.trust-dns.zones."uninsane.org".inet.CNAME."ipfs" = "native"; # services.ipfs.enable = true; services.kubo.localDiscovery = true; diff --git a/hosts/servo/services/jackett.nix b/hosts/servo/services/jackett.nix index 31c2d023..7c6d7e55 100644 --- a/hosts/servo/services/jackett.nix +++ b/hosts/servo/services/jackett.nix 
@@ -27,6 +27,6 @@
 };
 };
- sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jackett" = [ "native" ];
+ sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jackett" = "native";
 }
diff --git a/hosts/servo/services/jellyfin.nix b/hosts/servo/services/jellyfin.nix
index 20234cf1..1862a599 100644
--- a/hosts/servo/services/jellyfin.nix
+++ b/hosts/servo/services/jellyfin.nix
@@ -61,7 +61,7 @@ lib.mkIf false
 };
 };
- sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jelly" = [ "native" ];
+ sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jelly" = "native";
 # users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
 # users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
diff --git a/hosts/servo/services/kiwix-serve.nix b/hosts/servo/services/kiwix-serve.nix
index a08e00e0..cc84a75f 100644
--- a/hosts/servo/services/kiwix-serve.nix
+++ b/hosts/servo/services/kiwix-serve.nix
@@ -13,5 +13,5 @@
 locations."/".proxyPass = "http://127.0.0.1:8013";
 };
- sane.services.trust-dns.zones."uninsane.org".inet.CNAME."w" = [ "native" ];
+ sane.services.trust-dns.zones."uninsane.org".inet.CNAME."w" = "native";
 }
diff --git a/hosts/servo/services/matrix/default.nix b/hosts/servo/services/matrix/default.nix
index 346bbd75..0b26947b 100644
--- a/hosts/servo/services/matrix/default.nix
+++ b/hosts/servo/services/matrix/default.nix
@@ -122,8 +122,8 @@
 };
 sane.services.trust-dns.zones."uninsane.org".inet = {
- CNAME."matrix" = [ "native" ];
- CNAME."web.matrix" = [ "native" ];
+ CNAME."matrix" = "native";
+ CNAME."web.matrix" = "native";
 };
diff --git a/hosts/servo/services/navidrome.nix b/hosts/servo/services/navidrome.nix
index 3bf5b0aa..6b4abd56 100644
--- a/hosts/servo/services/navidrome.nix
+++ b/hosts/servo/services/navidrome.nix
@@ -22,5 +22,5 @@
 locations."/".proxyPass = "http://127.0.0.1:4533";
 };
- sane.services.trust-dns.zones."uninsane.org".inet.CNAME."music" = [ "native" ];
+ sane.services.trust-dns.zones."uninsane.org".inet.CNAME."music" = "native";
 }
diff --git a/hosts/servo/services/nixserve.nix b/hosts/servo/services/nixserve.nix
index 888f199f..cbd3f580 100644
--- a/hosts/servo/services/nixserve.nix
+++ b/hosts/servo/services/nixserve.nix
@@ -14,7 +14,7 @@
 '';
 };
- sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = [ "native" ];
+ sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
 sane.services.nixserve.enable = true;
 sane.services.nixserve.sopsFile = ../../../secrets/servo.yaml;
diff --git a/hosts/servo/services/pleroma.nix b/hosts/servo/services/pleroma.nix
index c2c104e3..87ebc0a1 100644
--- a/hosts/servo/services/pleroma.nix
+++ b/hosts/servo/services/pleroma.nix
@@ -179,7 +179,7 @@
 };
 };
- sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = [ "native" ];
+ sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = "native";
 sops.secrets.pleroma_secrets = {
 sopsFile = ../../../secrets/servo.yaml;
diff --git a/hosts/servo/services/postfix.nix b/hosts/servo/services/postfix.nix
index f5daca03..41774dce 100644
--- a/hosts/servo/services/postfix.nix
+++ b/hosts/servo/services/postfix.nix
@@ -45,22 +45,22 @@ in
 sane.services.trust-dns.zones."uninsane.org".inet = {
- MX."@" = [ "10 mx.uninsane.org." ];
+ MX."@" = "10 mx.uninsane.org.";
 # XXX: RFC's specify that the MX record CANNOT BE A CNAME
- A."mx" = [ "185.157.162.178" ];
- CNAME."imap" = [ "native" ];
+ A."mx" = "185.157.162.178";
+ CNAME."imap" = "native";
 # Sender Policy Framework:
 # +mx => mail passes if it originated from the MX
 # +a => mail passes if it originated from the A address of this domain
 # +ip4:.. => mail passes if it originated from this IP
 # -all => mail fails if none of these conditions were met
- TXT."@" = [ "v=spf1 a mx -all" ];
+ TXT."@" = "v=spf1 a mx -all";
 # DKIM public key:
- TXT."mx._domainkey" = [
+ TXT."mx._domainkey" =
 "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkSyMufc2KrRx3j17e/LyB+3eYSBRuEFT8PUka8EDX04QzCwDPdkwgnj3GNDvnB5Ktb05Cf2SJ/S1OLqNsINxJRWtkVfZd/C339KNh9wrukMKRKNELL9HLUw0bczOI4gKKFqyrRE9qm+4csCMAR79Te9FCjGV/jVnrkLdPT0GtFwIDAQAB"
- ];
+ ;
 # DMARC fields :
 # p=none|quarantine|reject: what to do with failures
@@ -75,9 +75,9 @@ in
 # pct = sampling ratio for punishing failures (default 100 for 100%)
 # rf = report format
 # ri = report interval
- TXT."_dmarc" = [
+ TXT."_dmarc" =
 "v=DMARC1;p=quarantine;sp=reject;rua=mailto:admin+mail@uninsane.org;ruf=mailto:admin+mail@uninsane.org;fo=1:d:s"
- ];
+ ;
 };
 services.postfix.enable = true;
diff --git a/hosts/servo/services/transmission.nix b/hosts/servo/services/transmission.nix
index db9b75bb..e3cbc4f0 100644
--- a/hosts/servo/services/transmission.nix
+++ b/hosts/servo/services/transmission.nix
@@ -75,6 +75,6 @@
 };
 };
- sane.services.trust-dns.zones."uninsane.org".inet.CNAME."bt" = ["native"];
+ sane.services.trust-dns.zones."uninsane.org".inet.CNAME."bt" = "native";
 }
diff --git a/hosts/servo/services/trust-dns.nix b/hosts/servo/services/trust-dns.nix
index fbdbf558..e6c472d4 100644
--- a/hosts/servo/services/trust-dns.nix
+++ b/hosts/servo/services/trust-dns.nix
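Review bot: The `p=` value on the `TXT."mx._domainkey"` line has the length and the `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ` prefix of a 1024-bit RSA SubjectPublicKeyInfo, and RFC 8301 recommends that signers use at least 2048-bit keys, so a rotation is worth planning. A 2048-bit key makes the TXT value longer than the 255-octet character-string limit, which means it must be emitted as several quoted strings; the single-string form introduced here does not express that, so check how the zone renderer (apparently the `cfg.zones` mapping in modules/services/trust-dns.nix) handles long TXT values before rotating. Separately, the new `+ ;` lines here and in the `_dmarc` hunk that follows leave the terminating semicolon on a line by itself; with the brackets gone it belongs on the string line, e.g. `TXT."_dmarc" = "v=DMARC1;…";` (both records).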
@@ -21,25 +21,25 @@
 # Retry = how long secondary NS should wait until re-querying master after a failure (must be < Refresh)
 # Expire = how long secondary NS should continue to reply to queries after master fails (> Refresh + Retry)
 sane.services.trust-dns.zones."uninsane.org".inet = {
- SOA."@" = [''
+ SOA."@" = ''
 ns1.uninsane.org. admin-dns.uninsane.org. (
 2022122101 ; Serial
 4h ; Refresh
 30m ; Retry
 7d ; Expire
 5m) ; Negative response TTL
- ''];
- TXT."rev" = [ "2022122101" ];
+ '';
+ TXT."rev" = "2022122101";
 # XXX NS records must also not be CNAME
 # it's best that we keep this identical, or a superset of, what org. lists as our NS.
 # so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
- A."ns1" = [ "%NATIVE%" ];
- A."ns2" = [ "185.157.162.178" ];
- A."ns3" = [ "185.157.162.178" ];
- A."ovpns" = [ "185.157.162.178" ];
- A."native" = [ "%NATIVE%" ];
- A."@" = [ "%NATIVE%" ];
+ A."ns1" = "%NATIVE%";
+ A."ns2" = "185.157.162.178";
+ A."ns3" = "185.157.162.178";
+ A."ovpns" = "185.157.162.178";
+ A."native" = "%NATIVE%";
+ A."@" = "%NATIVE%";
 NS."@" = [
 "ns1.uninsane.org."
 "ns2.uninsane.org."
diff --git a/modules/services/trust-dns.nix b/modules/services/trust-dns.nix
index df6cbc34..b8d8db82 100644
--- a/modules/services/trust-dns.nix
+++ b/modules/services/trust-dns.nix
@@ -52,6 +52,13 @@ let
 }) cfg.zones );
 };
+
+ # (listOf ty) type which also accepts single-assignment of `ty`.
+ # it's used to allow the user to write:
+ # CNAME."foo" = "bar";
+ # as shorthand for
+ # CNAME."foo" = [ "bar" ];
+ listOrUnit = ty: types.coercedTo ty (elem: [ elem ]) (types.listOf ty);
 in {
 options = {
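Review bot: The serial `2022122101` is now written twice in the new lines (inside the `SOA."@"` string and as `TXT."rev"`), and `185.157.162.178` three times (`ns2`, `ns3`, `ovpns`) plus once more as `A."mx"` in the postfix.nix hunk, with nothing tying the copies together, so a serial bump or an address change that misses one copy leaves an SOA/`rev` mismatch or a stale record. Since every value is being rewritten here anyway, a `let serial = "2022122101"; vpnAddr = "185.157.162.178"; in` above the set (outside this hunk) would let each record reference one binding; `vpnAddr` is a guess at the meaning, going only by the `ovpns` name and the NS comment. Failing that, `# must match the SOA serial above` on the `TXT."rev"` line would at least record the invariant. The `inet = {` set opened in this hunk closes past its last line.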
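Review bot: The comment on `listOrUnit` explains the shorthand but not the merge behaviour, which is what a module author needs to know: because the final type stays `types.listOf ty`, definitions from several modules — a bare string in one, a list in another — are still merged by list concatenation, so `CNAME."foo" = "bar"` does not make the option single-valued (that is how `types.coercedTo` behaves in nixpkgs as far as I know; worth confirming). Adding `# merging is unchanged: a bare value is coerced to a one-element list before definitions are concatenated` to the comment block would make that explicit. The name `listOrUnit` also reads as "list or unit type"; `listOrSingle` or `listOrScalar` would say what it does.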
@@ -91,37 +98,37 @@ in
 };
 inet = {
 SOA = mkOption {
- type = types.attrsOf (types.listOf types.str);
+ type = types.attrsOf (listOrUnit types.str);
 description = "Start of Authority record(s)";
 default = {};
 };
 A = mkOption {
- type = types.attrsOf (types.listOf types.str);
+ type = types.attrsOf (listOrUnit types.str);
 description = "IPv4 address record(s)";
 default = {};
 };
 CNAME = mkOption {
- type = types.attrsOf (types.listOf types.str);
+ type = types.attrsOf (listOrUnit types.str);
 description = "canonical name record(s)";
 default = {};
 };
 MX = mkOption {
- type = types.attrsOf (types.listOf types.str);
+ type = types.attrsOf (listOrUnit types.str);
 description = "mail exchanger record(s)";
 default = {};
 };
 NS = mkOption {
- type = types.attrsOf (types.listOf types.str);
+ type = types.attrsOf (listOrUnit types.str);
 description = "name server record(s)";
 default = {};
 };
 SRV = mkOption {
- type = types.attrsOf (types.listOf types.str);
+ type = types.attrsOf (listOrUnit types.str);
 description = "service record(s)";
 default = {};
 };
 TXT = mkOption {
- type = types.attrsOf (types.listOf types.str);
+ type = types.attrsOf (listOrUnit types.str);
 description = "text record(s)";
 default = {};
 };
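Review bot: The seven `mkOption` blocks in this hunk differ only in their description string and now all carry the same `types.attrsOf (listOrUnit types.str)` type, so the type is spelled out seven times and a future change to the record type has to be repeated in each. A one-line helper defined next to `listOrUnit` in the `let` block (extended by the previous hunk, outside this one) collapses each block to a single line. `mkOption` is used unqualified in these lines, so it is presumably in scope in the `let` as well — confirm before moving it.
```nix
# in the let block, next to listOrUnit: one option per record type,
# all sharing the attrsOf-listOrUnit shape
mkRecordOption = description: mkOption {
  type = types.attrsOf (listOrUnit types.str);
  inherit description;
  default = {};
};

# … unchanged: the rest of the let block and the options up to `inet` …
inet = {
  SOA = mkRecordOption "Start of Authority record(s)";
  A = mkRecordOption "IPv4 address record(s)";
  CNAME = mkRecordOption "canonical name record(s)";
  MX = mkRecordOption "mail exchanger record(s)";
  NS = mkRecordOption "name server record(s)";
  SRV = mkRecordOption "service record(s)";
  TXT = mkRecordOption "text record(s)";
```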