trust-dns: allow shorthand assignment of record lists
parent
88a33dd5de
commit
be222c1d70
@ -75,33 +75,33 @@
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet = {
|
sane.services.trust-dns.zones."uninsane.org".inet = {
|
||||||
# XXX: SRV records have to point to something with a A/AAAA record; no CNAMEs
|
# XXX: SRV records have to point to something with a A/AAAA record; no CNAMEs
|
||||||
A."xmpp" = [ "%NATIVE%" ];
|
A."xmpp" = "%NATIVE%";
|
||||||
CNAME."muc.xmpp" = [ "xmpp" ];
|
CNAME."muc.xmpp" = "xmpp";
|
||||||
CNAME."pubsub.xmpp" = [ "xmpp" ];
|
CNAME."pubsub.xmpp" = "xmpp";
|
||||||
CNAME."upload.xmpp" = [ "xmpp" ];
|
CNAME."upload.xmpp" = "xmpp";
|
||||||
CNAME."vjid.xmpp" = [ "xmpp" ];
|
CNAME."vjid.xmpp" = "xmpp";
|
||||||
|
|
||||||
# _Service._Proto.Name TTL Class SRV Priority Weight Port Target
|
# _Service._Proto.Name TTL Class SRV Priority Weight Port Target
|
||||||
# - <https://xmpp.org/extensions/xep-0368.html>
|
# - <https://xmpp.org/extensions/xep-0368.html>
|
||||||
# something's requesting the SRV records for muc.xmpp, so let's include it
|
# something's requesting the SRV records for muc.xmpp, so let's include it
|
||||||
# nothing seems to request XMPP SRVs for the other records (except @)
|
# nothing seems to request XMPP SRVs for the other records (except @)
|
||||||
# lower numerical priority field tells clients to prefer this method
|
# lower numerical priority field tells clients to prefer this method
|
||||||
SRV."_xmpps-client._tcp.muc.xmpp" = [ "3 50 5223 xmpp" ];
|
SRV."_xmpps-client._tcp.muc.xmpp" = "3 50 5223 xmpp";
|
||||||
SRV."_xmpps-server._tcp.muc.xmpp" = [ "3 50 5270 xmpp" ];
|
SRV."_xmpps-server._tcp.muc.xmpp" = "3 50 5270 xmpp";
|
||||||
SRV."_xmpp-client._tcp.muc.xmpp" = [ "5 50 5222 xmpp" ];
|
SRV."_xmpp-client._tcp.muc.xmpp" = "5 50 5222 xmpp";
|
||||||
SRV."_xmpp-server._tcp.muc.xmpp" = [ "5 50 5269 xmpp" ];
|
SRV."_xmpp-server._tcp.muc.xmpp" = "5 50 5269 xmpp";
|
||||||
|
|
||||||
SRV."_xmpps-client._tcp" = [ "3 50 5223 xmpp" ];
|
SRV."_xmpps-client._tcp" = "3 50 5223 xmpp";
|
||||||
SRV."_xmpps-server._tcp" = [ "3 50 5270 xmpp" ];
|
SRV."_xmpps-server._tcp" = "3 50 5270 xmpp";
|
||||||
SRV."_xmpp-client._tcp" = [ "5 50 5222 xmpp" ];
|
SRV."_xmpp-client._tcp" = "5 50 5222 xmpp";
|
||||||
SRV."_xmpp-server._tcp" = [ "5 50 5269 xmpp" ];
|
SRV."_xmpp-server._tcp" = "5 50 5269 xmpp";
|
||||||
|
|
||||||
SRV."_stun._udp" = [ "5 50 3478 xmpp" ];
|
SRV."_stun._udp" = "5 50 3478 xmpp";
|
||||||
SRV."_stun._tcp" = [ "5 50 3478 xmpp" ];
|
SRV."_stun._tcp" = "5 50 3478 xmpp";
|
||||||
SRV."_stuns._tcp" = [ "5 50 5349 xmpp" ];
|
SRV."_stuns._tcp" = "5 50 5349 xmpp";
|
||||||
SRV."_turn._udp" = [ "5 50 3478 xmpp" ];
|
SRV."_turn._udp" = "5 50 3478 xmpp";
|
||||||
SRV."_turn._tcp" = [ "5 50 3478 xmpp" ];
|
SRV."_turn._tcp" = "5 50 3478 xmpp";
|
||||||
SRV."_turns._tcp" = [ "5 50 5349 xmpp" ];
|
SRV."_turns._tcp" = "5 50 5349 xmpp";
|
||||||
};
|
};
|
||||||
|
|
||||||
# TODO: allocate UIDs/GIDs ?
|
# TODO: allocate UIDs/GIDs ?
|
||||||
|
|
|
@ -57,5 +57,5 @@
|
||||||
# the routing is handled by services.freshrss.virtualHost
|
# the routing is handled by services.freshrss.virtualHost
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."rss" = [ "native" ];
|
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."rss" = "native";
|
||||||
}
|
}
|
||||||
|
|
|
@ -85,5 +85,5 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."git" = [ "native" ];
|
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."git" = "native";
|
||||||
}
|
}
|
||||||
|
|
|
@ -64,5 +64,5 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."sink" = [ "native" ];
|
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."sink" = "native";
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,7 +34,7 @@ lib.mkIf false # i don't actively use ipfs anymore
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."ipfs" = [ "native" ];
|
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."ipfs" = "native";
|
||||||
|
|
||||||
# services.ipfs.enable = true;
|
# services.ipfs.enable = true;
|
||||||
services.kubo.localDiscovery = true;
|
services.kubo.localDiscovery = true;
|
||||||
|
|
|
@ -27,6 +27,6 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jackett" = [ "native" ];
|
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jackett" = "native";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -61,7 +61,7 @@ lib.mkIf false
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jelly" = [ "native" ];
|
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jelly" = "native";
|
||||||
|
|
||||||
# users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
|
# users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
|
||||||
# users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
|
# users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
|
||||||
|
|
|
@ -13,5 +13,5 @@
|
||||||
locations."/".proxyPass = "http://127.0.0.1:8013";
|
locations."/".proxyPass = "http://127.0.0.1:8013";
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."w" = [ "native" ];
|
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."w" = "native";
|
||||||
}
|
}
|
||||||
|
|
|
@ -122,8 +122,8 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet = {
|
sane.services.trust-dns.zones."uninsane.org".inet = {
|
||||||
CNAME."matrix" = [ "native" ];
|
CNAME."matrix" = "native";
|
||||||
CNAME."web.matrix" = [ "native" ];
|
CNAME."web.matrix" = "native";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -22,5 +22,5 @@
|
||||||
locations."/".proxyPass = "http://127.0.0.1:4533";
|
locations."/".proxyPass = "http://127.0.0.1:4533";
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."music" = [ "native" ];
|
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."music" = "native";
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = [ "native" ];
|
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."nixcache" = "native";
|
||||||
|
|
||||||
sane.services.nixserve.enable = true;
|
sane.services.nixserve.enable = true;
|
||||||
sane.services.nixserve.sopsFile = ../../../secrets/servo.yaml;
|
sane.services.nixserve.sopsFile = ../../../secrets/servo.yaml;
|
||||||
|
|
|
@ -179,7 +179,7 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = [ "native" ];
|
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."fed" = "native";
|
||||||
|
|
||||||
sops.secrets.pleroma_secrets = {
|
sops.secrets.pleroma_secrets = {
|
||||||
sopsFile = ../../../secrets/servo.yaml;
|
sopsFile = ../../../secrets/servo.yaml;
|
||||||
|
|
|
@ -45,22 +45,22 @@ in
|
||||||
|
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet = {
|
sane.services.trust-dns.zones."uninsane.org".inet = {
|
||||||
MX."@" = [ "10 mx.uninsane.org." ];
|
MX."@" = "10 mx.uninsane.org.";
|
||||||
# XXX: RFC's specify that the MX record CANNOT BE A CNAME
|
# XXX: RFC's specify that the MX record CANNOT BE A CNAME
|
||||||
A."mx" = [ "185.157.162.178" ];
|
A."mx" = "185.157.162.178";
|
||||||
CNAME."imap" = [ "native" ];
|
CNAME."imap" = "native";
|
||||||
|
|
||||||
# Sender Policy Framework:
|
# Sender Policy Framework:
|
||||||
# +mx => mail passes if it originated from the MX
|
# +mx => mail passes if it originated from the MX
|
||||||
# +a => mail passes if it originated from the A address of this domain
|
# +a => mail passes if it originated from the A address of this domain
|
||||||
# +ip4:.. => mail passes if it originated from this IP
|
# +ip4:.. => mail passes if it originated from this IP
|
||||||
# -all => mail fails if none of these conditions were met
|
# -all => mail fails if none of these conditions were met
|
||||||
TXT."@" = [ "v=spf1 a mx -all" ];
|
TXT."@" = "v=spf1 a mx -all";
|
||||||
|
|
||||||
# DKIM public key:
|
# DKIM public key:
|
||||||
TXT."mx._domainkey" = [
|
TXT."mx._domainkey" =
|
||||||
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkSyMufc2KrRx3j17e/LyB+3eYSBRuEFT8PUka8EDX04QzCwDPdkwgnj3GNDvnB5Ktb05Cf2SJ/S1OLqNsINxJRWtkVfZd/C339KNh9wrukMKRKNELL9HLUw0bczOI4gKKFqyrRE9qm+4csCMAR79Te9FCjGV/jVnrkLdPT0GtFwIDAQAB"
|
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkSyMufc2KrRx3j17e/LyB+3eYSBRuEFT8PUka8EDX04QzCwDPdkwgnj3GNDvnB5Ktb05Cf2SJ/S1OLqNsINxJRWtkVfZd/C339KNh9wrukMKRKNELL9HLUw0bczOI4gKKFqyrRE9qm+4csCMAR79Te9FCjGV/jVnrkLdPT0GtFwIDAQAB"
|
||||||
];
|
;
|
||||||
|
|
||||||
# DMARC fields <https://datatracker.ietf.org/doc/html/rfc7489>:
|
# DMARC fields <https://datatracker.ietf.org/doc/html/rfc7489>:
|
||||||
# p=none|quarantine|reject: what to do with failures
|
# p=none|quarantine|reject: what to do with failures
|
||||||
|
@ -75,9 +75,9 @@ in
|
||||||
# pct = sampling ratio for punishing failures (default 100 for 100%)
|
# pct = sampling ratio for punishing failures (default 100 for 100%)
|
||||||
# rf = report format
|
# rf = report format
|
||||||
# ri = report interval
|
# ri = report interval
|
||||||
TXT."_dmarc" = [
|
TXT."_dmarc" =
|
||||||
"v=DMARC1;p=quarantine;sp=reject;rua=mailto:admin+mail@uninsane.org;ruf=mailto:admin+mail@uninsane.org;fo=1:d:s"
|
"v=DMARC1;p=quarantine;sp=reject;rua=mailto:admin+mail@uninsane.org;ruf=mailto:admin+mail@uninsane.org;fo=1:d:s"
|
||||||
];
|
;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.postfix.enable = true;
|
services.postfix.enable = true;
|
||||||
|
|
|
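Review bot: The DKIM assignment now leaves its terminating `;` alone on a line (`TXT."mx._domainkey" =`, the string, then `;`), and the DMARC assignment in the second hunk of this file (`TXT."_dmarc" =` … `;`) does the same, which reads like an unfinished statement and is easy to break the next time the value is edited. Keeping the long value on its own line but moving the semicolon onto it makes the statement boundary obvious: `TXT."mx._domainkey" =` followed by the existing string with `;` appended, e.g. `"v=DKIM1; k=rsa; p=…";`, and likewise for `_dmarc`. The surrounding `sane.services.trust-dns.zones."uninsane.org".inet = {` block is opened in the first hunk and closed in the second.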
@ -75,6 +75,6 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."bt" = ["native"];
|
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."bt" = "native";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -21,25 +21,25 @@
|
||||||
# Retry = how long secondary NS should wait until re-querying master after a failure (must be < Refresh)
|
# Retry = how long secondary NS should wait until re-querying master after a failure (must be < Refresh)
|
||||||
# Expire = how long secondary NS should continue to reply to queries after master fails (> Refresh + Retry)
|
# Expire = how long secondary NS should continue to reply to queries after master fails (> Refresh + Retry)
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet = {
|
sane.services.trust-dns.zones."uninsane.org".inet = {
|
||||||
SOA."@" = [''
|
SOA."@" = ''
|
||||||
ns1.uninsane.org. admin-dns.uninsane.org. (
|
ns1.uninsane.org. admin-dns.uninsane.org. (
|
||||||
2022122101 ; Serial
|
2022122101 ; Serial
|
||||||
4h ; Refresh
|
4h ; Refresh
|
||||||
30m ; Retry
|
30m ; Retry
|
||||||
7d ; Expire
|
7d ; Expire
|
||||||
5m) ; Negative response TTL
|
5m) ; Negative response TTL
|
||||||
''];
|
'';
|
||||||
TXT."rev" = [ "2022122101" ];
|
TXT."rev" = "2022122101";
|
||||||
|
|
||||||
# XXX NS records must also not be CNAME
|
# XXX NS records must also not be CNAME
|
||||||
# it's best that we keep this identical, or a superset of, what org. lists as our NS.
|
# it's best that we keep this identical, or a superset of, what org. lists as our NS.
|
||||||
# so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
|
# so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
|
||||||
A."ns1" = [ "%NATIVE%" ];
|
A."ns1" = "%NATIVE%";
|
||||||
A."ns2" = [ "185.157.162.178" ];
|
A."ns2" = "185.157.162.178";
|
||||||
A."ns3" = [ "185.157.162.178" ];
|
A."ns3" = "185.157.162.178";
|
||||||
A."ovpns" = [ "185.157.162.178" ];
|
A."ovpns" = "185.157.162.178";
|
||||||
A."native" = [ "%NATIVE%" ];
|
A."native" = "%NATIVE%";
|
||||||
A."@" = [ "%NATIVE%" ];
|
A."@" = "%NATIVE%";
|
||||||
NS."@" = [
|
NS."@" = [
|
||||||
"ns1.uninsane.org."
|
"ns1.uninsane.org."
|
||||||
"ns2.uninsane.org."
|
"ns2.uninsane.org."
|
||||||
|
|
|
@ -52,6 +52,13 @@ let
|
||||||
}) cfg.zones
|
}) cfg.zones
|
||||||
);
|
);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# (listOf ty) type which also accepts single-assignment of `ty`.
|
||||||
|
# it's used to allow the user to write:
|
||||||
|
# CNAME."foo" = "bar";
|
||||||
|
# as shorthand for
|
||||||
|
# CNAME."foo" = [ "bar" ];
|
||||||
|
listOrUnit = ty: types.coercedTo ty (elem: [ elem ]) (types.listOf ty);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options = {
|
options = {
|
||||||
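Review bot: The comment above `listOrUnit` explains the shorthand but not what happens when two modules assign the same record name, which is where a reader of `CNAME."foo" = "bar"` is most likely to be surprised. If I read `types.coercedTo` correctly, each definition is coerced to a one-element list before `types.listOf` merges them, so two modules that both set `CNAME."foo"` still produce a two-element list rather than a definition conflict — the same behaviour as before, but now hidden behind scalar-looking syntax. Suggest extending the comment with `# N.B.: separate definitions of the same record are still merged into one list (two modules setting CNAME."foo" yield two CNAME values); a bare string does not mean "exactly one record".` Whether the zone generator (outside this hunk) rejects a name carrying several CNAMEs I cannot tell from here; the `let` block containing `listOrUnit` starts before this hunk.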
|
@ -91,37 +98,37 @@ in
|
||||||
};
|
};
|
||||||
inet = {
|
inet = {
|
||||||
SOA = mkOption {
|
SOA = mkOption {
|
||||||
type = types.attrsOf (types.listOf types.str);
|
type = types.attrsOf (listOrUnit types.str);
|
||||||
description = "Start of Authority record(s)";
|
description = "Start of Authority record(s)";
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
A = mkOption {
|
A = mkOption {
|
||||||
type = types.attrsOf (types.listOf types.str);
|
type = types.attrsOf (listOrUnit types.str);
|
||||||
description = "IPv4 address record(s)";
|
description = "IPv4 address record(s)";
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
CNAME = mkOption {
|
CNAME = mkOption {
|
||||||
type = types.attrsOf (types.listOf types.str);
|
type = types.attrsOf (listOrUnit types.str);
|
||||||
description = "canonical name record(s)";
|
description = "canonical name record(s)";
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
MX = mkOption {
|
MX = mkOption {
|
||||||
type = types.attrsOf (types.listOf types.str);
|
type = types.attrsOf (listOrUnit types.str);
|
||||||
description = "mail exchanger record(s)";
|
description = "mail exchanger record(s)";
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
NS = mkOption {
|
NS = mkOption {
|
||||||
type = types.attrsOf (types.listOf types.str);
|
type = types.attrsOf (listOrUnit types.str);
|
||||||
description = "name server record(s)";
|
description = "name server record(s)";
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
SRV = mkOption {
|
SRV = mkOption {
|
||||||
type = types.attrsOf (types.listOf types.str);
|
type = types.attrsOf (listOrUnit types.str);
|
||||||
description = "service record(s)";
|
description = "service record(s)";
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
TXT = mkOption {
|
TXT = mkOption {
|
||||||
type = types.attrsOf (types.listOf types.str);
|
type = types.attrsOf (listOrUnit types.str);
|
||||||
description = "text record(s)";
|
description = "text record(s)";
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
|
|
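Review bot: The seven `description` strings in this hunk still say only "… record(s)" although the option type now also admits a bare string, so the generated option documentation will not tell users about the shorthand this commit introduces. Suggest stating it once per option, e.g. `description = "canonical name record(s); a bare string is shorthand for a single-element list";`, with the same wording for SOA, A, MX, NS, SRV and TXT. The `inet = {` attrset is opened in this hunk but closed after it.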