Files
nix-stuff/dns/default.nix
Shelvacu e5b487d7d4 stuff
2025-08-12 19:32:21 -07:00

138 lines
4.3 KiB
Nix

{
dns,
lib,
vaculib,
config,
...
}:
let
inherit (lib) mkOption types singleton;
inherit (dns.lib.combinators)
ns
ttl
spf
mx
;
inherit (config.vacu) hosts;
cloudnsNameServers = [
"pns51.cloudns.net."
"pns52.cloudns.net."
"pns53.cloudns.net."
"pns54.cloudns.net."
];
cloudnsSoa = (
ttl (60 * 60) {
nameServer = lib.head cloudnsNameServers;
adminEmail = "support@cloudns.net";
serial = 1970010101; # cloudns takes care of updating the serial
refresh = 7200;
retry = 1800;
expire = 1209600;
minimum = 3600;
}
);
dkimKeyLiam = {
name = "2024-03-liam";
content = "v=DKIM1; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqoFR9cwOb+IpvaqrI55zlouWMUk5hjKHQARajqeOev2I6Gc3QIvU8btyhKCJu7pwxr+DxK/9HeqTmweCSXZmLlVZ6LjW80aAg+8l2DyMKZPaTowSQcExfNMwHqI1ByUPx49LQQEzvwv8Lx3To2+JghZNXHUx7gcraoCUQnRNzCMoMsGF25Yyt4piW6SXKWsbWHVXaL2i953PtT6agJYqssnBqPx6wqibrkeB9MbtSw97L5oQDaDLmJzEK54vRjFFV4X6/Q1d3D6M5PH0XGm6WEhrNEPgMAAZ6rBqi+AoXUz9E9B+kE/Zc6krCTiV0Y1uL83RCILaEJIjRsHqgrGRYEIBUb4Z5d4CgB3szixzaFTmG+XAgDLGnAHRNGeOn0bUmj35miLUopzGJgHCUQYjaaXMH4FSQMYBFPVqZ1aSiZO0EC/mbLlFbBy51RYPJQK0IusN4IqaBYw6jZYMEVlLWkNb34bfNtPKwoG4T3UjxmSRpfiNCFjYd4DaOz/FBAvUL9bx+qU7O6EZRtslROaWN18uSt20hBH0SpvEovj7vBgWWqXG/chNS7YSSaf3Tlb3I5NbqbmvwFF0t8uuEtN0Wh26qMuOKx70K90B9FpJBpfIk/w8FQ80kP6spbMN1v1T5fA7oZMV1fOn1IezH4wE5Yk/3dS+OXJ4YiLH/hWfjecCAwEAAQ==";
};
dmarc = lib.pipe [
# see https://www.rfc-editor.org/rfc/rfc7489.html#section-6.3
"v=DMARC1"
"p=reject" # policy = reject all mail that fails DKIM or SPF
# no need for sp=, policy applies to subdomains by default
"adkim=s" # match dkim domains strictly (foo.shelvacu.com != shelvacu.com)
"aspf=s" # match spf domains strictly
"fo=1" # failure reporting: report a failure if any of dkim or spf fails
"rua=mailto:dmarc-rua@shelvacu.com!25m"
"ruf=mailto:dmarc-ruf@shelvacu.com!25m"
] [
(map (s: s + ";"))
(lib.concatStringsSep " ")
];
vacuZoneExtModule = { config, ... }: {
imports = [ vacuDomainExtModule ];
options.vacu.cloudns = mkOption {
default = true;
type = types.bool;
};
config = lib.mkIf config.vacu.cloudns {
SOA = cloudnsSoa;
NS = map (server: ttl (60 * 60) (ns server)) cloudnsNameServers;
TTL = lib.mkDefault 300;
};
};
vacuDomainExtModule = { config, ... }: {
options.vacu = {
liamMail = mkOption {
default = false;
type = types.bool;
};
_ancestorHasDMARC = mkOption {
type = types.bool;
default = false;
internal = true;
};
};
options.subdomains = mkOption {
type = types.attrsOf (types.submodule [
{
config.vacu._ancestorHasDMARC = config.vacu.liamMail || config.vacu._ancestorHasDMARC;
}
vacuDomainExtModule
]);
};
config = lib.mkMerge [
(lib.mkIf config.vacu.liamMail {
MX = singleton (mx.mx 0 "liam.dis8.net.");
TXT = singleton (
spf.strict [
"mx"
"include:outbound.mailhop.org"
"include:_spf.mailersend.net"
"a:relay.dynu.com"
]
);
subdomains."${dkimKeyLiam.name}._domainkey".TXT = singleton dkimKeyLiam.content;
})
(lib.mkIf (config.vacu.liamMail && !config.vacu._ancestorHasDMARC) {
subdomains._dmarc.TXT = singleton dmarc;
})
];
};
# vacuZone = lib.mkMerge [
# dns.lib.types.zone
# (types.submodule vacuZoneExtModule)
# ];
in
{
imports = [
./jean-luc.org.nix
./pwrhs.win.nix
./shelvacu.miras.pet.nix
./for.miras.pet.nix
./shelvacu.com.nix
./dis8.net.nix
./sv.mt.nix
({ dns, ... }: {
options.vacu.dns = mkOption {
default = { };
type = types.attrsOf dns.lib.types.zone;
};
})
];
options.vacu.dns = mkOption {
type = types.attrsOf (types.submodule vacuZoneExtModule);
};
options.vacu.dnsData = vaculib.mkOutOptions rec {
tripPublicV4 = hosts.triple-dezert.primaryIp;
propPublicV4 = hosts.prophecy.primaryIp;
digitalOcean = {
reservedV4 = "138.197.233.105";
liamPublicV4 = "178.128.79.152";
mailPublicV4 = "167.99.161.174";
};
doV4 = digitalOcean.reservedV4;
awooV4 = hosts.awoo.primaryIp;
};
}