-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
{
+ options.myServices.dns.enable = lib.mkEnableOption "enable DNS resolver";
config = let
+ # taken from unstable
+ cartesianProductOfSets = attrsOfLists: with lib;
+ lib.foldl' (listOfAttrs: attrName:
+ concatMap (attrs:
+ map (listValue: attrs // { ${attrName} = listValue; }) attrsOfLists.${attrName}
+ ) listOfAttrs
+ ) [{}] (attrNames attrsOfLists);
cfg = config.services.bind;
+ keyIncludes = builtins.concatStringsSep "\n" (map (v: "include \"${config.secrets.fullPaths."bind/${v}.key"}\";") (builtins.attrNames config.myEnv.dns.keys));
+ cartProduct = lib.foldr
+ (s: servers: servers // { ${s.masters} = lib.unique ((servers.${s.masters} or []) ++ [s.keys]); })
+ {}
+ (lib.unique (lib.concatMap (z: cartesianProductOfSets { masters = z.masters or []; keys = z.keys or []; }) config.myEnv.dns.slaveZones));
+ toKeyList = servers: keys: builtins.concatStringsSep "\n" (map (s: ''
+ server ${s} {
+ keys { ${builtins.concatStringsSep ";" keys}; };
+ };
+ '') servers);
+ serverIncludes = builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: toKeyList (lib.flatten (builtins.attrValues config.myEnv.dns.ns."${n}"))) cartProduct);
configFile = pkgs.writeText "named.conf" ''
include "/etc/bind/rndc.key";
controls {
${cfg.extraOptions}
};
+ ${keyIncludes}
+ ${serverIncludes}
+
${cfg.extraConfig}
${ lib.concatMapStrings
'')
cfg.zones }
'';
- in
- {
+ mxes = lib.attrsets.filterAttrs
+ (n: v: v.mx.enable)
+ config.myEnv.servers;
+ ip4mxes = builtins.concatStringsSep "\n" (lib.mapAttrsToList
+ (n: v: "${v.mx.subdomain} IN A ${v.ips.main.ip4}")
+ mxes);
+ ip6mxes = builtins.concatStringsSep "\n" (lib.mapAttrsToList
+ (n: v: builtins.concatStringsSep "\n" (map (i: "${v.mx.subdomain} IN AAAA ${i}") v.ips.main.ip6))
+ mxes);
+ mxmxes = n: conf: builtins.concatStringsSep "\n" (lib.mapAttrsToList
+ (_: v: "${n} IN MX ${v.mx.priority} ${v.mx.subdomain}.${conf.name}.")
+ mxes);
+ in lib.mkIf config.myServices.dns.enable {
networking.firewall.allowedUDPPorts = [ 53 ];
networking.firewall.allowedTCPPorts = [ 53 ];
+ users.users.named.extraGroups = [ "keys" ];
+ secrets.keys = lib.mapAttrs' (k: v:
+ lib.nameValuePair "bind/${k}.key" {
+ permissions = "0400";
+ user = "named";
+ text = ''
+ key "${k}"
+ {
+ algorithm ${v.algorithm};
+ secret "${v.secret}";
+ };
+ '';
+ }
+ ) config.myEnv.dns.keys;
services.bind = {
enable = true;
cacheNetworks = ["any"];
allow-recursion { 127.0.0.1; };
allow-transfer { none; };
- notify-source ${myconfig.env.servers.eldiron.ips.main.ip4};
- notify-source-v6 ${lib.head myconfig.env.servers.eldiron.ips.main.ip6};
+ notify-source ${config.myEnv.servers.eldiron.ips.main.ip4};
+ notify-source-v6 ${lib.head config.myEnv.servers.eldiron.ips.main.ip6};
version none;
hostname none;
server-id none;
'';
- zones = with myconfig.env.dns;
+ zones = with config.myEnv.dns;
assert (builtins.substring ((builtins.stringLength soa.email)-1) 1 soa.email) != ".";
assert (builtins.substring ((builtins.stringLength soa.primary)-1) 1 soa.primary) != ".";
(map (conf: {
@ IN SOA ${soa.primary}. ${builtins.replaceStrings ["@"] ["."] soa.email}. ${soa.serial} ${soa.refresh} ${soa.retry} ${soa.expire} ${soa.ttl}
${lib.concatStringsSep "\n" (map (x: "@ IN NS ${x}.") (lib.concatMap (n: lib.attrsets.mapAttrsToList (k: v: k) ns.${n}) conf.ns))}
+ ${lib.optionalString (conf.withCAA != null) ''
+ ${conf.name}. IN CAA 0 issue "${conf.withCAA}"
+ ''}
${conf.entries}
${if lib.attrsets.hasAttr "withEmail" conf && lib.lists.length conf.withEmail > 0 then ''
- mail IN A ${myconfig.env.servers.immaeEu.ips.main.ip4}
- mx-1 IN A ${myconfig.env.servers.eldiron.ips.main.ip4}
- ${builtins.concatStringsSep "\n" (map (i: "mail IN AAAA ${i}") myconfig.env.servers.immaeEu.ips.main.ip6)}
- ${builtins.concatStringsSep "\n" (map (i: "mx-1 IN AAAA ${i}") myconfig.env.servers.eldiron.ips.main.ip6)}
+ ${ip4mxes}
+ ${ip6mxes}
${lib.concatStringsSep "\n\n" (map (e:
let
n = if e.domain == "" then "@" else "${e.domain} ";
in
''
; ------------------ mail: ${n} ---------------------------
- ${n} IN MX 10 mail.${conf.name}.
- ${n} IN MX 50 mx-1.${conf.name}.
+ ${mxmxes n conf}
; https://tools.ietf.org/html/rfc6186
- _submission._tcp${suffix} SRV 0 1 587 smtp.immae.eu.
- _imap._tcp${suffix} SRV 0 1 143 imap.immae.eu.
- _imaps._tcp${suffix} SRV 0 1 993 imap.immae.eu.
- _pop3._tcp${suffix} SRV 10 1 110 pop3.immae.eu.
- _pop3s._tcp${suffix} SRV 10 1 995 pop3.immae.eu.
- _sieve._tcp${suffix} SRV 0 1 4190 imap.immae.eu.
+ _submission._tcp${suffix} SRV 0 1 587 smtp.immae.eu.
+ _submissions._tcp${suffix} SRV 0 1 465 smtp.immae.eu.
+ _imap._tcp${suffix} SRV 0 1 143 imap.immae.eu.
+ _imaps._tcp${suffix} SRV 0 1 993 imap.immae.eu.
+ _pop3._tcp${suffix} SRV 10 1 110 pop3.immae.eu.
+ _pop3s._tcp${suffix} SRV 10 1 995 pop3.immae.eu.
+ _sieve._tcp${suffix} SRV 0 1 4190 imap.immae.eu.
+
+ ; MTA-STS
+ ; https://blog.delouw.ch/2018/12/16/using-mta-sts-to-enhance-email-transport-security-and-privacy/
+ ; https://support.google.com/a/answer/9261504
+ _mta-sts${suffix} IN TXT "v=STSv1;id=20200109150200Z"
+ _smtp._tls${suffix} IN TXT "v=TLSRPTv1;rua=mailto:postmaster+mta-sts@immae.eu"
+ mta-sts${suffix} IN A ${config.myEnv.servers.eldiron.ips.main.ip4}
+ ${builtins.concatStringsSep "\n" (map (i: "mta-sts${suffix} IN AAAA ${i}") config.myEnv.servers.eldiron.ips.main.ip6)}
; Mail sender authentications
${n} IN TXT "v=spf1 mx ~all"
immae_eu._domainkey${suffix} IN TXT ( "v=DKIM1; k=rsa; s=email; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzl3vLd8W5YAuumC5+ZT9OV7/14Pmh5JYtwyqKI3cfe9NnAqInt3xO4bZ7oqIxRKWN4SD39vm7O/QOvFdBt00ENOOzdP90s5gKw6eIP/4+vPTh0IWltAsmu9B2agzdtWUE7t2xFKIzEn8l9niRE2QYbVaqZv4sub98vY55fIgFoHtjkmNC7325S8fjDJGp6OPbyhAs6Xl5/adjF"
"0ko4Y2p6RaxLQfjlS0bxmK4Qg6C14pIXHtzVeqOuWrwApqt5+AULSn97iUtqV/IJlEEjC6DUR44t3C/G0G/k46iFclCqRRi0hdPrOHCtZDbtMubnTN9eaUiNpkXh1WnCflHwtjQwIDAQAB" )
- eldiron._domainkey${suffix} IN TXT ${myconfig.env.mail.dkim.eldiron.public}
+ eldiron._domainkey${suffix} IN TXT ${config.myEnv.mail.dkim.eldiron.public}
'' else ""}
'') conf.withEmail)}
'' + (if conf.name == "immae.eu" then ''