[perso/Immae/Config/Nix.git] / systems / eldiron / dns.nix

{ lib, pkgs, config, dns-nix, ... }:
let
  zonesWithDNSSec = lib.filterAttrs (k: v: v.dnssec.enable) config.myServices.dns.zones;
  zoneToFile = name: v: pkgs.runCommand "${name}.zone" {
    text = v;
    passAsFile = [ "text" ];
    # Automatically change the increment when relevant change
    # happened (both serial and mta-sts)
  } ''
    mv "$textPath" $out
    increment=$(( 100*($(date -u +%-H) * 60 + $(date -u +%-M))/1440 ))
    sed -i -e "s/2022121902/$(date -u +%Y%m%d)$increment/g" $out
    sed -i -e "s/20200109150200Z/$(date -u +%Y%m%d%H%M%SZ)/g" $out
  '';
in
{
  options.myServices.dns = {
    enable = lib.mkEnableOption "enable DNS resolver";
    helpers = lib.mkOption {
      readOnly = true;
      description = ''
        Some useful constants or functions for zones definition
      '';
      default = rec {
        servers = config.myEnv.servers;
        ips = i: { A = i.ip4; AAAA = i.ip6; };
        letsencrypt = [ { tag = "issue"; value = "letsencrypt.org"; issuerCritical = false; } ];
        toKV = a: let
          removeOrder = n: lib.last (builtins.split "__" n);
        in
          builtins.concatStringsSep ";" (builtins.attrValues (builtins.mapAttrs (n: v: "${removeOrder n}=${v}") a));
        mailMX = {
          hasEmail = true;
          subdomains = let
            mxes = lib.filterAttrs (n: v: v ? mx && v.mx.enable) servers;
          in
            lib.mapAttrs' (n: v: lib.nameValuePair v.mx.subdomain (ips v.ips.main)) mxes;
        };
        zoneHeader = {
          TTL = 3*60*60;
          SOA = {
            # yyyymmdd?? (increment ?? at each change)
            serial = 2022121902; # Don't change this value, it is replaced automatically!
            refresh = 3*60*60;
            retry = 60*60;
            expire = 14*24*60*60;
            minimum = 3*60*60; # negative cache ttl
            adminEmail = "hostmaster@immae.eu"; #email-address s/@/./
            nameServer = "ns1.immae.eu.";
          };
        };
        mailSend = {
          # DKIM 2048b
          subdomains._domainkey.subdomains.eldiron2.TXT = [
            (toKV config.myEnv.mail.dkim.eldiron2.public)
          ];
          # DKIM 1024b
          subdomains._domainkey.subdomains.eldiron.TXT = [
            (toKV config.myEnv.mail.dkim.eldiron.public)
          ];
          # old key, may still be used by verifiers
          subdomains._domainkey.subdomains.immae_eu.TXT = [
            (toKV config.myEnv.mail.dkim.immae_eu.public)
          ];
        };
        mailCommon = name: quarantine: {
          MX = let
            mxes = lib.filterAttrs (n: v: v ? mx && v.mx.enable) servers;
          in
            lib.mapAttrsToList (n: v: { preference = v.mx.priority; exchange = "${v.mx.subdomain}.${name}."; }) mxes;

          # https://tools.ietf.org/html/rfc6186
          SRV = [
            { service = "submission"; proto = "tcp"; priority = 0; weight = 1; port = 587; target = "smtp.immae.eu."; }
            { service = "submissions"; proto = "tcp"; priority = 0; weight = 1; port = 465; target = "smtp.immae.eu."; }

            { service = "imap"; proto = "tcp"; priority = 0; weight = 1; port = 143; target = "imap.immae.eu."; }
            { service = "imaps"; proto = "tcp"; priority = 0; weight = 1; port = 993; target = "imap.immae.eu."; }
            { service = "sieve"; proto = "tcp"; priority = 0; weight = 1; port = 4190; target = "imap.immae.eu."; }

            { service = "pop3"; proto = "tcp"; priority = 10; weight = 1; port = 110; target = "pop3.immae.eu."; }
            { service = "pop3s"; proto = "tcp"; priority = 10; weight = 1; port = 995; target = "pop3.immae.eu."; }
          ];

          subdomains = {
            # MTA-STS
            # https://blog.delouw.ch/2018/12/16/using-mta-sts-to-enhance-email-transport-security-and-privacy/
            # https://support.google.com/a/answer/9261504
            _mta-sts.TXT = [ (toKV { _00__v = "STSv1"; id = "20200109150200Z"; }) ]; # Don't change this value, it is updated automatically!
            _tls.subdomains._smtp.TXT = [ (toKV { _00__v = "TLSRPTv1"; rua = "mailto:postmaster+mta-sts@immae.eu"; }) ];
            mta-sts = ips servers.eldiron.ips.main;

            # DMARC
            # p needs to be the first tag
            _dmarc.TXT = [ (toKV { _00__v = "DMARC1"; _01__p = if quarantine then "quarantine" else "none"; adkim = "s"; aspf = "s"; fo = "1"; rua = "mailto:postmaster+rua@immae.eu"; ruf = "mailto:postmaster+ruf@immae.eu"; }) ];

            # Autoconfiguration for Outlook
            autodiscover = ips servers.eldiron.ips.main;
            # Autoconfiguration for Mozilla
            autoconfig = ips servers.eldiron.ips.main;
          };

          # SPF
          TXT = [ (toKV { _00__v = "spf1 mx ~all"; }) ];
        };
      };
    };
    zones = lib.mkOption {
      type = lib.types.attrsOf (dns-nix.lib.types.zone.substSubModules (
        dns-nix.lib.types.zone.getSubModules ++ [
          ({ name, ... }: {
            options = {
              dnssec = lib.mkOption {
                default.enable = false;
                type = lib.types.submodule {
                  options = {
                    enable = lib.mkEnableOption "Configure dnssec for this domain";
                  };
                };
              };
              hasEmail = lib.mkEnableOption "This domain has e-mails configuration";
              emailPolicies = lib.mkOption {
                default = {};
                type = lib.types.attrsOf (lib.types.submodule {
                  options = {
                    receive = lib.mkEnableOption "Configure this domain to receive e-mail";
                  };
                });
                apply = builtins.mapAttrs (n: v: v // {
                  domain = name;
                  fqdn = if n == "" then name else "${n}.${name}";
                });
              };
              extraConfig = lib.mkOption {
                type = lib.types.lines;
                description = "Extra zone configuration for bind";
                example = ''
                  notify yes;
                '';
                default = "";
              };
              slaves = lib.mkOption {
                type = lib.types.listOf lib.types.str;
                description = "NS slave groups of this zone";
                default = [];
              };
              ns = lib.mkOption {
                type = lib.types.listOf lib.types.str;
                default = [];
              };
            };
          })
        ]));
      apply = let
          toNS = n: builtins.map (d: "${d}.") (builtins.concatMap (s: builtins.attrNames config.myEnv.dns.ns."${s}") n);
        in
          builtins.mapAttrs (n: v: v // { NS = v.NS or [] ++ toNS (v.ns); });
      default = {};
      description = ''
        attrset of zones to configure
      '';
    };
  };
  config = let
    cfg = config.services.bind;
  in lib.mkIf config.myServices.dns.enable {
    myServices.chatonsProperties.hostings.dns-secondaire = {
      file.datetime = "2022-08-22T02:00:00";
      hosting = {
        name = "DNS secondaire";
        description = "DNS secondaire";
        website = "ns1.immae.eu";
        status.level = "OK";
        status.description = "OK";
        registration.load = "OPEN";
        install.type = "PACKAGE";
      };
      software = {
        name = "bind9";
        website = pkgs.bind.meta.homepage;
        license.url = pkgs.bind.meta.license.url;
        license.name = pkgs.bind.meta.license.fullName;
        version = pkgs.bind.version;
        source.url = "https://www.isc.org/download/";
      };
    };
    myServices.dns.zones = with config.myServices.dns.helpers; {
      "imsite.eu" = lib.mkMerge [
        zoneHeader
        (ips servers.eldiron.ips.main)
        {
          dnssec.enable = true;
          ns = [ "immae" "raito" ];
          CAA = letsencrypt;
          extraConfig = ''
            notify yes;
          '';
          slaves = [ "raito" ];
        }
      ];
      "immae.dev" = lib.mkMerge [
        {
          dnssec.enable = true;
          extraConfig = ''
            notify yes;
          '';
          slaves = [ "raito" ];
        }
        zoneHeader
        (ips servers.eldiron.ips.integration)
        {
          ns = [ "immae" "raito" ];
          CAA = letsencrypt;
        }
      ];
      "immae.eu" = lib.mkMerge [
        {
          dnssec.enable = true;
          extraConfig = ''
            notify yes;
          '';
          slaves = [ "raito" ];
        }
        zoneHeader
        (ips servers.eldiron.ips.production)
        {
          ns = [ "immae" ];
          # Cannot put ns2.immae.eu as glue record as it takes ages to propagate.
          # And gandi only accepts NS records with glues in their interface
          NS = [ "kurisu.dual.lahfa.xyz." ];
          CAA = letsencrypt;

          # ns1 has glue records in gandi.net
          subdomains.ns1 = ips servers.eldiron.ips.main;
          # raito / kurisu.dual.lahfa.xyz ; replace with eldiron in case of problem
          subdomains.ns2.A = builtins.map (address: { inherit address; ttl = 600; }) servers.eldiron.ips.main.ip4;
          subdomains.ns2.AAAA = builtins.map (address: { inherit address; ttl = 600; }) servers.eldiron.ips.main.ip6;
        }
        {
          # Machines local users
          emailPolicies.localhost.receive = false;
          subdomains.localhost = lib.mkMerge [ (mailCommon "immae.eu" true) mailSend ];
          emailPolicies.eldiron.receive = true;
          subdomains.eldiron = lib.mkMerge [ (mailCommon "immae.eu" true) mailSend ];
        }
        {
          # For each server "server" and each server ip group "ipgroup",
          # define ipgroup.server.immae.eu
          # "main" is set as server.immae.eu instead
          # if main has an "alias", it is duplicated with this alias.
          # If the server is a vm, use the v.immae.eu namespace (only main is created)
          subdomains = let
            vms = lib.filterAttrs (n: v: v.isVm) servers;
            bms = lib.filterAttrs (n: v: !v.isVm) servers;
            toIps = type: builtins.mapAttrs (n: v: ips v.ips."${type}");
          in
            lib.mkMerge [
              (toIps "main" bms)

              { v.subdomains = toIps "main" vms; }

              (lib.mapAttrs (_: v: {
                subdomains = lib.mapAttrs'
                  (n': v': lib.nameValuePair "${if v'.alias == null then n' else v'.alias}" (ips v'))
                  (lib.filterAttrs (n': v': n' != "main" || v'.alias != null) v.ips);
                }) bms)
            ];
        }
        {
          # Outils
          subdomains = {
            status = ips servers.monitoring-1.ips.main;
          };
        }
      ];
    };
    networking.firewall.allowedUDPPorts = [ 53 ];
    networking.firewall.allowedTCPPorts = [ 53 ];
    users.users.named.extraGroups = [ "keys" ];
    services.bind = {
      package = pkgs.bind.overrideAttrs(old: {
        # Partially revert https://gitlab.isc.org/isc-projects/bind9/-/commit/fd96a418689593882485bb715b3cd76b9af6f968
        # Some DNS server don’t sent the question section
        postPatch = (old.postPatch or "") + ''
          sed -i -e "/missing question section/{n;N;d;}" lib/dns/xfrin.c
        '';
      });
      enable = true;
      cacheNetworks = ["any"];
      extraOptions = ''
        allow-recursion { 127.0.0.1; };
        allow-transfer  { none; };

        notify-source    ${lib.head config.myEnv.servers.eldiron.ips.main.ip4};
        notify-source-v6 ${lib.head config.myEnv.servers.eldiron.ips.main.ip6};
        version   none;
        hostname  none;
        server-id none;
        '';
      zones =
        builtins.mapAttrs (name: v: {
          master = true;
          extraConfig = v.extraConfig + lib.optionalString v.dnssec.enable ''
            key-directory "/var/lib/named/dnssec_keys";
            dnssec-policy default;
            inline-signing yes;
          '';
          masters = [];
          slaves =
            lib.flatten (map (n: builtins.attrValues config.myEnv.dns.ns.${n}) v.slaves);
          file = if v.dnssec.enable then "/var/run/named/dnssec-${name}.zone" else zoneToFile name v;
        }) config.myServices.dns.zones;
    };
    systemd.services.bind.serviceConfig.StateDirectory = "named";
    systemd.services.bind.preStart = lib.mkAfter
      (builtins.concatStringsSep "\n" (lib.mapAttrsToList (name: v: ''
        install -m444 ${zoneToFile name v} /var/run/named/dnssec-${name}.zone
      '') zonesWithDNSSec) + ''
        install -dm755 -o named /var/lib/named/dnssec_keys
      '');
    myServices.monitoring.fromMasterActivatedPlugins = [ "dns" ];
    myServices.monitoring.fromMasterObjects.contactgroup.dns-raito = {
      alias = "Secondary DNS Raito";
      members = "immae";
    };
    myServices.monitoring.fromMasterObjects.service = lib.mkMerge (lib.mapAttrsToList (name: z:
      lib.optional (builtins.elem "immae" z.ns) {
        service_description = "eldiron dns is active and authoritative for ${name}";
        host_name = config.hostEnv.fqdn;
        use = "dns-service";
        check_command = ["check_dns" name "-A"];

        servicegroups = "webstatus-dns";
        _webstatus_name = name;
      } ++
      lib.optionals (builtins.elem "raito" z.ns) [
        {
          service_description = "raito dns is active and authoritative for ${name}";
          host_name = config.hostEnv.fqdn;
          use = "dns-service";
          check_command = ["check_external_dns" "kurisu.dual.lahfa.xyz" name "-A"];
          contact_groups = "dns-raito";

          servicegroups = "webstatus-dns";
          _webstatus_name = "${name} (Secondary DNS Raito)";
        }
        {
          service_description = "raito dns is up to date for ${name}";
          host_name = config.hostEnv.fqdn;
          use = "dns-service";
          check_command = ["check_dns_soa" "kurisu.dual.lahfa.xyz" name config.hostEnv.fqdn];
          contact_groups = "dns-raito";

          servicegroups = "webstatus-dns";
          _webstatus_name = "${name} (Secondary DNS Raito up to date)";
        }
      ] ++
      lib.optional z.dnssec.enable {
        service_description = "DNSSEC is active and not expired for ${name}";
        host_name = config.hostEnv.fqdn;
        use = "dns-service";
        check_command = ["check_dnssec" name];

        servicegroups = "webstatus-dns";
        _webstatus_name = "${name} (DNSSEC)";
      }
    ) config.myServices.dns.zones);
  };
}
Commit	Line	Data
1a64deeb	1	{ lib, pkgs, config, dns-nix, ... }:
97787a9d IB	2	let
	3	zonesWithDNSSec = lib.filterAttrs (k: v: v.dnssec.enable) config.myServices.dns.zones;
	4	zoneToFile = name: v: pkgs.runCommand "${name}.zone" {
	5	text = v;
	6	passAsFile = [ "text" ];
	7	# Automatically change the increment when relevant change
	8	# happened (both serial and mta-sts)
	9	} ''
	10	mv "$textPath" $out
	11	increment=$(( 100($(date -u +%-H) 60 + $(date -u +%-M))/1440 ))
	12	sed -i -e "s/2022121902/$(date -u +%Y%m%d)$increment/g" $out
	13	sed -i -e "s/20200109150200Z/$(date -u +%Y%m%d%H%M%SZ)/g" $out
	14	'';
	15	in
1a64deeb IB	16	{
	17	options.myServices.dns = {
	18	enable = lib.mkEnableOption "enable DNS resolver";
	19	helpers = lib.mkOption {
	20	readOnly = true;
	21	description = ''
	22	Some useful constants or functions for zones definition
	23	'';
	24	default = rec {
	25	servers = config.myEnv.servers;
	26	ips = i: { A = i.ip4; AAAA = i.ip6; };
	27	letsencrypt = [ { tag = "issue"; value = "letsencrypt.org"; issuerCritical = false; } ];
97787a9d IB	28	toKV = a: let
	29	removeOrder = n: lib.last (builtins.split "__" n);
	30	in
	31	builtins.concatStringsSep ";" (builtins.attrValues (builtins.mapAttrs (n: v: "${removeOrder n}=${v}") a));
1a64deeb IB	32	mailMX = {
	33	hasEmail = true;
	34	subdomains = let
	35	mxes = lib.filterAttrs (n: v: v ? mx && v.mx.enable) servers;
	36	in
	37	lib.mapAttrs' (n: v: lib.nameValuePair v.mx.subdomain (ips v.ips.main)) mxes;
	38	};
	39	zoneHeader = {
	40	TTL = 36060;
	41	SOA = {
	42	# yyyymmdd?? (increment ?? at each change)
	43	serial = 2022121902; # Don't change this value, it is replaced automatically!
97787a9d IB	44	refresh = 36060;
	45	retry = 60*60;
	46	expire = 142460*60;
	47	minimum = 36060; # negative cache ttl
1a64deeb IB	48	adminEmail = "hostmaster@immae.eu"; #email-address s/@/./
	49	nameServer = "ns1.immae.eu.";
	50	};
	51	};
	52	mailSend = {
c4511c38 IB	53	# DKIM 2048b
	54	subdomains._domainkey.subdomains.eldiron2.TXT = [
	55	(toKV config.myEnv.mail.dkim.eldiron2.public)
	56	];
	57	# DKIM 1024b
1a64deeb IB	58	subdomains._domainkey.subdomains.eldiron.TXT = [
	59	(toKV config.myEnv.mail.dkim.eldiron.public)
	60	];
	61	# old key, may still be used by verifiers
	62	subdomains._domainkey.subdomains.immae_eu.TXT = [
	63	(toKV config.myEnv.mail.dkim.immae_eu.public)
	64	];
	65	};
97787a9d	66	mailCommon = name: quarantine: {
1a64deeb IB	67	MX = let
	68	mxes = lib.filterAttrs (n: v: v ? mx && v.mx.enable) servers;
	69	in
	70	lib.mapAttrsToList (n: v: { preference = v.mx.priority; exchange = "${v.mx.subdomain}.${name}."; }) mxes;
	71
	72	# https://tools.ietf.org/html/rfc6186
	73	SRV = [
	74	{ service = "submission"; proto = "tcp"; priority = 0; weight = 1; port = 587; target = "smtp.immae.eu."; }
	75	{ service = "submissions"; proto = "tcp"; priority = 0; weight = 1; port = 465; target = "smtp.immae.eu."; }
	76
	77	{ service = "imap"; proto = "tcp"; priority = 0; weight = 1; port = 143; target = "imap.immae.eu."; }
	78	{ service = "imaps"; proto = "tcp"; priority = 0; weight = 1; port = 993; target = "imap.immae.eu."; }
	79	{ service = "sieve"; proto = "tcp"; priority = 0; weight = 1; port = 4190; target = "imap.immae.eu."; }
	80
	81	{ service = "pop3"; proto = "tcp"; priority = 10; weight = 1; port = 110; target = "pop3.immae.eu."; }
	82	{ service = "pop3s"; proto = "tcp"; priority = 10; weight = 1; port = 995; target = "pop3.immae.eu."; }
	83	];
	84
	85	subdomains = {
	86	# MTA-STS
	87	# https://blog.delouw.ch/2018/12/16/using-mta-sts-to-enhance-email-transport-security-and-privacy/
	88	# https://support.google.com/a/answer/9261504
97787a9d IB	89	_mta-sts.TXT = [ (toKV { _00__v = "STSv1"; id = "20200109150200Z"; }) ]; # Don't change this value, it is updated automatically!
97787a9d IB	90	_tls.subdomains._smtp.TXT = [ (toKV { _00__v = "TLSRPTv1"; rua = "mailto:postmaster+mta-sts@immae.eu"; }) ];
1a64deeb IB	91	mta-sts = ips servers.eldiron.ips.main;
	92
	93	# DMARC
97787a9d IB	94	# p needs to be the first tag
97787a9d IB	95	_dmarc.TXT = [ (toKV { _00__v = "DMARC1"; _01__p = if quarantine then "quarantine" else "none"; adkim = "s"; aspf = "s"; fo = "1"; rua = "mailto:postmaster+rua@immae.eu"; ruf = "mailto:postmaster+ruf@immae.eu"; }) ];
6ce9fbeb IB	96
	97	# Autoconfiguration for Outlook
	98	autodiscover = ips servers.eldiron.ips.main;
	99	# Autoconfiguration for Mozilla
	100	autoconfig = ips servers.eldiron.ips.main;
1a64deeb IB	101	};
	102
	103	# SPF
97787a9d	104	TXT = [ (toKV { _00__v = "spf1 mx ~all"; }) ];
1a64deeb IB	105	};
	106	};
	107	};
	108	zones = lib.mkOption {
	109	type = lib.types.attrsOf (dns-nix.lib.types.zone.substSubModules (
	110	dns-nix.lib.types.zone.getSubModules ++ [
	111	({ name, ... }: {
	112	options = {
97787a9d IB	113	dnssec = lib.mkOption {
	114	default.enable = false;
	115	type = lib.types.submodule {
	116	options = {
	117	enable = lib.mkEnableOption "Configure dnssec for this domain";
	118	};
	119	};
	120	};
1a64deeb IB	121	hasEmail = lib.mkEnableOption "This domain has e-mails configuration";
	122	emailPolicies = lib.mkOption {
	123	default = {};
	124	type = lib.types.attrsOf (lib.types.submodule {
	125	options = {
	126	receive = lib.mkEnableOption "Configure this domain to receive e-mail";
	127	};
	128	});
	129	apply = builtins.mapAttrs (n: v: v // {
	130	domain = name;
	131	fqdn = if n == "" then name else "${n}.${name}";
	132	});
	133	};
	134	extraConfig = lib.mkOption {
	135	type = lib.types.lines;
	136	description = "Extra zone configuration for bind";
	137	example = ''
	138	notify yes;
	139	'';
	140	default = "";
	141	};
	142	slaves = lib.mkOption {
	143	type = lib.types.listOf lib.types.str;
	144	description = "NS slave groups of this zone";
	145	default = [];
	146	};
	147	ns = lib.mkOption {
	148	type = lib.types.listOf lib.types.str;
	149	default = [];
	150	};
	151	};
	152	})
	153	]));
	154	apply = let
	155	toNS = n: builtins.map (d: "${d}.") (builtins.concatMap (s: builtins.attrNames config.myEnv.dns.ns."${s}") n);
	156	in
	157	builtins.mapAttrs (n: v: v // { NS = v.NS or [] ++ toNS (v.ns); });
	158	default = {};
	159	description = ''
	160	attrset of zones to configure
	161	'';
	162	};
	163	};
	164	config = let
	165	cfg = config.services.bind;
	166	in lib.mkIf config.myServices.dns.enable {
	167	myServices.chatonsProperties.hostings.dns-secondaire = {
	168	file.datetime = "2022-08-22T02:00:00";
	169	hosting = {
	170	name = "DNS secondaire";
	171	description = "DNS secondaire";
	172	website = "ns1.immae.eu";
	173	status.level = "OK";
	174	status.description = "OK";
	175	registration.load = "OPEN";
	176	install.type = "PACKAGE";
	177	};
	178	software = {
	179	name = "bind9";
	180	website = pkgs.bind.meta.homepage;
	181	license.url = pkgs.bind.meta.license.url;
	182	license.name = pkgs.bind.meta.license.fullName;
	183	version = pkgs.bind.version;
	184	source.url = "https://www.isc.org/download/";
185	};
186	};
187	myServices.dns.zones = with config.myServices.dns.helpers; {
188	"imsite.eu" = lib.mkMerge [
189	zoneHeader
190	(ips servers.eldiron.ips.main)
191	{
97787a9d IB	192	dnssec.enable = true;
97787a9d IB	193	ns = [ "immae" "raito" ];
1a64deeb	194	CAA = letsencrypt;
97787a9d IB	195	extraConfig = ''
	196	notify yes;
	197	'';
	198	slaves = [ "raito" ];
1a64deeb IB	199	}
	200	];
	201	"immae.dev" = lib.mkMerge [
	202	{
97787a9d	203	dnssec.enable = true;
1a64deeb IB	204	extraConfig = ''
	205	notify yes;
	206	'';
	207	slaves = [ "raito" ];
	208	}
	209	zoneHeader
	210	(ips servers.eldiron.ips.integration)
	211	{
	212	ns = [ "immae" "raito" ];
	213	CAA = letsencrypt;
	214	}
	215	];
	216	"immae.eu" = lib.mkMerge [
	217	{
97787a9d	218	dnssec.enable = true;
1a64deeb IB	219	extraConfig = ''
	220	notify yes;
	221	'';
	222	slaves = [ "raito" ];
	223	}
	224	zoneHeader
	225	(ips servers.eldiron.ips.production)
	226	{
97787a9d IB	227	ns = [ "immae" ];
	228	# Cannot put ns2.immae.eu as glue record as it takes ages to propagate.
	229	# And gandi only accepts NS records with glues in their interface
	230	NS = [ "kurisu.dual.lahfa.xyz." ];
1a64deeb IB	231	CAA = letsencrypt;
	232
	233	# ns1 has glue records in gandi.net
	234	subdomains.ns1 = ips servers.eldiron.ips.main;
	235	# raito / kurisu.dual.lahfa.xyz ; replace with eldiron in case of problem
	236	subdomains.ns2.A = builtins.map (address: { inherit address; ttl = 600; }) servers.eldiron.ips.main.ip4;
	237	subdomains.ns2.AAAA = builtins.map (address: { inherit address; ttl = 600; }) servers.eldiron.ips.main.ip6;
	238	}
	239	{
	240	# Machines local users
	241	emailPolicies.localhost.receive = false;
97787a9d	242	subdomains.localhost = lib.mkMerge [ (mailCommon "immae.eu" true) mailSend ];
1a64deeb	243	emailPolicies.eldiron.receive = true;
97787a9d	244	subdomains.eldiron = lib.mkMerge [ (mailCommon "immae.eu" true) mailSend ];
1a64deeb IB	245	}
	246	{
	247	# For each server "server" and each server ip group "ipgroup",
	248	# define ipgroup.server.immae.eu
	249	# "main" is set as server.immae.eu instead
	250	# if main has an "alias", it is duplicated with this alias.
	251	# If the server is a vm, use the v.immae.eu namespace (only main is created)
	252	subdomains = let
	253	vms = lib.filterAttrs (n: v: v.isVm) servers;
	254	bms = lib.filterAttrs (n: v: !v.isVm) servers;
	255	toIps = type: builtins.mapAttrs (n: v: ips v.ips."${type}");
	256	in
	257	lib.mkMerge [
	258	(toIps "main" bms)
	259
	260	{ v.subdomains = toIps "main" vms; }
	261
	262	(lib.mapAttrs (_: v: {
	263	subdomains = lib.mapAttrs'
	264	(n': v': lib.nameValuePair "${if v'.alias == null then n' else v'.alias}" (ips v'))
	265	(lib.filterAttrs (n': v': n' != "main" \|\| v'.alias != null) v.ips);
	266	}) bms)
	267	];
	268	}
	269	{
	270	# Outils
	271	subdomains = {
	272	status = ips servers.monitoring-1.ips.main;
	273	};
	274	}
	275	];
	276	};
	277	networking.firewall.allowedUDPPorts = [ 53 ];
	278	networking.firewall.allowedTCPPorts = [ 53 ];
	279	users.users.named.extraGroups = [ "keys" ];
	280	services.bind = {
a3147364 IB	281	package = pkgs.bind.overrideAttrs(old: {
	282	# Partially revert https://gitlab.isc.org/isc-projects/bind9/-/commit/fd96a418689593882485bb715b3cd76b9af6f968
	283	# Some DNS server don’t sent the question section
	284	postPatch = (old.postPatch or "") + ''
	285	sed -i -e "/missing question section/{n;N;d;}" lib/dns/xfrin.c
	286	'';
	287	});
1a64deeb IB	288	enable = true;
	289	cacheNetworks = ["any"];
	290	extraOptions = ''
	291	allow-recursion { 127.0.0.1; };
	292	allow-transfer { none; };
	293
	294	notify-source ${lib.head config.myEnv.servers.eldiron.ips.main.ip4};
	295	notify-source-v6 ${lib.head config.myEnv.servers.eldiron.ips.main.ip6};
	296	version none;
	297	hostname none;
	298	server-id none;
	299	'';
	300	zones =
	301	builtins.mapAttrs (name: v: {
	302	master = true;
97787a9d IB	303	extraConfig = v.extraConfig + lib.optionalString v.dnssec.enable ''
	304	key-directory "/var/lib/named/dnssec_keys";
	305	dnssec-policy default;
	306	inline-signing yes;
	307	'';
1a64deeb IB	308	masters = [];
	309	slaves =
	310	lib.flatten (map (n: builtins.attrValues config.myEnv.dns.ns.${n}) v.slaves);
97787a9d	311	file = if v.dnssec.enable then "/var/run/named/dnssec-${name}.zone" else zoneToFile name v;
1a64deeb IB	312	}) config.myServices.dns.zones;
1a64deeb IB	313	};
97787a9d IB	314	systemd.services.bind.serviceConfig.StateDirectory = "named";
	315	systemd.services.bind.preStart = lib.mkAfter
	316	(builtins.concatStringsSep "\n" (lib.mapAttrsToList (name: v: ''
	317	install -m444 ${zoneToFile name v} /var/run/named/dnssec-${name}.zone
	318	'') zonesWithDNSSec) + ''
	319	install -dm755 -o named /var/lib/named/dnssec_keys
	320	'');
1a64deeb	321	myServices.monitoring.fromMasterActivatedPlugins = [ "dns" ];
d006558d IB	322	myServices.monitoring.fromMasterObjects.contactgroup.dns-raito = {
	323	alias = "Secondary DNS Raito";
	324	members = "immae";
	325	};
1a64deeb IB	326	myServices.monitoring.fromMasterObjects.service = lib.mkMerge (lib.mapAttrsToList (name: z:
	327	lib.optional (builtins.elem "immae" z.ns) {
	328	service_description = "eldiron dns is active and authoritative for ${name}";
	329	host_name = config.hostEnv.fqdn;
	330	use = "dns-service";
	331	check_command = ["check_dns" name "-A"];
	332
	333	servicegroups = "webstatus-dns";
	334	_webstatus_name = name;
	335	} ++
97787a9d IB	336	lib.optionals (builtins.elem "raito" z.ns) [
	337	{
	338	service_description = "raito dns is active and authoritative for ${name}";
	339	host_name = config.hostEnv.fqdn;
	340	use = "dns-service";
	341	check_command = ["check_external_dns" "kurisu.dual.lahfa.xyz" name "-A"];
d006558d	342	contact_groups = "dns-raito";
97787a9d IB	343
	344	servicegroups = "webstatus-dns";
	345	_webstatus_name = "${name} (Secondary DNS Raito)";
	346	}
	347	{
	348	service_description = "raito dns is up to date for ${name}";
	349	host_name = config.hostEnv.fqdn;
	350	use = "dns-service";
	351	check_command = ["check_dns_soa" "kurisu.dual.lahfa.xyz" name config.hostEnv.fqdn];
d006558d	352	contact_groups = "dns-raito";
97787a9d IB	353
	354	servicegroups = "webstatus-dns";
	355	_webstatus_name = "${name} (Secondary DNS Raito up to date)";
	356	}
	357	] ++
	358	lib.optional z.dnssec.enable {
	359	service_description = "DNSSEC is active and not expired for ${name}";
1a64deeb IB	360	host_name = config.hostEnv.fqdn;
1a64deeb IB	361	use = "dns-service";
97787a9d	362	check_command = ["check_dnssec" name];
1a64deeb IB	363
1a64deeb IB	364	servicegroups = "webstatus-dns";
97787a9d	365	_webstatus_name = "${name} (DNSSEC)";
1a64deeb IB	366	}
	367	) config.myServices.dns.zones);
	368	};
	369	}