authorIsmaël Bouya <ismael.bouya@normalesup.org>2023-10-10 10:44:24 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2023-10-12 00:24:46 +0200
commit97787a9dd8b136c8dc327fab42aedf2aa1109ec0 (patch)
tree4b7ea0d889a4c2c27bfec351693995f1fcba2bbb
parent450e0db1a1ad900f93519c00f0ef132ec42a3728 (diff)
downloadNix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.gz
Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.zst
Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.zip
Add dnssec
-rw-r--r--deploy/flake.lock24
-rw-r--r--flake.lock24
-rw-r--r--flakes/flake.lock22
-rw-r--r--flakes/private/monitoring/myplugins.nix23
-rwxr-xr-xflakes/private/monitoring/plugins/check_dnssec195
-rw-r--r--systems/backup-2/flake.lock2
-rw-r--r--systems/dilion/flake.lock2
-rw-r--r--systems/eldiron/dns.nix117
-rw-r--r--systems/eldiron/ejabberd/default.nix2
-rw-r--r--systems/eldiron/flake.lock2
-rw-r--r--systems/eldiron/mail/postfix.nix4
-rw-r--r--systems/eldiron/mail/sympa.nix2
-rw-r--r--systems/eldiron/websites/tools/default.nix2
-rw-r--r--systems/monitoring-1/flake.lock2
-rw-r--r--systems/quatresaisons/flake.lock2
15 files changed, 350 insertions, 75 deletions
diff --git a/deploy/flake.lock b/deploy/flake.lock
index 5cdf632..99a99c0 100644
--- a/deploy/flake.lock
+++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@
2783 }, 2783 },
2784 "locked": { 2784 "locked": {
2785 "lastModified": 1, 2785 "lastModified": 1,
2786 "narHash": "sha256-nTSS6oSOmi4T40fXl2o8wfw1/6o2/PP4f8rHtVTGw2s=", 2786 "narHash": "sha256-s6HoAgXQrELPNK0BwuMRmJiuAmNN8VvNhhS0K9hYmh4=",
2787 "path": "../flakes", 2787 "path": "../flakes",
2788 "type": "path" 2788 "type": "path"
2789 }, 2789 },
@@ -2894,7 +2894,7 @@
2894 }, 2894 },
2895 "locked": { 2895 "locked": {
2896 "lastModified": 1, 2896 "lastModified": 1,
2897 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 2897 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2898 "path": "../../flakes/private/monitoring", 2898 "path": "../../flakes/private/monitoring",
2899 "type": "path" 2899 "type": "path"
2900 }, 2900 },
@@ -2912,7 +2912,7 @@
2912 }, 2912 },
2913 "locked": { 2913 "locked": {
2914 "lastModified": 1, 2914 "lastModified": 1,
2915 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 2915 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2916 "path": "../../flakes/private/monitoring", 2916 "path": "../../flakes/private/monitoring",
2917 "type": "path" 2917 "type": "path"
2918 }, 2918 },
@@ -2930,7 +2930,7 @@
2930 }, 2930 },
2931 "locked": { 2931 "locked": {
2932 "lastModified": 1, 2932 "lastModified": 1,
2933 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 2933 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2934 "path": "../../flakes/private/monitoring", 2934 "path": "../../flakes/private/monitoring",
2935 "type": "path" 2935 "type": "path"
2936 }, 2936 },
@@ -2948,7 +2948,7 @@
2948 }, 2948 },
2949 "locked": { 2949 "locked": {
2950 "lastModified": 1, 2950 "lastModified": 1,
2951 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 2951 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2952 "path": "../../flakes/private/monitoring", 2952 "path": "../../flakes/private/monitoring",
2953 "type": "path" 2953 "type": "path"
2954 }, 2954 },
@@ -3832,7 +3832,7 @@
3832 }, 3832 },
3833 "locked": { 3833 "locked": {
3834 "lastModified": 1, 3834 "lastModified": 1,
3835 "narHash": "sha256-yqURiQf32DNTy5zfAIatoWwFTqvsGDQd+221BoSfsCY=", 3835 "narHash": "sha256-KR4/Na/SqEfg9PNnBLk17lTn4LUU7irZGrgvw7TEUYQ=",
3836 "path": "../systems/backup-2", 3836 "path": "../systems/backup-2",
3837 "type": "path" 3837 "type": "path"
3838 }, 3838 },
@@ -3855,7 +3855,7 @@
3855 }, 3855 },
3856 "locked": { 3856 "locked": {
3857 "lastModified": 1, 3857 "lastModified": 1,
3858 "narHash": "sha256-2Q1QywPMmeYtlrSNE869LwUJQjtbRUXbDhNFT4WBRJE=", 3858 "narHash": "sha256-7B/UHUhGyJRBRjEms+zI8ZhBAN1vE365GZw2ciJVg1M=",
3859 "path": "../systems/dilion", 3859 "path": "../systems/dilion",
3860 "type": "path" 3860 "type": "path"
3861 }, 3861 },
@@ -3903,7 +3903,7 @@
3903 }, 3903 },
3904 "locked": { 3904 "locked": {
3905 "lastModified": 1, 3905 "lastModified": 1,
3906 "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=", 3906 "narHash": "sha256-q1+zzXLioBDjua4Omke9ki0hUaW2rtqTMRUXZ/+uHwU=",
3907 "path": "../systems/eldiron", 3907 "path": "../systems/eldiron",
3908 "type": "path" 3908 "type": "path"
3909 }, 3909 },
@@ -3929,7 +3929,7 @@
3929 }, 3929 },
3930 "locked": { 3930 "locked": {
3931 "lastModified": 1, 3931 "lastModified": 1,
3932 "narHash": "sha256-Ejc4fEaRV8u1yWV+u4z6F2SAGDBYEubbgRoG7tE3ctM=", 3932 "narHash": "sha256-tsZO/C4md/8qRfxIsvVgeMkB0iAEl4IJC5/i8t/li2I=",
3933 "path": "../systems/monitoring-1", 3933 "path": "../systems/monitoring-1",
3934 "type": "path" 3934 "type": "path"
3935 }, 3935 },
@@ -3954,7 +3954,7 @@
3954 }, 3954 },
3955 "locked": { 3955 "locked": {
3956 "lastModified": 1, 3956 "lastModified": 1,
3957 "narHash": "sha256-6hR+IuCejk0AIiwggSgrvCQXiRzbF5IiMFr3YqbBwZI=", 3957 "narHash": "sha256-UrrTxZeyqV2cFsC3XKVrJoay7LdnE6OTZnBJfimPle4=",
3958 "path": "../systems/quatresaisons", 3958 "path": "../systems/quatresaisons",
3959 "type": "path" 3959 "type": "path"
3960 }, 3960 },
@@ -7541,7 +7541,7 @@
7541 }, 7541 },
7542 "locked": { 7542 "locked": {
7543 "lastModified": 1, 7543 "lastModified": 1,
7544 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 7544 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
7545 "path": "../../flakes/private/monitoring", 7545 "path": "../../flakes/private/monitoring",
7546 "type": "path" 7546 "type": "path"
7547 }, 7547 },
@@ -8412,7 +8412,7 @@
8412 }, 8412 },
8413 "locked": { 8413 "locked": {
8414 "lastModified": 1, 8414 "lastModified": 1,
8415 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 8415 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
8416 "path": "./private/monitoring", 8416 "path": "./private/monitoring",
8417 "type": "path" 8417 "type": "path"
8418 }, 8418 },
diff --git a/flake.lock b/flake.lock
index 6cc709e..e6b10be 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2664,7 +2664,7 @@
2664 }, 2664 },
2665 "locked": { 2665 "locked": {
2666 "lastModified": 1, 2666 "lastModified": 1,
2667 "narHash": "sha256-nTSS6oSOmi4T40fXl2o8wfw1/6o2/PP4f8rHtVTGw2s=", 2667 "narHash": "sha256-s6HoAgXQrELPNK0BwuMRmJiuAmNN8VvNhhS0K9hYmh4=",
2668 "path": "./flakes", 2668 "path": "./flakes",
2669 "type": "path" 2669 "type": "path"
2670 }, 2670 },
@@ -2910,7 +2910,7 @@
2910 }, 2910 },
2911 "locked": { 2911 "locked": {
2912 "lastModified": 1, 2912 "lastModified": 1,
2913 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 2913 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2914 "path": "../../flakes/private/monitoring", 2914 "path": "../../flakes/private/monitoring",
2915 "type": "path" 2915 "type": "path"
2916 }, 2916 },
@@ -2928,7 +2928,7 @@
2928 }, 2928 },
2929 "locked": { 2929 "locked": {
2930 "lastModified": 1, 2930 "lastModified": 1,
2931 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 2931 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2932 "path": "../../flakes/private/monitoring", 2932 "path": "../../flakes/private/monitoring",
2933 "type": "path" 2933 "type": "path"
2934 }, 2934 },
@@ -2946,7 +2946,7 @@
2946 }, 2946 },
2947 "locked": { 2947 "locked": {
2948 "lastModified": 1, 2948 "lastModified": 1,
2949 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 2949 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2950 "path": "../../flakes/private/monitoring", 2950 "path": "../../flakes/private/monitoring",
2951 "type": "path" 2951 "type": "path"
2952 }, 2952 },
@@ -2964,7 +2964,7 @@
2964 }, 2964 },
2965 "locked": { 2965 "locked": {
2966 "lastModified": 1, 2966 "lastModified": 1,
2967 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 2967 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2968 "path": "../../flakes/private/monitoring", 2968 "path": "../../flakes/private/monitoring",
2969 "type": "path" 2969 "type": "path"
2970 }, 2970 },
@@ -3848,7 +3848,7 @@
3848 }, 3848 },
3849 "locked": { 3849 "locked": {
3850 "lastModified": 1, 3850 "lastModified": 1,
3851 "narHash": "sha256-yqURiQf32DNTy5zfAIatoWwFTqvsGDQd+221BoSfsCY=", 3851 "narHash": "sha256-KR4/Na/SqEfg9PNnBLk17lTn4LUU7irZGrgvw7TEUYQ=",
3852 "path": "../systems/backup-2", 3852 "path": "../systems/backup-2",
3853 "type": "path" 3853 "type": "path"
3854 }, 3854 },
@@ -3871,7 +3871,7 @@
3871 }, 3871 },
3872 "locked": { 3872 "locked": {
3873 "lastModified": 1, 3873 "lastModified": 1,
3874 "narHash": "sha256-2Q1QywPMmeYtlrSNE869LwUJQjtbRUXbDhNFT4WBRJE=", 3874 "narHash": "sha256-7B/UHUhGyJRBRjEms+zI8ZhBAN1vE365GZw2ciJVg1M=",
3875 "path": "../systems/dilion", 3875 "path": "../systems/dilion",
3876 "type": "path" 3876 "type": "path"
3877 }, 3877 },
@@ -3919,7 +3919,7 @@
3919 }, 3919 },
3920 "locked": { 3920 "locked": {
3921 "lastModified": 1, 3921 "lastModified": 1,
3922 "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=", 3922 "narHash": "sha256-q1+zzXLioBDjua4Omke9ki0hUaW2rtqTMRUXZ/+uHwU=",
3923 "path": "../systems/eldiron", 3923 "path": "../systems/eldiron",
3924 "type": "path" 3924 "type": "path"
3925 }, 3925 },
@@ -3945,7 +3945,7 @@
3945 }, 3945 },
3946 "locked": { 3946 "locked": {
3947 "lastModified": 1, 3947 "lastModified": 1,
3948 "narHash": "sha256-Ejc4fEaRV8u1yWV+u4z6F2SAGDBYEubbgRoG7tE3ctM=", 3948 "narHash": "sha256-tsZO/C4md/8qRfxIsvVgeMkB0iAEl4IJC5/i8t/li2I=",
3949 "path": "../systems/monitoring-1", 3949 "path": "../systems/monitoring-1",
3950 "type": "path" 3950 "type": "path"
3951 }, 3951 },
@@ -3970,7 +3970,7 @@
3970 }, 3970 },
3971 "locked": { 3971 "locked": {
3972 "lastModified": 1, 3972 "lastModified": 1,
3973 "narHash": "sha256-6hR+IuCejk0AIiwggSgrvCQXiRzbF5IiMFr3YqbBwZI=", 3973 "narHash": "sha256-UrrTxZeyqV2cFsC3XKVrJoay7LdnE6OTZnBJfimPle4=",
3974 "path": "../systems/quatresaisons", 3974 "path": "../systems/quatresaisons",
3975 "type": "path" 3975 "type": "path"
3976 }, 3976 },
@@ -7557,7 +7557,7 @@
7557 }, 7557 },
7558 "locked": { 7558 "locked": {
7559 "lastModified": 1, 7559 "lastModified": 1,
7560 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 7560 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
7561 "path": "../../flakes/private/monitoring", 7561 "path": "../../flakes/private/monitoring",
7562 "type": "path" 7562 "type": "path"
7563 }, 7563 },
@@ -8428,7 +8428,7 @@
8428 }, 8428 },
8429 "locked": { 8429 "locked": {
8430 "lastModified": 1, 8430 "lastModified": 1,
8431 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 8431 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
8432 "path": "./private/monitoring", 8432 "path": "./private/monitoring",
8433 "type": "path" 8433 "type": "path"
8434 }, 8434 },
diff --git a/flakes/flake.lock b/flakes/flake.lock
index 751316c..090ef48 100644
--- a/flakes/flake.lock
+++ b/flakes/flake.lock
@@ -2815,7 +2815,7 @@
2815 }, 2815 },
2816 "locked": { 2816 "locked": {
2817 "lastModified": 1, 2817 "lastModified": 1,
2818 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 2818 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2819 "path": "../../flakes/private/monitoring", 2819 "path": "../../flakes/private/monitoring",
2820 "type": "path" 2820 "type": "path"
2821 }, 2821 },
@@ -2833,7 +2833,7 @@
2833 }, 2833 },
2834 "locked": { 2834 "locked": {
2835 "lastModified": 1, 2835 "lastModified": 1,
2836 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 2836 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2837 "path": "../../flakes/private/monitoring", 2837 "path": "../../flakes/private/monitoring",
2838 "type": "path" 2838 "type": "path"
2839 }, 2839 },
@@ -2851,7 +2851,7 @@
2851 }, 2851 },
2852 "locked": { 2852 "locked": {
2853 "lastModified": 1, 2853 "lastModified": 1,
2854 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 2854 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2855 "path": "../../flakes/private/monitoring", 2855 "path": "../../flakes/private/monitoring",
2856 "type": "path" 2856 "type": "path"
2857 }, 2857 },
@@ -2869,7 +2869,7 @@
2869 }, 2869 },
2870 "locked": { 2870 "locked": {
2871 "lastModified": 1, 2871 "lastModified": 1,
2872 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 2872 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2873 "path": "../../flakes/private/monitoring", 2873 "path": "../../flakes/private/monitoring",
2874 "type": "path" 2874 "type": "path"
2875 }, 2875 },
@@ -3753,7 +3753,7 @@
3753 }, 3753 },
3754 "locked": { 3754 "locked": {
3755 "lastModified": 1, 3755 "lastModified": 1,
3756 "narHash": "sha256-yqURiQf32DNTy5zfAIatoWwFTqvsGDQd+221BoSfsCY=", 3756 "narHash": "sha256-KR4/Na/SqEfg9PNnBLk17lTn4LUU7irZGrgvw7TEUYQ=",
3757 "path": "../systems/backup-2", 3757 "path": "../systems/backup-2",
3758 "type": "path" 3758 "type": "path"
3759 }, 3759 },
@@ -3776,7 +3776,7 @@
3776 }, 3776 },
3777 "locked": { 3777 "locked": {
3778 "lastModified": 1, 3778 "lastModified": 1,
3779 "narHash": "sha256-2Q1QywPMmeYtlrSNE869LwUJQjtbRUXbDhNFT4WBRJE=", 3779 "narHash": "sha256-7B/UHUhGyJRBRjEms+zI8ZhBAN1vE365GZw2ciJVg1M=",
3780 "path": "../systems/dilion", 3780 "path": "../systems/dilion",
3781 "type": "path" 3781 "type": "path"
3782 }, 3782 },
@@ -3824,7 +3824,7 @@
3824 }, 3824 },
3825 "locked": { 3825 "locked": {
3826 "lastModified": 1, 3826 "lastModified": 1,
3827 "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=", 3827 "narHash": "sha256-q1+zzXLioBDjua4Omke9ki0hUaW2rtqTMRUXZ/+uHwU=",
3828 "path": "../systems/eldiron", 3828 "path": "../systems/eldiron",
3829 "type": "path" 3829 "type": "path"
3830 }, 3830 },
@@ -3850,7 +3850,7 @@
3850 }, 3850 },
3851 "locked": { 3851 "locked": {
3852 "lastModified": 1, 3852 "lastModified": 1,
3853 "narHash": "sha256-Ejc4fEaRV8u1yWV+u4z6F2SAGDBYEubbgRoG7tE3ctM=", 3853 "narHash": "sha256-tsZO/C4md/8qRfxIsvVgeMkB0iAEl4IJC5/i8t/li2I=",
3854 "path": "../systems/monitoring-1", 3854 "path": "../systems/monitoring-1",
3855 "type": "path" 3855 "type": "path"
3856 }, 3856 },
@@ -3875,7 +3875,7 @@
3875 }, 3875 },
3876 "locked": { 3876 "locked": {
3877 "lastModified": 1, 3877 "lastModified": 1,
3878 "narHash": "sha256-6hR+IuCejk0AIiwggSgrvCQXiRzbF5IiMFr3YqbBwZI=", 3878 "narHash": "sha256-UrrTxZeyqV2cFsC3XKVrJoay7LdnE6OTZnBJfimPle4=",
3879 "path": "../systems/quatresaisons", 3879 "path": "../systems/quatresaisons",
3880 "type": "path" 3880 "type": "path"
3881 }, 3881 },
@@ -7384,7 +7384,7 @@
7384 }, 7384 },
7385 "locked": { 7385 "locked": {
7386 "lastModified": 1, 7386 "lastModified": 1,
7387 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 7387 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
7388 "path": "../../flakes/private/monitoring", 7388 "path": "../../flakes/private/monitoring",
7389 "type": "path" 7389 "type": "path"
7390 }, 7390 },
@@ -8294,7 +8294,7 @@
8294 }, 8294 },
8295 "locked": { 8295 "locked": {
8296 "lastModified": 1, 8296 "lastModified": 1,
8297 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 8297 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
8298 "path": "./private/monitoring", 8298 "path": "./private/monitoring",
8299 "type": "path" 8299 "type": "path"
8300 }, 8300 },
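--- a/flakes/private/monitoring/myplugins.nix
+++ b/flakes/private/monitoring/myplugins.nix
@@ -69,8 +69,31 @@ in
   dns = {
     commands = {
       check_dns = "$USER1$/check_dns -H $ARG1$ -s $HOSTADDRESS$ $ARG2$";
+      check_dns_soa = "$USER2$/check_dns_soa -H $ARG1$ -z $ARG2$ -M $ARG3$";
+      check_dnssec = "$USER2$/check_dnssec -z $ARG1$";
       check_external_dns = "$USER1$/check_dns -H $ARG2$ -s $ARG1$ $ARG3$";
     };
+    chunk = let
+      soa_plugin = pkgs.fetchurl {
+        name = "check_dns_soa";
+        url = "https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=1429&cf_id=24";
+        sha256 = "sha256-Yy4XO19Fb7WdHZZmhUfyyAGBnxJyFWwc7U3HiWyE8wc=";
+      };
+    in ''
+      cp ${./plugins}/check_dnssec $out/
+      patchShebangs $out/check_dnssec
+      wrapProgram $out/check_dnssec --prefix PATH : ${lib.makeBinPath [
+        pkgs.bind.dnsutils pkgs.gnugrep pkgs.gawk pkgs.which pkgs.coreutils
+      ]}
+
+      cp ${soa_plugin} $out/check_dns_soa
+      chmod +xw $out/check_dns_soa
+      patchShebangs $out/check_dns_soa
+      sed -i -e 's/^use utils qw.*$/my %ERRORS = ("OK" => 0, "WARNING" => 1, "CRITICAL" => 2, "UNKNOWN" => 3);my $TIMEOUT = 10;/' -e '/^use lib /d' $out/check_dns_soa
+      wrapProgram $out/check_dns_soa --prefix PERL5LIB : ${pkgs.perlPackages.makePerlPath [
+        pkgs.perlPackages.NetDNS
+      ]}
+    '';
   };
   mdadm = {
     commands = {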
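Review bot: The `check_dnssec` command on new line 73 passes only `-z $ARG1$`, so the wrapped script falls back to the resolver hard-coded in its own source (the plugin added in this same commit defaults to `8.8.8.8`), and the check's verdict then depends on an external resolver's reachability and validation behaviour rather than on something this host controls. Passing the resolver explicitly, e.g. `check_dnssec = "$USER2$/check_dnssec -z $ARG1$ -r $ARG2$";`, lets each service definition name a validating resolver you operate (or deliberately name a public one) and makes that dependency visible in the Nagios configuration; the script's `getopts` loop ignores a missing option argument, so an empty `$ARG2$` still lands on the built-in default. The `fetchurl` of `check_dns_soa` is pinned by `sha256`, which is the right supply-chain practice for an opaque attachment URL, and the pin also guards the `sed` rewrite of `use utils qw...` and the deletion of `use lib` lines from silently drifting if the upstream Perl layout changes. `$USER2$` is defined outside this hunk, so I cannot confirm which install path it resolves to.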
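--- /dev/null
+++ b/flakes/private/monitoring/plugins/check_dnssec
@@ -0,0 +1,195 @@
+#!/usr/bin/env bash
+
+# check_dnssec_expiry.sh
+#
+# Copyright 2017 by Mario Rimann <mario@rimann.org>
+# Licensed under the permissive MIT license, see LICENSE.md
+#
+# Development of this script was partially sponsored by my
+# employer internezzo, see http://www.internezzo.ch
+#
+# If this script helps you to make your work easier, please consider
+# to give feedback or do something good, see https://rimann.org/support
+
+usage() {
+  cat - >&2 << _EOT_
+usage $0 -z <zone> [-w <warning %>] [-c <critical %>] [-r <resolver>] [-f <always failing domain>]
+
+  -z <zone>
+    specify zone to check
+  -w <critical %>
+    warning time left percentage
+  -c <critical %>
+    critical time left percentage
+  -r <resolver>
+    specify which resolver to use.
+  -f <always failing domain>
+    specify a domain that will always fail DNSSEC.
+    used to test if DNSSEC is supported in used tools.
+  -t <DNS record type to check>
+    specify a DNS record type for calculating the remaining lifetime.
+    For example SOA, A, etc.
+_EOT_
+  exit 255
+}
+
+# Parse the input options
+while getopts ":z:w:c:r:f:h:t:" opt; do
+  case $opt in
+    z)
+      zone=$OPTARG
+      ;;
+    w)
+      warning=$OPTARG
+      ;;
+    c)
+      critical=$OPTARG
+      ;;
+    r)
+      resolver=$OPTARG
+      ;;
+    f)
+      alwaysFailingDomain=$OPTARG
+      ;;
+    t)
+      recordType=$OPTARG
+      ;;
+    h)
+      usage ;;
+  esac
+done
+
+
+# Check if dig is available at all - fail hard if not
+pathToDig=$( which dig )
+if [[ ! -e $pathToDig ]]; then
+  echo "No executable of dig found, cannot proceed without dig. Sorry!"
+  exit 1
+fi
+
+# Check if we got a zone to validate - fail hard if not
+if [[ -z $zone ]]; then
+  echo "Missing zone to test - please provide a zone via the -z parameter."
+  usage
+  exit 3
+fi
+
+# Check if we got warning/critical percentage values, use defaults if not
+if [[ -z $warning ]]; then
+  warning=20
+fi
+if [[ -z $critical ]]; then
+  critical=10
+fi
+
+
+# Use Google's 8.8.8.8 resolver as fallback if none is provided
+if [[ -z $resolver ]]; then
+  resolver="8.8.8.8"
+fi
+
+if [[ -z $alwaysFailingDomain ]]; then
+  alwaysFailingDomain="dnssec-failed.org"
+fi
+
+# Use SOA record type as fallback
+if [[ -z $recordType ]]; then
+  recordType="SOA"
+fi
+
+# Check the resolver to properly validate DNSSEC at all (if he doesn't, every further test is futile and a waste of bandwith)
+checkResolverDoesDnssecValidation=$(dig +nocmd +nostats +noquestion $alwaysFailingDomain @${resolver} | grep "opcode: QUERY" | grep "status: SERVFAIL")
+if [[ -z $checkResolverDoesDnssecValidation ]]; then
+  echo "WARNING: Resolver seems to not validate DNSSEC signatures - going further seems hopeless right now."
+  exit 1
+fi
+
+# Check if the resolver delivers an answer for the domain to test
+checkDomainResolvableWithDnssecEnabledResolver=$(dig +short @${resolver} SOA $zone)
+if [[ -z $checkDomainResolvableWithDnssecEnabledResolver ]]; then
+
+  checkDomainResolvableWithDnssecValidationExplicitelyDisabled=$(dig +short @${resolver} SOA $zone +cd)
+
+  if [[ ! -z $checkDomainResolvableWithDnssecValidationExplicitelyDisabled ]]; then
+    echo "CRITICAL: The domain $zone can be validated without DNSSEC validation - but will fail on resolvers that do validate DNSSEC."
+    exit 2
+  else
+    echo "CRITICAL: The domain $zone cannot be resolved via $resolver as resolver while DNSSEC validation is active."
+    exit 2
+  fi
+fi
+
+# Check if the domain is DNSSEC signed at all
+# (and emerge a WARNING in that case, since this check is about testing DNSSEC being "present" and valid which is not the case for an unsigned zone)
+checkZoneItselfIsSignedAtAll=$( dig $zone @$resolver DS +short )
+if [[ -z $checkZoneItselfIsSignedAtAll ]]; then
+  echo "WARNING: Zone $zone seems to be unsigned itself (= resolvable, but no DNSSEC involved at all)"
+  exit 1
+fi
+
+
+# Check if there are multiple RRSIG responses and check them one after the other
+now=$(date +"%s")
+rrsigEntries=$( dig @$resolver $recordType $zone +dnssec | grep RRSIG )
+if [[ -z $rrsigEntries ]]; then
+  echo "CRITICAL: There is no RRSIG for the SOA of your zone."
+  exit 2
+else
+  while read -r rrsig; do
+    # Get the RRSIG entry and extract the date out of it
+    expiryDateOfSignature=$( echo $rrsig | awk '{print $9}')
+    checkValidityOfExpirationTimestamp=$( echo $expiryDateOfSignature | egrep '[0-9]{14}')
+    if [[ -z $checkValidityOfExpirationTimestamp ]]; then
+      echo "UNKNOWN: Something went wrong while checking the expiration of the RRSIG entry - investigate please".
+      exit 3
+    fi
+
+    inceptionDateOfSignature=$( echo $rrsig | awk '{print $10}')
+    checkValidityOfInceptionTimestamp=$( echo $inceptionDateOfSignature | egrep '[0-9]{14}')
+    if [[ -z $checkValidityOfInceptionTimestamp ]]; then
+      echo "UNKNOWN: Something went wrong while checking the inception date of the RRSIG entry - investigate please".
+      exit 3
+    fi
+
+    # Fiddle out the expiry and inceptiondate of the signature to have a base to do some calculations afterwards
+    expiryDateAsString="${expiryDateOfSignature:0:4}-${expiryDateOfSignature:4:2}-${expiryDateOfSignature:6:2} ${expiryDateOfSignature:8:2}:${expiryDateOfSignature:10:2}:00"
+    expiryDateOfSignatureAsUnixTime=$( date -u -d "$expiryDateAsString" +"%s" 2>/dev/null )
+    if [[ $? -ne 0 ]]; then
+      # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
+      expiryDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$expiryDateAsString" +"%s" )
+    fi
+    inceptionDateAsString="${inceptionDateOfSignature:0:4}-${inceptionDateOfSignature:4:2}-${inceptionDateOfSignature:6:2} ${inceptionDateOfSignature:8:2}:${inceptionDateOfSignature:10:2}:00"
+    inceptionDateOfSignatureAsUnixTime=$( date -u -d "$inceptionDateAsString" +"%s" 2>/dev/null )
+    if [[ $? -ne 0 ]]; then
+      # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
+      inceptionDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$inceptionDateAsString" +"%s" )
+    fi
+
+
+    # calculate the remaining lifetime of the signature
+    totalLifetime=$( expr $expiryDateOfSignatureAsUnixTime - $inceptionDateOfSignatureAsUnixTime)
+    remainingLifetimeOfSignature=$( expr $expiryDateOfSignatureAsUnixTime - $now)
+    remainingPercentage=$( expr "100" \* $remainingLifetimeOfSignature / $totalLifetime)
+
+    # store the result of this single RRSIG's check
+    if [[ -z $maxRemainingLifetime || $remainingLifetimeOfSignature -gt $maxRemainingLifetime ]]; then
+      maxRemainingLifetime=$remainingLifetimeOfSignature
+      maxRemainingPercentage=$remainingPercentage
+    fi
+  done <<< "$rrsigEntries"
+fi
+
+
+
+
+# determine if we need to alert, and if so, how loud to cry, depending on warning/critial threshholds provided
+if [[ $maxRemainingPercentage -lt $critical ]]; then
+  echo "CRITICAL: DNSSEC signature for $zone is very short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+  exit 2
+elif [[ $remainingPercentage -lt $warning ]]; then
+  echo "WARNING: DNSSEC signature for $zone is short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+  exit 1
+else
+  echo "OK: DNSSEC signatures for $zone seem to be valid and not expired ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+  exit 0
+fi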
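Review bot: The WARNING threshold on line 189 compares `$remainingPercentage`, which holds the value of whichever RRSIG the `while read` loop on lines 138-179 processed last, while the CRITICAL branch on line 186 and the human-readable messages use `$maxRemainingPercentage`; the perfdata `sig_lifetime_percentage=$remainingPercentage%` in all three `echo` lines carries the same mismatch. When the resolver returns more than one RRSIG for the record type (which can happen during a key rollover, and the inline-signing enabled elsewhere in this commit makes rollovers routine), the warning decision and the graphed percentage can therefore describe a different signature from the one the check reports on. The fix is to use the tracked maximum consistently, i.e. `elif [[ $maxRemainingPercentage -lt $warning ]]; then` on line 189 and `sig_lifetime_percentage=$maxRemainingPercentage%` in the three perfdata strings. Separately, `$zone`, `$resolver` and `$recordType` are expanded unquoted in every `dig` invocation (lines 101, 108, 111, 124, 133); they come from the Nagios command definition rather than from network input, so the exposure is limited, but quoting them (`dig @"$resolver" "$recordType" "$zone" +dnssec`) costs nothing and avoids word-splitting and glob surprises. The stray `.` after the closing quote on lines 143 and 150 is harmless but looks like a typo.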
diff --git a/systems/backup-2/flake.lock b/systems/backup-2/flake.lock
index 919a027..3ca1baf 100644
--- a/systems/backup-2/flake.lock
+++ b/systems/backup-2/flake.lock
@@ -389,7 +389,7 @@
389 }, 389 },
390 "locked": { 390 "locked": {
391 "lastModified": 1, 391 "lastModified": 1,
392 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 392 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
393 "path": "../../flakes/private/monitoring", 393 "path": "../../flakes/private/monitoring",
394 "type": "path" 394 "type": "path"
395 }, 395 },
diff --git a/systems/dilion/flake.lock b/systems/dilion/flake.lock
index b6aef70..bd3cdd9 100644
--- a/systems/dilion/flake.lock
+++ b/systems/dilion/flake.lock
@@ -207,7 +207,7 @@
207 }, 207 },
208 "locked": { 208 "locked": {
209 "lastModified": 1, 209 "lastModified": 1,
210 "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", 210 "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
211 "path": "../../flakes/private/monitoring", 211 "path": "../../flakes/private/monitoring",
212 "type": "path" 212 "type": "path"
213 }, 213 },
diff --git a/systems/eldiron/dns.nix b/systems/eldiron/dns.nix
index 486fcc1..7645b69 100644
--- a/systems/eldiron/dns.nix
+++ b/systems/eldiron/dns.nix
@@ -1,4 +1,18 @@
1{ lib, pkgs, config, dns-nix, ... }: 1{ lib, pkgs, config, dns-nix, ... }:
2let
3 zonesWithDNSSec = lib.filterAttrs (k: v: v.dnssec.enable) config.myServices.dns.zones;
4 zoneToFile = name: v: pkgs.runCommand "${name}.zone" {
5 text = v;
6 passAsFile = [ "text" ];
7 # Automatically change the increment when relevant change
8 # happened (both serial and mta-sts)
9 } ''
10 mv "$textPath" $out
11 increment=$(( 100*($(date -u +%-H) * 60 + $(date -u +%-M))/1440 ))
12 sed -i -e "s/2022121902/$(date -u +%Y%m%d)$increment/g" $out
13 sed -i -e "s/20200109150200Z/$(date -u +%Y%m%d%H%M%SZ)/g" $out
14 '';
15in
2{ 16{
3 options.myServices.dns = { 17 options.myServices.dns = {
4 enable = lib.mkEnableOption "enable DNS resolver"; 18 enable = lib.mkEnableOption "enable DNS resolver";
@@ -11,7 +25,10 @@
11 servers = config.myEnv.servers; 25 servers = config.myEnv.servers;
12 ips = i: { A = i.ip4; AAAA = i.ip6; }; 26 ips = i: { A = i.ip4; AAAA = i.ip6; };
13 letsencrypt = [ { tag = "issue"; value = "letsencrypt.org"; issuerCritical = false; } ]; 27 letsencrypt = [ { tag = "issue"; value = "letsencrypt.org"; issuerCritical = false; } ];
14 toKV = a: builtins.concatStringsSep ";" (builtins.attrValues (builtins.mapAttrs (n: v: "${n}=${v}") a)); 28 toKV = a: let
29 removeOrder = n: lib.last (builtins.split "__" n);
30 in
31 builtins.concatStringsSep ";" (builtins.attrValues (builtins.mapAttrs (n: v: "${removeOrder n}=${v}") a));
15 mailMX = { 32 mailMX = {
16 hasEmail = true; 33 hasEmail = true;
17 subdomains = let 34 subdomains = let
@@ -24,10 +41,10 @@
24 SOA = { 41 SOA = {
25 # yyyymmdd?? (increment ?? at each change) 42 # yyyymmdd?? (increment ?? at each change)
26 serial = 2022121902; # Don't change this value, it is replaced automatically! 43 serial = 2022121902; # Don't change this value, it is replaced automatically!
27 refresh = 10800; 44 refresh = 3*60*60;
28 retry = 3600; 45 retry = 60*60;
29 expire = 604800; 46 expire = 14*24*60*60;
30 minimum = 10800; # negative cache ttl 47 minimum = 3*60*60; # negative cache ttl
31 adminEmail = "hostmaster@immae.eu"; #email-address s/@/./ 48 adminEmail = "hostmaster@immae.eu"; #email-address s/@/./
32 nameServer = "ns1.immae.eu."; 49 nameServer = "ns1.immae.eu.";
33 }; 50 };
@@ -42,7 +59,7 @@
42 (toKV config.myEnv.mail.dkim.immae_eu.public) 59 (toKV config.myEnv.mail.dkim.immae_eu.public)
43 ]; 60 ];
44 }; 61 };
45 mailCommon = name: { 62 mailCommon = name: quarantine: {
46 MX = let 63 MX = let
47 mxes = lib.filterAttrs (n: v: v ? mx && v.mx.enable) servers; 64 mxes = lib.filterAttrs (n: v: v ? mx && v.mx.enable) servers;
48 in 65 in
@@ -65,16 +82,17 @@
65 # MTA-STS 82 # MTA-STS
66 # https://blog.delouw.ch/2018/12/16/using-mta-sts-to-enhance-email-transport-security-and-privacy/ 83 # https://blog.delouw.ch/2018/12/16/using-mta-sts-to-enhance-email-transport-security-and-privacy/
67 # https://support.google.com/a/answer/9261504 84 # https://support.google.com/a/answer/9261504
68 _mta-sts.TXT = [ (toKV { v = "STSv1"; id = "20200109150200Z"; }) ]; # Don't change this value, it is updated automatically! 85 _mta-sts.TXT = [ (toKV { _00__v = "STSv1"; id = "20200109150200Z"; }) ]; # Don't change this value, it is updated automatically!
69 _tls.subdomains._smtp.TXT = [ (toKV { v = "TLSRPTv1"; "rua" = "mailto:postmaster+mta-sts@immae.eu"; }) ]; 86 _tls.subdomains._smtp.TXT = [ (toKV { _00__v = "TLSRPTv1"; rua = "mailto:postmaster+mta-sts@immae.eu"; }) ];
70 mta-sts = ips servers.eldiron.ips.main; 87 mta-sts = ips servers.eldiron.ips.main;
71 88
72 # DMARC 89 # DMARC
73 _dmarc.TXT = [ (toKV { v = "DMARC1"; p = "none"; adkim = "r"; aspf = "r"; fo = "1"; rua = "mailto:postmaster+rua@immae.eu"; ruf = "mailto:postmaster+ruf@immae.eu"; }) ]; 90 # p needs to be the first tag
91 _dmarc.TXT = [ (toKV { _00__v = "DMARC1"; _01__p = if quarantine then "quarantine" else "none"; adkim = "s"; aspf = "s"; fo = "1"; rua = "mailto:postmaster+rua@immae.eu"; ruf = "mailto:postmaster+ruf@immae.eu"; }) ];
74 }; 92 };
75 93
76 # SPF 94 # SPF
77 TXT = [ (toKV { v = "spf1 mx ~all"; }) ]; 95 TXT = [ (toKV { _00__v = "spf1 mx ~all"; }) ];
78 }; 96 };
79 }; 97 };
80 }; 98 };
@@ -83,6 +101,14 @@
83 dns-nix.lib.types.zone.getSubModules ++ [ 101 dns-nix.lib.types.zone.getSubModules ++ [
84 ({ name, ... }: { 102 ({ name, ... }: {
85 options = { 103 options = {
104 dnssec = lib.mkOption {
105 default.enable = false;
106 type = lib.types.submodule {
107 options = {
108 enable = lib.mkEnableOption "Configure dnssec for this domain";
109 };
110 };
111 };
86 hasEmail = lib.mkEnableOption "This domain has e-mails configuration"; 112 hasEmail = lib.mkEnableOption "This domain has e-mails configuration";
87 emailPolicies = lib.mkOption { 113 emailPolicies = lib.mkOption {
88 default = {}; 114 default = {};
@@ -154,12 +180,18 @@
154 zoneHeader 180 zoneHeader
155 (ips servers.eldiron.ips.main) 181 (ips servers.eldiron.ips.main)
156 { 182 {
157 ns = [ "immae" ]; 183 dnssec.enable = true;
184 ns = [ "immae" "raito" ];
158 CAA = letsencrypt; 185 CAA = letsencrypt;
186 extraConfig = ''
187 notify yes;
188 '';
189 slaves = [ "raito" ];
159 } 190 }
160 ]; 191 ];
161 "immae.dev" = lib.mkMerge [ 192 "immae.dev" = lib.mkMerge [
162 { 193 {
194 dnssec.enable = true;
163 extraConfig = '' 195 extraConfig = ''
164 notify yes; 196 notify yes;
165 ''; 197 '';
@@ -174,6 +206,7 @@
174 ]; 206 ];
175 "immae.eu" = lib.mkMerge [ 207 "immae.eu" = lib.mkMerge [
176 { 208 {
209 dnssec.enable = true;
177 extraConfig = '' 210 extraConfig = ''
178 notify yes; 211 notify yes;
179 ''; 212 '';
@@ -182,7 +215,10 @@
182 zoneHeader 215 zoneHeader
183 (ips servers.eldiron.ips.production) 216 (ips servers.eldiron.ips.production)
184 { 217 {
185 ns = [ "immae" "raito" ]; 218 ns = [ "immae" ];
219 # Cannot put ns2.immae.eu as glue record as it takes ages to propagate.
220 # And gandi only accepts NS records with glues in their interface
221 NS = [ "kurisu.dual.lahfa.xyz." ];
186 CAA = letsencrypt; 222 CAA = letsencrypt;
187 223
188 # ns1 has glue records in gandi.net 224 # ns1 has glue records in gandi.net
@@ -194,9 +230,9 @@
194 { 230 {
195 # Machines local users 231 # Machines local users
196 emailPolicies.localhost.receive = false; 232 emailPolicies.localhost.receive = false;
197 subdomains.localhost = lib.mkMerge [ (mailCommon "immae.eu") mailSend ]; 233 subdomains.localhost = lib.mkMerge [ (mailCommon "immae.eu" true) mailSend ];
198 emailPolicies.eldiron.receive = true; 234 emailPolicies.eldiron.receive = true;
199 subdomains.eldiron = lib.mkMerge [ (mailCommon "immae.eu") mailSend ]; 235 subdomains.eldiron = lib.mkMerge [ (mailCommon "immae.eu" true) mailSend ];
200 } 236 }
201 { 237 {
202 # For each server "server" and each server ip group "ipgroup", 238 # For each server "server" and each server ip group "ipgroup",
@@ -248,23 +284,24 @@
248 zones = 284 zones =
249 builtins.mapAttrs (name: v: { 285 builtins.mapAttrs (name: v: {
250 master = true; 286 master = true;
251 extraConfig = v.extraConfig; 287 extraConfig = v.extraConfig + lib.optionalString v.dnssec.enable ''
288 key-directory "/var/lib/named/dnssec_keys";
289 dnssec-policy default;
290 inline-signing yes;
291 '';
252 masters = []; 292 masters = [];
253 slaves = 293 slaves =
254 lib.flatten (map (n: builtins.attrValues config.myEnv.dns.ns.${n}) v.slaves); 294 lib.flatten (map (n: builtins.attrValues config.myEnv.dns.ns.${n}) v.slaves);
255 file = pkgs.runCommand "${name}.zone" { 295 file = if v.dnssec.enable then "/var/run/named/dnssec-${name}.zone" else zoneToFile name v;
256 text = v;
257 passAsFile = [ "text" ];
258 # Automatically change the increment when relevant change
259 # happened (both serial and mta-sts)
260 } ''
261 mv "$textPath" $out
262 increment=$(( 100*($(date -u +%-H) * 60 + $(date -u +%-M))/1440 ))
263 sed -i -e "s/2022121902/$(date -u +%Y%m%d)$increment/g" $out
264 sed -i -e "s/20200109150200Z/$(date -u +%Y%m%d%H%M%SZ)/g" $out
265 '';
266 }) config.myServices.dns.zones; 296 }) config.myServices.dns.zones;
267 }; 297 };
298 systemd.services.bind.serviceConfig.StateDirectory = "named";
299 systemd.services.bind.preStart = lib.mkAfter
300 (builtins.concatStringsSep "\n" (lib.mapAttrsToList (name: v: ''
301 install -m444 ${zoneToFile name v} /var/run/named/dnssec-${name}.zone
302 '') zonesWithDNSSec) + ''
303 install -dm755 -o named /var/lib/named/dnssec_keys
304 '');
268 myServices.monitoring.fromMasterActivatedPlugins = [ "dns" ]; 305 myServices.monitoring.fromMasterActivatedPlugins = [ "dns" ];
269 myServices.monitoring.fromMasterObjects.service = lib.mkMerge (lib.mapAttrsToList (name: z: 306 myServices.monitoring.fromMasterObjects.service = lib.mkMerge (lib.mapAttrsToList (name: z:
270 lib.optional (builtins.elem "immae" z.ns) { 307 lib.optional (builtins.elem "immae" z.ns) {
@@ -276,14 +313,34 @@
276 servicegroups = "webstatus-dns"; 313 servicegroups = "webstatus-dns";
277 _webstatus_name = name; 314 _webstatus_name = name;
278 } ++ 315 } ++
279 lib.optional (builtins.elem "raito" z.ns) { 316 lib.optionals (builtins.elem "raito" z.ns) [
280 service_description = "raito dns is active and authoritative for ${name}"; 317 {
318 service_description = "raito dns is active and authoritative for ${name}";
319 host_name = config.hostEnv.fqdn;
320 use = "dns-service";
321 check_command = ["check_external_dns" "kurisu.dual.lahfa.xyz" name "-A"];
322
323 servicegroups = "webstatus-dns";
324 _webstatus_name = "${name} (Secondary DNS Raito)";
325 }
326 {
327 service_description = "raito dns is up to date for ${name}";
328 host_name = config.hostEnv.fqdn;
329 use = "dns-service";
330 check_command = ["check_dns_soa" "kurisu.dual.lahfa.xyz" name config.hostEnv.fqdn];
331
332 servicegroups = "webstatus-dns";
333 _webstatus_name = "${name} (Secondary DNS Raito up to date)";
334 }
335 ] ++
336 lib.optional z.dnssec.enable {
337 service_description = "DNSSEC is active and not expired for ${name}";
281 host_name = config.hostEnv.fqdn; 338 host_name = config.hostEnv.fqdn;
282 use = "dns-service"; 339 use = "dns-service";
283 check_command = ["check_external_dns" "kurisu.dual.lahfa.xyz" name "-A"]; 340 check_command = ["check_dnssec" name];
284 341
285 servicegroups = "webstatus-dns"; 342 servicegroups = "webstatus-dns";
286 _webstatus_name = "${name} (Secondary DNS Raito)"; 343 _webstatus_name = "${name} (DNSSEC)";
287 } 344 }
288 ) config.myServices.dns.zones); 345 ) config.myServices.dns.zones);
289 }; 346 };
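diff --git a/systems/eldiron/ejabberd/default.nix b/systems/eldiron/ejabberd/default.nix
index 5268516..463d255 100644
--- a/systems/eldiron/ejabberd/default.nix
+++ b/systems/eldiron/ejabberd/default.nix
@@ -25,7 +25,7 @@ in
 }
 zoneHeader
 mailMX
-(mailCommon "immae.fr")
+(mailCommon "immae.fr" true)
 (ips servers.eldiron.ips.main)
 {
 ns = [ "immae" "raito" ];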
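Review bot: `dnssec.enable` is not turned on for immae.fr in this hunk, while the dns.nix part of the same commit adds `dnssec.enable = true;` next to `ns` for immae.eu, immae.dev and the zone served by `ns = [ "immae" "raito" ]`. If the omission is deliberate (for instance the registrar cannot hold a DS record yet), a one-line comment beside `ns` such as `# dnssec intentionally off: DS not publishable at registrar` would stop a later reader from assuming it was forgotten; otherwise add `dnssec.enable = true;` alongside `ns`. The attribute set that contains `ns` continues past the end of the hunk, so the flag may already be set out of view. The new positional `true` is the `quarantine` parameter of `mailCommon`, which selects DMARC `p=quarantine`; writing it as `(mailCommon "immae.fr" true) # quarantine` would make that readable at the call site.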
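diff --git a/systems/eldiron/flake.lock b/systems/eldiron/flake.lock
index c52dd61..5a60dab 100644
--- a/systems/eldiron/flake.lock
+++ b/systems/eldiron/flake.lock
@@ -2038,7 +2038,7 @@
 },
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+"narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
 "path": "../../flakes/private/monitoring",
 "type": "path"
 },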
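diff --git a/systems/eldiron/mail/postfix.nix b/systems/eldiron/mail/postfix.nix
index f95ee1b..93d1e1e 100644
--- a/systems/eldiron/mail/postfix.nix
+++ b/systems/eldiron/mail/postfix.nix
@@ -12,7 +12,7 @@ in
 config = lib.mkIf config.myServices.mail.enable {
 myServices.dns.zones."immae.eu" = with config.myServices.dns.helpers; lib.mkMerge [
 mailMX
-(mailCommon "immae.eu")
+(mailCommon "immae.eu" true)
 mailSend
 {
 # Virtual forwards and mailboxes for real users
@@ -22,7 +22,7 @@ in
 # system virtual mailboxes:
 # devnull, printer, testconnect
 emailPolicies."".receive = true;
-subdomains.mail = lib.mkMerge [ (mailCommon "immae.eu") mailSend ];
+subdomains.mail = lib.mkMerge [ (mailCommon "immae.eu" true) mailSend ];
 subdomains.smtp = ips servers.eldiron.ips.main;
 
 # DMARC reports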
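Review bot: The bare `true` passed to `mailCommon` at both call sites gives no hint at the call site that it flips DMARC to `_01__p = "quarantine"` for the apex and for `mail.immae.eu` (the `quarantine` parameter visible in the dns.nix hunk), so a trailing `# quarantine` on each line, or a short comment above the `mkMerge`, would help. Since the same helper now also sets `adkim = "s"` and `aspf = "s"`, any legitimate mail whose DKIM signature or SPF-validated envelope domain is not exactly `immae.eu` (forwarders, the `~all` SPF path) will presumably be quarantined by receivers once this is published; it is worth confirming from the `rua` aggregate reports that those streams were aligned before enforcing. The `lib.mkMerge [` list that these lines belong to continues past the end of the hunk.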
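diff --git a/systems/eldiron/mail/sympa.nix b/systems/eldiron/mail/sympa.nix
index 8e801dd..07175e8 100644
--- a/systems/eldiron/mail/sympa.nix
+++ b/systems/eldiron/mail/sympa.nix
@@ -9,7 +9,7 @@ in
 myServices.dns.zones."immae.eu".subdomains.lists =
 with config.myServices.dns.helpers; lib.mkMerge [
 (ips servers.eldiron.ips.main)
-(mailCommon "immae.eu")
+(mailCommon "immae.eu" false)
 mailSend
 ];
 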
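Review bot: The `false` on the `mailCommon` line is the only call site in this commit that keeps DMARC at `p=none`, and nothing at the call site says why lists.immae.eu is treated differently from the apex and the other mail subdomains. Given that the helper now applies strict `adkim = "s"` / `aspf = "s"` regardless of this flag, the list domain ends up in report-only mode with strict alignment, which is presumably deliberate for traffic a list manager re-sends; a comment such as `(mailCommon "immae.eu" false) # p=none: list traffic is re-sent, monitor via rua before enforcing` would record that intent and signal whether it is meant to stay that way.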
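diff --git a/systems/eldiron/websites/tools/default.nix b/systems/eldiron/websites/tools/default.nix
index 397b644..338ed0b 100644
--- a/systems/eldiron/websites/tools/default.nix
+++ b/systems/eldiron/websites/tools/default.nix
@@ -91,7 +91,7 @@ in {
 {
 outils = ips servers.eldiron.ips.main;
 tools = lib.mkMerge [
-(mailCommon "immae.eu")
+(mailCommon "immae.eu" true)
 mailSend
 (ips servers.eldiron.ips.main)
 ];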
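diff --git a/systems/monitoring-1/flake.lock b/systems/monitoring-1/flake.lock
index 6758db3..ec29221 100644
--- a/systems/monitoring-1/flake.lock
+++ b/systems/monitoring-1/flake.lock
@@ -277,7 +277,7 @@
 },
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+"narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
 "path": "../../flakes/private/monitoring",
 "type": "path"
 },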
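diff --git a/systems/quatresaisons/flake.lock b/systems/quatresaisons/flake.lock
index 653ce9c..e23bbde 100644
--- a/systems/quatresaisons/flake.lock
+++ b/systems/quatresaisons/flake.lock
@@ -239,7 +239,7 @@
 },
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+"narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
 "path": "../../flakes/private/monitoring",
 "type": "path"
 },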