author | EuAndreh <eu@euandre.org> | 2024-08-19 06:37:49 -0300 |
---|---|---|
committer | EuAndreh <eu@euandre.org> | 2024-08-19 06:38:12 -0300 |
commit | 8821ac8b9a20f88847c18f34559976be2ea26ad3 (patch) | |
tree | 47d99d8210560cbbee15df6dba7185f362715fca /src/org/euandre/queue.scm | |
parent | packages.scm: Export git-configuration-* (diff) | |
queue.scm: Add knot-zones-configuration
Diffstat (limited to 'src/org/euandre/queue.scm')
-rw-r--r-- | src/org/euandre/queue.scm | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/src/org/euandre/queue.scm b/src/org/euandre/queue.scm
index c0189c4..9f030d8 100644
--- a/src/org/euandre/queue.scm
+++ b/src/org/euandre/queue.scm
@@ -177,6 +177,7 @@
 (use-service-modules certbot
 cgit
+ dns
 mail
 shepherd
 ssh
@@ -1732,6 +1733,108 @@ SetEnv GIT_CONFIG_GLOBAL=/etc/gitconfig"))) +(define-public (dkim-public-key-from path) + (if (file-exists? path) ;; FIXME: is this necessary? + (string-join (reverse + (cdr + (reverse + (cdr + (string-split (slurp path) + #\newline))))) + "") + "stub-public-key-for-building")) + +(define-public (build-ipv4-reverse-domain ipv4) + (string-append + (string-join (reverse + (string-split ipv4 + #\.)) + ".") + ".in-addr.arpa")) + +(define-public (build-ipv6-reverse-domain ipv6) + (string-append + (string-join (reverse + (map (lambda (s) (format #f "~a" s)) + (string->list + (string-delete #\: ipv6)))) + ".") + ".ip6.arpa")) + +(define-public (knot-zones-for tld ipv4 ipv6) + (define dkim-selector "dkimproxyout") + (define dkim-public-key-path "/var/lib/dkimproxyout/public.key") + (define dkim-name (string-append dkim-selector "._domainkey")) + (let ((tld. (string-append tld ".")) + (ns1 (format #f "ns1.~a." tld)) + (ns2 (format #f "ns2.~a." tld)) + (mail (format #f "hostmaster.~a." tld)) + (dkim-public-key (dkim-public-key-from dkim-public-key-path)) + (ipv4-reverse-domain (build-ipv4-reverse-domain ipv4)) + (ipv6-reverse-domain (build-ipv6-reverse-domain ipv6))) + (define-zone-entries tld-zone + ("@" "" "IN" "NS" ns1) + ("@" "" "IN" "NS" ns2) + ("ns1" "" "IN" "A" ipv4) + ("ns1" "" "IN" "AAAA" ipv6) + ("ns2" "" "IN" "A" ipv4) + ("ns2" "" "IN" "AAAA" ipv6) + ("@" "" "IN" "A" ipv4) + ("@" "" "IN" "AAAA" ipv6) + ("@" "" "IN" "CAA" "0 issue \"letsencrypt.org\"") + ("@" "" "IN" "CAA" "0 issuewild \";\"") + ("@" "" "IN" "CAA" "0 iodef \"mailto:eu@euandre.org\"") + ("mta-sts" "" "IN" "A" ipv4) + ("mta-sts" "" "IN" "AAAA" ipv6) + ("_mta-sts" "" "IN" "TXT" "\"v=STSv1; id=20230314\"") + ("@" "" "IN" "MX" (format #f "10 ~a." 
tld)) + ("_dmarc" "" "IN" "TXT" "\"v=DMARC1; p=quarantine\"") + ("@" "" "IN" "TXT" (format #f "\"v=spf1 a:~a -all\"" tld)) + (dkim-name "" "IN" "TXT" (format #f "\"v=DKIM1; k=rsa; t=s; p=~a\"" dkim-public-key))) + (define-zone-entries ipv4-reverse-domain-zone + ("@" "" "IN" "PTR" tld.) + ("@" "" "IN" "NS" ns1) + ("@" "" "IN" "NS" ns2)) + (define-zone-entries ipv6-reverse-domain-zone + ("@" "" "IN" "PTR" tld.) + ("@" "" "IN" "NS" ns1) + ("@" "" "IN" "NS" ns2)) + (list + (knot-zone-configuration + (domain tld) + (semantic-checks? #t) + (zone + (zone-file + (origin tld) + (ns ns1) + (mail mail) + (entries tld-zone)))) + (knot-zone-configuration + (domain ipv4-reverse-domain) + (semantic-checks? #t) + (zone + (zone-file + (origin ipv4-reverse-domain) + (ns ns1) + (mail mail) + (entries ipv4-reverse-domain-zone)))) + (knot-zone-configuration + (domain ipv6-reverse-domain) + (semantic-checks? #t) + (zone + (zone-file + (origin ipv6-reverse-domain) + (ns ns1) + (mail mail) + (entries ipv6-reverse-domain-zone))))))) + +(define-public (knot-zones-configuration tld ipv4 ipv6) + (knot-configuration + (zones + (knot-zones-for tld ipv4 ipv6)))) + + + (list postfix mailutils-sendmail |
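Review bot: `dkim-public-key-from` drops only the first and last elements of the `string-split` result, so when `/var/lib/dkimproxyout/public.key` ends with a trailing newline (the usual PEM layout, unless `slurp` strips it) the last element is the empty string and the `-----END PUBLIC KEY-----` footer line ends up inside the `p=` value of the DKIM TXT record; filtering lines instead, e.g. `(remove (lambda (l) (or (string-null? l) (string-prefix? "-----" l))) (string-split (slurp path) #\newline))` (SRFI-1 `remove`), handles both layouts and answers the `FIXME`. The `"stub-public-key-for-building"` branch is also published as the live key whenever the file is missing at reconfigure time, and with `t=s` plus `p=quarantine` in `_dmarc` that quietly makes outgoing mail fail DKIM; a warning or a hard error would be safer than a silent stub, and the comment should at least state that trade-off. Separately, a single quoted TXT character-string is limited to 255 octets and the base64 of an RSA-2048 key alone is longer than that, so the one-string `(format #f "\"v=DKIM1; k=rsa; t=s; p=~a\"" dkim-public-key)` will presumably be rejected by `semantic-checks?` or truncated unless the value is split into several quoted strings; a 1024-bit key would still fit, so this depends on the key actually deployed.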