-rw-r--r-- | src/infrastructure/guix/system.scm | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/src/infrastructure/guix/system.scm b/src/infrastructure/guix/system.scm index 19d4c1d..324b7ed 100644 --- a/src/infrastructure/guix/system.scm +++ b/src/infrastructure/guix/system.scm @@ -15,6 +15,7 @@ admin certbot cgit + dns mail mcron networking @@ -26,6 +27,8 @@ (heredoc:enable-syntax) +(define ipv4 "216.238.68.100") +(define ipv6 "2001:19f0:b400:1f0c:5400:04ff:fe35:8c89") (define tld "euandre.org") (define users 
@@ -119,6 +122,99 @@ users-with-keys)))))) +(define ns (fmt "ns1.~a." tld)) +(define mail (fmt "hostmaster.~a." tld)) + +(define dkim-selector "dkimproxyout") +(define dkim-name (str dkim-selector "._domainkey")) +(define dkim-public-key-path "/var/lib/dkimproxyout/public.key") +(define dkim-public-key + (if (file-exists? dkim-public-key-path) + (string-join (reverse + (cdr + (reverse + (cdr + (string-split (slurp dkim-public-key-path) + #\newline))))) + "") + "stub-public-key-for-building")) + +(define ipv4-reverse-domain + (str + (string-join (reverse + (string-split ipv4 + #\.)) + ".") + ".in-addr.arpa")) + +(define ipv6-reverse-domain + (str + (string-join (reverse + (map (lambda (s) (fmt "~a" s)) + (string->list + (string-delete #\: ipv6)))) + ".") + ".ip6.arpa")) + +(define-zone-entries tld-zone + ("@" "" "IN" "NS" (fmt "ns1.~a." tld)) + ("@" "" "IN" "NS" (fmt "ns2.~a." tld)) + ("ns1" "" "IN" "A" ipv4) + ("ns1" "" "IN" "AAAA" ipv6) + ("ns2" "" "IN" "A" ipv4) + ("ns2" "" "IN" "AAAA" ipv6) + + ("@" "" "IN" "A" ipv4) + ("@" "" "IN" "AAAA" ipv6) + + ("mta-sts" "" "IN" "A" ipv4) + ("mta-sts" "" "IN" "AAAA" ipv6) + ("_mta-sts" "" "IN" "TXT" "\"v=STSv1; id=20230314\"") + ("@" "" "IN" "MX" (fmt "10 ~a." tld)) + ("_dmarc" "" "IN" "TXT" "\"v=DMARC1; p=quarantine\"") + ("@" "" "IN" "TXT" (fmt "\"v=spf1 a:~a -all\"" tld)) + (dkim-name "" "IN" "TXT" (fmt "\"v=DKIM1; k=rsa; t=s; p=~a\"" dkim-public-key))) + +(define-zone-entries ipv4-reverse-domain-zone + ("@" "" "IN" "PTR" (str tld ".")) + ("@" "" "IN" "NS" (fmt "ns1.~a." tld)) + ("@" "" "IN" "NS" (fmt "ns1.~a." tld))) + +(define-zone-entries ipv6-reverse-domain-zone + ("@" "" "IN" "PTR" (str tld ".")) + ("@" "" "IN" "NS" (fmt "ns1.~a." tld)) + ("@" "" "IN" "NS" (fmt "ns1.~a." tld))) + +(define zones + (list + (knot-zone-configuration + (domain tld) + (semantic-checks? 
#t) + (zone + (zone-file + (origin tld) + (ns ns) + (mail mail) + (entries tld-zone)))) + (knot-zone-configuration + (domain ipv4-reverse-domain) + (semantic-checks? #t) + (zone + (zone-file + (origin ipv4-reverse-domain) + (ns ns) + (mail mail) + (entries ipv4-reverse-domain-zone)))) + (knot-zone-configuration + (domain ipv6-reverse-domain) + (semantic-checks? #t) + (zone + (zone-file + (origin ipv6-reverse-domain) + (ns ns) + (mail mail) + (entries ipv6-reverse-domain-zone)))))) + (operating-system (locale "fr_FR.UTF-8") @@ -194,6 +290,7 @@ '(nss-certs parted acl + bind:utils file git-minimal guile-heredoc-latest @@ -226,6 +323,9 @@ (list (service ntp-service-type) (service dhcp-client-service-type) + (service knot-service-type + (knot-configuration + (zones zones))) (service openssh-service-type (openssh-configuration (openssh openssh-sans-x) |
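Review bot: `dkim-public-key` keeps the PEM footer whenever the key file ends with a trailing newline: `string-split` then yields a final empty string, the second `cdr` removes that empty string rather than the `-----END PUBLIC KEY-----` line, and the footer is joined into the published `p=` value, so the DKIM TXT record would be invalid and verification would fail; assuming `slurp` returns the raw file contents, filtering out armour and empty lines instead of positional trimming avoids this (rewrite below). In both reverse zones the NS entry for `ns1` is listed twice where the forward zone advertises `ns1` and `ns2`; the second line should read `("@" "" "IN" "NS" (fmt "ns2.~a." tld))`, and the already-defined `ns` could replace the repeated `(fmt "ns1.~a." tld)`. The `"stub-public-key-for-building"` fallback also means a host deployed without `/var/lib/dkimproxyout/public.key` silently serves a bogus DKIM record while the build succeeds; consider omitting the TXT entry, or failing the build, when the file is missing outside a build-only context.
```scheme
(define dkim-public-key
  (if (file-exists? dkim-public-key-path)
      ;; Keep only the base64 body: drop the PEM armour lines and any
      ;; empty string left by a trailing newline.
      (string-join
       (filter (lambda (line)
                 (not (or (string-null? line)
                          (string-prefix? "-----" line))))
               (string-split (slurp dkim-public-key-path) #\newline))
       "")
      "stub-public-key-for-building"))
;; … unchanged: reverse-domain definitions, zone entries, zones …
```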