and dns MX record + fixes

This commit is contained in:
asyncnomi 2025-07-31 18:21:09 +02:00
parent fb29ad7d9a
commit 152e28053f
3 changed files with 22 additions and 3 deletions


@ -94,7 +94,12 @@ let
toNSRecord = host: "\tIN NS ${hostToDomain host}.net."; toNSRecord = host: "\tIN NS ${hostToDomain host}.net.";
nsRecords = map toNSRecord mapping.dns.secondary; nsRecords = map toNSRecord mapping.dns.secondary;
# Gen MX
toMXRecord = host: "\tIN MX 10 ${hostToDomain host}.net.";
mxRecords = map toMXRecord mapping.mail.hosts;
dnsSecondaryConfigs = lib.filterAttrs (peerName: _peerConfig: lib.elem peerName mapping.dns.secondary) nodes; dnsSecondaryConfigs = lib.filterAttrs (peerName: _peerConfig: lib.elem peerName mapping.dns.secondary) nodes;
mailConfigs = lib.filterAttrs (peerName: _peerConfig: lib.elem peerName mapping.mail.hosts) nodes;
# Gen A NS # Gen A NS
nsARecords = lib.flatten (lib.mapAttrsToList (hostname: node: nsARecords = lib.flatten (lib.mapAttrsToList (hostname: node:
@ -106,6 +111,16 @@ let
lib.optional (supportsIPv6 node) "${hostToDomain hostname}.net. IN AAAA ${rmCidr node.ip6}" lib.optional (supportsIPv6 node) "${hostToDomain hostname}.net. IN AAAA ${rmCidr node.ip6}"
) dnsSecondaryConfigs); ) dnsSecondaryConfigs);
# Gen A MX
mxARecords = lib.flatten (lib.mapAttrsToList (hostname: node:
lib.optional (supportsIPv4 node) "${hostToDomain hostname}.net. IN A ${rmCidr node.ip4}"
) mailConfigs);
# Gen AAAA MX
mxAAAARecords = lib.flatten (lib.mapAttrsToList (hostname: node:
lib.optional (supportsIPv6 node) "${hostToDomain hostname}.net. IN AAAA ${rmCidr node.ip6}"
) mailConfigs);
# Gen A records for lf zone # Gen A records for lf zone
lfARecords = lib.flatten (lib.mapAttrsToList (hostname: node: lfARecords = lib.flatten (lib.mapAttrsToList (hostname: node:
"${hostToLfDomain hostname} IN A 172.19.${toString node.zone}.${toString node.id}" "${hostToLfDomain hostname} IN A 172.19.${toString node.zone}.${toString node.id}"
@ -134,9 +149,12 @@ let
IN TXT "v=spf1 a:lasuite.federez.net ~all" IN TXT "v=spf1 a:lasuite.federez.net ~all"
${builtins.concatStringsSep "\n" nsRecords} ${builtins.concatStringsSep "\n" nsRecords}
${builtins.concatStringsSep "\n" mxRecords}
${builtins.concatStringsSep "\n" nsARecords} ${builtins.concatStringsSep "\n" nsARecords}
${builtins.concatStringsSep "\n" nsAAAARecords} ${builtins.concatStringsSep "\n" nsAAAARecords}
${builtins.concatStringsSep "\n" mxARecords}
${builtins.concatStringsSep "\n" mxAAAARecords}
_dmarc IN TXT "v=DMARC1; p=quarantine; ruf=mailto:monitoring@federez.net" _dmarc IN TXT "v=DMARC1; p=quarantine; ruf=mailto:monitoring@federez.net"
_mta-sts IN TXT "v=STSv1; id=1" _mta-sts IN TXT "v=STSv1; id=1"
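Review bot: A host that appears in both `mapping.dns.secondary` and `mapping.mail.hosts` is emitted twice as an A/AAAA record, because `mxARecords`/`mxAAAARecords` in the second hunk (`@ -106,6 +111,16`) run the same generator as `nsARecords`/`nsAAAARecords` over a second attrset; duplicate identical RRs in the zone are redundant at best and, depending on the server's zone checker, may be warned about or rejected. Excluding already-covered hosts keeps the zone clean, e.g. `mailConfigs = lib.filterAttrs (peerName: _peerConfig: lib.elem peerName mapping.mail.hosts && !(lib.elem peerName mapping.dns.secondary)) nodes;`. The comments `# Gen A MX` / `# Gen AAAA MX` read as if they generated MX records; `# Gen A records for MX hosts` / `# Gen AAAA records for MX hosts` says what the code does. The SPF record in the last hunk is unchanged and only authorizes `a:lasuite.federez.net`; if any host in `mapping.mail.hosts` also sends outbound mail, its address is not authorized and an `mx` mechanism or per-host `a:` entry would be needed, which cannot be judged from this view. The `let` binding list continues outside every hunk of this file.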


@ -9,4 +9,6 @@ in
imports = [ imports = [
./mail/maddy.nix ./mail/maddy.nix
]; ];
_module.args.ensureAccountsWithoutIMAP = ensureAccountsWithoutIMAP;
} }
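Review bot: `_module.args.ensureAccountsWithoutIMAP` ties this module to `mail/maddy.nix`, which in the next file takes `ensureAccountsWithoutIMAP` as a required function argument with no default, so maddy.nix can no longer be evaluated by an importer that does not set this arg. If that coupling is intended, a comment beside the assignment such as `# consumed by ./mail/maddy.nix through its module function arguments` makes the contract visible; otherwise a default matching the value's type in maddy.nix would decouple it. Values passed via `_module.args` must not depend on `config`, or evaluation recurses infinitely; the definition of `ensureAccountsWithoutIMAP` is outside this hunk, so that cannot be checked here. The enclosing attribute set begins before the hunk.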


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ensureAccountsWithoutIMAP, ... }:
let let
# Import nodes # Import nodes
@ -52,7 +52,6 @@ in
hostname = "lasuite.federez.net"; hostname = "lasuite.federez.net";
user = "maddy"; user = "maddy";
group = "maddy"; group = "maddy";
openFirewall = true;
primaryDomain = "lasuite.federez.net"; primaryDomain = "lasuite.federez.net";
tls = { tls = {
loader = "file"; loader = "file";
@ -216,7 +215,7 @@ in
dnsPropagationCheck = true; dnsPropagationCheck = true;
enableDebugLogs = true; enableDebugLogs = true;
environmentFile = "${pkgs.writeText "dns-creds" '' environmentFile = "${pkgs.writeText "dns-creds" ''
RFC2136_NAMESERVER=172.19.${nodes.${mapping.dns.master}.zone}.${nodes.${mapping.dns.master}.id} RFC2136_NAMESERVER=172.19.${toString nodes.${mapping.dns.master}.zone}.${toString nodes.${mapping.dns.master}.id}
RFC2136_TSIG_KEY=letsencrypt RFC2136_TSIG_KEY=letsencrypt
RFC2136_TSIG_ALGORITHM=hmac-sha512. RFC2136_TSIG_ALGORITHM=hmac-sha512.
RFC2136_TSIG_SECRET_FILE="${config.age.secrets.challenge.path}" RFC2136_TSIG_SECRET_FILE="${config.age.secrets.challenge.path}"
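Review bot: Removing `openFirewall = true;` (hunk `@ -52,7 +52,6`) leaves the SMTP/IMAP ports maddy listens on closed unless they are opened elsewhere, which is not visible in this diff; since the first file now advertises these hosts as MX, inbound port 25 must stay reachable or delivery to the new MX records silently fails. The replacement rule, or the reason for dropping the option, deserves a comment at that spot, e.g. `# firewall ports for maddy are opened in <module path> — TODO confirm`. The `toString` additions in the last hunk are a real fix, as interpolating an integer into a Nix string is an evaluation error rather than a conversion. All three hunks cut through attribute sets whose start and end lie outside this view.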