| author | Arun Isaac | 2026-05-04 02:18:50 +0100 |
|---|---|---|
| committer | Arun Isaac | 2026-05-04 02:18:50 +0100 |
| commit | 37fc07fb6d61d157492c8817ee91b33eb471f872 (patch) | |
| tree | b1417391fccd7771f8195164e8cfe6de503006b3 | |
| parent | 0b19d5a62febfd594c4d15f4e967f2378cd39f2c (diff) | |
| download | machines-37fc07fb6d61d157492c8817ee91b33eb471f872.tar.gz machines-37fc07fb6d61d157492c8817ee91b33eb471f872.tar.lz machines-37fc07fb6d61d157492c8817ee91b33eb471f872.zip | |
Switch to knot DNS.
The knot DNS service lets us configure the DNS records from the Guix system configuration instead of having to rely on zone files as state. This is more Guix-y and preferable despite the loss of quick editing for users.
| -rw-r--r-- | mugam.scm | 258 |
1 files changed, 205 insertions, 53 deletions
diff --git a/mugam.scm b/mugam.scm
index 7a4ed7f..85f1538 100644
--- a/mugam.scm
+++ b/mugam.scm
@@ -1,10 +1,10 @@
-(use-modules (arunisaac powerdns)
- (gnu)
+(use-modules (gnu)
 ((gnu packages admin) #:select (htop nmap))
 ((gnu packages curl) #:select (curl))
 ((gnu packages dns) #:select (knot))
 ((gnu packages linux) #:select (nftables))
 ((gnu packages ssh) #:select (openssh-sans-x))
+ (gnu services dns)
 (gnu services networking)
 (gnu services ssh)
 (gnu services sysctl)
@@ -36,50 +36,200 @@ ;;; DNS Server ;;; -(define-record-type* <zone> - zone make-zone - zone? - (name zone-name) - (file zone-file)) - -;; TODO: Backup zone files. -(define %zones - (list (zone - (name "arohonline.in") - (file "/etc/powerdns/zones/arohonline.in")) - (zone - (name "arohonline.org") - (file "/etc/powerdns/zones/arohonline.org")) - (zone - (name "cosmobird.me") - (file "/etc/powerdns/zones/cosmobird.me")) - (zone - (name "issuesofconcern.in") - (file "/etc/powerdns/zones/issuesofconcern.in")) - (zone - (name "ragulkanth.dev") - (file "/etc/powerdns/zones/ragulkanth.dev")) - (zone - (name "solariiknight.org") - (file "/etc/powerdns/zones/solariiknight.org")) - (zone - (name "systemreboot.net") - (file "/etc/powerdns/zones/systemreboot.net")))) - -(define (named.conf-gexp zones) - "Return a G-expression that computes a named.conf with ZONES, a list -of <zone> records." - #~(begin - (call-with-output-file #$output - (lambda (port) - (for-each (lambda (name file) - (format port "zone ~s { - file ~s; -}; -" - name file)) - '#$(map zone-name zones) - '#$(map zone-file zones)))))) +(define %mugam-ip + "188.166.169.68") + +(define (mugam-a-zone-entry name) + (zone-entry + (name name) + (ttl "60") + (data %mugam-ip))) + +(define (hrrol-cname-zone-entry name) + (zone-entry + (name name) + (ttl "60") + (type "CNAME") + (data "hrrol.systemreboot.net."))) + +(define (caa-zone-entry name) + (zone-entry + (name name) + (ttl "3600") + (type "CAA") + (data "128 issue \"letsencrypt.org\""))) + +;; TODO: Export from (gnu services dns). +(define knot-zone-configuration-zone + (@@ (gnu services dns) knot-zone-configuration-zone)) + +;; TODO: Export from (gnu services dns). 
+(define zone-file-entries + (@@ (gnu services dns) zone-file-entries)) + +(define (add-ns-zone-entries config) + (knot-zone-configuration + (inherit config) + (zone (zone-file + (inherit (knot-zone-configuration-zone config)) + (entries (append (map (lambda (ns) + (zone-entry + (name "@") + (ttl "3600") + (type "NS") + (data ns))) + (list "ns1.systemreboot.net." + "ns2.systemreboot.net.")) + (zone-file-entries (knot-zone-configuration-zone config)))))))) + +(define arohonline.in-zone + (knot-zone-configuration + (domain "arohonline.in") + (zone (zone-file + (origin domain) + (entries (list (mugam-a-zone-entry "@") + (caa-zone-entry "@") + (hrrol-cname-zone-entry "www"))))))) + +(define arohonline.org-zone + (knot-zone-configuration + (domain "arohonline.org") + (zone (zone-file + (origin domain) + (entries (cons* (mugam-a-zone-entry "@") + (caa-zone-entry "@") + (hrrol-cname-zone-entry "www") + (zone-entry + (name "@") + (ttl "3600") + (type "TXT") + (data "\"v=spf1 include:_spf.google.com ~all\"")) + (zone-entry + (name "_dmarc") + (ttl "3600") + (type "TXT") + (data "\"v=DMARC1; p=none\"")) + (zone-entry + (name "google._domainkey") + (ttl "3600") + (type "TXT") + (data "\"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiJTz4BskFyqQYUHn/3xXqasYtPZtlcY9e8t0LiFDT28YoYinUB4YWA4Q7iHwH8L5Dd5EG401vDJBXz7/TK6zO1ZJMs6pStCmzs9AbRpA2hX4WRACB6aNk6DKSYNT/I7G839RxX1xx9SYrXFGM71c6C7iR1vuKJdROlAd+ZfKj6nBA69fiWbFr68krLnEHlq14k8NimT6XuCxjVLNO3yp36diKmej32BU9bi9ThIcv3QwufpQtt7ejPBhBDRzBKdcrS09FYC4HzSLbOiZDB4upEfnrWwAGOI/+L3qTlCzNe/7jZyNTYSB5g74E6t1O3TOdjzdN26AqEZN35k4KokRYQIDAQAB\"")) + (map (lambda (data) + (zone-entry + (name "@") + (ttl "3600") + (type "MX") + (data data))) + (list "1 aspmx.l.google.com." + "5 alt1.aspmx.l.google.com." + "5 alt2.aspmx.l.google.com." + "10 alt3.aspmx.l.google.com." + "10 alt4.aspmx.l.google.com." 
+ "15 demr5wwt4lgi2mqctgimwbw4vmal3vdkhdbhp5577xgivbvl3xxa.mx-verification.google.com.")))))))) + +(define issuesofconcern.in-zone + (knot-zone-configuration + (domain "issuesofconcern.in") + (zone (zone-file + (origin domain) + (entries (list (mugam-a-zone-entry "@") + (caa-zone-entry "@") + (hrrol-cname-zone-entry "www"))))))) + +(define ragulkanth.dev-zone + (knot-zone-configuration + (domain "ragulkanth.dev") + (zone (zone-file + (origin domain) + (entries (cons* (mugam-a-zone-entry "@") + (mugam-a-zone-entry "server") + (append (map (lambda (name) + (zone-entry + (name name) + (ttl "60") + (type "CNAME") + (data "server"))) + (list "collabora" + "files")) + (map (lambda (name) + (zone-entry + (name name) + (ttl "60") + (data "103.109.44.157"))) + (list "bazarr" "jellyfin" "lidarr" + "portainer" "prowlarr" + "qbittorrent" "radarr" "readarr" + "sabnzbd" "sonarr"))))))))) + +(define solariiknight.org-zone + (knot-zone-configuration + (domain "solariiknight.org") + (zone (zone-file + (origin domain) + (entries (list (mugam-a-zone-entry "@") + (caa-zone-entry "@") + (hrrol-cname-zone-entry "www"))))))) + +(define systemreboot.net-zone + (knot-zone-configuration + (domain "systemreboot.net") + (zone (zone-file + (origin domain) + (entries (cons* (caa-zone-entry "@") + (mugam-a-zone-entry "@") + (zone-entry + (name "_avatars-sec") + (ttl "3600") + (type "SRV") + (data (string-append "0 0 443 avatars." origin "."))) + (zone-entry + (name "_dmarc") + (ttl "3600") + (type "TXT") + (data "\"v=DMARC1; p=none\"")) + (zone-entry + (name "_xmpp-client._tcp") + (ttl "3600") + (type "SRV") + (data (string-append "0 5 5222 xmpp." origin "."))) + (zone-entry + (name "_xmpp-server._tcp.conference") + (ttl "3600") + (type "SRV") + (data (string-append "0 5 5269 xmpp." origin "."))) + (zone-entry + (name "_xmpp-server._tcp") + (ttl "3600") + (type "SRV") + (data (string-append "0 5 5269 xmpp." 
origin "."))) + (zone-entry + (name "default._domainkey") + (ttl "3600") + (type "TXT") + (data "\"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAquVdlx+0jHyN/lle1Mte41uOJ8fkmsCnPhxhBKq9axS2e45ZLJxCqZFWTIZddo+xbA4A95VW9utvX0ssbvfFFT34p0oZsF060Z/OvB/bnwPTalChVkntbuTx5i2HfH6c3uVMjUswPZU6EP2Rf32iNzd0S2DJKd1YFlXOewQniaC/CZeRekVkvDXLCEHDqM8QDvFsOGjoBlAn9d4isC8nEvvUaK3OTQo6tdGLTpcJWhsHm6q28fVmzc6Ba6cXbZ1vDGAntDbRT/xFeHeOTRRNBdjoQEeTYybyBCrhZidRJFuywz/i3Ht5E2Nq5M6fk9GxrzPgGud8HcvCyuKXDdY4SQIDAQAB\"")) + (zone-entry + (name "@") + (ttl "3600") + (type "MX") + (data (string-append "10 mail." origin "."))) + (zone-entry + (name "@") + (ttl "3600") + (type "TXT") + (data (string-append "\"v=spf1 mx a:mugam." origin " -all\""))) + (append (map (lambda (name) + (mugam-a-zone-entry name)) + (list "hrrol" "ns1" "ns2")) + (map (lambda (name) + (hrrol-cname-zone-entry name)) + (list "aruni" "avatars" "bridge" "ccwl" "ci" + "ci.demo" "files" "forge" "git" + "git.demo" "guile-email" "guile-xapian" + "guix-forge" "klaus" "kolam" "lists" + "mail" "mathjax" "meetfree" "mugam" + "nardhini" "run64" "sale" "selfhost" + "skribilo" "ta" "tamil" "tissue" "www" + "xmpp"))))))))) ;;; @@ -140,13 +290,15 @@ of <zone> records." ("arunisaac" ,(local-file "ssh-keys/arunisaac.pub")) ("cosmovpndns" ,(local-file "ssh-keys/cosmovpndns.pub")) ("ragulkanth" ,(local-file "ssh-keys/ragulkanth.pub")))))) - (service powerdns-service-type - (powerdns-configuration - (backends (list "bind")) - (bind-config - (computed-file "named.conf" - (named.conf-gexp %zones))) - (bind-check-interval 60))) + (service knot-service-type + (knot-configuration + (zones (map add-ns-zone-entries + (list arohonline.in-zone + arohonline.org-zone + issuesofconcern.in-zone + ragulkanth.dev-zone + solariiknight.org-zone + systemreboot.net-zone))))) (service nginx-service-type (nginx-configuration (server-blocks |
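Review bot: Every `zone-file` built in this hunk (the six `knot-zone-configuration` definitions and the one rebuilt in `add-ns-zone-entries`) sets only `origin` and `entries`, so the SOA record comes entirely from the record defaults; if those defaults are what I recall from (gnu services dns) — `ns` "ns", `mail` "hostmaster", `serial` 1 — the published SOA names a primary `ns.<origin>` that none of these zones define, and the serial never changes between reconfigurations, so any secondary doing AXFR/IXFR would never see an update. Consider setting `(ns "ns1.systemreboot.net.")` and `(mail "hostmaster.systemreboot.net.")` on each zone-file and bumping `serial` with each change. Note also that `ns1` and `ns2` are both produced by `mugam-a-zone-entry` and therefore resolve to `%mugam-ip`, so the two NS records currently advertise a single host rather than a redundant pair. The helpers `mugam-a-zone-entry`, `hrrol-cname-zone-entry`, `caa-zone-entry` and `add-ns-zone-entries` carry no docstrings; a one-liner on each, such as `"Return an A zone-entry for NAME pointing at mugam with a 60 second TTL."`, would match the style of the removed `named.conf-gexp`.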
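Review bot: The list handed to `knot-configuration` omits `cosmobird.me`, which the removed `%zones` served from `/etc/powerdns/zones/cosmobird.me`, and no `cosmobird.me-zone` is defined anywhere in the diff; if that domain still delegates to ns1/ns2.systemreboot.net., this server stops answering authoritatively for it after the switch. If dropping it is deliberate, a sentence in the commit message or a comment beside the list would keep it from reading as an oversight; otherwise a `cosmobird.me-zone` built like `issuesofconcern.in-zone` belongs in the list. The enclosing services list starts and ends outside the hunk.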
