From df9573573c22a4af4fac8e48c810b2d4bf36cf10 Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont
Date: Thu, 2 Sep 2021 16:11:58 +0200
Subject: [PATCH] Fix dkim public key for froidmont.org
---
.gitignore | 3 +-
dns.tf | 227 ++++++++++++++++++++++++++---------------------------
flake.lock | 12 +--
flake.nix | 116 ++++++++++++++-------------
shell.nix | 10 +++
5 files changed, 193 insertions(+), 175 deletions(-)
create mode 100644 shell.nix
diff --git a/.gitignore b/.gitignore
index 30ac0aa..e908749 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,4 +8,5 @@ terraform.tfstate.backup
 .environment
 .tmp
 terraform.tfvars
-.direnv
\ No newline at end of file
+.direnv
+.vscode
diff --git a/dns.tf b/dns.tf
index a239277..2ab4975 100644
--- a/dns.tf
+++ b/dns.tf
@@ -1,6 +1,5 @@
 locals {
 dmarc_value = "\"v=DMARC1; p=none; rua=mailto:failed-dmarc@banditlair.com; ruf=mailto:dmarc@banditlair.com\""
- dkim_value = "\"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwDEwt+a0neFlyq7ndCj0EECUp4bsusFpL2aVzroLY5Xw9S//dYuXUp1sr/yiivS71WyNjt7tOpuonu0gGEWpc6RPyeZrzXQg+zY1k/1+cLXFMz5HmJJaAbNxK02Qn89qfk/Y3pbuJt6Y/NBQ4KVOCZQB2hCT2izVSWSkhegYTCwIDAQAB\""
 }

 data "hetznerdns_zone" "banditlair_zone" {
@@ -9,100 +8,100 @@ data "hetznerdns_zone" "banditlair_zone" {

 resource "hetznerdns_record" "banditlair_hcloud_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
- name = "@"
- value = data.hcloud_floating_ip.main_ip.ip_address
- type = "A"
- ttl = 600
+ name = "@"
+ value = data.hcloud_floating_ip.main_ip.ip_address
+ type = "A"
+ ttl = 600
 }

 resource "hetznerdns_record" "banditlair_dedicated_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
- name = "*"
- value = "144.76.18.197"
- type = "A"
- ttl = 600
+ name = "*"
+ value = "144.76.18.197"
+ type = "A"
+ ttl = 600
 }

 resource "hetznerdns_record" "nextcloud_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
- name = "cloud"
- value = data.hcloud_floating_ip.main_ip.ip_address
- type = "A"
- ttl = 600
+ name = "cloud"
+ value = data.hcloud_floating_ip.main_ip.ip_address
+ type = "A"
+ ttl = 600
 }

 # Matrix
 resource "hetznerdns_record" "matrix_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
- name = "matrix"
- value = data.hcloud_floating_ip.main_ip.ip_address
- type = "A"
- ttl = 600
+ name = "matrix"
+ value = data.hcloud_floating_ip.main_ip.ip_address
+ type = "A"
+ ttl = 600
 }

 resource "hetznerdns_record" "matrix_srv" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
- name = "_matrix._tcp"
- value = "12 10 443 matrix"
- type = "SRV"
- ttl = 86400
+ name = "_matrix._tcp"
+ value = "12 10 443 matrix"
+ type = "SRV"
+ ttl = 86400
 }

 # Email
 resource "hetznerdns_record" "mail_mx" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
- name = "@"
- value = "12 mail"
- type = "MX"
- ttl = 86400
+ name = "@"
+ value = "12 mail"
+ type = "MX"
+ ttl = 86400
 }

 resource "hetznerdns_record" "mail2_mx" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
- name = "@"
- value = "20 mail2"
- type = "MX"
- ttl = 86400
+ name = "@"
+ value = "20 mail2"
+ type = "MX"
+ ttl = 86400
 }

 resource "hetznerdns_record" "spf_txt" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
- name = "@"
- value = "\"v=spf1 mx -all\""
- type = "TXT"
- ttl = 600
+ name = "@"
+ value = "\"v=spf1 mx -all\""
+ type = "TXT"
+ ttl = 600
 }

 resource "hetznerdns_record" "dmarc_txt" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
- name = "_dmarc"
- value = local.dmarc_value
- type = "TXT"
- ttl = 600
+ name = "_dmarc"
+ value = local.dmarc_value
+ type = "TXT"
+ ttl = 600
 }

 resource "hetznerdns_record" "dmarc_report_froidmont_txt" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
- name = "froidmont.org._report._dmarc"
- value = "\"v=DMARC1\""
- type = "TXT"
- ttl = 600
+ name = "froidmont.org._report._dmarc"
+ value = "\"v=DMARC1\""
+ type = "TXT"
+ ttl = 600
 }

 resource "hetznerdns_record" "dmarc_report_falbo_txt" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
- name = "falbo.fr._report._dmarc"
- value = "\"v=DMARC1\""
- type = "TXT"
- ttl = 600
+ name = "falbo.fr._report._dmarc"
+ value = "\"v=DMARC1\""
+ type = "TXT"
+ ttl = 600
 }

 resource "hetznerdns_record" "dkim_txt" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
- name = "dkim._domainkey"
- value = local.dkim_value
- type = "TXT"
- ttl = 600
+ name = "dkim._domainkey"
+ value = "\"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwDEwt+a0neFlyq7ndCj0EECUp4bsusFpL2aVzroLY5Xw9S//dYuXUp1sr/yiivS71WyNjt7tOpuonu0gGEWpc6RPyeZrzXQg+zY1k/1+cLXFMz5HmJJaAbNxK02Qn89qfk/Y3pbuJt6Y/NBQ4KVOCZQB2hCT2izVSWSkhegYTCwIDAQAB\""
+ type = "TXT"
+ ttl = 600
 }

 data "hetznerdns_zone" "falbo_zone" {
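Review bot: The key inlined into `dkim_txt` here, and the ones added to `falbo_dkim_txt` and `froidmont_dkim_txt` in the next two hunks, all start with `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ`, the DER prefix of a 1024-bit RSA SubjectPublicKeyInfo; RFC 8301 keeps 1024 bits as the minimum verifiers must accept but recommends that signers use at least 2048 bits, so the next rotation should publish 2048-bit keys. Replacing the shared `dkim_value` local with three roughly 216-character literals also makes the keys harder to audit and rotate; a `locals` map such as `dkim_keys = { banditlair = "...", falbo = "...", froidmont = "..." }` (values constructed here) read as `value = local.dkim_keys["banditlair"]` would keep them in one place with the zone name next to each key. The remaining changes in this hunk are alignment only.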
@@ -111,58 +110,58 @@ data "hetznerdns_zone" "falbo_zone" {

 resource "hetznerdns_record" "falbo_a" {
 zone_id = data.hetznerdns_zone.falbo_zone.id
- name = "@"
- value = hetznerdns_record.banditlair_dedicated_a.value
- type = "A"
- ttl = 600
+ name = "@"
+ value = hetznerdns_record.banditlair_dedicated_a.value
+ type = "A"
+ ttl = 600
 }

 resource "hetznerdns_record" "falbo_cname" {
 zone_id = data.hetznerdns_zone.falbo_zone.id
- name = "*"
- value = "${data.hetznerdns_zone.falbo_zone.name}."
- type = "CNAME"
- ttl = 600
+ name = "*"
+ value = "${data.hetznerdns_zone.falbo_zone.name}."
+ type = "CNAME"
+ ttl = 600
 }

 resource "hetznerdns_record" "falbo_mail_mx" {
 zone_id = data.hetznerdns_zone.falbo_zone.id
- name = "@"
- value = "12 mail.${data.hetznerdns_zone.banditlair_zone.name}."
- type = "MX"
- ttl = 86400
+ name = "@"
+ value = "12 mail.${data.hetznerdns_zone.banditlair_zone.name}."
+ type = "MX"
+ ttl = 86400
 }

 resource "hetznerdns_record" "falbo_mail2_mx" {
 zone_id = data.hetznerdns_zone.falbo_zone.id
- name = "@"
- value = "20 mail2.${data.hetznerdns_zone.banditlair_zone.name}."
- type = "MX"
- ttl = 86400
+ name = "@"
+ value = "20 mail2.${data.hetznerdns_zone.banditlair_zone.name}."
+ type = "MX"
+ ttl = 86400
 }

 resource "hetznerdns_record" "falbo_spf_txt" {
 zone_id = data.hetznerdns_zone.falbo_zone.id
- name = "@"
- value = "\"v=spf1 include:${data.hetznerdns_zone.banditlair_zone.name} -all\""
- type = "TXT"
- ttl = 600
+ name = "@"
+ value = "\"v=spf1 include:${data.hetznerdns_zone.banditlair_zone.name} -all\""
+ type = "TXT"
+ ttl = 600
 }

 resource "hetznerdns_record" "falbo_dmarc_txt" {
 zone_id = data.hetznerdns_zone.falbo_zone.id
- name = "_dmarc"
- value = local.dmarc_value
- type = "TXT"
- ttl = 600
+ name = "_dmarc"
+ value = local.dmarc_value
+ type = "TXT"
+ ttl = 600
 }

 resource "hetznerdns_record" "falbo_dkim_txt" {
 zone_id = data.hetznerdns_zone.falbo_zone.id
- name = "dkim._domainkey"
- value = local.dkim_value
- type = "TXT"
- ttl = 600
+ name = "dkim._domainkey"
+ value = "\"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWJwmQoiaxKCp6Cj+rELeHicd7VD1l/Q5KKQURgt1wIAY36bwbFYeuN/+ULruJzbnoyJ63G2QttO4H6MLdVTgNRjTuixmoE5mZEAE/7BlyAfDS0MLUXyGbxD6WtGZPT6PQ1cxWp9jVvYUs/NypcRfpDu0J9IXX6+coQM5CMLLdRwIDAQAB\""
+ type = "TXT"
+ ttl = 600
 }

 data "hetznerdns_zone" "froidmont_zone" {
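Review bot: `falbo_dkim_txt` now publishes a key that differs from the `dkim_value` local it used to share, yet the commit subject names only froidmont.org, so this looks like either an unstated second fix or a stray paste; please confirm the `p=` here matches the private key the signer actually uses for falbo.fr. A mismatched record makes every DKIM signature for that domain fail verification, and with `p=none` in `dmarc_value` nothing would be rejected, so the only symptom would be `dkim=fail` entries in the DMARC aggregate reports sent to the `rua=` address. If both keys were rotated on the mail host at the same time, a one-line mention in the commit message would save the next reader this question.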
@@ -171,58 +170,58 @@ data "hetznerdns_zone" "froidmont_zone" {

 resource "hetznerdns_record" "froidmont_a" {
 zone_id = data.hetznerdns_zone.froidmont_zone.id
- name = "@"
- value = hetznerdns_record.banditlair_dedicated_a.value
- type = "A"
- ttl = 600
+ name = "@"
+ value = hetznerdns_record.banditlair_dedicated_a.value
+ type = "A"
+ ttl = 600
 }

 resource "hetznerdns_record" "froidmont_cname" {
 zone_id = data.hetznerdns_zone.froidmont_zone.id
- name = "*"
- value = "${data.hetznerdns_zone.froidmont_zone.name}."
- type = "CNAME"
- ttl = 600
+ name = "*"
+ value = "${data.hetznerdns_zone.froidmont_zone.name}."
+ type = "CNAME"
+ ttl = 600
 }

 resource "hetznerdns_record" "froidmont_mail_mx" {
 zone_id = data.hetznerdns_zone.froidmont_zone.id
- name = "@"
- value = "12 mail.${data.hetznerdns_zone.banditlair_zone.name}."
- type = "MX"
- ttl = 86400
+ name = "@"
+ value = "12 mail.${data.hetznerdns_zone.banditlair_zone.name}."
+ type = "MX"
+ ttl = 86400
 }

 resource "hetznerdns_record" "froidmont_mail2_mx" {
 zone_id = data.hetznerdns_zone.froidmont_zone.id
- name = "@"
- value = "20 mail2.${data.hetznerdns_zone.banditlair_zone.name}."
- type = "MX"
- ttl = 86400
+ name = "@"
+ value = "20 mail2.${data.hetznerdns_zone.banditlair_zone.name}."
+ type = "MX"
+ ttl = 86400
 }

 resource "hetznerdns_record" "froidmont_spf_txt" {
 zone_id = data.hetznerdns_zone.froidmont_zone.id
- name = "@"
- value = "\"v=spf1 include:${data.hetznerdns_zone.banditlair_zone.name} -all\""
- type = "TXT"
- ttl = 600
+ name = "@"
+ value = "\"v=spf1 include:${data.hetznerdns_zone.banditlair_zone.name} -all\""
+ type = "TXT"
+ ttl = 600
 }

 resource "hetznerdns_record" "froidmont_dmarc_txt" {
 zone_id = data.hetznerdns_zone.froidmont_zone.id
- name = "_dmarc"
- value = local.dmarc_value
- type = "TXT"
- ttl = 600
+ name = "_dmarc"
+ value = local.dmarc_value
+ type = "TXT"
+ ttl = 600
 }

 resource "hetznerdns_record" "froidmont_dkim_txt" {
 zone_id = data.hetznerdns_zone.froidmont_zone.id
- name = "dkim._domainkey"
- value = local.dkim_value
- type = "TXT"
- ttl = 600
+ name = "dkim._domainkey"
+ value = "\"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlBZhkvPboheAWQtlWZCJpxIsjLvMOjn9TUHpyNz/tATA4/I6m21YlXreyHVoLLkaGOS/jXx2dptU/l6C0Bu+HdhcyBqw3tOxnTwDzD07h58u1mM5L//k/F+YsD+onCWYehQpIzCeRGgNe1w4QN11im4VVoNznFPzwMLIeepbg/QIDAQAB\""
+ type = "TXT"
+ ttl = 600
 }

 data "hetznerdns_zone" "stb_zone" {
@@ -231,16 +230,16 @@ data "hetznerdns_zone" "stb_zone" {

 resource "hetznerdns_record" "stb_a" {
 zone_id = data.hetznerdns_zone.stb_zone.id
- name = "@"
- value = hetznerdns_record.banditlair_dedicated_a.value
- type = "A"
- ttl = 600
+ name = "@"
+ value = hetznerdns_record.banditlair_dedicated_a.value
+ type = "A"
+ ttl = 600
 }

 resource "hetznerdns_record" "stb_cname" {
 zone_id = data.hetznerdns_zone.stb_zone.id
- name = "*"
- value = "${data.hetznerdns_zone.stb_zone.name}."
- type = "CNAME"
- ttl = 600
-}
\ No newline at end of file
+ name = "*"
+ value = "${data.hetznerdns_zone.stb_zone.name}."
+ type = "CNAME"
+ ttl = 600
+}
diff --git a/flake.lock b/flake.lock
index c713645..284d70f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,16 +2,16 @@
 "nodes": {
 "nixpkgs": {
 "locked": {
- "lastModified": 1626395775,
- "narHash": "sha256-7Uo+4PIQGirfd7WfFuRuspLCyDT7eUn6pnJx/CL9UC8=",
- "owner": "NixOS",
+ "lastModified": 1630248577,
+ "narHash": "sha256-9d/yq96TTrnF7qjA6wPYk+rYjWAXwfUmwk3qewezSeg=",
+ "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "a165aeceda9f9741d15bc2488425daeb06c0707e",
+ "rev": "8d8a28b47b7c41aeb4ad01a2bd8b7d26986c3512",
 "type": "github"
 },
 "original": {
- "owner": "NixOS",
- "ref": "nixos-21.05",
+ "owner": "nixos",
+ "ref": "nixos-unstable",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 686d4e5..72da427 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,5 +1,5 @@
 {
- inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";
+ inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

 outputs = { self, nixpkgs }:
 let
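Review bot: `inputs.nixpkgs.url` now tracks `nixos-unstable` for the whole flake, including the `db1` and `backend1` hosts built from it in the next hunk, where previously they followed the `nixos-21.05` release branch. flake.lock still pins an exact `rev`, so the build stays reproducible, but each `nix flake update` will now pull untested package bumps for the servers rather than the security backports a release branch receives. If the motivation is a newer `terraform`/`terraform-ls` for the dev shell, a second input such as `inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";` used only by `devShell` would give that without moving the hosts. The `NixOS` to `nixos` owner change is cosmetic, as GitHub owner names are case-insensitive.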
@@ -13,60 +13,68 @@
 ];
 };
 in
- {
- devShell.x86_64-linux = pkgs.mkShell {
- buildInputs = with pkgs; [
- nixpkgs-fmt
- terraform_0_14
- sops
- ];
- };
-
- nixosConfigurations = {
- db1 = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = common.modules ++ [
- ./modules/postgresql.nix
- ./modules/custom-backup-job.nix
- ({
- networking.hostName = "db1";
- networking.domain = "banditlair.com";
- networking.firewall.interfaces."enp7s0".allowedTCPPorts = [ 5432 ];
- services.custom-backup-job = {
- additionalReadWritePaths = [ "/nix/var/data/postgresql" ];
- additionalPreHook = ''
- ${pkgs.postgresql_12}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
- ${pkgs.postgresql_12}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
- '';
- startAt = "03:00";
- };
- })
+ {
+ devShell.x86_64-linux = pkgs.mkShell {
+ buildInputs = with pkgs; [
+ nixpkgs-fmt
+ terraform
+ terraform-ls
+ sops
 ];
 };

- backend1 = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = common.modules ++ [
- ./modules/nginx.nix
- ./modules/murmur.nix
- ./modules/synapse.nix
- ./modules/nextcloud.nix
- ./modules/custom-backup-job.nix
- ({
- networking.hostName = "backend1";
- networking.domain = "banditlair.com";
- networking.localCommands = "ip addr add 95.216.177.3/32 dev enp1s0";
- networking.firewall.allowedTCPPorts = [ 80 443 64738 ];
- networking.firewall.allowedUDPPorts = [ 64738 ];
- services.custom-backup-job = {
- additionalPaths = [ "/var/lib/nextcloud/config" ];
- additionalReadWritePaths = [ "/nix/var/data/murmur" ];
- additionalPreHook = "cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite";
- startAt = "03:30";
- };
- })
- ];
- };
- };
- };
+ nixosConfigurations = {
+ db1 = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = common.modules ++ [
+ ./modules/postgresql.nix
+ ./modules/custom-backup-job.nix
+ ./modules/custom-backup-job.nix
+ (
+ {
+ networking.hostName = "db1";
+ networking.domain = "banditlair.com";
+ networking.firewall.interfaces."enp7s0".allowedTCPPorts = [ 5432 ];
+ services.custom-backup-job = {
+ additionalReadWritePaths = [ "/nix/var/data/postgresql" ];
+ additionalPreHook = ''
+ ${pkgs.postgresql_12}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
+ ${pkgs.postgresql_12}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
+ '';
+ startAt = "03:00";
+ };
+ system.stateVersion = "21.05";
+ }
+ )
+ ];
+ };
+ backend1 = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = common.modules ++ [
+ ./modules/nginx.nix
+ ./modules/murmur.nix
+ ./modules/synapse.nix
+ ./modules/nextcloud.nix
+ ./modules/custom-backup-job.nix
+ (
+ {
+ networking.hostName = "backend1";
+ networking.domain = "banditlair.com";
+ networking.localCommands = "ip addr add 95.216.177.3/32 dev enp1s0";
+ networking.firewall.allowedTCPPorts = [ 80 443 64738 ];
+ networking.firewall.allowedUDPPorts = [ 64738 ];
+ services.custom-backup-job = {
+ additionalPaths = [ "/var/lib/nextcloud/config" ];
+ additionalReadWritePaths = [ "/nix/var/data/murmur" ];
+ additionalPreHook = "cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite";
+ startAt = "03:30";
+ };
+ system.stateVersion = "21.05";
+ }
+ )
+ ];
+ };
+ };
+
+ };
 }
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..57688eb
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,10 @@
+(
+ import (
+ fetchTarball {
+ url = "https://github.com/edolstra/flake-compat/archive/99f1c2157fba4bfe6211a321fd0ee43199025dbf.tar.gz";
+ sha256 = "0x2jn3vrawwv9xp15674wjz9pixwjyj3j771izayl962zziivbx2";
+ }
+ ) {
+ src = ./.;
+ }
+).shellNix
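Review bot: `./modules/custom-backup-job.nix` is listed twice in db1's `modules` on the new side; the module system deduplicates identical path modules, so evaluation should still succeed, but it reads like a paste error and the second line should go. Swapping `terraform_0_14` for the unpinned `terraform` attribute means the CLI version now floats with nixpkgs-unstable, and state written by a newer Terraform cannot be opened by an older one, so keep a pinned attribute or add a matching `required_version` constraint in the Terraform configuration. The added `system.stateVersion = "21.05";` on both hosts is the right value if these machines were first installed from 21.05, which the old input suggests.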