Set up a master/slave DNS config for ene and hermes
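--- a/modules/config/dns.scm
+++ b/modules/config/dns.scm
@@ -26,7 +26,11 @@
 #:use-module (srfi srfi-1)
 #:export (ipv4-reverse-master-zone
 ipv6-reverse-master-zone
-lepiller-master-zone))
+lepiller-master-zone
+master-acl
+slave-acl
+hermes
+ene))
 
 (define-zone-entries lepiller.eu.zone
 ;; Name TTL Class Type Data
@@ -69,16 +73,50 @@
 ("@" "" "IN" "NS" "ns.lepiller.eu.")
 ("@" "" "IN" "NS" "ns2.lepiller.eu."))
 
+(define ene
+(knot-remote-configuration
+(id "ene")
+(address (list ene-ip4))
+(key "lepiller-key")))
+
+(define hermes
+(knot-remote-configuration
+(id "hermes")
+(address (list hermes-ip4))
+(key "lepiller-key")))
+
+(define master-acl
+(knot-acl-configuration
+(id "master-acl")
+(address (list hermes-ip4))
+(key '("lepiller-key"))
+(action '(transfer))))
+
+(define slave-acl
+(knot-acl-configuration
+(id "master-acl")
+(address (list ene-ip4))
+(key '("lepiller-key"))
+(action '(notify))))
+
 (define lepiller-master-zone
 (knot-zone-configuration
 (domain "lepiller.eu")
+(notify '("hermes"))
 (dnssec-policy "default")
+(acl '("master-acl"))
 (zonefile-load 'difference)
 (zone (zone-file
 (origin "lepiller.eu")
 (entries lepiller.eu.zone)
 (serial 2019041202)))))
 
+(define lepiller-slave-zone
+(knot-zone-configuration
+(domain "lepiller.eu")
+(acl '("slave-acl"))
+(master '("ene"))))
+
 (define ipv6-reverse-master-zone
 (let* ((ip6 (string->list (substring (string-delete hermes-ip6 #\:) 0 12)))
 (rev-ip6-lst (fold (lambda (elem acc)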
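Review bot: The ACL bound to `slave-acl` carries `(id "master-acl")`, so on the secondary no ACL named `"slave-acl"` exists and the `(acl '("slave-acl"))` reference in `lepiller-slave-zone` will not resolve; inbound NOTIFYs from ene would then be refused and the secondary would only refresh on its SOA timers. Change it to `(id "slave-acl")`. The `#:export` list also omits `lepiller-slave-zone` while adding the other new bindings, so a system module importing it gets an unbound variable unless it is exported elsewhere; add `lepiller-slave-zone` to `#:export`. Restricting both ACLs by source address and TSIG key is the right shape; a short comment above them such as `;; "lepiller-key" is a TSIG key supplied by the included secrets file, not defined here` would help the next reader.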
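--- a/systems/ene.scm
+++ b/systems/ene.scm
@@ -48,30 +48,33 @@
 (services
 (append
 (list
-(service dhcp-client-service-type)
-(agetty-service
-(agetty-configuration
-(extra-options '("-L"))
-(baud-rate "115200")
-(term "vt100")
-(tty "ttyS0")))
+(service dhcp-client-service-type)
+(agetty-service
+(agetty-configuration
+(extra-options '("-L"))
+(baud-rate "115200")
+(term "vt100")
+(tty "ttyS0")))
 (service nginx-service-type)
 (service knot-service-type
 (knot-configuration
+(includes '("/etc/knot/secrets.conf"))
+(acls (list master-acl))
+(remotes (list hermes))
 (zones (list lepiller-master-zone
 ipv4-reverse-master-zone
 ipv6-reverse-master-zone))))
 (certbot-service `(("courriel.lepiller.eu" "imap.lepiller.eu")
-("ene.lepiller.eu" "rennes.lepiller.eu")
-("avatar.lepiller.eu")))
-(service php-fpm-service-type)
-(cat-avatar-generator-service
-#:configuration
-(nginx-server-configuration
-(server-name '("avatar.lepiller.eu"))
-(ssl-certificate "/etc/letsencrypt/live/avatar.lepiller.eu/fullchain.pem")
-(ssl-certificate-key "/etc/letsencrypt/live/avatar.lepiller.eu/privkey.pem")
-(listen '("443 ssl http2" "[::]:443 ssl http2"))))
+("ene.lepiller.eu" "rennes.lepiller.eu")
+("avatar.lepiller.eu")))
+(service php-fpm-service-type)
+(cat-avatar-generator-service
+#:configuration
+(nginx-server-configuration
+(server-name '("avatar.lepiller.eu"))
+(ssl-certificate "/etc/letsencrypt/live/avatar.lepiller.eu/fullchain.pem")
+(ssl-certificate-key "/etc/letsencrypt/live/avatar.lepiller.eu/privkey.pem")
+(listen '("443 ssl http2" "[::]:443 ssl http2"))))
 (simple-service 'default-http-server nginx-service-type
 (list (nginx-server-configuration
 (ssl-certificate "/etc/letsencrypt/live/ene.lepiller.eu/fullchain.pem")
@@ -79,6 +82,6 @@
 (listen '("443 ssl http2" "[::]:443 ssl http2"))
 (server-name '(default))(root "/srv/http/default")))))
 (lepiller-mail-services
-#:interface "eth0"
-#:domain "courriel.lepiller.eu")
+#:interface "eth0"
+#:domain "courriel.lepiller.eu")
 (server-services "ene"))))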
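Review bot: The `(includes '("/etc/knot/secrets.conf"))` line makes the TSIG key `"lepiller-key"` a runtime dependency that nothing in this declarative config provisions, so a fresh reconfigure of ene will likely have knot reject its config (or refuse the transfer ACL) until that file exists with a `key:` stanza of that name. I would document this next to the line: `;; /etc/knot/secrets.conf must define the TSIG key "lepiller-key" (key: section) and be readable only by the knot user; it is kept out of this file so the secret does not end up in the store.` Keeping the secret out of the store is presumably the intent and is the right call, but confirm the file's ownership and mode on the host. Note also that the two reverse zones stay declared as `*-master-zone` here while lepiller.eu gains a secondary, so they are presumably served independently on each host with no replication or ACL. The `services` form this hunk edits begins and ends outside the hunk.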
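--- a/systems/hermes.scm
+++ b/systems/hermes.scm
@@ -40,7 +40,10 @@
 (service nginx-service-type)
 (service knot-service-type
 (knot-configuration
-(zones (list lepiller-master-zone
+(includes '("/etc/knot/secrets.conf"))
+(acls (list glave-acl))
+(remotes (list ene))
+(zones (list lepiller-slave-zone
 ipv4-reverse-master-zone
 ipv6-reverse-master-zone))))
 (certbot-service `(("lepiller.eu" "www.lepiller.eu" "smtp.lepiller.eu")))
@@ -55,11 +58,11 @@
 (try-files '("$uri.$language_suffix.html" "$uri" "$uri/" "=404"))
 (raw-content
 '("add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;"
-"add_header X-Frame-Options DENY;"
-"add_header X-Content-Type-Options nosniff;"
-"add_header Content-Security-Policy 'default-src \\'none\\'; img-src \\'self\\'; style-src \\'self\\' \\'unsafe-inline\\'; frame-ancestors \\'none\\'';"
-"add_header Referrer-Policy no-referrer;"
-"set $first_language $http_accept_language;"
+"add_header X-Frame-Options DENY;"
+"add_header X-Content-Type-Options nosniff;"
+"add_header Content-Security-Policy 'default-src \\'none\\'; img-src \\'self\\'; style-src \\'self\\' \\'unsafe-inline\\'; frame-ancestors \\'none\\'';"
+"add_header Referrer-Policy no-referrer;"
+"set $first_language $http_accept_language;"
 "if ($http_accept_language ~* '(en|eo|fr)') {"
 " set $first_language $1;"
 "}"
@@ -83,10 +86,10 @@
 " add_header Set-Cookie 'language=$language_suffix;HttpOnly;Secure';"
 " add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';"
 " add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;"
-" add_header X-Frame-Options DENY;"
-" add_header X-Content-Type-Options nosniff;"
-" add_header Content-Security-Policy 'default-src \\'none\\'; img-src \\'self\\'; style-src \\'self\\' \\'unsafe-inline\\'; frame-ancestors \\'none\\'';"
-" add_header Referrer-Policy no-referrer;"
+" add_header X-Frame-Options DENY;"
+" add_header X-Content-Type-Options nosniff;"
+" add_header Content-Security-Policy 'default-src \\'none\\'; img-src \\'self\\'; style-src \\'self\\' \\'unsafe-inline\\'; frame-ancestors \\'none\\'';"
+" add_header Referrer-Policy no-referrer;"
 " expires off;"
 " try_files $my_uri $uri $uri/ =404;"
 "}"
@@ -98,6 +101,6 @@
 (listen '("443 ssl http2" "[::]:443 ssl http2"))
 (server-name '(default))(root "/srv/http/default")))))
 (lepiller-mail-services
-#:interface "ens18"
-#:domain "lepiller.eu")
+#:interface "ens18"
+#:domain "lepiller.eu")
 (server-services "hermes"))))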
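Review bot: `(acls (list glave-acl))` in the knot hunk references an identifier that appears nowhere in the diff — the ACL exported from dns.scm is `slave-acl` — so this system definition will not build; change it to `(acls (list slave-acl))`. The same hunk uses `lepiller-slave-zone`, which dns.scm defines but does not add to its `#:export` list, so that reference is unbound as well unless it is exported elsewhere. Operationally, turning lepiller.eu into a secondary here means hermes stops answering for the zone once the SOA expire interval passes without reaching ene; the SOA timers are not visible in this diff, so confirm they tolerate the master's expected downtime. The remaining hunks in this section are re-indentation only, and the `operating-system` form they sit in begins and ends outside the hunk.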