services/mail: add dork.dev

config/services/knot/default.nix

@@ -2,7 +2,7 @@
 
 {
   kw.secrets.variables = {
-    katdns-key = {
+    katdns-key-config = {
       path = "secrets/katdns";
       field = "notes";
     };
@@ -13,8 +13,12 @@
     udp.ports = [ 53 ];
   };
 
+/*  environment.etc."katdns/zones/dork.dev.zone".text = let
+    dns = pkgs.dns;
+    in dns.lib.toString "dork.dev" (import ./dork.dev.nix { inherit dns lib; }); */
+
   secrets.files.katdns-keyfile = {
-    text = "${tf.variables.katdns-key.ref}";
+    text = "${tf.variables.katdns-key-config.ref}";
     owner = "knot";
     group = "knot";
   };

config/services/knot/dork.dev.nix

@@ -0,0 +1,20 @@
+{ dns, lib }:
+
+with dns.lib.combinators;
+
+{
+  SOA = {
+    nameServer = "ns1";
+    adminEmail = "kat@kittywit.ch";
+    serial = 2021090100;
+    ttl = 3600;
+  };
+
+  CAA = map (x: x // { ttl = 3600; }) (letsEncrypt "acme@kittywit.ch");
+
+  NS = [
+    "ns1.kittywit.ch."
+    "rdns1.benjojo.co.uk."
+    "rdns2.benjojo.co.uk."
+  ];
+}

config/services/knot/knot.yaml

@@ -28,6 +28,17 @@ zone:
     zonefile-load: difference
     acl: [ benjojo, dnsupdate ]
 
+zone:
+  - domain: dork.dev
+    semantic-checks: on
+    storage: /var/lib/knot/zones/
+    file: dork.dev.zone
+    dnssec-signing: on
+    module: mod-stats
+    notify: [ benjojo-1, benjojo-2, benjojo-3 ]
+    zonefile-load: difference
+    acl: [ benjojo, dnsupdate ]
+
 log:
   - target: syslog
     any: info

config/services/mail/default.nix

@@ -2,47 +2,50 @@
 
 with lib;
 
-{
+let
+  domains = [ "kittywitch" "dork" ];
+in {
   imports = [ sources.nixos-mailserver.outPath ];
 
-  kw.secrets.variables = (mapListToAttrs (field:
+  kw.secrets.variables = listToAttrs (map (field:
     nameValuePair "mail-${field}-hash" {
       path = "secrets/mail-kittywitch";
       field = "${field}-hash";
     }) ["gitea" "kat"]
-    // {
-      mail-domainkey-kitty = {
-        path = "secrets/mail-kittywitch";
+    ++ map (domain:
+      nameValuePair "mail-domainkey-${domain}" {
+        path = "secrets/mail-${domain}";
         field = "notes";
+      }) domains);
+
+  deploy.tf.dns.records = lib.mkMerge (map (domain: let
+      zoneGet = domain: if domain == "dork" then "dork.dev." else config.network.dns.zone;
+    in {
+      "services_mail_${domain}_mx" = {
+        zone = zoneGet domain;
+        mx = {
+          priority = 10;
+          target = "${config.network.addresses.public.domain}.";
+        };
       };
-    });
 
-  deploy.tf.dns.records.services_mail_mx = {
-    tld = config.network.dns.tld;
-    domain = "@";
-    mx = {
-      priority = 10;
-      target = "${config.network.addresses.public.domain}.";
-    };
-  };
+      "services_mail_${domain}_spf" = {
+        zone = zoneGet domain;
+        txt.value = "v=spf1 ip4:${config.network.addresses.public.nixos.ipv4.address} ip6:${config.network.addresses.public.nixos.ipv6.address} -all";
+      };
 
-  deploy.tf.dns.records.services_mail_spf = {
-    tld = config.network.dns.tld;
-    domain = "@";
-    txt.value = "v=spf1 ip4:${config.network.addresses.public.nixos.ipv4.address} ip6:${config.network.addresses.public.nixos.ipv6.address} -all";
-  };
+      "services_mail_${domain}_dmarc" = {
+        zone = zoneGet domain;
+        domain = "_dmarc";
+        txt.value = "v=DMARC1; p=none";
+      };
 
-  deploy.tf.dns.records.services_mail_dmarc = {
-    tld = config.network.dns.tld;
-    domain = "_dmarc";
-    txt.value = "v=DMARC1; p=none";
-  };
-
-  deploy.tf.dns.records.services_mail_domainkey = {
-    tld = config.network.dns.tld;
-    domain = "mail._domainkey";
-    txt.value = tf.variables.mail-domainkey-kitty.ref;
-  };
+      "services_mail_${domain}_domainkey" = {
+        zone = zoneGet domain;
+        domain = "mail._domainkey";
+        txt.value = tf.variables."mail-domainkey-${domain}".ref;
+      };
+    }) domains);
 
   secrets.files = {
     mail-kat-hash = {