1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
{
inputs,
povSelf,
pkgs,
lib,
config,
hostConfig,
...
}:
let
inherit (lib) types;
cfg = lib.getAttrFromPath povSelf config;
in
{
options.enable = {
type = types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
dns.zones."zaphyra.dn42".subdomains."${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}" = {
AAAA = [ hostConfig.networking.dn42Address ];
};
security.acme.certs."${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}.zaphyra.dn42" = {
server = "https://acme.burble.dn42/v1/dn42/acme/directory";
validMinDays = 20;
keyType = "ec384";
dnsProvider = null;
};
services.nginx = {
enable = true;
virtualHosts."${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}.zaphyra.dn42" = {
enableACME = true;
forceSSL = true;
kTLS = true;
};
};
services.resolved = {
enable = true;
fallbackDns = [
"8.8.8.8"
"2001:4860:4860::8844"
];
};
systemd.network = {
networks."20-dn42" = {
matchConfig.Name = "dn42";
routes = [ { Destination = "fd00::/8"; } ];
networkConfig = {
DNSDefaultRoute = false;
DNS = [ "fd6b:6174:6a61::1" ];
Domains = [
"~dn42"
"d.f.ip6.arpa"
];
};
};
};
modules.services.prometheusExporters.domain = "${lib.removeSuffix ".zaphyra.eu" config.networking.fqdn}.zaphyra.dn42";
security.pki.certificates = [
#dn42 root ca
''
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC
WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0
aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx
NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE
CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd
BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR
VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx
6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS
FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu
y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw
GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P
AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J
bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud
HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA
//8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11
S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl
aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu
P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI
9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC
1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ
C0IKqQ==
-----END CERTIFICATE-----
''
];
environment.etc."whois.conf".text = ''
\.dn42$ whois.dn42
\-DN42$ whois.dn42
# dn42 range 64512-65534
^as6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9]{2})|5([0-4][0-9]{2}|5([0-2][0-9]|3[0-4])))$ whois.dn42
# dn42 range 76100-76199
^as761[0-9][0-9]$ whois.dn42
# dn42 range 4242420000-4242429999
^as424242[0-9]{4}$ whois.dn42
# dn42 ipv4 address space
^172\.2[0-3]\.[0-9]{1,3}\.[0-9]{1,3}(/(1[56789]|2[0-9]|3[012]))?$ whois.dn42
# dn42 ula ipv6 address space
^fd**:****:****:****:****:****:****:**** whois.dn42
'';
};
}