authorseth <[email protected]>2024-10-18 03:10:35 -0400
committerGitHub <[email protected]>2024-10-18 07:10:35 +0000
commite6f79b30e620cf7bd5b06e2579e979ff090e925a (patch)
tree1dd2b20126602ef448f77fbb9cdd44ba7f02a58c /terranix/cloudflare/dns.nix
parentfdaf8680ef5bbcadb7cece43911beff18f90cdb2 (diff)
more refactors & outsource some things (#477)
* tree-wide: drop flake-parts * drop nixinate * justfile: cleanup * drop treefmt-nix * doc: update READMEs * flake: cleanup * seth: don't use `./.` * modules/nixos,darwin: bundle all modules They all depend on each other anyways so * systems: manually import internal modules * seth: use riff module from nix-exprs * flake: back to flake-parts * Revert "flake: back to flake-parts" This reverts commit 35334882f7c0c23991a4efd65ea08b216006b2b0. Saving the last commit so I can go back if I want * flake: use lib.const this looks better...right? * flake: declare systems like a normal person
Diffstat (limited to 'terranix/cloudflare/dns.nix')
-rw-r--r--terranix/cloudflare/dns.nix110
1 files changed, 110 insertions, 0 deletions
diff --git a/terranix/cloudflare/dns.nix b/terranix/cloudflare/dns.nix
new file mode 100644
index 0000000..335562d
--- /dev/null
+++ b/terranix/cloudflare/dns.nix
@@ -0,0 +1,110 @@
+{ lib, ... }:
+let
+ mkRecord =
+ {
+ name,
+ content,
+ type,
+ zone_id,
+ }:
+ {
+ inherit
+ name
+ content
+ type
+ zone_id
+ ;
+ ttl = 1;
+ }
+ // lib.optionalAttrs (type != "TXT") { proxied = true; };
+
+ zones = {
+ getchoo_com = lib.tfRef "var.getchoo_com_zone_id";
+ };
+ inherit (zones) getchoo_com;
+
+ atlas_tunnel =
+ lib.tfRef "data.cloudflare_zero_trust_tunnel_cloudflared.atlas-nginx.id" + ".cfargotunnel.com";
+
+ pagesSubdomainFor = project: lib.tfRef "resource.cloudflare_pages_project.${project}.subdomain";
+ blockEmailSpoofingFor =
+ domain:
+ let
+ zone_id = zones.${domain};
+ in
+ {
+ "${domain}_dmarc" = {
+ name = "_dmarc";
+ content = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;";
+ type = "TXT";
+ inherit zone_id;
+ };
+
+ "${domain}_domainkey" = {
+ name = "*._domainkey";
+ content = "v=DKIM1; p=";
+ type = "TXT";
+ inherit zone_id;
+ };
+
+ "${domain}_email" = {
+ name = "@";
+ content = "v=spf1 -all";
+ type = "TXT";
+ inherit zone_id;
+ };
+ };
+in
+{
+ resource.cloudflare_zone_dnssec = {
+ getchoo_com_dnssec = {
+ zone_id = getchoo_com;
+ };
+ };
+
+ resource.cloudflare_record =
+ lib.mapAttrs (_: mkRecord) {
+ getchoo_com_website = {
+ name = "@";
+ content = pagesSubdomainFor "personal_website";
+ type = "CNAME";
+ zone_id = getchoo_com;
+ };
+
+ getchoo_com_www = {
+ name = "www";
+ content = "getchoo.com";
+ type = "CNAME";
+ zone_id = getchoo_com;
+ };
+
+ getchoo_com_api = {
+ name = "api";
+ content = pagesSubdomainFor "teawie_api";
+ type = "CNAME";
+ zone_id = getchoo_com;
+ };
+
+ getchoo_com_miniflux = {
+ name = "miniflux";
+ content = atlas_tunnel;
+ type = "CNAME";
+ zone_id = getchoo_com;
+ };
+
+ getchoo_com_git = {
+ name = "git";
+ content = atlas_tunnel;
+ type = "CNAME";
+ zone_id = getchoo_com;
+ };
+
+ getchoo_com_keyoxide = {
+ name = "@";
+ content = "$argon2id$v=19$m=512,t=256,p=1$AlA6W5fP7J14zMsw0W5KFQ$EQz/NCE0/TQpE64r2Eo/yOpjtMZ9WXevHsv3YYP7CXg";
+ type = "TXT";
+ zone_id = getchoo_com;
+ };
+ }
+ // blockEmailSpoofingFor "getchoo_com";
+}
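Review bot: The three anti-spoofing TXT records from `blockEmailSpoofingFor "getchoo_com"` are merged in after `lib.mapAttrs (_: mkRecord)` has already been applied (function application binds tighter than `//`), so unlike every other record in the file they never pass through `mkRecord` and carry no explicit `ttl = 1`; whether that changes the resulting record depends on the provider's default for `ttl`, which is not visible here. Moving the merge inside the mapped argument keeps the records uniform: `lib.mapAttrs (_: mkRecord) ({` … `} // blockEmailSpoofingFor "getchoo_com");`. Note that `mkRecord`'s argument pattern has no `...`, so a record with any extra attribute would fail to evaluate; a short comment such as `# exact attribute set on purpose: only these four keys are accepted` would make that guard intentional rather than accidental. Separately, the DMARC record at `_dmarc` uses `p=reject` with strict alignment but no `rua=` address, so any attempted spoofing of this domain will be rejected but never reported back; that is fine for a domain that sends no mail, but worth a one-line comment stating that choice.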