Diffstat (limited to 'ext/terranix/cloudflare/dns.nix')
| -rw-r--r-- | ext/terranix/cloudflare/dns.nix | 129 |
1 files changed, 89 insertions, 40 deletions
diff --git a/ext/terranix/cloudflare/dns.nix b/ext/terranix/cloudflare/dns.nix
index 562fdf7..5664be2 100644
--- a/ext/terranix/cloudflare/dns.nix
+++ b/ext/terranix/cloudflare/dns.nix
@@ -1,65 +1,114 @@ {lib, ...}: let - mkRecord = name: { + mkRecord = { + name, value, type, - ... - } @ args: + zone_id, + }: { - name = args.name or name; - zone_id = lib.tfRef "var.zone_id"; + inherit name value type zone_id; ttl = 1; - inherit value type; } // lib.optionalAttrs (type != "TXT") {proxied = true;}; - atlas_tunnel = lib.tfRef "data.cloudflare_tunnel.atlas-nginx.id" + ".cfargotunnel.com"; -in { - resource.cloudflare_record = builtins.mapAttrs mkRecord { - website = { - name = "@"; - value = "website-86j.pages.dev"; - type = "CNAME"; - }; - - keyoxide = { - name = "@"; - value = "$argon2id$v=19$m=512,t=256,p=1$AlA6W5fP7J14zMsw0W5KFQ$EQz/NCE0/TQpE64r2Eo/yOpjtMZ9WXevHsv3YYP7CXg"; - type = "TXT"; - }; - - www = { - value = "mydadleft.me"; - type = "CNAME"; - }; - - api = { - value = "teawieapi.pages.dev"; - type = "CNAME"; - }; - - miniflux = { - value = atlas_tunnel; - type = "CNAME"; - }; + zones = { + mydadleft_me = lib.tfRef "var.mydadleft_me_zone_id"; + getchoo_com = lib.tfRef "var.getchoo_com_zone_id"; + }; + inherit + (zones) + mydadleft_me + getchoo_com + ; - # prevent email spoofing + atlas_tunnel = lib.tfRef "data.cloudflare_tunnel.atlas-nginx.id" + ".cfargotunnel.com"; - dmarc = { + blockEmailSpoofingFor = domain: let + zone_id = zones.${domain}; + in { + "${domain}_dmarc" = { name = "_dmarc"; value = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"; type = "TXT"; + inherit zone_id; }; - domainkey = { + "${domain}_domainkey" = { name = "*._domainkey"; value = "v=DKIM1; p="; type = "TXT"; + inherit zone_id; }; - email = { - name = "mydadleft.me"; + "${domain}_email" = { + name = "@"; value = "v=spf1 -all"; type = "TXT"; + inherit zone_id; + }; + }; +in { + resource.cloudflare_zone_dnssec = { + mydadleft_me_dnssec = { + zone_id = mydadleft_me; + }; + + getchoo_com_dnssec = { + zone_id = getchoo_com; }; }; + + resource.cloudflare_record = + lib.mapAttrs (_: mkRecord) { + getchoo_com_website = { + name = "@"; + value = "website-86j.pages.dev"; + 
type = "CNAME"; + zone_id = getchoo_com; + }; + + getchoo_com_www = { + name = "www"; + value = "getchoo.com"; + type = "CNAME"; + zone_id = getchoo_com; + }; + + mydadleft_me_website = { + name = "@"; + value = "website-86j.pages.dev"; + type = "CNAME"; + zone_id = mydadleft_me; + }; + + mydadleft_me_keyoxide = { + name = "@"; + value = "$argon2id$v=19$m=512,t=256,p=1$AlA6W5fP7J14zMsw0W5KFQ$EQz/NCE0/TQpE64r2Eo/yOpjtMZ9WXevHsv3YYP7CXg"; + type = "TXT"; + zone_id = mydadleft_me; + }; + + mydadleft_me_www = { + name = "www"; + value = "mydadleft.me"; + type = "CNAME"; + zone_id = mydadleft_me; + }; + + mydadleft_me_api = { + name = "api"; + value = "teawieapi.pages.dev"; + type = "CNAME"; + zone_id = mydadleft_me; + }; + + mydadleft_me_miniflux = { + name = "miniflux"; + value = atlas_tunnel; + type = "CNAME"; + zone_id = mydadleft_me; + }; + } + // blockEmailSpoofingFor "mydadleft_me" + // blockEmailSpoofingFor "getchoo_com"; } |
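Review bot: The new `resource.cloudflare_zone_dnssec` entries turn on signing for both zones, but nothing in this hunk records that the DS record still has to be published at the registrar, and until that happens resolvers do not validate the zone. If either domain is registered outside Cloudflare (not visible from here), a comment above the block such as `# DNSSEC is only enforced once the DS record from this resource is set at the registrar` would keep that step from being forgotten. Separately, `blockEmailSpoofingFor` merges its `"${domain}_dmarc"`, `"${domain}_domainkey"` and `"${domain}_email"` keys into the record set with `//`, which is right-biased, so a hand-written record with the same attribute name would be replaced silently. A one-line comment reserving those three suffixes for the helper would make that explicit.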
