Diffstat (limited to 'dnsconfig.js')
-rw-r--r--dnsconfig.js195
1 files changed, 195 insertions, 0 deletions
diff --git a/dnsconfig.js b/dnsconfig.js
new file mode 100644
index 0000000..d2578e4
--- /dev/null
+++ b/dnsconfig.js
@@ -0,0 +1,195 @@
+// @ts-check
+/// <reference path="types-dnscontrol.d.ts" />
+
+// Helpers
+
+/**
+ * @param {object} record
+ * @param {string[]} [record.alpn]
+ * @param {string[]} [record.ipv4hint]
+ * @param {string[]} [record.ipv6hint]
+ */
+function https(record) {
+  return Object.keys(record)
+    .map(function (key) {
+      return [key, record[key].join(',')].join('=')
+    })
+    .join(' ')
+}
+
+// Fast, but no IPv6 support in 2024
+var vercelIPv4A = '76.76.21.241'
+var vercelIPv4B = '76.76.21.98'
+
+// A bit slower but at least IPv6 is supported
+var netlifyIPv4A = '75.2.60.5'
+var netlifyIPv4B = '99.83.231.61'
+var netlifyIPv6A = '2a05:d014:275:cb01::c8'
+var netlifyIPv6B = '2a05:d014:275:cb00::c8'
+
+/**
+ * @param {string} name
+ */
+function vercelv4Netlifyv6(name) {
+  return [
+    A(name, vercelIPv4A),
+    A(name, vercelIPv4B),
+    AAAA(name, netlifyIPv6A),
+    AAAA(name, netlifyIPv6B),
+    // neither vercel nor netlify support HTTP/3 yet
+    HTTPS(name, 1, '.', https({ alpn: ['h2'] })),
+  ]
+}
+
+/**
+ * @param {string} domain
+ * @param {string} verification
+ */
+function iCloudMail(domain, verification) {
+  return [
+    MX('@', 10, 'mx01.mail.icloud.com.'),
+    MX('@', 10, 'mx02.mail.icloud.com.'),
+    TXT('@', 'apple-domain=' + verification),
+    SPF_BUILDER({
+      parts: ['v=spf1', 'redirect=icloud.com'],
+    }),
+    CNAME('sig1._domainkey', 'sig1.dkim.' + domain + '.at.icloudmailadmin.com.'),
+  ]
+}
+
+/**
+ * @param {string[]} sources
+ * @param {string} target
+ */
+function bulkCNAME(sources, target) {
+  return sources.map(function (source) {
+    return CNAME(source, target)
+  })
+}
+
+var nameserversHE = [
+  NAMESERVER('ns1.he.net.'),
+  NAMESERVER('ns2.he.net.'),
+  NAMESERVER('ns3.he.net.'),
+  NAMESERVER('ns4.he.net.'),
+  NAMESERVER('ns5.he.net.'),
+]
+
+var acmeLetsEncrypt = [
+  CAA_BUILDER({
+    iodef: 'mailto:alan@alanpearce.eu',
+    issue: ['letsencrypt.org'],
+    issuewild: ['letsencrypt.org'],
+  }),
+  IGNORE('_acme-challenge', 'TXT'),
+  IGNORE('_acme-challenge.**', 'TXT'),
+]
+
+var websiteHosting = [vercelv4Netlifyv6('@'), vercelv4Netlifyv6('www')]
+
+// Providers:
+
+var RegistrarNone = NewRegistrar('none')
+var RegistrarOVH = NewRegistrar('ovh')
+var PowerDNS = NewDnsProvider('powerdns')
+
+// Domains:
+
+DEFAULTS(DefaultTTL('1d'), NAMESERVER_TTL('1d'))
+
+D(
+  'alanpearce.eu',
+  RegistrarOVH,
+  DnsProvider(PowerDNS),
+
+  nameserversHE,
+
+  acmeLetsEncrypt,
+  websiteHosting,
+
+  // prettier-ignore
+  bulkCNAME([
+    'binarycache',
+    'ci',
+    'dns',
+    'files',
+    'git',
+    'id',
+    'legit',
+    'ntfy',
+    'pdns',
+    'test',
+  ], 'linde'),
+
+  // bluesky
+  TXT('_atproto', 'did=did:plc:exkgyiknwmakcrbmebvk34do'),
+
+  CNAME('searchix', 'searchix.vercel.app.'),
+  CNAME('zola-bearblog', 'zola-bearblog.netlify.app.'),
+
+  CNAME('home', 'nanopi'),
+  IGNORE('nanopi', 'A,AAAA'),
+  SSHFP('nanopi', 4, 2, '87383955296887ec069cfd2b41b556614918c2347306c5ef526f5306ad3e2dc7'),
+  SSHFP('nanopi', 4, 1, '9401664debcab758c9450ac65070f7cd0be6de64'),
+  SSHFP('nanopi', 3, 2, '5216e600a267675b4615c8a595323c455e8db8007d3bf01cd408166941019e38'),
+  SSHFP('nanopi', 3, 1, '09f0ec4751014d32c32c7d67c1127be3306a1baf'),
+  SSHFP('nanopi', 1, 2, 'ed6e750de7f6ddaa338f73c4140f0bd0d54711706986925bb8890a96abea1bc6'),
+  SSHFP('nanopi', 1, 1, '90bee798b3a7fe8aeb7e84ee7717b04edb0b197d'),
+
+  A('linde', '116.203.248.56'),
+  AAAA('linde', '2a01:4f8:c012:23a4::1'),
+  HTTPS('linde', 1, '.', 'alpn=h3,h2'),
+  SSHFP('linde', 1, 1, 'ef6691558281a88b874ac41cf7c14d31209e64bc'),
+  SSHFP('linde', 1, 2, '5d1b6ecff5dd5c624ee662eb1684c3c9e42f9a138aa938ba8d018fbc5cf628de'),
+  SSHFP('linde', 4, 1, 'ec773b94dec19f70cb6df7c78df0229a6fbe9666'),
+  SSHFP('linde', 4, 2, '72f576b32b5c2d16312574182b028671fa39c8bab03d802fae04eb7f649d2570'),
+  CNAME('*.linde', 'linde'),
+
+  iCloudMail('alanpearce.eu', 'anzQe301nq7grixH'),
+  DMARC_BUILDER({
+    policy: 'reject',
+    percent: 100,
+    subdomainPolicy: 'reject',
+    rua: ['mailto:re+xkh82ketimo@dmarc.postmarkapp.com'],
+    alignmentSPF: 'r',
+  })
+)
+
+D(
+  'alanpearce.uk',
+  RegistrarOVH,
+  DnsProvider(PowerDNS),
+
+  acmeLetsEncrypt,
+  websiteHosting,
+
+  iCloudMail('alanpearce.uk', 'BNdyqalwDX8kwF6k'),
+  DMARC_BUILDER({
+    policy: 'reject',
+    percent: 100,
+    subdomainPolicy: 'reject',
+    rua: ['mailto:re+kef20qlkynz@dmarc.postmarkapp.com'],
+    alignmentSPF: 'r',
+  }),
+
+  nameserversHE
+)
+
+D(
+  'aln.pe',
+  RegistrarNone,
+  DnsProvider(PowerDNS),
+  DefaultTTL(86400),
+  NAMESERVER_TTL(86400),
+
+  acmeLetsEncrypt,
+  websiteHosting,
+
+  SPF_BUILDER({
+    parts: ['v=spf1', '-all'],
+  }),
+
+  DNAME('@', 'alanpearce.eu.'),
+
+  nameserversHE
+)
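Review bot: In the `aln.pe` block, `DNAME('@', 'alanpearce.eu.')` is combined with `websiteHosting`, which also creates A/AAAA/HTTPS records at `www`, and with the `_acme-challenge` names that `acmeLetsEncrypt` leaves to an external ACME client; all of these sit below the DNAME owner. RFC 6672 does not allow records underneath a DNAME, so whether `www.aln.pe` answers with the explicit records or with a synthesized CNAME to `www.alanpearce.eu` probably depends on how the serving nameservers handle DNAME; using only `vercelv4Netlifyv6('@')` in this zone, or dropping the DNAME, would make the result deterministic. Separately, the `SSHFP` records for `nanopi` and `linde` are only trusted by clients when the zone is DNSSEC-signed, and nothing in this file shows that (for example `AUTODNSSEC_ON`, unless signing is handled in PowerDNS itself), so a comment such as `// SSHFP relies on DNSSEC; zone is signed via <mechanism>` would document the assumption. The SHA-1 fingerprints (third argument `1`) duplicate the SHA-256 ones and could be dropped.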