From 2636c90a5ed7b970469dd31a9be68a683219d79b Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Sat, 22 Jun 2024 17:07:31 +0200
Subject: Initial commit
---
 dnsconfig.js | 195 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 195 insertions(+)
 create mode 100644 dnsconfig.js
(limited to 'dnsconfig.js')
diff --git a/dnsconfig.js b/dnsconfig.js
new file mode 100644
index 0000000..d2578e4
--- /dev/null
+++ b/dnsconfig.js
@@ -0,0 +1,195 @@
+// @ts-check
+///
+
+// Helpers
+
+/**
+ * @param {object} record
+ * @param {string[]} [record.alpn]
+ * @param {string[]} [record.ipv4hint]
+ * @param {string[]} [record.ipv6hint]
+ */
+function https(record) {
+ return Object.keys(record)
+ .map(function (key) {
+ return [key, record[key].join(',')].join('=')
+ })
+ .join(' ')
+}
+
+// Fast, but no IPv6 support in 2024
+var vercelIPv4A = '76.76.21.241'
+var vercelIPv4B = '76.76.21.98'
+
+// A bit slower but at least IPv6 is supported
+var netlifyIPv4A = '75.2.60.5'
+var netlifyIPv4B = '99.83.231.61'
+var netlifyIPv6A = '2a05:d014:275:cb01::c8'
+var netlifyIPv6B = '2a05:d014:275:cb00::c8'
+
+/**
+ * @param {string} name
+ */
+function vercelv4Netlifyv6(name) {
+ return [
+ A(name, vercelIPv4A),
+ A(name, vercelIPv4B),
+ AAAA(name, netlifyIPv6A),
+ AAAA(name, netlifyIPv6B),
+ // neither vercel nor netlify support HTTP/3 yet
+ HTTPS(name, 1, '.', https({ alpn: ['h2'] })),
+ ]
+}
+
+/**
+ * @param {string} domain
+ * @param {string} verification
+ */
+function iCloudMail(domain, verification) {
+ return [
+ MX('@', 10, 'mx01.mail.icloud.com.'),
+ MX('@', 10, 'mx02.mail.icloud.com.'),
+ TXT('@', 'apple-domain=' + verification),
+ SPF_BUILDER({
+ parts: ['v=spf1', 'redirect=icloud.com'],
+ }),
+ CNAME('sig1._domainkey', 'sig1.dkim.' + domain + '.at.icloudmailadmin.com.'),
+ ]
+}
+
+/**
+ * @param {string[]} sources
+ * @param {string} target
+ */
+function bulkCNAME(sources, target) {
+ return sources.map(function (source) {
+ return CNAME(source, target)
+ })
+}
+
+var nameserversHE = [
+ NAMESERVER('ns1.he.net.'),
+ NAMESERVER('ns2.he.net.'),
+ NAMESERVER('ns3.he.net.'),
+ NAMESERVER('ns4.he.net.'),
+ NAMESERVER('ns5.he.net.'),
+]
+
+var acmeLetsEncrypt = [
+ CAA_BUILDER({
+ iodef: 'mailto:alan@alanpearce.eu',
+ issue: ['letsencrypt.org'],
+ issuewild: ['letsencrypt.org'],
+ }),
+ IGNORE('_acme-challenge', 'TXT'),
+ IGNORE('_acme-challenge.**', 'TXT'),
+]
+
+var websiteHosting = [vercelv4Netlifyv6('@'), vercelv4Netlifyv6('www')]
+
+// Providers:
+
+var RegistrarNone = NewRegistrar('none')
+var RegistrarOVH = NewRegistrar('ovh')
+var PowerDNS = NewDnsProvider('powerdns')
+
+// Domains:
+
+DEFAULTS(DefaultTTL('1d'), NAMESERVER_TTL('1d'))
+
+D(
+ 'alanpearce.eu',
+ RegistrarOVH,
+ DnsProvider(PowerDNS),
+
+ nameserversHE,
+
+ acmeLetsEncrypt,
+ websiteHosting,
+
+ // prettier-ignore
+ bulkCNAME([
+ 'binarycache',
+ 'ci',
+ 'dns',
+ 'files',
+ 'git',
+ 'id',
+ 'legit',
+ 'ntfy',
+ 'pdns',
+ 'test',
+ ], 'linde'),
+
+ // bluesky
+ TXT('_atproto', 'did=did:plc:exkgyiknwmakcrbmebvk34do'),
+
+ CNAME('searchix', 'searchix.vercel.app.'),
+ CNAME('zola-bearblog', 'zola-bearblog.netlify.app.'),
+
+ CNAME('home', 'nanopi'),
+ IGNORE('nanopi', 'A,AAAA'),
+ SSHFP('nanopi', 4, 2, '87383955296887ec069cfd2b41b556614918c2347306c5ef526f5306ad3e2dc7'),
+ SSHFP('nanopi', 4, 1, '9401664debcab758c9450ac65070f7cd0be6de64'),
+ SSHFP('nanopi', 3, 2, '5216e600a267675b4615c8a595323c455e8db8007d3bf01cd408166941019e38'),
+ SSHFP('nanopi', 3, 1, '09f0ec4751014d32c32c7d67c1127be3306a1baf'),
+ SSHFP('nanopi', 1, 2, 'ed6e750de7f6ddaa338f73c4140f0bd0d54711706986925bb8890a96abea1bc6'),
+ SSHFP('nanopi', 1, 1, '90bee798b3a7fe8aeb7e84ee7717b04edb0b197d'),
+
+ A('linde', '116.203.248.56'),
+ AAAA('linde', '2a01:4f8:c012:23a4::1'),
+ HTTPS('linde', 1, '.', 'alpn=h3,h2'),
+ SSHFP('linde', 1, 1, 'ef6691558281a88b874ac41cf7c14d31209e64bc'),
+ SSHFP('linde', 1, 2, '5d1b6ecff5dd5c624ee662eb1684c3c9e42f9a138aa938ba8d018fbc5cf628de'),
+ SSHFP('linde', 4, 1, 'ec773b94dec19f70cb6df7c78df0229a6fbe9666'),
+ SSHFP('linde', 4, 2, '72f576b32b5c2d16312574182b028671fa39c8bab03d802fae04eb7f649d2570'),
+ CNAME('*.linde', 'linde'),
+
+ iCloudMail('alanpearce.eu', 'anzQe301nq7grixH'),
+ DMARC_BUILDER({
+ policy: 'reject',
+ percent: 100,
+ subdomainPolicy: 'reject',
+ rua: ['mailto:re+xkh82ketimo@dmarc.postmarkapp.com'],
+ alignmentSPF: 'r',
+ })
+)
+
+D(
+ 'alanpearce.uk',
+ RegistrarOVH,
+ DnsProvider(PowerDNS),
+
+ acmeLetsEncrypt,
+ websiteHosting,
+
+ iCloudMail('alanpearce.uk', 'BNdyqalwDX8kwF6k'),
+ DMARC_BUILDER({
+ policy: 'reject',
+ percent: 100,
+ subdomainPolicy: 'reject',
+ rua: ['mailto:re+kef20qlkynz@dmarc.postmarkapp.com'],
+ alignmentSPF: 'r',
+ }),
+
+ nameserversHE
+)
+
+D(
+ 'aln.pe',
+ RegistrarNone,
+ DnsProvider(PowerDNS),
+ DefaultTTL(86400),
+ NAMESERVER_TTL(86400),
+
+ acmeLetsEncrypt,
+ websiteHosting,
+
+ SPF_BUILDER({
+ parts: ['v=spf1', '-all'],
+ }),
+
+ DNAME('@', 'alanpearce.eu.'),
+
+ nameserversHE
+)
-- cgit 1.4.1
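Review bot: In the `aln.pe` zone, `websiteHosting` adds A/AAAA/HTTPS records at `www` while the same `D()` also carries `DNAME('@', 'alanpearce.eu.')`; RFC 6672 forbids any data at names below a DNAME owner, so `www.aln.pe` is either rejected by PowerDNS or shadowed by the redirection to `www.alanpearce.eu`, and only the apex data can legitimately coexist with the DNAME. Replacing `websiteHosting,` with `vercelv4Netlifyv6('@'),` in that block keeps the apex site and lets the DNAME carry `www`, `_dmarc` and `_acme-challenge` to the `.eu` zone, which appears to be the intent since this zone defines no DMARC record of its own. Because the domain sends no mail (`v=spf1 -all`), a null MX `MX('@', 0, '.'),` (RFC 7505) would state that explicitly to receivers instead of relying on the implicit A-record fallback. Separately, the SSHFP and CAA records for `linde` and `nanopi` only carry weight when the zone is DNSSEC-signed — OpenSSH's `VerifyHostKeyDNS` trusts SSHFP only on validated answers — and nothing in this file shows whether PowerDNS signs these zones, so that is worth confirming outside dnscontrol.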