diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index 3747ac4a336e7cc98670429390e7e1da0276e3b6..543fbfc33dcf932df85c644e33f6dbb12b2a7d5f 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -148,6 +148,51 @@ locals { "whatcanwedofor" = "b5f8011047c1610ace52e754b568c834" } + # This creates archlinux.org TXT DNS entries + # Valid parameters are: + # - ttl (optional) + # - value (mandatory) + # + # Example: + # "_github-challenge-archlinux" = { ttl = 600, value = "824af4446e" } + archlinux_org_txt = { + "luna._domainkey.lists" = { ttl = 600, value = "v=DKIM1; k=rsa; s=email; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvXrAPvtdX8Jrk4zmyk8w9T2zdAJGe7z0+4XHWWiuzH8Zse6S7oXiS9CVaPOsu0TZqHqhuclASU7qh0NXFwWyi2xRPyJOqH2Clu7vHS3j5F4TjURFOp4/EbA0iQu4rbItl4AU11z2pGSEj5SykUsrH+jjdqzNqAG9d4lNvkTs6RRzPF3KhhY+XljaeysEyDSS4ap4E0DYcduSIX\" \"oD1exFv4SEbXThD9PC1u81w4xusnmwmfHtR7aazeqPDP+S+FqDRy2woCaQb/VMbqMYVuWTVKJ2RxFyTKredOOV2c5kzih7GViwoetll/rTqO4aVbeir9K4f6YZg85dSQtVwEat7LV+zBnQwp3ivWkrIk8VEdSsCSaJlgattBiPHsfFFv1xw4qi3h+UvfCGgz35dtlnzd/noGhNARg0Z+kaMSTjy75V1mKx5sCH0o8nAX2XU8akJfLz58Vg\" \"kTx/sfealtwNA0gTy1t1jV8q0OF5RA0IeMRgCzeH2USOZI98W+EAUsGG5653Vzmp3FJRWp1tWJwRJ0M/aZ3ka/G1iTx3rNNcadVk+4q3gz3KnlAlun+m58y8pNWKjYuxmu9xkDRwM/33rv98j0R8HZO7HFL+1vjKkxSEuzmnTQ2O9F76/OsQoDPZ1Z6nJRvK8ts8PQr4ASKohby62+1F1M8U2Xn7u84dYLUCAwEAAQ==" } + "luna2._domainkey" = { ttl = 600, value = "v=DKIM1; k=rsa; s=email; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvXrAPvtdX8Jrk4zmyk8w9T2zdAJGe7z0+4XHWWiuzH8Zse6S7oXiS9CVaPOsu0TZqHqhuclASU7qh0NXFwWyi2xRPyJOqH2Clu7vHS3j5F4TjURFOp4/EbA0iQu4rbItl4AU11z2pGSEj5SykUsrH+jjdqzNqAG9d4lNvkTs6RRzPF3KhhY+XljaeysEyDSS4ap4E0DYcduSIX\" \"oD1exFv4SEbXThD9PC1u81w4xusnmwmfHtR7aazeqPDP+S+FqDRy2woCaQb/VMbqMYVuWTVKJ2RxFyTKredOOV2c5kzih7GViwoetll/rTqO4aVbeir9K4f6YZg85dSQtVwEat7LV+zBnQwp3ivWkrIk8VEdSsCSaJlgattBiPHsfFFv1xw4qi3h+UvfCGgz35dtlnzd/noGhNARg0Z+kaMSTjy75V1mKx5sCH0o8nAX2XU8akJfLz58Vg\" \"kTx/sfealtwNA0gTy1t1jV8q0OF5RA0IeMRgCzeH2USOZI98W+EAUsGG5653Vzmp3FJRWp1tWJwRJ0M/aZ3ka/G1iTx3rNNcadVk+4q3gz3KnlAlun+m58y8pNWKjYuxmu9xkDRwM/33rv98j0R8HZO7HFL+1vjKkxSEuzmnTQ2O9F76/OsQoDPZ1Z6nJRvK8ts8PQr4ASKohby62+1F1M8U2Xn7u84dYLUCAwEAAQ==" } + 
"dkim-ed25519._domainkey" = { ttl = 600, value = "v=DKIM1; k=ed25519; \" \"p=XOHB7b7V1puX+FryNIhsjXHYIFqk+q6JRu4XQ7Jc8MQ=" } + "dkim-rsa._domainkey" = { ttl = 600, value = "v=DKIM1; k=rsa; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1GjGrEczq7iHZbvT7wa4ltJz2jwSndUGdRHgfEPnGBeevOXEAlEFr4zsdkfZEaNaQLIhZNpvKAt/A+kkyalkj4u9AnxqeNsNmZflFl6TKgvh0tWNEP3+XNxfdQ7zfml4WggL/YdAjXngg42oZEUsnS/6iozOFn7bNvzqBx5PFJ21pgyuR8DWyLaeOt+p55dVed7DCKnKi11Xjiu7k\" \"H68W8rose7g8Fv9fecBatEE4jwloOXsjh+tH0iab1NSSSpIq6EdgcPrpmrllN3/n2J/kCGK6ztISB6vR7xWgvgHSMjmEL0GPWzohGPrw2UQhZhrNV8dJpiLRYmfK+rXaKF0Kqag/F0e4C4jCKFX7NYFcYXYRlN5QlDFjZvUmOILlgnZ8w/SdZUKzpLObGuwnANLG+WSOjw42p9mXVGN6AfOQPu8OjRjS1MyhcdDIbUvZiQjbmiVJ5frpYZ39BTg\" \"CIzYLJJ5932+3gnwROu1OeljWkpBkfHZXPzADus80l3Vxsk91XZVB36rN8tyuMownR/M4HNC7ZE/EBwOnn1mGH7bLd6pva8u5Qy8Y6LrDdYea5Kk7aZ2WJSSRTV+nkPvOEIx+DfsIWNfmkVWzmuVky96fRvwOCuh38w8zpmlqzhDuGSQrBaLFXwAC7LYQ6kPDHzrjQhs99ScR0ix6YclrmpimMcCAwEAAQ==" } + "_dmarc" = { value = "v=DMARC1; p=none; rua=mailto:dmarc-reports@archlinux.org; ruf=mailto:dmarc-reports@archlinux.org;" } + "_github-challenge-archlinux" = { value = "824af4446e" } + "_github-challenge-archlinux.www" = { value = "b53f311f86" } + + # TLS-RPT + MTA-STS + SPF + "_smtp._tls" = { value = "v=TLSRPTv1;rua=mailto:postmaster@archlinux.org" } + "_smtp._tls.aur" = { value = "v=TLSRPTv1;rua=mailto:postmaster@archlinux.org" } + "_smtp._tls.master-key" = { value = "v=TLSRPTv1;rua=mailto:postmaster@archlinux.org" } + "_smtp._tls.lists" = { value = "v=TLSRPTv1;rua=mailto:postmaster@archlinux.org" } + # Generated with: date +%s + "_mta-sts" = { value = "v=STSv1; id=1608210175" } + "@" = { value = "v=spf1 ip4:${hcloud_server.machine["mail.archlinux.org"].ipv4_address} ip6:${hcloud_server.machine["mail.archlinux.org"].ipv6_address} ~all", ttl = 600 } + "mail" = { value = "v=spf1 ip4:${hcloud_server.machine["mail.archlinux.org"].ipv4_address} ip6:${hcloud_server.machine["mail.archlinux.org"].ipv6_address} ~all", ttl = 600 } + "aur" = { 
value = "v=spf1 ip4:${hcloud_server.machine["mail.archlinux.org"].ipv4_address} ip6:${hcloud_server.machine["mail.archlinux.org"].ipv6_address} ~all", ttl = 600 } + "master-key" = { value = "v=spf1 ip4:${hcloud_server.machine["mail.archlinux.org"].ipv4_address} ip6:${hcloud_server.machine["mail.archlinux.org"].ipv6_address} ~all", ttl = 600 } + lists = { value = "v=spf1 ip4:5.9.250.164 ip6:2a01:4f8:160:3033::2 ~all" } + luna = { value = "v=spf1 ip4:5.9.250.164 ip6:2a01:4f8:160:3033::2 ~all" } + } + + # This creates archlinux.org MX DNS entries + # Valid parameters are: + # - mx (mandatory) + # - ttl (optional) + # + # Example: + # "lists" = { mx = "luna", ttl = 600 } + archlinux_org_mx = { + "@" = { mx = "mail", ttl = 600 } + aur = { mx = "mail", ttl = 600 } + master-key = { mx = "mail", ttl = 600 } + lists = { mx = "luna", ttl = 600 } + } + # This creates archlinux.org A/AAAA DNS entries in addition to those already specified by the VPSes. # The VPSes already get a default domain assigned based on their domain parameter. # Thus the domains in local.archlinux_org_a_aaaa are additional domains or domains assigned to dedicated servers. @@ -241,6 +286,15 @@ locals { "static.conf" = { value = "redirect" } status = { value = "stats.uptimerobot.com." } svn = { value = "gemini" } + + # MTA-STS + mta-sts = { value = "mail" } + "mta-sts.aur" = { value = "mail" } + "_mta-sts.aur" = { value = "_mta-sts" } + "mta-sts.master-key" = { value = "mail" } + "_mta-sts.master-key" = { value = "_mta-sts" } + "mta-sts.lists" = { value = "mail" } + "_mta-sts.lists" = { value = "_mta-sts" } } # This creates pkgbuild.comA/AAAA DNS entries in addition to those already specified by the VPSes. 
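Review bot: The `luna` SPF entry in the new `archlinux_org_txt` map relaxes the policy that the removed `archlinux_org_luna3_txt` resource published: it goes from `v=spf1 include:lists.archlinux.org -all` (hard fail) to `v=spf1 ip4:5.9.250.164 ip6:2a01:4f8:160:3033::2 ~all` (soft fail), and nothing in the commit says this is intended. If the consolidation is meant to be a pure move, keep the stricter form, `luna = { value = "v=spf1 include:lists.archlinux.org -all" }`, or at least end the new value with `-all`. The same comparison shows `lists` and `_mta-sts` losing the `ttl = 600` the removed resources carried, which the `lookup(..., "ttl", null)` in the templates.tf hunk turns into the provider default; add `ttl = 600` to those two entries if that was not meant to change. The `# lists.archlinux.org` comment that explained the hard-coded 5.9.250.164 / 2a01:4f8:160:3033::2 addresses was dropped as well and is worth restoring above the `lists`/`luna` entries. The enclosing `locals` block starts before this hunk.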
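Review bot: The `_mta-sts.aur`, `_mta-sts.master-key` and `_mta-sts.lists` names become CNAMEs to `_mta-sts`, whereas the removed `archlinux_org__mtasts_txt` resource published an independent TXT (with `ttl = 600`) for each of them; all four domains now share one policy id, so a future id bump in the `_mta-sts` local re-validates every domain at once, which is fine only as long as the policy file served for each `mta-sts.<sub>` alias (all pointing at `mail`) changes in lockstep. That coupling is not visible from the map itself, so a comment on the block would help, e.g. `# _mta-sts.<sub> alias the apex TXT: one MTA-STS policy/id is shared by all four domains`. The unquoted `mta-sts` key also differs from the quoted keys around it; `"mta-sts" = { value = "mail" }` would keep the map uniform. The enclosing `locals` block starts before this hunk.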
@@ -256,8 +310,8 @@ locals {
 #
 pkgbuild_com_a_aaaa = {
 "@" = {
- ipv4_address = "78.46.178.133"
- ipv6_address = "2a01:4f8:c2c:51e2::1"
+ ipv4_address = hcloud_server.machine["homedir.archlinux.org"].ipv4_address
+ ipv6_address = hcloud_server.machine["homedir.archlinux.org"].ipv6_address
 }
 "america.mirror" = {
 ipv4_address = "143.244.34.62"
@@ -292,8 +346,8 @@ locals {
 ipv6_address = "2a02:6ea0:c238::2"
 }
 www = {
- ipv4_address = "78.46.178.133"
- ipv6_address = "2a01:4f8:c2c:51e2::1"
+ ipv4_address = hcloud_server.machine["homedir.archlinux.org"].ipv4_address
+ ipv6_address = hcloud_server.machine["homedir.archlinux.org"].ipv6_address
 }
 }
 }
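Review bot: The pkgbuild.com apex entry now takes its addresses from `hcloud_server.machine["homedir.archlinux.org"]` instead of the literal `78.46.178.133` / `2a01:4f8:c2c:51e2::1`, and the hunk at `@@ -292` does the same for `www`; whether that is a no-op depends on those literals matching the server's current Hetzner addresses, which the diff cannot show, so the plan output should be checked for an unexpected change on these two records before apply. A short comment would make the dependency explicit, e.g. `# apex and www follow homedir.archlinux.org's hcloud addresses`. The enclosing `locals` block starts before this hunk.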
@@ -399,120 +453,6 @@ resource "hetznerdns_record" "archlinux_org_origin_ns1" { # type = "SOA" # } -resource "hetznerdns_record" "archlinux_org_lists_mx" { - zone_id = hetznerdns_zone.archlinux.id - name = "lists" - ttl = 600 - value = "10 luna" - type = "MX" -} - -resource "hetznerdns_record" "archlinux_org_lists_txt" { - zone_id = hetznerdns_zone.archlinux.id - name = "lists" - ttl = 600 - # lists.archlinux.org - value = "\"v=spf1 ip4:5.9.250.164 ip6:2a01:4f8:160:3033::2 ~all\"" - type = "TXT" -} - -resource "hetznerdns_record" "archlinux_org_luna_txt" { - zone_id = hetznerdns_zone.archlinux.id - name = "luna._domainkey.lists" - ttl = 600 - value = "\"v=DKIM1; k=rsa; s=email; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvXrAPvtdX8Jrk4zmyk8w9T2zdAJGe7z0+4XHWWiuzH8Zse6S7oXiS9CVaPOsu0TZqHqhuclASU7qh0NXFwWyi2xRPyJOqH2Clu7vHS3j5F4TjURFOp4/EbA0iQu4rbItl4AU11z2pGSEj5SykUsrH+jjdqzNqAG9d4lNvkTs6RRzPF3KhhY+XljaeysEyDSS4ap4E0DYcduSIX\" \"oD1exFv4SEbXThD9PC1u81w4xusnmwmfHtR7aazeqPDP+S+FqDRy2woCaQb/VMbqMYVuWTVKJ2RxFyTKredOOV2c5kzih7GViwoetll/rTqO4aVbeir9K4f6YZg85dSQtVwEat7LV+zBnQwp3ivWkrIk8VEdSsCSaJlgattBiPHsfFFv1xw4qi3h+UvfCGgz35dtlnzd/noGhNARg0Z+kaMSTjy75V1mKx5sCH0o8nAX2XU8akJfLz58Vg\" \"kTx/sfealtwNA0gTy1t1jV8q0OF5RA0IeMRgCzeH2USOZI98W+EAUsGG5653Vzmp3FJRWp1tWJwRJ0M/aZ3ka/G1iTx3rNNcadVk+4q3gz3KnlAlun+m58y8pNWKjYuxmu9xkDRwM/33rv98j0R8HZO7HFL+1vjKkxSEuzmnTQ2O9F76/OsQoDPZ1Z6nJRvK8ts8PQr4ASKohby62+1F1M8U2Xn7u84dYLUCAwEAAQ==\" " - type = "TXT" -} - -resource "hetznerdns_record" "archlinux_org_luna2_txt" { - zone_id = hetznerdns_zone.archlinux.id - name = "luna2._domainkey" - ttl = 600 - value = "\"v=DKIM1; k=rsa; s=email; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvXrAPvtdX8Jrk4zmyk8w9T2zdAJGe7z0+4XHWWiuzH8Zse6S7oXiS9CVaPOsu0TZqHqhuclASU7qh0NXFwWyi2xRPyJOqH2Clu7vHS3j5F4TjURFOp4/EbA0iQu4rbItl4AU11z2pGSEj5SykUsrH+jjdqzNqAG9d4lNvkTs6RRzPF3KhhY+XljaeysEyDSS4ap4E0DYcduSIX\" 
\"oD1exFv4SEbXThD9PC1u81w4xusnmwmfHtR7aazeqPDP+S+FqDRy2woCaQb/VMbqMYVuWTVKJ2RxFyTKredOOV2c5kzih7GViwoetll/rTqO4aVbeir9K4f6YZg85dSQtVwEat7LV+zBnQwp3ivWkrIk8VEdSsCSaJlgattBiPHsfFFv1xw4qi3h+UvfCGgz35dtlnzd/noGhNARg0Z+kaMSTjy75V1mKx5sCH0o8nAX2XU8akJfLz58Vg\" \"kTx/sfealtwNA0gTy1t1jV8q0OF5RA0IeMRgCzeH2USOZI98W+EAUsGG5653Vzmp3FJRWp1tWJwRJ0M/aZ3ka/G1iTx3rNNcadVk+4q3gz3KnlAlun+m58y8pNWKjYuxmu9xkDRwM/33rv98j0R8HZO7HFL+1vjKkxSEuzmnTQ2O9F76/OsQoDPZ1Z6nJRvK8ts8PQr4ASKohby62+1F1M8U2Xn7u84dYLUCAwEAAQ==\" " - type = "TXT" -} - -resource "hetznerdns_record" "archlinux_org_luna3_txt" { - zone_id = hetznerdns_zone.archlinux.id - name = "luna" - ttl = 600 - value = "\"v=spf1 include:lists.archlinux.org -all\"" - type = "TXT" -} - -resource "hetznerdns_record" "archlinux_org_mtasts_cname" { - for_each = toset(["", ".aur", ".master-key", ".lists"]) - - zone_id = hetznerdns_zone.archlinux.id - name = "mta-sts${each.value}" - value = "mail" - type = "CNAME" -} - -resource "hetznerdns_record" "archlinux_org__mtasts_txt" { - for_each = toset(["", ".aur", ".master-key", ".lists"]) - - zone_id = hetznerdns_zone.archlinux.id - name = "_mta-sts${each.value}" - ttl = 600 - # date +%s - value = "\"v=STSv1; id=1608210175\"" - type = "TXT" -} - -resource "hetznerdns_record" "archlinux_org_origin_mx" { - for_each = toset(["@", "aur", "master-key"]) - - zone_id = hetznerdns_zone.archlinux.id - name = each.value - ttl = 600 - value = "10 mail" - type = "MX" -} - -resource "hetznerdns_record" "archlinux_org_origin_txt" { - for_each = toset(["@", "aur", "mail", "master-key"]) - - zone_id = hetznerdns_zone.archlinux.id - name = each.value - ttl = 600 - # mail.archlinux.org - value = "\"v=spf1 ip4:95.216.189.61 ip6:2a01:4f9:c010:3052::1 ~all\"" - type = "TXT" -} - -resource "hetznerdns_record" "archlinux_org_domainkey_dkim-ed25519_txt" { - zone_id = hetznerdns_zone.archlinux.id - name = "dkim-ed25519._domainkey" - ttl = 600 - value = "\"v=DKIM1; k=ed25519; \" 
\"p=XOHB7b7V1puX+FryNIhsjXHYIFqk+q6JRu4XQ7Jc8MQ=\" " - type = "TXT" -} - -resource "hetznerdns_record" "archlinux_org_domainkey_dkim-rsa_txt" { - zone_id = hetznerdns_zone.archlinux.id - name = "dkim-rsa._domainkey" - ttl = 600 - value = "\"v=DKIM1; k=rsa; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1GjGrEczq7iHZbvT7wa4ltJz2jwSndUGdRHgfEPnGBeevOXEAlEFr4zsdkfZEaNaQLIhZNpvKAt/A+kkyalkj4u9AnxqeNsNmZflFl6TKgvh0tWNEP3+XNxfdQ7zfml4WggL/YdAjXngg42oZEUsnS/6iozOFn7bNvzqBx5PFJ21pgyuR8DWyLaeOt+p55dVed7DCKnKi11Xjiu7k\" \"H68W8rose7g8Fv9fecBatEE4jwloOXsjh+tH0iab1NSSSpIq6EdgcPrpmrllN3/n2J/kCGK6ztISB6vR7xWgvgHSMjmEL0GPWzohGPrw2UQhZhrNV8dJpiLRYmfK+rXaKF0Kqag/F0e4C4jCKFX7NYFcYXYRlN5QlDFjZvUmOILlgnZ8w/SdZUKzpLObGuwnANLG+WSOjw42p9mXVGN6AfOQPu8OjRjS1MyhcdDIbUvZiQjbmiVJ5frpYZ39BTg\" \"CIzYLJJ5932+3gnwROu1OeljWkpBkfHZXPzADus80l3Vxsk91XZVB36rN8tyuMownR/M4HNC7ZE/EBwOnn1mGH7bLd6pva8u5Qy8Y6LrDdYea5Kk7aZ2WJSSRTV+nkPvOEIx+DfsIWNfmkVWzmuVky96fRvwOCuh38w8zpmlqzhDuGSQrBaLFXwAC7LYQ6kPDHzrjQhs99ScR0ix6YclrmpimMcCAwEAAQ==\" " - type = "TXT" -} - -resource "hetznerdns_record" "archlinux_org_dmarc_txt" { - zone_id = hetznerdns_zone.archlinux.id - name = "_dmarc" - value = "\"v=DMARC1; p=none; rua=mailto:dmarc-reports@archlinux.org; ruf=mailto:dmarc-reports@archlinux.org;\"" - type = "TXT" -} - -resource "hetznerdns_record" "archlinux_org_smtp_tlsrpt_txt" { - for_each = toset(["", ".aur", ".master-key", ".lists"]) - - zone_id = hetznerdns_zone.archlinux.id - name = "_smtp._tls${each.value}" - value = "\"v=TLSRPTv1;rua=mailto:postmaster@archlinux.org\"" - type = "TXT" -} - resource "hetznerdns_record" "archlinux_org_matrix_tcp_srv" { zone_id = hetznerdns_zone.archlinux.id name = "_matrix._tcp" 
@@ -520,20 +460,6 @@ resource "hetznerdns_record" "archlinux_org_matrix_tcp_srv" {
 type = "SRV"
 }
 
-resource "hetznerdns_record" "archlinux_org_github_challenge_archlinux" {
- zone_id = hetznerdns_zone.archlinux.id
- name = "_github-challenge-archlinux"
- value = "\"824af4446e\""
- type = "TXT"
-}
-
-resource "hetznerdns_record" "archlinux_org_github_challenge_archlinux_www" {
- zone_id = hetznerdns_zone.archlinux.id
- name = "_github-challenge-archlinux.www"
- value = "\"b53f311f86\""
- type = "TXT"
-}
-
 resource "hcloud_floating_ip" "gitlab_pages" {
 type = "ipv4"
 description = "GitLab Pages"
diff --git a/tf-stage1/templates.tf b/tf-stage1/templates.tf
index 3e1d82bb6181ad6b277c465897c35baf35531de6..c2461c6bfda5c24a4b8bc5267589315f9c09f476 100644
--- a/tf-stage1/templates.tf
+++ b/tf-stage1/templates.tf
@@ -38,6 +38,26 @@ resource "hetznerdns_record" "pkgbuild_org_aaaa" {
 type = "AAAA"
 }
 
+resource "hetznerdns_record" "archlinux_org_txt" {
+ for_each = local.archlinux_org_txt
+
+ zone_id = hetznerdns_zone.archlinux.id
+ name = each.key
+ ttl = lookup(local.archlinux_org_txt[each.key], "ttl", null)
+ value = "\"${each.value.value}\""
+ type = "TXT"
+}
+
+resource "hetznerdns_record" "archlinux_org_mx" {
+ for_each = local.archlinux_org_mx
+
+ zone_id = hetznerdns_zone.archlinux.id
+ name = each.key
+ ttl = lookup(local.archlinux_org_mx[each.key], "ttl", null)
+ value = "10 ${each.value.mx}"
+ type = "MX"
+}
+
 resource "hetznerdns_record" "archlinux_org_a" {
 for_each = local.archlinux_org_a_aaaa