Add VPN flag for DNS and update TLSA record for mail

2025-04-18 13:00:00 +02:00 · 2025-04-18 13:00:00 +02:00 · a7a8d17186
commit a7a8d17186
parent 32e42626a1
6 changed files with 23 additions and 17 deletions
--- a/dns/default_records.js
+++ b/dns/default_records.js
@ -12,7 +12,7 @@ function mx_default(dkim) {
 		TXT("_dmarc", "v=DMARC1; p=quarantine; rua=mailto:dmarcreports@serguzim.me; ruf=mailto:dmarcreports@serguzim.me; rf=afrf; sp=quarantine; fo=1; pct=100; ri=604800; adkim=r; aspf=r"),
 		TXT("dkim._domainkey", "v=DKIM1; k=rsa; t=s; s=email; p=" + dkim),

-		TLSA("_25._tcp", 3, 1, 1, "e66a608a3ec459bda7fb1f2d500b8abeb78f2910f26641204b6bc454b8aa2a49"),
+		TLSA("_25._tcp", 3, 1, 1, "70143145ab67680a3b61fe2d0eb63319625fa086f845cce59afdbf1dad79e561"),

 		MX("@", 10, "mail.serguzim.me."),
 		MX("*", 10, "mail.serguzim.me."),
--- a/dns/functions.js
+++ b/dns/functions.js
@ -1,11 +1,12 @@
-function service(target, domain, host, alias) {
+function service(target, domain, host, alias, vpn) {
 	return {
 		target: target,
 		domain: domain,
 		host: hosts[host],
 		alias: alias,
+		vpn: vpn,
 		record: function() {
-			return my_host_record(this.target, this.resolve_host());
+			return my_host_record(this.target, this.resolve_host(), this.vpn);
 		},
 		resolve_host: function() {
 			if (this.alias) {
@ -27,18 +28,18 @@ function collect_services(domain) {
 	return result;
 }

-function my_host_record(target, host) {
-	switch (target) {
-		case "db":
-			return [
-				A(target, host.ipv4_address_vpn),
-				AAAA(target, host.ipv6_address_vpn)
-			];
-		default:
-			return [
-				A(target, host.ipv4_address),
-				AAAA(target, host.ipv6_address)
-			];
+function my_host_record(target, host, vpn) {
+	if (vpn) {
+		return [
+			A(target, host.ipv4_address_vpn),
+			AAAA(target, host.ipv6_address_vpn)
+		];
+	}
+	else {
+		return [
+			A(target, host.ipv4_address),
+			AAAA(target, host.ipv6_address)
+		];
 	}
 }

--- a/dnsconfig.js
+++ b/dnsconfig.js
@ -15,7 +15,7 @@ var DSP_OVH = NewDnsProvider("ovh");
 var services = {};
 for (var key in services_json) {
 	var s = services_json[key];
-	services[key] = service(s.target, s.domain, s.host, s.alias);
+	services[key] = service(s.target, s.domain, s.host, s.alias, s.vpn);
 }


@ -61,11 +61,13 @@ D("serguzim.me", REG_OVH, DnsProvider(DSP_OVH),
 	all_defaults("serguzim.me", true),
 	TXT("direct", "v=spf1 mx -all"),

-	TLSA("_25._tcp.mail", 3, 1, 1, "e66a608a3ec459bda7fb1f2d500b8abeb78f2910f26641204b6bc454b8aa2a49"),
+	TLSA("_25._tcp.mail", 3, 1, 1, "70143145ab67680a3b61fe2d0eb63319625fa086f845cce59afdbf1dad79e561"),

 	acme_challenge("auth", "18a42983-3d19-4c17-8213-fc275a8be721"),
 	acme_challenge("db", "ca2c86c0-ff3d-458a-89e0-11bcfd2543e4"),
 	acme_challenge("paas", "92924f7c-0859-4941-9e3d-2ecedfb21c1b"),
+	acme_challenge("alloy", "92924f7c-0859-4941-9e3d-2ecedfb21c1b"),
+	acme_challenge("mimir", "92924f7c-0859-4941-9e3d-2ecedfb21c1b"),

 	verify_amazon_ses(dkim_ses["serguzim.me"]),

--- a/playbooks/filter_plugins/service_filters.py
+++ b/playbooks/filter_plugins/service_filters.py
@ -71,6 +71,7 @@ class FilterModule(object):
                result[name] = {
                    "target": ".".join(target_parts),
                    "domain": ".".join(domain_parts[-2:]),
+                    "vpn": dns.get("vpn", False),
                }
               
                if dns.get("alias"):
--- a/services.auto.tfvars
+++ b/services.auto.tfvars
@ -502,6 +502,7 @@ services = {
    host = "node001"
    dns = [{
      domain = "db.serguzim.me"
+      vpn = true
    }]
    backup = [{
      name = "postgresql"
--- a/variables.tf
+++ b/variables.tf
@ -139,6 +139,7 @@ variable "services" {
      domain = string
      name = optional(string)
      alias = optional(string)
+      vpn = optional(bool)
    })))
    backup = optional(list(object({
      name = string