From 3a5d75d776dd07be37b022020e8542c8243ff32d Mon Sep 17 00:00:00 2001
From: Jakub Arbet
Date: Fri, 25 Oct 2024 02:24:16 +0200
Subject: [PATCH] Server setup fixes
---
hosts/organ/default.nix | 10 ++--
hosts/organ/dns/jakubarbet.me.zone | 31 ++++++------
modules/server/dns/default.nix | 6 +--
modules/server/dns/increment-and-sign-zone.sh | 50 +++++++++----------
modules/server/tailscale.nix | 2 +-
5 files changed, 50 insertions(+), 49 deletions(-)
diff --git a/hosts/organ/default.nix b/hosts/organ/default.nix
index f20bb8f..1f927f6 100644
--- a/hosts/organ/default.nix
+++ b/hosts/organ/default.nix
@@ -19,7 +19,7 @@ ++ lib._.moduleImports [
"common/nix"
"common/packages"
- # "server/dns"
+ "server/dns"
"server/tailscale"
];
@@ -28,7 +28,7 @@ boot = {
loader = {
systemd-boot.enable = true;
- systemd-boot.configurationLimit = 5;
+ systemd-boot.configurationLimit = 10;
efi.canTouchEfiVariables = true;
};
initrd.kernelModules = ["virtio_gpu"];
@@ -38,11 +38,11 @@ time.timeZone = "Europe/Prague";
server = {
- # dns.zones."jakubarbet.me" = ./dns/jakubarbet.me.zone;
+ dns.zones."jakubarbet.me" = ./dns/jakubarbet.me.zone;
tailscale = {
tailnet = "ide-vega.ts.net";
- tailscaleIpv4 = "100.67.2.27";
- tailscaleIpv6 = "fd7a:115c:a1e0::f101:21b";
+ tailscaleIpv4 = "100.71.111.38";
+ tailscaleIpv6 = "fd7a:115c:a1e0::2901:6f29";
authKeyFile = config.age.secrets.organ-tailscale-auth-key.path;
};
};
diff --git a/hosts/organ/dns/jakubarbet.me.zone b/hosts/organ/dns/jakubarbet.me.zone
index 0838087..04ed65a 100644
--- a/hosts/organ/dns/jakubarbet.me.zone
+++ b/hosts/organ/dns/jakubarbet.me.zone
@@ -6,10 +6,11 @@ $TTL 3600
1209600 ;expire
3600 ) ;minimum
-@ IN NS ns2.he.net.
-@ IN NS ns3.he.net.
-@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
+@ IN NS ns4.he.net.
+@ IN NS ns3.he.net.
+@ IN NS ns2.he.net.
+@ IN NS ns1.he.net.
; Github pages hosting
@ IN A 185.199.108.153
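Review bot: The NS set in this hunk delegates jakubarbet.me exclusively to ns1–ns5.he.net, while the same commit switches on local DNSSEC signing of this very zone on organ (modules/server/dns) and its sign script prints DS records meant for the registrar. If the he.net servers do not serve the locally signed copy of the zone (nothing in this patch shows how the signed zone reaches them), publishing those DS records would make the delegation fail validation at every validating resolver. A comment beside the NS records stating where the signed zone is actually served from, e.g. `; zone is signed on organ by increment-and-sign-zone.sh; the he.net servers must serve the signed copy`, would make that dependency explicit to the next editor. The two later hunks in this file are plain address changes and need no separate note.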
@@ -23,19 +24,19 @@ www IN CNAME kubqoa.github.io.
_github-pages-challenge-kubqoa IN TXT 4594a706967b6a5dc0f2924da639ee
-organ IN A 116.203.250.61
-organ IN AAAA 2a01:4f8:c012:58f4::
-git IN A 116.203.250.61
-git IN AAAA 2a01:4f8:c012:58f4::
-drive IN A 116.203.250.61
-drive IN AAAA 2a01:4f8:c012:58f4::
+organ IN A 116.202.110.124
+organ IN AAAA 2a01:4f8:c013:5899::
+git IN A 116.202.110.124
+git IN AAAA 2a01:4f8:c013:5899::
+drive IN A 116.202.110.124
+drive IN AAAA 2a01:4f8:c013:5899::
@ IN CAA 0 iodef mailto:hostmaster@jakubarbet.me
@ IN CAA 0 issue letsencrypt.org
; Mail related settings
-mail IN A 116.203.250.61
-mail IN AAAA 2a01:4f8:c012:58f4::
+mail IN A 116.202.110.124
+mail IN AAAA 2a01:4f8:c013:5899::
email IN CNAME eu.mailgun.org.
@ IN MX 10 mail.jakubarbet.me.
@ IN TXT "v=spf1 include:mailgun.org ~all"
@@ -47,10 +48,10 @@ mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
; Mail autoconfig
-autoconfig IN A 116.203.250.61
-autoconfig IN AAAA 2a01:4f8:c012:58f4::
-autodiscover IN A 116.203.250.61
-autodiscover IN AAAA 2a01:4f8:c012:58f4::
+autoconfig IN A 116.202.110.124
+autoconfig IN AAAA 2a01:4f8:c013:5899::
+autodiscover IN A 116.202.110.124
+autodiscover IN AAAA 2a01:4f8:c013:5899::
_imap._tcp IN SRV 5 0 143 mail.jakubarbet.me.
_imaps._tcp IN SRV 5 0 993 mail.jakubarbet.me.
_submission._tcp IN SRV 5 0 587 mail.jakubarbet.me.
diff --git a/modules/server/dns/default.nix b/modules/server/dns/default.nix
index 9c07d2d..978810a 100644
--- a/modules/server/dns/default.nix
+++ b/modules/server/dns/default.nix
@@ -40,7 +40,7 @@ "dns-dnssec-${zoneName}".text = ''
mkdir -p /etc/named
# Generate DNSSEC key if it doesn't exist
- if ls /etc/named/K${zoneName}*.key >/dev/null 2>/dev/null; then
+ if ! ls /etc/named/K${zoneName}*.key >/dev/null 2>/dev/null; then
echo "[dns-dnssec] Generating DNSSEC key for ${zoneName}"
${pkgs.bind}/bin/dnssec-keygen -a NSEC3RSASHA1 -b 2048 -K /etc/named -n ZONE "${zoneName}" 2>/dev/null
${pkgs.bind}/bin/dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -K /etc/named -n ZONE "${zoneName}" 2>/dev/null
@@ -50,8 +50,8 @@ deps = ["dns-dnssec-${zoneName}"];
text = builtins.replaceStrings
- ["cmp" "dnssec-signzone" "named-checkzone" "sed" "$ZONE" "$ZONE_PATH"]
- ["${pkgs.diffutils}/bin/cmp" "${pkgs.bind}/bin/dnssec-keygen" "${pkgs.bind}/bin/named-checkzone" "${pkgs.gnused}/bin/sed" "${zoneName}" "${zoneFile}"]
+ ["cmp" "dnssec-signzone" "named-checkzone" "sed" "$ZONE_NAME" "$ZONE_FILE"]
+ ["${pkgs.diffutils}/bin/cmp" "${pkgs.bind}/bin/dnssec-signzone" "${pkgs.bind}/bin/named-checkzone" "${pkgs.gnused}/bin/sed" "${zoneName}" "${zoneFile}"]
(builtins.readFile ./increment-and-sign-zone.sh);
};
};
diff --git a/modules/server/dns/increment-and-sign-zone.sh b/modules/server/dns/increment-and-sign-zone.sh
index 4b313f2..4d336a3 100644
--- a/modules/server/dns/increment-and-sign-zone.sh
+++ b/modules/server/dns/increment-and-sign-zone.sh
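Review bot: With the inverted test, the two dnssec-keygen lines below it now actually run on a fresh host, so the algorithm they hard-code matters: NSEC3RSASHA1 is SHA-1 based and is listed as not recommended for signing new zones in RFC 8624, and recent BIND/OpenSSL builds may refuse to create such keys — and the `2>/dev/null` on both keygen lines would hide that refusal, leaving the zone unsigned without any message in the activation log. Consider `-a ECDSAP256SHA256` for both keys (no `-b` is needed for it) and dropping the `2>/dev/null` so a failed keygen is visible. A short comment above the `if` recording why the glob test is used as the "already have keys" check, e.g. `# dnssec-keygen names files K<zone>+<alg>+<id>.key, so any match means keys exist`, would also help. The activation-script attribute this hunk sits in starts and ends outside the hunk.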
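Review bot: The new replacement lists rely on `builtins.replaceStrings`, which is plain substring replacement tried in list order at every position, so `"sed"` and `"cmp"` also rewrite those letters wherever they appear inside a longer word in increment-and-sign-zone.sh, and a placeholder that is a prefix of a later one shadows it (that is exactly what `$ZONE`/`$ZONE_PATH` did before the rename). A less brittle approach is to leave the tool names alone and prepend a PATH line to the script text, e.g. `"export PATH=${pkgs.diffutils}/bin:${pkgs.bind}/bin:${pkgs.gnused}/bin:$PATH\n" + builtins.readFile ./increment-and-sign-zone.sh`, keeping replaceStrings only for `$ZONE_NAME` and `$ZONE_FILE`. If the list form is kept, a comment above it such as `# both lists must stay index-aligned; no placeholder may be a prefix of a later one` would prevent a repeat of the keygen/signzone mix-up this commit fixes.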
@@ -22,30 +22,30 @@ increment_serial() {
echo $new_serial
}
-if [ -f "/etc/named/$ZONE.zone.orig" ] && $(cmp -s "$ZONE_PATH" "/etc/named/$ZONE.zone.orig"); then
- echo "[dnssec] Zone $ZONE not changed"
- exit
-fi
-
-cd /etc/named
-current_serial="0000000000"
-if [ -f "/etc/named/$ZONE.zone" ]; then
- current_serial=$(named-checkzone "$ZONE" "/etc/named/$ZONE.zone" | egrep -ho '[0-9]{10}')
+if [ -f "/etc/named/$ZONE_NAME.zone.orig" ] && $(cmp -s "$ZONE_FILE" "/etc/named/$ZONE_NAME.zone.orig"); then
+ echo "[dnssec] Zone $ZONE_NAME not changed"
+else
+ cd /etc/named
+ current_serial="0000000000"
+ if [ -f "/etc/named/$ZONE_NAME.zone" ]; then
+ current_serial=$(named-checkzone "$ZONE_NAME" "/etc/named/$ZONE_NAME.zone" | egrep -ho '[0-9]{10}')
+ fi
+ new_serial=$(increment_serial $current_serial)
+
+ cp "$ZONE_FILE" "/etc/named/$ZONE_NAME.zone"
+ cp "/etc/named/$ZONE_NAME.zone"{,.orig}
+ sed -i "s/\$SERIAL/$new_serial/" "$ZONE_NAME.zone"
+ echo "[dnssec] Zone $ZONE_NAME with serial $new_serial"
+
+ for key in `ls K$ZONE_NAME*.key`
+ do
+ echo "\$INCLUDE $key">> "$ZONE_NAME.zone"
+ done
+
+ echo "[dnssec] Signing zone"
+ dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o "$ZONE_NAME" -t "$ZONE_NAME.zone" >/dev/null
+
+ echo "[dnssec] Please set the following DS records at the registrar"
+ cat "dsset-$ZONE_NAME."
fi
-new_serial=$(increment_serial $current_serial)
-
-cp "$ZONE_PATH" "/etc/named/$ZONE.zone"
-cp "/etc/named/$ZONE.zone"{,.orig}
-sed -i "s/\$SERIAL/$new_serial/" "$ZONE.zone"
-echo "[dnssec] Zone $ZONE with serial $new_serial"
-
-for key in `ls K$ZONE*.key`
-do
- echo "\$INCLUDE $key">> "$ZONE.zone"
-done
-
-echo "[dnssec] Signing zone"
-dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o "$ZONE" -t "$ZONE.zone" >/dev/null
-echo "[dnssec] Please set the following DS records at the registrar"
-cat "dsset-$ZONE."
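Review bot: The new `if` line wraps cmp in `$(...)`, which executes cmp's (empty) output as a command and only yields the right result because bash falls back to the substitution's exit status when no command word remains; the test should call cmp directly, `if [ -f "/etc/named/$ZONE_NAME.zone.orig" ] && cmp -s "$ZONE_FILE" "/etc/named/$ZONE_NAME.zone.orig"; then`. In the same spirit the key loop should iterate the glob rather than parse ls, `for key in K"$ZONE_NAME"*.key`, and `egrep` should become `grep -E` since egrep is deprecated in current GNU grep. `cd /etc/named` in the else branch is unchecked, and because this script is spliced into an activation script (which is why the hunk replaces `exit` with `else`), a failed cd would let the relative `sed -i`, `$INCLUDE` appends and dnssec-signzone run in whatever the activation cwd is; guard it with `cd /etc/named || echo "[dnssec] cannot enter /etc/named"` followed by skipping the rest. increment_serial and the script head are outside the hunk.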
diff --git a/modules/server/tailscale.nix b/modules/server/tailscale.nix
index e5f46cd..086c261 100644
--- a/modules/server/tailscale.nix
+++ b/modules/server/tailscale.nix
@@ -48,12 +48,12 @@ with lib; {
authKeyFile = config.server.tailscale.authKeyFile;
useRoutingFeatures = "server";
openFirewall = true;
- extraUpFlags = ["--advertiseTags tag:ssh"];
extraSetFlags = [
"--ssh"
"--advertise-exit-node" # offer to be exit node internet traffic for tailnet
"--advertise-connector" # offer to be app connector for domain specific internet traffic for tailnet
];
+ extraUpFlags = ["--ssh" "--advertise-exit-node" "--advertise-connector"];
};
};
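Review bot: The added `extraUpFlags` line repeats the three flags that `extraSetFlags` already carries just above it, so the same policy now lives in two lists that can drift apart; bind the list once in a `let` and reference it from both, or keep only `extraSetFlags` if the NixOS module applies it after `tailscale up` (it appears to, but confirm against the module version in use). These flags make the host an exit node and app connector and enable Tailscale SSH, so which tailnet peers may actually use them is decided by the tailnet ACL, not by this file; a comment such as `# who may use the exit node (autogroup:internet) and Tailscale SSH is governed by the tailnet ACL, not here` records where that control lives. The `services.tailscale` attribute set this hunk edits starts outside the hunk.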