migrated to linode dns

tf/monotremata-xyz.tf

@@ -1,66 +1,20 @@
-// Important:
+# todo:
-// Due to API restrictions, SRV and Dynamic DNS Records can't be created with
+# I am also creating the subdomain `wg.monotremata.xyz` manually
-// terraform, so I need to use `MERGE` mode and set those manually on the
+# I decided to manage that subdomain outside of terraform because it has a
-// namecheap web UI
+# dynamic IP that I update with a cron job
-// https://registry.terraform.io/providers/namecheap/namecheap/latest/docs
-//
-// - SRV Record:
-//     service: _matrix
-//     protocol: _tcp
-//     priority: 0
-//     weight: 10
-//     port: 443
-//     target: matrix.monotremata.xyz
-//     TTL: 30 min
-//
-// - SRV Record:
-//     service: _xmpp-client
-//     protocol: _tcp
-//     priority: 5
-//     weight: 0
-//     port: 5222
-//     target: xmpp.monotremata.xyz
-//     TTL: 30 min
-//
-// - SRV Record:
-//     service: _xmpp-server
-//     protocol: _tcp
-//     priority: 5
-//     weight: 0
-//     port: 5269
-//     target: xmpp.monotremata.xyz
-//     TTL: 30 min
-//
-// - A + Dynamic DNS Record:
-//     host: wg
-//
-//  I also enable DNSSEC from the web UI, because I can't do that with
-//  terraform...
 
+locals {
+  domain = "monotremata.xyz"
 
-
-variable "hosts" {
-  default = {
   // Alpine VPS hosted on Linode
   caladan = {
-      v4 = "139.162.137.29"
+    ipv4 = "139.162.137.29"
-      v6 = "2a01:7e01::f03c:92ff:fea2:5d7c"
+    ipv6 = "2a01:7e01::f03c:92ff:fea2:5d7c"
-    }
+    // These are subdomains for services hosted on the host named `caladan`.
-    // OpenBSD VPS hosted on Vultr
+    // Both A and AAAA records should be made for them pointing to caladan's ipv4
-    fugu = {
+    // and ipv6 respectively
-      v4 = "217.69.5.52"
+    domains = toset([
-      v6 = "2001:19f0:6801:1d34:5400:03ff:fe18:7588"
+      local.domain,
-    }
-  }
-}
-
-// These are subdomains for services hosted on the host named `caladan`.
-// Both A and AAAA records should be made for them pointing to caladan's ipv4
-// and ipv6 respectively
-variable "caladan-subdomains" {
-  type = set(string)
-  default = [
-    "@",
       "git",
       "gts",
       "kb",
@@ -73,17 +27,23 @@ variable "caladan-subdomains" {
       "proxy.xmpp",
       "upload.xmpp",
       "groups.xmpp",
-  ]
+    ])
-}
+  }
 
-// These are subdomains for services hosted on the host named `narwhal`.
+  // OpenBSD VPS hosted on Vultr
-// They are only accessible from my internal network and my internal DNS server
+  fugu = {
-// takes care of that.
+    ipv4 = "217.69.5.52"
-// But I set the public A record to caladan's ipv4 just for renewing their
+    ipv6 = "2001:19f0:6801:1d34:5400:03ff:fe18:7588"
-// letsencrypt certificates. No need to set the AAAA record.
+  }
-variable "narwhal-subdomains" {
+
-  type = set(string)
+  // ODROID-HC4 serving as a NAS
-  default = [
+  narwhal = {
+    // These are subdomains for services hosted on the host named `narwhal`.
+    // They are only accessible from my internal network and my internal DNS server
+    // takes care of that.
+    // But I set the public A record to caladan's ipv4 just for renewing their
+    // letsencrypt certificates. No need to set the AAAA record.
+    domains = toset([
       "authelia",
       "calibre",
       "dav",
@@ -111,106 +71,176 @@ variable "narwhal-subdomains" {
       "transmission",
       "wallabag",
       "woodpecker",
-  ]
+    ])
-}
+  }
 
-// These are subdomains for services hosted on the host named `sloth`.
+  // Raspberry Pi 4 serving as a media center
-// They are only accessible from my internal network and my internal DNS server
+  sloth = {
-// takes care of that.
+    // These are subdomains for services hosted on the host named `sloth`.
-// But I set the public A record to caladan's ipv4 just for renewing their
+    // They are only accessible from my internal network and my internal DNS server
-// letsencrypt certificates. No need to set the AAAA record.
+    // takes care of that.
-variable "sloth-subdomains" {
+    // But I set the public A record to caladan's ipv4 just for renewing their
-  type = set(string)
+    // letsencrypt certificates. No need to set the AAAA record.
-  default = [
+    domains = toset([
       "kodi",
       "mympd",
       "snapweb",
+    ])
+  }
+
+  dkim_pub_key = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3dRTQXNdRNKjM/hnTIQ9d6h4qr7hDkoo3D8ySrV4tEcOC9cCD5fWiUzc560GuWPW5nm/VCDt6gHTGbkwsU/ULO+mjKJtvhZtEJnO4WqVG9Hr2whypODkGM9FSwh0yaWV96OJd51upsNRD/S5fKDMRcl09aBYe2rsn/877re/M0wIDAQAB"
+
+}
+
+resource "namecheap_domain_records" "namecheap-monotremata-xyz" {
+  domain = "monotremata.xyz"
+  mode   = "OVERWRITE"
+  nameservers = [
+    "ns1.linode.com",
+    "ns2.linode.com",
+    "ns3.linode.com",
+    "ns4.linode.com",
+    "ns5.linode.com"
   ]
 }
 
-resource "namecheap_domain_records" "monotremata-xyz" {
+resource "linode_domain" "monotremata_xyz" {
-  domain     = "monotremata.xyz"
+  type      = "master"
-  mode       = "MERGE"
+  domain    = local.domain
-  email_type = "MX"
+  soa_email = format("admin@%s", local.domain)
-
+}
-  dynamic "record" {
+
-    for_each = var.caladan-subdomains
+resource "linode_domain_record" "caladan_a" {
-    content {
+  domain_id   = linode_domain.monotremata_xyz.id
-      hostname = record.value
+  name        = each.key
-      type     = "A"
+  record_type = "A"
-      address  = var.hosts.caladan.v4
+  target      = local.caladan.ipv4
-    }
+  for_each    = local.caladan.domains
-  }
+}
-
+
-  dynamic "record" {
+resource "linode_domain_record" "caladan_aaaa" {
-    for_each = var.narwhal-subdomains
+  domain_id   = linode_domain.monotremata_xyz.id
-    content {
+  name        = each.key
-      hostname = record.value
+  record_type = "AAAA"
-      type     = "A"
+  target      = local.caladan.ipv6
-      address  = var.hosts.caladan.v4
+  for_each    = local.caladan.domains
-    }
+}
-  }
+
-
+resource "linode_domain_record" "narwhal_a" {
-  dynamic "record" {
+  domain_id   = linode_domain.monotremata_xyz.id
-    for_each = var.sloth-subdomains
+  name        = each.key
-    content {
+  record_type = "A"
-      hostname = record.value
+  target      = local.caladan.ipv4
-      type     = "A"
+  for_each    = local.narwhal.domains
-      address  = var.hosts.caladan.v4
+}
-    }
+
-  }
+resource "linode_domain_record" "sloth_a" {
-
+  domain_id   = linode_domain.monotremata_xyz.id
-  dynamic "record" {
+  name        = each.key
-    for_each = var.caladan-subdomains
+  record_type = "A"
-    content {
+  target      = local.caladan.ipv4
-      hostname = record.value
+  for_each    = local.sloth.domains
-      type     = "AAAA"
+}
-      address  = var.hosts.caladan.v6
+
-    }
+resource "linode_domain_record" "mx" {
-  }
+  domain_id   = linode_domain.monotremata_xyz.id
-
+  name        = each.value.name
-  record {
+  target      = each.value.target
-    hostname = "mail"
+  record_type = each.key
-    type     = "A"
+  priority    = each.value.priority
-    address  = var.hosts.fugu.v4
+  for_each = {
-  }
+    A = {
-
+      name     = "mail"
-  record {
+      target   = local.fugu.ipv4
-    hostname = "mail"
+      priority = null
-    type     = "AAAA"
+    }
-    address  = var.hosts.fugu.v6
+    AAAA = {
-  }
+      name     = "mail"
-
+      target   = local.fugu.ipv6
-  record {
+      priority = null
-    hostname = "@"
+    }
-    type     = "MX"
+    MX = {
-    address  = "mail.monotremata.xyz"
+      name     = local.domain,
-    mx_pref  = 0
+      target   = format("mail.%s", local.domain)
-  }
+      priority = 0
-
+    }
-  record {
+  }
-    hostname = "@"
+}
-    type     = "MX"
+
-    address  = "mx2.monotremata.xyz"
+resource "linode_domain_record" "mx2" {
-    mx_pref  = 5
+  domain_id   = linode_domain.monotremata_xyz.id
-  }
+  name        = each.value.name
-
+  target      = each.value.target
-  record {
+  record_type = each.key
-    hostname = "@"
+  priority    = each.value.priority
-    type     = "TXT"
+  for_each = {
-    address  = "v=spf1 mx -all"
+    A = {
-  }
+      name     = "mx2"
-
+      target   = local.caladan.ipv4
-  record {
+      priority = null
-    hostname = "_dmarc"
+    }
-    type     = "TXT"
+    AAAA = {
-    address  = "v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@monotremata.xyz;;"
+      name     = "mx2"
-  }
+      target   = local.caladan.ipv6
-
+      priority = null
-  record {
+    }
-    hostname = "20201210._domainkey"
+    MX = {
-    type     = "TXT"
+      name     = local.domain
-    address  = "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3dRTQXNdRNKjM/hnTIQ9d6h4qr7hDkoo3D8ySrV4tEcOC9cCD5fWiUzc560GuWPW5nm/VCDt6gHTGbkwsU/ULO+mjKJtvhZtEJnO4WqVG9Hr2whypODkGM9FSwh0yaWV96OJd51upsNRD/S5fKDMRcl09aBYe2rsn/877re/M0wIDAQAB;"
+      target   = format("mx2.%s", local.domain)
-  }
+      priority = 5
-
+    }
+  }
+}
+
+resource "linode_domain_record" "mail_txt" {
+  domain_id   = linode_domain.monotremata_xyz.id
+  record_type = "TXT"
+  name        = each.value.name
+  target      = each.value.target
+  for_each = {
+    spf = {
+      name   = local.domain
+      target = "v=spf1 mx -all"
+    }
+    dmarc = {
+      name   = "_dmarc"
+      target = format("v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@%s;;", local.domain)
+    }
+    dkim = {
+      name   = "20201210._domainkey"
+      target = format("v=DKIM1;k=rsa;p=%s;", local.dkim_pub_key)
+    }
+  }
+}
+
+resource "linode_domain_record" "matrix_srv" {
+  domain_id   = linode_domain.monotremata_xyz.id
+  record_type = "SRV"
+  service     = "matrix"
+  protocol    = "tcp"
+  priority    = 0
+  weight      = 10
+  port        = 443
+  target      = format("matrix.%s", local.domain)
+  ttl_sec     = 1800 // 30 min
+}
+
+resource "linode_domain_record" "xmpp_srv" {
+  domain_id   = linode_domain.monotremata_xyz.id
+  record_type = "SRV"
+  service     = each.key
+  protocol    = "tcp"
+  port        = each.value.port
+  priority    = 5
+  weight      = 0
+  target      = format("xmpp.%s", local.domain)
+  ttl_sec     = 1800 // 30 min
+  for_each = {
+    xmpp-client = {
+      port = 5222
+    }
+    xmpp-server = {
+      port = 5269
+    }
+  }
 }