Diffstat (limited to 'nix/tofu/dns.nix')
| -rw-r--r-- | nix/tofu/dns.nix | 138 |
1 files changed, 138 insertions, 0 deletions
diff --git a/nix/tofu/dns.nix b/nix/tofu/dns.nix
new file mode 100644
index 0000000..df0ed65
--- /dev/null
+++ b/nix/tofu/dns.nix
@@ -0,0 +1,138 @@
+{
+ pkgs,
+}:
+let
+ zoneId = "6878e48b5cb81c7d789040632153719d";
+ zoneName = "fcuny.net";
+
+ # Helper function to create DNS records with common fields
+ mkRecord =
+ type: name: content: extra:
+ {
+ inherit name type;
+ zone_id = zoneId;
+ ttl = 1;
+ proxied = false;
+ content = content;
+ }
+ // extra;
+
+ # Helper for A records (typically proxied)
+ mkARecord = name: ip: mkRecord "A" name ip { proxied = true; };
+
+ # Helper for CNAME records
+ mkCNAME = name: target: mkRecord "CNAME" name target { };
+
+ # Helper for MX records
+ mkMXRecord =
+ priority: target:
+ mkRecord "MX" zoneName target {
+ inherit priority;
+ };
+
+ # Helper for SRV records with data block
+ mkSRVRecord = name: port: target: weight: priority: {
+ inherit name;
+ type = "SRV";
+ zone_id = zoneId;
+ ttl = 1;
+ proxied = false;
+ priority = priority;
+ data = {
+ inherit
+ port
+ target
+ weight
+ priority
+ ;
+ };
+ };
+
+ # Helper for TXT records
+ mkTXTRecord = name: content: mkRecord "TXT" name content { };
+
+in
+pkgs.writeTextFile {
+ name = "cloudflare-dns.tf.json";
+ text = builtins.toJSON ([
+ {
+ terraform = {
+ required_providers = {
+ cloudflare = {
+ source = "cloudflare/cloudflare";
+ version = "~> 4.0";
+ };
+ };
+ backend = {
+ gcs = {
+ bucket = "fcuny-infra-tofu-state";
+ prefix = "cloudflare-dns";
+ };
+ };
+ };
+ }
+ {
+ provider = {
+ cloudflare = [ { } ];
+ };
+ }
+ {
+ # Use data source for existing zone instead of managing it
+ data = {
+ cloudflare_zone = {
+ "main" = {
+ name = zoneName;
+ };
+ };
+ };
+ }
+ {
+ resource = {
+ cloudflare_record = {
+ # A records for root domain
+ "cname_root_0" = mkARecord zoneName "185.199.108.153";
+ "cname_root_1" = mkARecord zoneName "185.199.110.153";
+ "cname_root_2" = mkARecord zoneName "185.199.109.153";
+ "cname_root_3" = mkARecord zoneName "185.199.111.153";
+
+ # DKIM CNAME records
+ "cname_dkim_0" = mkCNAME "fm1._domainkey" "fm1.fcuny.net.dkim.fmhosted.com" // {
+ ttl = 60;
+ };
+ "cname_dkim_1"
= mkCNAME "fm2._domainkey" "fm2.fcuny.net.dkim.fmhosted.com" // {
+ ttl = 60;
+ };
+ "cname_dkim_2" = mkCNAME "fm3._domainkey" "fm3.fcuny.net.dkim.fmhosted.com" // {
+ ttl = 60;
+ };
+
+ # Git subdomain via Cloudflare tunnel
+ "cname_git" = mkCNAME "git" "b5d5071d-3c09-4379-9d6c-0684c478f151.cfargotunnel.com" // {
+ proxied = true;
+ };
+
+ # MX records
+ "mx_0" = mkMXRecord 10 "in1-smtp.messagingengine.com";
+ "mx_1" = mkMXRecord 20 "in2-smtp.messagingengine.com";
+
+ # SPF TXT record
+ "txt_spf" = mkTXTRecord zoneName "v=spf1 include:spf.messagingengine.com ?all";
+ };
+ };
+ }
+ {
+ resource = {
+ cloudflare_record = {
+ # SRV records for email services
+ "srv_caldavs" = mkSRVRecord "_caldavs._tcp" 443 "caldav.fastmail.com" 1 0;
+ "srv_caldav" = mkSRVRecord "_caldav._tcp" 0 "." 0 0;
+ "srv_carddavs" = mkSRVRecord "_carddavs._tcp" 443 "carddav.fastmail.com" 1 0;
+ "srv_carddav" = mkSRVRecord "_carddav._tcp" 0 "." 0 0;
+ "srv_imaps" = mkSRVRecord "_imaps._tcp" 993 "imap.fastmail.com" 1 0;
+ "srv_imap" = mkSRVRecord "_imap._tcp" 0 "." 0 0;
+ "srv_smtp" = mkSRVRecord "_submission._tcp" 587 "smtp.fastmail.com" 1 0;
+ };
+ };
+ }
+ ]);
+} |
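Review bot: The SPF policy published by `"txt_spf"` ends in `?all`, a neutral qualifier that tells receivers mail from any non-listed source is neither authorized nor unauthorized, so it gives effectively no protection against spoofing of fcuny.net; unless the neutral policy is a deliberate transitional step, change it to `"txt_spf" = mkTXTRecord zoneName "v=spf1 include:spf.messagingengine.com -all";` (or `~all` if you want a soft-fail period first). The hunk also adds the three Fastmail DKIM CNAMEs but no `_dmarc` TXT record, so receivers have no policy to apply when SPF or DKIM fails; if DMARC is not managed elsewhere, a monitoring-only starting point is `"txt_dmarc" = mkTXTRecord "_dmarc" "v=DMARC1; p=none; rua=mailto:<reporting address>";`, tightened to `p=quarantine` or `p=reject` once the reports look clean. As a style point, the four root records are built with `mkARecord` yet keyed `cname_root_0`..`cname_root_3`; naming them `a_root_N` would match the `mx_`/`txt_`/`srv_` prefixes used for the other record types and avoid misleading anyone reading the state or the Cloudflare UI.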
