X-Git-Url: https://git.distorted.org.uk/~mdw/zones/blobdiff_plain/424ccd8af3417249d43807218f61760be46d3245..29b01bcd1e544c98daad88f5ca1708e823c805f4:/distorted.lisp
diff --git a/distorted.lisp b/distorted.lisp
index 371b782..696e724 100644
--- a/distorted.lisp
+++ b/distorted.lisp
@@ -74,8 +74,13 @@
   #+view/inside (vampire.ns :ip vampire)
   #-view/inside (mythic-beasts-1.ns :ip mythic-ns1)
   #-view/inside (mythic-beasts-2.ns :ip mythic-ns2)
+  #-view/inside (mythic-beasts-3.ns :ip mythic-ns3)
   #-view/inside (chiark.ns :ip chiark.greenend.org.uk))
 
+  ;; Certification.
+  :caa ((:issue "letsencrypt.org")
+        (:issue "distorted.org.uk"))
+
   ;; Mail servers.
   ((@ mail blackhole) :mx mail :srv ((:smtp mail)))
   ((bugs) :ttl 300 :mx lists :srv ((:smtp bugs)))
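Review bot: The new `:caa` block carries only `issue` tags, so under RFC 8659 §4.3 the same two issuers also govern wildcard issuance because no `issuewild` tag is present, and with no `iodef` tag a CA that refuses a request has nowhere to report the attempt. If the DSL has counterparts for those tags, an explicit `issuewild` entry would document the intended wildcard policy and an `iodef` entry with a constructed value such as `"mailto:CONTACT-ADDRESS-PLACEHOLDER"` would make refusals visible; otherwise a comment stating that wildcards are deliberately covered by the `issue` tags would do. The `"distorted.org.uk"` issuer presumably names the private CA behind the `distorted-ca` trust anchor used later in the file; public CAs will simply not match it, which is harmless. The enclosing zone form starts and ends outside the hunk.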
@@ -145,25 +150,37 @@
                                              :public-key :sha-256
                                              #p"https-jazz")))
   ((bugs lists db ftp) (colo :svc telecaster.colo :sshfp "telecaster")
                        (jump :svc telecaster.jump :sshfp "telecaster"))
-  ((bugs lists ftp) :tlsa (:https (:service-certificate-constraint
-                                   :public-key :sha-256
-                                   #p"https-telecaster")))
+  ((bugs lists ftp) :tlsa (:https #3=(:service-certificate-constraint
+                                      :public-key :sha-256
+                                      #p"https-telecaster")))
   (dyndns :svc telecaster.jump :sshfp "telecaster")
   ((git www mail) (colo :svc stratocaster.colo :sshfp "stratocaster")
                   (jump :svc stratocaster.jump :sshfp "stratocaster"))
-  ((www git mail @) :tlsa (:https (:service-certificate-constraint
-                                   :public-key :sha-256
-                                   #p"https-stratocaster")))
+  ((www git mail @) :tlsa (:https #2=(:service-certificate-constraint
+                                      :public-key :sha-256
+                                      #p"https-stratocaster")))
   (www-cache :tlsa (3127 #1=(:trust-anchor-assertion
                              :certificate :sha-256
                              #p"distorted-ca")))
-  ((bugs lists) :tlsa (:smtp #1#))
-  (mail :tlsa ((:smtp :submission :imap :imaps) #1#))
+  (mail :tlsa ((:submission :imap :imaps) #1#))
+  (mail :tlsa (:smtp
+               #+view/inside #1#
+               #-view/inside (:domain-issued-certificate
+                              :public-key :sha-256
+                              #p"smtps-stratocaster")))
+  ((bugs lists) :tlsa (:smtp
+                       #+view/inside #1#
+                       #-view/inside (:domain-issued-certificate
+                                      :public-key :sha-256
+                                      #p"smtps-telecaster")))
   :svc #+view/inside stratocaster.colo #-view/inside stratocaster.jump
   (cabal :svc stratocaster.colo :sshfp "stratocaster")
 
   ;; Local services.
-  ((rawk pifi) (unsafe :svc artist.unsafe) (dmz :svc artist.dmz))
+  (rawk (unsafe :svc artist.unsafe) (dmz :svc artist.dmz))
+  (rawk :tlsa (:https (:service-certificate-constraint
+                       :public-key :sha-256
+                       #p"https-artist")))
   (mirror (dmz :svc roadstar.dmz :sshfp "roadstar")
           (unsafe :svc roadstar.unsafe :sshfp "roadstar"))
@@ -178,6 +195,7 @@
 
   ;; Fancy connectivity.
   (iodine (jump :svc jazz.jump))
+  (hippotat (jump :svc jazz.jump))
 
   ;; Colocated hosts.
   (colo :net colo)
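Review bot: The `#-view/inside` branches of the `:smtp` TLSA records for `mail` and `(bugs lists)` move from the `#1#` trust-anchor assertion (DANE-TA, usage 2, anchored on the private `distorted-ca`) to `:domain-issued-certificate` (DANE-EE, usage 3) keyed on `#p"smtps-stratocaster"` and `#p"smtps-telecaster"`, and under usage 3 a validating sender checks nothing but that public key, so any key change on the MTAs — for instance a renewal that generates a fresh key, which the newly added CAA now permits — silently makes inbound mail undeliverable for DANE-enforcing peers until the `smtps-*` files are regenerated. A comment beside each of those records would make the operational dependency explicit, e.g. `;; DANE-EE: the MTA's TLS key must stay fixed across renewals; on a key change publish the new record alongside the old for at least a TTL before switching (RFC 7671 s8).` Separately, the `#3=` and `#2=` labels introduced on the `:https` constraints are not referenced anywhere in this hunk; if nothing later in the file reads them back as `#3#`/`#2#`, they are noise and should be dropped. The enclosing zone form starts and ends outside the hunk.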
@@ -204,29 +222,36 @@
   (jazz (colo :addr jazz.colo :sshfp "jazz")
         (jump :addr jazz.jump :sshfp "jazz")
         (vpn :addr jazz.vpn :sshfp "jazz")
-        (iodine :addr jazz.iodine :sshfp "jazz"))
+        (iodine :addr jazz.iodine :sshfp "jazz")
+        (hippo :addr jazz.hippo :sshfp "jazz"))
 
   ;; Virtual hosts.
   (national :abbrev n (linode :abbrev nl) (upn :abbrev ny))
   (national (linode :addr national.linode)
             (upn :addr national.upn))
+  (mdwdev (upn :addr mdwdev.upn))
 
-  ;; Media server (on loan to Good Technology HSTG).
-  (jaguar :abbrev jag)
-  (jaguar (jump :addr jaguar.jump :sshfp "jaguar"))
-
-  ;; Nicko's server.
+  ;; Nicko's servers.
   (richmond (jump :svc richmond.jump))
+  (marshall (jump :svc marshall.jump))
 
   ;; Entry is via little router box.
   (dmz :net dmz)
   (guvnor (dmz :addr guvnor.dmz))
   (nat (dmz :addr nat.dmz))
 
-  ;; Wireless gateway.
+  ;; Wireless access points.
   (wireless :net wireless)
   (evolution (safe :addr evolution.safe))
   (evolution :alias evo)
+  (kitkat :alias ap0)
+  (kitkat (safe :addr kitkat.safe))
+  (lunch :alias ap1)
+  (lunch (safe :addr lunch.safe))
+
+  ;; Printer.
+  (burntaxe :alias lp0)
+  (burntaxe (safe :addr burntaxe.safe))
 
   ;; Switches.
   (grigsby :alias tp0)
@@ -287,13 +312,17 @@
   ;; Virtual network.
   (vpn :net vpn)
   (crybaby :abbrev cb)
-  (crybaby (vpn :addr crybaby.vpn :sshfp "crybaby"))
+  (crybaby (vpn :addr crybaby.vpn :sshfp "crybaby")
+           (hippo :addr crybaby.hippo :sshfp "crybaby"))
+  (spirit (vpn :addr spirit.vpn :sshfp "spirit")
+          (hippo :addr spirit.hippo :sshfp "spirit"))
   (terror (vpn :addr terror.vpn :sshfp "terror"))
   (orange :abbrev o)
   (orange (vpn :addr orange.vpn :sshfp "orange"))
   (haze :abbrev h)
   (haze (vpn :addr haze.vpn :sshfp "haze"))
   (iodine :net iodine)
+  (hippo :net hippo)
 
   ;; ITS.
   (its :net its)
@@ -349,6 +378,7 @@
           (crybaby :addr crybaby.unsafe)
           (lespaul :addr lespaul.unsafe)
           (gretsch :addr gretsch.unsafe)
+          (spirit :addr spirit.unsafe)
           (haze :addr haze.unsafe)
           (invader :addr invader.safe)
           (marauder :addr marauder.safe))
@@ -444,8 +474,20 @@
                      telecaster.distorted.org.uk.
                      national.distorted.org.uk.
                      secondary-dns.co.uk.)
+  (0.7.3.6.8.6.4.6.1.0.0.0 :ns (radius.distorted.org.uk.
+                                vampire.distorted.org.uk.
+                                precision.distorted.org.uk.
+                                telecaster.distorted.org.uk.
+                                national.distorted.org.uk.))
   :reverse ((((:ipv6 distorted.org.uk-aaisp)))))
 
+(defrevzone (dhcp :family :ipv6)
+  :ns (radius.distorted.org.uk.
+       vampire.distorted.org.uk.
+       precision.distorted.org.uk.
+       telecaster.distorted.org.uk.
+       national.distorted.org.uk.))
+
 (defrevzone distorted.org.uk-jump
   :ns (radius.distorted.org.uk.
       vampire.distorted.org.uk.
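Review bot: The NS set for the new `(dhcp :family :ipv6)` reverse zone is written out twice — once in the `0.7.3.6.8.6.4.6.1.0.0.0` delegation inside the enclosing reverse zone and once at the new zone's apex — and the two copies have to stay identical or delegation checks will report a parent/child NS mismatch; a one-line comment on each copy, `;; Keep in step with the (dhcp :family :ipv6) zone's apex NS set.` on the delegation and the converse on the `defrevzone`, would flag that for the next edit. Both copies also omit `secondary-dns.co.uk.`, which the enclosing zone's own NS list keeps; if that is deliberate (the external secondary is not yet configured for the new zone), noting it in the same comment prevents a well-meant "fix" that would produce a lame server. The enclosing zone form starts outside the hunk, and the `distorted.org.uk-jump` zone continues past its end.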