chore: Refactor DNS Stack

SvenKirschbaum · Mar 16, 2024 · ec4c204 · ec4c204
1 parent 8e966fa
commit ec4c204
Show file tree

Hide file tree

Showing 4 changed files with 294 additions and 472 deletions.
diff --git a/bin/dns.ts b/bin/dns.ts
@@ -5,20 +5,5 @@ import {dnsAccountEnv} from "./constants";
 const app = new cdk.App();
 
 new DNSStack(app, 'DNSStack', {
-    // WARNING: The Zones have been manually created with a reusable delegation set.
-    // Further zones should follow the same procedure, to use the same white-label nameservers.
-    // The create-hosted-zone script can be used to create a new zone, and the update-default-records
-    // script can be used to update the SOA and NS records.
-    domains: [
-        'elite12.de',
-        'kirschbaum.me',
-        'kirschbaum.cloud',
-        'bund-von-theramore.de',
-        'theramo.re',
-        'markus-dope.de',
-        'grillteller42.de',
-        'trigardon-rg.de',
-        'westerwald-esport.de',
-    ],
     env: dnsAccountEnv
 })
diff --git a/lib/constructs/CommonRecords.ts b/lib/constructs/CommonRecords.ts
@@ -9,86 +9,58 @@ import {
     RecordTarget,
     TxtRecord
 } from "aws-cdk-lib/aws-route53";
+import {
+    DEFAULT_TTL, HOSTS, LONG_TTL,
+} from "./constants";
 import {Duration} from "aws-cdk-lib";
 
-export const DEFAULT_TTL = Duration.hours(1);
-
-/**
- * @Deprecated
- */
-export const E12_OLD_SERVER_IPV4 = "89.58.11.239";
-/**
- * @Deprecated
- */
-export const E12_OLD_SERVER_IPV6 = "2a03:4000:5f:ba0::1";
-
-export const MAIN_01_NUE_NC_IPV4 = "89.58.34.152";
-
-export const MAIN_01_NUE_NC_IPV6 = "2a03:4000:64:95::1";
-export const E12_MONITORING_IPV4 = "152.53.19.135";
-export const E12_MONITORING_IPV6 = "2a0a:4cc0:1:11b6::1";
-
 export interface CommonRecordProps {
     zone: IHostedZone,
+    ttl?: Duration
 }
 
 export interface NameableCommonRecordProps extends CommonRecordProps {
     name?: string
 }
-export class E12MainRecord extends Construct {
 
-    constructor(scope: Construct, id: string, props: NameableCommonRecordProps) {
-        super(scope, id);
-
-        new ARecord(this, 'ARecord', {
-            zone: props.zone,
-            ttl: DEFAULT_TTL,
-            recordName: props.name,
-            target: RecordTarget.fromIpAddresses(MAIN_01_NUE_NC_IPV4),
-        });
-        new AaaaRecord(this, 'AAAARecord', {
-            zone: props.zone,
-            ttl: DEFAULT_TTL,
-            recordName: props.name,
-            target: RecordTarget.fromIpAddresses(MAIN_01_NUE_NC_IPV6),
-        });
-    }
+export interface HostRecordProps extends NameableCommonRecordProps {
+    host: string
 }
 
-export class E12MonitoringRecord extends Construct {
+export class HostRecord extends Construct {
 
-    constructor(scope: Construct, id: string, props: NameableCommonRecordProps) {
+    constructor(scope: Construct, id: string, props: HostRecordProps) {
         super(scope, id);
 
         new ARecord(this, 'ARecord', {
             zone: props.zone,
-            ttl: DEFAULT_TTL,
+            ttl: props.ttl ?? DEFAULT_TTL,
             recordName: props.name,
-            target: RecordTarget.fromIpAddresses(E12_MONITORING_IPV4),
+            target: RecordTarget.fromIpAddresses(HOSTS[props.host].V4),
         });
         new AaaaRecord(this, 'AAAARecord', {
             zone: props.zone,
-            ttl: DEFAULT_TTL,
+            ttl: props.ttl ?? DEFAULT_TTL,
             recordName: props.name,
-            target: RecordTarget.fromIpAddresses(E12_MONITORING_IPV6),
+            target: RecordTarget.fromIpAddresses(HOSTS[props.host].V6),
         });
     }
 }
 
-export class LetsencryptCAARecord extends Construct {
+export class DefaultCAARecord extends Construct {
 
     constructor(scope: Construct, id: string, props: NameableCommonRecordProps) {
         super(scope, id);
 
         new CaaRecord(this, 'CAA', {
             zone: props.zone,
-            ttl: DEFAULT_TTL,
+            ttl: props.ttl ?? LONG_TTL,
             recordName: props.name,
             values: [
                 {
                     tag: CaaTag.IODEF,
                     flag: 0,
-                    value: 'mailto:caa@kirschbaum.me'
+                    value: 'mailto:caa@elite12.de'
                 },
                 {
                     tag: CaaTag.ISSUE,
@@ -99,6 +71,16 @@ export class LetsencryptCAARecord extends Construct {
                     tag: CaaTag.ISSUEWILD,
                     flag: 0,
                     value: 'letsencrypt.org'
+                },
+                {
+                    tag: CaaTag.ISSUE,
+                    flag: 0,
+                    value: 'amazonaws.com'
+                },
+                {
+                    tag: CaaTag.ISSUEWILD,
+                    flag: 0,
+                    value: 'amazonaws.com'
                 }
             ]
         });
@@ -115,7 +97,7 @@ export class GoogleMailRecords extends Construct {
 
         new MxRecord(this, 'MXRecord', {
             zone: props.zone,
-            ttl: DEFAULT_TTL,
+            ttl: props.ttl ?? DEFAULT_TTL,
             values: [
                 {
                     priority: 1,
@@ -144,7 +126,7 @@ export class GoogleMailRecords extends Construct {
             for (let domainKeyName in props.domainKeys) {
                 new TxtRecord(this, `DomainKey-${domainKeyName}`, {
                     zone: props.zone,
-                    ttl: DEFAULT_TTL,
+                    ttl: props.ttl ?? DEFAULT_TTL,
                     recordName: `${domainKeyName}._domainkey`,
                     values: [
                         props.domainKeys[domainKeyName]
@@ -155,19 +137,52 @@ export class GoogleMailRecords extends Construct {
 
         new TxtRecord(this, `SPFRecord`, {
             zone: props.zone,
-            ttl: DEFAULT_TTL,
+            ttl: props.ttl ?? DEFAULT_TTL,
             values: [
                 `v=spf1 include:_spf.google.com ~all`
             ]
         });
 
         new TxtRecord(this, `DMARCRecord`, {
             zone: props.zone,
-            ttl: DEFAULT_TTL,
+            ttl: props.ttl ?? DEFAULT_TTL,
             recordName: '_dmarc',
             values: [
                 'v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:mailauth-reports-rua@elite12.de'
             ]
         });
     }
 }
+
+interface DefaultDomainRecordsProps extends CommonRecordProps, GoogleMailRecordProps {
+
+}
+
+export class DefaultDomainRecords extends Construct {
+
+    constructor(scope: Construct, id: string, props: DefaultDomainRecordsProps) {
+        super(scope, id);
+
+        new HostRecord(this, 'Root', {
+            zone: props.zone,
+            host: 'main-01-nue-nc'
+        });
+
+        new HostRecord(this, 'Wildcard', {
+            zone: props.zone,
+            host: 'main-01-nue-nc',
+            name: '*'
+        });
+
+        new DefaultCAARecord(this, 'CAA', {
+            zone: props.zone
+        });
+
+        if(props.domainKeys) {
+            new GoogleMailRecords(this, 'Mail', {
+                zone: props.zone,
+                domainKeys: props.domainKeys
+            });
+        }
+    }
+}
diff --git a/lib/constructs/constants.ts b/lib/constructs/constants.ts
@@ -0,0 +1,101 @@
+import {Duration} from "aws-cdk-lib";
+
+export const DEFAULT_TTL = Duration.hours(1);
+export const LONG_TTL = Duration.days(2);
+
+interface HostProperties {
+    V4: string;
+    V6: string;
+}
+
+export const HOSTS: {[key: string]: HostProperties} = {
+    'main-01-nue-nc': {
+        V4: "89.58.34.152",
+        V6: "2a03:4000:64:95::1"
+    },
+    'obs-01-vie-nc': {
+        V4: "152.53.19.135",
+        V6: "2a0a:4cc0:1:11b6::1"
+    },
+    'gw-01-nue-nc': {
+        V4: "188.68.49.21",
+        V6: "2a03:4000:6:d0e1::1"
+    },
+    // These are technically not Hostnames, but it is convenient to have them here
+    'ns1': {
+        V4: "205.251.197.240",
+        V6: "2600:9000:5305:f000::1",
+    },
+    'ns2': {
+        V4: "205.251.193.155",
+        V6: "2600:9000:5301:9b00::1",
+    },
+    'ns3': {
+        V4: "205.251.194.127",
+        V6: "2600:9000:5302:7f00::1",
+    },
+    'ns4': {
+        V4: "205.251.199.225",
+        V6: "2600:9000:5307:e100::1",
+    },
+}
+
+interface DomainProperties {
+    defaultRecords: boolean;
+    domainKeys?: {[key: string]: string}
+}
+
+// WARNING: The Zones have been manually created with a reusable delegation set before being imported into CDK management.
+// Further zones should follow the same procedure, to use the same white-label nameservers.
+// The create-hosted-zone script can be used to create a new zone, and the update-default-records
+// script can be used to update the SOA and NS records.
+export const DOMAINS: {[key: string]: DomainProperties} = {
+    'elite12.de': {
+        defaultRecords: true,
+        domainKeys: {
+            'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgA2tuBVL5JhYkCqF0Qh4Z97GyDnvt5uQefZx6hXycGMCXfZaCI5XpFo0ey0+H/Uqc19woo53PWxrTxsXAK6N0mK2vRHMI9eHsAS3ZK6KSy/PzK2QDObZl2E+lrYtwSss6IZBMOhgRHglw0ZOtmzfabBV2KJGepIDUvBAtFqC3lPBAuNXC5kxUj6IArMp6T8OWoirJ3gpE1DRi8YcyNnHx8ZpbcQ9hQRq1h3njcZsBwKRUprSYobkiX/LMaxHHpI4YrLyhT59vy8R/THNSU7Me61UB1prcjMb+ohfAyHpyJuSX3RX/T0AvZQV2XCUSpQPfk1h4mMGHCtw6FzC63hYZwIDAQAB'
+        }
+    },
+    'kirschbaum.me': {
+        defaultRecords: true,
+        domainKeys: {
+            'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXDuLMb7IB4eLodktPplslADR7WfUSt1Q/aLAATiAqdsT9rcVOIFkdTYNq6pUS0gnGvUrgzKxiN44ggqn7J5k0WcX6sCOeHkPhv2T9BXJOYeA0wv14XKaePCGopmLCbVh/18aZah065xFhF9Ohp1KCzVM211ZNtpCcgDqXaQadsfCbSXKBM7dcplYnp9HR1xm0Y8H5vv3hXdwLTFMmIeJXPHs3LD+3opY836HprDcR9fEA5TT20832J227cYD6ZzQCmO3YSgHpxZ9VVX+xU8LtkUjvfr+6xzvx148h6zKwRCZOvvicOdOqpNy+X7XJVzGLMJVUmY55U57Q8W7WWRawIDAQAB'
+        }
+    },
+    'kirschbaum.cloud': {
+        defaultRecords: false,
+    },
+    'bund-von-theramore.de': {
+        defaultRecords: true,
+        domainKeys: {
+            'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjS+3U6bERFAUDhJ+yfafjwEELCERab3MLCVF8+FCz46qBkUsoQlim68MSL37ShUT34FsYSMAsTdRKJVCtdbk79Za2yuzh/0uZ3jsC/+QCpC06VAZKdWzZB4Myept0fPUjmseCjZfSVOvPN0fNrngxUmXxKNHuqSLA9UQS5ex8MB4UJl7m7/ixUsvjHQdJdi2usO6TdGnadKlS+2gYl+VYrzf+R/z9eEy8edhp+BkBlSlGVmzCSPYAV5Ykp9iC7fJz7p2w9etYytTG8U7Jh4jh75KzSojGgWz6miU9DXdroczEdsYATJyTE5O981er89Tzm0mFdbTuKPbSHMFZXncmQIDAQAB'
+        }
+    },
+    'theramo.re': {
+        defaultRecords: true,
+        domainKeys: {
+            'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsCxnyi5zDkB3iDdXvh2hl5Facm4bokGQvILLpmKxHq7ti3YWJHJUfyQ02tQVvfjMKEP7DK7UOAmN9bexUJsq9GBAHP10fx66D2FHjuu5vfwm3xp65vN27t5iM8HEfqKX7dTG+oRKM1eO0fGKhliwyJlHQti9trFnzUKlkxU+7N1m/B/5EGu53fxpGQu1UQY2Jas/UOEU+YLVoogSyZTM8htB5efUF8d0f6Ggbpb4CJN6ZPIcUg5Qr+K/sipJsiUyk4Xdoi3I/FZhNptK/dDglpB8UCUTtIfyH0ms4qXRKjQvnqbj9m+H2XKkC65LcIiT7OxKNyEqejnvs2fSLaViFwIDAQAB'
+        }
+    },
+    'markus-dope.de': {
+        defaultRecords: true,
+        domainKeys: {
+            'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqgcZiSEkHo/0X/CziEz8eEklImh1mN5x7PXrNTGiahujwWzTiBLfpDjgacvsHIMpXUShi3Tl+e7X52m0DsBSK6DMkgzIFnQvJ2PbJ8giCh5k3iTaxGd6WuqcCQHg5ARrqmvgZyQegLWxLMXfgQi3SaVTsez+0OGhYDsdcdHEMpI9fud3XRN8QvNumlPz3SuNJ0VvDvFCY9GglQhi5z8K1MT6DBJQgK05BHCeXc9ltoBD4/GzXR+/zZ5v1jBmMONvoYbQgrt1jZ84WCucR54YmdpGlgMXFCqfaW72ZFKtpaJbeseR3ycVv0iKU5+BbXYlVMjeGKXcJewWmLH2gl2lhQIDAQAB'
+        }
+    },
+    'grillteller42.de': {
+        defaultRecords: true,
+    },
+    'trigardon-rg.de': {
+        defaultRecords: true,
+        domainKeys: {
+            'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw8ldG7q9BR5mgn1IevBpxKT7OBWBd6T209+C7SXXHIJH4lUqSyRnLxq4MHFKUARxABZUV3K8sZ3GQvJI1/HLD9LEGXpCxVvdUJMv//TuKdzRug+awIW4t9fl1yovoC4w1zQN0pIGvwafrhtniZYAJrvOZVhF5ngTDUvqjo8ue4dAvRyfD6cxWZb70t4m4gOD3pnAsM4OuONOy06joCuNQosV4XQ/aR0iCXlli8LcaZSwihY6tx8eZkqprjgKmx1/pPcdePzmx9NOOi9iAGiGfC6qesFUBq8eMy3Qk5oyGijxh75S2MRkmRwEVZy/aXwnUI0OLRoWyZgMd4z6w5uVdQIDAQAB'
+        }
+    },
+    'westerwald-esport.de': {
+        defaultRecords: true,
+        domainKeys: {
+            'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApsvZT6MOvasdtSnTz38y1Zwxcaq/FYV5zP789JyoUHuLktY9lRgYGIXeJrxaSjo+RlCrqN3g4cfHX/MGkwxwpp3Qal7zDvRBERWyyj169s8N8UWi8AIsMzFqAymJPkCDU3nW99WXafJrFZvmX1lVpY1cctA/G4pjx1RCT7Ixcv72hWR8lRgUWlc2lEIykZQ9s4tUd3+NbsreUnxgkvN4PD0M7w9ORU7b7iIAR2N5DAwgD5FiTQ84JiqZILzQ69y6CS/FCdlLSxPcq7yYO+OsQ8zj/RAAvfG4CrRykxMHAi3GTo8RHWyxgt8MHmZpcgtJQU0Vz+MZiaM0Dx6KdWRpmwIDAQAB'
+        }
+    },
+};