Initial commit

Author: bhdicaire

Diff for: .github/workflows/generator-generic-ossf-slsa3-publish.yml

@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA generic generator
+on:
+  workflow_dispatch:
+  release:
+    types: [created]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      digests: ${{ steps.hash.outputs.digests }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      # ========================================================
+      #
+      # Step 1: Build your artifacts.
+      #
+      # ========================================================
+      - name: Build artifacts
+        run: |
+            # These are some amazing artifacts.
+            echo "artifact1" > artifact1
+            echo "artifact2" > artifact2
+
+      # ========================================================
+      #
+      # Step 2: Add a step to generate the provenance subjects
+      #         as shown below. Update the sha256 sum arguments
+      #         to include all binaries that you generate
+      #         provenance for.
+      #
+      # ========================================================
+      - name: Generate subject for provenance
+        id: hash
+        run: |
+          set -euo pipefail
+
+          # List the artifacts the provenance will refer to.
+          files=$(ls artifact*)
+          # Generate the subjects (base64 encoded).
+          echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read   # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.build.outputs.digests }}"
+      upload-assets: true # Optional: Upload to a new release

Diff for: .gitignore

@@ -0,0 +1 @@
+creds.json

Diff for: LICENCE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Benoît H. Dicaire
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Diff for: Makefile

@@ -0,0 +1,114 @@
+###############################################################################
+
+programName       := dnsConfiguration
+programVersion    := 1.0
+programSource     := https://github.com/bhdicaire/dnsConfiguration
+modifiedBy        := BH Dicaire
+
+SHELL             := /bin/bash
+RM                := /bin/rm -f
+makeLocation      := `which make`
+makeVersion       := `make -v|grep GNU`
+goLocation        := `which go`
+goVersion         := `go version`
+dnsControl        := /opt/homebrew/bin/dnscontrol
+dnsControlVersion := `/opt/homebrew/bin/dnscontrol version`
+dateStamp         := $(shell date "+%Y%m%d")
+
+normalText        := "\033[0m"
+boldText          := "\033[1m"
+italicText        := "\033[3m"
+tab               := "\t"
+2tab              := "\t\t"
+tabNormal         := $(tab)$(normalText)
+tabBold           := $(tab)$(boldText)
+
+###############################################################################
+
+.PHONY: debug gitArchive
+
+help: ## Show this help.
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+
+
+test: banner ## Preview the modification
+	@echo -e  $(boldText)"\n\n##########" $(tab)DNS Control: preview$(tabNormal)"\n"
+	@$(dnsControl) preview
+	@printf "\n\n"
+
+build: banner ## Push the update to the nameservers
+	@echo -e  $(boldText)"\n\n##########" $(tab)DNS Control: push$(tabNormal)"\n"
+	@$(dnsControl) push
+	@printf "\n\n"
+
+secret:  ## Inject secret via 1Password
+	op inject -i ./lib/creds.json.tpl -o creds.json
+
+ddns: ## ISPs dynamically update their customer’s IP addresses, let's identify the current one
+	@# https://developers.cloudflare.com/dns/manage-dns-records/how-to/managing-dynamic-ip-addresses
+	curl -o ip.json 'https://api.ipgeolocation.io/getip'
+
+encrypt: ## Encrypt config file with a secret
+	gpg --batch --passphrase $(secret) --symmetric config.js
+	rm config.js
+	ls config.*
+
+decrypt: ## Decrypt config file
+	gpg --batch --output config.js --passphrase $(secret) --decrypt config.js.gpg
+	ls config.*
+
+gitCommit:
+	$(MAKE) triage
+	@echo -e  $(boldText)"\n\n##########" $(tab)Git add ${configFile}$(tabNormal)"\n"
+	git add ${configFile}
+	@echo -e  $(boldText)"\n\n##########" $(tab)Git commit: $(gitMsg)$(tabNormal)"\n"
+	git commit -m$(gitMsg)
+	@echo -e  $(boldText)"\n\n##########" $(tab)Git push$(tabNormal)"\n"
+	git push
+	@printf "\n\n"
+
+gitArchive:
+	$(MAKE) banner
+	$(MAKE) pull
+	@echo -e  $(boldText)"\n\n##########" $(tab)Archive ${configFile}$(tabNormal)"\n"
+	@mkdir -p archive
+	@cp $(configFile) archive/$(dateStamp)" "$(configFile)
+	@echo -e  $(boldText)"\n\n##########" $(tab)Git add archive$(tabNormal)"\n"
+	@git add archive
+	@git commit -m"Update DNS configuration and archive — $(dateStamp)"
+	@echo -e  $(boldText)"\n\n##########" $(tab)Git push$(tabNormal)"\n
+	@git push
+	@printf "\n\n"
+	$(MAKE) updateDNS
+
+clean: banner
+	@echo -e  $(boldText)"\n##########" $(tab)Remove dnsConfig.json and archive subFolder"\n"$(normalText)
+	@$(RM) dnsConfig.json spfcache.json
+	@$(RM) -r archive
+	@printf "\n\n"
+
+banner:
+	@printf "\n\n"
+	@echo -e $(normalText)
+	@printf "###################################################################################################\n\n"
+	@echo -e "\t$(programName) — v$(programVersion)" $(italicText)"with" $(normalText)"$(makeVersion) [$(makeLocation)]\n"
+	@echo -e "\tsource:\t\t$(programSource)"
+	@printf "\tmodified by:\t$(modifiedBy)\n\n"
+	@printf "###################################################################################################\n\n"
+
+
+triage:
+ifdef ticket
+gitMsg = "Update DNS configurations with ticket \#"$(ticket)
+else ifdef msg
+gitMsg = "Update "${dateStamp} ${configFile}" — "$(msg)
+else
+gitMsg = "Update DNS configuration — "$(dateStamp)
+endif
+
+pull:
+	@printf "\n\n"
+	@echo -e  $(boldText)"\n##########" $(tab)Git pull$(tabNormal)"\n"
+	@git pull
+	@echo -e  $(boldText)"\n##########" $(tab)Git status$(tabNormal)"\n"
+	@git status

Diff for: README.md

@@ -0,0 +1,80 @@
+![logo](./logo.png)
+
+I was tired of handling zone files. DNS Management is hard, especially if you manage tons of records with several registrars and many DNS providers. I manage DNS configuration with [StackOverflow's DNSControl](https://stackexchange.github.io/dnscontrol/) and Git.
+
+Your DNS configuration is unique as your ecosystem. These are mine. [Fork this repository](https://github.com/bhdicaire/dnsConfiguration/fork) and make it your own.
+
+## Why would I want my DNS configuration on GitHub?
+
+I don't believe in security by obscurity and I :heart: Github.
+
+Don't expect too much, this is my [opinionated DNS configuration](https://stackexchange.github.io/dnscontrol/opinions) for my own projects.
+
+I can easily backup, and restore settings for my personal sites. Furthermore, I can share what I have learned and grab new tricks from the community. Refer to my [documentation](https://github.com/bhdicaire/dnsConfiguration/blob/master/vanityNameServers.md), to setup vanity name servers on Route 53 — I spent more time than I'd like to admit on this topic.
+
+## Installation
+
+1. Install Golang with Homebrew: `brew update; brew install golang`
+2. Validate GO version and location (DNSControl can be built with Go version 1.7 or higher): `which go;go version`
+3. Ensure the environment variables are adequate (DNSControl will be installed in $GOPATH/bin):
+```
+export GOPATH=$HOME/go
+export GOROOT=/usr/local/opt/go/libexec
+export PATH=$PATH:$GOPATH/bin
+export PATH=$PATH:$GOROOT/bin
+```
+4. Create your GO workspace: `mkdir -p $GOPATH $GOPATH/src $GOPATH/pkg $GOPATH/b`
+5. Download the source, compile it, and install DNSControl: `go get github.com/StackExchange/dnscontrol`
+6. Create your dnsControl repository: `mkdir -p ~/Code/dnsConfiguration`
+6. Clone my repository: `git clone https://github.com/bhdicaire/dnsConfiguration ~/Code/dnsConfiguration`
+7. Create your initial `creds.json` with your own credential, you can use `samples/creds.json` to accelerate your setup
+8. Modify the `dnsconfig.js` with your provider and DNS zones settings:
+	* I'm currently using [AWS Route53 as service provider](https://stackexchange.github.io/dnscontrol/provider-list) and no registrar
+	* Refer to the [Documentation](https://stackexchange.github.io/dnscontrol/) for the language spec
+
+- Get an api token or api key from your DNS provider or registrar, the currently supported providers all have their own ways of doing this but you should look at restricting the key/token to only make DNS changes.
+
+- Fill out the `creds.json` file with your key/token, each provider requires a different name for their credentials so you should look at the [documentation provided.](https://stackexchange.github.io/dnscontrol/provider-list)
+### Hints & tips
+
+Refer to `lib/example.js`,
+
+* [What is my IP](https://www.whatismyip.com/)
+* [API to get your public IP in JSon](https://api.ipgeolocation.io/getip)
+
+Check that your provider is supported!
+Click on "Use this Template" to make a copy of this repository
+Update dnscontrol.js to use your provider and include your domain records (using the migration guide linked below)
+Rename creds.example.json to creds.json and update for your chosen provider (DON'T COMMIT THIS)
+Use dnscontrol preview to check that everything is setup correctly - if you're simply migrating this shouldn't find any changes
+Now you're ready to make changes via DNScontrol!
+## Workflow
+
+1. Modify the configuration file with your favorite text editor
+2. Identify the next step with `make help`:
+```
+test		Read configuration and identify changes to be made, without applying them
+debug		Run test above and check configuration
+build		Deploy configuration to DNS servers
+push		Build above and commit changes to Git, you may use msg=abc or ticket=123
+archive		Build above, copy configuration to archive subfolder, and commit to Git
+clean		Delete dnsConfig.json and archive subfolder
+help		This information
+```
+3. Test your changes with `make test` or use `make debug` if you're stuck
+4. Fix all all warnings/ errors with your favorite text editor
+5. Deploy the compiled configuration to your dns servers with `make build`
+6. When everything is *perfect*, deploy the change one more time and commit the change to Git:
+	* `make push` or `make push msg="Add Dicaire.com"` or `make push ticket=A123456`
+7. Close your change management ticket :grin:
+## Licence
+**DNS Control** is [Copyright 2015 Stack Overflow and licensed under the MIT licence](https://github.com/StackExchange/dnscontrol/blob/master/LICENSE).
+
+**dnsConfiguration** is [Copyright 2018 Benoît H. Dicaire and licensed under the MIT licence](https://github.com/bhdicaire/dnsConfiguration/blob//master/LICENCE).
+
+## DNS Control ressources
+[![Gitter chat](https://badges.gitter.im/dnscontrol/Lobby.png)](https://gitter.im/dnscontrol/Lobby)
+[![Google Group chat](https://img.shields.io/badge/google%20group-chat-green.svg)](https://groups.google.com/forum/#!forum/dnscontrol-discuss)
+
+* [Introducing DNS Control](https://blog.serverfault.com/2017/04/11/introducing-dnscontrol-dns-as-code-has-arrived/) and the [USENIX presentation](https://www.usenix.org/conference/srecon17americas/program/presentation/peterson)
+* Github source repository: [StackExchange/dnscontrol](https://github.com/StackExchange/dnscontrol)

Diff for: cloudFlare.js

@@ -0,0 +1,22 @@
+var cfProxy = {"cloudflare_proxy": "on"};                      // Proxy enabled per record
+var cfProxy_off = {"cloudflare_proxy": "off"};                 // Proxy disabled per record
+var cfProxy_full = {"cloudflare_proxy": "full"};               // Proxy+Raygun enabled per record
+var cfProxyDomain = {"cloudflare_proxy_default": "on"};        // Proxy default on for entire domain
+var cfProxyDomain_off = {"cloudflare_proxy_default": "off"};   // Proxy default off for entire domain
+var cfUniversalSSL = { "cloudflare_universalssl": "on"};       // UniversalSSL on for entire domain
+var cfUniversalSSL_off = { "cloudflare_universalssl": "off"};  // UniversalSSL off for entire domain
+
+// TTL Shortcuts
+var five_minutes = TTL(300);                                   // By default, all CF proxied records have a TTL of Auto, which is set to 300 seconds
+var one_hour = TTL(3600);
+var six_hours = TTL(21600);
+var twelve_hours = TTL(43200);
+var one_day = TTL(86400);
+
+DEFAULTS(
+    NAMESERVER_TTL('24h'),
+      // By default, all CF proxied records have a TTL of Auto, which is set to 300 seconds
+      // For DNS only records (e.g., Unproxied records), you can choose a TTL between 60 seconds (non-Enterprise) and 1 day
+    DefaultTTL('1h'),
+    cfProxyDomain_off
+);

Diff for: dnsconfig.js

@@ -0,0 +1,6 @@
+require("cloudFlare.js")
+var cloudFlare = NewDnsProvider("cloudFlare", {"manage_redirects": true}); // enable manage_redirects
+
+var REG_NONE = NewRegistrar("none");
+
+require_glob("./domains/");

Diff for: domains/example-com.js

@@ -0,0 +1,21 @@
+D('example.com', REG_NONE, DnsProvider(cloudFlare),
+    MX('@', 1, 'smtp.google.com.'),
+    TXT('@','v=spf1 include:_spf.google.com -all'), // SPF with hard fail
+    TXT('_dmarc', "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;"),
+
+    CNAME('fm1._domainkey', 'fm1.example.com.dkim.google.com.'), // DKIM item #1
+    CNAME('fm2._domainkey', 'fm2.example.com.dkim.google.com.'), // DKIM item #2
+    CNAME('fm3._domainkey', 'fm3.example.com.dkim.google.com.'), // DKIM item #3
+    TXT('google._domainkey','v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgy4kjfwHxW2/zL/PIycQ2Nh0o+SDG512sbPrzSqn01v/Cty9Ds54AAHS3LKpwboYL23ysviLsGnWqQ1Eyi4AF/KUEKt0pS7Q0w/2qJAnrdYRml5PQmZETZqqFF+GpZUODmOfJWOj0EcOIDn4fq/bQbxWHmgS6SCQaAYG9z5ra9z0ppnDKWf+SaeT40Meh2rSf2NIm1Gqh7DapKtEUWE7YsTdaLKXTWAOd8hqc6Q1fNiDcCdMOa4g8ZgBFHkZmp9PS6xpLL/e6HHzbRprE7C1bxaSDQuReEHpldJmhspOKfu9TvgeBEEbS7IWZ0Ua1pek9cu7TchkfiuvbsxZshwdpQIDAQAB'),  // DKIM key rotation
+
+    TXT('_smtp._tls','v=TLSRPTv1;'), // TLS Reporting
+    TXT('_mta-sts','v=STSv1; id=202310191122;'),
+    CNAME('mta-sts', 'mta-sts-example.com.pages.dev.',cfProxy, TTL(1)),
+    TXT("@", "google-site-verification=KKilX4ruQDSCL_EiehtaqeOXcBQYXDGYioQA-2UnC2A"),
+
+    ALIAS('@','example.com.pages.dev.', cfProxy, TTL(1)),
+
+    AAAA("blog", '2001:DB8::1', cfProxy),
+    CF_TEMP_REDIRECT("blog.example.com/*", "https://example.com/blog/$1")
+
+);

Diff for: domains/example-net.js

@@ -0,0 +1,15 @@
+D('example.net', REG_NONE, DnsProvider(cloudFlare),
+    MX('@', 0, 'example-net.mail.protection.outlook.com.'),
+    TXT('@','v=spf1 include:spf.protection.outlook.com ~all'),
+    TXT('_smtp._tls','v=TLSRPTv1;'),
+    TXT('_mta-sts','v=STSv1; id=202307050344;'),
+    CNAME('mta-sts', 'mta-sts-example-net.pages.dev.',cfProxy, TTL(1)),
+    TXT('*._domainkey', "v=DKIM1; p="),
+    TXT('_dmarc', "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;"),
+
+    CNAME('selector1._domainkey', 'selector1-example-net._domainkey.dicaire.onmicrosoft.com.'),
+    CNAME('selector2._domainkey', 'selector2-example-net._domainkey.dicaire.onmicrosoft.com.'),
+    CNAME("enterpriseregistration", "enterpriseregistration.windows.net."),
+    CNAME("enterpriseenrollment", "enterpriseenrollment.manage.microsoft.com."),
+    CNAME("autodiscover", "autodiscover.outlook.com.")
+);

Diff for: domains/parkedDomains.js

@@ -0,0 +1,10 @@
+D('example.org', REG_NONE, DnsProvider(cloudFlare),     // domains that do not send email
+    MX('@', 0, '.'), // RFC 7505
+    TXT('@','v=spf1 -all'),
+    TXT('*._domainkey', "v=DKIM1; p="), // absence of a selector / public key (e.g. as a result of deleting the entire DKIM resource record) is semantically equal to a resource record with an empty public key
+    TXT('_dmarc', "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;"),
+
+    AAAA("@", '2001:DB8::1', cfProxy),
+    CF_TEMP_REDIRECT("example.org/*", "https://example.com/$1")
+
+);