diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-22 17:10:20 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-22 17:10:20 +0100 |
commit | 56db0eef6b60891b6320feba397033b68ff3ee56 (patch) | |
tree | 43300690be0c3f54954c54ef80f71f11d713e9f4 | |
parent | a7255ba16633d70c22e8bed75ae52c49f08e1c18 (diff) | |
download | nixos-56db0eef6b60891b6320feba397033b68ff3ee56.tar nixos-56db0eef6b60891b6320feba397033b68ff3ee56.tar.gz nixos-56db0eef6b60891b6320feba397033b68ff3ee56.tar.bz2 nixos-56db0eef6b60891b6320feba397033b68ff3ee56.tar.xz nixos-56db0eef6b60891b6320feba397033b68ff3ee56.zip |
surtr: dns: open rfc2136 to ymir
-rw-r--r-- | hosts/surtr/dns/default.nix | 16 | ||||
-rw-r--r-- | hosts/surtr/dns/keys/ymir_acme.yaml | 26 |
2 files changed, 39 insertions, 3 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 57146d67..dc991b66 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix | |||
@@ -23,7 +23,9 @@ let | |||
23 | 23 | ||
24 | indentString = indentation: str: concatMapStringsSep "\n" (str: " ${str}") (splitString "\n" (removeSuffix "\n" str)); | 24 | indentString = indentation: str: concatMapStringsSep "\n" (str: " ${str}") (splitString "\n" (removeSuffix "\n" str)); |
25 | 25 | ||
26 | mkZone = {domain, path ? (./zones + "/${reverseDomain domain}.soa"), acmeDomains ? [domain]}: indentString " " '' | 26 | mkZone = {domain, path ? (./zones + "/${reverseDomain domain}.soa"), acmeDomains ? [domain], addACLs ? {}}: indentString " " (let |
27 | keys = acmeDomain: [(assert (config.sops.secrets ? "${acmeDomain}_acme.yaml"); "${acmeDomain}_acme_acl")] ++ (addACLs.${acmeDomain} or []); | ||
28 | in '' | ||
27 | - domain: ${domain} | 29 | - domain: ${domain} |
28 | template: inwx_zone | 30 | template: inwx_zone |
29 | ${optionalString (acmeDomains != []) "acl: [local_acl, inwx_acl]"} | 31 | ${optionalString (acmeDomains != []) "acl: [local_acl, inwx_acl]"} |
@@ -31,10 +33,10 @@ let | |||
31 | ${concatMapStringsSep "\n" (acmeDomain: '' | 33 | ${concatMapStringsSep "\n" (acmeDomain: '' |
32 | - domain: _acme-challenge.${acmeDomain} | 34 | - domain: _acme-challenge.${acmeDomain} |
33 | template: acme_zone | 35 | template: acme_zone |
34 | acl: [${assert (config.sops.secrets ? "${acmeDomain}_acme.yaml"); "${acmeDomain}_acme_acl"}] | 36 | acl: [${concatStringsSep ", " (keys acmeDomain)}] |
35 | file: ${acmeChallengeZonefile acmeDomain} | 37 | file: ${acmeChallengeZonefile acmeDomain} |
36 | '') acmeDomains} | 38 | '') acmeDomains} |
37 | ''; | 39 | ''); |
38 | in { | 40 | in { |
39 | config = { | 41 | config = { |
40 | fileSystems."/var/lib/knot" = | 42 | fileSystems."/var/lib/knot" = |
@@ -152,21 +154,29 @@ in { | |||
152 | zone: | 154 | zone: |
153 | ${concatMapStringsSep "\n" mkZone [ | 155 | ${concatMapStringsSep "\n" mkZone [ |
154 | { domain = "yggdrasil.li"; | 156 | { domain = "yggdrasil.li"; |
157 | addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; }; | ||
155 | } | 158 | } |
156 | { domain = "nights.email"; | 159 | { domain = "nights.email"; |
160 | addACLs = { "nights.email" = ["ymir_acme_acl"]; }; | ||
157 | } | 161 | } |
158 | { domain = "141.li"; | 162 | { domain = "141.li"; |
159 | acmeDomains = ["webdav.141.li" "141.li"]; | 163 | acmeDomains = ["webdav.141.li" "141.li"]; |
164 | addACLs = { "141.li" = ["ymir_acme_acl"]; }; | ||
160 | } | 165 | } |
161 | { domain = "kleen.li"; | 166 | { domain = "kleen.li"; |
167 | addACLs = { "kleen.li" = ["ymir_acme_acl"]; }; | ||
162 | } | 168 | } |
163 | { domain = "xmpp.li"; | 169 | { domain = "xmpp.li"; |
170 | addACLs = { "xmpp.li" = ["ymir_acme_acl"]; }; | ||
164 | } | 171 | } |
165 | { domain = "dirty-haskell.org"; | 172 | { domain = "dirty-haskell.org"; |
173 | addACLs = { "dirty-haskell.org" = ["ymir_acme_acl"]; }; | ||
166 | } | 174 | } |
167 | { domain = "praseodym.org"; | 175 | { domain = "praseodym.org"; |
176 | addACLs = { "praseodym.org" = ["ymir_acme_acl"]; }; | ||
168 | } | 177 | } |
169 | { domain = "rheperire.org"; | 178 | { domain = "rheperire.org"; |
179 | addACLs = { "rheperire.org" = ["ymir_acme_acl"]; }; | ||
170 | } | 180 | } |
171 | ]} | 181 | ]} |
172 | ''; | 182 | ''; |
diff --git a/hosts/surtr/dns/keys/ymir_acme.yaml b/hosts/surtr/dns/keys/ymir_acme.yaml new file mode 100644 index 00000000..fd3383ff --- /dev/null +++ b/hosts/surtr/dns/keys/ymir_acme.yaml | |||
@@ -0,0 +1,26 @@ | |||
1 | { | ||
2 | "data": "ENC[AES256_GCM,data:byBJwbC+WjFdWWnlSQUkSyNw9J7FwNqXuXMl68IzVsIMNmRHrRj/1cUgf7q1MN4YbNHwW5SV53wM0iIsNIObXNIdhe3QVK0X6hWfEXBuZ1yf1kdcCWleIVzh7swJXNoudWCcFYQz527pUKB7FoqalzTZED8+qok7zvyrB9YAyrXhFS7+RUM/6LgmAUcd99ojhPE5N4WZOk/+rUYx/lRmDqjteBUlTsg2zbyJI5aiPJRgmeRUr6nY/g==,iv:mv0jAiWU1kD8+fOD8C/gbUryGcB2jl4g9HypRsrMqcI=,tag:1IURck5WIqn5CqpVRMGeTA==,type:str]", | ||
3 | "sops": { | ||
4 | "kms": null, | ||
5 | "gcp_kms": null, | ||
6 | "azure_kv": null, | ||
7 | "hc_vault": null, | ||
8 | "age": null, | ||
9 | "lastmodified": "2022-02-22T16:07:25Z", | ||
10 | "mac": "ENC[AES256_GCM,data:mwXrUm7h+Hn6klCDmz9ni1bqVpaJlpLTDuUUvXGKnX0RjG763szhjbvI/NVj42e7pkgoArDN83Zf0KdugmTCIEQB15PYsGvc5uRcBK8I28Gktwdz9InCbArOvXGO6BoGF47VxjNDeFy5OnUUbST0pF94WXEIeGaD/QxXn0c5ljo=,iv:koaB3cA9IxyuLY3R1qF7FOwgzh4QnkNrMmVomu4MugI=,tag:7D8qzyGF2hibcumXV3HqGQ==,type:str]", | ||
11 | "pgp": [ | ||
12 | { | ||
13 | "created_at": "2022-02-22T16:07:25Z", | ||
14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAmcJoxHfANstUX5rNuujHRm1VVe8RNrwMItzqvMyh/Ssw\nha1cGkBRxuVkkSMNGX3A0uMD3bYY/CGS8706ttaSNxlkPERExs+1YT/ds1nmR3VN\n0l4BpTrOGwKutMwjbB30Jmoy9EkqkqjC6948q/lJGl+bCk0ByJ99vQR0hv8KNvIj\nV6TkiKbCHHXy+Z1n/XkKPqWcjjcth4cJBKwsDB2EU6hbc9MGrM7PgVtR9Vce/mGv\n=WPOy\n-----END PGP MESSAGE-----\n", | ||
15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
16 | }, | ||
17 | { | ||
18 | "created_at": "2022-02-22T16:07:25Z", | ||
19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdArf8QXVpdQJH0v/0o9KN3LVbtEQAsuVco3mhjnhh5nVYw\ns0YqUAmN6hDTcDvfKljR5D/iK2iEfbZgBLGJyNsy3AbYdu3lhdGbxWerbVgrNA+p\n0l4BEzSmhqAlNqPvTwgCqRBaBnbsI7OLrqxIG08K+SAnRHs+BPc1xB0DLT4OZerm\nKNvcKNeYrEWluhipt9AVwuQzMTo3b/ZLGi97nICPsb8tu9DwS4fjcPaA52q70oSx\n=vWLx\n-----END PGP MESSAGE-----\n", | ||
20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
21 | } | ||
22 | ], | ||
23 | "unencrypted_suffix": "_unencrypted", | ||
24 | "version": "3.7.1" | ||
25 | } | ||
26 | } \ No newline at end of file | ||