authorGregor Kleen <gkleen@yggdrasil.li>2023-01-30 16:09:43 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2023-01-30 16:19:44 +0100
commit68645f75136d6e82bfb7e27b50c531d1b416c4d5 (patch)
tree12f4804798ad4c78507b05f5e3573a11c7ab8b0c
parent5915a25064e01c38c49787322ca1309d0da0386a (diff)
...
-rw-r--r--hosts/surtr/dns/zones/consulting.kleen.soa4
-rw-r--r--hosts/surtr/dns/zones/email.bouncy.soa6
-rw-r--r--hosts/surtr/dns/zones/li.141.soa4
-rw-r--r--hosts/surtr/dns/zones/li.synapse.soa6
-rw-r--r--hosts/surtr/dns/zones/li.yggdrasil.soa6
-rw-r--r--hosts/surtr/email/default.nix4
-rw-r--r--hosts/surtr/etebase/default.nix4
-rw-r--r--hosts/surtr/http/default.nix2
-rw-r--r--hosts/surtr/http/webdav/default.nix2
-rw-r--r--hosts/surtr/matrix/default.nix4
-rw-r--r--hosts/surtr/ruleset.nft4
11 files changed, 39 insertions, 7 deletions
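--- a/hosts/surtr/dns/zones/consulting.kleen.soa
+++ b/hosts/surtr/dns/zones/consulting.kleen.soa
@@ -1,7 +1,7 @@
 $ORIGIN kleen.consulting.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013000 ; serial
+2023013001 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -71,3 +71,5 @@ mta-sts IN AAAA 2a03:4000:52:ada::
 mta-sts IN MX 0 mailin.kleen.consulting.
 mta-sts IN TXT "v=spf1 redirect=kleen.consulting"
 _acme-challenge.mta-sts IN NS ns.yggdrasil.li.
+
+mta-sts IN HTTPS 1 . alpn="h2,h3"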
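Review bot: The new `mta-sts IN HTTPS 1 . alpn="h2,h3"` record at line 75 advertises HTTP/3 for this name, which only holds while the matching nginx vhost has `http3 = true` and udp/443 is accepted in ruleset.nft; both are changed in this same commit, but nothing in the zone ties the three together, so a comment next to the record would help: `; advertises h2/h3 (RFC 9460); keep in sync with the nginx http3 setting and the udp/443 nft rule`. Clients that honour HTTPS records also treat the name as HTTPS-only and upgrade plain http:// requests before the server's redirect, which is consistent with `forceSSL` on the vhost. The same note applies to the HTTPS records added in email.bouncy.soa, li.141.soa, li.synapse.soa and li.yggdrasil.soa.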
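--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013000 ; serial
+2023013002 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -69,6 +69,8 @@ spm IN MX 0 mailin.bouncy.email.
 spm IN TXT "v=spf1 redirect=bouncy.email"
 _acme-challenge.spm IN NS ns.yggdrasil.li.
 
+spm IN HTTPS 1 . alpn="h2,h3"
+
 _mta-sts IN TXT "v=STSv1; id=2022100600"
 _smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:postmaster@bouncy.email"
 mta-sts IN A 202.61.241.61
@@ -76,3 +78,5 @@ mta-sts IN AAAA 2a03:4000:52:ada::
 mta-sts IN MX 0 mailin.bouncy.email.
 mta-sts IN TXT "v=spf1 redirect=bouncy.email"
 _acme-challenge.mta-sts IN NS ns.yggdrasil.li.
+
+mta-sts IN HTTPS 1 . alpn="h2,h3"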
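--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013000 ; serial
+2023013001 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -35,6 +35,8 @@ surtr IN TXT "v=spf1 redirect=yggdrasil.li"
 webdav IN CNAME surtr.yggdrasil.li.
 _acme-challenge.webdav IN NS ns.yggdrasil.li.
 
+webdav IN HTTPS 1 . alpn="h2,h3"
+
 ymir IN A 188.68.51.254
 ymir IN AAAA 2a03:4000:6:d004::
 ymir IN MX 0 ymir.yggdrasil.li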
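--- a/hosts/surtr/dns/zones/li.synapse.soa
+++ b/hosts/surtr/dns/zones/li.synapse.soa
@@ -1,7 +1,7 @@
 $ORIGIN synapse.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013000 ; serial
+2023013002 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -23,10 +23,14 @@ $TTL 3600
 
 _matrix._tcp IN SRV 5 0 443 synapse.li.
 
+@ IN HTTPS 1 . alpn="h2,h3"
+
 element IN A 202.61.241.61
 element IN AAAA 2a03:4000:52:ada::
 _acme-challenge.element IN NS ns.yggdrasil.li.
 
+element IN HTTPS 1 . alpn="h2,h3"
+
 turn IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
 turn IN CAA 128 issue "sectigo.com; validationmethods=dns-01"
 turn IN CAA 128 iodef "mailto:caa@yggdrasil.li"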
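--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013000 ; serial
+2023013001 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -59,12 +59,16 @@ etesync IN MX 0 surtr.yggdrasil.li
 etesync IN TXT "v=spf1 redirect=surtr.yggdrasil.li"
 _acme-challenge.etesync IN NS ns.yggdrasil.li.
 
+etesync IN HTTPS 1 . alpn="h2,h3"
+
 app.etesync IN A 202.61.241.61
 app.etesync IN AAAA 2a03:4000:52:ada::
 app.etesync IN MX 0 surtr.yggdrasil.li
 app.etesync IN TXT "v=spf1 redirect=surtr.yggdrasil.li"
 _acme-challenge.app.etesync IN NS ns.yggdrasil.li.
 
+app.etesync IN HTTPS 1 . alpn="h2,h3"
+
 vidhar IN AAAA 2a03:4000:52:ada:4:1::
 vidhar IN MX 0 ymir.yggdrasil.li
 vidhar IN TXT "v=spf1 redirect=yggdrasil.li"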
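--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -716,6 +716,8 @@ in {
 
 virtualHosts = listToAttrs (map (domain: nameValuePair "spm.${domain}" {
 forceSSL = true;
+kTLS = true;
+http3 = true;
 sslCertificate = "/run/credentials/nginx.service/spm.${domain}.pem";
 sslCertificateKey = "/run/credentials/nginx.service/spm.${domain}.key.pem";
 extraConfig = ''
@@ -734,6 +736,8 @@ in {
 };
 }) spmDomains) // listToAttrs (map (domain: nameValuePair "mta-sts.${domain}" {
 forceSSL = true;
+kTLS = true;
+http3 = true;
 sslCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.pem";
 sslCertificateKey = "/run/credentials/nginx.service/mta-sts.${domain}.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.chain.pem";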
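Review bot: The new `kTLS = true;` / `http3 = true;` pair is placed differently in every vhost this commit touches: after `forceSSL` here (lines 719-720 and 739-740) and in http/webdav/default.nix, before `forceSSL` in etebase/default.nix, and after `sslTrustedCertificate` in matrix/default.nix. Keeping one order — for example `forceSSL`, `kTLS`, `http3`, then the certificate paths — makes it much easier to spot a vhost that still lacks the pair, which matters because `http3 = true` is also what decides which names should carry the `alpn="h2,h3"` HTTPS records added to the zone files. Both `virtualHosts` expressions start and end outside the hunks.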
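--- a/hosts/surtr/etebase/default.nix
+++ b/hosts/surtr/etebase/default.nix
@@ -50,6 +50,8 @@
 
 virtualHosts = {
 "etesync.yggdrasil.li" = {
+kTLS = true;
+http3 = true;
 forceSSL = true;
 sslCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/etesync.yggdrasil.li.key.pem";
@@ -81,6 +83,8 @@
 };
 
 "app.etesync.yggdrasil.li" = {
+kTLS = true;
+http3 = true;
 forceSSL = true;
 sslCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.key.pem";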
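--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -7,7 +7,7 @@
 config = {
 services.nginx = {
 enable = true;
-# package = pkgs.nginxQuic;
+package = pkgs.nginxQuic;
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;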
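Review bot: `package = pkgs.nginxQuic;` at line 10 moves every vhost on this host — including the MTA-STS policy hosts and the Matrix endpoint — onto the separate QUIC build of nginx, which, if I read the nixpkgs of that period correctly, tracked a development branch and was linked against a different TLS library than the default package; that deserves a comment stating why and what to watch: `# QUIC build, needed for the http3 = true vhosts; follows a different branch/TLS library than pkgs.nginx, so check advisories for it separately`. The hunk does not show whether `recommendedTlsSettings` and the `sslTrustedCertificate`/OCSP options behave identically under that build, so comparing `nginx -T` output before and after the switch is a cheap check. The `services.nginx` attribute set continues outside the hunk.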
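--- a/hosts/surtr/http/webdav/default.nix
+++ b/hosts/surtr/http/webdav/default.nix
@@ -36,6 +36,8 @@ in {
 
 virtualHosts."webdav.141.li" = {
 forceSSL = true;
+kTLS = true;
+http3 = true;
 sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";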
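--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -151,6 +151,8 @@ with lib;
 sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
+kTLS = true;
+http3 = true;
 listen = [
 { addr = "0.0.0.0"; port = 443; ssl = true; }
 { addr = "[::0]"; port = 443; ssl = true; }
@@ -199,6 +201,8 @@ with lib;
 
 virtualHosts."element.synapse.li" = {
 forceSSL = true;
+kTLS = true;
+http3 = true;
 sslCertificate = "/run/credentials/nginx.service/element.synapse.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";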
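Review bot: `http3 = true;` at line 155 is set on a vhost with an explicit `listen` list (lines 156-158, continuing outside the hunk) whose visible entries only describe TCP 443 with `ssl = true`; whether the NixOS module emits the matching `quic`/`http3` listener for user-supplied `listen` entries depends on the module version, so check `nginx -T` for a UDP 443 listener after deploying — otherwise the `@ IN HTTPS 1 . alpn="h2,h3"` record added to li.synapse.soa advertises a transport nothing answers on and clients pay a fallback delay on every first connection. Federation peers resolve the `_matrix._tcp` SRV record and, as far as I know, do not consult HTTPS records, so h3 here only affects browser and client-API traffic; a short comment on the vhost recording that expectation would help the next reader. The enclosing vhost definition starts before the first hunk.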
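--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -171,6 +171,7 @@ table inet filter {
 udp dport 53 counter name dns-rx accept
 
 tcp dport {80, 443, 8448} counter name http-rx accept
+udp dport {443, 8448} counter name http-rx accept
 
 tcp dport {3478, 5349} counter name stun-rx accept
 udp dport {3478, 5349} counter name stun-rx accept
@@ -215,7 +216,8 @@ table inet filter {
 meta protocol ip6 udp sport {51821, 51822} counter name wg-tx
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
 
-tcp sport {80,443,8448} counter name http-tx accept
+tcp sport {80, 443, 8448} counter name http-tx accept
+udp sport {443, 8448} counter name http-tx accept
 
 tcp sport {3478, 5349} counter name stun-tx accept
 udp sport {3478, 5349} counter name stun-tx accept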
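Review bot: `udp dport {443, 8448} counter name http-rx accept` at line 174 opens UDP 8448 inbound, but the only QUIC-capable listeners visible in this commit bind port 443 (matrix/default.nix lines 157-158); unless a vhost outside these hunks listens on UDP 8448, the rule can be narrowed to `udp dport 443 counter name http-rx accept`, with the mirrored rule at line 220 reduced to `udp sport 443 counter name http-tx accept`, so the firewall only admits what nginx actually serves. If there is no earlier `ct state` rule in this chain (not visible here), the udp accept also means unsolicited datagrams to those ports are counted under `http-rx`, so that counter should not be read as served traffic. Both chains start and end outside the hunks.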