author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-01-30 16:09:43 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-01-30 16:19:44 +0100 |
commit | 68645f75136d6e82bfb7e27b50c531d1b416c4d5 (patch) | |
tree | 12f4804798ad4c78507b05f5e3573a11c7ab8b0c | |
parent | 5915a25064e01c38c49787322ca1309d0da0386a (diff) | |
...
-rw-r--r-- | hosts/surtr/dns/zones/consulting.kleen.soa | 4 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/email.bouncy.soa | 6 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/li.141.soa | 4 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/li.synapse.soa | 6 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/li.yggdrasil.soa | 6 | ||||
-rw-r--r-- | hosts/surtr/email/default.nix | 4 | ||||
-rw-r--r-- | hosts/surtr/etebase/default.nix | 4 | ||||
-rw-r--r-- | hosts/surtr/http/default.nix | 2 | ||||
-rw-r--r-- | hosts/surtr/http/webdav/default.nix | 2 | ||||
-rw-r--r-- | hosts/surtr/matrix/default.nix | 4 | ||||
-rw-r--r-- | hosts/surtr/ruleset.nft | 4 |
11 files changed, 39 insertions, 7 deletions
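--- a/hosts/surtr/dns/zones/consulting.kleen.soa
+++ b/hosts/surtr/dns/zones/consulting.kleen.soa
@@ -1,7 +1,7 @@
 $ORIGIN kleen.consulting.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013000 ; serial
+2023013001 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -71,3 +71,5 @@ mta-sts IN AAAA 2a03:4000:52:ada::
 mta-sts IN MX 0 mailin.kleen.consulting.
 mta-sts IN TXT "v=spf1 redirect=kleen.consulting"
 _acme-challenge.mta-sts IN NS ns.yggdrasil.li.
+
+mta-sts IN HTTPS 1 . alpn="h2,h3"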
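Review bot: The new `mta-sts IN HTTPS 1 . alpn="h2,h3"` record says nothing about what it depends on, and the same applies to the HTTPS records added in email.bouncy.soa, li.synapse.soa and li.yggdrasil.soa in this commit. Once published, resolvers and browsers that honour HTTPS records will try QUIC on UDP 443 for this name before falling back, so the record is coupled to the nginx `http3` listener and the UDP 443 rule in ruleset.nft that this same commit introduces. A trailing comment such as `; advertises HTTP/3 -- requires the nginx http3 listener and udp/443 in ruleset.nft` would make that dependency visible where an operator debugging a QUIC failure will look first. Removing the record is also the cheapest way to switch clients back to TCP if the QUIC build misbehaves, which is worth stating next to it.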
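--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013000 ; serial
+2023013002 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -69,6 +69,8 @@ spm IN MX 0 mailin.bouncy.email.
 spm IN TXT "v=spf1 redirect=bouncy.email"
 _acme-challenge.spm IN NS ns.yggdrasil.li.
 
+spm IN HTTPS 1 . alpn="h2,h3"
+
 _mta-sts IN TXT "v=STSv1; id=2022100600"
 _smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:postmaster@bouncy.email"
 mta-sts IN A 202.61.241.61
@@ -76,3 +78,5 @@ mta-sts IN AAAA 2a03:4000:52:ada::
 mta-sts IN MX 0 mailin.bouncy.email.
 mta-sts IN TXT "v=spf1 redirect=bouncy.email"
 _acme-challenge.mta-sts IN NS ns.yggdrasil.li.
+
+mta-sts IN HTTPS 1 . alpn="h2,h3"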
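--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013000 ; serial
+2023013001 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -35,6 +35,8 @@ surtr IN TXT "v=spf1 redirect=yggdrasil.li"
 webdav IN CNAME surtr.yggdrasil.li.
 _acme-challenge.webdav IN NS ns.yggdrasil.li.
 
+webdav IN HTTPS 1 . alpn="h2,h3"
+
 ymir IN A 188.68.51.254
 ymir IN AAAA 2a03:4000:6:d004::
 ymir IN MX 0 ymir.yggdrasil.li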
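Review bot: `webdav IN HTTPS 1 . alpn="h2,h3"` is added at an owner name that already holds `webdav IN CNAME surtr.yggdrasil.li.` two lines above in the same hunk; RFC 1034 and RFC 2181 forbid any other record type alongside a CNAME at the same name, so most authoritative servers will refuse to load or serve the zone ("CNAME and other data"). Either the HTTPS record belongs at the CNAME target, or `webdav` should get explicit A/AAAA records in place of the CNAME, which is how the other zones in this commit carry their HTTPS-bearing names. Until the zone loads again, the serial bump to 2023013001 in the first hunk will not propagate either, so this blocks the whole zone rather than just the new record.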
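--- a/hosts/surtr/dns/zones/li.synapse.soa
+++ b/hosts/surtr/dns/zones/li.synapse.soa
@@ -1,7 +1,7 @@
 $ORIGIN synapse.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013000 ; serial
+2023013002 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -23,10 +23,14 @@ $TTL 3600
 
 _matrix._tcp IN SRV 5 0 443 synapse.li.
 
+@ IN HTTPS 1 . alpn="h2,h3"
+
 element IN A 202.61.241.61
 element IN AAAA 2a03:4000:52:ada::
 _acme-challenge.element IN NS ns.yggdrasil.li.
 
+element IN HTTPS 1 . alpn="h2,h3"
+
 turn IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
 turn IN CAA 128 issue "sectigo.com; validationmethods=dns-01"
 turn IN CAA 128 iodef "mailto:caa@yggdrasil.li"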
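--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013000 ; serial
+2023013001 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -59,12 +59,16 @@ etesync IN MX 0 surtr.yggdrasil.li
 etesync IN TXT "v=spf1 redirect=surtr.yggdrasil.li"
 _acme-challenge.etesync IN NS ns.yggdrasil.li.
 
+etesync IN HTTPS 1 . alpn="h2,h3"
+
 app.etesync IN A 202.61.241.61
 app.etesync IN AAAA 2a03:4000:52:ada::
 app.etesync IN MX 0 surtr.yggdrasil.li
 app.etesync IN TXT "v=spf1 redirect=surtr.yggdrasil.li"
 _acme-challenge.app.etesync IN NS ns.yggdrasil.li.
 
+app.etesync IN HTTPS 1 . alpn="h2,h3"
+
 vidhar IN AAAA 2a03:4000:52:ada:4:1::
 vidhar IN MX 0 ymir.yggdrasil.li
 vidhar IN TXT "v=spf1 redirect=yggdrasil.li"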
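--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -716,6 +716,8 @@ in {
 
 virtualHosts = listToAttrs (map (domain: nameValuePair "spm.${domain}" {
 forceSSL = true;
+kTLS = true;
+http3 = true;
 sslCertificate = "/run/credentials/nginx.service/spm.${domain}.pem";
 sslCertificateKey = "/run/credentials/nginx.service/spm.${domain}.key.pem";
 extraConfig = ''
@@ -734,6 +736,8 @@ in {
 };
 }) spmDomains) // listToAttrs (map (domain: nameValuePair "mta-sts.${domain}" {
 forceSSL = true;
+kTLS = true;
+http3 = true;
 sslCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.pem";
 sslCertificateKey = "/run/credentials/nginx.service/mta-sts.${domain}.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.chain.pem";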
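Review bot: The pair `kTLS = true; http3 = true;` is pasted verbatim into seven vhosts across this file, etebase/default.nix, http/webdav/default.nix and matrix/default.nix, and sits in a different position each time (before `forceSSL` in etebase, after `sslTrustedCertificate` in the synapse.li vhost). A single shared attribute set in the host's nginx configuration, e.g. a constructed `quicHost = { forceSSL = true; kTLS = true; http3 = true; };` merged with `//` into each vhost, would keep the decision in one place and make it a one-line change to back out if the QUIC build misbehaves. Separately, if the NixOS `http3` option emits an `Alt-Svc` header through `add_header` at server scope (this depends on the module version in use and should be confirmed with `nginx -T`), any `add_header` inside the `extraConfig` that begins at the end of the first hunk will shadow it for that context, which would silently leave HTTP/1.1 and h2 clients without the h3 hint. Both vhost definitions continue past the hunks, so the rest of their bodies is not visible here.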
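--- a/hosts/surtr/etebase/default.nix
+++ b/hosts/surtr/etebase/default.nix
@@ -50,6 +50,8 @@
 
 virtualHosts = {
 "etesync.yggdrasil.li" = {
+kTLS = true;
+http3 = true;
 forceSSL = true;
 sslCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/etesync.yggdrasil.li.key.pem";
@@ -81,6 +83,8 @@
 };
 
 "app.etesync.yggdrasil.li" = {
+kTLS = true;
+http3 = true;
 forceSSL = true;
 sslCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.key.pem";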
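--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -7,7 +7,7 @@
 config = {
 services.nginx = {
 enable = true;
-# package = pkgs.nginxQuic;
+package = pkgs.nginxQuic;
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;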
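Review bot: `package = pkgs.nginxQuic;` is uncommented without recording why, and the previous commented-out line gave no reason either; since this swaps the production web server for a package of nginx's QUIC development branch (built, if the nixpkgs definition of that era matches my recollection, against a QUIC-capable TLS library rather than the default OpenSSL), a comment such as `# QUIC branch: required for http3 = true on the vhosts; revert to the default package to drop HTTP/3` belongs here. It is also worth stating in that comment that both `kTLS` and `http3` degrade silently when the build, the TLS library or the kernel lacks support, so the intended state should be verified after deploy rather than assumed (`nginx -T` for the http3 listen lines, and the `tls` kernel module being loaded for kTLS). The `services.nginx` attribute set continues past the hunk.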
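--- a/hosts/surtr/http/webdav/default.nix
+++ b/hosts/surtr/http/webdav/default.nix
@@ -36,6 +36,8 @@ in {
 
 virtualHosts."webdav.141.li" = {
 forceSSL = true;
+kTLS = true;
+http3 = true;
 sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";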
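--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -151,6 +151,8 @@ with lib;
 sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
+kTLS = true;
+http3 = true;
 listen = [
 { addr = "0.0.0.0"; port = 443; ssl = true; }
 { addr = "[::0]"; port = 443; ssl = true; }
@@ -199,6 +201,8 @@ with lib;
 
 virtualHosts."element.synapse.li" = {
 forceSSL = true;
+kTLS = true;
+http3 = true;
 sslCertificate = "/run/credentials/nginx.service/element.synapse.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";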
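Review bot: The first hunk sets `http3 = true` on a vhost that carries an explicit `listen` list; whether the NixOS nginx module emits a QUIC listener for every `ssl = true` entry of an explicit list, rather than only for the listeners it generates itself, depends on the module version in use and should be confirmed from `nginx -T` before relying on it. If it does not, the `@ IN HTTPS 1 . alpn="h2,h3"` record added to li.synapse.soa and the new UDP 443/8448 rules in ruleset.nft advertise and open a transport nothing binds; clients fall back to TCP, but silently. The `listen` list continues past the hunk, so whether it also contains the 8448 federation entries that the `udp dport {443, 8448}` rule assumes is not visible here, and a short comment on the `http3` line naming that assumption would help the next reader.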
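--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -171,6 +171,7 @@ table inet filter {
 udp dport 53 counter name dns-rx accept
 
 tcp dport {80, 443, 8448} counter name http-rx accept
+udp dport {443, 8448} counter name http-rx accept
 
 tcp dport {3478, 5349} counter name stun-rx accept
 udp dport {3478, 5349} counter name stun-rx accept
@@ -215,7 +216,8 @@ table inet filter {
 meta protocol ip6 udp sport {51821, 51822} counter name wg-tx
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
 
-tcp sport {80,443,8448} counter name http-tx accept
+tcp sport {80, 443, 8448} counter name http-tx accept
+udp sport {443, 8448} counter name http-tx accept
 
 tcp sport {3478, 5349} counter name stun-tx accept
 udp sport {3478, 5349} counter name stun-tx accept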
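Review bot: The new `udp dport {443, 8448}` and `udp sport {443, 8448}` rules carry no comment tying them to the QUIC listeners, and unlike the TCP set the reason UDP is open on HTTP ports is not self-evident; a `# QUIC (HTTP/3) for the nginx http3 vhosts` comment on each would record it. Because QUIC has no handshake the kernel can track before payload arrives, these rules admit unsolicited UDP straight to nginx's QUIC socket; nginx's implementation applies the protocol's anti-amplification limit itself, but if this chain has a rate-limit or `ct state` prefix convention elsewhere (not visible in the hunk), the UDP rules should follow it. UDP 8448 is only meaningful if the synapse.li federation listener also gets a QUIC listen, which depends on how the explicit `listen` list in matrix/default.nix is expanded; until that is confirmed the 8448 entry is an open port with nothing behind it. The enclosing chain starts and ends outside both hunks.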