summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2022-02-22 10:48:18 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-02-22 10:48:18 +0100
commit9ed4c08d8c03f8d12586c25cddc33da92a20c218 (patch)
tree961619e42ede6ba7115ffd25d104fc0d8a11684e
parent4a037a644a1ec9c85e28f5430da79ef5292e6afc (diff)
downloadnixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar
nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar.gz
nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar.bz2
nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar.xz
nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.zip
surtr: tls/dns: rfc2136 for rheperire.org
-rw-r--r--hosts/surtr/default.nix2
-rw-r--r--hosts/surtr/dns/default.nix44
-rw-r--r--hosts/surtr/dns/keys/.sops.yaml3
-rw-r--r--hosts/surtr/dns/keys/rheperire.org_acme.yaml38
-rw-r--r--hosts/surtr/tls/default.nix (renamed from hosts/surtr/tls.nix)52
-rw-r--r--hosts/surtr/tls/tsig_keys/rheperire.org26
6 files changed, 154 insertions, 11 deletions
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index 30a9e165..add50653 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
2{ 2{
3 imports = with flake.nixosModules.systemProfiles; [ 3 imports = with flake.nixosModules.systemProfiles; [
4 qemu-guest openssh rebuild-machines zfs 4 qemu-guest openssh rebuild-machines zfs
5 ./zfs.nix ./dns ./tls.nix ./http.nix ./bifrost 5 ./zfs.nix ./dns ./tls ./http.nix ./bifrost
6 ]; 6 ];
7 7
8 config = { 8 config = {
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index feb56195..9a72a2c6 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -1,5 +1,18 @@
1{ pkgs, ... }: 1{ pkgs, lib, ... }:
2{ 2
3with lib;
4
5let
6 acmeChallengeZonefile = domain: let
7 reverseDomain = concatStringsSep "." (reverseList ("_acme-challenge" ++ splitString "." domain));
8 in pkgs.writeText "${reverseDomain}.zone" ''
9 $ORIGIN ${domain}.
10 @ 3600 IN SOA _acme-challenge.${domain}. root.yggdrasil.li. 2022022102 7200 3600 86400 300
11 $TTL 300
12
13 IN NS ns.yggdrasil.li.
14 '';
15in {
3 config = { 16 config = {
4 fileSystems."/var/lib/knot" = 17 fileSystems."/var/lib/knot" =
5 { device = "surtr/safe/var-lib-knot"; 18 { device = "surtr/safe/var-lib-knot";
@@ -10,6 +23,9 @@
10 23
11 services.knot = { 24 services.knot = {
12 enable = true; 25 enable = true;
26 keyFiles = [
27 config.sops.secrets."acme_rheperire.org_key".path
28 ];
13 extraConfig = '' 29 extraConfig = ''
14 server: 30 server:
15 listen: 127.0.0.1@53 31 listen: 127.0.0.1@53
@@ -27,6 +43,9 @@
27 - id: inwx_acl 43 - id: inwx_acl
28 address: 185.181.104.96 44 address: 185.181.104.96
29 action: transfer 45 action: transfer
46 - id: rheperire.org_acme_acl
47 key: rheperire.org_acme_key
48 action: update
30 49
31 mod-rrl: 50 mod-rrl:
32 - id: default 51 - id: default
@@ -71,6 +90,15 @@
71 dnssec-policy: ed25519 90 dnssec-policy: ed25519
72 notify: [inwx_notify] 91 notify: [inwx_notify]
73 acl: [inwx_acl] 92 acl: [inwx_acl]
93 - id: acme_zone
94 storage: /var/lib/knot
95 zonefile-sync: -1
96 zonefile-load: difference-no-serial
97 serial-policy: dateserial
98 journal-content: all
99 semantic-checks: on
100 dnssec-signing: on
101 dnssec-policy: ed25519
74 102
75 zone: 103 zone:
76 - domain: yggdrasil.li 104 - domain: yggdrasil.li
@@ -104,9 +132,21 @@
104 - domain: rheperire.org 132 - domain: rheperire.org
105 template: inwx_zone 133 template: inwx_zone
106 file: ${./zones/org.rheperire.soa} 134 file: ${./zones/org.rheperire.soa}
135 - domain: _acme-challenge.rheperire.org
136 template: acme_zone
137 acl: [ rheperire.org_acme_acl ]
138 file: ${acmeChallengeZonefile "rheperire.org"}
107 ''; 139 '';
108 }; 140 };
109 141
142 sops.secrets = {
143 "rheperire.org_acme_key.yaml" = {
144 format = "yaml";
145 owner = "knot";
146 sopsFile = ./keys/rheperire.org_acme.yaml;
147 };
148 };
149
110 150
111 fileSystems."/var/lib/unbound" = 151 fileSystems."/var/lib/unbound" =
112 { device = "surtr/local/var-lib-unbound"; 152 { device = "surtr/local/var-lib-unbound";
diff --git a/hosts/surtr/dns/keys/.sops.yaml b/hosts/surtr/dns/keys/.sops.yaml
new file mode 100644
index 00000000..4f536273
--- /dev/null
+++ b/hosts/surtr/dns/keys/.sops.yaml
@@ -0,0 +1,3 @@
1creation_rules:
2 - path_regex: "\\.yaml$"
3 unencrypted_regex: "^(id|algorithm)$"
diff --git a/hosts/surtr/dns/keys/rheperire.org_acme.yaml b/hosts/surtr/dns/keys/rheperire.org_acme.yaml
new file mode 100644
index 00000000..16f6d19e
--- /dev/null
+++ b/hosts/surtr/dns/keys/rheperire.org_acme.yaml
@@ -0,0 +1,38 @@
1#ENC[AES256_GCM,data:exIBsQRSUnOhewl0P3WCqktpjsdFFIJ610rodabSsbKK/XF/0WwRU2ErAyv3wlmtXUJMY3jSugkzbRmnND9GIrj6n8M20BVoOeXzUA==,iv:SJBizi+kSa80964nQ78+43sapNDTGifSiV1kOheuujk=,tag:j4eowYRr4cmwUzXGwm3CAA==,type:comment]
2key:
3 - id: rheperire.org_acme
4 algorithm: hmac-sha256
5 secret: ENC[AES256_GCM,data:rgw4nQczDhEeI5JMl1fJA3HX5ZVBpjTQEEk2pkA3c9M1CWYpFvzFRtCAxe8=,iv:Y0G3+A161Lefpwknm+S2jj8rTfm/jlrP+pnR3vR6/mk=,tag:IHsCnkIU2p3hCmRokecbtw==,type:str]
6sops:
7 kms: []
8 gcp_kms: []
9 azure_kv: []
10 hc_vault: []
11 age: []
12 lastmodified: "2022-02-22T09:17:59Z"
13 mac: ENC[AES256_GCM,data:tYWQT6iDQGsYm4zCtNbqvZhIYIMm3+Q9faRbqVpeERdq3oJlEvKIL3MAP2fj6789EbCKf/6zdah5HzYK9k4RsZWxtPfqxYXZp7gWvWwKwm5MRZfQtYzR7ThhD/8QANJKLVffl+PknJqhUYsUq9aeYTbLnyuR2AHY1WkR/fPwcLg=,iv:wGmozslNHE1dc4tpmNVGQJw2hhojB4L3gf7qu963ItA=,tag:4WrPw6biusQDV1OTWmXv6Q==,type:str]
14 pgp:
15 - created_at: "2022-02-22T09:17:59Z"
16 enc: |
17 -----BEGIN PGP MESSAGE-----
18
19 hF4DyFKFNkTVG5oSAQdAcxKwhh0Poivpl/A7YU53ab+rMWLWKRpeUSwehL6LPEMw
20 zv+AtmWUPtAL1GpyruFTYoT0P7CJ/PJLYYUDZPH/4oNcaU+5XiBi6sj3svWH5HQE
21 0l4BBkvxjYvgPNYSw68AJz/AlzRig4SL7q1VwaYH9w+UWnpwK2CeIZSn11lzDdcj
22 8jUZK34aJFFcGWBM2ZKEtQDm3n5B2nRxwb5kLjqwith5zczJ289VNPDmnlVRU4BA
23 =i8zc
24 -----END PGP MESSAGE-----
25 fp: 7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8
26 - created_at: "2022-02-22T09:17:59Z"
27 enc: |
28 -----BEGIN PGP MESSAGE-----
29
30 hF4DXxoViZlp6dISAQdALxbhftpZmVeTmFU8ujPPR5w0Z8ljkZbI8SHAWmC2QEIw
31 iTS491iicbH7kzF+l3SZZ1XAFn9p4ZjQyZNeOHXD/q1KXxCWGn3UTRSbXlgzzmKZ
32 0l4BSZpnpgmEgLospl5mS6smVEO58Q3XXjVTQVKAjQaxD9Oe1DRCgW4kOq4xKGWS
33 xF55QHP3bPt5ziF2nwF+Gs28HW4UzAFVcr7r7Bz9CxwHixFx5qjvzAWh+Pp+TdY0
34 =hSUL
35 -----END PGP MESSAGE-----
36 fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
37 unencrypted_regex: ^(id|algorithm)$
38 version: 3.7.1
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls/default.nix
index 2ff26e35..a1548feb 100644
--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls/default.nix
@@ -1,8 +1,12 @@
1{ config, lib, pkgs, ... }: 1{ config, lib, customUtils, pkgs, ... }:
2 2
3with lib; 3with lib;
4 4
5let 5let
6 inherit (customUtils) mapFilterAttrs;
7
8 tsigSecretName = domain: "${domain}_tsig-secret";
9
6 cfg = config.security.acme; 10 cfg = config.security.acme;
7 knotCfg = config.services.knot; 11 knotCfg = config.services.knot;
8 12
@@ -94,16 +98,48 @@ in {
94 }; 98 };
95 certs = 99 certs =
96 let 100 let
97 domainAttrset = domain: { 101 domainAttrset = domain: let
98 inherit domain; 102 tsigPath = ./tsig_keys + "/${domain}";
99 extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}"; 103 tsigSecret = config.sops.secrets.${tsigSecretName domain};
100 dnsProvider = "exec"; 104 isTsig = pathExists tsigPath;
101 credentialsFile = knotDNSCredentials domain; 105 shared = {
102 dnsResolver = "1.1.1.1:53"; 106 inherit domain;
103 } // cfg.domains.${domain}.certCfg; 107 extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
108 dnsResolver = "127.0.0.1:5353";
109 };
110 mkKnotc = shared // {
111 dnsProvider = "exec";
112 credentialsFile = knotDNSCredentials domain;
113 };
114 mkRFC2136 = let
115 tsigInfo = readYaml tsigPath;
116 in shared // {
117 dnsProvider = "rfc2136";
118 credentialsFile = pkgs.writeText "${domain}_credentials.env" ''
119 RFC2136_NAMESERVER=127.0.0.1:53
120 RFC2136_TSIG_ALGORITHM=hmac-sha256.
121 RFC2136_TSIG_KEY=${domain}_acme
122 RFC2136_TSIG_SECRET_FILE=${tsigSecret.path}
123 RFC2136_PROPAGATION_TIMEOUT=300
124 RFC2136_POLLING_INTERVAL=5
125 RFC2136_TTL=300
126 '';
127 };
128 in // cfg.domains.${domain}.certCfg;
104 in genAttrs (attrNames cfg.domains) domainAttrset; 129 in genAttrs (attrNames cfg.domains) domainAttrset;
105 }; 130 };
106 131
132 sops.secrets = let
133 toTSIGSecret = n: v:
134 if v == "regular" || v == "symlink"
135 then nameValuePair (tsigSecretName n) {
136 format = "binary";
137 owner = if config.security.acme.useRoot then "root" else "acme";
138 group = "acme";
139 sopsFile = ./tsig_keys + "/${n}";
140 } else null;
141 in mapFilterAttrs (_: v: v != null) toTSIGSecret (readDir ./tsig_keys);
142
107 systemd.services = 143 systemd.services =
108 let 144 let
109 serviceAttrset = domain: { 145 serviceAttrset = domain: {
diff --git a/hosts/surtr/tls/tsig_keys/rheperire.org b/hosts/surtr/tls/tsig_keys/rheperire.org
new file mode 100644
index 00000000..1f3dc4a4
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/rheperire.org
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:Lb1IWtwPdBxeXGrOr74MlR7lKBMIg2ix3enRMVN4MPEDh7CIFv1nhAfLCDU=,iv:TcyGtcKEL7yUXgHrfJ5pDjl8r5V7ltYQw2wcnsFN1bc=,tag:gBaYj6MkQKvD/uO+Pudnzg==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2022-02-22T09:46:27Z",
10 "mac": "ENC[AES256_GCM,data:vtymuSymOeh34ZbAumxCEcemtI0UFBoQwj4axpKf7AzVnQOubWYxPI5x23CiOE12Y+FThg1dYEnDWlkkQjMVWQvcJzfP1g25S98MuZ42E9R0nBxGzTrIaKS7kgNAriYDy8ib7Z3DUbajEGfvLLazCdHu3g9gE0dLewKcUTHaXwM=,iv:j8vS2Ej58HLf+CP9fe1rN+4UuniGlv/0M+Zzt3nlk5I=,tag:xn33GGm2knsIdH+EJ1zDcA==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2022-02-22T09:46:26Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA1++YsCSiRkVGoVF6uvYeY7JjZjsdjAUwubCF3fLDtS8w\nHFSQltgrqkul1Ei1fUFQqFbSpMSfBQhk0kMH0Xuk5SoDd1lWumqTP9gaJj/CM+yz\n0l4BHiQ4Ktyc01f127Az36nQZGKdJvL9etQAceNtNM7Y4XkLQ78OXFJoERrf81s/\n4wm5za7xqEBE1oE0QWAelzyjBqxI1iCjDl3p6heUdhqlcvAifXgqAk0qxq/4T4FG\n=2Bwl\n-----END PGP MESSAGE-----\n",
15 "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
16 },
17 {
18 "created_at": "2022-02-22T09:46:26Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA4jg570qc5Zu3yAJPmjf11r20eYMyjAeEWw/RreZga3Uw\nmTy2jo/de11m3r/aIxp0Q/vFZ1m4JGeoIzIgQxGnhX0s0NpfCbCih0P7UMjZRatC\n0l4BCzWq7c0A2GbjPq+aKF2IYfQV5gdwjgCAJO3Oylb/SAltwnyGChANw4ckUCjV\n9DWYIcerMP2scxpjf5nJXpHNMjpGR7fcqS71PoVoJoActMqrG0deOMUSUEOVP8nR\n=+ux+\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file