surtr: tls/dns: rfc2136 for rheperire.org

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-22 10:48:18 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-22 10:48:18 +0100
commit: 9ed4c08d8c03f8d12586c25cddc33da92a20c218 (patch)
tree: 961619e42ede6ba7115ffd25d104fc0d8a11684e /hosts/surtr/dns/default.nix
parent: 4a037a644a1ec9c85e28f5430da79ef5292e6afc (diff)
download: nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar
nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar.gz
nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar.bz2
nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar.xz
nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.zip
1 files changed, 42 insertions, 2 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index feb56195..9a72a2c6 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -1,5 +1,18 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
-{
+with lib;
+let
+  acmeChallengeZonefile = domain: let
+    reverseDomain = concatStringsSep "." (reverseList ("_acme-challenge" ++ splitString "." domain));
+  in pkgs.writeText "${reverseDomain}.zone" ''
+    $ORIGIN ${domain}.
+    @ 3600 IN SOA _acme-challenge.${domain}. root.yggdrasil.li. 2022022102 7200 3600 86400 300
+    $TTL 300
+         IN NS ns.yggdrasil.li.
+  '';
+in {
  config = {
    fileSystems."/var/lib/knot" =
      { device = "surtr/safe/var-lib-knot";
@@ -10,6 +23,9 @@
    
    services.knot = {
      enable = true;
+      keyFiles = [
+        config.sops.secrets."acme_rheperire.org_key".path
+      ];
      extraConfig = ''
        server:
          listen: 127.0.0.1@53
@@ -27,6 +43,9 @@
          - id: inwx_acl
            address: 185.181.104.96
            action: transfer
+          - id: rheperire.org_acme_acl
+            key: rheperire.org_acme_key
+            action: update
        mod-rrl:
          - id: default
@@ -71,6 +90,15 @@
            dnssec-policy: ed25519
            notify: [inwx_notify]
            acl: [inwx_acl]
+          - id: acme_zone
+            storage: /var/lib/knot
+            zonefile-sync: -1
+            zonefile-load: difference-no-serial
+            serial-policy: dateserial
+            journal-content: all
+            semantic-checks: on
+            dnssec-signing: on
+            dnssec-policy: ed25519
        zone:
          - domain: yggdrasil.li
@@ -104,9 +132,21 @@
          - domain: rheperire.org
            template: inwx_zone
            file: ${./zones/org.rheperire.soa}
+          - domain: _acme-challenge.rheperire.org
+            template: acme_zone
+            acl: [ rheperire.org_acme_acl ]
+            file: ${acmeChallengeZonefile "rheperire.org"}
      '';
    };
+    sops.secrets = {
+      "rheperire.org_acme_key.yaml" = {
+        format = "yaml";
+        owner = "knot";
+        sopsFile = ./keys/rheperire.org_acme.yaml;
+      };
+    };
    fileSystems."/var/lib/unbound" =
      { device = "surtr/local/var-lib-unbound";
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-22 10:48:18 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-22 10:48:18 +0100
commit	9ed4c08d8c03f8d12586c25cddc33da92a20c218 (patch)
tree	961619e42ede6ba7115ffd25d104fc0d8a11684e /hosts/surtr/dns/default.nix
parent	4a037a644a1ec9c85e28f5430da79ef5292e6afc (diff)
download	nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar.gz nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar.bz2 nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar.xz nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.zip

diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index feb56195..9a72a2c6 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix
@@ -1,5 +1,18 @@
1	{ pkgs, ... }:	1	{ pkgs, lib, ... }:
2	{	2
		3	with lib;
		4
		5	let
		6	acmeChallengeZonefile = domain: let
		7	reverseDomain = concatStringsSep "." (reverseList ("_acme-challenge" ++ splitString "." domain));
		8	in pkgs.writeText "${reverseDomain}.zone" ''
		9	$ORIGIN ${domain}.
		10	@ 3600 IN SOA _acme-challenge.${domain}. root.yggdrasil.li. 2022022102 7200 3600 86400 300
		11	$TTL 300
		12
		13	IN NS ns.yggdrasil.li.
		14	'';
		15	in {
3	config = {	16	config = {
4	fileSystems."/var/lib/knot" =	17	fileSystems."/var/lib/knot" =
5	{ device = "surtr/safe/var-lib-knot";	18	{ device = "surtr/safe/var-lib-knot";
@@ -10,6 +23,9 @@
10		23
11	services.knot = {	24	services.knot = {
12	enable = true;	25	enable = true;
		26	keyFiles = [
		27	config.sops.secrets."acme_rheperire.org_key".path
		28	];
13	extraConfig = ''	29	extraConfig = ''
14	server:	30	server:
15	listen: 127.0.0.1@53	31	listen: 127.0.0.1@53
@@ -27,6 +43,9 @@
27	- id: inwx_acl	43	- id: inwx_acl
28	address: 185.181.104.96	44	address: 185.181.104.96
29	action: transfer	45	action: transfer
		46	- id: rheperire.org_acme_acl
		47	key: rheperire.org_acme_key
		48	action: update
30		49
31	mod-rrl:	50	mod-rrl:
32	- id: default	51	- id: default
@@ -71,6 +90,15 @@
71	dnssec-policy: ed25519	90	dnssec-policy: ed25519
72	notify: [inwx_notify]	91	notify: [inwx_notify]
73	acl: [inwx_acl]	92	acl: [inwx_acl]
		93	- id: acme_zone
		94	storage: /var/lib/knot
		95	zonefile-sync: -1
		96	zonefile-load: difference-no-serial
		97	serial-policy: dateserial
		98	journal-content: all
		99	semantic-checks: on
		100	dnssec-signing: on
		101	dnssec-policy: ed25519
74		102
75	zone:	103	zone:
76	- domain: yggdrasil.li	104	- domain: yggdrasil.li
@@ -104,9 +132,21 @@
104	- domain: rheperire.org	132	- domain: rheperire.org
105	template: inwx_zone	133	template: inwx_zone
106	file: ${./zones/org.rheperire.soa}	134	file: ${./zones/org.rheperire.soa}
		135	- domain: _acme-challenge.rheperire.org
		136	template: acme_zone
		137	acl: [ rheperire.org_acme_acl ]
		138	file: ${acmeChallengeZonefile "rheperire.org"}
107	'';	139	'';
108	};	140	};
109		141
		142	sops.secrets = {
		143	"rheperire.org_acme_key.yaml" = {
		144	format = "yaml";
		145	owner = "knot";
		146	sopsFile = ./keys/rheperire.org_acme.yaml;
		147	};
		148	};
		149
110		150
111	fileSystems."/var/lib/unbound" =	151	fileSystems."/var/lib/unbound" =
112	{ device = "surtr/local/var-lib-unbound";	152	{ device = "surtr/local/var-lib-unbound";