author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-22 13:24:29 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-22 13:24:29 +0100 |
commit | f6e32c687607fbc666a41eda574ff1e10a630ece (patch) | |
tree | b6f65088fac4cde37a45be249fa5b6033f390e24 /hosts/surtr/dns | |
parent | 579c228bb7fa946f778fd805eefaff02e1e5b6e9 (diff) | |
...
Diffstat (limited to 'hosts/surtr/dns')
-rw-r--r-- | hosts/surtr/dns/default.nix | 16 | ||||
-rw-r--r-- | hosts/surtr/dns/keys/webdav.141.li_acme.yaml | 26 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/li.141.soa | 3 |
3 files changed, 43 insertions, 2 deletions
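--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -25,6 +25,7 @@ in {
 enable = true;
 keyFiles = [
 config.sops.secrets."rheperire.org_acme_key.yaml".path
+config.sops.secrets."webdav.141.li_acme_key.yaml".path
 config.sops.secrets."knot_local_key.yaml".path
 ];
 extraConfig = ''
@@ -50,6 +51,9 @@ in {
 - id: rheperire.org_acme_acl
 key: rheperire.org_acme_key
 action: update
+- id: webdav.141.li_acme_acl
+key: webdav.141.li_acme_key
+action: update
 - id: local_acl
 key: local_key
 action: update
@@ -130,7 +134,12 @@ in {
 
 - domain: 141.li
 template: inwx_zone
+acl: [local_acl, inwx_acl]
 file: ${./zones/li.141.soa}
+- domain: _acme-challenge.webdav.141.li
+template: acme_zone
+acl: [webdav.141.li_acme_acl]
+file: ${acmeChallengeZonefile "webdav.141.li"}
 
 - domain: kleen.li
 template: inwx_zone
@@ -150,8 +159,8 @@ in {
 
 - domain: rheperire.org
 template: inwx_zone
-file: ${./zones/org.rheperire.soa}
 acl: [local_acl, inwx_acl]
+file: ${./zones/org.rheperire.soa}
 - domain: _acme-challenge.rheperire.org
 template: acme_zone
 acl: [rheperire.org_acme_acl]
@@ -165,6 +174,11 @@ in {
 owner = "knot";
 sopsFile = ./keys/rheperire.org_acme.yaml;
 };
+"webdav.141.li_acme_key.yaml" = {
+format = "binary";
+owner = "knot";
+sopsFile = ./keys/webdav.141.li_acme.yaml;
+};
 "knot_local_key.yaml" = {
 format = "binary";
 owner = "knot";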
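Review bot: The new `webdav.141.li_acme_acl` entry in the second hunk grants `action: update` with no limit on record type, so whoever holds `webdav.141.li_acme_key` can rewrite any record in the `_acme-challenge.webdav.141.li` zone, not only the challenge TXT. Knot's ACL section accepts `update-type`, and adding `update-type: [TXT]` under `action: update` would hold the key to what a DNS-01 client needs. The `rheperire.org_acme_acl` entry shown as context has the same shape and could be tightened with it. The `extraConfig` string holding these entries starts and ends outside the hunk, so whether the `acme_zone` template already constrains updates is not visible here.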
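--- /dev/null
+++ b/hosts/surtr/dns/keys/webdav.141.li_acme.yaml
@@ -0,0 +1,26 @@
+{
+"data": "ENC[AES256_GCM,data:WNZ6BAzz5b0mnr2XqVQM82NFuQJz3bBK76DmnA/xvFPLvAmN4tCDzcu4NrdihcpQZ9J5ZiiIynJH1RBB/hd9ut+e/ByHv954XW3o/Ml5gb1Nl6zkCSAb3uxnjTlf5dm9ROWzx+NBLvIt8DELMYuV/NRtRq6w3ZCWbEp/I3N/r/VPhIw7PkagI9QWNkXp0l2qBml/xwxO2HnZxE7WXtphpOfNZtBuWPF49gO2UeVHrsAfxVgtGNmY9IjBExSQDThDJmo8nFUvrLVydQ==,iv:MQHy1Hi2kASjm684tL3JT5xcdc4mrTWjJWCB4adl1Uk=,tag:IzUtLbMoeRu/Km7o3RTxbg==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": null,
+"lastmodified": "2022-02-22T12:22:44Z",
+"mac": "ENC[AES256_GCM,data:tGfEoG8C+zqkBRtfaCNrmuR6dG8kmaRexM6szkSmOsFVgzl3wGsPmVai4rFhgXsozOmt2Lchc01uRqERA+HIkkaMFdVDLWzMEGytEeE1s1JYCVNEc/RmjgeKqxwHuAv5cFGn8ZNZ9JKMF566wUFjjWM/AQffNYCdtSni8tV6eWg=,iv:qoyig97CBgl9X9Z6qbKunu8fvbiiW4uRtErM8nrb9MM=,tag:zFuAbP7ZsEgKGDOo9ACmrw==,type:str]",
+"pgp": [
+{
+"created_at": "2022-02-22T12:22:44Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAEvqLWBZvD3I4xE6W7MKPD9eDGyKa3hpXracLRTHT4hYw\nqy+itvTL207VL0fU8Ve+rmxFjEaMvowFgwWk7+p98thgtbCcUNTxIF4gH2HjSOWS\n0l4Bb3G2vvDhUv1i0AR5WohSdfi5eyQjvt8HqJQ/0hBBwIL4IEcWjpBE+rX/460S\n4gigrXHpgSKZ/i/Aselm6XZhB0jNUf3pZ3pnCQPJpyrLGnFXwCSqB6EaREKU+6BK\n=dSPd\n-----END PGP MESSAGE-----\n",
+"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+},
+{
+"created_at": "2022-02-22T12:22:44Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAWXk1C46X8TTkWhHfTMhgo1KnKlCl8A8lzsAo7mqnpzcw\ncoae53lNWGeoCSfOl5E2oSVCgZzEu5R9kC9aLRJgDushXZ56XtTUUF4ggCHogJqE\n0l4B942HOIlWHSlbfOs1/0R5QPnXC1OQ0E6XEVJmBgnUNB3EG473eCTJeabwlaq8\nNgFlL09go4ISjnlKDIgfQZGI9u1j0PyDJ3MtQTnb2j8kzfbcsGcpSLQRn7kzSsjO\n=x5xi\n-----END PGP MESSAGE-----\n",
+"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+}
+],
+"unencrypted_suffix": "_unencrypted",
+"version": "3.7.1"
+}
+}
\ No newline at end of file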
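--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-2022022102 ; serial
+2022022200 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -31,6 +31,7 @@ surtr IN MX 0 ymir.yggdrasil.li
 surtr IN TXT "v=spf1 redirect=yggdrasil.li"
 
 webdav IN CNAME surtr.yggdrasil.li.
+_acme-challenge.webdav IN NS ns.yggdrasil.li.
 
 ymir IN A 188.68.51.254
 ymir IN AAAA 2a03:4000:6:d004::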
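Review bot: The added `_acme-challenge.webdav IN NS ns.yggdrasil.li.` line in the second hunk has no comment saying why a single label is delegated, so it is easy to mistake for a leftover when the zone is next edited. A one-line comment above it would do, for example `; delegated so the ACME TSIG key can update only the challenge zone (see dns/default.nix)`; that purpose is inferred from the matching `_acme-challenge.webdav.141.li` zone entry in default.nix. The delegation names one server only, and if that is deliberate the same comment is the place to say so.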