diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-22 10:48:18 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-22 10:48:18 +0100 |
commit | 9ed4c08d8c03f8d12586c25cddc33da92a20c218 (patch) | |
tree | 961619e42ede6ba7115ffd25d104fc0d8a11684e /hosts/surtr/dns | |
parent | 4a037a644a1ec9c85e28f5430da79ef5292e6afc (diff) | |
download | nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar.gz nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar.bz2 nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.tar.xz nixos-9ed4c08d8c03f8d12586c25cddc33da92a20c218.zip |
surtr: tls/dns: rfc2136 for rheperire.org
Diffstat (limited to 'hosts/surtr/dns')
-rw-r--r-- | hosts/surtr/dns/default.nix | 44 | ||||
-rw-r--r-- | hosts/surtr/dns/keys/.sops.yaml | 3 | ||||
-rw-r--r-- | hosts/surtr/dns/keys/rheperire.org_acme.yaml | 38 |
3 files changed, 83 insertions, 2 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index feb56195..9a72a2c6 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix | |||
@@ -1,5 +1,18 @@ | |||
1 | { pkgs, ... }: | 1 | { pkgs, lib, ... }: |
2 | { | 2 | |
3 | with lib; | ||
4 | |||
5 | let | ||
6 | acmeChallengeZonefile = domain: let | ||
7 | reverseDomain = concatStringsSep "." (reverseList ("_acme-challenge" ++ splitString "." domain)); | ||
8 | in pkgs.writeText "${reverseDomain}.zone" '' | ||
9 | $ORIGIN ${domain}. | ||
10 | @ 3600 IN SOA _acme-challenge.${domain}. root.yggdrasil.li. 2022022102 7200 3600 86400 300 | ||
11 | $TTL 300 | ||
12 | |||
13 | IN NS ns.yggdrasil.li. | ||
14 | ''; | ||
15 | in { | ||
3 | config = { | 16 | config = { |
4 | fileSystems."/var/lib/knot" = | 17 | fileSystems."/var/lib/knot" = |
5 | { device = "surtr/safe/var-lib-knot"; | 18 | { device = "surtr/safe/var-lib-knot"; |
@@ -10,6 +23,9 @@ | |||
10 | 23 | ||
11 | services.knot = { | 24 | services.knot = { |
12 | enable = true; | 25 | enable = true; |
26 | keyFiles = [ | ||
27 | config.sops.secrets."acme_rheperire.org_key".path | ||
28 | ]; | ||
13 | extraConfig = '' | 29 | extraConfig = '' |
14 | server: | 30 | server: |
15 | listen: 127.0.0.1@53 | 31 | listen: 127.0.0.1@53 |
@@ -27,6 +43,9 @@ | |||
27 | - id: inwx_acl | 43 | - id: inwx_acl |
28 | address: 185.181.104.96 | 44 | address: 185.181.104.96 |
29 | action: transfer | 45 | action: transfer |
46 | - id: rheperire.org_acme_acl | ||
47 | key: rheperire.org_acme_key | ||
48 | action: update | ||
30 | 49 | ||
31 | mod-rrl: | 50 | mod-rrl: |
32 | - id: default | 51 | - id: default |
@@ -71,6 +90,15 @@ | |||
71 | dnssec-policy: ed25519 | 90 | dnssec-policy: ed25519 |
72 | notify: [inwx_notify] | 91 | notify: [inwx_notify] |
73 | acl: [inwx_acl] | 92 | acl: [inwx_acl] |
93 | - id: acme_zone | ||
94 | storage: /var/lib/knot | ||
95 | zonefile-sync: -1 | ||
96 | zonefile-load: difference-no-serial | ||
97 | serial-policy: dateserial | ||
98 | journal-content: all | ||
99 | semantic-checks: on | ||
100 | dnssec-signing: on | ||
101 | dnssec-policy: ed25519 | ||
74 | 102 | ||
75 | zone: | 103 | zone: |
76 | - domain: yggdrasil.li | 104 | - domain: yggdrasil.li |
@@ -104,9 +132,21 @@ | |||
104 | - domain: rheperire.org | 132 | - domain: rheperire.org |
105 | template: inwx_zone | 133 | template: inwx_zone |
106 | file: ${./zones/org.rheperire.soa} | 134 | file: ${./zones/org.rheperire.soa} |
135 | - domain: _acme-challenge.rheperire.org | ||
136 | template: acme_zone | ||
137 | acl: [ rheperire.org_acme_acl ] | ||
138 | file: ${acmeChallengeZonefile "rheperire.org"} | ||
107 | ''; | 139 | ''; |
108 | }; | 140 | }; |
109 | 141 | ||
142 | sops.secrets = { | ||
143 | "rheperire.org_acme_key.yaml" = { | ||
144 | format = "yaml"; | ||
145 | owner = "knot"; | ||
146 | sopsFile = ./keys/rheperire.org_acme.yaml; | ||
147 | }; | ||
148 | }; | ||
149 | |||
110 | 150 | ||
111 | fileSystems."/var/lib/unbound" = | 151 | fileSystems."/var/lib/unbound" = |
112 | { device = "surtr/local/var-lib-unbound"; | 152 | { device = "surtr/local/var-lib-unbound"; |
diff --git a/hosts/surtr/dns/keys/.sops.yaml b/hosts/surtr/dns/keys/.sops.yaml new file mode 100644 index 00000000..4f536273 --- /dev/null +++ b/hosts/surtr/dns/keys/.sops.yaml | |||
@@ -0,0 +1,3 @@ | |||
1 | creation_rules: | ||
2 | - path_regex: "\\.yaml$" | ||
3 | unencrypted_regex: "^(id|algorithm)$" | ||
diff --git a/hosts/surtr/dns/keys/rheperire.org_acme.yaml b/hosts/surtr/dns/keys/rheperire.org_acme.yaml new file mode 100644 index 00000000..16f6d19e --- /dev/null +++ b/hosts/surtr/dns/keys/rheperire.org_acme.yaml | |||
@@ -0,0 +1,38 @@ | |||
1 | #ENC[AES256_GCM,data:exIBsQRSUnOhewl0P3WCqktpjsdFFIJ610rodabSsbKK/XF/0WwRU2ErAyv3wlmtXUJMY3jSugkzbRmnND9GIrj6n8M20BVoOeXzUA==,iv:SJBizi+kSa80964nQ78+43sapNDTGifSiV1kOheuujk=,tag:j4eowYRr4cmwUzXGwm3CAA==,type:comment] | ||
2 | key: | ||
3 | - id: rheperire.org_acme | ||
4 | algorithm: hmac-sha256 | ||
5 | secret: ENC[AES256_GCM,data:rgw4nQczDhEeI5JMl1fJA3HX5ZVBpjTQEEk2pkA3c9M1CWYpFvzFRtCAxe8=,iv:Y0G3+A161Lefpwknm+S2jj8rTfm/jlrP+pnR3vR6/mk=,tag:IHsCnkIU2p3hCmRokecbtw==,type:str] | ||
6 | sops: | ||
7 | kms: [] | ||
8 | gcp_kms: [] | ||
9 | azure_kv: [] | ||
10 | hc_vault: [] | ||
11 | age: [] | ||
12 | lastmodified: "2022-02-22T09:17:59Z" | ||
13 | mac: ENC[AES256_GCM,data:tYWQT6iDQGsYm4zCtNbqvZhIYIMm3+Q9faRbqVpeERdq3oJlEvKIL3MAP2fj6789EbCKf/6zdah5HzYK9k4RsZWxtPfqxYXZp7gWvWwKwm5MRZfQtYzR7ThhD/8QANJKLVffl+PknJqhUYsUq9aeYTbLnyuR2AHY1WkR/fPwcLg=,iv:wGmozslNHE1dc4tpmNVGQJw2hhojB4L3gf7qu963ItA=,tag:4WrPw6biusQDV1OTWmXv6Q==,type:str] | ||
14 | pgp: | ||
15 | - created_at: "2022-02-22T09:17:59Z" | ||
16 | enc: | | ||
17 | -----BEGIN PGP MESSAGE----- | ||
18 | |||
19 | hF4DyFKFNkTVG5oSAQdAcxKwhh0Poivpl/A7YU53ab+rMWLWKRpeUSwehL6LPEMw | ||
20 | zv+AtmWUPtAL1GpyruFTYoT0P7CJ/PJLYYUDZPH/4oNcaU+5XiBi6sj3svWH5HQE | ||
21 | 0l4BBkvxjYvgPNYSw68AJz/AlzRig4SL7q1VwaYH9w+UWnpwK2CeIZSn11lzDdcj | ||
22 | 8jUZK34aJFFcGWBM2ZKEtQDm3n5B2nRxwb5kLjqwith5zczJ289VNPDmnlVRU4BA | ||
23 | =i8zc | ||
24 | -----END PGP MESSAGE----- | ||
25 | fp: 7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8 | ||
26 | - created_at: "2022-02-22T09:17:59Z" | ||
27 | enc: | | ||
28 | -----BEGIN PGP MESSAGE----- | ||
29 | |||
30 | hF4DXxoViZlp6dISAQdALxbhftpZmVeTmFU8ujPPR5w0Z8ljkZbI8SHAWmC2QEIw | ||
31 | iTS491iicbH7kzF+l3SZZ1XAFn9p4ZjQyZNeOHXD/q1KXxCWGn3UTRSbXlgzzmKZ | ||
32 | 0l4BSZpnpgmEgLospl5mS6smVEO58Q3XXjVTQVKAjQaxD9Oe1DRCgW4kOq4xKGWS | ||
33 | xF55QHP3bPt5ziF2nwF+Gs28HW4UzAFVcr7r7Bz9CxwHixFx5qjvzAWh+Pp+TdY0 | ||
34 | =hSUL | ||
35 | -----END PGP MESSAGE----- | ||
36 | fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51 | ||
37 | unencrypted_regex: ^(id|algorithm)$ | ||
38 | version: 3.7.1 | ||