authorGregor Kleen <gkleen@yggdrasil.li>2022-02-22 10:48:18 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-02-22 10:48:18 +0100
commit9ed4c08d8c03f8d12586c25cddc33da92a20c218 (patch)
tree961619e42ede6ba7115ffd25d104fc0d8a11684e /hosts/surtr/dns
parent4a037a644a1ec9c85e28f5430da79ef5292e6afc (diff)
surtr: tls/dns: rfc2136 for rheperire.org
Diffstat (limited to 'hosts/surtr/dns')
-rw-r--r--hosts/surtr/dns/default.nix44
-rw-r--r--hosts/surtr/dns/keys/.sops.yaml3
-rw-r--r--hosts/surtr/dns/keys/rheperire.org_acme.yaml38
3 files changed, 83 insertions, 2 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index feb56195..9a72a2c6 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -1,5 +1,18 @@
1{ pkgs, ... }: 1{ pkgs, lib, ... }:
2{ 2
3with lib;
4
5let
6 acmeChallengeZonefile = domain: let
7 reverseDomain = concatStringsSep "." (reverseList ("_acme-challenge" ++ splitString "." domain));
8 in pkgs.writeText "${reverseDomain}.zone" ''
9 $ORIGIN ${domain}.
10 @ 3600 IN SOA _acme-challenge.${domain}. root.yggdrasil.li. 2022022102 7200 3600 86400 300
11 $TTL 300
12
13 IN NS ns.yggdrasil.li.
14 '';
15in {
3 config = { 16 config = {
4 fileSystems."/var/lib/knot" = 17 fileSystems."/var/lib/knot" =
5 { device = "surtr/safe/var-lib-knot"; 18 { device = "surtr/safe/var-lib-knot";
@@ -10,6 +23,9 @@
10 23
11 services.knot = { 24 services.knot = {
12 enable = true; 25 enable = true;
26 keyFiles = [
27 config.sops.secrets."acme_rheperire.org_key".path
28 ];
13 extraConfig = '' 29 extraConfig = ''
14 server: 30 server:
15 listen: 127.0.0.1@53 31 listen: 127.0.0.1@53
@@ -27,6 +43,9 @@
27 - id: inwx_acl 43 - id: inwx_acl
28 address: 185.181.104.96 44 address: 185.181.104.96
29 action: transfer 45 action: transfer
46 - id: rheperire.org_acme_acl
47 key: rheperire.org_acme_key
48 action: update
30 49
31 mod-rrl: 50 mod-rrl:
32 - id: default 51 - id: default
@@ -71,6 +90,15 @@
71 dnssec-policy: ed25519 90 dnssec-policy: ed25519
72 notify: [inwx_notify] 91 notify: [inwx_notify]
73 acl: [inwx_acl] 92 acl: [inwx_acl]
93 - id: acme_zone
94 storage: /var/lib/knot
95 zonefile-sync: -1
96 zonefile-load: difference-no-serial
97 serial-policy: dateserial
98 journal-content: all
99 semantic-checks: on
100 dnssec-signing: on
101 dnssec-policy: ed25519
74 102
75 zone: 103 zone:
76 - domain: yggdrasil.li 104 - domain: yggdrasil.li
@@ -104,9 +132,21 @@
104 - domain: rheperire.org 132 - domain: rheperire.org
105 template: inwx_zone 133 template: inwx_zone
106 file: ${./zones/org.rheperire.soa} 134 file: ${./zones/org.rheperire.soa}
135 - domain: _acme-challenge.rheperire.org
136 template: acme_zone
137 acl: [ rheperire.org_acme_acl ]
138 file: ${acmeChallengeZonefile "rheperire.org"}
107 ''; 139 '';
108 }; 140 };
109 141
142 sops.secrets = {
143 "rheperire.org_acme_key.yaml" = {
144 format = "yaml";
145 owner = "knot";
146 sopsFile = ./keys/rheperire.org_acme.yaml;
147 };
148 };
149
110 150
111 fileSystems."/var/lib/unbound" = 151 fileSystems."/var/lib/unbound" =
112 { device = "surtr/local/var-lib-unbound"; 152 { device = "surtr/local/var-lib-unbound";
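Review bot: `config.sops.secrets."acme_rheperire.org_key".path` (new line 27) does not evaluate as written: `config` is not among the module arguments on new line 1 (`{ pkgs, lib, ... }:`) and the attrset on new line 16 is not shown as `rec`, and the secret actually declared on new line 143 is spelled `"rheperire.org_acme_key.yaml"`, so the attribute name disagrees as well; the fix is `{ config, pkgs, lib, ... }:` plus one consistent name, e.g. `config.sops.secrets."rheperire.org_acme_key.yaml".path`. The same identifier drift exists between the ACL's `key: rheperire.org_acme_key` (new line 47) and the `id: rheperire.org_acme` declared in keys/rheperire.org_acme.yaml, which knot will presumably reject as a reference to an unknown key. In `acmeChallengeZonefile` (new line 7) `"_acme-challenge" ++ splitString "." domain` applies list concatenation to a string and will fail at evaluation; it should read `[ "_acme-challenge" ] ++ splitString "." domain`. Separately, the generated zonefile sets `$ORIGIN ${domain}.` while the zone served from it is `_acme-challenge.${domain}`, so the `@` SOA owner appears to land outside the zone apex — `$ORIGIN _acme-challenge.${domain}.` is likely what was intended. Since `rheperire.org_acme_acl` grants `action: update` on key identity alone, consider adding an `address:` constraint to the ACL so that a leaked TSIG secret by itself is not sufficient to push dynamic updates from any source.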
diff --git a/hosts/surtr/dns/keys/.sops.yaml b/hosts/surtr/dns/keys/.sops.yaml
new file mode 100644
index 00000000..4f536273
--- /dev/null
+++ b/hosts/surtr/dns/keys/.sops.yaml
@@ -0,0 +1,3 @@
1creation_rules:
2 - path_regex: "\\.yaml$"
3 unencrypted_regex: "^(id|algorithm)$"
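Review bot: The creation rule fixes which fields stay plaintext but names no recipients (`pgp:` / `age:` / `key_groups`), so the key set that any new or re-encrypted file under keys/ is encrypted to is whatever sops picks up from the environment at that moment; the committed rheperire.org_acme.yaml happens to carry two PGP recipients, but nothing in this rule guarantees the same for the next file. Adding an explicit `pgp:` list of the intended fingerprints to the rule makes the recipient set reviewable in the repository rather than dependent on the operator's shell. `unencrypted_regex: "^(id|algorithm)$"` is a sensible split: the TSIG key id and algorithm are not sensitive and only `secret` needs to be protected, which matches how knot's `keyFiles` consume the decrypted file.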
diff --git a/hosts/surtr/dns/keys/rheperire.org_acme.yaml b/hosts/surtr/dns/keys/rheperire.org_acme.yaml
new file mode 100644
index 00000000..16f6d19e
--- /dev/null
+++ b/hosts/surtr/dns/keys/rheperire.org_acme.yaml
@@ -0,0 +1,38 @@
1#ENC[AES256_GCM,data:exIBsQRSUnOhewl0P3WCqktpjsdFFIJ610rodabSsbKK/XF/0WwRU2ErAyv3wlmtXUJMY3jSugkzbRmnND9GIrj6n8M20BVoOeXzUA==,iv:SJBizi+kSa80964nQ78+43sapNDTGifSiV1kOheuujk=,tag:j4eowYRr4cmwUzXGwm3CAA==,type:comment]
2key:
3 - id: rheperire.org_acme
4 algorithm: hmac-sha256
5 secret: ENC[AES256_GCM,data:rgw4nQczDhEeI5JMl1fJA3HX5ZVBpjTQEEk2pkA3c9M1CWYpFvzFRtCAxe8=,iv:Y0G3+A161Lefpwknm+S2jj8rTfm/jlrP+pnR3vR6/mk=,tag:IHsCnkIU2p3hCmRokecbtw==,type:str]
6sops:
7 kms: []
8 gcp_kms: []
9 azure_kv: []
10 hc_vault: []
11 age: []
12 lastmodified: "2022-02-22T09:17:59Z"
13 mac: ENC[AES256_GCM,data:tYWQT6iDQGsYm4zCtNbqvZhIYIMm3+Q9faRbqVpeERdq3oJlEvKIL3MAP2fj6789EbCKf/6zdah5HzYK9k4RsZWxtPfqxYXZp7gWvWwKwm5MRZfQtYzR7ThhD/8QANJKLVffl+PknJqhUYsUq9aeYTbLnyuR2AHY1WkR/fPwcLg=,iv:wGmozslNHE1dc4tpmNVGQJw2hhojB4L3gf7qu963ItA=,tag:4WrPw6biusQDV1OTWmXv6Q==,type:str]
14 pgp:
15 - created_at: "2022-02-22T09:17:59Z"
16 enc: |
17 -----BEGIN PGP MESSAGE-----
18
19 hF4DyFKFNkTVG5oSAQdAcxKwhh0Poivpl/A7YU53ab+rMWLWKRpeUSwehL6LPEMw
20 zv+AtmWUPtAL1GpyruFTYoT0P7CJ/PJLYYUDZPH/4oNcaU+5XiBi6sj3svWH5HQE
21 0l4BBkvxjYvgPNYSw68AJz/AlzRig4SL7q1VwaYH9w+UWnpwK2CeIZSn11lzDdcj
22 8jUZK34aJFFcGWBM2ZKEtQDm3n5B2nRxwb5kLjqwith5zczJ289VNPDmnlVRU4BA
23 =i8zc
24 -----END PGP MESSAGE-----
25 fp: 7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8
26 - created_at: "2022-02-22T09:17:59Z"
27 enc: |
28 -----BEGIN PGP MESSAGE-----
29
30 hF4DXxoViZlp6dISAQdALxbhftpZmVeTmFU8ujPPR5w0Z8ljkZbI8SHAWmC2QEIw
31 iTS491iicbH7kzF+l3SZZ1XAFn9p4ZjQyZNeOHXD/q1KXxCWGn3UTRSbXlgzzmKZ
32 0l4BSZpnpgmEgLospl5mS6smVEO58Q3XXjVTQVKAjQaxD9Oe1DRCgW4kOq4xKGWS
33 xF55QHP3bPt5ziF2nwF+Gs28HW4UzAFVcr7r7Bz9CxwHixFx5qjvzAWh+Pp+TdY0
34 =hSUL
35 -----END PGP MESSAGE-----
36 fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
37 unencrypted_regex: ^(id|algorithm)$
38 version: 3.7.1