authorGregor Kleen <gkleen@yggdrasil.li>2022-02-22 17:10:20 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-02-22 17:10:20 +0100
commit56db0eef6b60891b6320feba397033b68ff3ee56 (patch)
tree43300690be0c3f54954c54ef80f71f11d713e9f4 /hosts/surtr/dns
parenta7255ba16633d70c22e8bed75ae52c49f08e1c18 (diff)
surtr: dns: open rfc2136 to ymir
Diffstat (limited to 'hosts/surtr/dns')
-rw-r--r--hosts/surtr/dns/default.nix16
-rw-r--r--hosts/surtr/dns/keys/ymir_acme.yaml26
2 files changed, 39 insertions, 3 deletions
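--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -23,7 +23,9 @@ let
 
 indentString = indentation: str: concatMapStringsSep "\n" (str: " ${str}") (splitString "\n" (removeSuffix "\n" str));
 
-mkZone = {domain, path ? (./zones + "/${reverseDomain domain}.soa"), acmeDomains ? [domain]}: indentString " " ''
+mkZone = {domain, path ? (./zones + "/${reverseDomain domain}.soa"), acmeDomains ? [domain], addACLs ? {}}: indentString " " (let
+keys = acmeDomain: [(assert (config.sops.secrets ? "${acmeDomain}_acme.yaml"); "${acmeDomain}_acme_acl")] ++ (addACLs.${acmeDomain} or []);
+in ''
 - domain: ${domain}
 template: inwx_zone
 ${optionalString (acmeDomains != []) "acl: [local_acl, inwx_acl]"}
@@ -31,10 +33,10 @@ let
 ${concatMapStringsSep "\n" (acmeDomain: ''
 - domain: _acme-challenge.${acmeDomain}
 template: acme_zone
-acl: [${assert (config.sops.secrets ? "${acmeDomain}_acme.yaml"); "${acmeDomain}_acme_acl"}]
+acl: [${concatStringsSep ", " (keys acmeDomain)}]
 file: ${acmeChallengeZonefile acmeDomain}
 '') acmeDomains}
-'';
+'');
 in {
 config = {
 fileSystems."/var/lib/knot" =
@@ -152,21 +154,29 @@ in {
 zone:
 ${concatMapStringsSep "\n" mkZone [
 { domain = "yggdrasil.li";
+addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };
 }
 { domain = "nights.email";
+addACLs = { "nights.email" = ["ymir_acme_acl"]; };
 }
 { domain = "141.li";
 acmeDomains = ["webdav.141.li" "141.li"];
+addACLs = { "141.li" = ["ymir_acme_acl"]; };
 }
 { domain = "kleen.li";
+addACLs = { "kleen.li" = ["ymir_acme_acl"]; };
 }
 { domain = "xmpp.li";
+addACLs = { "xmpp.li" = ["ymir_acme_acl"]; };
 }
 { domain = "dirty-haskell.org";
+addACLs = { "dirty-haskell.org" = ["ymir_acme_acl"]; };
 }
 { domain = "praseodym.org";
+addACLs = { "praseodym.org" = ["ymir_acme_acl"]; };
 }
 { domain = "rheperire.org";
+addACLs = { "rheperire.org" = ["ymir_acme_acl"]; };
 }
 ]}
 '';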
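Review bot: The existence check that `keys` applies to the per-domain key, `assert (config.sops.secrets ? "${acmeDomain}_acme.yaml")` on new line 27, is not applied to the names taken from `addACLs`, so a typo in one of the eight `"ymir_acme_acl"` literals in the zone list would only surface when knot loads its configuration rather than at Nix evaluation time. If the sops secret for the new key is registered under the same naming as its file (`ymir_acme.yaml` is the file added in this commit), one check can cover both sources: `keys = acmeDomain: map (acl: assert (config.sops.secrets ? "${removeSuffix "_acl" acl}.yaml"); acl) (["${acmeDomain}_acme_acl"] ++ (addACLs.${acmeDomain} or []));`. Separately, a single ymir key is now listed on every `_acme-challenge` zone, and what an ACL named `ymir_acme_acl` actually permits (update only, TXT only) is defined outside this diff, so the scope granted to that one key cannot be confirmed here. `mkZone` spans the first two hunks, with new line 32 falling between them.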
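--- /dev/null
+++ b/hosts/surtr/dns/keys/ymir_acme.yaml
@@ -0,0 +1,26 @@
+{
+"data": "ENC[AES256_GCM,data:byBJwbC+WjFdWWnlSQUkSyNw9J7FwNqXuXMl68IzVsIMNmRHrRj/1cUgf7q1MN4YbNHwW5SV53wM0iIsNIObXNIdhe3QVK0X6hWfEXBuZ1yf1kdcCWleIVzh7swJXNoudWCcFYQz527pUKB7FoqalzTZED8+qok7zvyrB9YAyrXhFS7+RUM/6LgmAUcd99ojhPE5N4WZOk/+rUYx/lRmDqjteBUlTsg2zbyJI5aiPJRgmeRUr6nY/g==,iv:mv0jAiWU1kD8+fOD8C/gbUryGcB2jl4g9HypRsrMqcI=,tag:1IURck5WIqn5CqpVRMGeTA==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": null,
+"lastmodified": "2022-02-22T16:07:25Z",
+"mac": "ENC[AES256_GCM,data:mwXrUm7h+Hn6klCDmz9ni1bqVpaJlpLTDuUUvXGKnX0RjG763szhjbvI/NVj42e7pkgoArDN83Zf0KdugmTCIEQB15PYsGvc5uRcBK8I28Gktwdz9InCbArOvXGO6BoGF47VxjNDeFy5OnUUbST0pF94WXEIeGaD/QxXn0c5ljo=,iv:koaB3cA9IxyuLY3R1qF7FOwgzh4QnkNrMmVomu4MugI=,tag:7D8qzyGF2hibcumXV3HqGQ==,type:str]",
+"pgp": [
+{
+"created_at": "2022-02-22T16:07:25Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAmcJoxHfANstUX5rNuujHRm1VVe8RNrwMItzqvMyh/Ssw\nha1cGkBRxuVkkSMNGX3A0uMD3bYY/CGS8706ttaSNxlkPERExs+1YT/ds1nmR3VN\n0l4BpTrOGwKutMwjbB30Jmoy9EkqkqjC6948q/lJGl+bCk0ByJ99vQR0hv8KNvIj\nV6TkiKbCHHXy+Z1n/XkKPqWcjjcth4cJBKwsDB2EU6hbc9MGrM7PgVtR9Vce/mGv\n=WPOy\n-----END PGP MESSAGE-----\n",
+"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+},
+{
+"created_at": "2022-02-22T16:07:25Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdArf8QXVpdQJH0v/0o9KN3LVbtEQAsuVco3mhjnhh5nVYw\ns0YqUAmN6hDTcDvfKljR5D/iK2iEfbZgBLGJyNsy3AbYdu3lhdGbxWerbVgrNA+p\n0l4BEzSmhqAlNqPvTwgCqRBaBnbsI7OLrqxIG08K+SAnRHs+BPc1xB0DLT4OZerm\nKNvcKNeYrEWluhipt9AVwuQzMTo3b/ZLGi97nICPsb8tu9DwS4fjcPaA52q70oSx\n=vWLx\n-----END PGP MESSAGE-----\n",
+"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+}
+],
+"unencrypted_suffix": "_unencrypted",
+"version": "3.7.1"
+}
+}
\ No newline at end of file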