authorGregor Kleen <gkleen@yggdrasil.li>2022-02-22 15:48:59 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-02-22 15:48:59 +0100
commita7255ba16633d70c22e8bed75ae52c49f08e1c18 (patch)
tree71f1cdc442efef13fe239e8694b4fe9bcc58b923 /hosts/surtr/tls
parentef600c518e5fdb4962fdd4d4851413a024fa52f7 (diff)
surtr: dns/tls: rfc2136
Diffstat (limited to 'hosts/surtr/tls')
-rw-r--r--hosts/surtr/tls/Gupfile2
-rw-r--r--hosts/surtr/tls/default.nix51
-rw-r--r--hosts/surtr/tls/tsig_key.gup6
-rw-r--r--hosts/surtr/tls/tsig_keys/141.li26
-rw-r--r--hosts/surtr/tls/tsig_keys/dirty-haskell.org26
-rw-r--r--hosts/surtr/tls/tsig_keys/kleen.li26
-rw-r--r--hosts/surtr/tls/tsig_keys/nights.email26
-rw-r--r--hosts/surtr/tls/tsig_keys/praseodym.org26
-rw-r--r--hosts/surtr/tls/tsig_keys/xmpp.li26
-rw-r--r--hosts/surtr/tls/tsig_keys/yggdrasil.li26
10 files changed, 191 insertions, 50 deletions
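diff --git a/hosts/surtr/tls/Gupfile b/hosts/surtr/tls/Gupfile
new file mode 100644
index 00000000..13ba8cf6
--- /dev/null
+++ b/hosts/surtr/tls/Gupfile
@@ -0,0 +1,2 @@
+tsig_key.gup:
+ tsig_keys/*
\ No newline at end of file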
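diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index 01c9050e..b28d33e9 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -8,51 +8,6 @@ let
  tsigSecretName = domain: "${domain}_tsig-secret";
 
  cfg = config.security.acme;
- knotCfg = config.services.knot;
-
- knotDNSCredentials = domain: let
- zone = if cfg.domains.${domain}.zone == null then domain else cfg.domains.${domain}.zone;
- in pkgs.writeText "lego-credentials" ''
- EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
- EXEC_PROPAGATION_TIMEOUT=300
- EXEC_POLLING_INTERVAL=5
- '';
- knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
- #!${pkgs.zsh}/bin/zsh -xe
-
- mode=$1
- fqdn=$2
- challenge=$3
-
- owner=''${fqdn%".${zone}."}
-
- commited=
- function abort() {
- [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}"
- }
-
- ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}"
- trap abort EXIT
-
- case "''${mode}" in
- present)
- if ${knotCfg.cliWrappers}/bin/knotc zone-get ${zone} "''${owner}" TXT; then
- ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""'
- fi
- ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}"
- ;;
- cleanup)
- ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
- ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""'
- ;;
- *)
- exit 2
- ;;
- esac
-
- ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
- commited=yes
- '';
 
  domainOptions = {
  options = {
@@ -111,10 +66,6 @@ in {
  extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
  dnsResolver = "127.0.0.1:5353";
  };
- mkKnotc = shared // {
- dnsProvider = "exec";
- credentialsFile = knotDNSCredentials domain;
- };
  mkRFC2136 = let
  tsigInfo = readYaml tsigPath;
  in shared // {
@@ -129,7 +80,7 @@ in {
  RFC2136_POLLING_INTERVAL=2
  '';
  };
- in (if isTsig then mkRFC2136 else mkKnotc) // cfg.domains.${domain}.certCfg;
+ in assert isTsig; mkRFC2136 // cfg.domains.${domain}.certCfg;
  in genAttrs (attrNames cfg.domains) domainAttrset;
  };
 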
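Review bot: The new `assert isTsig;` on the last changed line fails evaluation with a bare assertion error that does not say which domain is missing its TSIG key file, and with the knotc fallback removed every such domain now hits it. If `lib` is in scope here, as the unqualified `optional` and `genAttrs` suggest, `in assert assertMsg isTsig "no TSIG key for ACME domain ${domain}"; mkRFC2136 // cfg.domains.${domain}.certCfg;` names the domain in the error. The definitions of `isTsig` and `tsigPath` lie outside the visible hunks, so how the key file is located should be confirmed there.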
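diff --git a/hosts/surtr/tls/tsig_key.gup b/hosts/surtr/tls/tsig_key.gup
new file mode 100644
index 00000000..3d81b603
--- /dev/null
+++ b/hosts/surtr/tls/tsig_key.gup
@@ -0,0 +1,6 @@
+#!/usr/bin/env zsh
+
+keyFile=../dns/keys/${2:t}_acme.yaml
+gup -u $keyFile
+sops -d --input-type=binary --output-type=binary ${keyFile} | yq -r '.key[0].secret' > $1
+sops -p '7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8,30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51' --input-type=binary -e -i $1
\ No newline at end of file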
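Review bot: Line 5 writes the decrypted TSIG secret to `$1` in plaintext and only line 6 re-encrypts it in place, and the script has no error handling, so a failed `sops -d` or a missing `.key[0].secret` can still end with `sops -e` succeeding on an empty or `null` file. Since the script's exit status is that of its last command, gup would presumably accept that output as a valid key. Adding `setopt err_exit pipe_fail` and `umask 077` directly after the shebang stops the build at the first failing step and keeps the transient plaintext unreadable to other local users. A comment such as `# $1 briefly holds the plaintext TSIG secret until sops -e -i re-encrypts it` would document why the two steps must stay adjacent.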
diff --git a/hosts/surtr/tls/tsig_keys/141.li b/hosts/surtr/tls/tsig_keys/141.li
new file mode 100644
index 00000000..f94b492f
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/141.li
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:wjjG+kaLFnWG8vTKCMHRsTB2ksZEQV/lZON7OTGs4RGF2UGyzr7uFiaPEu69,iv:x29NlTSg48NuDZmNwQx7WFhKPanOLEziDF59GpAbYIU=,tag:U0jQimah+7dfJ8+rElb75w==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2022-02-22T14:15:30Z",
10 "mac": "ENC[AES256_GCM,data:NVzJqLoMPP1I322E002PPHB4hp6K2FpZTz1+E+eggsVnXtcU3da0zzRZTe+1JRRRLgTp1nFafxkDZbOF53byUgcuA+YVD0lIcX/Zk4JtkihS/AKBgCFSDXox+WFPulT+Jy8piRQuLFIj9m//FrPqbbZje4tT9MqtU8GFtQ/RZSA=,iv:ZXv5MXjUH939pbFZTHLICovdKgDxN3HkJWjzEBu0mIM=,tag:0h6XiH4oIeFEH3dFivHe2g==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2022-02-22T14:15:29Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA3LvoKvgJIXhXYc5cnoUHE4k9EnJzrSokuwHX6vsXMF4w\nl/Am3E8SYCRLW6GH84v5nRogvRi4/njDTUMltRil4AreR8AKs6O22K/dotFDFpm8\n0l4BjzIFo5lin5t/fJQnam+Q9N0sRu6CKe74id93IEWn4fh8jnGm2z45VQf08edv\n5TT3atYJPXK3BoOGZqWLbYk1zZMxlj/yNDC/gsoNzkv7tFfQyd8Rk0pbGOELrvlq\n=QUbV\n-----END PGP MESSAGE-----\n",
15 "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
16 },
17 {
18 "created_at": "2022-02-22T14:15:29Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdApyLjA3a/6MiK3911+Dp7+GldIgztIqDfePqSVGQ9Tngw\n8ojc86qm6daCc2aceZGmmvt28kPX4XNmd5KOnFhF6B33o1tSI2duoVeYMOMY5sc0\n0l4BXL2CeNPvdX5To1I4OAUV6t3HEhgnW41/b6B3LqaGg34KBI4i7xNb8+djVSxu\nMEtYkD9QoSkDdNOpDAlH5GnPmrIVPHY9ml70agC1ctwET+P6L9qt0lzwCs2K1oT2\n=/Ukj\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file
diff --git a/hosts/surtr/tls/tsig_keys/dirty-haskell.org b/hosts/surtr/tls/tsig_keys/dirty-haskell.org
new file mode 100644
index 00000000..b9effeda
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/dirty-haskell.org
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:c4XzB/MbBfDcgR+6/FRNxDsRxtfdOR8oaKj7eLByJfnDyDrnN/p5DHrwNOe+,iv:TmCVdXMFJtRb1eT0M8Tga23rxoyUldjPATPX04n7I18=,tag:AhqhULrs/FVtfPUeWv5SdQ==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2022-02-22T14:20:36Z",
10 "mac": "ENC[AES256_GCM,data:AZxoNR2oE7c5LXEg8o3cBYTflBMeGadPWr1cJ5GEyBJUJUloN9V9iTjnN/62Pj1zkTQvOhL4vkoOd0q812mOV1QgCi/RbLTPIn55dDWJ8d8jYQLlqrMV3LR+xtsGDDBDOPWJ8pNIug9D7f3BwVQpbvj3W2WOnJvm3oAZNHa0RJ8=,iv:YVFNSC74bZQgGpVLxWFCkC1oouSYwJjQ+k3beSeXUJc=,tag:oi7bSs83GsDl4qpsJ8zqCw==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2022-02-22T14:20:35Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAhNF59zErbJlEDeJjF5kFLUVeAF81ageD34K/7NjVf3Ew\nFAn32mbWKZmoY4ekfOyZesKWTvpaYH8vnLj0r0vTc4nnqIejrVbz5T7nxl9mKgxX\n0l4BS9jVKuC7mGvTlKvpABPEP7uQS083JRVdTQ9nLFF3kOgf3rHWTX7I+QNMT+7E\nWqdm0q8OV09wk0I94lpRVjQjeosZmLGV58E8Q1D5x9xKjwS1Z9IT2SHONaZDAc5a\n=jdQT\n-----END PGP MESSAGE-----\n",
15 "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
16 },
17 {
18 "created_at": "2022-02-22T14:20:35Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAMpNL9Ff2tSQLZYJlJCc3zUeTIiJYBwPXngz89tnrtxMw\n7cBQezv8MW/nKS5+8VPsr5NA2EfbPRlPAGDs3i7c82iNyaq8wjlZ7E5kJt9Cp1UA\n0l4BUddH560+QD8JZ7Tas943jI0GvBSrP3gm/dpILXS6APmIo8cY1Ex8Qkyvp0vn\nfumu+TRaUIjgSo5ZbqbJx+/duUjTg+j+p0Zu1xvBDQizbP894y5LFfsEsWQB2tkC\n=QZbr\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file
diff --git a/hosts/surtr/tls/tsig_keys/kleen.li b/hosts/surtr/tls/tsig_keys/kleen.li
new file mode 100644
index 00000000..3f31b1ec
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/kleen.li
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:Jjw1uufbrTcNTY9QLDbC98BXyDsUpO7jlS56qHmrIC4gBT0DF29v4thHgDe/,iv:AJeaK7SA2dlVMZKT7VGYXpjYOvIlWsSPghylvwq5hfE=,tag:af6RdYpyPSioqiTpnuLYNQ==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2022-02-22T14:43:58Z",
10 "mac": "ENC[AES256_GCM,data:Ws+LHpDFB9tKzfV5zVg5POTbzwb5KNFigPCQON85yIupazVMKesW5mpBZTzbknL0IwPfVnCQNX92bnJ6RBqJ+vIdOdax/eZzuIMvXyUGw1gjafkE3F9gv0CWu3n34SoLOynEIHXOrM/nTVWOLs6+DP1fH8MmscjhvaX52yIxe8E=,iv:OhYYyc0tcI2BrL8i2ZWADso9AcHzhb/wNrqVEnTXUJY=,tag:+GoBXxlveNe2puCbFz2foQ==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2022-02-22T14:43:58Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAHUWRBd0g/lAt4SNSRTyY084xlAmLVFiWY38oItiWEzUw\ngFigoJRqCtFsfRgmPC/VyasEAsUCSmmA15rGH+C1DA0HRyXLNUVGEcsnL1J7yNxS\n0lwBVaPi+AgmKtV48v6YzArTeY36TA9CInZl588Wy/YFitnTX6wqIuoZeJlDgEhN\nVF4XQVjb1mQhHFHbgD7SJSW6fHi8KWb+B3Tr6qt+p+CzwCycH/IaDbWbhIRSZg==\n=06jP\n-----END PGP MESSAGE-----\n",
15 "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
16 },
17 {
18 "created_at": "2022-02-22T14:43:58Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAZbcJU1YXpht/sVq+NgOi23+BCjuiT/DH2Q4o9oQwEBkw\nLlQGzqtLfKPAjZWCECgsgz7ssAQVY90S9MDM3fUYWX56TXZabFkgz18Bn0cq1Ywa\n0lwBeS1RQX6gyjLNrO3B52eL9t/FW01RtWWS51nGN0WafVgoIaohV00lDCFZPAD/\noajw9vLd7Njjk11Pqv6H7pUanQOk69+tX5pKpzwGlRE0eZre6OSPZp9WTgfLTQ==\n=Af2i\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file
diff --git a/hosts/surtr/tls/tsig_keys/nights.email b/hosts/surtr/tls/tsig_keys/nights.email
new file mode 100644
index 00000000..5e387091
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/nights.email
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:WrhKcorA/PdPrt6tr1eDuVA/Wdr/DaRtc5ETixVKZtxDZzKQakF5ltVB49Dj,iv:f/1Ko1m064gAVPEbt2SnHt7zee/PQvMZb+/qneVc0ls=,tag:qimiralQNxwOZ/uAs1T7/g==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2022-02-22T14:44:08Z",
10 "mac": "ENC[AES256_GCM,data:+/9QfW6yc0AXNKu73Mkp7hK98lWWyNn3WLJ2wdi6mh7dAR/pYxcuIa8a9b8Kv41WrExwExVbWbI886v2hC63GMI+rZeiOXAZEEFNCpYQwyog0bzWedZ9gE5ZmymaErrPsVJYauys+8NYomhtj+3ufB5FZNwfmEOO76dzcr10qZY=,iv:ecyJqhBYHHNj97JvOCFgFg4jxaBySUdj3ZgZKY6ulLw=,tag:a62hRw50887xQarS6O/GgA==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2022-02-22T14:44:08Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAwkyJitOwmF+FeN4F3Z72t5wf8vTizR+TjlBPU/OwRUYw\nYVBQCma/uqjRj4UZeWXo6lq3weKI+gRp17z3Fvzc0YCWdtGq7lKyVtmwPltrvEXc\n0l4B4h6XT2+EcPuqtvkpNwIUoNphYZV8xGUD4v6lAQqUOYFsJvZfZbYe7tukcAQg\nwvbuWE2Hht0cxPpY65cVURA92wEcs7aP6Bp9Mqb/lQn7Ju1sv1a4bAvYvNVFnqu2\n=OkoI\n-----END PGP MESSAGE-----\n",
15 "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
16 },
17 {
18 "created_at": "2022-02-22T14:44:08Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAFIJLO7eo3lhEVg13E2zI8DMn3ljuQv9JggBD2mHk4Xcw\nDjk54ugbH3AacQN4zsoGJsAjZEUpfCBhGl/fpVZYEVzgMLzA2SRqRol94YPyNpM3\n0l4Bived0rDJwIYAEhpCplpX/JKAN48BaauPC14QuWDxgBpZTWSKqa+BoYpTbBoc\nN0amWuqWp7WGLrRizpfah1w/+Og6QycgccXzG/dz5aRVC71ddxycvjbR2k6sH3tr\n=m8ZH\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file
diff --git a/hosts/surtr/tls/tsig_keys/praseodym.org b/hosts/surtr/tls/tsig_keys/praseodym.org
new file mode 100644
index 00000000..c4afce5d
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/praseodym.org
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:LLr/euxUJL1qSnjx2HlUG/X5dIg15WXb3VryAnVtHCLHUxnfrUF2PNlAoneL,iv:7OeUpmgXb7PfyDwfgNvaqhnPn9UKqYd4ug8as01gIDU=,tag:CYKMKyol09ahPr6SKGB9kA==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2022-02-22T14:43:37Z",
10 "mac": "ENC[AES256_GCM,data:dMgOwAv7CWEsP568dNX/1mGOcVIXc/eU92gJUSkZaQBWoJExa7Y1K0Ocyin9YsdQsFGcBFgjyo1DtdVUrf8j5/V69CG8xXiWwf82O247lifK+V2/Etgys7W71GZXxX+C5+fnN8SgsVQeOKX47ljiDeajKMXOptQEx7Awooe1vYM=,iv:GP57gibgf20yrZTgGzGxewOEWnu+1E7uJUYYJO85n9Q=,tag:Zhl9FmLYUyydiNzbXjLN4g==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2022-02-22T14:43:37Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAEwneu5Lzspri3SHXIFgp8G+nTOpl3DGEoQTCaxeJvkgw\n/q3IUfiNFbpH32V7V07oOk3CD3SIlVVLNcxD/3DuOLHLeCehnWJ6OAtzaakvR2zW\n0l4BEBu/NBzhrtxbOt2vJnUyIoPwJIQuzQ92nUppd3gdaMoHyA+Wk/CAByTZ6+Gu\nq4jPWyeVwGeItpQ3PfpnCKJJQGhs/2E9TQrrovr2vhurnaxiEW80U/NdCQ3eMXiw\n=vKZP\n-----END PGP MESSAGE-----\n",
15 "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
16 },
17 {
18 "created_at": "2022-02-22T14:43:37Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA1KY9DWpdJsUWLsvl4jJWel1tsdiNJ4z1VJw1W1Uiti0w\nLBhjFCiX4trrvYZf/s27t3CEE3j1xHpk+nhG+5rvh4PKOy9+4Z4dQ7ePr3khWK8d\n0l4BrSZXnmP1+i49AjR4F94EvezVS5MMNlqbHOfChBaybXO95oXl8CamSu2X0kSC\naJJe/ovfYblK2QCD1+kAb/e4LOedAHkL/YSOFtKa0WVhKNJoRIocAAYfCAXuQSRP\n=GWol\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file
diff --git a/hosts/surtr/tls/tsig_keys/xmpp.li b/hosts/surtr/tls/tsig_keys/xmpp.li
new file mode 100644
index 00000000..35acd462
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/xmpp.li
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:Bice54S+zPCtUASZD0wnqFeBDekIKAfaZmNc4BJ8yFzzP1AeenJqOow69lf/,iv:dsBceXehjvhfTSd+KXE2QOvpTwNTY7gr9ef0hNFdDms=,tag:6iMISbLkELFP5OBbRgcdqA==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2022-02-22T14:43:10Z",
10 "mac": "ENC[AES256_GCM,data:IACasoGWgaouc0QnJAztTJkRnD60D0r0pXdxhXnDqpsz3qeS4Nnc5wgjMjSC6iTLNTDsGHw5s8egoIYKNhMVv1Gi7jYPgaIMGkjtg5iGIGmd12dqQTT4LPTfvrA0zqvu6BjzjO1BEBaJ26u8SBWw6yIg76b0BPpmM6afmyKo4X0=,iv:el8SzvnpQzURe1POMWNI3d2vYbAHqgfWzkzFi6GTQx8=,tag:HWABf4iOAZZLiJiMivGQ7Q==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2022-02-22T14:43:10Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAqBgOG0dMrKdKrPfL605eIH0q4zc/qLSepP3Mbi4wUCAw\nwVXV+LDTZKtCiT3RioyM3Vlf6blY1i5A8VgCKPHKFSy7TEMmhsHKKQGExahE35tm\n0l4BSmNYGiyW6mdiOlVS4uHlztG0SkzxAKoWs7lgwXufP97M0c9GaGLwVUCaOrWj\n416XfTI1wL8HmLBHaa8s2GyVPo+VWRKUpPu9gXAjTpqmRxeFjt7j749nIK8X27y8\n=2zXf\n-----END PGP MESSAGE-----\n",
15 "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
16 },
17 {
18 "created_at": "2022-02-22T14:43:10Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA4FILrqlN0ta93yHezBedT+3UuCQqonGlarHvrwi77DUw\nIi4IxaLcYRwqISIhsjz0k7MzJ/BlP1/Qg/NMaB9CoSQIoVc8P7TK/gdP81ORE+r2\n0l4BT9n00HJPJ4IHJKcKmG+Ta5xOPHsVqRNgLSp7Ss71I0HLEa6YqhE/4z3kwvcE\nD7fWKVLkMuA6PMzjEa+ZGY/baqHL0VFW+Vy3/Fn+E0nStUT17Ya0ANB5kuyRp/v6\n=cwHX\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file
diff --git a/hosts/surtr/tls/tsig_keys/yggdrasil.li b/hosts/surtr/tls/tsig_keys/yggdrasil.li
new file mode 100644
index 00000000..7c75602c
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/yggdrasil.li
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data:nfXCp4v2HFGHzceTQJY7knQ3ci8sPUGdiYL5Cy9epu3LK1QULNFb+eA+vFHG,iv:xBdtLNYMgGQfLsdjj63uwc9NWe8UvVnVmyuMAM0S1bQ=,tag:9xSy1U4+crLKvWr7eKti4w==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2022-02-22T14:43:24Z",
10 "mac": "ENC[AES256_GCM,data:DzSO3ir1Q2KWzwcmrW9ksw9GFRJXOVkb2tuhgDQxzV+sHC8O6VLMvYUZCNrYSKlZR0i2xiGuQD+3cO09YRYMF9MoR3ODl1BAGi5C0z0UKYPxf8BE/8x1qj2ak4Qdp7BHtaAQHo+IU+dX8AK64DJ5b2pJ/ThZzRSlfaeYp3X8cgA=,iv:FeuDzZzI8R2sZxWry5Jr1eoUWQlLkSqiNLutrvBviKI=,tag:VQJoQSodDkHIkrDXsnPG7Q==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2022-02-22T14:43:23Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAP/YAe2yfGvQ3TcChWjoRsi1bSezMKA2VDWPgRZuA1xQw\nEXhjL2Iu/ORRaktmd6ortqSxckYo2WOosqLXLLWXSnSpBK0mpSFO4/DJbMeKapCA\n0lwB0Tq0hP1Knh7jrTm/9mj2zcqonJY4P8mDwobBI4p1Ll29HxG4KCExrsxFFV6S\nQj1/r9Sz3SLsA9+z8hS8SQO3+877ITmAF518LTjs5clelO4I3KYCQqezXTVOSA==\n=2jir\n-----END PGP MESSAGE-----\n",
15 "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
16 },
17 {
18 "created_at": "2022-02-22T14:43:23Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdArOyejysX1GDvK5g928BoioPtvEz1VzindL8Ng3Ta/Bcw\nUCB1/NKkCM8Ex2jALoGrBeZ5GdL2eRAOmQysaYPpeYRSG84/6e3DUixsbavL63tO\n0lwB+fVTe4tsLKFQ/j+GRJrBkHWNLVSjq50t68OhqTMQ31e8FejeTdAmsFG33MjH\ntumC/AGjz9qAGR7G690wu6WZaJRFD+aPMAJdFN2Fu3A+Imdra3hlTExs8ZAVaA==\n=7NiP\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file