...

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-22 11:30:39 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-22 11:30:39 +0100
commit: c8c5313ecfe8958819509a00528b1eb27a415bbd (patch)
tree: b8a626ba91ea8a8b9ac083a8c63514be67a72be3 /hosts/surtr
parent: dfa02cb2e26afd4b51b864d8ff6ae1bac3fbd8b5 (diff)
download: nixos-c8c5313ecfe8958819509a00528b1eb27a415bbd.tar
nixos-c8c5313ecfe8958819509a00528b1eb27a415bbd.tar.gz
nixos-c8c5313ecfe8958819509a00528b1eb27a415bbd.tar.bz2
nixos-c8c5313ecfe8958819509a00528b1eb27a415bbd.tar.xz
nixos-c8c5313ecfe8958819509a00528b1eb27a415bbd.zip
2 files changed, 49 insertions, 1 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 5f69c350..695ac292 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -25,6 +25,7 @@ in {
      enable = true;
      keyFiles = [
        config.sops.secrets."rheperire.org_acme_key.yaml".path
+        config.sops.secrets."knot_local_key.yaml".path
      ];
      extraConfig = ''
        server:
@@ -38,6 +39,9 @@ in {
            address: 185.181.104.96@53
          - id: recursive
            address: ::1@5353
+          - id: local
+            address: ::1@53
+            key: local_key
        acl:
          - id: inwx_acl
@@ -46,6 +50,10 @@ in {
          - id: rheperire.org_acme_acl
            key: rheperire.org_acme_key
            action: update
+          - id: local_acl
+            key: local_key
+            action: update
+            update-type: DS
        mod-rrl:
          - id: default
@@ -75,6 +83,15 @@ in {
            ksk-lifetime: 360d
            signing-threads: 2
            ksk-submission: validating-resolver
+          - id: ed25519_local-push
+            algorithm: ed25519
+            nsec3: on
+            nsec3-iterations: 0
+            ksk-lifetime: 360d
+            signing-threads: 2
+            ksk-submission: validating-resolver
+            cds-cdnskey-publish: none
+            ds-push: [local]
        template:
          - id: default
@@ -98,7 +115,7 @@ in {
            journal-content: all
            semantic-checks: on
            dnssec-signing: on
-            dnssec-policy: ed25519
+            dnssec-policy: ed25519_local-push
        zone:
          - domain: yggdrasil.li
@@ -145,6 +162,11 @@ in {
        owner = "knot";
        sopsFile = ./keys/rheperire.org_acme.yaml;
      };
+      "knot_local_key.yaml" = {
+        format = "binary";
+        owner = "knot";
+        sopsFile = ./keys/local_key.yaml;
+      };
    };
diff --git a/hosts/surtr/dns/keys/knot_local_key.yaml b/hosts/surtr/dns/keys/knot_local_key.yaml
new file mode 100644
index 00000000..a170ff72
--- /dev/null
+++ b/hosts/surtr/dns/keys/knot_local_key.yaml
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:kSTzSFxJhKHPlAfdDT04v88yha8cIagAZZ3hJKqKrfB5tHi5Ek2Yzz/qndvjyBHb3B2PbbeVOUGuNXdZziJYpT0rdwK9vTGnxkaZS1cw0jKf9p/CLRAi3bDgCUti4oPjtQDh5Jj8gDokRs3u6SthaBcz2tZOqDyjKfWWzGlIMtRfSnx7KjgX2Anrhf2/B7vr2Van9XhMTTFiacLpYjZUXeo7v6ZOb49G2b+XxzxrYrY=,iv:b5DeWUu+BpvxhYrKBxpr6m+Ivz+1oLPY5sTZYq6GsJA=,tag:Tvb6w/8Qbro3I7MZ97HKlA==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-02-22T10:29:34Z",
+                "mac": "ENC[AES256_GCM,data:wBzMMSuaNfITvC42rOCWznMCATwjLrz66h+0QURoJONGw/GMVejkdQ+F9s0UFz7PyVKPAxWgSC4Km+ve9nX2c+f1lGyo4YpWDYKtVlZuUd7/Alf1ctl4epZLZihZVc0XLRNgH/Th7D4c+7WyHi8XT1l/AHmbixG4Jxwh8/b0TIY=,iv:vTs3qIMHLIt39RSze3YRkJUkuOUganvtIs90qsXekcc=,tag:EaVQq7DyPvM1CufOtrFDsw==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-02-22T10:29:34Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAqtTjcOaobAeRPtdIlgNBWcHMyJjWoeDdXI/s/Um0lX4w\nIe0pVT/t8t5vakDey0Mu6uTZOM64UKFyH2mTJCOWtbf96tI1ML+03bJGrKNTKEKU\n0l4BTRKRJwKrnjST0/NBc6YwBYfBeKoStoh60aBm072JlWS5/SprDysqMa9xpSxy\npz9HuF5g3/slPaeohUCh8457LtdQgLzZDBbpOWHwpU55Oix+518qAEZ5AspdnHHe\n=8Y8Z\n-----END PGP MESSAGE-----\n",
+                                "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+                        },
+                        {
+                                "created_at": "2022-02-22T10:29:34Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAk0ne1fjj2mV1P+4GDfDE/1SuyvWJ6sqKjkfYgdneNEIw\ns1qLAQzboXcMm073fV/XiegSP4AVL5sa6TOy+ajHGedOk2AkTBa9dYj0QJLJAxxW\n0l4BJdS01hYhj51x2CjAMan37oDZaoNr1Z9V6SPxfnLIs74kPZuAWT9U5YvoD8bj\nwEPGgvJOHPSQbmKpRXsd7MIHxRAe2PEsTGujd6CEv+ZAfjG95EpW5P6Aie73ZZE+\n=1kB3\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
+\ No newline at end of file
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-22 11:30:39 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-22 11:30:39 +0100
commit	c8c5313ecfe8958819509a00528b1eb27a415bbd (patch)
tree	b8a626ba91ea8a8b9ac083a8c63514be67a72be3 /hosts/surtr
parent	dfa02cb2e26afd4b51b864d8ff6ae1bac3fbd8b5 (diff)
download	nixos-c8c5313ecfe8958819509a00528b1eb27a415bbd.tar nixos-c8c5313ecfe8958819509a00528b1eb27a415bbd.tar.gz nixos-c8c5313ecfe8958819509a00528b1eb27a415bbd.tar.bz2 nixos-c8c5313ecfe8958819509a00528b1eb27a415bbd.tar.xz nixos-c8c5313ecfe8958819509a00528b1eb27a415bbd.zip

diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 5f69c350..695ac292 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix
@@ -25,6 +25,7 @@ in {
25	enable = true;	25	enable = true;
26	keyFiles = [	26	keyFiles = [
27	config.sops.secrets."rheperire.org_acme_key.yaml".path	27	config.sops.secrets."rheperire.org_acme_key.yaml".path
		28	config.sops.secrets."knot_local_key.yaml".path
28	];	29	];
29	extraConfig = ''	30	extraConfig = ''
30	server:	31	server:
@@ -38,6 +39,9 @@ in {
38	address: 185.181.104.96@53	39	address: 185.181.104.96@53
39	- id: recursive	40	- id: recursive
40	address: ::1@5353	41	address: ::1@5353
		42	- id: local
		43	address: ::1@53
		44	key: local_key
41		45
42	acl:	46	acl:
43	- id: inwx_acl	47	- id: inwx_acl
@@ -46,6 +50,10 @@ in {
46	- id: rheperire.org_acme_acl	50	- id: rheperire.org_acme_acl
47	key: rheperire.org_acme_key	51	key: rheperire.org_acme_key
48	action: update	52	action: update
		53	- id: local_acl
		54	key: local_key
		55	action: update
		56	update-type: DS
49		57
50	mod-rrl:	58	mod-rrl:
51	- id: default	59	- id: default
@@ -75,6 +83,15 @@ in {
75	ksk-lifetime: 360d	83	ksk-lifetime: 360d
76	signing-threads: 2	84	signing-threads: 2
77	ksk-submission: validating-resolver	85	ksk-submission: validating-resolver
		86	- id: ed25519_local-push
		87	algorithm: ed25519
		88	nsec3: on
		89	nsec3-iterations: 0
		90	ksk-lifetime: 360d
		91	signing-threads: 2
		92	ksk-submission: validating-resolver
		93	cds-cdnskey-publish: none
		94	ds-push: [local]
78		95
79	template:	96	template:
80	- id: default	97	- id: default
@@ -98,7 +115,7 @@ in {
98	journal-content: all	115	journal-content: all
99	semantic-checks: on	116	semantic-checks: on
100	dnssec-signing: on	117	dnssec-signing: on
101	dnssec-policy: ed25519	118	dnssec-policy: ed25519_local-push
102		119
103	zone:	120	zone:
104	- domain: yggdrasil.li	121	- domain: yggdrasil.li
@@ -145,6 +162,11 @@ in {
145	owner = "knot";	162	owner = "knot";
146	sopsFile = ./keys/rheperire.org_acme.yaml;	163	sopsFile = ./keys/rheperire.org_acme.yaml;
147	};	164	};
		165	"knot_local_key.yaml" = {
		166	format = "binary";
		167	owner = "knot";
		168	sopsFile = ./keys/local_key.yaml;
		169	};
148	};	170	};
149		171
150		172


diff --git a/hosts/surtr/dns/keys/knot_local_key.yaml b/hosts/surtr/dns/keys/knot_local_key.yaml new file mode 100644 index 00000000..a170ff72 --- /dev/null +++ b/hosts/surtr/dns/keys/knot_local_key.yaml
@@ -0,0 +1,26 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:kSTzSFxJhKHPlAfdDT04v88yha8cIagAZZ3hJKqKrfB5tHi5Ek2Yzz/qndvjyBHb3B2PbbeVOUGuNXdZziJYpT0rdwK9vTGnxkaZS1cw0jKf9p/CLRAi3bDgCUti4oPjtQDh5Jj8gDokRs3u6SthaBcz2tZOqDyjKfWWzGlIMtRfSnx7KjgX2Anrhf2/B7vr2Van9XhMTTFiacLpYjZUXeo7v6ZOb49G2b+XxzxrYrY=,iv:b5DeWUu+BpvxhYrKBxpr6m+Ivz+1oLPY5sTZYq6GsJA=,tag:Tvb6w/8Qbro3I7MZ97HKlA==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": null,
		9	"lastmodified": "2022-02-22T10:29:34Z",
		10	"mac": "ENC[AES256_GCM,data:wBzMMSuaNfITvC42rOCWznMCATwjLrz66h+0QURoJONGw/GMVejkdQ+F9s0UFz7PyVKPAxWgSC4Km+ve9nX2c+f1lGyo4YpWDYKtVlZuUd7/Alf1ctl4epZLZihZVc0XLRNgH/Th7D4c+7WyHi8XT1l/AHmbixG4Jxwh8/b0TIY=,iv:vTs3qIMHLIt39RSze3YRkJUkuOUganvtIs90qsXekcc=,tag:EaVQq7DyPvM1CufOtrFDsw==,type:str]",
		11	"pgp": [
		12	{
		13	"created_at": "2022-02-22T10:29:34Z",
		14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAqtTjcOaobAeRPtdIlgNBWcHMyJjWoeDdXI/s/Um0lX4w\nIe0pVT/t8t5vakDey0Mu6uTZOM64UKFyH2mTJCOWtbf96tI1ML+03bJGrKNTKEKU\n0l4BTRKRJwKrnjST0/NBc6YwBYfBeKoStoh60aBm072JlWS5/SprDysqMa9xpSxy\npz9HuF5g3/slPaeohUCh8457LtdQgLzZDBbpOWHwpU55Oix+518qAEZ5AspdnHHe\n=8Y8Z\n-----END PGP MESSAGE-----\n",
		15	"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
		16	},
		17	{
		18	"created_at": "2022-02-22T10:29:34Z",
		19	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAk0ne1fjj2mV1P+4GDfDE/1SuyvWJ6sqKjkfYgdneNEIw\ns1qLAQzboXcMm073fV/XiegSP4AVL5sa6TOy+ajHGedOk2AkTBa9dYj0QJLJAxxW\n0l4BJdS01hYhj51x2CjAMan37oDZaoNr1Z9V6SPxfnLIs74kPZuAWT9U5YvoD8bj\nwEPGgvJOHPSQbmKpRXsd7MIHxRAe2PEsTGujd6CEv+ZAfjG95EpW5P6Aie73ZZE+\n=1kB3\n-----END PGP MESSAGE-----\n",
		20	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
		21	}
		22	],
		23	"unencrypted_suffix": "_unencrypted",
		24	"version": "3.7.1"
		25	}
		26	} \ No newline at end of file