-rw-r--r-- | hosts/surtr/dns/zones/consulting.kleen.soa | 4 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/email.bouncy.soa | 6 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/li.141.soa | 4 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/li.synapse.soa | 6 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/li.yggdrasil.soa | 6 | ||||
-rw-r--r-- | hosts/surtr/email/default.nix | 4 | ||||
-rw-r--r-- | hosts/surtr/etebase/default.nix | 4 | ||||
-rw-r--r-- | hosts/surtr/http/default.nix | 2 | ||||
-rw-r--r-- | hosts/surtr/http/webdav/default.nix | 2 | ||||
-rw-r--r-- | hosts/surtr/matrix/default.nix | 4 | ||||
-rw-r--r-- | hosts/surtr/ruleset.nft | 4 |
11 files changed, 7 insertions, 39 deletions
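--- a/hosts/surtr/dns/zones/consulting.kleen.soa
+++ b/hosts/surtr/dns/zones/consulting.kleen.soa
@@ -1,7 +1,7 @@
 $ORIGIN kleen.consulting.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013001 ; serial
+2023013000 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -71,5 +71,3 @@ mta-sts IN AAAA 2a03:4000:52:ada::
 mta-sts IN MX 0 mailin.kleen.consulting.
 mta-sts IN TXT "v=spf1 redirect=kleen.consulting"
 _acme-challenge.mta-sts IN NS ns.yggdrasil.li.
-
-mta-sts IN HTTPS 1 . alpn="h2,h3"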
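Review bot: The SOA serial on line 4 goes backwards, from 2023013001 to 2023013000, so any secondary or cache that already holds the 2023013001 copy will consider this zone older and never pick up the removal of the `mta-sts HTTPS` record (serial comparison is RFC 1982 arithmetic; a lower value is ignored, not treated as a change). Reverting the record is fine, but the serial must still move above the last published value: `2023013002 ; serial`. Until it does, secondaries (if this zone has any) keep advertising alpn h3 for mta-sts for up to the 604800s expire window while the host no longer accepts UDP 443.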
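--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013002 ; serial
+2023013000 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -69,8 +69,6 @@ spm IN MX 0 mailin.bouncy.email.
 spm IN TXT "v=spf1 redirect=bouncy.email"
 _acme-challenge.spm IN NS ns.yggdrasil.li.
 
-spm IN HTTPS 1 . alpn="h2,h3"
-
 _mta-sts IN TXT "v=STSv1; id=2022100600"
 _smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:postmaster@bouncy.email"
 mta-sts IN A 202.61.241.61
@@ -78,5 +76,3 @@ mta-sts IN AAAA 2a03:4000:52:ada::
 mta-sts IN MX 0 mailin.bouncy.email.
 mta-sts IN TXT "v=spf1 redirect=bouncy.email"
 _acme-challenge.mta-sts IN NS ns.yggdrasil.li.
-
-mta-sts IN HTTPS 1 . alpn="h2,h3"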
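Review bot: Line 4 lowers the SOA serial from 2023013002 to 2023013000, which is a regression rather than a bump: a secondary holding serial 2023013002 treats its copy as newer and keeps serving the deleted `spm` and `mta-sts` HTTPS records. This zone had already been bumped twice on the same day, so the new value has to exceed 2023013002, not merely 2023013001: `2023013003 ; serial`. Note the `_mta-sts` policy id on line 72 is correctly left alone, since the MTA-STS policy itself did not change.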
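--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013001 ; serial
+2023013000 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -35,8 +35,6 @@ surtr IN TXT "v=spf1 redirect=yggdrasil.li"
 webdav IN CNAME surtr.yggdrasil.li.
 _acme-challenge.webdav IN NS ns.yggdrasil.li.
 
-webdav IN HTTPS 1 . alpn="h2,h3"
-
 ymir IN A 188.68.51.254
 ymir IN AAAA 2a03:4000:6:d004::
 ymir IN MX 0 ymir.yggdrasil.li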
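Review bot: The serial on line 4 is reverted from 2023013001 to 2023013000 along with the content, so anything that already transferred serial 2023013001 will not notice that the `webdav HTTPS` record is gone. A revert of zone data still needs a fresh, strictly higher serial: `2023013002 ; serial`. Line 38 also removes the only record that sat beside the `webdav CNAME`; that is fine on its own, since HTTPS alongside a CNAME at the same owner name is not valid anyway, but it is worth stating in the commit message why the record existed.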
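--- a/hosts/surtr/dns/zones/li.synapse.soa
+++ b/hosts/surtr/dns/zones/li.synapse.soa
@@ -1,7 +1,7 @@
 $ORIGIN synapse.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013002 ; serial
+2023013000 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -23,14 +23,10 @@ $TTL 3600
 
 _matrix._tcp IN SRV 5 0 443 synapse.li.
 
-@ IN HTTPS 1 . alpn="h2,h3"
-
 element IN A 202.61.241.61
 element IN AAAA 2a03:4000:52:ada::
 _acme-challenge.element IN NS ns.yggdrasil.li.
 
-element IN HTTPS 1 . alpn="h2,h3"
-
 turn IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
 turn IN CAA 128 issue "sectigo.com; validationmethods=dns-01"
 turn IN CAA 128 iodef "mailto:caa@yggdrasil.li"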
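Review bot: Line 4 moves the SOA serial down from 2023013002 to 2023013000, so the removal of the apex `@ HTTPS` and `element HTTPS` records on lines 26 and 32 will not propagate to any secondary that already loaded serial 2023013002. The serial has to go up even when the data goes back: `2023013003 ; serial`. The apex record matters most here, because Matrix federation discovery via the `_matrix._tcp` SRV on line 24 lands on the apex name, so a stale HTTPS record with alpn h3 would keep steering federating servers toward a QUIC port the host no longer accepts.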
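--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-2023013001 ; serial
+2023013000 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -59,16 +59,12 @@ etesync IN MX 0 surtr.yggdrasil.li
 etesync IN TXT "v=spf1 redirect=surtr.yggdrasil.li"
 _acme-challenge.etesync IN NS ns.yggdrasil.li.
 
-etesync IN HTTPS 1 . alpn="h2,h3"
-
 app.etesync IN A 202.61.241.61
 app.etesync IN AAAA 2a03:4000:52:ada::
 app.etesync IN MX 0 surtr.yggdrasil.li
 app.etesync IN TXT "v=spf1 redirect=surtr.yggdrasil.li"
 _acme-challenge.app.etesync IN NS ns.yggdrasil.li.
 
-app.etesync IN HTTPS 1 . alpn="h2,h3"
-
 vidhar IN AAAA 2a03:4000:52:ada:4:1::
 vidhar IN MX 0 ymir.yggdrasil.li
 vidhar IN TXT "v=spf1 redirect=yggdrasil.li"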
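Review bot: The serial on line 4 is decremented from 2023013001 to 2023013000, which means the deletion of the `etesync` and `app.etesync` HTTPS records on lines 62 and 70 is invisible to any secondary that already holds serial 2023013001. Since this zone is also the one that hosts ns.yggdrasil.li itself, a stuck secondary here would be the hardest to notice. Bump instead of revert: `2023013002 ; serial`.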
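--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -716,8 +716,6 @@ in {
 
 virtualHosts = listToAttrs (map (domain: nameValuePair "spm.${domain}" {
 forceSSL = true;
-kTLS = true;
-http3 = true;
 sslCertificate = "/run/credentials/nginx.service/spm.${domain}.pem";
 sslCertificateKey = "/run/credentials/nginx.service/spm.${domain}.key.pem";
 extraConfig = ''
@@ -736,8 +734,6 @@ in {
 };
 }) spmDomains) // listToAttrs (map (domain: nameValuePair "mta-sts.${domain}" {
 forceSSL = true;
-kTLS = true;
-http3 = true;
 sslCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.pem";
 sslCertificateKey = "/run/credentials/nginx.service/mta-sts.${domain}.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.chain.pem";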
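--- a/hosts/surtr/etebase/default.nix
+++ b/hosts/surtr/etebase/default.nix
@@ -50,8 +50,6 @@
 
 virtualHosts = {
 "etesync.yggdrasil.li" = {
-kTLS = true;
-http3 = true;
 forceSSL = true;
 sslCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/etesync.yggdrasil.li.key.pem";
@@ -83,8 +81,6 @@
 };
 
 "app.etesync.yggdrasil.li" = {
-kTLS = true;
-http3 = true;
 forceSSL = true;
 sslCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.key.pem";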
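--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -7,7 +7,7 @@
 config = {
 services.nginx = {
 enable = true;
-package = pkgs.nginxQuic;
+# package = pkgs.nginxQuic;
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;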
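Review bot: Line 10 leaves `package = pkgs.nginxQuic;` as a commented-out line with no reason attached, so the next reader cannot tell whether HTTP/3 is off temporarily or for good, and nginx now quietly falls back to whatever default package the NixOS module selects. Either delete the line or keep it with the intent spelled out, e.g. `# package = pkgs.nginxQuic; # HTTP/3 disabled; re-enable together with http3 = true on the vhosts and UDP 443/8448 in ruleset.nft`. Tying the three places together in one comment matters because this commit had to touch all of them and a partial re-enable would fail at nginx config time or be silently blocked by the firewall. The `services.nginx` attribute set continues outside this hunk.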
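--- a/hosts/surtr/http/webdav/default.nix
+++ b/hosts/surtr/http/webdav/default.nix
@@ -36,8 +36,6 @@ in {
 
 virtualHosts."webdav.141.li" = {
 forceSSL = true;
-kTLS = true;
-http3 = true;
 sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";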
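--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -151,8 +151,6 @@ with lib;
 sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
-kTLS = true;
-http3 = true;
 listen = [
 { addr = "0.0.0.0"; port = 443; ssl = true; }
 { addr = "[::0]"; port = 443; ssl = true; }
@@ -201,8 +199,6 @@ with lib;
 
 virtualHosts."element.synapse.li" = {
 forceSSL = true;
-kTLS = true;
-http3 = true;
 sslCertificate = "/run/credentials/nginx.service/element.synapse.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";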
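--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -171,7 +171,6 @@ table inet filter {
 udp dport 53 counter name dns-rx accept
 
 tcp dport {80, 443, 8448} counter name http-rx accept
-udp dport {443, 8448} counter name http-rx accept
 
 tcp dport {3478, 5349} counter name stun-rx accept
 udp dport {3478, 5349} counter name stun-rx accept
@@ -216,8 +215,7 @@ table inet filter {
 meta protocol ip6 udp sport {51821, 51822} counter name wg-tx
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
 
-tcp sport {80, 443, 8448} counter name http-tx accept
-udp sport {443, 8448} counter name http-tx accept
+tcp sport {80,443,8448} counter name http-tx accept
 
 tcp sport {3478, 5349} counter name stun-tx accept
 udp sport {3478, 5349} counter name stun-tx accept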
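Review bot: Removing the `udp dport {443, 8448}` accept on line 174 means QUIC attempts from clients that still hold a cached `HTTPS ... alpn="h2,h3"` answer or an Alt-Svc hint fall through to the chain's default handling, which this hunk does not show; if that default is a silent drop, those clients may sit through a QUIC timeout before retrying over TCP. For the cache-out window consider an explicit reject so they fail fast, `udp dport {443, 8448} counter name http-rx reject`, and drop it once the zone TTLs have expired. Separately, the rewritten line 218 `tcp sport {80,443,8448}` loses the spaces that every other set literal in this file uses (`{80, 443, 8448}` on line 173, `{3478, 5349}` below); keep the spacing consistent. Both the input and output chains continue outside this hunk.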