-rw-r--r--hosts/surtr/dns/zones/consulting.kleen.soa4
-rw-r--r--hosts/surtr/dns/zones/email.bouncy.soa6
-rw-r--r--hosts/surtr/dns/zones/li.141.soa4
-rw-r--r--hosts/surtr/dns/zones/li.synapse.soa6
-rw-r--r--hosts/surtr/dns/zones/li.yggdrasil.soa6
-rw-r--r--hosts/surtr/email/default.nix4
-rw-r--r--hosts/surtr/etebase/default.nix4
-rw-r--r--hosts/surtr/http/default.nix2
-rw-r--r--hosts/surtr/http/webdav/default.nix2
-rw-r--r--hosts/surtr/matrix/default.nix4
-rw-r--r--hosts/surtr/ruleset.nft4
11 files changed, 7 insertions, 39 deletions
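diff --git a/hosts/surtr/dns/zones/consulting.kleen.soa b/hosts/surtr/dns/zones/consulting.kleen.soa
index 5597491d..7f358b61 100644
--- a/hosts/surtr/dns/zones/consulting.kleen.soa
+++ b/hosts/surtr/dns/zones/consulting.kleen.soa
@@ -1,7 +1,7 @@
 $ORIGIN kleen.consulting.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2023013001 ; serial
+ 2023013000 ; serial
  10800 ; refresh
  3600 ; retry
  604800 ; expire
@@ -71,5 +71,3 @@ mta-sts IN AAAA 2a03:4000:52:ada::
 mta-sts IN MX 0 mailin.kleen.consulting.
 mta-sts IN TXT "v=spf1 redirect=kleen.consulting"
 _acme-challenge.mta-sts IN NS ns.yggdrasil.li.
-
-mta-sts IN HTTPS 1 . alpn="h2,h3"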
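Review bot: The SOA serial on line 4 of the new side moves backwards, from 2023013001 to 2023013000, and the same regression appears in email.bouncy.soa and li.synapse.soa (2023013002 to 2023013000) and in li.141.soa and li.yggdrasil.soa (2023013001 to 2023013000). Under RFC 1982 serial arithmetic a secondary that already holds the higher serial treats the new zone as older and will not transfer it, so the removal of the `HTTPS 1 . alpn="h2,h3"` records may never reach resolvers served from secondaries, which would keep advertising HTTP/3 that this commit stops accepting in ruleset.nft. Whether ns.yggdrasil.li has secondaries is not visible here; if it does, each of the five zones needs a serial above the highest value previously published, for example `2023013003 ; serial` (a constructed value following the existing YYYYMMDDNN pattern).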
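diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa
index 8906fa84..de14e610 100644
--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2023013002 ; serial
+ 2023013000 ; serial
  10800 ; refresh
  3600 ; retry
  604800 ; expire
@@ -69,8 +69,6 @@ spm IN MX 0 mailin.bouncy.email.
 spm IN TXT "v=spf1 redirect=bouncy.email"
 _acme-challenge.spm IN NS ns.yggdrasil.li.
 
-spm IN HTTPS 1 . alpn="h2,h3"
-
 _mta-sts IN TXT "v=STSv1; id=2022100600"
 _smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:postmaster@bouncy.email"
 mta-sts IN A 202.61.241.61
@@ -78,5 +76,3 @@ mta-sts IN AAAA 2a03:4000:52:ada::
 mta-sts IN MX 0 mailin.bouncy.email.
 mta-sts IN TXT "v=spf1 redirect=bouncy.email"
 _acme-challenge.mta-sts IN NS ns.yggdrasil.li.
-
-mta-sts IN HTTPS 1 . alpn="h2,h3"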
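diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa
index 507408e8..b17e7f6e 100644
--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2023013001 ; serial
+ 2023013000 ; serial
  10800 ; refresh
  3600 ; retry
  604800 ; expire
@@ -35,8 +35,6 @@ surtr IN TXT "v=spf1 redirect=yggdrasil.li"
 webdav IN CNAME surtr.yggdrasil.li.
 _acme-challenge.webdav IN NS ns.yggdrasil.li.
 
-webdav IN HTTPS 1 . alpn="h2,h3"
-
 ymir IN A 188.68.51.254
 ymir IN AAAA 2a03:4000:6:d004::
 ymir IN MX 0 ymir.yggdrasil.li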
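diff --git a/hosts/surtr/dns/zones/li.synapse.soa b/hosts/surtr/dns/zones/li.synapse.soa
index 564df7a3..e2d1fa22 100644
--- a/hosts/surtr/dns/zones/li.synapse.soa
+++ b/hosts/surtr/dns/zones/li.synapse.soa
@@ -1,7 +1,7 @@
 $ORIGIN synapse.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2023013002 ; serial
+ 2023013000 ; serial
  10800 ; refresh
  3600 ; retry
  604800 ; expire
@@ -23,14 +23,10 @@ $TTL 3600
 
 _matrix._tcp IN SRV 5 0 443 synapse.li.
 
-@ IN HTTPS 1 . alpn="h2,h3"
-
 element IN A 202.61.241.61
 element IN AAAA 2a03:4000:52:ada::
 _acme-challenge.element IN NS ns.yggdrasil.li.
 
-element IN HTTPS 1 . alpn="h2,h3"
-
 turn IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
 turn IN CAA 128 issue "sectigo.com; validationmethods=dns-01"
 turn IN CAA 128 iodef "mailto:caa@yggdrasil.li"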
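diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index 62468570..25cad30b 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2023013001 ; serial
+ 2023013000 ; serial
  10800 ; refresh
  3600 ; retry
  604800 ; expire
@@ -59,16 +59,12 @@ etesync IN MX 0 surtr.yggdrasil.li
 etesync IN TXT "v=spf1 redirect=surtr.yggdrasil.li"
 _acme-challenge.etesync IN NS ns.yggdrasil.li.
 
-etesync IN HTTPS 1 . alpn="h2,h3"
-
 app.etesync IN A 202.61.241.61
 app.etesync IN AAAA 2a03:4000:52:ada::
 app.etesync IN MX 0 surtr.yggdrasil.li
 app.etesync IN TXT "v=spf1 redirect=surtr.yggdrasil.li"
 _acme-challenge.app.etesync IN NS ns.yggdrasil.li.
 
-app.etesync IN HTTPS 1 . alpn="h2,h3"
-
 vidhar IN AAAA 2a03:4000:52:ada:4:1::
 vidhar IN MX 0 ymir.yggdrasil.li
 vidhar IN TXT "v=spf1 redirect=yggdrasil.li"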
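diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 01c22ce5..0e2a78eb 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -716,8 +716,6 @@ in {
 
  virtualHosts = listToAttrs (map (domain: nameValuePair "spm.${domain}" {
  forceSSL = true;
- kTLS = true;
- http3 = true;
  sslCertificate = "/run/credentials/nginx.service/spm.${domain}.pem";
  sslCertificateKey = "/run/credentials/nginx.service/spm.${domain}.key.pem";
  extraConfig = ''
@@ -736,8 +734,6 @@ in {
  };
  }) spmDomains) // listToAttrs (map (domain: nameValuePair "mta-sts.${domain}" {
  forceSSL = true;
- kTLS = true;
- http3 = true;
  sslCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.pem";
  sslCertificateKey = "/run/credentials/nginx.service/mta-sts.${domain}.key.pem";
  sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.chain.pem";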
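diff --git a/hosts/surtr/etebase/default.nix b/hosts/surtr/etebase/default.nix
index 3b0bd9d3..ca6d84fe 100644
--- a/hosts/surtr/etebase/default.nix
+++ b/hosts/surtr/etebase/default.nix
@@ -50,8 +50,6 @@
 
  virtualHosts = {
  "etesync.yggdrasil.li" = {
- kTLS = true;
- http3 = true;
  forceSSL = true;
  sslCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.pem";
  sslCertificateKey = "/run/credentials/nginx.service/etesync.yggdrasil.li.key.pem";
@@ -83,8 +81,6 @@
  };
 
  "app.etesync.yggdrasil.li" = {
- kTLS = true;
- http3 = true;
  forceSSL = true;
  sslCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.pem";
  sslCertificateKey = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.key.pem";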
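diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix
index 6b516b00..3d7f3ebf 100644
--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -7,7 +7,7 @@
  config = {
  services.nginx = {
  enable = true;
- package = pkgs.nginxQuic;
+ # package = pkgs.nginxQuic;
  recommendedGzipSettings = true;
  recommendedProxySettings = true;
  recommendedTlsSettings = true;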
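Review bot: Line 10 of the new side keeps `package = pkgs.nginxQuic;` as a commented-out assignment instead of deleting it, which leaves dead configuration in the module with no indication of whether it is a temporary toggle or a permanent revert; the rest of the commit removes `http3 = true` and `kTLS = true` from every vhost, so the revert is complete without it and git history retains the old value. If the line is meant to stay as a reminder, a one-line reason would help the next reader, e.g. `# QUIC/HTTP3 disabled: vhosts no longer set http3, udp 443/8448 closed in ruleset.nft`. With the line commented out nginx presumably falls back to the NixOS module's default package, which is worth confirming against the TLS settings still enabled below. The enclosing `services.nginx` attribute set continues past the hunk.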
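diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix
index f94935ee..c5a94996 100644
--- a/hosts/surtr/http/webdav/default.nix
+++ b/hosts/surtr/http/webdav/default.nix
@@ -36,8 +36,6 @@ in {
 
  virtualHosts."webdav.141.li" = {
  forceSSL = true;
- kTLS = true;
- http3 = true;
  sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
  sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
  sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";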
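diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 96cceb89..5b89e321 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -151,8 +151,6 @@ with lib;
  sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
  sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
  sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
- kTLS = true;
- http3 = true;
  listen = [
  { addr = "0.0.0.0"; port = 443; ssl = true; }
  { addr = "[::0]"; port = 443; ssl = true; }
@@ -201,8 +199,6 @@ with lib;
 
  virtualHosts."element.synapse.li" = {
  forceSSL = true;
- kTLS = true;
- http3 = true;
  sslCertificate = "/run/credentials/nginx.service/element.synapse.li.pem";
  sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
  sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";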
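diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index ee72614f..4993b6b7 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -171,7 +171,6 @@ table inet filter {
  udp dport 53 counter name dns-rx accept
 
  tcp dport {80, 443, 8448} counter name http-rx accept
- udp dport {443, 8448} counter name http-rx accept
 
  tcp dport {3478, 5349} counter name stun-rx accept
  udp dport {3478, 5349} counter name stun-rx accept
@@ -216,8 +215,7 @@ table inet filter {
  meta protocol ip6 udp sport {51821, 51822} counter name wg-tx
  iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
 
- tcp sport {80, 443, 8448} counter name http-tx accept
+ tcp sport {80,443,8448} counter name http-tx accept
- udp sport {443, 8448} counter name http-tx accept
 
  tcp sport {3478, 5349} counter name stun-tx accept
  udp sport {3478, 5349} counter name stun-tx accept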
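Review bot: The rewritten egress rule on the new side of the second hunk, `tcp sport {80,443,8448} counter name http-tx accept`, drops the spaces inside the set while the matching ingress rule at line 173 and every other set in both hunks keep the `{80, 443, 8448}` form; the two should be written alike, e.g. `tcp sport {80, 443, 8448} counter name http-tx accept`, since the functional change here is only the deletion of the udp line below it. Closing the udp 443/8448 accept rules on both chains matches the http3 removal in the nginx vhosts, so no UDP accept is left for a service that is no longer listening. Both hunks sit inside the `table inet filter` block, whose chains start and end outside the hunks.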