6 files changed, 154 insertions, 11 deletions
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index 30a9e165..add50653 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
 {
  imports = with flake.nixosModules.systemProfiles; [
    qemu-guest openssh rebuild-machines zfs
-    ./zfs.nix ./dns ./tls.nix ./http.nix ./bifrost
+    ./zfs.nix ./dns ./tls ./http.nix ./bifrost
  ];
  config = {
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index feb56195..9a72a2c6 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -1,5 +1,18 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
-{
+with lib;
+let
+  acmeChallengeZonefile = domain: let
+    reverseDomain = concatStringsSep "." (reverseList ("_acme-challenge" ++ splitString "." domain));
+  in pkgs.writeText "${reverseDomain}.zone" ''
+    $ORIGIN ${domain}.
+    @ 3600 IN SOA _acme-challenge.${domain}. root.yggdrasil.li. 2022022102 7200 3600 86400 300
+    $TTL 300
+         IN NS ns.yggdrasil.li.
+  '';
+in {
  config = {
    fileSystems."/var/lib/knot" =
      { device = "surtr/safe/var-lib-knot";
@@ -10,6 +23,9 @@
    
    services.knot = {
      enable = true;
+      keyFiles = [
+        config.sops.secrets."acme_rheperire.org_key".path
+      ];
      extraConfig = ''
        server:
          listen: 127.0.0.1@53
@@ -27,6 +43,9 @@
          - id: inwx_acl
            address: 185.181.104.96
            action: transfer
+          - id: rheperire.org_acme_acl
+            key: rheperire.org_acme_key
+            action: update
        mod-rrl:
          - id: default
@@ -71,6 +90,15 @@
            dnssec-policy: ed25519
            notify: [inwx_notify]
            acl: [inwx_acl]
+          - id: acme_zone
+            storage: /var/lib/knot
+            zonefile-sync: -1
+            zonefile-load: difference-no-serial
+            serial-policy: dateserial
+            journal-content: all
+            semantic-checks: on
+            dnssec-signing: on
+            dnssec-policy: ed25519
        zone:
          - domain: yggdrasil.li
@@ -104,9 +132,21 @@
          - domain: rheperire.org
            template: inwx_zone
            file: ${./zones/org.rheperire.soa}
+          - domain: _acme-challenge.rheperire.org
+            template: acme_zone
+            acl: [ rheperire.org_acme_acl ]
+            file: ${acmeChallengeZonefile "rheperire.org"}
      '';
    };
+    sops.secrets = {
+      "rheperire.org_acme_key.yaml" = {
+        format = "yaml";
+        owner = "knot";
+        sopsFile = ./keys/rheperire.org_acme.yaml;
+      };
+    };
    fileSystems."/var/lib/unbound" =
      { device = "surtr/local/var-lib-unbound";
diff --git a/hosts/surtr/dns/keys/.sops.yaml b/hosts/surtr/dns/keys/.sops.yaml
new file mode 100644
index 00000000..4f536273
--- /dev/null
+++ b/hosts/surtr/dns/keys/.sops.yaml
@@ -0,0 +1,3 @@
+creation_rules:
+  - path_regex: "\\.yaml$"
+    unencrypted_regex: "^(id|algorithm)$"
diff --git a/hosts/surtr/dns/keys/rheperire.org_acme.yaml b/hosts/surtr/dns/keys/rheperire.org_acme.yaml
new file mode 100644
index 00000000..16f6d19e
--- /dev/null
+++ b/hosts/surtr/dns/keys/rheperire.org_acme.yaml
@@ -0,0 +1,38 @@
+#ENC[AES256_GCM,data:exIBsQRSUnOhewl0P3WCqktpjsdFFIJ610rodabSsbKK/XF/0WwRU2ErAyv3wlmtXUJMY3jSugkzbRmnND9GIrj6n8M20BVoOeXzUA==,iv:SJBizi+kSa80964nQ78+43sapNDTGifSiV1kOheuujk=,tag:j4eowYRr4cmwUzXGwm3CAA==,type:comment]
+key:
+    - id: rheperire.org_acme
+      algorithm: hmac-sha256
+      secret: ENC[AES256_GCM,data:rgw4nQczDhEeI5JMl1fJA3HX5ZVBpjTQEEk2pkA3c9M1CWYpFvzFRtCAxe8=,iv:Y0G3+A161Lefpwknm+S2jj8rTfm/jlrP+pnR3vR6/mk=,tag:IHsCnkIU2p3hCmRokecbtw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-02-22T09:17:59Z"
+    mac: ENC[AES256_GCM,data:tYWQT6iDQGsYm4zCtNbqvZhIYIMm3+Q9faRbqVpeERdq3oJlEvKIL3MAP2fj6789EbCKf/6zdah5HzYK9k4RsZWxtPfqxYXZp7gWvWwKwm5MRZfQtYzR7ThhD/8QANJKLVffl+PknJqhUYsUq9aeYTbLnyuR2AHY1WkR/fPwcLg=,iv:wGmozslNHE1dc4tpmNVGQJw2hhojB4L3gf7qu963ItA=,tag:4WrPw6biusQDV1OTWmXv6Q==,type:str]
+    pgp:
+        - created_at: "2022-02-22T09:17:59Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+            hF4DyFKFNkTVG5oSAQdAcxKwhh0Poivpl/A7YU53ab+rMWLWKRpeUSwehL6LPEMw
+            zv+AtmWUPtAL1GpyruFTYoT0P7CJ/PJLYYUDZPH/4oNcaU+5XiBi6sj3svWH5HQE
+            0l4BBkvxjYvgPNYSw68AJz/AlzRig4SL7q1VwaYH9w+UWnpwK2CeIZSn11lzDdcj
+            8jUZK34aJFFcGWBM2ZKEtQDm3n5B2nRxwb5kLjqwith5zczJ289VNPDmnlVRU4BA
+            =i8zc
+            -----END PGP MESSAGE-----
+          fp: 7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8
+        - created_at: "2022-02-22T09:17:59Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+            hF4DXxoViZlp6dISAQdALxbhftpZmVeTmFU8ujPPR5w0Z8ljkZbI8SHAWmC2QEIw
+            iTS491iicbH7kzF+l3SZZ1XAFn9p4ZjQyZNeOHXD/q1KXxCWGn3UTRSbXlgzzmKZ
+            0l4BSZpnpgmEgLospl5mS6smVEO58Q3XXjVTQVKAjQaxD9Oe1DRCgW4kOq4xKGWS
+            xF55QHP3bPt5ziF2nwF+Gs28HW4UzAFVcr7r7Bz9CxwHixFx5qjvzAWh+Pp+TdY0
+            =hSUL
+            -----END PGP MESSAGE-----
+          fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+    unencrypted_regex: ^(id|algorithm)$
+    version: 3.7.1
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls/default.nix
index 2ff26e35..a1548feb 100644
--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls/default.nix
@@ -1,8 +1,12 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, customUtils, pkgs, ... }:
 with lib;
 let
+  inherit (customUtils) mapFilterAttrs;
+  tsigSecretName = domain: "${domain}_tsig-secret";
  cfg = config.security.acme;
  knotCfg = config.services.knot;
  
@@ -94,16 +98,48 @@ in {
      };
      certs =
        let
-          domainAttrset = domain: {
+          domainAttrset = domain: let
-            inherit domain;
+            tsigPath = ./tsig_keys + "/${domain}";
-            extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
+            tsigSecret = config.sops.secrets.${tsigSecretName domain};
-            dnsProvider = "exec";
+            isTsig = pathExists tsigPath;
-            credentialsFile = knotDNSCredentials domain;
+            shared = {
-            dnsResolver = "1.1.1.1:53";
+              inherit domain;
-          } // cfg.domains.${domain}.certCfg;
+              extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
+              dnsResolver = "127.0.0.1:5353";
+            };
+            mkKnotc = shared // {
+              dnsProvider = "exec";
+              credentialsFile = knotDNSCredentials domain;
+            };
+            mkRFC2136 = let
+              tsigInfo = readYaml tsigPath;
+            in shared // {
+              dnsProvider = "rfc2136";
+              credentialsFile = pkgs.writeText "${domain}_credentials.env" ''
+                RFC2136_NAMESERVER=127.0.0.1:53
+                RFC2136_TSIG_ALGORITHM=hmac-sha256.
+                RFC2136_TSIG_KEY=${domain}_acme
+                RFC2136_TSIG_SECRET_FILE=${tsigSecret.path}
+                RFC2136_PROPAGATION_TIMEOUT=300
+                RFC2136_POLLING_INTERVAL=5
+                RFC2136_TTL=300
+              '';
+            };
+          in  // cfg.domains.${domain}.certCfg;
        in genAttrs (attrNames cfg.domains) domainAttrset;
    };
+    sops.secrets = let
+      toTSIGSecret = n: v:
+        if v == "regular" || v == "symlink"
+        then nameValuePair (tsigSecretName n) {
+          format = "binary";
+          owner = if config.security.acme.useRoot then "root" else "acme";
+          group = "acme";
+          sopsFile = ./tsig_keys + "/${n}";
+        } else null;
+    in mapFilterAttrs (_: v: v != null) toTSIGSecret (readDir ./tsig_keys);
    systemd.services =
      let
        serviceAttrset = domain: {
diff --git a/hosts/surtr/tls/tsig_keys/rheperire.org b/hosts/surtr/tls/tsig_keys/rheperire.org
new file mode 100644
index 00000000..1f3dc4a4
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/rheperire.org
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:Lb1IWtwPdBxeXGrOr74MlR7lKBMIg2ix3enRMVN4MPEDh7CIFv1nhAfLCDU=,iv:TcyGtcKEL7yUXgHrfJ5pDjl8r5V7ltYQw2wcnsFN1bc=,tag:gBaYj6MkQKvD/uO+Pudnzg==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-02-22T09:46:27Z",
+                "mac": "ENC[AES256_GCM,data:vtymuSymOeh34ZbAumxCEcemtI0UFBoQwj4axpKf7AzVnQOubWYxPI5x23CiOE12Y+FThg1dYEnDWlkkQjMVWQvcJzfP1g25S98MuZ42E9R0nBxGzTrIaKS7kgNAriYDy8ib7Z3DUbajEGfvLLazCdHu3g9gE0dLewKcUTHaXwM=,iv:j8vS2Ej58HLf+CP9fe1rN+4UuniGlv/0M+Zzt3nlk5I=,tag:xn33GGm2knsIdH+EJ1zDcA==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-02-22T09:46:26Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA1++YsCSiRkVGoVF6uvYeY7JjZjsdjAUwubCF3fLDtS8w\nHFSQltgrqkul1Ei1fUFQqFbSpMSfBQhk0kMH0Xuk5SoDd1lWumqTP9gaJj/CM+yz\n0l4BHiQ4Ktyc01f127Az36nQZGKdJvL9etQAceNtNM7Y4XkLQ78OXFJoERrf81s/\n4wm5za7xqEBE1oE0QWAelzyjBqxI1iCjDl3p6heUdhqlcvAifXgqAk0qxq/4T4FG\n=2Bwl\n-----END PGP MESSAGE-----\n",
+                                "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+                        },
+                        {
+                                "created_at": "2022-02-22T09:46:26Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA4jg570qc5Zu3yAJPmjf11r20eYMyjAeEWw/RreZga3Uw\nmTy2jo/de11m3r/aIxp0Q/vFZ1m4JGeoIzIgQxGnhX0s0NpfCbCih0P7UMjZRatC\n0l4BCzWq7c0A2GbjPq+aKF2IYfQV5gdwjgCAJO3Oylb/SAltwnyGChANw4ckUCjV\n9DWYIcerMP2scxpjf5nJXpHNMjpGR7fcqS71PoVoJoActMqrG0deOMUSUEOVP8nR\n=+ux+\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
+\ No newline at end of file

diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index 30a9e165..add50653 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
2	{	2	{
3	imports = with flake.nixosModules.systemProfiles; [	3	imports = with flake.nixosModules.systemProfiles; [
4	qemu-guest openssh rebuild-machines zfs	4	qemu-guest openssh rebuild-machines zfs
5	./zfs.nix ./dns ./tls.nix ./http.nix ./bifrost	5	./zfs.nix ./dns ./tls ./http.nix ./bifrost
6	];	6	];
7		7
8	config = {	8	config = {


diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index feb56195..9a72a2c6 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix
@@ -1,5 +1,18 @@
1	{ pkgs, ... }:	1	{ pkgs, lib, ... }:
2	{	2
		3	with lib;
		4
		5	let
		6	acmeChallengeZonefile = domain: let
		7	reverseDomain = concatStringsSep "." (reverseList ("_acme-challenge" ++ splitString "." domain));
		8	in pkgs.writeText "${reverseDomain}.zone" ''
		9	$ORIGIN ${domain}.
		10	@ 3600 IN SOA _acme-challenge.${domain}. root.yggdrasil.li. 2022022102 7200 3600 86400 300
		11	$TTL 300
		12
		13	IN NS ns.yggdrasil.li.
		14	'';
		15	in {
3	config = {	16	config = {
4	fileSystems."/var/lib/knot" =	17	fileSystems."/var/lib/knot" =
5	{ device = "surtr/safe/var-lib-knot";	18	{ device = "surtr/safe/var-lib-knot";
@@ -10,6 +23,9 @@
10		23
11	services.knot = {	24	services.knot = {
12	enable = true;	25	enable = true;
		26	keyFiles = [
		27	config.sops.secrets."acme_rheperire.org_key".path
		28	];
13	extraConfig = ''	29	extraConfig = ''
14	server:	30	server:
15	listen: 127.0.0.1@53	31	listen: 127.0.0.1@53
@@ -27,6 +43,9 @@
27	- id: inwx_acl	43	- id: inwx_acl
28	address: 185.181.104.96	44	address: 185.181.104.96
29	action: transfer	45	action: transfer
		46	- id: rheperire.org_acme_acl
		47	key: rheperire.org_acme_key
		48	action: update
30		49
31	mod-rrl:	50	mod-rrl:
32	- id: default	51	- id: default
@@ -71,6 +90,15 @@
71	dnssec-policy: ed25519	90	dnssec-policy: ed25519
72	notify: [inwx_notify]	91	notify: [inwx_notify]
73	acl: [inwx_acl]	92	acl: [inwx_acl]
		93	- id: acme_zone
		94	storage: /var/lib/knot
		95	zonefile-sync: -1
		96	zonefile-load: difference-no-serial
		97	serial-policy: dateserial
		98	journal-content: all
		99	semantic-checks: on
		100	dnssec-signing: on
		101	dnssec-policy: ed25519
74		102
75	zone:	103	zone:
76	- domain: yggdrasil.li	104	- domain: yggdrasil.li
@@ -104,9 +132,21 @@
104	- domain: rheperire.org	132	- domain: rheperire.org
105	template: inwx_zone	133	template: inwx_zone
106	file: ${./zones/org.rheperire.soa}	134	file: ${./zones/org.rheperire.soa}
		135	- domain: _acme-challenge.rheperire.org
		136	template: acme_zone
		137	acl: [ rheperire.org_acme_acl ]
		138	file: ${acmeChallengeZonefile "rheperire.org"}
107	'';	139	'';
108	};	140	};
109		141
		142	sops.secrets = {
		143	"rheperire.org_acme_key.yaml" = {
		144	format = "yaml";
		145	owner = "knot";
		146	sopsFile = ./keys/rheperire.org_acme.yaml;
		147	};
		148	};
		149
110		150
111	fileSystems."/var/lib/unbound" =	151	fileSystems."/var/lib/unbound" =
112	{ device = "surtr/local/var-lib-unbound";	152	{ device = "surtr/local/var-lib-unbound";


diff --git a/hosts/surtr/dns/keys/.sops.yaml b/hosts/surtr/dns/keys/.sops.yaml new file mode 100644 index 00000000..4f536273 --- /dev/null +++ b/hosts/surtr/dns/keys/.sops.yaml
@@ -0,0 +1,3 @@
		1	creation_rules:
		2	- path_regex: "\\.yaml$"
		3	unencrypted_regex: "^(id\|algorithm)$"


diff --git a/hosts/surtr/dns/keys/rheperire.org_acme.yaml b/hosts/surtr/dns/keys/rheperire.org_acme.yaml new file mode 100644 index 00000000..16f6d19e --- /dev/null +++ b/hosts/surtr/dns/keys/rheperire.org_acme.yaml
@@ -0,0 +1,38 @@
		1	#ENC[AES256_GCM,data:exIBsQRSUnOhewl0P3WCqktpjsdFFIJ610rodabSsbKK/XF/0WwRU2ErAyv3wlmtXUJMY3jSugkzbRmnND9GIrj6n8M20BVoOeXzUA==,iv:SJBizi+kSa80964nQ78+43sapNDTGifSiV1kOheuujk=,tag:j4eowYRr4cmwUzXGwm3CAA==,type:comment]
		2	key:
		3	- id: rheperire.org_acme
		4	algorithm: hmac-sha256
		5	secret: ENC[AES256_GCM,data:rgw4nQczDhEeI5JMl1fJA3HX5ZVBpjTQEEk2pkA3c9M1CWYpFvzFRtCAxe8=,iv:Y0G3+A161Lefpwknm+S2jj8rTfm/jlrP+pnR3vR6/mk=,tag:IHsCnkIU2p3hCmRokecbtw==,type:str]
		6	sops:
		7	kms: []
		8	gcp_kms: []
		9	azure_kv: []
		10	hc_vault: []
		11	age: []
		12	lastmodified: "2022-02-22T09:17:59Z"
		13	mac: ENC[AES256_GCM,data:tYWQT6iDQGsYm4zCtNbqvZhIYIMm3+Q9faRbqVpeERdq3oJlEvKIL3MAP2fj6789EbCKf/6zdah5HzYK9k4RsZWxtPfqxYXZp7gWvWwKwm5MRZfQtYzR7ThhD/8QANJKLVffl+PknJqhUYsUq9aeYTbLnyuR2AHY1WkR/fPwcLg=,iv:wGmozslNHE1dc4tpmNVGQJw2hhojB4L3gf7qu963ItA=,tag:4WrPw6biusQDV1OTWmXv6Q==,type:str]
		14	pgp:
		15	- created_at: "2022-02-22T09:17:59Z"
		16	enc: \|
		17	-----BEGIN PGP MESSAGE-----
		18
		19	hF4DyFKFNkTVG5oSAQdAcxKwhh0Poivpl/A7YU53ab+rMWLWKRpeUSwehL6LPEMw
		20	zv+AtmWUPtAL1GpyruFTYoT0P7CJ/PJLYYUDZPH/4oNcaU+5XiBi6sj3svWH5HQE
		21	0l4BBkvxjYvgPNYSw68AJz/AlzRig4SL7q1VwaYH9w+UWnpwK2CeIZSn11lzDdcj
		22	8jUZK34aJFFcGWBM2ZKEtQDm3n5B2nRxwb5kLjqwith5zczJ289VNPDmnlVRU4BA
		23	=i8zc
		24	-----END PGP MESSAGE-----
		25	fp: 7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8
		26	- created_at: "2022-02-22T09:17:59Z"
		27	enc: \|
		28	-----BEGIN PGP MESSAGE-----
		29
		30	hF4DXxoViZlp6dISAQdALxbhftpZmVeTmFU8ujPPR5w0Z8ljkZbI8SHAWmC2QEIw
		31	iTS491iicbH7kzF+l3SZZ1XAFn9p4ZjQyZNeOHXD/q1KXxCWGn3UTRSbXlgzzmKZ
		32	0l4BSZpnpgmEgLospl5mS6smVEO58Q3XXjVTQVKAjQaxD9Oe1DRCgW4kOq4xKGWS
		33	xF55QHP3bPt5ziF2nwF+Gs28HW4UzAFVcr7r7Bz9CxwHixFx5qjvzAWh+Pp+TdY0
		34	=hSUL
		35	-----END PGP MESSAGE-----
		36	fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
		37	unencrypted_regex: ^(id\|algorithm)$
		38	version: 3.7.1


diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls/default.nix index 2ff26e35..a1548feb 100644 --- a/hosts/surtr/tls.nix +++ b/hosts/surtr/tls/default.nix
@@ -1,8 +1,12 @@
1	{ config, lib, pkgs, ... }:	1	{ config, lib, customUtils, pkgs, ... }:
2		2
3	with lib;	3	with lib;
4		4
5	let	5	let
		6	inherit (customUtils) mapFilterAttrs;
		7
		8	tsigSecretName = domain: "${domain}_tsig-secret";
		9
6	cfg = config.security.acme;	10	cfg = config.security.acme;
7	knotCfg = config.services.knot;	11	knotCfg = config.services.knot;
8		12
@@ -94,16 +98,48 @@ in {
94	};	98	};
95	certs =	99	certs =
96	let	100	let
97	domainAttrset = domain: {	101	domainAttrset = domain: let
98	inherit domain;	102	tsigPath = ./tsig_keys + "/${domain}";
99	extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";	103	tsigSecret = config.sops.secrets.${tsigSecretName domain};
100	dnsProvider = "exec";	104	isTsig = pathExists tsigPath;
101	credentialsFile = knotDNSCredentials domain;	105	shared = {
102	dnsResolver = "1.1.1.1:53";	106	inherit domain;
103	} // cfg.domains.${domain}.certCfg;	107	extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
		108	dnsResolver = "127.0.0.1:5353";
		109	};
		110	mkKnotc = shared // {
		111	dnsProvider = "exec";
		112	credentialsFile = knotDNSCredentials domain;
		113	};
		114	mkRFC2136 = let
		115	tsigInfo = readYaml tsigPath;
		116	in shared // {
		117	dnsProvider = "rfc2136";
		118	credentialsFile = pkgs.writeText "${domain}_credentials.env" ''
		119	RFC2136_NAMESERVER=127.0.0.1:53
		120	RFC2136_TSIG_ALGORITHM=hmac-sha256.
		121	RFC2136_TSIG_KEY=${domain}_acme
		122	RFC2136_TSIG_SECRET_FILE=${tsigSecret.path}
		123	RFC2136_PROPAGATION_TIMEOUT=300
		124	RFC2136_POLLING_INTERVAL=5
		125	RFC2136_TTL=300
		126	'';
		127	};
		128	in // cfg.domains.${domain}.certCfg;
104	in genAttrs (attrNames cfg.domains) domainAttrset;	129	in genAttrs (attrNames cfg.domains) domainAttrset;
105	};	130	};
106		131
		132	sops.secrets = let
		133	toTSIGSecret = n: v:
		134	if v == "regular" \|\| v == "symlink"
		135	then nameValuePair (tsigSecretName n) {
		136	format = "binary";
		137	owner = if config.security.acme.useRoot then "root" else "acme";
		138	group = "acme";
		139	sopsFile = ./tsig_keys + "/${n}";
		140	} else null;
		141	in mapFilterAttrs (_: v: v != null) toTSIGSecret (readDir ./tsig_keys);
		142
107	systemd.services =	143	systemd.services =
108	let	144	let
109	serviceAttrset = domain: {	145	serviceAttrset = domain: {


diff --git a/hosts/surtr/tls/tsig_keys/rheperire.org b/hosts/surtr/tls/tsig_keys/rheperire.org new file mode 100644 index 00000000..1f3dc4a4 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/rheperire.org
@@ -0,0 +1,26 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:Lb1IWtwPdBxeXGrOr74MlR7lKBMIg2ix3enRMVN4MPEDh7CIFv1nhAfLCDU=,iv:TcyGtcKEL7yUXgHrfJ5pDjl8r5V7ltYQw2wcnsFN1bc=,tag:gBaYj6MkQKvD/uO+Pudnzg==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": null,
		9	"lastmodified": "2022-02-22T09:46:27Z",
		10	"mac": "ENC[AES256_GCM,data:vtymuSymOeh34ZbAumxCEcemtI0UFBoQwj4axpKf7AzVnQOubWYxPI5x23CiOE12Y+FThg1dYEnDWlkkQjMVWQvcJzfP1g25S98MuZ42E9R0nBxGzTrIaKS7kgNAriYDy8ib7Z3DUbajEGfvLLazCdHu3g9gE0dLewKcUTHaXwM=,iv:j8vS2Ej58HLf+CP9fe1rN+4UuniGlv/0M+Zzt3nlk5I=,tag:xn33GGm2knsIdH+EJ1zDcA==,type:str]",
		11	"pgp": [
		12	{
		13	"created_at": "2022-02-22T09:46:26Z",
		14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA1++YsCSiRkVGoVF6uvYeY7JjZjsdjAUwubCF3fLDtS8w\nHFSQltgrqkul1Ei1fUFQqFbSpMSfBQhk0kMH0Xuk5SoDd1lWumqTP9gaJj/CM+yz\n0l4BHiQ4Ktyc01f127Az36nQZGKdJvL9etQAceNtNM7Y4XkLQ78OXFJoERrf81s/\n4wm5za7xqEBE1oE0QWAelzyjBqxI1iCjDl3p6heUdhqlcvAifXgqAk0qxq/4T4FG\n=2Bwl\n-----END PGP MESSAGE-----\n",
		15	"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
		16	},
		17	{
		18	"created_at": "2022-02-22T09:46:26Z",
		19	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA4jg570qc5Zu3yAJPmjf11r20eYMyjAeEWw/RreZga3Uw\nmTy2jo/de11m3r/aIxp0Q/vFZ1m4JGeoIzIgQxGnhX0s0NpfCbCih0P7UMjZRatC\n0l4BCzWq7c0A2GbjPq+aKF2IYfQV5gdwjgCAJO3Oylb/SAltwnyGChANw4ckUCjV\n9DWYIcerMP2scxpjf5nJXpHNMjpGR7fcqS71PoVoJoActMqrG0deOMUSUEOVP8nR\n=+ux+\n-----END PGP MESSAGE-----\n",
		20	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
		21	}
		22	],
		23	"unencrypted_suffix": "_unencrypted",
		24	"version": "3.7.1"
		25	}
		26	} \ No newline at end of file