4 files changed, 69 insertions, 2 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 2079585c..971de5e8 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -25,6 +25,7 @@ in {
      enable = true;
      keyFiles = [
        config.sops.secrets."rheperire.org_acme_key.yaml".path
+        config.sops.secrets."webdav.141.li_acme_key.yaml".path
        config.sops.secrets."knot_local_key.yaml".path
      ];
      extraConfig = ''
@@ -50,6 +51,9 @@ in {
          - id: rheperire.org_acme_acl
            key: rheperire.org_acme_key
            action: update
+          - id: webdav.141.li_acme_acl
+            key: webdav.141.li_acme_key
+            action: update
          - id: local_acl
            key: local_key
            action: update
@@ -130,7 +134,12 @@ in {
          - domain: 141.li
            template: inwx_zone
+            acl: [local_acl, inwx_acl]
            file: ${./zones/li.141.soa}
+          - domain: _acme-challenge.webdav.141.li
+            template: acme_zone
+            acl: [webdav.141.li_acme_acl]
+            file: ${acmeChallengeZonefile "webdav.141.li"}
          - domain: kleen.li
            template: inwx_zone
@@ -150,8 +159,8 @@ in {
          - domain: rheperire.org
            template: inwx_zone
-            file: ${./zones/org.rheperire.soa}
            acl: [local_acl, inwx_acl]
+            file: ${./zones/org.rheperire.soa}
          - domain: _acme-challenge.rheperire.org
            template: acme_zone
            acl: [rheperire.org_acme_acl]
@@ -165,6 +174,11 @@ in {
        owner = "knot";
        sopsFile = ./keys/rheperire.org_acme.yaml;
      };
+      "webdav.141.li_acme_key.yaml" = {
+        format = "binary";
+        owner = "knot";
+        sopsFile = ./keys/webdav.141.li_acme.yaml;
+      };
      "knot_local_key.yaml" = {
        format = "binary";
        owner = "knot";
diff --git a/hosts/surtr/dns/keys/webdav.141.li_acme.yaml b/hosts/surtr/dns/keys/webdav.141.li_acme.yaml
new file mode 100644
index 00000000..b0f05df6
--- /dev/null
+++ b/hosts/surtr/dns/keys/webdav.141.li_acme.yaml
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:WNZ6BAzz5b0mnr2XqVQM82NFuQJz3bBK76DmnA/xvFPLvAmN4tCDzcu4NrdihcpQZ9J5ZiiIynJH1RBB/hd9ut+e/ByHv954XW3o/Ml5gb1Nl6zkCSAb3uxnjTlf5dm9ROWzx+NBLvIt8DELMYuV/NRtRq6w3ZCWbEp/I3N/r/VPhIw7PkagI9QWNkXp0l2qBml/xwxO2HnZxE7WXtphpOfNZtBuWPF49gO2UeVHrsAfxVgtGNmY9IjBExSQDThDJmo8nFUvrLVydQ==,iv:MQHy1Hi2kASjm684tL3JT5xcdc4mrTWjJWCB4adl1Uk=,tag:IzUtLbMoeRu/Km7o3RTxbg==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-02-22T12:22:44Z",
+                "mac": "ENC[AES256_GCM,data:tGfEoG8C+zqkBRtfaCNrmuR6dG8kmaRexM6szkSmOsFVgzl3wGsPmVai4rFhgXsozOmt2Lchc01uRqERA+HIkkaMFdVDLWzMEGytEeE1s1JYCVNEc/RmjgeKqxwHuAv5cFGn8ZNZ9JKMF566wUFjjWM/AQffNYCdtSni8tV6eWg=,iv:qoyig97CBgl9X9Z6qbKunu8fvbiiW4uRtErM8nrb9MM=,tag:zFuAbP7ZsEgKGDOo9ACmrw==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-02-22T12:22:44Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAEvqLWBZvD3I4xE6W7MKPD9eDGyKa3hpXracLRTHT4hYw\nqy+itvTL207VL0fU8Ve+rmxFjEaMvowFgwWk7+p98thgtbCcUNTxIF4gH2HjSOWS\n0l4Bb3G2vvDhUv1i0AR5WohSdfi5eyQjvt8HqJQ/0hBBwIL4IEcWjpBE+rX/460S\n4gigrXHpgSKZ/i/Aselm6XZhB0jNUf3pZ3pnCQPJpyrLGnFXwCSqB6EaREKU+6BK\n=dSPd\n-----END PGP MESSAGE-----\n",
+                                "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+                        },
+                        {
+                                "created_at": "2022-02-22T12:22:44Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAWXk1C46X8TTkWhHfTMhgo1KnKlCl8A8lzsAo7mqnpzcw\ncoae53lNWGeoCSfOl5E2oSVCgZzEu5R9kC9aLRJgDushXZ56XtTUUF4ggCHogJqE\n0l4B942HOIlWHSlbfOs1/0R5QPnXC1OQ0E6XEVJmBgnUNB3EG473eCTJeabwlaq8\nNgFlL09go4ISjnlKDIgfQZGI9u1j0PyDJ3MtQTnb2j8kzfbcsGcpSLQRn7kzSsjO\n=x5xi\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
+\ No newline at end of file
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa
index 8c357b35..fbff1cad 100644
--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-  2022022102 ; serial
+  2022022200 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -31,6 +31,7 @@ surtr                   IN      MX      0 ymir.yggdrasil.li
 surtr                   IN      TXT     "v=spf1 redirect=yggdrasil.li"
 webdav                  IN      CNAME   surtr.yggdrasil.li.
+_acme-challenge.webdav  IN      NS      ns.yggdrasil.li.
 ymir                    IN      A       188.68.51.254
 ymir                    IN      AAAA    2a03:4000:6:d004::
diff --git a/hosts/surtr/tls/tsig_keys/webdav.141.li b/hosts/surtr/tls/tsig_keys/webdav.141.li
new file mode 100644
index 00000000..cb2e332e
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/webdav.141.li
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:Zi4zdvMqKiEp9CGCOdC+KjWsfOUw9wurx7zuOK5DijgnfMRfCEuTZVCs8Jhs,iv:bB13accgPvkWvN74FGhLRYOYyUSTxPgSHC4NIWTVjnU=,tag:rhxq0ME8B9wsMgJXpa0/qg==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-02-22T12:23:26Z",
+                "mac": "ENC[AES256_GCM,data:XwQKJBBJ3luAqk0S6auD7q+QLPwxG6Gnn/Aim5AJIO4FzgiluvuL8oNk4Ez/5Q/FVOtbMDKCQbwz+tgWJN6i2mlu8W4xR+bLOlGzcBQmnY5QIcmyRGDNhumrThoHtE+3agLwyVhWrvZmpeSruTRZ5n2EkGshOnSAi2SGZulVrPg=,iv:pInwne4YHzWd92gKgoNB0VBVMH7Hmu7q6LZMU8GO1yw=,tag:Y8J6cJommccQTR7guU4Rmw==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-02-22T12:23:26Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA0kfMkCzKUHK7Ox8TXe/Z+RNrU3yk8WNk5Gb0LKgc/iow\nQHecugi4Gk+ZEGLcko5MXPDXee9PDQDLGNCxLiRcClc4lLC/AgWNwfSL5j1Gw2Mg\n0l4BJGJq5dK5acKKuLjgmehIDEi2ZJZl2/Sgw3TymUZyc9Y6Xw8k2ouAidSQwyuh\n5pLkzGAOS9qeHedOR7BuZSHVkPzFeM2JE/bkQyVx2im4UBDYMw3sDc0VMsQgV8Gp\n=ZqOO\n-----END PGP MESSAGE-----\n",
+                                "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+                        },
+                        {
+                                "created_at": "2022-02-22T12:23:26Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA+tTfPKdULqJRo6n4UDMGJdH06I5iHTnNf0slTxfhp1cw\n0DUkmp715+saoXFTACUEiiiBv+8r7cLTb7qOWXcRq5LP7kAPwHZ5p++9vzePyQ84\n0l4ByVQ5Ywn0t2nyYKbnRktvg3Ea0XUErBVVg1+iGpnfVT6rcUroHqqpkb8KXfBL\nQ1Mg/pHXMCHlbjnVRG/zyO3Mu6mvWpLgw39j6S3jtAFhdEmTUXSd1tdZXYPKWpyT\n=1egy\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
+\ No newline at end of file

diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 2079585c..971de5e8 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix
@@ -25,6 +25,7 @@ in {
25	enable = true;	25	enable = true;
26	keyFiles = [	26	keyFiles = [
27	config.sops.secrets."rheperire.org_acme_key.yaml".path	27	config.sops.secrets."rheperire.org_acme_key.yaml".path
		28	config.sops.secrets."webdav.141.li_acme_key.yaml".path
28	config.sops.secrets."knot_local_key.yaml".path	29	config.sops.secrets."knot_local_key.yaml".path
29	];	30	];
30	extraConfig = ''	31	extraConfig = ''
@@ -50,6 +51,9 @@ in {
50	- id: rheperire.org_acme_acl	51	- id: rheperire.org_acme_acl
51	key: rheperire.org_acme_key	52	key: rheperire.org_acme_key
52	action: update	53	action: update
		54	- id: webdav.141.li_acme_acl
		55	key: webdav.141.li_acme_key
		56	action: update
53	- id: local_acl	57	- id: local_acl
54	key: local_key	58	key: local_key
55	action: update	59	action: update
@@ -130,7 +134,12 @@ in {
130		134
131	- domain: 141.li	135	- domain: 141.li
132	template: inwx_zone	136	template: inwx_zone
		137	acl: [local_acl, inwx_acl]
133	file: ${./zones/li.141.soa}	138	file: ${./zones/li.141.soa}
		139	- domain: _acme-challenge.webdav.141.li
		140	template: acme_zone
		141	acl: [webdav.141.li_acme_acl]
		142	file: ${acmeChallengeZonefile "webdav.141.li"}
134		143
135	- domain: kleen.li	144	- domain: kleen.li
136	template: inwx_zone	145	template: inwx_zone
@@ -150,8 +159,8 @@ in {
150		159
151	- domain: rheperire.org	160	- domain: rheperire.org
152	template: inwx_zone	161	template: inwx_zone
153	file: ${./zones/org.rheperire.soa}
154	acl: [local_acl, inwx_acl]	162	acl: [local_acl, inwx_acl]
		163	file: ${./zones/org.rheperire.soa}
155	- domain: _acme-challenge.rheperire.org	164	- domain: _acme-challenge.rheperire.org
156	template: acme_zone	165	template: acme_zone
157	acl: [rheperire.org_acme_acl]	166	acl: [rheperire.org_acme_acl]
@@ -165,6 +174,11 @@ in {
165	owner = "knot";	174	owner = "knot";
166	sopsFile = ./keys/rheperire.org_acme.yaml;	175	sopsFile = ./keys/rheperire.org_acme.yaml;
167	};	176	};
		177	"webdav.141.li_acme_key.yaml" = {
		178	format = "binary";
		179	owner = "knot";
		180	sopsFile = ./keys/webdav.141.li_acme.yaml;
		181	};
168	"knot_local_key.yaml" = {	182	"knot_local_key.yaml" = {
169	format = "binary";	183	format = "binary";
170	owner = "knot";	184	owner = "knot";


diff --git a/hosts/surtr/dns/keys/webdav.141.li_acme.yaml b/hosts/surtr/dns/keys/webdav.141.li_acme.yaml new file mode 100644 index 00000000..b0f05df6 --- /dev/null +++ b/hosts/surtr/dns/keys/webdav.141.li_acme.yaml
@@ -0,0 +1,26 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:WNZ6BAzz5b0mnr2XqVQM82NFuQJz3bBK76DmnA/xvFPLvAmN4tCDzcu4NrdihcpQZ9J5ZiiIynJH1RBB/hd9ut+e/ByHv954XW3o/Ml5gb1Nl6zkCSAb3uxnjTlf5dm9ROWzx+NBLvIt8DELMYuV/NRtRq6w3ZCWbEp/I3N/r/VPhIw7PkagI9QWNkXp0l2qBml/xwxO2HnZxE7WXtphpOfNZtBuWPF49gO2UeVHrsAfxVgtGNmY9IjBExSQDThDJmo8nFUvrLVydQ==,iv:MQHy1Hi2kASjm684tL3JT5xcdc4mrTWjJWCB4adl1Uk=,tag:IzUtLbMoeRu/Km7o3RTxbg==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": null,
		9	"lastmodified": "2022-02-22T12:22:44Z",
		10	"mac": "ENC[AES256_GCM,data:tGfEoG8C+zqkBRtfaCNrmuR6dG8kmaRexM6szkSmOsFVgzl3wGsPmVai4rFhgXsozOmt2Lchc01uRqERA+HIkkaMFdVDLWzMEGytEeE1s1JYCVNEc/RmjgeKqxwHuAv5cFGn8ZNZ9JKMF566wUFjjWM/AQffNYCdtSni8tV6eWg=,iv:qoyig97CBgl9X9Z6qbKunu8fvbiiW4uRtErM8nrb9MM=,tag:zFuAbP7ZsEgKGDOo9ACmrw==,type:str]",
		11	"pgp": [
		12	{
		13	"created_at": "2022-02-22T12:22:44Z",
		14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAEvqLWBZvD3I4xE6W7MKPD9eDGyKa3hpXracLRTHT4hYw\nqy+itvTL207VL0fU8Ve+rmxFjEaMvowFgwWk7+p98thgtbCcUNTxIF4gH2HjSOWS\n0l4Bb3G2vvDhUv1i0AR5WohSdfi5eyQjvt8HqJQ/0hBBwIL4IEcWjpBE+rX/460S\n4gigrXHpgSKZ/i/Aselm6XZhB0jNUf3pZ3pnCQPJpyrLGnFXwCSqB6EaREKU+6BK\n=dSPd\n-----END PGP MESSAGE-----\n",
		15	"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
		16	},
		17	{
		18	"created_at": "2022-02-22T12:22:44Z",
		19	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAWXk1C46X8TTkWhHfTMhgo1KnKlCl8A8lzsAo7mqnpzcw\ncoae53lNWGeoCSfOl5E2oSVCgZzEu5R9kC9aLRJgDushXZ56XtTUUF4ggCHogJqE\n0l4B942HOIlWHSlbfOs1/0R5QPnXC1OQ0E6XEVJmBgnUNB3EG473eCTJeabwlaq8\nNgFlL09go4ISjnlKDIgfQZGI9u1j0PyDJ3MtQTnb2j8kzfbcsGcpSLQRn7kzSsjO\n=x5xi\n-----END PGP MESSAGE-----\n",
		20	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
		21	}
		22	],
		23	"unencrypted_suffix": "_unencrypted",
		24	"version": "3.7.1"
		25	}
		26	} \ No newline at end of file


diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa index 8c357b35..fbff1cad 100644 --- a/hosts/surtr/dns/zones/li.141.soa +++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
1	$ORIGIN 141.li.	1	$ORIGIN 141.li.
2	$TTL 3600	2	$TTL 3600
3	@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (	3	@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4	2022022102 ; serial	4	2022022200 ; serial
5	10800 ; refresh	5	10800 ; refresh
6	3600 ; retry	6	3600 ; retry
7	604800 ; expire	7	604800 ; expire
@@ -31,6 +31,7 @@ surtr IN MX 0 ymir.yggdrasil.li
31	surtr IN TXT "v=spf1 redirect=yggdrasil.li"	31	surtr IN TXT "v=spf1 redirect=yggdrasil.li"
32		32
33	webdav IN CNAME surtr.yggdrasil.li.	33	webdav IN CNAME surtr.yggdrasil.li.
		34	_acme-challenge.webdav IN NS ns.yggdrasil.li.
34		35
35	ymir IN A 188.68.51.254	36	ymir IN A 188.68.51.254
36	ymir IN AAAA 2a03:4000:6:d004::	37	ymir IN AAAA 2a03:4000:6:d004::


diff --git a/hosts/surtr/tls/tsig_keys/webdav.141.li b/hosts/surtr/tls/tsig_keys/webdav.141.li new file mode 100644 index 00000000..cb2e332e --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/webdav.141.li
@@ -0,0 +1,26 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:Zi4zdvMqKiEp9CGCOdC+KjWsfOUw9wurx7zuOK5DijgnfMRfCEuTZVCs8Jhs,iv:bB13accgPvkWvN74FGhLRYOYyUSTxPgSHC4NIWTVjnU=,tag:rhxq0ME8B9wsMgJXpa0/qg==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": null,
		9	"lastmodified": "2022-02-22T12:23:26Z",
		10	"mac": "ENC[AES256_GCM,data:XwQKJBBJ3luAqk0S6auD7q+QLPwxG6Gnn/Aim5AJIO4FzgiluvuL8oNk4Ez/5Q/FVOtbMDKCQbwz+tgWJN6i2mlu8W4xR+bLOlGzcBQmnY5QIcmyRGDNhumrThoHtE+3agLwyVhWrvZmpeSruTRZ5n2EkGshOnSAi2SGZulVrPg=,iv:pInwne4YHzWd92gKgoNB0VBVMH7Hmu7q6LZMU8GO1yw=,tag:Y8J6cJommccQTR7guU4Rmw==,type:str]",
		11	"pgp": [
		12	{
		13	"created_at": "2022-02-22T12:23:26Z",
		14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA0kfMkCzKUHK7Ox8TXe/Z+RNrU3yk8WNk5Gb0LKgc/iow\nQHecugi4Gk+ZEGLcko5MXPDXee9PDQDLGNCxLiRcClc4lLC/AgWNwfSL5j1Gw2Mg\n0l4BJGJq5dK5acKKuLjgmehIDEi2ZJZl2/Sgw3TymUZyc9Y6Xw8k2ouAidSQwyuh\n5pLkzGAOS9qeHedOR7BuZSHVkPzFeM2JE/bkQyVx2im4UBDYMw3sDc0VMsQgV8Gp\n=ZqOO\n-----END PGP MESSAGE-----\n",
		15	"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
		16	},
		17	{
		18	"created_at": "2022-02-22T12:23:26Z",
		19	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA+tTfPKdULqJRo6n4UDMGJdH06I5iHTnNf0slTxfhp1cw\n0DUkmp715+saoXFTACUEiiiBv+8r7cLTb7qOWXcRq5LP7kAPwHZ5p++9vzePyQ84\n0l4ByVQ5Ywn0t2nyYKbnRktvg3Ea0XUErBVVg1+iGpnfVT6rcUroHqqpkb8KXfBL\nQ1Mg/pHXMCHlbjnVRG/zyO3Mu6mvWpLgw39j6S3jtAFhdEmTUXSd1tdZXYPKWpyT\n=1egy\n-----END PGP MESSAGE-----\n",
		20	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
		21	}
		22	],
		23	"unencrypted_suffix": "_unencrypted",
		24	"version": "3.7.1"
		25	}
		26	} \ No newline at end of file