summaryrefslogtreecommitdiff
path: root/hosts/surtr
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/surtr')
-rw-r--r--hosts/surtr/default.nix126
-rw-r--r--hosts/surtr/dns/default.nix92
-rw-r--r--hosts/surtr/dns/zones/email.nights.soa38
-rw-r--r--hosts/surtr/dns/zones/li.141.soa50
-rw-r--r--hosts/surtr/dns/zones/li.kleen.soa40
-rw-r--r--hosts/surtr/dns/zones/li.xmpp.soa40
-rw-r--r--hosts/surtr/dns/zones/li.yggdrasil.soa58
-rw-r--r--hosts/surtr/dns/zones/org.dirty-haskell.soa32
-rw-r--r--hosts/surtr/dns/zones/org.praseodym.soa45
-rw-r--r--hosts/surtr/dns/zones/org.rheperire.soa25
-rw-r--r--hosts/surtr/tls.nix70
-rw-r--r--hosts/surtr/zfs.nix101
12 files changed, 717 insertions, 0 deletions
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
new file mode 100644
index 00000000..72ed81ae
--- /dev/null
+++ b/hosts/surtr/default.nix
@@ -0,0 +1,126 @@
1{ flake, pkgs, lib, ... }:
2{
3 imports = with flake.nixosModules.systemProfiles; [
4 qemu-guest openssh rebuild-machines ./zfs.nix ./dns ./tls.nix
5 ];
6
7 config = {
8 nixpkgs = {
9 system = "x86_64-linux";
10 };
11
12 networking.hostId = "a64cf4d7";
13 environment.etc."machine-id".text = "a64cf4d793ab0a0ed3892ead609fc0bc";
14
15 boot = {
16 loader.grub = {
17 enable = true;
18 version = 2;
19 device = "/dev/vda";
20 };
21
22 kernelPackages = pkgs.linuxPackages_latest;
23
24 tmpOnTmpfs = true;
25
26 supportedFilesystems = [ "zfs" ];
27 zfs = {
28 enableUnstable = true;
29 devNodes = "/dev"; # /dev/vda2 does not show up in /dev/disk/by-id
30 };
31
32 kernelModules = ["ptp_kvm"];
33 };
34
35 fileSystems = {
36 "/" = {
37 fsType = "tmpfs";
38 options = [ "mode=0755" ];
39 };
40
41 "/boot" =
42 { device = "/dev/disk/by-label/boot";
43 fsType = "vfat";
44 };
45 };
46
47 networking = {
48 hostName = "surtr";
49 domain = "muspelheim.yggdrasil";
50 search = [ "muspelheim.yggdrasil" "yggdrasil" ];
51
52 enableIPv6 = true;
53 dhcpcd.enable = false;
54 useDHCP = false;
55 useNetworkd = true;
56 defaultGateway = { address = "202.61.240.1"; };
57 defaultGateway6 = { address = "fe80::1"; };
58 interfaces."ens3" = {
59 ipv4.addresses = [
60 { address = "202.61.241.61"; prefixLength = 22; }
61 ];
62 ipv6.addresses = [
63 { address = "2a03:4000:52:ada::"; prefixLength = 64; }
64 ];
65 };
66
67 firewall = {
68 enable = true;
69 allowPing = true;
70 allowedTCPPorts = [
71 22 # ssh
72 ];
73 allowedUDPPortRanges = [
74 { from = 60000; to = 61000; } # mosh
75 ];
76 };
77 };
78
79 systemd.network.networks."40-ens3".networkConfig = {
80 Domains = lib.mkForce "~.";
81 DNS = [ "46.38.225.230" "46.38.252.230" "2a03:4000:0:1::e1e6" "2a03:4000:8000::fce6" ];
82 };
83
84 services.timesyncd.enable = false;
85 services.chrony = {
86 enable = true;
87 servers = [];
88 extraConfig = ''
89 pool time.cloudflare.com iburst nts
90 pool nts.ntp.se iburst nts
91 server nts.sth1.ntp.se iburst nts
92 server nts.sth2.ntp.se iburst nts
93 server ptbtime1.ptb.de iburst nts
94 server ptbtime2.ptb.de iburst nts
95 server ptbtime3.ptb.de iburst nts
96
97 refclock PHC /dev/ptp_kvm poll 2 dpoll -2 offset 0 stratum 3
98
99 makestep 0.1 3
100
101 cmdport 0
102 '';
103 };
104
105 services.openssh = {
106 enable = true;
107 passwordAuthentication = false;
108 challengeResponseAuthentication = false;
109 extraConfig = ''
110 AllowGroups ssh
111 '';
112 };
113 users.groups."ssh" = {
114 members = ["root"];
115 };
116
117 security.sudo.extraConfig = ''
118 Defaults lecture = never
119 '';
120
121 nix.gc = {
122 automatic = true;
123 options = "--delete-older-than 30d";
124 };
125 };
126}
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
new file mode 100644
index 00000000..ce909b72
--- /dev/null
+++ b/hosts/surtr/dns/default.nix
@@ -0,0 +1,92 @@
1{...}:
2{
3 config = {
4 fileSystems."/var/lib/knot" =
5 { device = "surtr/safe/var-lib-knot";
6 fsType = "zfs";
7 };
8
9 systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
10
11 networking.firewall = {
12 allowedTCPPorts = [
13 53 # DNS
14 ];
15 allowedUDPPorts = [
16 53 # DNS
17 ];
18 };
19
20 services.knot = {
21 enable = true;
22 extraConfig = ''
23 server:
24 listen: 127.0.0.1@53
25 listen: ::1@53
26 listen: 202.61.241.61@53
27 listen: 2a03:4000:52:ada::@53
28
29 remote:
30 - id: inwx_notify
31 address: 185.181.104.96@53
32
33 acl:
34 - id: inwx_acl
35 address: 185.181.104.96
36 action: transfer
37
38 template:
39 - id: inwx_zone
40 storage: /var/lib/knot
41 zonefile-sync: -1
42 zonefile-load: difference-no-serial
43 serial-policy: dateserial
44 journal-content: all
45 semantic-checks: on
46 dnssec-signing: on
47 notify: [inwx_notify]
48 acl: [inwx_acl]
49
50 policy:
51 - id: rsa
52 algorithm: rsasha256
53 ksk-size: 4096
54 zsk-size: 2048
55 zsk-lifetime: 30d
56
57 zone:
58 - domain: yggdrasil.li
59 template: inwx_zone
60 file: ${./zones/li.yggdrasil.soa}
61
62 - domain: nights.email
63 template: inwx_zone
64 file: ${./zones/email.nights.soa}
65
66 - domain: 141.li
67 template: inwx_zone
68 file: ${./zones/li.141.soa}
69
70 - domain: kleen.li
71 template: inwx_zone
72 file: ${./zones/li.kleen.soa}
73
74 - domain: xmpp.li
75 template: inwx_zone
76 file: ${./zones/li.xmpp.soa}
77
78 - domain: dirty-haskell.org
79 template: inwx_zone
80 file: ${./zones/org.dirty-haskell.soa}
81
82 - domain: praseodym.org
83 template: inwx_zone
84 file: ${./zones/org.praseodym.soa}
85
86 - domain: rheperire.org
87 template: inwx_zone
88 file: ${./zones/org.rheperire.soa}
89 '';
90 };
91 };
92}
diff --git a/hosts/surtr/dns/zones/email.nights.soa b/hosts/surtr/dns/zones/email.nights.soa
new file mode 100644
index 00000000..e0589dd3
--- /dev/null
+++ b/hosts/surtr/dns/zones/email.nights.soa
@@ -0,0 +1,38 @@
1$ORIGIN nights.email.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053002 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15@ IN A 188.68.51.254
16@ IN AAAA 2a03:4000:6:d004::
17@ IN MX 0 ymir.yggdrasil.li.
18@ IN TXT "v=spf1 redirect=yggdrasil.li"
19
20* IN A 188.68.51.254
21* IN AAAA 2a03:4000:6:d004::
22* IN MX 0 ymir.yggdrasil.li.
23* IN TXT "v=spf1 redirect=yggdrasil.li"
24
25_acme-challenge 30 IN TXT ""
26
27ymir._domainkey IN TXT (
28 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
29 "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
30 "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
31)
32
33_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
34_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.
35
36_submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li.
37_imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li.
38_imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa
new file mode 100644
index 00000000..6f974439
--- /dev/null
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -0,0 +1,50 @@
1$ORIGIN 141.li.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053001 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15@ IN A 188.68.51.254
16@ IN AAAA 2a03:4000:6:d004::
17@ IN MX 0 ymir.yggdrasil.li.
18@ IN TXT "v=spf1 redirect=yggdrasil.li"
19
20* IN A 188.68.51.254
21* IN AAAA 2a03:4000:6:d004::
22* IN MX 0 ymir.yggdrasil.li.
23* IN TXT "v=spf1 redirect=yggdrasil.li"
24
25surtr IN A 202.61.241.61
26surtr IN AAAA 2a03:4000:52:ada::
27surtr IN MX 0 ymir.yggdrasil.li
28surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
29
30ymir IN A 188.68.51.254
31ymir IN AAAA 2a03:4000:6:d004::
32ymir IN MX 0 ymir.yggdrasil.li
33ymir IN TXT "v=spf1 redirect=ymir.yggdrasil.li"
34
35_acme-challenge 30 IN TXT ""
36
37ymir._domainkey IN TXT (
38 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
39 "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
40 "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
41)
42
43_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
44_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.
45
46_infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li.
47
48_submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li.
49_imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li.
50_imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.kleen.soa b/hosts/surtr/dns/zones/li.kleen.soa
new file mode 100644
index 00000000..5a3d2a11
--- /dev/null
+++ b/hosts/surtr/dns/zones/li.kleen.soa
@@ -0,0 +1,40 @@
1$ORIGIN kleen.li.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053001 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15@ IN A 188.68.51.254
16@ IN AAAA 2a03:4000:6:d004::
17@ IN MX 0 ymir.yggdrasil.li.
18@ IN TXT "v=spf1 redirect=yggdrasil.li"
19
20* IN A 188.68.51.254
21* IN AAAA 2a03:4000:6:d004::
22* IN MX 0 ymir.yggdrasil.li.
23* IN TXT "v=spf1 redirect=yggdrasil.li"
24
25_acme-challenge 30 IN TXT ""
26
27ymir._domainkey IN TXT (
28 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
29 "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
30 "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
31)
32
33_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
34_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.
35
36_infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li.
37
38_submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li.
39_imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li.
40_imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.xmpp.soa b/hosts/surtr/dns/zones/li.xmpp.soa
new file mode 100644
index 00000000..b123f4a5
--- /dev/null
+++ b/hosts/surtr/dns/zones/li.xmpp.soa
@@ -0,0 +1,40 @@
1$ORIGIN xmpp.li.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053001 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15@ IN A 188.68.51.254
16@ IN AAAA 2a03:4000:6:d004::
17@ IN MX 0 ymir.yggdrasil.li.
18@ IN TXT "v=spf1 redirect=yggdrasil.li"
19
20* IN A 188.68.51.254
21* IN AAAA 2a03:4000:6:d004::
22* IN MX 0 ymir.yggdrasil.li.
23* IN TXT "v=spf1 redirect=yggdrasil.li"
24
25_acme-challenge 30 IN TXT ""
26
27ymir._domainkey IN TXT (
28 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
29 "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
30 "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
31)
32
33_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
34_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.
35
36_infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li.
37
38_submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li.
39_imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li.
40_imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
new file mode 100644
index 00000000..a9b87b76
--- /dev/null
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -0,0 +1,58 @@
1$ORIGIN yggdrasil.li.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053000 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15ns IN A 202.61.241.61
16ns IN AAAA 2a03:4000:52:ada::
17
18@ IN A 188.68.51.254
19@ IN AAAA 2a03:4000:6:d004::
20@ IN MX 0 ymir.yggdrasil.li.
21@ IN TXT "v=spf1 a:mailout.yggdrasil.li -all"
22
23* IN A 188.68.51.254
24* IN AAAA 2a03:4000:6:d004::
25* IN MX 0 ymir.yggdrasil.li.
26* IN TXT "v=spf1 redirect=yggdrasil.li"
27
28ymir IN A 188.68.51.254
29ymir IN AAAA 2a03:4000:6:d004::
30ymir IN MX 0 ymir.yggdrasil.li.
31ymir IN TXT "v=spf1 redirect=yggdrasil.li"
32
33surtr IN A 202.61.241.61
34surtr IN AAAA 2a03:4000:52:ada::
35surtr IN MX 0 ymir.yggdrasil.li
36surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
37
38mailout IN A 188.68.51.254
39mailout IN AAAA 2a03:4000:6:d004::
40mailout IN MX 0 ymir.yggdrasil.li
41mailout IN TXT "v=spf1 redirect=yggdrasil.li"
42
43_acme-challenge 30 IN TXT ""
44
45ymir._domainkey IN TXT (
46 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
47 "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
48 "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
49)
50
51_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
52_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.
53
54_infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li.
55
56_submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li.
57_imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li.
58_imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/org.dirty-haskell.soa b/hosts/surtr/dns/zones/org.dirty-haskell.soa
new file mode 100644
index 00000000..74aed5fd
--- /dev/null
+++ b/hosts/surtr/dns/zones/org.dirty-haskell.soa
@@ -0,0 +1,32 @@
1$ORIGIN dirty-haskell.org.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053001 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15
16@ IN A 188.68.51.254
17@ IN AAAA 2a03:4000:6:d004::
18@ IN MX 10 ymir.yggdrasil.li.
19@ IN TXT "v=spf1 redirect=yggdrasil.li"
20
21* IN A 188.68.51.254
22* IN AAAA 2a03:4000:6:d004::
23* IN MX 0 ymir.yggdrasil.li.
24* IN TXT "v=spf1 redirect=yggdrasil.li"
25
26_acme-challenge 30 IN TXT ""
27
28ymir._domainkey IN TXT (
29 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
30 "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
31 "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
32)
diff --git a/hosts/surtr/dns/zones/org.praseodym.soa b/hosts/surtr/dns/zones/org.praseodym.soa
new file mode 100644
index 00000000..6f2c676f
--- /dev/null
+++ b/hosts/surtr/dns/zones/org.praseodym.soa
@@ -0,0 +1,45 @@
1$ORIGIN praseodym.org.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053000 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15@ IN A 188.68.51.254
16@ IN AAAA 2a03:4000:6:d004::
17@ IN MX 0 ymir.yggdrasil.li.
18@ IN TXT "v=spf1 redirect=yggdrasil.li"
19
20* IN A 188.68.51.254
21* IN AAAA 2a03:4000:6:d004::
22* IN MX 0 ymir.yggdrasil.li.
23* IN TXT "v=spf1 redirect=yggdrasil.li"
24
25surtr IN A 202.61.241.61
26surtr IN AAAA 2a03:4000:52:ada::
27surtr IN MX 0 ymir.yggdrasil.li
28surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
29
30_acme-challenge 30 IN TXT ""
31
32ymir._domainkey IN TXT (
33 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
34 "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
35 "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
36)
37
38_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
39_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.
40
41_infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li.
42
43_submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li.
44_imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li.
45_imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/org.rheperire.soa b/hosts/surtr/dns/zones/org.rheperire.soa
new file mode 100644
index 00000000..43b1e862
--- /dev/null
+++ b/hosts/surtr/dns/zones/org.rheperire.soa
@@ -0,0 +1,25 @@
1$ORIGIN rheperire.org.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053010 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15@ IN A 188.68.51.254
16@ IN AAAA 2a03:4000:6:d004::
17@ IN MX 0 ymir.yggdrasil.li.
18@ IN TXT "v=spf1 redirect=yggdrasil.li"
19
20* IN A 188.68.51.254
21* IN AAAA 2a03:4000:6:d004::
22* IN MX 0 ymir.yggdrasil.li.
23* IN TXT "v=spf1 redirect=yggdrasil.li"
24
25_acme-challenge 30 IN TXT ""
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
new file mode 100644
index 00000000..9581dd60
--- /dev/null
+++ b/hosts/surtr/tls.nix
@@ -0,0 +1,70 @@
1{ config, pkgs, ... }:
2let
3 knotCfg = config.services.knot;
4
5 knotDNSCredentials = zone: pkgs.writeText "lego-credentials" ''
6 EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
7 EXEC_PROPAGATION_TIMEOUT=300
8 EXEC_POLLING_INTERVAL=5
9 '';
10 knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
11 #!${pkgs.zsh}/bin/zsh -xe
12
13 mode=$1
14 fqdn=$2
15 challenge=$3
16
17 owner=''${fqdn%".${zone}."}
18
19 commited=
20 function abort() {
21 [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}"
22 }
23
24 ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}"
25 trap abort EXIT
26
27 case "''${mode}" in
28 present)
29 ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""'
30 ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}"
31 ;;
32 cleanup)
33 ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
34 ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""'
35 ;;
36 *)
37 exit 2
38 ;;
39 esac
40
41 ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
42 commited=yes
43 '';
44in {
45 config = {
46 fileSystems."/var/lib/acme" =
47 { device = "surtr/safe/var-lib-acme";
48 fsType = "zfs";
49 };
50
51 security.acme = {
52 server = "https://acme-staging-v02.api.letsencrypt.org/directory";
53
54 acceptTerms = true;
55 preliminarySelfsigned = false;
56 email = "phikeebaogobaegh@141.li";
57 certs = {
58 "rheperire.org" = {
59 domain = "rheperire.org";
60 extraDomainNames = [ "*.rheperire.org" ];
61 dnsProvider = "exec";
62 credentialsFile = knotDNSCredentials "rheperire.org";
63 dnsResolver = "1.1.1.1:53";
64 };
65 };
66 };
67
68 users.groups."knot".members = [ "acme" ];
69 };
70}
diff --git a/hosts/surtr/zfs.nix b/hosts/surtr/zfs.nix
new file mode 100644
index 00000000..3cbd0cf0
--- /dev/null
+++ b/hosts/surtr/zfs.nix
@@ -0,0 +1,101 @@
1{ pkgs, config, ... }:
2let
3 snapshotNames = ["frequent" "hourly" "daily" "monthly" "yearly"];
4 snapshotCount = {
5 frequent = 24;
6 hourly = 24;
7 daily = 30;
8 monthly = 12;
9 yearly = 5;
10 };
11 snapshotTimerConfig = {
12 frequent = { OnCalendar = "*:0/5 UTC"; Persistent = true; };
13 hourly = { OnCalendar = "hourly UTC"; Persistent = true; };
14 daily = { OnCalendar = "daily UTC"; Persistent = true; };
15 monthly = { OnCalendar = "monthly UTC"; Persistent = true; };
16 yearly = { OnCalendar = "yearly UTC"; Persistent = true; };
17 };
18 snapshotDescr = {
19 frequent = "few minutes";
20 hourly = "hour";
21 daily = "day";
22 monthly = "month";
23 yearly = "year";
24 };
25
26 zfs = config.boot.zfs.package;
27
28 autosnapPackage = pkgs.zfstools.override { inherit zfs; };
29in {
30 config = {
31 fileSystems = {
32 "/nix" =
33 { device = "surtr/local/nix";
34 fsType = "zfs";
35 };
36
37 "/root" =
38 { device = "surtr/safe/home-root";
39 fsType = "zfs";
40 neededForBoot = true;
41 };
42
43 "/var/lib/systemd" =
44 { device = "surtr/local/var-lib-systemd";
45 fsType = "zfs";
46 neededForBoot = true;
47 };
48
49 "/var/lib/nixos" =
50 { device = "surtr/local/var-lib-nixos";
51 fsType = "zfs";
52 neededForBoot = true;
53 };
54
55 "/var/log" =
56 { device = "surtr/local/var-log";
57 fsType = "zfs";
58 };
59
60 "/home" =
61 { device = "surtr/safe/home";
62 fsType = "zfs";
63 };
64 };
65
66 systemd.services =
67 let mkSnapService = snapName: {
68 name = "zfs-snapshot-${snapName}";
69 value = {
70 description = "ZFS auto-snapshot every ${snapshotDescr.${snapName}}";
71 after = [ "zfs-import.target" ];
72 serviceConfig = {
73 Type = "oneshot";
74 ExecStart = "${autosnapPackage}/bin/zfs-auto-snapshot -k -p -u ${snapName} ${toString snapshotCount.${snapName}}";
75 };
76 restartIfChanged = false;
77
78 preStart = ''
79 ${zfs}/bin/zfs set com.sun:auto-snapshot=true surtr/safe
80 '';
81 };
82 };
83 in builtins.listToAttrs (map mkSnapService snapshotNames);
84
85 systemd.timers =
86 let mkSnapTimer = snapName: {
87 name = "zfs-snapshot-${snapName}";
88 value = {
89 wantedBy = [ "timers.target" ];
90 timerConfig = snapshotTimerConfig.${snapName};
91 };
92 };
93 in builtins.listToAttrs (map mkSnapTimer snapshotNames);
94
95 services.zfs.trim.enable = false;
96 services.zfs.autoScrub = {
97 enable = true;
98 interval = "Sun *-*-1..7 04:00:00";
99 };
100 };
101}
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-11 17:02:51 +0000