Diffstat (limited to 'hosts')
-rw-r--r--hosts/sif/default.nix355
-rw-r--r--hosts/sif/hw.nix35
-rw-r--r--hosts/sif/mail/default.nix66
-rw-r--r--hosts/sif/mail/secrets.yaml33
-rw-r--r--hosts/sif/wacom.conf15
-rw-r--r--hosts/surtr/default.nix126
-rw-r--r--hosts/surtr/dns/default.nix92
-rw-r--r--hosts/surtr/dns/zones/email.nights.soa38
-rw-r--r--hosts/surtr/dns/zones/li.141.soa50
-rw-r--r--hosts/surtr/dns/zones/li.kleen.soa40
-rw-r--r--hosts/surtr/dns/zones/li.xmpp.soa40
-rw-r--r--hosts/surtr/dns/zones/li.yggdrasil.soa58
-rw-r--r--hosts/surtr/dns/zones/org.dirty-haskell.soa32
-rw-r--r--hosts/surtr/dns/zones/org.praseodym.soa45
-rw-r--r--hosts/surtr/dns/zones/org.rheperire.soa25
-rw-r--r--hosts/surtr/tls.nix70
-rw-r--r--hosts/surtr/zfs.nix101
17 files changed, 1221 insertions, 0 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
new file mode 100644
index 00000000..c0b7f50c
--- /dev/null
+++ b/hosts/sif/default.nix
@@ -0,0 +1,355 @@
1{ flake, pkgs, customUtils, lib, config, path, ... }:
2{
3 imports = with flake.nixosModules.systemProfiles; [
4 ./hw.nix
5 ./mail
6 initrd-all-crypto-modules default-locale openssh
7 ];
8
9 config = {
10 nixpkgs = {
11 system = "x86_64-linux";
12 config = {
13 allowUnfree = true;
14 };
15 };
16
17 boot = {
18 initrd = {
19 luks.devices = {
20 nvm0.device = "/dev/disk/by-uuid/fe641e81-0812-4181-a5f6-382ebba509bb";
21 nvm1.device = "/dev/disk/by-uuid/43df1ba8-1728-4193-8855-920a82d4494a";
22 };
23 availableKernelModules = [ "drbg" "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
24 kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ];
25 };
26
27 blacklistedKernelModules = [ "nouveau" ];
28
29 # Use the systemd-boot EFI boot loader.
30 loader = {
31 systemd-boot.enable = true;
32 efi.canTouchEfiVariables = true;
33 timeout = null;
34 };
35
36 plymouth.enable = true;
37
38 kernelPackages = pkgs.linuxPackages_latest;
39 kernelParams = [ "i915.fastboot=1" "intel_pstate=no_hwp" "acpi_backlight=vendor" "thinkpad-acpi.brightness_enable=1" "quiet" ];
40 extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
41 kernelModules = ["v4l2loopback"];
42
43 tmpOnTmpfs = true;
44 };
45
46 networking = {
47 domain = "midgard.yggdrasil";
48 hosts = {
49 "127.0.0.1" = [ "sif.midgard.yggdrasil" "sif" ];
50 "::1" = [ "sif.midgard.yggdrasil" "sif" ];
51 };
52
53 firewall = {
54 enable = true;
55 allowedTCPPorts = [ 22 # ssh
56 8000 # quickserve
57 ];
58 allowedUDPPorts = [ 8554 # gopro webcam
59 ];
60 };
61
62 networkmanager = {
63 enable = true;
64 dhcp = "internal";
65 dns = lib.mkForce "dnsmasq";
66 extraConfig = ''
67 [connectivity]
68 uri=https://online.yggdrasil.li
69 '';
70 };
71
72 wlanInterfaces = {
73 wlan0 = {
74 device = "wlp82s0";
75 };
76 };
77
78 bonds = {
79 "lan" = {
80 interfaces = [ "wlan0" "enp0s31f6" "dock0" ];
81 driverOptions = {
82 miimon = "1000";
83 mode = "active-backup";
84 primary_reselect = "always";
85 };
86 };
87 };
88
89 dhcpcd.enable = false;
90 useDHCP = false;
91 useNetworkd = true;
92
93 interfaces.yggdrasil = {
94 virtual = true;
95 virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
96 macAddress = "5c:93:21:c3:61:39";
97 };
98 };
99
100 systemd.services."NetworkManager-wait-online".enable = false;
101 systemd.services."systemd-networkd-wait-online".enable = false;
102
103 environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = {
104 text = ''
105 server=/sif.libvirt/192.168.122.1
106 '';
107 };
108
109 services.openssh.enable = true;
110
111 powerManagement = {
112 enable = true;
113
114 cpuFreqGovernor = "schedutil";
115 };
116
117 environment.systemPackages = with pkgs; [
118 nvtop brightnessctl config.boot.kernelPackages.v4l2loopback s-tui
119 ];
120
121 services = {
122 tinc.yggdrasil.enable = true;
123
124 uucp = {
125 enable = true;
126 nodeName = "sif";
127 remoteNodes = {
128 "ymir" = {
129 publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
130 hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
131 };
132 };
133
134 defaultCommands = lib.mkForce [];
135 };
136
137 avahi.enable = true;
138
139 fwupd.enable = true;
140
141 fprintd.enable = true;
142
143 blueman.enable = true;
144
145 colord.enable = true;
146
147 vnstat.enable = true;
148
149 logind = {
150 lidSwitch = "suspend";
151 lidSwitchDocked = "lock";
152 lidSwitchExternalPower = "lock";
153 };
154
155 atd = {
156 enable = true;
157 allowEveryone = true;
158 };
159
160 xserver = {
161 enable = true;
162
163 layout = "us";
164 xkbVariant = "dvp";
165 xkbOptions = "compose:caps";
166
167 displayManager.lightdm = {
168 enable = true;
169 greeters.gtk = {
170 clock-format = "%H:%M %a %b %_d";
171 indicators = ["~host" "~spacer" "~clock" "~session" "~power"];
172 theme = {
173 package = pkgs.equilux-theme;
174 name = "Equilux-compact";
175 };
176 iconTheme = {
177 package = pkgs.paper-icon-theme;
178 name = "Paper";
179 };
180 extraConfig = ''
181 background = #000000
182 user-background = false
183 active-monitor = #cursor
184 hide-user-image = true
185
186 [monitor: DP-2]
187 laptop = true
188 '';
189 };
190 };
191
192 displayManager.setupCommands = ''
193 ${pkgs.xorg.xinput}/bin/xinput disable 'SynPS/2 Synaptics TouchPad'
194 '';
195
196 desktopManager.xterm.enable = true;
197 windowManager.twm.enable = true;
198 displayManager.defaultSession = "xterm+twm";
199
200 wacom.enable = true;
201 libinput.enable = true;
202
203 dpi = 282;
204
205 videoDrivers = [ "nvidia" ];
206
207 screenSection = ''
208 Option "metamodes" "nvidia-auto-select +0+0 { ForceCompositionPipeline = On }"
209 '';
210
211 deviceSection = ''
212 Option "AccelMethod" "SNA"
213 Option "TearFree" "True"
214 '';
215
216 exportConfiguration = true;
217 };
218 };
219
220 users = {
221 users.gkleen.extraGroups = [ "media" ];
222 groups.media = {};
223 };
224
225 hardware = {
226 pulseaudio = {
227 enable = true;
228 package = with pkgs; pulseaudioFull;
229 support32Bit = true;
230 };
231
232 bluetooth = {
233 enable = true;
234 settings = {
235 General = {
236 Enable = "Source,Sink,Media,Socket";
237 };
238 };
239 };
240
241 trackpoint = {
242 enable = true;
243 emulateWheel = true;
244 sensitivity = 255;
245 speed = 255;
246 };
247
248 nvidia = {
249 modesetting.enable = true;
250 prime = {
251 nvidiaBusId = "PCI:1:0:0";
252 intelBusId = "PCI:0:2:0";
253 sync.enable = true;
254 };
255 };
256
257 opengl = {
258 enable = true;
259 driSupport32Bit = true;
260 setLdLibraryPath = true;
261 };
262
263 firmware = [ pkgs.firmwareLinuxNonfree ];
264 };
265
266 sound.enable = true;
267
268 nix = {
269 autoOptimiseStore = true;
270 daemonNiceLevel = 10;
271 daemonIONiceLevel = 3;
272 };
273
274 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
275
276 systemd.services."ac-plugged" = {
277 description = "Inhibit handling of lid-switch and sleep";
278
279 path = with pkgs; [ systemd coreutils ];
280
281 script = ''
282 exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity
283 '';
284
285 serviceConfig = {
286 Type = "simple";
287 };
288 };
289
290 services.udev.extraRules = with pkgs; lib.mkAfter ''
291 SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
292 SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
293 ACTION=="add", SUBSYSTEM=="net", DEVTYPE!="?*", ATTR{address}=="3c:e1:a1:b9:cd:e5", NAME="dock0"
294 '';
295
296 services.borgbackup = {
297 snapshots = "btrfs";
298 prefix = "yggdrasil.midgard.sif.";
299 targets = {
300 "munin" = {
301 repo = "borg.munin:borg";
302 paths = [ "/home/gkleen" ];
303 prune = {
304 "home" =
305 [ "--keep-within" "24H"
306 "--keep-daily" "31"
307 "--keep-monthly" "12"
308 "--keep-yearly" "-1"
309 ];
310 };
311 keyFile = "/run/secrets/borg-repokey--borg_munin__borg";
312 };
313 };
314 };
315 sops.secrets.borg-repokey--borg_munin__borg = {
316 sopsFile = /. + path + "/modules/borgbackup/repokeys/borg_munin__borg.yaml";
317 key = "key";
318 };
319
320 services.btrfs.autoScrub = {
321 enable = true;
322 fileSystems = [ "/" "/home" ];
323 interval = "weekly";
324 };
325
326 systemd.services."nix-daemon".serviceConfig = {
327 MemoryAccounting = true;
328 MemoryHigh = "50%";
329 MemoryMax = "75%";
330 };
331
332 services.journald.extraConfig = ''
333 SystemMaxUse=100M
334 '';
335
336 services.dbus.packages = with pkgs;
337 [ dbus gnome3.dconf
338 ];
339
340 programs = {
341 light.enable = true;
342 wireshark.enable = true;
343 };
344
345 virtualisation.libvirtd = {
346 enable = true;
347 };
348
349 zramSwap.enable = true;
350
351 services.pcscd.enable = true;
352
353 system.stateVersion = "20.03";
354 };
355}
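Review bot: The firewall lists at lines 55–59 open TCP 8000 (quickserve) and UDP 8554 (gopro webcam) on every interface, so these ad-hoc tools stay permanently reachable from any network the `lan` bond (wlan0, enp0s31f6, dock0) joins, not just while they are in use. If they are only ever served on a trusted segment, scope them to that interface, e.g. `networking.firewall.interfaces.yggdrasil.allowedTCPPorts = [ 8000 ];` (substituting the interface they are actually used on), and leave the global list at `[ 22 ]`. Separately, `services.openssh.enable = true` at line 109 sets neither `passwordAuthentication` nor `permitRootLogin`, unlike hosts/surtr/default.nix in the same commit; the imported `openssh` system profile presumably hardens this, but it is worth confirming since port 22 is open on the same bond.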
diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix
new file mode 100644
index 00000000..92afb7c9
--- /dev/null
+++ b/hosts/sif/hw.nix
@@ -0,0 +1,35 @@
1{ config, lib, pkgs, ... }:
2
3{
4 fileSystems."/" =
5 { device = "/dev/disk/by-uuid/f094bf06-66f9-40a8-9ab2-2b54d05223d2";
6 fsType = "btrfs";
7 };
8
9 fileSystems."/boot" =
10 { device = "/dev/disk/by-uuid/B3A2-D029";
11 fsType = "vfat";
12 };
13
14 fileSystems."/home" =
15 { device = "/dev/disk/by-uuid/9e932072-3c56-4a9c-8da7-3163d2a8bf28";
16 fsType = "btrfs";
17 };
18
19 fileSystems."/var/media" =
20 { device = "/dev/disk/by-uuid/437eca70-d017-4d52-a1fa-2f4c7a87f096";
21 fsType = "btrfs";
22 };
23
24 swapDevices =
25 [ { device = "/dev/disk/by-uuid/50f3f856-cc17-4614-846a-34a14d5006ec"; }
26 ];
27
28 nix.maxJobs = 12;
29 # High-DPI console
30 console.font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
31
32 hardware.cpu.intel.updateMicrocode = true;
33
34 hardware.enableRedistributableFirmware = true;
35}
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
new file mode 100644
index 00000000..29bfb4f1
--- /dev/null
+++ b/hosts/sif/mail/default.nix
@@ -0,0 +1,66 @@
1{ config, pkgs, ... }:
2{
3 services.postfix = {
4 enable = true;
5 enableSmtp = true;
6 enableSubmission = false;
7 setSendmail = true;
8 networksStyle = "host";
9 hostname = "sif.midgard.yggdrasil";
10 destination = [];
11 relayHost = "uucp:ymir";
12 recipientDelimiter = "+";
13 masterConfig = {
14 uucp = {
15 type = "unix";
16 private = true;
17 privileged = true;
18 chroot = false;
19 command = "pipe";
20 args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
21 };
22 };
23 transport = ''
24 odin.asgard.yggdrasil uucp:odin
25 '';
26 config = {
27 always_bcc = "gkleen+sent@odin.asgard.yggdrasil";
28
29 default_transport = "uucp:ymir";
30
31 inet_interfaces = "loopback-only";
32
33 authorized_submit_users = ["!uucp" "static:anyone"];
34 message_size_limit = "0";
35
36 sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
37 /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
38 /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
39 /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
40 ''}'';
41 sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
42 /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
43 /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
44 ''}'';
45
46 smtp_sasl_auth_enable = true;
47 smtp_sender_dependent_authentication = true;
48 smtp_sasl_tls_security_options = "noanonymous";
49 smtp_sasl_mechanism_filter = ["plain"];
50 smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
51 smtp_cname_overrides_servername = false;
52 smtp_always_send_ehlo = true;
53 smtp_tls_security_level = "dane";
54
55 smtp_tls_loglevel = "1";
56 smtp_dns_support_level = "dnssec";
57 };
58 };
59
60 sops.secrets.postfix-sasl-passwd = {
61 key = "sasl-passwd";
62 path = "/var/db/postfix/sasl_passwd";
63 owner = "postfix";
64 sopsFile = ./secrets.yaml;
65 };
66}
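Review bot: `smtp_tls_security_level = "dane"` at line 53 mandates TLS only for next-hops that publish TLSA records; for any of the three authenticated relays in `sender_relay` (lines 37–39) that do not, the effective level degrades to opportunistic `may`, and a stripped STARTTLS then leaves the PLAIN credentials from `/var/db/postfix/sasl_passwd` protected only by Postfix's default `smtp_sasl_security_options = noplaintext, noanonymous`, which this file does not set explicitly. Whether those relays have TLSA records is not visible in this diff. Pinning the policy per destination states the intent and fails closed regardless of DNS, e.g. `smtp_tls_policy_maps = "inline:{smtp.ifi.lmu.de=encrypt, smtpin1.ifi.lmu.de=encrypt, postout.lrz.de=encrypt}";` next to line 53, using `secure` instead of `encrypt` once verification against the system CA bundle is confirmed to be configured.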
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/mail/secrets.yaml
new file mode 100644
index 00000000..06a2ad40
--- /dev/null
+++ b/hosts/sif/mail/secrets.yaml
@@ -0,0 +1,33 @@
1sasl-passwd: ENC[AES256_GCM,data:S81uICROGm/E0TC3xJyPXbVLjOO+PsRyJBoWINFZGzeh8F0nXx1ewiiSXtNl9trTbxlSgf5jnBvtbyd75N0OcyqBf0db5tJtvU42DO5I4qFo4R67FzpKzKWMF4AJuFGP1aKkPsPIc41WTfLemKCfbEhVfQj9qEFLR9TC8iqzSZa0bztCuLoKi0vrAO/4JZnzUe3n7FXy+ER6oYK9JoKwaXc9KYdwQC3QYCby2iSq+GvRs7FL4x6/Zr8FzVCXHYMaW/Qg9dCn/g2NnEnOsH0pEASuKRPJKh8x5dtQg9v3jRK6NIDjEkXeuBnSOaeQiAcYc784foIlI7Q=,iv:zCsYZtU51zJR9XqaCvMtc5aGZwSccIrPzhznubEoEjo=,tag:0/v4Cp/0xLrfEX7H953bOA==,type:str]
2sops:
3 kms: []
4 gcp_kms: []
5 azure_kv: []
6 hc_vault: []
7 lastmodified: '2021-01-18T09:46:15Z'
8 mac: ENC[AES256_GCM,data:Idvsviv6CGibT+s7TSYUNmYO6gELqahJq33+k8YQhhwDKC6+s3Wqjq3xDkVjPcgq32GQolzmv20s93vQSHVuTKcH9jpXmIlwVZmZFFV7ejuA3QScOqqNNynh1m1ba/eZCGgIZiSlRuv7wqs7wz2uHN9eY3prsDkG1vxpc7UC18g=,iv:S9S/N3vW2TXcNYsc/w+3pDJT+BOQaAw8vgqYwRUtbU4=,tag:jPRXDzy29ewkq/Nzcayfnw==,type:str]
9 pgp:
10 - created_at: '2021-01-02T19:29:14Z'
11 enc: |
12 -----BEGIN PGP MESSAGE-----
13
14 hF4Dgwm4NZSaLAcSAQdAE/883Tbc7WXuzOxjm5jVrOSbnYe+BEg75ijtZP2L3UMw
15 4mhqzy576jEQLPGrnMpX2zA2MwFAwGnMwC98sQ4vVTp/xgNQ0VHHNM4GnTi6VoUb
16 0l4BLgQrT6p2ul69ADecadWJsGm6roqMHrpNGZeeczDLOBIzrrwN4sL92jQiEPw9
17 Ih+EXJpJ1K4NouU1VRsfQPqJ6y+i295TnEgunlJeYc/MNQgBT4ABiPZgUZXnkhxl
18 =7rOv
19 -----END PGP MESSAGE-----
20 fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
21 - created_at: '2021-01-02T19:29:14Z'
22 enc: |
23 -----BEGIN PGP MESSAGE-----
24
25 hF4DXxoViZlp6dISAQdAGifJ6qk40VdF/WKaYa9v97PdSVkPvHZt+j0G8+ZDJSEw
26 8XC1622ElTWRCZ2bjUwMF77DMgMy3rEr8B7Bj6MnEzDd/Af63Np1cO+7juybxqhz
27 0l4BO6uZ+gCvKg45jWX0GE6ZBkoUTvh24djTngHFyIHDnpCxSB6s+jcYR9otco2F
28 ++E2pcoQR4GuOeyYa/8UsW+RzKWpCfskYbSIt4gAXyCt8ua1y5Rw0DEVdw91uJNC
29 =E/qh
30 -----END PGP MESSAGE-----
31 fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
32 unencrypted_suffix: _unencrypted
33 version: 3.6.1
diff --git a/hosts/sif/wacom.conf b/hosts/sif/wacom.conf
new file mode 100644
index 00000000..864409f1
--- /dev/null
+++ b/hosts/sif/wacom.conf
@@ -0,0 +1,15 @@
1Section "InputClass"
2 Identifier "Wacom USB device class"
3 MatchUSBID "056a:*"
4 MatchDevicePath "/dev/input/event*"
5 Driver "wacom"
6EndSection
7
8Section "InputClass"
9 Identifier "calibration"
10 MatchProduct "Wacom USB device class"
11 Option "MinX" "58"
12 Option "MaxX" "30982"
13 Option "MinY" "87"
14 Option "MaxY" "17328"
15EndSection \ No newline at end of file
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
new file mode 100644
index 00000000..72ed81ae
--- /dev/null
+++ b/hosts/surtr/default.nix
@@ -0,0 +1,126 @@
1{ flake, pkgs, lib, ... }:
2{
3 imports = with flake.nixosModules.systemProfiles; [
4 qemu-guest openssh rebuild-machines ./zfs.nix ./dns ./tls.nix
5 ];
6
7 config = {
8 nixpkgs = {
9 system = "x86_64-linux";
10 };
11
12 networking.hostId = "a64cf4d7";
13 environment.etc."machine-id".text = "a64cf4d793ab0a0ed3892ead609fc0bc";
14
15 boot = {
16 loader.grub = {
17 enable = true;
18 version = 2;
19 device = "/dev/vda";
20 };
21
22 kernelPackages = pkgs.linuxPackages_latest;
23
24 tmpOnTmpfs = true;
25
26 supportedFilesystems = [ "zfs" ];
27 zfs = {
28 enableUnstable = true;
29 devNodes = "/dev"; # /dev/vda2 does not show up in /dev/disk/by-id
30 };
31
32 kernelModules = ["ptp_kvm"];
33 };
34
35 fileSystems = {
36 "/" = {
37 fsType = "tmpfs";
38 options = [ "mode=0755" ];
39 };
40
41 "/boot" =
42 { device = "/dev/disk/by-label/boot";
43 fsType = "vfat";
44 };
45 };
46
47 networking = {
48 hostName = "surtr";
49 domain = "muspelheim.yggdrasil";
50 search = [ "muspelheim.yggdrasil" "yggdrasil" ];
51
52 enableIPv6 = true;
53 dhcpcd.enable = false;
54 useDHCP = false;
55 useNetworkd = true;
56 defaultGateway = { address = "202.61.240.1"; };
57 defaultGateway6 = { address = "fe80::1"; };
58 interfaces."ens3" = {
59 ipv4.addresses = [
60 { address = "202.61.241.61"; prefixLength = 22; }
61 ];
62 ipv6.addresses = [
63 { address = "2a03:4000:52:ada::"; prefixLength = 64; }
64 ];
65 };
66
67 firewall = {
68 enable = true;
69 allowPing = true;
70 allowedTCPPorts = [
71 22 # ssh
72 ];
73 allowedUDPPortRanges = [
74 { from = 60000; to = 61000; } # mosh
75 ];
76 };
77 };
78
79 systemd.network.networks."40-ens3".networkConfig = {
80 Domains = lib.mkForce "~.";
81 DNS = [ "46.38.225.230" "46.38.252.230" "2a03:4000:0:1::e1e6" "2a03:4000:8000::fce6" ];
82 };
83
84 services.timesyncd.enable = false;
85 services.chrony = {
86 enable = true;
87 servers = [];
88 extraConfig = ''
89 pool time.cloudflare.com iburst nts
90 pool nts.ntp.se iburst nts
91 server nts.sth1.ntp.se iburst nts
92 server nts.sth2.ntp.se iburst nts
93 server ptbtime1.ptb.de iburst nts
94 server ptbtime2.ptb.de iburst nts
95 server ptbtime3.ptb.de iburst nts
96
97 refclock PHC /dev/ptp_kvm poll 2 dpoll -2 offset 0 stratum 3
98
99 makestep 0.1 3
100
101 cmdport 0
102 '';
103 };
104
105 services.openssh = {
106 enable = true;
107 passwordAuthentication = false;
108 challengeResponseAuthentication = false;
109 extraConfig = ''
110 AllowGroups ssh
111 '';
112 };
113 users.groups."ssh" = {
114 members = ["root"];
115 };
116
117 security.sudo.extraConfig = ''
118 Defaults lecture = never
119 '';
120
121 nix.gc = {
122 automatic = true;
123 options = "--delete-older-than 30d";
124 };
125 };
126}
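Review bot: Line 13 commits the machine-id as a literal into a configuration repository that is served publicly; machine-id(5) asks that this value be treated as confidential, since it seeds per-host identifiers such as the DHCP DUID and application-specific IDs derived from it. Because `/` is tmpfs (lines 36–39), the simpler way to keep it stable is to persist `/etc/machine-id` from a ZFS dataset (a bind mount alongside the other `surtr/safe` state that zfs.nix presumably manages) or to source it from a sops secret, rather than pinning it in the tree. Separately, the sshd block at lines 105–112 restricts logins to the `ssh` group, whose only member is `root` (line 114), but does not set `permitRootLogin`; making the key-only intent explicit with `permitRootLogin = "prohibit-password";` avoids depending on the module default or the imported `openssh` profile.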
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
new file mode 100644
index 00000000..ce909b72
--- /dev/null
+++ b/hosts/surtr/dns/default.nix
@@ -0,0 +1,92 @@
1{...}:
2{
3 config = {
4 fileSystems."/var/lib/knot" =
5 { device = "surtr/safe/var-lib-knot";
6 fsType = "zfs";
7 };
8
9 systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
10
11 networking.firewall = {
12 allowedTCPPorts = [
13 53 # DNS
14 ];
15 allowedUDPPorts = [
16 53 # DNS
17 ];
18 };
19
20 services.knot = {
21 enable = true;
22 extraConfig = ''
23 server:
24 listen: 127.0.0.1@53
25 listen: ::1@53
26 listen: 202.61.241.61@53
27 listen: 2a03:4000:52:ada::@53
28
29 remote:
30 - id: inwx_notify
31 address: 185.181.104.96@53
32
33 acl:
34 - id: inwx_acl
35 address: 185.181.104.96
36 action: transfer
37
38 template:
39 - id: inwx_zone
40 storage: /var/lib/knot
41 zonefile-sync: -1
42 zonefile-load: difference-no-serial
43 serial-policy: dateserial
44 journal-content: all
45 semantic-checks: on
46 dnssec-signing: on
47 notify: [inwx_notify]
48 acl: [inwx_acl]
49
50 policy:
51 - id: rsa
52 algorithm: rsasha256
53 ksk-size: 4096
54 zsk-size: 2048
55 zsk-lifetime: 30d
56
57 zone:
58 - domain: yggdrasil.li
59 template: inwx_zone
60 file: ${./zones/li.yggdrasil.soa}
61
62 - domain: nights.email
63 template: inwx_zone
64 file: ${./zones/email.nights.soa}
65
66 - domain: 141.li
67 template: inwx_zone
68 file: ${./zones/li.141.soa}
69
70 - domain: kleen.li
71 template: inwx_zone
72 file: ${./zones/li.kleen.soa}
73
74 - domain: xmpp.li
75 template: inwx_zone
76 file: ${./zones/li.xmpp.soa}
77
78 - domain: dirty-haskell.org
79 template: inwx_zone
80 file: ${./zones/org.dirty-haskell.soa}
81
82 - domain: praseodym.org
83 template: inwx_zone
84 file: ${./zones/org.praseodym.soa}
85
86 - domain: rheperire.org
87 template: inwx_zone
88 file: ${./zones/org.rheperire.soa}
89 '';
90 };
91 };
92}
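Review bot: The `policy: - id: rsa` block at lines 50–55 is never referenced: the `inwx_zone` template (lines 38–48) enables `dnssec-signing: on` without a `dnssec-policy:`, so Knot signs all eight zones with its built-in default policy (`ecdsap256sha256` in current releases, unless the version in use differs), not RSA-4096/2048 as the block suggests. Either add `dnssec-policy: rsa` to the template or drop the dead block; the default is a sound choice, so removing the block and leaving a one-line comment is the smaller change. Note also that `inwx_acl` (lines 33–36) authorizes transfers by source address alone; that is acceptable for public zone data, but a TSIG `key:` on the ACL would make the AXFR peer authenticated rather than address-matched.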
diff --git a/hosts/surtr/dns/zones/email.nights.soa b/hosts/surtr/dns/zones/email.nights.soa
new file mode 100644
index 00000000..e0589dd3
--- /dev/null
+++ b/hosts/surtr/dns/zones/email.nights.soa
@@ -0,0 +1,38 @@
1$ORIGIN nights.email.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053002 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15@ IN A 188.68.51.254
16@ IN AAAA 2a03:4000:6:d004::
17@ IN MX 0 ymir.yggdrasil.li.
18@ IN TXT "v=spf1 redirect=yggdrasil.li"
19
20* IN A 188.68.51.254
21* IN AAAA 2a03:4000:6:d004::
22* IN MX 0 ymir.yggdrasil.li.
23* IN TXT "v=spf1 redirect=yggdrasil.li"
24
25_acme-challenge 30 IN TXT ""
26
27ymir._domainkey IN TXT (
28 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
29 "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
30 "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
31)
32
33_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
34_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.
35
36_submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li.
37_imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li.
38_imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li.
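Review bot: The empty `_acme-challenge 30 IN TXT ""` placeholder at line 25 is a contract with hosts/surtr/tls.nix, whose `update-dns.sh` runs `knotc zone-unset ... TXT '""'` before setting the challenge and restores the empty record on cleanup; nothing in the zone file says so, and removing the record as an apparent leftover would likely make the `present` step fail under the script's `-e`. Add a comment above it in every zone that carries it (this file, li.141, li.kleen, li.xmpp, li.yggdrasil, org.dirty-haskell, org.praseodym, org.rheperire): `; empty placeholder: swapped in/out by update-dns.sh (tls.nix) during ACME DNS-01 validation; do not remove`.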
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa
new file mode 100644
index 00000000..6f974439
--- /dev/null
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -0,0 +1,50 @@
1$ORIGIN 141.li.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053001 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15@ IN A 188.68.51.254
16@ IN AAAA 2a03:4000:6:d004::
17@ IN MX 0 ymir.yggdrasil.li.
18@ IN TXT "v=spf1 redirect=yggdrasil.li"
19
20* IN A 188.68.51.254
21* IN AAAA 2a03:4000:6:d004::
22* IN MX 0 ymir.yggdrasil.li.
23* IN TXT "v=spf1 redirect=yggdrasil.li"
24
25surtr IN A 202.61.241.61
26surtr IN AAAA 2a03:4000:52:ada::
27surtr IN MX 0 ymir.yggdrasil.li
28surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
29
30ymir IN A 188.68.51.254
31ymir IN AAAA 2a03:4000:6:d004::
32ymir IN MX 0 ymir.yggdrasil.li
33ymir IN TXT "v=spf1 redirect=ymir.yggdrasil.li"
34
35_acme-challenge 30 IN TXT ""
36
37ymir._domainkey IN TXT (
38 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
39 "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
40 "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
41)
42
43_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
44_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.
45
46_infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li.
47
48_submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li.
49_imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li.
50_imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li.
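Review bot: Lines 27 and 32 give the MX target as `ymir.yggdrasil.li` without a trailing dot, so under `$ORIGIN 141.li.` it is read as the relative name `ymir.yggdrasil.li.141.li.`, which does not exist; every other MX in the file is absolute. The same slip is in hosts/surtr/dns/zones/li.yggdrasil.soa lines 35 and 40 (`surtr`, `mailout`) and hosts/surtr/dns/zones/org.praseodym.soa line 27. Fix: `surtr IN MX 0 ymir.yggdrasil.li.` and `ymir IN MX 0 ymir.yggdrasil.li.`. Knot's `semantic-checks` may not flag dangling MX targets, so this would only surface when mail to those names bounces.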
diff --git a/hosts/surtr/dns/zones/li.kleen.soa b/hosts/surtr/dns/zones/li.kleen.soa
new file mode 100644
index 00000000..5a3d2a11
--- /dev/null
+++ b/hosts/surtr/dns/zones/li.kleen.soa
@@ -0,0 +1,40 @@
1$ORIGIN kleen.li.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053001 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15@ IN A 188.68.51.254
16@ IN AAAA 2a03:4000:6:d004::
17@ IN MX 0 ymir.yggdrasil.li.
18@ IN TXT "v=spf1 redirect=yggdrasil.li"
19
20* IN A 188.68.51.254
21* IN AAAA 2a03:4000:6:d004::
22* IN MX 0 ymir.yggdrasil.li.
23* IN TXT "v=spf1 redirect=yggdrasil.li"
24
25_acme-challenge 30 IN TXT ""
26
27ymir._domainkey IN TXT (
28 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
29 "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
30 "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
31)
32
33_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
34_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.
35
36_infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li.
37
38_submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li.
39_imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li.
40_imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li.
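Review bot: `_submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li.` at line 38 advertises port 25 (the MTA relay port) as the RFC 6186 submission endpoint, so autoconfiguring clients will attempt authenticated submission on the MX port rather than 587, and no `_submissions._tcp` record offers implicit TLS on 465. If ymir deliberately accepts submission on 25 this is intentional and a `; ymir accepts submission on 25` comment would stop the next reader from "fixing" it; otherwise the port should be 587. The same record appears in email.nights, li.141, li.xmpp, li.yggdrasil and org.praseodym.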
diff --git a/hosts/surtr/dns/zones/li.xmpp.soa b/hosts/surtr/dns/zones/li.xmpp.soa
new file mode 100644
index 00000000..b123f4a5
--- /dev/null
+++ b/hosts/surtr/dns/zones/li.xmpp.soa
@@ -0,0 +1,40 @@
1$ORIGIN xmpp.li.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053001 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15@ IN A 188.68.51.254
16@ IN AAAA 2a03:4000:6:d004::
17@ IN MX 0 ymir.yggdrasil.li.
18@ IN TXT "v=spf1 redirect=yggdrasil.li"
19
20* IN A 188.68.51.254
21* IN AAAA 2a03:4000:6:d004::
22* IN MX 0 ymir.yggdrasil.li.
23* IN TXT "v=spf1 redirect=yggdrasil.li"
24
25_acme-challenge 30 IN TXT ""
26
27ymir._domainkey IN TXT (
28 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
29 "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
30 "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
31)
32
33_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
34_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.
35
36_infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li.
37
38_submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li.
39_imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li.
40_imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
new file mode 100644
index 00000000..a9b87b76
--- /dev/null
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -0,0 +1,58 @@
1$ORIGIN yggdrasil.li.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053000 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15ns IN A 202.61.241.61
16ns IN AAAA 2a03:4000:52:ada::
17
18@ IN A 188.68.51.254
19@ IN AAAA 2a03:4000:6:d004::
20@ IN MX 0 ymir.yggdrasil.li.
21@ IN TXT "v=spf1 a:mailout.yggdrasil.li -all"
22
23* IN A 188.68.51.254
24* IN AAAA 2a03:4000:6:d004::
25* IN MX 0 ymir.yggdrasil.li.
26* IN TXT "v=spf1 redirect=yggdrasil.li"
27
28ymir IN A 188.68.51.254
29ymir IN AAAA 2a03:4000:6:d004::
30ymir IN MX 0 ymir.yggdrasil.li.
31ymir IN TXT "v=spf1 redirect=yggdrasil.li"
32
33surtr IN A 202.61.241.61
34surtr IN AAAA 2a03:4000:52:ada::
35surtr IN MX 0 ymir.yggdrasil.li
36surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
37
38mailout IN A 188.68.51.254
39mailout IN AAAA 2a03:4000:6:d004::
40mailout IN MX 0 ymir.yggdrasil.li
41mailout IN TXT "v=spf1 redirect=yggdrasil.li"
42
43_acme-challenge 30 IN TXT ""
44
45ymir._domainkey IN TXT (
46 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
47 "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
48 "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
49)
50
51_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
52_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.
53
54_infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li.
55
56_submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li.
57_imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li.
58_imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li.
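Review bot: The `surtr` SPF at line 36 redirects to `ullr.yggdrasil.li`, but this zone defines no `ullr` record; the lookup falls to the wildcard at line 26, whose TXT in turn redirects to `yggdrasil.li`, so it works only via two hops through a name that looks like a stale host and will break if the wildcard is ever narrowed. If surtr never sends mail directly, say so with `surtr IN TXT "v=spf1 redirect=yggdrasil.li"` (or `v=spf1 -all`), and apply the same to li.141 line 28 and org.praseodym line 28; if surtr does send on its own (its address 202.61.241.61 appears in no SPF here), its IP needs to be authorized somewhere in that chain. Separately, the `ns` A/AAAA at lines 15–16 are the in-zone glue for the `ns.yggdrasil.li.` NS at line 10; the parent-side glue at the registrar must carry the same addresses, which this diff cannot show.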
diff --git a/hosts/surtr/dns/zones/org.dirty-haskell.soa b/hosts/surtr/dns/zones/org.dirty-haskell.soa
new file mode 100644
index 00000000..74aed5fd
--- /dev/null
+++ b/hosts/surtr/dns/zones/org.dirty-haskell.soa
@@ -0,0 +1,32 @@
1$ORIGIN dirty-haskell.org.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053001 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15
16@ IN A 188.68.51.254
17@ IN AAAA 2a03:4000:6:d004::
18@ IN MX 10 ymir.yggdrasil.li.
19@ IN TXT "v=spf1 redirect=yggdrasil.li"
20
21* IN A 188.68.51.254
22* IN AAAA 2a03:4000:6:d004::
23* IN MX 0 ymir.yggdrasil.li.
24* IN TXT "v=spf1 redirect=yggdrasil.li"
25
26_acme-challenge 30 IN TXT ""
27
28ymir._domainkey IN TXT (
29 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
30 "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
31 "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
32)
diff --git a/hosts/surtr/dns/zones/org.praseodym.soa b/hosts/surtr/dns/zones/org.praseodym.soa
new file mode 100644
index 00000000..6f2c676f
--- /dev/null
+++ b/hosts/surtr/dns/zones/org.praseodym.soa
@@ -0,0 +1,45 @@
1$ORIGIN praseodym.org.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053000 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15@ IN A 188.68.51.254
16@ IN AAAA 2a03:4000:6:d004::
17@ IN MX 0 ymir.yggdrasil.li.
18@ IN TXT "v=spf1 redirect=yggdrasil.li"
19
20* IN A 188.68.51.254
21* IN AAAA 2a03:4000:6:d004::
22* IN MX 0 ymir.yggdrasil.li.
23* IN TXT "v=spf1 redirect=yggdrasil.li"
24
25surtr IN A 202.61.241.61
26surtr IN AAAA 2a03:4000:52:ada::
27surtr IN MX 0 ymir.yggdrasil.li
28surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
29
30_acme-challenge 30 IN TXT ""
31
32ymir._domainkey IN TXT (
33 "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
34 "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
35 "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
36)
37
38_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
39_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.
40
41_infinoted._tcp IN SRV 5 0 6523 ymir.yggdrasil.li.
42
43_submission._tcp IN SRV 5 0 25 ymir.yggdrasil.li.
44_imap._tcp IN SRV 5 0 143 ymir.yggdrasil.li.
45_imaps._tcp IN SRV 5 0 993 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/org.rheperire.soa b/hosts/surtr/dns/zones/org.rheperire.soa
new file mode 100644
index 00000000..43b1e862
--- /dev/null
+++ b/hosts/surtr/dns/zones/org.rheperire.soa
@@ -0,0 +1,25 @@
1$ORIGIN rheperire.org.
2$TTL 3600
3@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4 2021053010 ; serial
5 10800 ; refresh
6 3600 ; retry
7 604800 ; expire
8 3600 ; min TTL
9)
10 IN NS ns.yggdrasil.li.
11 IN NS ns.inwx.de.
12 IN NS ns2.inwx.de.
13 IN NS ns3.inwx.eu.
14
15@ IN A 188.68.51.254
16@ IN AAAA 2a03:4000:6:d004::
17@ IN MX 0 ymir.yggdrasil.li.
18@ IN TXT "v=spf1 redirect=yggdrasil.li"
19
20* IN A 188.68.51.254
21* IN AAAA 2a03:4000:6:d004::
22* IN MX 0 ymir.yggdrasil.li.
23* IN TXT "v=spf1 redirect=yggdrasil.li"
24
25_acme-challenge 30 IN TXT ""
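Review bot: The zone advertises mail for rheperire.org and every subdomain (the `@` and `*` MX records and their `v=spf1 redirect=yggdrasil.li` TXT records) but nothing in this hunk publishes a `_dmarc` record or a DKIM selector, so a receiver has no policy to apply to a message spoofing a rheperire.org From: header. If mail for this domain really is relayed through ymir, a `_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@..."` record plus the selector ymir signs with would close that; if the domain is not meant to send mail at all, `"v=spf1 -all"` with `p=reject` is the conventional lock-down. The wildcard MX also makes every non-existent subdomain a valid mail destination, which is presumably intended given the matching `*` A/AAAA records but is worth a one-line comment in the zone so it is not mistaken for an oversight.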
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
new file mode 100644
index 00000000..9581dd60
--- /dev/null
+++ b/hosts/surtr/tls.nix
@@ -0,0 +1,70 @@
1{ config, pkgs, ... }:
2let
3 knotCfg = config.services.knot;
4
5 knotDNSCredentials = zone: pkgs.writeText "lego-credentials" ''
6 EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
7 EXEC_PROPAGATION_TIMEOUT=300
8 EXEC_POLLING_INTERVAL=5
9 '';
10 knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
11 #!${pkgs.zsh}/bin/zsh -xe
12
13 mode=$1
14 fqdn=$2
15 challenge=$3
16
17 owner=''${fqdn%".${zone}."}
18
19 commited=
20 function abort() {
21 [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}"
22 }
23
24 ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}"
25 trap abort EXIT
26
27 case "''${mode}" in
28 present)
29 ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""'
30 ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}"
31 ;;
32 cleanup)
33 ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
34 ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""'
35 ;;
36 *)
37 exit 2
38 ;;
39 esac
40
41 ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
42 commited=yes
43 '';
44in {
45 config = {
46 fileSystems."/var/lib/acme" =
47 { device = "surtr/safe/var-lib-acme";
48 fsType = "zfs";
49 };
50
51 security.acme = {
52 server = "https://acme-staging-v02.api.letsencrypt.org/directory";
53
54 acceptTerms = true;
55 preliminarySelfsigned = false;
56 email = "phikeebaogobaegh@141.li";
57 certs = {
58 "rheperire.org" = {
59 domain = "rheperire.org";
60 extraDomainNames = [ "*.rheperire.org" ];
61 dnsProvider = "exec";
62 credentialsFile = knotDNSCredentials "rheperire.org";
63 dnsResolver = "1.1.1.1:53";
64 };
65 };
66 };
67
68 users.groups."knot".members = [ "acme" ];
69 };
70}
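Review bot: `users.groups."knot".members = [ "acme" ]` on the last line presumably is what lets the acme user reach knot's control socket, and `update-dns.sh` drives that socket with `knotc zone-begin`/`zone-set`/`zone-commit`, which are not scoped to `_acme-challenge`: a compromised lego, or a bug in the `owner=''${fqdn%".${zone}."}` derivation (an fqdn outside the zone is passed through unchanged), can rewrite any record in any zone surtr serves. The least-privilege path is knot's dynamic-update ACL — a TSIG key with an `acl` entry restricted to the `_acme-challenge` owner and `TXT` type (`update-owner`/`update-owner-name`/`update-type`) — used from lego's `rfc2136` provider, so the acme account holds no membership on the control group at all. Two smaller points: the shebang runs zsh with `-x`, so every challenge value and `knotc` invocation is traced into the journal, and `security.acme.server` is the Let's Encrypt staging directory, whose certificates no client trusts — presumably a bootstrapping step, but it deserves a `# TODO(review): staging CA, switch to production before serving` comment so it is not forgotten.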
diff --git a/hosts/surtr/zfs.nix b/hosts/surtr/zfs.nix
new file mode 100644
index 00000000..3cbd0cf0
--- /dev/null
+++ b/hosts/surtr/zfs.nix
@@ -0,0 +1,101 @@
1{ pkgs, config, ... }:
2let
3 snapshotNames = ["frequent" "hourly" "daily" "monthly" "yearly"];
4 snapshotCount = {
5 frequent = 24;
6 hourly = 24;
7 daily = 30;
8 monthly = 12;
9 yearly = 5;
10 };
11 snapshotTimerConfig = {
12 frequent = { OnCalendar = "*:0/5 UTC"; Persistent = true; };
13 hourly = { OnCalendar = "hourly UTC"; Persistent = true; };
14 daily = { OnCalendar = "daily UTC"; Persistent = true; };
15 monthly = { OnCalendar = "monthly UTC"; Persistent = true; };
16 yearly = { OnCalendar = "yearly UTC"; Persistent = true; };
17 };
18 snapshotDescr = {
19 frequent = "few minutes";
20 hourly = "hour";
21 daily = "day";
22 monthly = "month";
23 yearly = "year";
24 };
25
26 zfs = config.boot.zfs.package;
27
28 autosnapPackage = pkgs.zfstools.override { inherit zfs; };
29in {
30 config = {
31 fileSystems = {
32 "/nix" =
33 { device = "surtr/local/nix";
34 fsType = "zfs";
35 };
36
37 "/root" =
38 { device = "surtr/safe/home-root";
39 fsType = "zfs";
40 neededForBoot = true;
41 };
42
43 "/var/lib/systemd" =
44 { device = "surtr/local/var-lib-systemd";
45 fsType = "zfs";
46 neededForBoot = true;
47 };
48
49 "/var/lib/nixos" =
50 { device = "surtr/local/var-lib-nixos";
51 fsType = "zfs";
52 neededForBoot = true;
53 };
54
55 "/var/log" =
56 { device = "surtr/local/var-log";
57 fsType = "zfs";
58 };
59
60 "/home" =
61 { device = "surtr/safe/home";
62 fsType = "zfs";
63 };
64 };
65
66 systemd.services =
67 let mkSnapService = snapName: {
68 name = "zfs-snapshot-${snapName}";
69 value = {
70 description = "ZFS auto-snapshot every ${snapshotDescr.${snapName}}";
71 after = [ "zfs-import.target" ];
72 serviceConfig = {
73 Type = "oneshot";
74 ExecStart = "${autosnapPackage}/bin/zfs-auto-snapshot -k -p -u ${snapName} ${toString snapshotCount.${snapName}}";
75 };
76 restartIfChanged = false;
77
78 preStart = ''
79 ${zfs}/bin/zfs set com.sun:auto-snapshot=true surtr/safe
80 '';
81 };
82 };
83 in builtins.listToAttrs (map mkSnapService snapshotNames);
84
85 systemd.timers =
86 let mkSnapTimer = snapName: {
87 name = "zfs-snapshot-${snapName}";
88 value = {
89 wantedBy = [ "timers.target" ];
90 timerConfig = snapshotTimerConfig.${snapName};
91 };
92 };
93 in builtins.listToAttrs (map mkSnapTimer snapshotNames);
94
95 services.zfs.trim.enable = false;
96 services.zfs.autoScrub = {
97 enable = true;
98 interval = "Sun *-*-1..7 04:00:00";
99 };
100 };
101}
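Review bot: Only `surtr/safe` is enrolled via `zfs set com.sun:auto-snapshot=true surtr/safe` in `preStart`, so `/var/log` on `surtr/local/var-log` is never snapshotted: tampered or deleted logs cannot be recovered from a snapshot, which matters for incident response on a host that serves public DNS. If logs are meant to be disposable, say so with a comment on that `fileSystems` entry (`# local: deliberately outside the snapshot policy`); otherwise move the dataset under `surtr/safe` or set the property on it as well. The `preStart` also re-runs the same `zfs set` on every timer firing; it is idempotent, but a comment such as `# ensures the whole safe/ hierarchy is covered by every snapshot schedule` would spare the next reader the question.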