From 1e82933a01dcc3810d635567dbef0de286c1e8f2 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 30 Jan 2023 16:19:57 +0100
Subject: Revert "..."

This reverts commit 68645f75136d6e82bfb7e27b50c531d1b416c4d5.
---
 hosts/surtr/dns/zones/consulting.kleen.soa | 4 +---
 hosts/surtr/dns/zones/email.bouncy.soa | 6 +-----
 hosts/surtr/dns/zones/li.141.soa | 4 +---
 hosts/surtr/dns/zones/li.synapse.soa | 6 +-----
 hosts/surtr/dns/zones/li.yggdrasil.soa | 6 +-----
 hosts/surtr/email/default.nix | 4 ----
 hosts/surtr/etebase/default.nix | 4 ----
 hosts/surtr/http/default.nix | 2 +-
 hosts/surtr/http/webdav/default.nix | 2 --
 hosts/surtr/matrix/default.nix | 4 ----
 hosts/surtr/ruleset.nft | 4 +---
 11 files changed, 7 insertions(+), 39 deletions(-)

diff --git a/hosts/surtr/dns/zones/consulting.kleen.soa b/hosts/surtr/dns/zones/consulting.kleen.soa
index 5597491d..7f358b61 100644
--- a/hosts/surtr/dns/zones/consulting.kleen.soa
+++ b/hosts/surtr/dns/zones/consulting.kleen.soa
@@ -1,7 +1,7 @@
 $ORIGIN kleen.consulting.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2023013001 ; serial
+ 2023013000 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -71,5 +71,3 @@ mta-sts IN AAAA 2a03:4000:52:ada::
 mta-sts IN MX 0 mailin.kleen.consulting.
 mta-sts IN TXT "v=spf1 redirect=kleen.consulting"
 _acme-challenge.mta-sts IN NS ns.yggdrasil.li.
-
-mta-sts IN HTTPS 1 . alpn="h2,h3"
diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa
index 8906fa84..de14e610 100644
--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2023013002 ; serial
+ 2023013000 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
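Review bot: The serial on the `+ 2023013000 ; serial` line goes backwards (from 2023013001, and from 2023013002 in email.bouncy.soa and li.synapse.soa), so a secondary that already transferred the zone at the higher serial will consider its copy current and never pull the version that drops the `HTTPS 1 . alpn="h2,h3"` records; the same applies to the serial hunks in email.bouncy.soa, li.141.soa, li.synapse.soa and li.yggdrasil.soa. Reverting zone content still has to move the serial forward, e.g. `+ 2023013003 ; serial` (or the next unused value for each zone). Until that is done, any secondary stuck on the old serial can keep handing out an HTTPS record that advertises h3 while this same commit removes the UDP 443/8448 accept rule in ruleset.nft, so HTTP/3-capable clients may try QUIC first and only then fall back to TCP; a SOA query against each secondary after deployment would confirm the transfer happened.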
@@ -69,8 +69,6 @@ spm IN MX 0 mailin.bouncy.email.
 spm IN TXT "v=spf1 redirect=bouncy.email"
 _acme-challenge.spm IN NS ns.yggdrasil.li.
 
-spm IN HTTPS 1 . alpn="h2,h3"
-
 _mta-sts IN TXT "v=STSv1; id=2022100600"
 _smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:postmaster@bouncy.email"
 mta-sts IN A 202.61.241.61
@@ -78,5 +76,3 @@ mta-sts IN AAAA 2a03:4000:52:ada::
 mta-sts IN MX 0 mailin.bouncy.email.
 mta-sts IN TXT "v=spf1 redirect=bouncy.email"
 _acme-challenge.mta-sts IN NS ns.yggdrasil.li.
-
-mta-sts IN HTTPS 1 . alpn="h2,h3"
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa
index 507408e8..b17e7f6e 100644
--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2023013001 ; serial
+ 2023013000 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -35,8 +35,6 @@ surtr IN TXT "v=spf1 redirect=yggdrasil.li"
 webdav IN CNAME surtr.yggdrasil.li.
 _acme-challenge.webdav IN NS ns.yggdrasil.li.
 
-webdav IN HTTPS 1 . alpn="h2,h3"
-
 ymir IN A 188.68.51.254
 ymir IN AAAA 2a03:4000:6:d004::
 ymir IN MX 0 ymir.yggdrasil.li
diff --git a/hosts/surtr/dns/zones/li.synapse.soa b/hosts/surtr/dns/zones/li.synapse.soa
index 564df7a3..e2d1fa22 100644
--- a/hosts/surtr/dns/zones/li.synapse.soa
+++ b/hosts/surtr/dns/zones/li.synapse.soa
@@ -1,7 +1,7 @@
 $ORIGIN synapse.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2023013002 ; serial
+ 2023013000 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -23,14 +23,10 @@ $TTL 3600
 
 _matrix._tcp IN SRV 5 0 443 synapse.li.
 
-@ IN HTTPS 1 . alpn="h2,h3"
-
 element IN A 202.61.241.61
 element IN AAAA 2a03:4000:52:ada::
 _acme-challenge.element IN NS ns.yggdrasil.li.
 
-element IN HTTPS 1 . alpn="h2,h3"
-
 turn IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
 turn IN CAA 128 issue "sectigo.com; validationmethods=dns-01"
 turn IN CAA 128 iodef "mailto:caa@yggdrasil.li"
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index 62468570..25cad30b 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2023013001 ; serial
+ 2023013000 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -59,16 +59,12 @@ etesync IN MX 0 surtr.yggdrasil.li
 etesync IN TXT "v=spf1 redirect=surtr.yggdrasil.li"
 _acme-challenge.etesync IN NS ns.yggdrasil.li.
 
-etesync IN HTTPS 1 . alpn="h2,h3"
-
 app.etesync IN A 202.61.241.61
 app.etesync IN AAAA 2a03:4000:52:ada::
 app.etesync IN MX 0 surtr.yggdrasil.li
 app.etesync IN TXT "v=spf1 redirect=surtr.yggdrasil.li"
 _acme-challenge.app.etesync IN NS ns.yggdrasil.li.
 
-app.etesync IN HTTPS 1 . alpn="h2,h3"
-
 vidhar IN AAAA 2a03:4000:52:ada:4:1::
 vidhar IN MX 0 ymir.yggdrasil.li
 vidhar IN TXT "v=spf1 redirect=yggdrasil.li"
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 01c22ce5..0e2a78eb 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -716,8 +716,6 @@ in {
 virtualHosts = listToAttrs (map (domain: nameValuePair "spm.${domain}" {
 forceSSL = true;
- kTLS = true;
- http3 = true;
 sslCertificate = "/run/credentials/nginx.service/spm.${domain}.pem";
 sslCertificateKey = "/run/credentials/nginx.service/spm.${domain}.key.pem";
 extraConfig = ''
@@ -736,8 +734,6 @@ in {
 };
 }) spmDomains) // listToAttrs (map (domain: nameValuePair "mta-sts.${domain}" {
 forceSSL = true;
- kTLS = true;
- http3 = true;
 sslCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.pem";
 sslCertificateKey = "/run/credentials/nginx.service/mta-sts.${domain}.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.chain.pem";
diff --git a/hosts/surtr/etebase/default.nix b/hosts/surtr/etebase/default.nix
index 3b0bd9d3..ca6d84fe 100644
--- a/hosts/surtr/etebase/default.nix
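Review bot: The removed `- kTLS = true;` lines in both email/default.nix hunks (and likewise in the etebase, webdav and matrix hunks) back out a setting that, as far as I can tell, does not depend on `pkgs.nginxQuic`: the per-vhost `kTLS` option is separate from `services.nginx.package`, and the commit message only says this is a revert, not that kernel TLS itself was broken. If only HTTP/3 is being withdrawn, consider keeping `kTLS = true;` on these vhosts and dropping just `http3 = true;`. That should be confirmed against the nginx package actually in use, since kernel TLS offload needs an OpenSSL build and kernel that support it. The enclosing virtualHosts expressions start and end outside both hunks.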
+++ b/hosts/surtr/etebase/default.nix
@@ -50,8 +50,6 @@
 virtualHosts = {
 "etesync.yggdrasil.li" = {
- kTLS = true;
- http3 = true;
 forceSSL = true;
 sslCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/etesync.yggdrasil.li.key.pem";
@@ -83,8 +81,6 @@
 };
 "app.etesync.yggdrasil.li" = {
- kTLS = true;
- http3 = true;
 forceSSL = true;
 sslCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.key.pem";
diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix
index 6b516b00..3d7f3ebf 100644
--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -7,7 +7,7 @@
 config = {
 services.nginx = {
 enable = true;
- package = pkgs.nginxQuic;
+ # package = pkgs.nginxQuic;
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix
index f94935ee..c5a94996 100644
--- a/hosts/surtr/http/webdav/default.nix
+++ b/hosts/surtr/http/webdav/default.nix
@@ -36,8 +36,6 @@ in {
 virtualHosts."webdav.141.li" = {
 forceSSL = true;
- kTLS = true;
- http3 = true;
 sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 96cceb89..5b89e321 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
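Review bot: The `+ # package = pkgs.nginxQuic;` line in http/default.nix leaves a commented-out option behind with nothing on it saying why it is disabled, so the next reader cannot tell a leftover from a deliberate toggle. Either delete the line (the revert falls back to the default nginx package either way) or keep it with a reason, e.g. `# HTTP/3 (pkgs.nginxQuic) disabled; see the revert of 68645f75`. If the line is kept as a toggle, it is worth noting next to it that re-enabling it alone is not sufficient: the per-vhost `http3 = true;` lines and the UDP 443/8448 firewall rules removed in this same commit would have to come back with it. The `services.nginx` attribute set continues outside the hunk.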
@@ -151,8 +151,6 @@ with lib;
 sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
- kTLS = true;
- http3 = true;
 listen = [
 { addr = "0.0.0.0"; port = 443; ssl = true; }
 { addr = "[::0]"; port = 443; ssl = true; }
@@ -201,8 +199,6 @@ with lib;
 virtualHosts."element.synapse.li" = {
 forceSSL = true;
- kTLS = true;
- http3 = true;
 sslCertificate = "/run/credentials/nginx.service/element.synapse.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
 sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index ee72614f..4993b6b7 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -171,7 +171,6 @@ table inet filter {
 udp dport 53 counter name dns-rx accept
 tcp dport {80, 443, 8448} counter name http-rx accept
- udp dport {443, 8448} counter name http-rx accept
 tcp dport {3478, 5349} counter name stun-rx accept
 udp dport {3478, 5349} counter name stun-rx accept
@@ -216,8 +215,7 @@ table inet filter {
 meta protocol ip6 udp sport {51821, 51822} counter name wg-tx
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
- tcp sport {80, 443, 8448} counter name http-tx accept
- udp sport {443, 8448} counter name http-tx accept
+ tcp sport {80,443,8448} counter name http-tx accept
 tcp sport {3478, 5349} counter name stun-tx accept
 udp sport {3478, 5349} counter name stun-tx accept
--
cgit v1.2.3
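Review bot: The added `+ tcp sport {80,443,8448} counter name http-tx accept` in the second ruleset.nft hunk drops the spaces inside the set while the removed line and the neighbouring `{3478, 5349}` sets keep them, so the revert introduces a formatting change that is not a revert. Restoring the line byte-for-byte as `tcp sport {80, 443, 8448} counter name http-tx accept` keeps the file consistent; the two spellings are functionally identical to nft. Removing the UDP 443/8448 ingress and egress rules in the same file matches HTTP/3 no longer being served by any vhost after this commit, provided the DNS HTTPS records are actually withdrawn on all secondaries. The enclosing chains start and end outside both hunks.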