From f6e32c687607fbc666a41eda574ff1e10a630ece Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 22 Feb 2022 13:24:29 +0100 Subject: ... --- hosts/surtr/dns/default.nix | 16 +++++++++++++++- hosts/surtr/dns/keys/webdav.141.li_acme.yaml | 26 ++++++++++++++++++++++++++ hosts/surtr/dns/zones/li.141.soa | 3 ++- hosts/surtr/tls/tsig_keys/webdav.141.li | 26 ++++++++++++++++++++++++++ 4 files changed, 69 insertions(+), 2 deletions(-) create mode 100644 hosts/surtr/dns/keys/webdav.141.li_acme.yaml create mode 100644 hosts/surtr/tls/tsig_keys/webdav.141.li diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 2079585c..971de5e8 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix @@ -25,6 +25,7 @@ in { enable = true; keyFiles = [ config.sops.secrets."rheperire.org_acme_key.yaml".path + config.sops.secrets."webdav.141.li_acme_key.yaml".path config.sops.secrets."knot_local_key.yaml".path ]; extraConfig = '' @@ -50,6 +51,9 @@ in { - id: rheperire.org_acme_acl key: rheperire.org_acme_key action: update + - id: webdav.141.li_acme_acl + key: webdav.141.li_acme_key + action: update - id: local_acl key: local_key action: update @@ -130,7 +134,12 @@ in { - domain: 141.li template: inwx_zone + acl: [local_acl, inwx_acl] file: ${./zones/li.141.soa} + - domain: _acme-challenge.webdav.141.li + template: acme_zone + acl: [webdav.141.li_acme_acl] + file: ${acmeChallengeZonefile "webdav.141.li"} - domain: kleen.li template: inwx_zone @@ -150,8 +159,8 @@ in { - domain: rheperire.org template: inwx_zone - file: ${./zones/org.rheperire.soa} acl: [local_acl, inwx_acl] + file: ${./zones/org.rheperire.soa} - domain: _acme-challenge.rheperire.org template: acme_zone acl: [rheperire.org_acme_acl] 
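Review bot: The new `webdav.141.li_acme_acl` entry in the `acl:` list grants `action: update` with no further restriction, so any holder of `webdav.141.li_acme_key` can write records of any type into the zone this ACL is attached to (`_acme-challenge.webdav.141.li`, added in the `@@ -130,7 +134,12 @@` hunk). A DNS-01 client only needs to set TXT records, so the rule can be narrowed by adding `update-type: [TXT]` beneath `action: update`. The neighbouring `rheperire.org_acme_acl`, visible as context, has the same shape and would take the same line. The `acl:` section and the `acme_zone` template both begin outside these hunks, so this is based only on the entries shown.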
@@ -165,6 +174,11 @@ in { owner = "knot"; sopsFile = ./keys/rheperire.org_acme.yaml; }; + "webdav.141.li_acme_key.yaml" = { + format = "binary"; + owner = "knot"; + sopsFile = ./keys/webdav.141.li_acme.yaml; + }; "knot_local_key.yaml" = { format = "binary"; owner = "knot"; diff --git a/hosts/surtr/dns/keys/webdav.141.li_acme.yaml b/hosts/surtr/dns/keys/webdav.141.li_acme.yaml new file mode 100644 index 00000000..b0f05df6 --- /dev/null +++ b/hosts/surtr/dns/keys/webdav.141.li_acme.yaml 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:WNZ6BAzz5b0mnr2XqVQM82NFuQJz3bBK76DmnA/xvFPLvAmN4tCDzcu4NrdihcpQZ9J5ZiiIynJH1RBB/hd9ut+e/ByHv954XW3o/Ml5gb1Nl6zkCSAb3uxnjTlf5dm9ROWzx+NBLvIt8DELMYuV/NRtRq6w3ZCWbEp/I3N/r/VPhIw7PkagI9QWNkXp0l2qBml/xwxO2HnZxE7WXtphpOfNZtBuWPF49gO2UeVHrsAfxVgtGNmY9IjBExSQDThDJmo8nFUvrLVydQ==,iv:MQHy1Hi2kASjm684tL3JT5xcdc4mrTWjJWCB4adl1Uk=,tag:IzUtLbMoeRu/Km7o3RTxbg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-02-22T12:22:44Z", + "mac": "ENC[AES256_GCM,data:tGfEoG8C+zqkBRtfaCNrmuR6dG8kmaRexM6szkSmOsFVgzl3wGsPmVai4rFhgXsozOmt2Lchc01uRqERA+HIkkaMFdVDLWzMEGytEeE1s1JYCVNEc/RmjgeKqxwHuAv5cFGn8ZNZ9JKMF566wUFjjWM/AQffNYCdtSni8tV6eWg=,iv:qoyig97CBgl9X9Z6qbKunu8fvbiiW4uRtErM8nrb9MM=,tag:zFuAbP7ZsEgKGDOo9ACmrw==,type:str]", + "pgp": [ + { + "created_at": "2022-02-22T12:22:44Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAEvqLWBZvD3I4xE6W7MKPD9eDGyKa3hpXracLRTHT4hYw\nqy+itvTL207VL0fU8Ve+rmxFjEaMvowFgwWk7+p98thgtbCcUNTxIF4gH2HjSOWS\n0l4Bb3G2vvDhUv1i0AR5WohSdfi5eyQjvt8HqJQ/0hBBwIL4IEcWjpBE+rX/460S\n4gigrXHpgSKZ/i/Aselm6XZhB0jNUf3pZ3pnCQPJpyrLGnFXwCSqB6EaREKU+6BK\n=dSPd\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-02-22T12:22:44Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAWXk1C46X8TTkWhHfTMhgo1KnKlCl8A8lzsAo7mqnpzcw\ncoae53lNWGeoCSfOl5E2oSVCgZzEu5R9kC9aLRJgDushXZ56XtTUUF4ggCHogJqE\n0l4B942HOIlWHSlbfOs1/0R5QPnXC1OQ0E6XEVJmBgnUNB3EG473eCTJeabwlaq8\nNgFlL09go4ISjnlKDIgfQZGI9u1j0PyDJ3MtQTnb2j8kzfbcsGcpSLQRn7kzSsjO\n=x5xi\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa index 8c357b35..fbff1cad 100644 --- a/hosts/surtr/dns/zones/li.141.soa 
+++ b/hosts/surtr/dns/zones/li.141.soa @@ -1,7 +1,7 @@ $ORIGIN 141.li. $TTL 3600 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( - 2022022102 ; serial + 2022022200 ; serial 10800 ; refresh 3600 ; retry 604800 ; expire @@ -31,6 +31,7 @@ surtr IN MX 0 ymir.yggdrasil.li surtr IN TXT "v=spf1 redirect=yggdrasil.li" webdav IN CNAME surtr.yggdrasil.li. +_acme-challenge.webdav IN NS ns.yggdrasil.li. ymir IN A 188.68.51.254 ymir IN AAAA 2a03:4000:6:d004:: diff --git a/hosts/surtr/tls/tsig_keys/webdav.141.li b/hosts/surtr/tls/tsig_keys/webdav.141.li new file mode 100644 index 00000000..cb2e332e --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/webdav.141.li 
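Review bot: The added `_acme-challenge.webdav IN NS ns.yggdrasil.li.` delegation has no comment linking it to the dynamic zone and TSIG ACL declared in `default.nix`. If that zone entry is later removed, this record would be left as a lame delegation that nobody recognises as security-relevant. A one-line zone comment above it would document the intent, for example `; delegated so ACME DNS-01 updates (key webdav.141.li_acme_key) stay in a separate dynamic zone`. Separately, the context line `surtr IN MX 0 ymir.yggdrasil.li` appears to lack the trailing dot that the CNAME and NS targets carry. Under `$ORIGIN 141.li.` it would expand relative to the zone, so it is worth confirming.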
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:Zi4zdvMqKiEp9CGCOdC+KjWsfOUw9wurx7zuOK5DijgnfMRfCEuTZVCs8Jhs,iv:bB13accgPvkWvN74FGhLRYOYyUSTxPgSHC4NIWTVjnU=,tag:rhxq0ME8B9wsMgJXpa0/qg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-02-22T12:23:26Z", + "mac": "ENC[AES256_GCM,data:XwQKJBBJ3luAqk0S6auD7q+QLPwxG6Gnn/Aim5AJIO4FzgiluvuL8oNk4Ez/5Q/FVOtbMDKCQbwz+tgWJN6i2mlu8W4xR+bLOlGzcBQmnY5QIcmyRGDNhumrThoHtE+3agLwyVhWrvZmpeSruTRZ5n2EkGshOnSAi2SGZulVrPg=,iv:pInwne4YHzWd92gKgoNB0VBVMH7Hmu7q6LZMU8GO1yw=,tag:Y8J6cJommccQTR7guU4Rmw==,type:str]", + "pgp": [ + { + "created_at": "2022-02-22T12:23:26Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA0kfMkCzKUHK7Ox8TXe/Z+RNrU3yk8WNk5Gb0LKgc/iow\nQHecugi4Gk+ZEGLcko5MXPDXee9PDQDLGNCxLiRcClc4lLC/AgWNwfSL5j1Gw2Mg\n0l4BJGJq5dK5acKKuLjgmehIDEi2ZJZl2/Sgw3TymUZyc9Y6Xw8k2ouAidSQwyuh\n5pLkzGAOS9qeHedOR7BuZSHVkPzFeM2JE/bkQyVx2im4UBDYMw3sDc0VMsQgV8Gp\n=ZqOO\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-02-22T12:23:26Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA+tTfPKdULqJRo6n4UDMGJdH06I5iHTnNf0slTxfhp1cw\n0DUkmp715+saoXFTACUEiiiBv+8r7cLTb7qOWXcRq5LP7kAPwHZ5p++9vzePyQ84\n0l4ByVQ5Ywn0t2nyYKbnRktvg3Ea0XUErBVVg1+iGpnfVT6rcUroHqqpkb8KXfBL\nQ1Mg/pHXMCHlbjnVRG/zyO3Mu6mvWpLgw39j6S3jtAFhdEmTUXSd1tdZXYPKWpyT\n=1egy\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file -- cgit v1.2.3