From 9ed4c08d8c03f8d12586c25cddc33da92a20c218 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 22 Feb 2022 10:48:18 +0100 Subject: surtr: tls/dns: rfc2136 for rheperire.org --- hosts/surtr/dns/default.nix | 44 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) (limited to 'hosts/surtr/dns/default.nix') diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index feb56195..9a72a2c6 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix @@ -1,5 +1,18 @@ -{ pkgs, ... }: -{ +{ pkgs, lib, ... }: + +with lib; + +let + acmeChallengeZonefile = domain: let + reverseDomain = concatStringsSep "." (reverseList ("_acme-challenge" ++ splitString "." domain)); + in pkgs.writeText "${reverseDomain}.zone" '' + $ORIGIN ${domain}. + @ 3600 IN SOA _acme-challenge.${domain}. root.yggdrasil.li. 2022022102 7200 3600 86400 300 + $TTL 300 + + IN NS ns.yggdrasil.li. + ''; +in { config = { fileSystems."/var/lib/knot" = { device = "surtr/safe/var-lib-knot"; @@ -10,6 +23,9 @@ services.knot = { enable = true; + keyFiles = [ + config.sops.secrets."acme_rheperire.org_key".path + ]; extraConfig = '' server: listen: 127.0.0.1@53 @@ -27,6 +43,9 @@ - id: inwx_acl address: 185.181.104.96 action: transfer + - id: rheperire.org_acme_acl + key: rheperire.org_acme_key + action: update mod-rrl: - id: default @@ -71,6 +90,15 @@ dnssec-policy: ed25519 notify: [inwx_notify] acl: [inwx_acl] + - id: acme_zone + storage: /var/lib/knot + zonefile-sync: -1 + zonefile-load: difference-no-serial + serial-policy: dateserial + journal-content: all + semantic-checks: on + dnssec-signing: on + dnssec-policy: ed25519 zone: - domain: yggdrasil.li 
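Review bot: `"_acme-challenge" ++ splitString "." domain` in the new `reverseDomain` binding applies `++` to a string and a list, which Nix rejects at evaluation time; it should read `[ "_acme-challenge" ] ++ splitString "." domain` so the file is named `org.rheperire._acme-challenge.zone`, in the same reversed style as the existing `org.rheperire.soa`. The zonefile also sets `$ORIGIN ${domain}.`, so `@` expands to `rheperire.org.` even though the SOA MNAME names `_acme-challenge.${domain}.` and the last hunk loads this file for the zone `_acme-challenge.rheperire.org`; unless the parent zone is the intended apex, that line should presumably be `$ORIGIN _acme-challenge.${domain}.`, otherwise Knot's semantic checks will see the SOA outside the zone. A short header comment on the helper would help the next reader, e.g. `# Zonefile for a delegated _acme-challenge subzone: the ACME client writes its TXT challenges here via RFC 2136, so the parent zone never has to accept dynamic updates` (inferred from the commit title; confirm).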
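Review bot: `config.sops.secrets."acme_rheperire.org_key".path` in the new `keyFiles` list names an attribute this patch never declares — the secret added in the last hunk is `"rheperire.org_acme_key.yaml"` — and `config` is not in the module's argument set (`{ pkgs, lib, ... }:` in the first hunk), so evaluation fails on both counts. I'd change the header to `{ config, pkgs, lib, ... }:` and the reference to `config.sops.secrets."rheperire.org_acme_key.yaml".path`, or rename the secret so both sides agree. The `services.knot` attribute set continues outside the hunk.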
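Review bot: The new `rheperire.org_acme_acl` grants `action: update` to the `rheperire.org_acme_key` holder with no restriction on record type or owner, although the key exists only to place ACME TXT challenges; narrowing it with `update-type: [TXT]` and, if the deployed Knot version supports it, `update-owner: zone` / `update-owner-match: equal` means a leaked key cannot plant NS, A or other records in the delegated zone. Attaching the ACL only to the `_acme-challenge.rheperire.org` zone (last hunk) already keeps the parent zone out of reach, which is the right design. Note that the `key:` id must match the `id` inside the sops-provided key file, which this patch does not show.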
@@ -104,9 +132,21 @@ - domain: rheperire.org template: inwx_zone file: ${./zones/org.rheperire.soa} + - domain: _acme-challenge.rheperire.org + template: acme_zone + acl: [ rheperire.org_acme_acl ] + file: ${acmeChallengeZonefile "rheperire.org"} ''; }; + sops.secrets = { + "rheperire.org_acme_key.yaml" = { + format = "yaml"; + owner = "knot"; + sopsFile = ./keys/rheperire.org_acme.yaml; + }; + }; + fileSystems."/var/lib/unbound" = { device = "surtr/local/var-lib-unbound"; -- cgit v1.2.3
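Review bot: The new `sops.secrets."rheperire.org_acme_key.yaml"` entry sets `format = "yaml"` but no `key`, so sops-nix will try to extract a YAML key named `rheperire.org_acme_key.yaml` from `keys/rheperire.org_acme.yaml` rather than emit the whole file; if that file is a complete Knot key file, as its use in `keyFiles` suggests, the entry needs `key = "";` (the file's content is not visible here, so confirm). The secret's name also differs from the `acme_rheperire.org_key` referenced in `keyFiles` in the second hunk, so one of the two has to be renamed before this evaluates. The parent zonefile `org.rheperire.soa` is untouched by this patch; the `_acme-challenge` delegation (`_acme-challenge IN NS ns.yggdrasil.li.`) has to exist there for challenge lookups to reach the new zone.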