From a7255ba16633d70c22e8bed75ae52c49f08e1c18 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 22 Feb 2022 15:48:59 +0100 Subject: surtr: dns/tls: rfc2136 --- hosts/surtr/dns/default.nix | 137 +++++++++++++++++++++----------------------- 1 file changed, 64 insertions(+), 73 deletions(-) (limited to 'hosts/surtr/dns/default.nix') diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 5d55c815..57146d67 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix @@ -3,15 +3,38 @@ with lib; let - acmeChallengeZonefile = domain: let - reverseDomain = concatStringsSep "." (reverseList (["_acme-challenge"] ++ splitString "." domain)); - in pkgs.writeText "${reverseDomain}.zone" '' + reverseDomain = domain: concatStringsSep "." (reverseList (splitString "." domain)); + + acmeChallengeZonefile = domain: pkgs.writeText "${reverseDomain "_acme-challenge.${domain}"}.soa" '' $ORIGIN _acme-challenge.${domain}. $TTL 3600 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. 2022022103 10800 3600 604800 30 IN NS ns.yggdrasil.li. ''; + + knotKeys = let + dir = ./keys; + toKeyInfo = name: v: + if v == "regular" || v == "symlink" + then { path = dir + "/${name}"; inherit name; } + else null; + in filter (v: v != null) (mapAttrsToList toKeyInfo (builtins.readDir dir)); + + indentString = indentation: str: concatMapStringsSep "\n" (str: " ${str}") (splitString "\n" (removeSuffix "\n" str)); + + mkZone = {domain, path ? (./zones + "/${reverseDomain domain}.soa"), acmeDomains ? [domain]}: indentString " " '' + - domain: ${domain} + template: inwx_zone + ${optionalString (acmeDomains != []) "acl: [local_acl, inwx_acl]"} + file: ${path} + ${concatMapStringsSep "\n" (acmeDomain: '' + - domain: _acme-challenge.${acmeDomain} + template: acme_zone + acl: [${assert (config.sops.secrets ? "${acmeDomain}_acme.yaml"); "${acmeDomain}_acme_acl"}] + file: ${acmeChallengeZonefile acmeDomain} + '') acmeDomains} + ''; in { config = { fileSystems."/var/lib/knot" = 
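Review bot: `mkZone` defaults `acmeDomains` to `[domain]` and emits `acl: [local_acl, inwx_acl]` whenever that list is non-empty, so every zone that does not explicitly opt out now gets a DS-update ACL, a transfer ACL and an `_acme-challenge` subzone — the removed hand-written zone list only carried those ACLs on 141.li and rheperire.org and only had two ACME zones. The transfer/DS ACL is unrelated to ACME, so a separate argument (an explicit `acl ? [...]` list, say) would keep the two decisions independent, and `acmeDomains ? []` would make the new ACME zones an explicit opt-in rather than something a zone silently acquires. Separately, `indentString` never uses its `indentation` parameter and prefixes each line with a literal string (its exact width is lost in this rendering); `(line: "${indentation}${line}")` would make the parameter effective and stop shadowing `str`. The existence check on the secret is a bare `assert`, which fails with a generic message; `assert (config.sops.secrets ? "${acmeDomain}_acme.yaml") || throw "missing ./keys/${acmeDomain}_acme.yaml";` names the file the operator has to add.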
@@ -23,11 +46,7 @@ in { services.knot = { enable = true; - keyFiles = [ - config.sops.secrets."rheperire.org_acme_key.yaml".path - config.sops.secrets."webdav.141.li_acme_key.yaml".path - config.sops.secrets."knot_local_key.yaml".path - ]; + keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys; extraConfig = '' server: listen: 127.0.0.1@53 @@ -48,16 +67,23 @@ in { - id: inwx_acl address: 185.181.104.96 action: transfer - - id: rheperire.org_acme_acl - key: rheperire.org_acme_key - action: update - - id: webdav.141.li_acme_acl - key: webdav.141.li_acme_key - action: update - id: local_acl key: local_key action: update update-type: DS + ${let + toACMEACL = { name, ... }: + if hasSuffix "_acme.yaml" name + then + let + base = removeSuffix ".yaml" name; + in indentString " " '' + - id: ${base}_acl + key: ${base}_key + action: update + '' + else null; + in concatStringsSep "\n" (filter (v: v != null) (map toACMEACL knotKeys))} mod-rrl: - id: default 
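Review bot: `keyFiles` now hands knot every regular file or symlink under `./keys` (via `knotKeys`, defined in the first hunk) with no check that the entry is a key file at all, so a stray README, editor backup or `.sops.yaml` would be declared as a sops secret owned by knot and passed to knot as a key file, failing the service start. Filtering by name in `knotKeys`, e.g. `if (v == "regular" || v == "symlink") && hasSuffix ".yaml" name`, keeps the directory-driven approach while matching the `_acme.yaml` suffix check the ACL generator in the next hunk already relies on.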
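Review bot: The generated ACME ACLs grant `action: update` with no restriction on record type, so a leaked `<domain>_acme_key` can write any RRtype into `_acme-challenge.<domain>`, while the adjacent `local_acl` already shows how to narrow an update ACL with `update-type: DS`. RFC 2136 ACME clients only add and delete TXT records, so adding `update-type: TXT` to the generated entry limits the key to that; the blast radius is the dedicated challenge zone either way, but the narrowing is free and uses a directive the config already depends on. Note also that `key: ${base}_key` assumes the key id inside each `./keys/<domain>_acme.yaml` follows the same `<domain>_acme_key` convention as the removed hand-written entries; a mismatch only surfaces when knot loads the key file, not at evaluation time.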
@@ -124,68 +150,33 @@ in { dnssec-policy: ed25519_local-push zone: - - domain: yggdrasil.li - template: inwx_zone - file: ${./zones/li.yggdrasil.soa} - - - domain: nights.email - template: inwx_zone - file: ${./zones/email.nights.soa} - - - domain: 141.li - template: inwx_zone - acl: [local_acl, inwx_acl] - file: ${./zones/li.141.soa} - - domain: _acme-challenge.webdav.141.li - template: acme_zone - acl: [webdav.141.li_acme_acl] - file: ${acmeChallengeZonefile "webdav.141.li"} - - - domain: kleen.li - template: inwx_zone - file: ${./zones/li.kleen.soa} - - - domain: xmpp.li - template: inwx_zone - file: ${./zones/li.xmpp.soa} - - - domain: dirty-haskell.org - template: inwx_zone - file: ${./zones/org.dirty-haskell.soa} - - - domain: praseodym.org - template: inwx_zone - file: ${./zones/org.praseodym.soa} - - - domain: rheperire.org - template: inwx_zone - acl: [local_acl, inwx_acl] - file: ${./zones/org.rheperire.soa} - - domain: _acme-challenge.rheperire.org - template: acme_zone - acl: [rheperire.org_acme_acl] - file: ${acmeChallengeZonefile "rheperire.org"} + ${concatMapStringsSep "\n" mkZone [ + { domain = "yggdrasil.li"; + } + { domain = "nights.email"; + } + { domain = "141.li"; + acmeDomains = ["webdav.141.li" "141.li"]; + } + { domain = "kleen.li"; + } + { domain = "xmpp.li"; + } + { domain = "dirty-haskell.org"; + } + { domain = "praseodym.org"; + } + { domain = "rheperire.org"; + } + ]} ''; }; - sops.secrets = { - "rheperire.org_acme_key.yaml" = { - format = "binary"; - owner = "knot"; - sopsFile = ./keys/rheperire.org_acme.yaml; - }; - "webdav.141.li_acme_key.yaml" = { - format = "binary"; - owner = "knot"; - sopsFile = ./keys/webdav.141.li_acme.yaml; - }; - "knot_local_key.yaml" = { - format = "binary"; - owner = "knot"; - sopsFile = ./keys/local_key.yaml; - }; - }; - + sops.secrets = listToAttrs (map ({name, path}: nameValuePair name { + format = "binary"; + owner = "knot"; + sopsFile = path; + }) knotKeys); fileSystems."/var/lib/unbound" = { device = 
"surtr/local/var-lib-unbound"; -- cgit v1.2.3
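Review bot: `sops.secrets` is now keyed by the file name in `./keys`, so the secret previously declared as `knot_local_key.yaml` (from `./keys/local_key.yaml`) is now named `local_key.yaml`; anything elsewhere in the configuration that still references `config.sops.secrets."knot_local_key.yaml"` will fail to evaluate, which this diff (limited to default.nix) cannot show. Since every zone in the new list except 141.li relies on `mkZone`'s default `acmeDomains ? [domain]`, each listed domain must have a matching `./keys/<domain>_acme.yaml` for the `assert` in `mkZone` to pass, which deserves a comment above the list, e.g. `# every domain needs ./keys/<domain>_acme.yaml; pass acmeDomains = [] to opt out of ACME`. The enclosing `config` attribute set begins and ends outside this hunk.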