From 9ed4c08d8c03f8d12586c25cddc33da92a20c218 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 22 Feb 2022 10:48:18 +0100
Subject: surtr: tls/dns: rfc2136 for rheperire.org
---
 hosts/surtr/dns/default.nix | 44 ++++++++++++++++++++++++++--
 hosts/surtr/dns/keys/.sops.yaml | 3 ++
 hosts/surtr/dns/keys/rheperire.org_acme.yaml | 38 ++++++++++++++++++++++++
 3 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100644 hosts/surtr/dns/keys/.sops.yaml
 create mode 100644 hosts/surtr/dns/keys/rheperire.org_acme.yaml
(limited to 'hosts/surtr/dns')
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index feb56195..9a72a2c6 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -1,5 +1,18 @@
-{ pkgs, ... }:
-{
+{ pkgs, lib, ... }:
+
+with lib;
+
+let
+ acmeChallengeZonefile = domain: let
+ reverseDomain = concatStringsSep "." (reverseList ("_acme-challenge" ++ splitString "." domain));
+ in pkgs.writeText "${reverseDomain}.zone" ''
+ $ORIGIN ${domain}.
+ @ 3600 IN SOA _acme-challenge.${domain}. root.yggdrasil.li. 2022022102 7200 3600 86400 300
+ $TTL 300
+
+ IN NS ns.yggdrasil.li.
+ '';
+in {
 config = {
 fileSystems."/var/lib/knot" = {
 device = "surtr/safe/var-lib-knot";
@@ -10,6 +23,9 @@
 
 services.knot = {
 enable = true;
+ keyFiles = [
+ config.sops.secrets."acme_rheperire.org_key".path
+ ];
 extraConfig = ''
 server:
 listen: 127.0.0.1@53
@@ -27,6 +43,9 @@
 - id: inwx_acl
 address: 185.181.104.96
 action: transfer
+ - id: rheperire.org_acme_acl
+ key: rheperire.org_acme_key
+ action: update
 
 mod-rrl:
 - id: default
@@ -71,6 +90,15 @@
 dnssec-policy: ed25519
 notify: [inwx_notify]
 acl: [inwx_acl]
+ - id: acme_zone
+ storage: /var/lib/knot
+ zonefile-sync: -1
+ zonefile-load: difference-no-serial
+ serial-policy: dateserial
+ journal-content: all
+ semantic-checks: on
+ dnssec-signing: on
+ dnssec-policy: ed25519
 
 zone:
 - domain: yggdrasil.li
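Review bot: `("_acme-challenge" ++ splitString "." domain)` inside `acmeChallengeZonefile` applies `++`, which is list concatenation in Nix, to a string left operand; because `reverseDomain` is forced for the `writeText` name, evaluating `acmeChallengeZonefile "rheperire.org"` (used in the zone hunk further down) should fail with a type error, and the fix is `reverseList ([ "_acme-challenge" ] ++ splitString "." domain)`. Separately, the SOA MNAME `_acme-challenge.${domain}.` does not name the only server the zone publishes in its NS record, `ns.yggdrasil.li.`; pointing MNAME at the actual primary keeps the apex self-consistent.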
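Review bot: `config.sops.secrets."acme_rheperire.org_key".path` in the new `keyFiles` list names a secret this commit never declares — the `sops.secrets` hunk later in this file declares `"rheperire.org_acme_key.yaml"` — so one of the two names has to change before the module evaluates. `config` is also not bound in this module: the first hunk sets the arguments to `{ pkgs, lib, ... }:` and the body is a plain (non-`rec`) attribute set, so the reference needs `{ config, pkgs, lib, ... }:`. Both are evaluation-time failures, so a `nix eval` of the host configuration would surface them before deployment.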
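Review bot: `key: rheperire.org_acme_key` in the new `rheperire.org_acme_acl` does not match the key shipped in the encrypted key file — the `rheperire.org_acme.yaml` hunk below carries `id: rheperire.org_acme` in the clear — so knot's configuration check should reject the ACL as referencing an undefined key; either the ACL should read `key: rheperire.org_acme` or the key id should be renamed to match. With `action: update` and no `address` item, authentication rests entirely on the TSIG key, which is the usual RFC 2136 arrangement for a remote ACME client and is acceptable here because the key is bound to the dedicated `_acme-challenge.rheperire.org` zone only. If the Knot version in use supports the ACL `update-type` item, adding `update-type: [TXT]` would further confine the key to the one record type ACME needs.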
@@ -104,9 +132,21 @@
 - domain: rheperire.org
 template: inwx_zone
 file: ${./zones/org.rheperire.soa}
+ - domain: _acme-challenge.rheperire.org
+ template: acme_zone
+ acl: [ rheperire.org_acme_acl ]
+ file: ${acmeChallengeZonefile "rheperire.org"}
 '';
 };
 
+ sops.secrets = {
+ "rheperire.org_acme_key.yaml" = {
+ format = "yaml";
+ owner = "knot";
+ sopsFile = ./keys/rheperire.org_acme.yaml;
+ };
+ };
+
 
 fileSystems."/var/lib/unbound" = {
 device = "surtr/local/var-lib-unbound";
diff --git a/hosts/surtr/dns/keys/.sops.yaml b/hosts/surtr/dns/keys/.sops.yaml
new file mode 100644
index 00000000..4f536273
--- /dev/null
+++ b/hosts/surtr/dns/keys/.sops.yaml
@@ -0,0 +1,3 @@
+creation_rules:
+ - path_regex: "\\.yaml$"
+ unencrypted_regex: "^(id|algorithm)$"
diff --git a/hosts/surtr/dns/keys/rheperire.org_acme.yaml b/hosts/surtr/dns/keys/rheperire.org_acme.yaml
new file mode 100644
index 00000000..16f6d19e
--- /dev/null
+++ b/hosts/surtr/dns/keys/rheperire.org_acme.yaml
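Review bot: `format = "yaml"` on `"rheperire.org_acme_key.yaml"` is declared without a `key`; as I read sops-nix, `key` then defaults to the secret's own name, so the decrypted output would be the lookup of a top-level YAML key called `rheperire.org_acme_key.yaml`, which the encrypted file does not contain (its top-level keys are `key` and `sops`). Knot's `keyFiles` expects the whole decrypted document, which sops-nix provides when the secret sets `key = "";`. The `owner = "knot"` with the default read-only mode keeps the TSIG secret off the world-readable path, which is the right scoping. The parent-side delegation of `_acme-challenge.rheperire.org` to `ns.yggdrasil.li` would live in `./zones/org.rheperire.soa`, which this diff does not touch, so whether it already exists cannot be confirmed from here.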
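Review bot: The single creation rule in `.sops.yaml` sets `path_regex` and `unencrypted_regex` but names no recipients (`pgp` or `age`), so `sops` has to take its master keys from `--pgp`/`SOPS_PGP_FP` or the operator's environment; as far as I know sops uses only the nearest `.sops.yaml` without merging parent rules, so listing the two fingerprints that appear in `rheperire.org_acme.yaml` here would make `sops updatekeys` reproducible for the next editor. Leaving `id` and `algorithm` in the clear is reasonable since neither is secret, and sops still covers unencrypted values with the file MAC by default, so the key id cannot be changed unnoticed.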
@@ -0,0 +1,38 @@
+#ENC[AES256_GCM,data:exIBsQRSUnOhewl0P3WCqktpjsdFFIJ610rodabSsbKK/XF/0WwRU2ErAyv3wlmtXUJMY3jSugkzbRmnND9GIrj6n8M20BVoOeXzUA==,iv:SJBizi+kSa80964nQ78+43sapNDTGifSiV1kOheuujk=,tag:j4eowYRr4cmwUzXGwm3CAA==,type:comment]
+key:
+ - id: rheperire.org_acme
+ algorithm: hmac-sha256
+ secret: ENC[AES256_GCM,data:rgw4nQczDhEeI5JMl1fJA3HX5ZVBpjTQEEk2pkA3c9M1CWYpFvzFRtCAxe8=,iv:Y0G3+A161Lefpwknm+S2jj8rTfm/jlrP+pnR3vR6/mk=,tag:IHsCnkIU2p3hCmRokecbtw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2022-02-22T09:17:59Z"
+ mac: ENC[AES256_GCM,data:tYWQT6iDQGsYm4zCtNbqvZhIYIMm3+Q9faRbqVpeERdq3oJlEvKIL3MAP2fj6789EbCKf/6zdah5HzYK9k4RsZWxtPfqxYXZp7gWvWwKwm5MRZfQtYzR7ThhD/8QANJKLVffl+PknJqhUYsUq9aeYTbLnyuR2AHY1WkR/fPwcLg=,iv:wGmozslNHE1dc4tpmNVGQJw2hhojB4L3gf7qu963ItA=,tag:4WrPw6biusQDV1OTWmXv6Q==,type:str]
+ pgp:
+ - created_at: "2022-02-22T09:17:59Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DyFKFNkTVG5oSAQdAcxKwhh0Poivpl/A7YU53ab+rMWLWKRpeUSwehL6LPEMw
+ zv+AtmWUPtAL1GpyruFTYoT0P7CJ/PJLYYUDZPH/4oNcaU+5XiBi6sj3svWH5HQE
+ 0l4BBkvxjYvgPNYSw68AJz/AlzRig4SL7q1VwaYH9w+UWnpwK2CeIZSn11lzDdcj
+ 8jUZK34aJFFcGWBM2ZKEtQDm3n5B2nRxwb5kLjqwith5zczJ289VNPDmnlVRU4BA
+ =i8zc
+ -----END PGP MESSAGE-----
+ fp: 7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8
+ - created_at: "2022-02-22T09:17:59Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DXxoViZlp6dISAQdALxbhftpZmVeTmFU8ujPPR5w0Z8ljkZbI8SHAWmC2QEIw
+ iTS491iicbH7kzF+l3SZZ1XAFn9p4ZjQyZNeOHXD/q1KXxCWGn3UTRSbXlgzzmKZ
+ 0l4BSZpnpgmEgLospl5mS6smVEO58Q3XXjVTQVKAjQaxD9Oe1DRCgW4kOq4xKGWS
+ xF55QHP3bPt5ziF2nwF+Gs28HW4UzAFVcr7r7Bz9CxwHixFx5qjvzAWh+Pp+TdY0
+ =hSUL
+ -----END PGP MESSAGE-----
+ fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+ unencrypted_regex: ^(id|algorithm)$
+ version: 3.7.1
-- cgit v1.2.3