From 9ed4c08d8c03f8d12586c25cddc33da92a20c218 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 22 Feb 2022 10:48:18 +0100 Subject: surtr: tls/dns: rfc2136 for rheperire.org --- hosts/surtr/tls/default.nix | 156 ++++++++++++++++++++++++++++++++ hosts/surtr/tls/tsig_keys/rheperire.org | 26 ++++++ 2 files changed, 182 insertions(+) create mode 100644 hosts/surtr/tls/default.nix create mode 100644 hosts/surtr/tls/tsig_keys/rheperire.org (limited to 'hosts/surtr/tls') diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix new file mode 100644 index 00000000..a1548feb --- /dev/null +++ b/hosts/surtr/tls/default.nix @@ -0,0 +1,156 @@ +{ config, lib, customUtils, pkgs, ... }: + +with lib; + +let + inherit (customUtils) mapFilterAttrs; + + tsigSecretName = domain: "${domain}_tsig-secret"; + + cfg = config.security.acme; + knotCfg = config.services.knot; + + knotDNSCredentials = domain: let + zone = if cfg.domains.${domain}.zone == null then domain else cfg.domains.${domain}.zone; + in pkgs.writeText "lego-credentials" '' + EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh + EXEC_PROPAGATION_TIMEOUT=300 + EXEC_POLLING_INTERVAL=5 + ''; + knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" '' + #!${pkgs.zsh}/bin/zsh -xe + + mode=$1 + fqdn=$2 + challenge=$3 + + owner=''${fqdn%".${zone}."} + + commited= + function abort() { + [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}" + } + + ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}" + trap abort EXIT + + case "''${mode}" in + present) + if ${knotCfg.cliWrappers}/bin/knotc zone-get ${zone} "''${owner}" TXT; then + ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""' + fi + ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}" + ;; + cleanup) + ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}" + ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""' + ;; + *) + exit 2 + ;; + esac + + ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}" + commited=yes + ''; + + domainOptions = { + options = { + wildcard = mkOption { + type = types.bool; + default = false; + }; + zone = mkOption { + type = types.nullOr types.str; + default = null; + }; + certCfg = mkOption { + type = types.attrs; + default = {}; + }; + }; + }; +in { + options = { + security.acme = { + domains = mkOption { + type = types.attrsOf (types.submodule domainOptions); + default = {}; + }; + }; + }; + + config = { + security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"] (domain: { wildcard = true; }); + + fileSystems."/var/lib/acme" = + { device = "surtr/safe/var-lib-acme"; + fsType = "zfs"; + }; + + security.acme = { + acceptTerms = true; + preliminarySelfsigned = true; # DNS challenge is slow + defaults = { + email = "phikeebaogobaegh@141.li"; + keyType = "rsa4096"; # we don't like NIST curves + # extraLegoFlags = ["--preferred-chain" "ISRG Root X1"]; + }; + certs = + let + domainAttrset = domain: let + tsigPath = ./tsig_keys + "/${domain}"; + tsigSecret = config.sops.secrets.${tsigSecretName domain}; + isTsig = pathExists tsigPath; + shared = { + inherit domain; + extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}"; + dnsResolver = "127.0.0.1:5353"; + }; + mkKnotc = shared // { + dnsProvider = "exec"; + credentialsFile = knotDNSCredentials domain; + }; + mkRFC2136 = let + tsigInfo = readYaml tsigPath; + in shared // { + dnsProvider = "rfc2136"; + credentialsFile = pkgs.writeText "${domain}_credentials.env" '' + RFC2136_NAMESERVER=127.0.0.1:53 + RFC2136_TSIG_ALGORITHM=hmac-sha256. + RFC2136_TSIG_KEY=${domain}_acme + RFC2136_TSIG_SECRET_FILE=${tsigSecret.path} + RFC2136_PROPAGATION_TIMEOUT=300 + RFC2136_POLLING_INTERVAL=5 + RFC2136_TTL=300 + ''; + }; + in // cfg.domains.${domain}.certCfg; + in genAttrs (attrNames cfg.domains) domainAttrset; + }; + + sops.secrets = let + toTSIGSecret = n: v: + if v == "regular" || v == "symlink" + then nameValuePair (tsigSecretName n) { + format = "binary"; + owner = if config.security.acme.useRoot then "root" else "acme"; + group = "acme"; + sopsFile = ./tsig_keys + "/${n}"; + } else null; + in mapFilterAttrs (_: v: v != null) toTSIGSecret (readDir ./tsig_keys); + + systemd.services = + let + serviceAttrset = domain: { + after = [ "knot.service" ]; + bindsTo = [ "knot.service" ]; + serviceConfig = { + ReadWritePaths = ["/run/knot/knot.sock"]; + SupplementaryGroups = ["knot"]; + RestrictAddressFamilies = ["AF_UNIX"]; + }; + }; + in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset); + }; +} diff --git a/hosts/surtr/tls/tsig_keys/rheperire.org b/hosts/surtr/tls/tsig_keys/rheperire.org new file mode 100644 index 00000000..1f3dc4a4 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/rheperire.org @@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:Lb1IWtwPdBxeXGrOr74MlR7lKBMIg2ix3enRMVN4MPEDh7CIFv1nhAfLCDU=,iv:TcyGtcKEL7yUXgHrfJ5pDjl8r5V7ltYQw2wcnsFN1bc=,tag:gBaYj6MkQKvD/uO+Pudnzg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-02-22T09:46:27Z", + "mac": "ENC[AES256_GCM,data:vtymuSymOeh34ZbAumxCEcemtI0UFBoQwj4axpKf7AzVnQOubWYxPI5x23CiOE12Y+FThg1dYEnDWlkkQjMVWQvcJzfP1g25S98MuZ42E9R0nBxGzTrIaKS7kgNAriYDy8ib7Z3DUbajEGfvLLazCdHu3g9gE0dLewKcUTHaXwM=,iv:j8vS2Ej58HLf+CP9fe1rN+4UuniGlv/0M+Zzt3nlk5I=,tag:xn33GGm2knsIdH+EJ1zDcA==,type:str]", + "pgp": [ + { + "created_at": "2022-02-22T09:46:26Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA1++YsCSiRkVGoVF6uvYeY7JjZjsdjAUwubCF3fLDtS8w\nHFSQltgrqkul1Ei1fUFQqFbSpMSfBQhk0kMH0Xuk5SoDd1lWumqTP9gaJj/CM+yz\n0l4BHiQ4Ktyc01f127Az36nQZGKdJvL9etQAceNtNM7Y4XkLQ78OXFJoERrf81s/\n4wm5za7xqEBE1oE0QWAelzyjBqxI1iCjDl3p6heUdhqlcvAifXgqAk0qxq/4T4FG\n=2Bwl\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-02-22T09:46:26Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA4jg570qc5Zu3yAJPmjf11r20eYMyjAeEWw/RreZga3Uw\nmTy2jo/de11m3r/aIxp0Q/vFZ1m4JGeoIzIgQxGnhX0s0NpfCbCih0P7UMjZRatC\n0l4BCzWq7c0A2GbjPq+aKF2IYfQV5gdwjgCAJO3Oylb/SAltwnyGChANw4ckUCjV\n9DWYIcerMP2scxpjf5nJXpHNMjpGR7fcqS71PoVoJoActMqrG0deOMUSUEOVP8nR\n=+ux+\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file -- cgit v1.2.3