From 39094f52acc0b3c38fc1a50718b5cc8e25b8fb7a Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 30 Jan 2023 12:41:51 +0100
Subject: ...
---
 hosts/surtr/dns/default.nix | 7 ++-----
 hosts/vidhar/dns/default.nix | 7 ++++++-
 hosts/vidhar/dns/keys/local | 26 ++++++++++++++++++++++++++
 hosts/vidhar/dns/keys/local_yaml | 26 --------------------------
 4 files changed, 34 insertions(+), 32 deletions(-)
 create mode 100644 hosts/vidhar/dns/keys/local
 delete mode 100644 hosts/vidhar/dns/keys/local_yaml
(limited to 'hosts')
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index e79f4bfb..ab2a3cd5 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -46,12 +46,12 @@ in {
 systemd.services.knot = {
 unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
- serviceConfig.LoadCredential = map ({name, ...}: "${name}:${config.sops.secrets.${name}.path}") knotKeys;
+ serviceConfig.LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys;
 };
 services.knot = {
 enable = true;
- keyFiles = map ({name, ...}: "/run/credentials/knot.service/${name}") knotKeys;
+ keyFiles = map ({name, ...}: "/run/credentials/knot.service/${name}.yaml") knotKeys;
 extraConfig = ''
 server:
 listen: 127.0.0.1@53
@@ -109,20 +109,17 @@ in {
 algorithm: rsasha256
 ksk-size: 4096
 zsk-size: 2048
- zsk-lifetime: 30d
 ksk-submission: validating-resolver
 - id: ed25519
 algorithm: ed25519
 nsec3: on
 nsec3-iterations: 0
- ksk-lifetime: 360d
 signing-threads: 2
 ksk-submission: validating-resolver
 - id: ed25519_local-push
 algorithm: ed25519
 nsec3: on
 nsec3-iterations: 0
- ksk-lifetime: 360d
 signing-threads: 2
 ksk-submission: validating-resolver
 cds-cdnskey-publish: double-ds
diff --git a/hosts/vidhar/dns/default.nix b/hosts/vidhar/dns/default.nix
index 2e943afc..ade884e7 100644
--- a/hosts/vidhar/dns/default.nix
+++ b/hosts/vidhar/dns/default.nix
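Review bot: Dropping `ksk-lifetime: 360d` from the two ed25519 policies in the second surtr hunk is not the same kind of change as dropping `zsk-lifetime: 30d` from the rsasha256 policy: as far as I recall Knot's documented defaults, zsk-lifetime already defaults to 30d so that removal is a no-op, whereas ksk-lifetime defaults to 0, which disables automatic KSK rollover altogether. If manual-only KSK rollover is the intent, state it so the next reader does not assume rollovers still happen on a schedule, e.g. keep an explicit `ksk-lifetime: 0  # automatic KSK rollover intentionally disabled; roll by hand` in each ed25519 policy; if it is not the intent, the 360d value should stay. The `ksk-submission: validating-resolver` and `cds-cdnskey-publish: double-ds` settings left in the hunk only act while a KSK rollover is in progress, so after this change they do nothing until someone triggers one. The commit subject is literally `...`, so nothing records which was meant; the policy list and the enclosing `extraConfig` string continue outside the hunk.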
@@ -79,9 +79,14 @@ in {
 };
 };
+ systemd.services.knot = {
+ unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
+ serviceConfig.LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys;
+ };
+
 services.knot = {
 enable = true;
- keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys;
+ keyFiles = map ({name, ...}: "/run/credentials/knot.service/${name}.yaml") knotKeys;
 extraConfig = ''
 server:
 listen: 127.0.0.1@5353
diff --git a/hosts/vidhar/dns/keys/local b/hosts/vidhar/dns/keys/local
new file mode 100644
index 00000000..f682f05e
--- /dev/null
+++ b/hosts/vidhar/dns/keys/local
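Review bot: With `LoadCredential` the sops secret at `config.sops.secrets.${name}.path` is read by the service manager and handed to knot under `/run/credentials/knot.service/`, so the secret file itself no longer needs to be readable by the knot user; the removed `keyFiles = ... .path` line did need that, assuming knot runs unprivileged as the NixOS module does by default. If the `knotKeys` secret declarations — defined outside this hunk — still set owner/group/mode to let knot read those paths directly, that widening can now be reverted to root-only 0400, which is the main benefit of the switch and is easy to leave on the table. A one-line comment above the new block would make the reason for the indirection clear to the next maintainer, e.g. `# Keys reach knot as systemd credentials so the sops secret files can stay root-only.`. The enclosing `in { ... }` attribute set starts and ends outside the hunk.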
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:hpWdnmsmBmO01PkTlmRLHdmXrPX6POuU/PWrOUMgH6glThzsFdk84tskUExnsl3N39ryCmgZwotIZ8zCWduPBn+nN3VTEP5Z4xltC8I82C6F283gWC3gxpTXFSwF7JetRM5uBQV0FFd9iXHUySEHdzoRqsGuZTMYdT44Bm6gGQHyt7N3/EeLHyJKa7MH+SLLznjlaTnmrAxEyGP8Talda0s/mkh4nRqQnbxX6aOTQpQ=,iv:eRQuxRNQGU2Zwudaqjr+QvLLpJ5QqrjvAN/uL6x8hUs=,tag:CYEt1K+gOGiOX9qQR/Q9jw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3RzluYjcwZ0lzb2dkQ1dW\nTi9WUVNzcFl2SFlKOWhydDRJUDZwV0ZiRlE4ClpJMi9iKys2c0UzMC91aDAyUmdi\nM2hGM2pEbldvWVJxVE9xTGkzS3k1M3cKLS0tIHZ6amlrK2MrTk0zbVM3K0hud2R0\naEpTUFdLbTJDeUdtV3B3ZlRiaEhRVnMKnhQlTzVT4SexBeLOfr2lzmt/HNLX3i8L\nMzy38YXRX7zlyABV7ARCUfv8iJuTEdwagmN7GNFKjBYJKnJdx/I5KA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2022-03-15T13:30:32Z", + "mac": "ENC[AES256_GCM,data:PG4ywF/U6ITmdRB4OU5uXu54YabYt9Yyy2oYEMx0XpMlpKWH5bmg2qQNFakxBD6wCy2H6e3LmwcUl2N692crm3n/qQRNPQ0ETHVlaPlRFG85tiz/Ngi6tasoKG+ciLAXMy05c+yY6oENN7grm1TTMZRGSIyxo27ZU+k4kmz4eVM=,iv:fluwCnXHAJ/z2oGWCLXbjooymXbViPrZdVJOnoSrn1g=,tag:QtNGIKMBDtKnb3JPuRqmiA==,type:str]", + "pgp": [ + { + "created_at": "2023-01-30T11:19:26Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA3cFA0mdDezP+pRvGq6iso68awdx9b7MBBUIiHEzcBEow\ndsh5K9hQX2fe7zhBkS2wqt9uMvfXrohAgibJj/XmgFoiJFh6dg+t5AQNNZ1YPZ10\n0l4BVavPT6fUC2xusU7XH0oJ6ALL8WEA5PEipzxANTCgZZ6mz9H2inYOJAFLvWeU\nQoZVGQVAIU1HksNi2gC671IkfL9yLQpxafOVYIsD+aP/D7unXcZ4u30nJa/ACcsk\n=yXpx\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file diff --git a/hosts/vidhar/dns/keys/local_yaml b/hosts/vidhar/dns/keys/local_yaml deleted file mode 100644 index f682f05e..00000000 
--- a/hosts/vidhar/dns/keys/local_yaml +++ /dev/null @@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:hpWdnmsmBmO01PkTlmRLHdmXrPX6POuU/PWrOUMgH6glThzsFdk84tskUExnsl3N39ryCmgZwotIZ8zCWduPBn+nN3VTEP5Z4xltC8I82C6F283gWC3gxpTXFSwF7JetRM5uBQV0FFd9iXHUySEHdzoRqsGuZTMYdT44Bm6gGQHyt7N3/EeLHyJKa7MH+SLLznjlaTnmrAxEyGP8Talda0s/mkh4nRqQnbxX6aOTQpQ=,iv:eRQuxRNQGU2Zwudaqjr+QvLLpJ5QqrjvAN/uL6x8hUs=,tag:CYEt1K+gOGiOX9qQR/Q9jw==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3RzluYjcwZ0lzb2dkQ1dW\nTi9WUVNzcFl2SFlKOWhydDRJUDZwV0ZiRlE4ClpJMi9iKys2c0UzMC91aDAyUmdi\nM2hGM2pEbldvWVJxVE9xTGkzS3k1M3cKLS0tIHZ6amlrK2MrTk0zbVM3K0hud2R0\naEpTUFdLbTJDeUdtV3B3ZlRiaEhRVnMKnhQlTzVT4SexBeLOfr2lzmt/HNLX3i8L\nMzy38YXRX7zlyABV7ARCUfv8iJuTEdwagmN7GNFKjBYJKnJdx/I5KA==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2022-03-15T13:30:32Z", - "mac": "ENC[AES256_GCM,data:PG4ywF/U6ITmdRB4OU5uXu54YabYt9Yyy2oYEMx0XpMlpKWH5bmg2qQNFakxBD6wCy2H6e3LmwcUl2N692crm3n/qQRNPQ0ETHVlaPlRFG85tiz/Ngi6tasoKG+ciLAXMy05c+yY6oENN7grm1TTMZRGSIyxo27ZU+k4kmz4eVM=,iv:fluwCnXHAJ/z2oGWCLXbjooymXbViPrZdVJOnoSrn1g=,tag:QtNGIKMBDtKnb3JPuRqmiA==,type:str]", - "pgp": [ - { - "created_at": "2023-01-30T11:19:26Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA3cFA0mdDezP+pRvGq6iso68awdx9b7MBBUIiHEzcBEow\ndsh5K9hQX2fe7zhBkS2wqt9uMvfXrohAgibJj/XmgFoiJFh6dg+t5AQNNZ1YPZ10\n0l4BVavPT6fUC2xusU7XH0oJ6ALL8WEA5PEipzxANTCgZZ6mz9H2inYOJAFLvWeU\nQoZVGQVAIU1HksNi2gC671IkfL9yLQpxafOVYIsD+aP/D7unXcZ4u30nJa/ACcsk\n=yXpx\n-----END PGP MESSAGE-----\n", - "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.7.1" - } -} \ No newline at end of file -- cgit v1.2.3