From 56db0eef6b60891b6320feba397033b68ff3ee56 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 22 Feb 2022 17:10:20 +0100
Subject: surtr: dns: open rfc2136 to ymir
---
 hosts/surtr/dns/default.nix | 16 +++++++++++++---
 hosts/surtr/dns/keys/ymir_acme.yaml | 26 ++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 hosts/surtr/dns/keys/ymir_acme.yaml
(limited to 'hosts')
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 57146d67..dc991b66 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -23,7 +23,9 @@ let
 indentString = indentation: str: concatMapStringsSep "\n" (str: " ${str}") (splitString "\n" (removeSuffix "\n" str));
- mkZone = {domain, path ? (./zones + "/${reverseDomain domain}.soa"), acmeDomains ? [domain]}: indentString " " ''
+ mkZone = {domain, path ? (./zones + "/${reverseDomain domain}.soa"), acmeDomains ? [domain], addACLs ? {}}: indentString " " (let
+ keys = acmeDomain: [(assert (config.sops.secrets ? "${acmeDomain}_acme.yaml"); "${acmeDomain}_acme_acl")] ++ (addACLs.${acmeDomain} or []);
+ in ''
 - domain: ${domain}
 template: inwx_zone
 ${optionalString (acmeDomains != []) "acl: [local_acl, inwx_acl]"}
@@ -31,10 +33,10 @@ let
 ${concatMapStringsSep "\n" (acmeDomain: ''
 - domain: _acme-challenge.${acmeDomain}
 template: acme_zone
- acl: [${assert (config.sops.secrets ? "${acmeDomain}_acme.yaml"); "${acmeDomain}_acme_acl"}]
+ acl: [${concatStringsSep ", " (keys acmeDomain)}]
 file: ${acmeChallengeZonefile acmeDomain}
 '') acmeDomains}
- '';
+ '');
 in {
 config = {
 fileSystems."/var/lib/knot" = 
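Review bot: In the new `keys` helper the names taken from `addACLs.${acmeDomain} or []` bypass the `config.sops.secrets ?` assertion that guards the zone's own `${acmeDomain}_acme_acl`, so a misspelled or undeclared extra ACL (the second hunk of this file adds `ymir_acme_acl` by hand in eight places) only fails when knot loads the generated config rather than at Nix evaluation. Given the visible `<name>_acme.yaml` / `<name>_acme_acl` convention, the extra entries could carry just the base name and run through the same check: `keys = acmeDomain: map (n: assert (config.sops.secrets ? "${n}_acme.yaml"); "${n}_acme_acl") ([acmeDomain] ++ (addACLs.${acmeDomain} or []));`, with callers passing `["ymir"]`. A key of `addACLs` that matches no element of `acmeDomains` is also silently dropped by that lookup; `assert all (d: elem d acmeDomains) (attrNames addACLs);` before the `let` body would surface the mismatch at evaluation time. `mkZone` starts in this hunk and its body continues into the next one.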
@@ -152,21 +154,29 @@ in {
 zone:
 ${concatMapStringsSep "\n" mkZone [
 { domain = "yggdrasil.li";
+ addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };
 }
 { domain = "nights.email";
+ addACLs = { "nights.email" = ["ymir_acme_acl"]; };
 }
 { domain = "141.li";
 acmeDomains = ["webdav.141.li" "141.li"];
+ addACLs = { "141.li" = ["ymir_acme_acl"]; };
 }
 { domain = "kleen.li";
+ addACLs = { "kleen.li" = ["ymir_acme_acl"]; };
 }
 { domain = "xmpp.li";
+ addACLs = { "xmpp.li" = ["ymir_acme_acl"]; };
 }
 { domain = "dirty-haskell.org";
+ addACLs = { "dirty-haskell.org" = ["ymir_acme_acl"]; };
 }
 { domain = "praseodym.org";
+ addACLs = { "praseodym.org" = ["ymir_acme_acl"]; };
 }
 { domain = "rheperire.org";
+ addACLs = { "rheperire.org" = ["ymir_acme_acl"]; };
 }
 ]}
 '';
diff --git a/hosts/surtr/dns/keys/ymir_acme.yaml b/hosts/surtr/dns/keys/ymir_acme.yaml
new file mode 100644
index 00000000..fd3383ff
--- /dev/null
+++ b/hosts/surtr/dns/keys/ymir_acme.yaml 
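Review bot: Every entry in the list now repeats its own `domain` as the `addACLs` key with the identical value `["ymir_acme_acl"]`, which is duplication that will drift on the next rename; if the grant is meant to apply to each zone's primary name, a single default in `mkZone` such as `addACLs ? { ${domain} = ["ymir_acme_acl"]; }` states that once, and if it is meant to stay opt-in, a shared binding like `ymirACL = d: { ${d} = ["ymir_acme_acl"]; };` applied per entry keeps the intent readable. The `141.li` entry grants the new ACL only to `141.li` and not to `webdav.141.li`, the other member of its `acmeDomains`; if that is deliberate, a one-line comment beside it giving the reason would stop a reader from treating it as an omission. The Nix string holding the knot configuration opens outside this hunk; only its closing `'';` is visible here.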
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:byBJwbC+WjFdWWnlSQUkSyNw9J7FwNqXuXMl68IzVsIMNmRHrRj/1cUgf7q1MN4YbNHwW5SV53wM0iIsNIObXNIdhe3QVK0X6hWfEXBuZ1yf1kdcCWleIVzh7swJXNoudWCcFYQz527pUKB7FoqalzTZED8+qok7zvyrB9YAyrXhFS7+RUM/6LgmAUcd99ojhPE5N4WZOk/+rUYx/lRmDqjteBUlTsg2zbyJI5aiPJRgmeRUr6nY/g==,iv:mv0jAiWU1kD8+fOD8C/gbUryGcB2jl4g9HypRsrMqcI=,tag:1IURck5WIqn5CqpVRMGeTA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-02-22T16:07:25Z",
+ "mac": "ENC[AES256_GCM,data:mwXrUm7h+Hn6klCDmz9ni1bqVpaJlpLTDuUUvXGKnX0RjG763szhjbvI/NVj42e7pkgoArDN83Zf0KdugmTCIEQB15PYsGvc5uRcBK8I28Gktwdz9InCbArOvXGO6BoGF47VxjNDeFy5OnUUbST0pF94WXEIeGaD/QxXn0c5ljo=,iv:koaB3cA9IxyuLY3R1qF7FOwgzh4QnkNrMmVomu4MugI=,tag:7D8qzyGF2hibcumXV3HqGQ==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-02-22T16:07:25Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAmcJoxHfANstUX5rNuujHRm1VVe8RNrwMItzqvMyh/Ssw\nha1cGkBRxuVkkSMNGX3A0uMD3bYY/CGS8706ttaSNxlkPERExs+1YT/ds1nmR3VN\n0l4BpTrOGwKutMwjbB30Jmoy9EkqkqjC6948q/lJGl+bCk0ByJ99vQR0hv8KNvIj\nV6TkiKbCHHXy+Z1n/XkKPqWcjjcth4cJBKwsDB2EU6hbc9MGrM7PgVtR9Vce/mGv\n=WPOy\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ },
+ {
+ "created_at": "2022-02-22T16:07:25Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdArf8QXVpdQJH0v/0o9KN3LVbtEQAsuVco3mhjnhh5nVYw\ns0YqUAmN6hDTcDvfKljR5D/iK2iEfbZgBLGJyNsy3AbYdu3lhdGbxWerbVgrNA+p\n0l4BEzSmhqAlNqPvTwgCqRBaBnbsI7OLrqxIG08K+SAnRHs+BPc1xB0DLT4OZerm\nKNvcKNeYrEWluhipt9AVwuQzMTo3b/ZLGi97nICPsb8tu9DwS4fjcPaA52q70oSx\n=vWLx\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
-- cgit v1.2.3
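Review bot: This diff adds the encrypted `ymir_acme.yaml` but nothing in it declares the `sops.secrets."ymir_acme.yaml"` entry or the knot `key`/`acl` stanzas that make `ymir_acme_acl` a valid name, so presumably both are derived elsewhere from the files under `keys/`; a one-line comment at the new `addACLs` parameter in `mkZone` naming where those definitions come from would save the next reader the search. Unlike the per-domain `<domain>_acme.yaml` files, this one is named after the consuming host rather than a zone, which is exactly the case the `config.sops.secrets ?` assertion in `keys` does not cover.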