From 68645f75136d6e82bfb7e27b50c531d1b416c4d5 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Mon, 30 Jan 2023 16:09:43 +0100
Subject: ...

---
 hosts/surtr/dns/zones/consulting.kleen.soa | 4 +++-
 hosts/surtr/dns/zones/email.bouncy.soa     | 6 +++++-
 hosts/surtr/dns/zones/li.141.soa           | 4 +++-
 hosts/surtr/dns/zones/li.synapse.soa       | 6 +++++-
 hosts/surtr/dns/zones/li.yggdrasil.soa     | 6 +++++-
 hosts/surtr/email/default.nix              | 4 ++++
 hosts/surtr/etebase/default.nix            | 4 ++++
 hosts/surtr/http/default.nix               | 2 +-
 hosts/surtr/http/webdav/default.nix        | 2 ++
 hosts/surtr/matrix/default.nix             | 4 ++++
 hosts/surtr/ruleset.nft                    | 4 +++-
 11 files changed, 39 insertions(+), 7 deletions(-)


diff --git a/hosts/surtr/dns/zones/consulting.kleen.soa b/hosts/surtr/dns/zones/consulting.kleen.soa
index 7f358b61..5597491d 100644
--- a/hosts/surtr/dns/zones/consulting.kleen.soa
+++ b/hosts/surtr/dns/zones/consulting.kleen.soa
@@ -1,7 +1,7 @@
 $ORIGIN kleen.consulting.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2023013000 ; serial
+  2023013001 ; serial
   10800	     ; refresh
   3600	     ; retry
   604800     ; expire
@@ -71,3 +71,5 @@ mta-sts			IN	AAAA	2a03:4000:52:ada::
 mta-sts			IN	MX	0 mailin.kleen.consulting.
 mta-sts			IN	TXT	"v=spf1 redirect=kleen.consulting"
 _acme-challenge.mta-sts	IN	NS	ns.yggdrasil.li.
+
+mta-sts			IN	HTTPS	1 . alpn="h2,h3"
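Review bot: This HTTPS record, like the matching ones added in email.bouncy.soa, li.synapse.soa and li.yggdrasil.soa, advertises `alpn="h2,h3"`, so HTTPS-RR-aware clients may attempt QUIC on UDP 443 before TCP; that only works once the nginxQuic package switch and the UDP 443 nftables rule from this same commit are live on surtr, and with `$TTL 3600` the zones roll out independently of the host rebuild. If the zones are published before the listener exists, such clients fall back to TCP after a failed QUIC attempt, so deploy order matters here. A zone comment next to the record, e.g. `; h3 advertised via HTTPS RR; requires the QUIC listener (UDP 443) on surtr`, would document the coupling for whoever edits the zone next.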
diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa
index de14e610..8906fa84 100644
--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2023013000 ; serial
+  2023013002 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -69,6 +69,8 @@ spm			IN	MX	0 mailin.bouncy.email.
 spm			IN	TXT	"v=spf1 redirect=bouncy.email"
 _acme-challenge.spm	IN	NS	ns.yggdrasil.li.
 
+spm			IN	HTTPS	1 . alpn="h2,h3"
+
 _mta-sts		IN	TXT	"v=STSv1; id=2022100600"
 _smtp._tls		IN	TXT	"v=TLSRPTv1; rua=mailto:postmaster@bouncy.email"
 mta-sts			IN	A	202.61.241.61
@@ -76,3 +78,5 @@ mta-sts			IN	AAAA	2a03:4000:52:ada::
 mta-sts			IN	MX	0 mailin.bouncy.email.
 mta-sts			IN	TXT	"v=spf1 redirect=bouncy.email"
 _acme-challenge.mta-sts	IN	NS	ns.yggdrasil.li.
+
+mta-sts			IN	HTTPS	1 . alpn="h2,h3"
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa
index b17e7f6e..507408e8 100644
--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2023013000 ; serial
+  2023013001 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -35,6 +35,8 @@ surtr                   IN      TXT     "v=spf1 redirect=yggdrasil.li"
 webdav                  IN      CNAME   surtr.yggdrasil.li.
 _acme-challenge.webdav	IN	NS	ns.yggdrasil.li.
 
+webdav			IN	HTTPS	1 . alpn="h2,h3"
+
 ymir                    IN      A       188.68.51.254
 ymir                    IN      AAAA    2a03:4000:6:d004::
 ymir                    IN      MX      0 ymir.yggdrasil.li
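Review bot: `webdav` already owns a CNAME on the context line above (`webdav IN CNAME surtr.yggdrasil.li.`), so the added `webdav IN HTTPS 1 . alpn="h2,h3"` places other data at a CNAME owner name, which RFC 1034 §3.6.2 forbids and which authoritative servers typically reject at load time as "CNAME and other data". Either drop this record and publish the HTTPS record at the CNAME target instead, or replace the CNAME with explicit A/AAAA records for `webdav` and keep the HTTPS record. As written, the serial bump in the first hunk would push a zone that may fail to load, taking the whole 141.li zone with it.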
diff --git a/hosts/surtr/dns/zones/li.synapse.soa b/hosts/surtr/dns/zones/li.synapse.soa
index e2d1fa22..564df7a3 100644
--- a/hosts/surtr/dns/zones/li.synapse.soa
+++ b/hosts/surtr/dns/zones/li.synapse.soa
@@ -1,7 +1,7 @@
 $ORIGIN synapse.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2023013000 ; serial
+  2023013002 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -23,10 +23,14 @@ $TTL 3600
 
 _matrix._tcp		IN	SRV	5 0 443 synapse.li.
 
+@			IN	HTTPS	1 . alpn="h2,h3"
+
 element                 IN      A       202.61.241.61
 element			IN	AAAA	2a03:4000:52:ada::
 _acme-challenge.element	IN	NS	ns.yggdrasil.li.
 
+element			IN	HTTPS	1 . alpn="h2,h3"
+
 turn			IN	CAA	128 issue "letsencrypt.org; validationmethods=dns-01"
 turn			IN	CAA	128 issue "sectigo.com; validationmethods=dns-01"
 turn			IN	CAA	128 iodef "mailto:caa@yggdrasil.li"
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index 25cad30b..62468570 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2023013000 ; serial
+  2023013001 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -59,12 +59,16 @@ etesync                 IN      MX      0 surtr.yggdrasil.li
 etesync                 IN      TXT     "v=spf1 redirect=surtr.yggdrasil.li"
 _acme-challenge.etesync	IN	NS	ns.yggdrasil.li.
 
+etesync			IN	HTTPS	1 . alpn="h2,h3"
+
 app.etesync             IN      A       202.61.241.61
 app.etesync             IN      AAAA    2a03:4000:52:ada::
 app.etesync             IN      MX      0 surtr.yggdrasil.li
 app.etesync             IN      TXT     "v=spf1 redirect=surtr.yggdrasil.li"
 _acme-challenge.app.etesync IN	NS	ns.yggdrasil.li.
 
+app.etesync		IN	HTTPS	1 . alpn="h2,h3"
+
 vidhar                  IN      AAAA    2a03:4000:52:ada:4:1::
 vidhar                  IN      MX      0 ymir.yggdrasil.li
 vidhar                  IN      TXT     "v=spf1 redirect=yggdrasil.li"
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 0e2a78eb..01c22ce5 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -716,6 +716,8 @@ in {
 
       virtualHosts = listToAttrs (map (domain: nameValuePair "spm.${domain}" {
         forceSSL = true;
+        kTLS = true;
+        http3 = true;
         sslCertificate = "/run/credentials/nginx.service/spm.${domain}.pem";
         sslCertificateKey = "/run/credentials/nginx.service/spm.${domain}.key.pem";
         extraConfig = ''
@@ -734,6 +736,8 @@ in {
         };
       }) spmDomains) // listToAttrs (map (domain: nameValuePair "mta-sts.${domain}" {
           forceSSL = true;
+          kTLS = true;
+          http3 = true;
           sslCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.pem";
           sslCertificateKey = "/run/credentials/nginx.service/mta-sts.${domain}.key.pem";
           sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.chain.pem";
diff --git a/hosts/surtr/etebase/default.nix b/hosts/surtr/etebase/default.nix
index ca6d84fe..3b0bd9d3 100644
--- a/hosts/surtr/etebase/default.nix
+++ b/hosts/surtr/etebase/default.nix
@@ -50,6 +50,8 @@
 
       virtualHosts = {
         "etesync.yggdrasil.li" = {
+          kTLS = true;
+          http3 = true;
           forceSSL = true;
           sslCertificate = "/run/credentials/nginx.service/etesync.yggdrasil.li.pem";
           sslCertificateKey = "/run/credentials/nginx.service/etesync.yggdrasil.li.key.pem";
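Review bot: Style: in this file `kTLS = true;` and `http3 = true;` are inserted before `forceSSL` (here and again in the second hunk for app.etesync.yggdrasil.li), whereas the email, webdav and matrix vhosts in the same commit put them immediately after `forceSSL`. Keeping one ordering across hosts makes the per-vhost TLS/transport settings easier to scan and diff later.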
@@ -81,6 +83,8 @@
         };
 
         "app.etesync.yggdrasil.li" = {
+          kTLS = true;
+          http3 = true;
           forceSSL = true;
           sslCertificate = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.pem";
           sslCertificateKey = "/run/credentials/nginx.service/app.etesync.yggdrasil.li.key.pem";
diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix
index 3d7f3ebf..6b516b00 100644
--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -7,7 +7,7 @@
   config = {
     services.nginx = {
       enable = true;
-      # package = pkgs.nginxQuic;
+      package = pkgs.nginxQuic;
       recommendedGzipSettings = true;
       recommendedProxySettings = true;
       recommendedTlsSettings = true;
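Review bot: The switch to `pkgs.nginxQuic` is uncommented without any note on why it is needed or what it changes; to my knowledge, at the time of this commit nginxQuic tracks nginx's pre-release QUIC branch built against a QUIC-capable TLS fork rather than the stock OpenSSL, so it has a different patch cadence than `pkgs.nginx`, and it is the dependency every `http3 = true` vhost in this commit relies on. Keep the line but state the reason next to it, e.g. `package = pkgs.nginxQuic; # required for http3 = true on the vhosts; QUIC branch with a different TLS backend than pkgs.nginx`. It is also worth confirming that `kTLS = true` on those vhosts actually takes effect with the TLS library this package is built against, since kernel TLS needs matching library support and silently degrades to userspace TLS otherwise.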
diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix
index c5a94996..f94935ee 100644
--- a/hosts/surtr/http/webdav/default.nix
+++ b/hosts/surtr/http/webdav/default.nix
@@ -36,6 +36,8 @@ in {
 
       virtualHosts."webdav.141.li" = {
         forceSSL = true;
+        kTLS = true;
+        http3 = true;
         sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
         sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
         sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 5b89e321..96cceb89 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -151,6 +151,8 @@ with lib;
         sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
         sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
         sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
+        kTLS = true;
+        http3 = true;
         listen = [
           { addr = "0.0.0.0"; port = 443; ssl = true; }
           { addr = "[::0]"; port = 443; ssl = true; }
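Review bot: This vhost overrides `listen` explicitly, so whether `http3 = true` yields a QUIC listener depends on the NixOS nginx module emitting one for each `ssl = true` entry in that list; confirm after rebuild that `nginx -T` shows a UDP/QUIC listen line for 443 (and for any 8448 entries that follow outside this hunk, which the UDP 8448 nftables rule in this commit suggests exist). If the module does not generate that for explicit listen lists, the `synapse.li` HTTPS record added in li.synapse.soa advertises h3 for a port that only speaks TCP. The listen list and the enclosing vhost continue past the end of the hunk.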
@@ -199,6 +201,8 @@ with lib;
 
       virtualHosts."element.synapse.li" = {
         forceSSL = true;
+        kTLS = true;
+        http3 = true;
         sslCertificate = "/run/credentials/nginx.service/element.synapse.li.pem";
         sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
         sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index 4993b6b7..ee72614f 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -171,6 +171,7 @@ table inet filter {
     udp dport 53 counter name dns-rx accept
 
     tcp dport {80, 443, 8448} counter name http-rx accept
+    udp dport {443, 8448} counter name http-rx accept
 
     tcp dport {3478, 5349} counter name stun-rx accept
     udp dport {3478, 5349} counter name stun-rx accept
@@ -215,7 +216,8 @@ table inet filter {
     meta protocol ip6 udp sport {51821, 51822} counter name wg-tx
     iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
 
-    tcp sport {80,443,8448} counter name http-tx accept
+    tcp sport {80, 443, 8448} counter name http-tx accept
+    udp sport {443, 8448} counter name http-tx accept
 
     tcp sport {3478, 5349} counter name stun-tx accept
     udp sport {3478, 5349} counter name stun-tx accept
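Review bot: The new UDP rules in both hunks reuse the `http-rx`/`http-tx` named counters, so TCP HTTP and QUIC traffic are folded into one number and a QUIC-specific anomaly (for example unsolicited UDP toward 443 or 8448) cannot be told apart from normal HTTP load in the counters. A dedicated counter pair keeps them distinguishable for monitoring, e.g. `udp dport {443, 8448} counter name quic-rx accept` and `udp sport {443, 8448} counter name quic-tx accept`. UDP 8448 should only be opened if the federation listener is actually configured for HTTP/3; the matrix vhost hunk in this commit enables `http3` but its listen list is cut off, so that cannot be confirmed from here. The whitespace change on the `tcp sport` set is cosmetic.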
-- 
cgit v1.2.3