commit a554c9417dc61515dba854e7fa9adc3f4b7d2af1
parent 738e987d8e52ff9d2818a5bc4b73e5d62296a4c0
Author: Katja (ctucx) <git@ctu.cx>
Date: Wed, 21 May 2025 14:01:16 +0200
parent 738e987d8e52ff9d2818a5bc4b73e5d62296a4c0
Author: Katja (ctucx) <git@ctu.cx>
Date: Wed, 21 May 2025 14:01:16 +0200
katja: add dns server and le-ssl with dns-challenge
9 files changed, 229 insertions(+), 5 deletions(-)
A
|
87
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/.sops.yaml b/.sops.yaml
@@ -21,3 +21,15 @@ creation_rules:
 - *huntii
 pgp:
 - *katja
+ - path_regex: secrets/morio\.yaml$
+ key_groups:
+ - age:
+ - *morio
+ pgp:
+ - *katja
+ - path_regex: secrets/novus\.yaml$
+ key_groups:
+ - age:
+ - *novus
+ pgp:
+ - *katja
diff --git a/config/nixos/modules/presets/katja/dnsServer.nix b/config/nixos/modules/presets/katja/dnsServer.nix
@@ -0,0 +1,87 @@
+{
+ inputs,
+ povSelf,
+ pkgs,
+ lib,
+ config,
+ hostConfig,
+ dnsNix,
+ ...
+}:
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath povSelf config;
+
+in
+{
+
+ options = {
+ enable = {
+ type = types.bool;
+ default = false;
+ };
+ isPrimary = {
+ type = types.bool;
+ default = config.networking.hostName == "morio";
+ };
+ };
+
+ config = lib.mkIf cfg.enable (let
+ allZones = with dnsNix.combinators; let
+ CAA = [ { issuerCritical = false; tag = "issue"; value = "letsencrypt.org"; } ];
+ NS = [ "morio.infra.zaphyra.eu." "novus.infra.zaphyra.eu." ];
+ SOA = {
+ nameServer = "morio.infra.zaphyra.eu.";
+ adminEmail = "dns@zaphyra.eu"; # Email address with a real `@`!
+ serial = 0;
+ };
+
+ in {
+ "zaphyra.eu" = {
+ inherit SOA NS CAA;
+
+ subdomains = {
+ "acme.infra".NS = [ "morio.infra.zaphyra.eu." "novus.infra.zaphyra.eu." ];
+ };
+ };
+ };
+
+ in {
+ sops.secrets.knotKeys = lib.mkIf cfg.isPrimary {
+ owner = "knot";
+ group = "knot";
+ };
+
+ dns = {
+ enable = true;
+ allZones = allZones;
+ };
+
+ modules.services = {
+ knot = {
+ enable = true;
+ primary = cfg.isPrimary;
+ keyFiles = lib.mkIf cfg.isPrimary [
+ config.sops.secrets.knotKeys.path
+ ];
+ zones = lib.mkIf cfg.isPrimary (
+ config.dns.zoneFiles
+ |> lib.mapAttrs (name: value: {
+ file = value;
+ journal-content = "all";
+ zonefile-sync = -1;
+ zonefile-load = "difference-no-serial";
+ })
+ );
+ };
+ knotACME = {
+ enable = cfg.isPrimary;
+ zone = "acme.infra.zaphyra.eu";
+ zones = lib.attrNames allZones;
+ nameServers = [ "morio.infra.zaphyra.eu." "novus.infra.zaphyra.eu." ];
+ keyFile = config.sops.secrets.knotKeys.path;
+ };
+ };
+ });
+
+}
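Review bot: `keyFile = config.sops.secrets.knotKeys.path;` in the knotACME block is unconditional, while `sops.secrets.knotKeys` is only declared under `lib.mkIf cfg.isPrimary` (and secrets/novus.yaml in this commit adds no knotKeys), so on a secondary the reference fails evaluation as soon as the knotACME module forces that option; guarding it the same way, `keyFile = lib.mkIf cfg.isPrimary config.sops.secrets.knotKeys.path;`, keeps it consistent with `enable = cfg.isPrimary` on the line above. The nameserver list `[ "morio.infra.zaphyra.eu." "novus.infra.zaphyra.eu." ]` is spelled out three times (the `NS` binding, the `acme.infra` delegation and `knotACME.nameServers`); binding it once and reusing `NS` means a future nameserver change cannot leave the apex NS set, the delegation and the ACME updater out of sync. Both options lack a `description`, and `isPrimary` hard-codes the primary's hostname; a line such as `description = "Whether this host is the zone primary: it holds the knot TSIG keys and runs the acme.infra update service.";` would record why the secret and the knotACME service follow this flag. `serial = 0` presumably relies on knot maintaining the serial itself under `zonefile-load = "difference-no-serial"`; a comment saying so would stop the next reader from treating it as a bug.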
diff --git a/config/nixos/modules/presets/katja/enable.nix b/config/nixos/modules/presets/katja/enable.nix @@ -1,3 +1,4 @@ + { povSelf, pkgs, @@ -19,6 +20,8 @@ in }; config = lib.mkIf cfg { + sops.secrets.acmeTSIGKey = {}; + users.users.root = { extraGroups = [ "ssh" ]; openssh.authorizedKeys.keys = [ @@ -26,7 +29,15 @@ in ]; }; + dns.zones."zaphyra.eu".subdomains."${config.networking.hostName}.infra" = lib.mkIf (hostConfig ? networking) (let + networkCfg = hostConfig.networking; + in { + AAAA = lib.mkIf ((networkCfg ? ip6Address) && !networkCfg.ip6IsPrivate) [ networkCfg.ip6Address ]; + A = lib.mkIf ((networkCfg ? ip4Address) && !networkCfg.ip4IsPrivate) [ networkCfg.ip4Address ]; + }); + modules = { + presets.katja = { syncthing.enable = lib.mkDefault true; }; @@ -43,6 +54,32 @@ in }; }; + security.acme = { + acceptTerms = true; + defaults = { + email = "letsencrypt@zaphyra.eu"; + keyType = "ec384"; + dnsProvider = "rfc2136"; + environmentFile = pkgs.writeText "acme-dns-env" '' + RFC2136_NAMESERVER=morio.infra.zaphyra.eu + RFC2136_TSIG_KEY=acme-nix-${config.networking.hostName} + RFC2136_TSIG_ALGORITHM=hmac-sha384 + ''; + credentialFiles = { + RFC2136_TSIG_SECRET_FILE = config.sops.secrets.acmeTSIGKey.path; + }; + }; + certs."${config.networking.fqdn}" = { + group = lib.mkIf config.services.nginx.enable "nginx"; + extraDomainNames = ( + config.services.nginx.virtualHosts + |> lib.mapAttrsToList (key: config: [ (if config ? serverAliases then config.serverAliases else []) key ]) + |> lib.flatten + ); + }; + }; + + environment.systemPackages = with pkgs; [ ghostty.terminfo ];
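Review bot: The `AAAA`/`A` conditions in the new `dns.zones` entry read `networkCfg.ip6IsPrivate` and `networkCfg.ip4IsPrivate` without an existence check, while the addresses next to them are guarded with `?`; unless hostConfig always defines those flags (not visible here), a host that sets `ip6Address` but omits `ip6IsPrivate` fails evaluation of the whole zone. If the flags are optional, `!(networkCfg.ip6IsPrivate or false)` matches the existing guard on the address; if they are mandatory in the host schema, a comment saying so would make the asymmetry intentional. As far as this commit shows, this entry is also the only source of A/AAAA records for `morio.infra` and `novus.infra`, which dnsServer.nix names as the zone's nameservers, so a comment stating that the nameservers depend on it would help whoever next edits the private-address handling.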
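Review bot: In `extraDomainNames`, the lambda parameter `config` in `(key: config: [ ... ])` shadows the module's `config` argument inside the lambda body, which is easy to misread in a block that also uses `config.networking.fqdn` and `config.services.nginx.enable` a few lines up; `|> lib.mapAttrsToList (key: vhost: [ (vhost.serverAliases or [ ]) key ])` avoids the shadowing and uses the idiomatic `or` for the presence check. Every `services.nginx.virtualHosts` attribute name becomes a SAN of the host certificate, so a vhost whose name is not a resolvable hostname, or one equal to `config.networking.fqdn` (which would then be listed twice), likely makes the single order fail for all names; if such vhosts exist, filtering them here is cheaper than debugging a failed renewal. The split between `environmentFile` (nameserver, key name and algorithm, which are not secret and land in the store via `pkgs.writeText`) and `credentialFiles` for the TSIG secret is the right one; a one-line comment above `environmentFile` saying the secret deliberately lives only in `credentialFiles` would keep someone from moving it into the store-backed file later. The enclosing `config = lib.mkIf cfg { ... }` attribute set starts before this hunk.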
diff --git a/hosts/huntii/default.nix b/hosts/huntii/default.nix @@ -3,7 +3,7 @@ system = "x86_64-linux"; nixpkgsStable = true; - domain = "infra.katja.wtf"; + domain = "infra.zaphyra.eu"; sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMX8q2ux3YdAFGLRfD8/fCEAEalqxsRQwkOSp6gYedFt";
diff --git a/hosts/morio/default.nix b/hosts/morio/default.nix @@ -45,9 +45,12 @@ presets = { base.enable = true; - katja.enable = true; - katja.syncthing.enable = false; netcup.enable = true; + katja = { + enable = true; + syncthing.enable = false; + dnsServer.enable = true; + }; }; users.katja.enable = true;
diff --git a/hosts/novus/default.nix b/hosts/novus/default.nix @@ -49,6 +49,7 @@ katja = { enable = true; syncthing.enable = false; + dnsServer.enable = true; }; };
diff --git a/secrets/huntii.yaml b/secrets/huntii.yaml @@ -1,3 +1,4 @@ +acmeTSIGKey: ENC[AES256_GCM,data:fB7CDRbheyldWpoCX47bozeA4baGS/bmhnsy1KqYzPplK92HMer7v6eZx1S3vsNjCd862FK9iLo3AlIdLu3Vew==,iv:/R+FjiAGfZgjebPv6bV3BoqHt/lAiAJjVNsyy2jBtpQ=,tag:W6vcwVfKpnRRIyWKNWHhHA==,type:str] syncthingCert: ENC[AES256_GCM,data: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,iv:8mxfqZ660MYkK9PUPk9xLqtaQzHbtg7IcmwOMRoheVk=,tag:oAwxflAm1NYTqZ7O9WIK8Q==,type:str] syncthingKey: ENC[AES256_GCM,data:JSu2c+Pq5TD1JF441OrZYOXX8hggGMtjKNsuOBBywk8DEtZwep3gVUTNpjNlvYc/HicsLTgPLt1ZND622ctmt8JcXdAGfSkj8kq1KqpkC6leyEDU57MODoSnFIPVPfqvPCQMYKYhCmbcceJE8Rw3tT9NEH8N0aPMRuTYDgsGmZ8zEDVzSuAcGlHN2EOttX9ohjXh2ApEmvuBbHENLLqasIlW38RvMCAUrmMI+cqRspWfaOoeb3uH23FGPSQLYwDQ8bKBm78elbKukC3t5sTurLday3koHctuKtUYpA2LQCWarAnI/+z/wZ5OKHqayMtzvoqJN0aERniaxOoSjkrTwLiJeZSqvof8a3lqw4XnXhsStTvK30kuVSxqQkHAFONz,iv:YVvzB6+bcnTCpaJvDa9G5mOwxnsZ0bMRGn7/mhyqZiY=,tag:S+i1RKmy/ASUN4dxOeJBuA==,type:str] sops: @@ -15,8 +16,8 @@ sops: TUtXbmR3YytXUERmUEJ6RkMxMmd0S0EKT6cYgH7eYLmyUDN/EpV845zzYlRonl3i qcDpc1SfZHh5xxnfLmY0p+WPQTi1OAMQLBVehz0+dEDCVGkgZpQLVA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-16T09:31:46Z" - mac: ENC[AES256_GCM,data:gHlGI+9ZEOZ5MqLNvkxak1iQKAXmm2Y+hVI1VbsDZckuJNFZy+t2BnrcLzBMlF2JzUJhSiORbtYchtgPynZ80njHVIsJGRMdmMZo6Kizu1ALrJtObaEAxQkFn5SXd0DYHbu1UiUm97e0i3JbgVN3MCkUzuFi8MEGWU9sU2v4704=,iv:UuYs+lVzKAJ2YmvKt4BqpDPUW8/UzOQGd5YdOxe/REU=,tag:NW9B30r4yvCKp93Gjx/0Uw==,type:str] + lastmodified: "2025-05-21T08:49:12Z" + mac: ENC[AES256_GCM,data:occMDesqaWRh0WObV46wwRQlVWpL91LD0Pzyz2/Pr4wyQNv0+34JzUzdG8iJ1jGHVdpq/wR9Mfq8V5ZWpE5AfhvVTlXXLF0vNlXUpgN+1XsSx2E1VgdKop+ZY38oo2vEWP99ZFndf3prvK98+YTLGtHX9CJKwk3uRfS+SD8eXH4=,iv:2ToQ+aL8qx1tRVKnpq8vfdaF8ulFlDUZrXKWCtFkjk8=,tag:/5g0oMv2MeVOv+8CPxGXwg==,type:str] pgp: - created_at: "2025-05-16T08:59:20Z" enc: |-
diff --git a/secrets/morio.yaml b/secrets/morio.yaml 
@@ -0,0 +1,42 @@ +acmeTSIGKey: ENC[AES256_GCM,data:XbTSbHisL5ZszYY4hvKplyWG98eK4DUeiSpA24Am/QPjEw8ofHWzU2WmV9hzj8Jd29Z0Yf0u/m5T/FESS2Gt9w==,iv:liySg99CmJ9RePJ84pD2+2mNsvZ4SbEXt3d58kDsHgI=,tag:zNwYe1ZfhFGmfP2s+OLj3Q==,type:str] +knotKeys: ENC[AES256_GCM,data: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,iv:+5NBUUC1QhPjN+6E8nWhzd2SNuH9mLbhsFwDTm8Hy+U=,tag:RtSO5Rmb0wNR9ovtpwJIIg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1wpffcr5p88a2x9dzx5v3sq4jqurvygu94fx773n229fqk4p95qzs840cmn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGTGl5ZDdUOGgrcThMRDBm + SnVmQWFRS2UxQncrQUFTazl2NDBSSDdkU2gwCllGVkVQU1gzdTRTcklrdnlKV0Uz + emcwMENwNk1JVlU1U2RZL0JrdEZxQjgKLS0tIGtYcXM1Z2dFZ2ZaekVGRzB0MDk1 + bDRhUEtDdmlZa0ZENFhSVnNqVjFCR1UKEIkSg3tKFkwlnNXFFqCBtdZBGz1bEmWl + wghkTtqTl++759zZAAmjdnFFQWs/AoCZ5g/GUidz6HHcFdxMpGVmiA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-05-21T10:53:45Z" + mac: ENC[AES256_GCM,data:N7NTYDFRqb57D/sxbTGvOI1HqAJ3GmGCzwq7+Yi6refzpi8Ch3hh/gs5aqWmGJN1kMCR7P1kijnnCgMzpKNZ4hZ9VWtIwGmzkfAOuA8D8tE1uCS1D2eYuaiStKWgpDj4m//6nqaiUO7KN7snKE4M68ZPlh5k430dhBLvBRpF7sY=,iv:OcCo/c4P8zcAZWWXdQecZbUr1eLUq8wBJaCoXDqU1Dc=,tag:AVAdT5bC6lOsyhJehJ1qYA==,type:str] + pgp: + - created_at: "2025-05-21T08:09:28Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzmqVs6bjEjqARAAhlMwKVosN58qCcDc2wDCKX2iCBCFN1uoARyBrJIfvb2N + C2fHVliFuNIfF/c3/RkVCJvqaC0ehGW6EUC6jbIIlBJyWcREGyGUIBb7dz4Ba8vV + IP9jOZL/Q2Qd4QF7AdS4HtENOArn3Voa8M440GxEjBXLmekWd32SBK5tXiGLpx2t + opfs6EDJGD83X+AI10ZXWfP5UEdKzX6Upuf2auew5EkrHc8IckO21IJr72rLrzcV + ES+H75sWt8MgX0NYuDiGygS8EkFsWl2iWOiKcnAOexRHoLPlJ+riwkvZO9cSNfqN + 7SN5boLLVnkLwsMjavNwXLKXUATh0Qlyr0fjwnvIlFOk8mfXHLusH0DE+2LkRTjo + fC9y5jd0o7+SuEBNDH6Boxu/f3CinX75/by+i2AqenDUAisd8Di3TubkntBwKZlD + 3mKAf6FNjewmh48i6mdvhfgvU5omh4J/AW5c+Gh/EUPG9gX48XVmgCr9E6Hw6g8E + dSmWzvEXmzWnc6DjJSVaRQg9WJeHHXsVsqLLL3/xu5editod7oqTf3PuUkcPoQT7 + 
En+TEhFCGoayTg6RcR7IrkBPplSRI/o9pZj8U9xKaQVPFfkvqz015vbVeQmo5Gnq + oPTW9CapC2hV8upS47SxpjGxZlDuthI45RynBxtLvG7yIakGDcTgU5/d5oX2yWrS + XAHai9/m5Nm/qMKpeqwXtvjD4pKAha+mSbYF0ETHRez4ltUdKMrJ2MkGFUPDlpiC + 1CMRbYLNnxIHKigxTKoekIRu9PImm3jFSP2eEonl+0rafKtRHYQEhMpXsG5h + =bxQ2 + -----END PGP MESSAGE----- + fp: 9D7CACD7039E5AD616FD25879F935DB630A167E7 + unencrypted_suffix: _unencrypted + version: 3.9.4
diff --git a/secrets/novus.yaml b/secrets/novus.yaml 
@@ -0,0 +1,41 @@ +acmeTSIGKey: ENC[AES256_GCM,data:a34wyBRoW3Mo6Mep66wi99xfuZLecCrDgpH4EFy4T8PpHYnhR/pLubXVzZpwouKrC+g0E+3hyBR6Bmc/1arKmQ==,iv:938iHOR2NwCjZEBQpjhnCEG11DcxtfeBLGmRh06LaRg=,tag:uhMkBrc9G7inEBg7ddWvZg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1tud4lvpmpx5nqceyp09ls9ej8l80zlh29d8cpjxcajfnnyy85fvqs63snm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzK1ZrRHErbW50MktvU0hX + aTFpdlI0cXNZcUQ4cFZFZlQxcmJYQmFWM3dnCjVKM1RuMDQ3eHo0cmt1eTNXa2FV + NTVVS1dRbkdNVXM2TEJwV0llVVgreFUKLS0tIC9mbmhvVDl5TDJKblNrS25FbnEw + N0dBZExjdWpSVDJmYlFmOHluZEJUWkUKhkWONhK0LiVhAY+pdemXOBHtBALV65ZP + EClQs/bns2HUF4E5Lc6mv8WvogFNhm/TLGYX/sOWSvAYExRNiHtssQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-05-21T10:30:19Z" + mac: ENC[AES256_GCM,data:V5M4wAn+CL1pJvWTC1sXIGorR3cFgIXrTKI40orO7FOqkisod6KB5ln5bVZ+OU61NzwdDUPqYXms8qlnwJzRVglAEqceCd7bnmiOPWPQWpLDZY602QPNW1UXkKfHM9BaLT84lnown8Gqt9JTAAo23ZyOtBjP9MUT3FvgRAvRMw0=,iv:lGgu4dJzjsw9g1vro34VSowD6+IXap+hDDE2uYbTaWs=,tag:fwSuJZSMVRTdqaDABWx3OA==,type:str] + pgp: + - created_at: "2025-05-21T10:26:58Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzmqVs6bjEjqAQ//f88FKbX18nljfjgd9ZrndwJSeBtV54MLdgJPWnSW/Dag + cz+U3PRcAjoARBq7tcEACouHwHKXyki1AkDxEyRhaY+GHzQWNMIwcm1VPya2fFAI + xX7KKn+wlhe/Hqyfl7xdGCgqoeEkhmpXnsZWjmDnB7QZKTx7yisiAqah7/yblLag + YidIO8BP0Nkuqfm9kWsKqEtfAvjdAGt8kvCfnzyGymIAVdQv+M2ae4NlGDNpMi+H + qy+dxjuDCGIie7VXTcA5tcyM/WhvAo8nHa5eOEeMglNzzgQwPaypkyCPH9IFx+MW + 4ny0H6OFdFRxlCTpgDtNxCJ4A42wYNnl75kzvy8RHZ/B001tQh+UPkfRnd2V89C8 + EyHIwSoxJ5XKz0a23/vybmnvqbDtK9hA8q05OlAF+t2H9X5GRrbrzREwC1rQ5CZk + 9eT9fiNHfgiKbJny7yK8zxp6++tOzMWI4q22uGvGjXwsnaq3Xbga97nRmTUukw2A + dCeA+5XWvAU8YDQU3E7cUmYCZy0PELVCwG6GwCpO6u8plGkJdVddCFj1I8FDmJGI + zqh/KNX8DzGC7OXkz8laNEON2oqxzeqD3Z3kRfcwO9OD1tGHFkQiGr/Xx2mUxA4p + YQ3m8iOpInyPJ1/jsSFFx8CTNhrMEh0Byx9wyAGr/2nPHPRByF/EShuStw4zt/vS + XgGOJ+1P3lddwIZ58gdiTLGEnbygAG8NV8B/lb8WBDCTy2lbXuy3AefM+8QHaPkX 
+ RHDWalT6yyvicKKJb8vSXEDA/hYGHGRxztqQJOFTPbu883NA4LCh1JpWm3DvAGA= + =G+8u + -----END PGP MESSAGE----- + fp: 9D7CACD7039E5AD616FD25879F935DB630A167E7 + unencrypted_suffix: _unencrypted + version: 3.9.4