From b9464416b97cf98d3d7d31fc00553cae0a84f0d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Wed, 14 Dec 2022 18:02:17 +0100 Subject: [PATCH 1/6] Add named on instance-20221213-1915 --- config/instance-20221213-1915.nix | 3 +- config/services/acme.nix | 4 + config/services/named-submissive.nix | 49 +++++++ config/services/named.nix | 29 ++++ secrets/nixos-8gb-fsn1-1.yaml | 10 +- zones/chir.rs.nix | 88 ++++++++--- zones/darkkirb.de.nix | 84 +++++++---- zones/int.chir.rs.nix | 14 +- zones/shitallover.me.nix | 209 +++++++++++++++++++++++++++ 9 files changed, 438 insertions(+), 52 deletions(-) create mode 100644 config/services/named-submissive.nix create mode 100644 zones/shitallover.me.nix diff --git a/config/instance-20221213-1915.nix b/config/instance-20221213-1915.nix index de1d78a8..2a320d19 100644 --- a/config/instance-20221213-1915.nix +++ b/config/instance-20221213-1915.nix @@ -13,6 +13,7 @@ ./systemd-boot.nix ./server.nix ./wireguard/public-server.nix + ./services/named-submissive.nix ]; boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"]; @@ -96,5 +97,5 @@ owner = "root"; path = "/etc/secrets/initrd/ssh_host_ed25519_key"; }; - sops.age.sshKeyPaths = lib.mkForce [ "/persist/ssh/ssh_host_ed25519_key" ]; + sops.age.sshKeyPaths = lib.mkForce ["/persist/ssh/ssh_host_ed25519_key"]; } diff --git a/config/services/acme.nix b/config/services/acme.nix index 725d57f6..7e8656bc 100644 --- a/config/services/acme.nix +++ b/config/services/acme.nix @@ -17,6 +17,10 @@ _: { certs."int.chir.rs" = { domain = "*.int.chir.rs"; }; + certs."shitallover.me" = { + domain = "*.shitallover.me"; + extraDomainNames = ["shitallover.me"]; + }; certs."miifox.net" = { dnsProvider = "cloudflare"; credentialsFile = "/run/secrets/security/acme/cloudflare"; diff --git a/config/services/named-submissive.nix b/config/services/named-submissive.nix new file mode 100644 index 00000000..a24283af --- /dev/null 
+++ b/config/services/named-submissive.nix @@ -0,0 +1,49 @@ +{ + pkgs, + config, + dns, + hosts-list, + ... +}: let + mkZone = name: { + master = false; + masters = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"]; + file = "/var/lib/named/${name}"; + }; +in { + services.bind = { + zones = { + "darkkirb.de" = mkZone "darkkirb.de"; + "_acme-challenge.darkkirb.de" = mkZone "_acme-challenge.darkkirb.de"; + "chir.rs" = mkZone "chir.rs"; + "_acme-challenge.chir.rs" = mkZone "_acme-challenge.chir.rs"; + "int.chir.rs" = mkZone ".intchir.rs"; + "_acme-challenge.int.chir.rs" = mkZone "_acme-challenge.int.chir.rs"; + "shitallover.me" = mkZone "shitallover.me"; + "_acme-challenge.shitallover.me" = mkZone "_acme-challenge.shitallover.me"; + }; + extraConfig = '' + statistics-channels { + ${toString listenEntries} + }; + include "/run/secrets/services/dns/named-keys"; + ''; + extraOptions = '' + allow-recursion { + 127.0.0.1; + ::1; + fc00::/7; + }; + recursion yes; + dnssec-validation yes; + ''; + }; + networking.firewall.allowedTCPPorts = [53]; + networking.firewall.allowedUDPPorts = [53]; + services.prometheus.exporters.bind = { + enable = true; + bindGroups = ["server" "view" "tasks"]; + bindURI = "http://${internalIP.listenIP}:8653/"; + listenAddress = internalIP.listenIP; + }; +} diff --git a/config/services/named.nix b/config/services/named.nix index e337e057..bfe57d8a 100644 --- a/config/services/named.nix +++ b/config/services/named.nix @@ -13,6 +13,7 @@ int-chir-rs = import ../../zones/int.chir.rs.nix {inherit dns;}; rpz-int-chir-rs = import ../../zones/rpz.int.chir.rs.nix {inherit pkgs hosts-list;}; signzone = import ../../zones/signzone.nix; + shitallover-me = import ../../zones/shitallover.me.nix {inherit dns;}; in { imports = [ (signzone { 
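Review bot: The `int.chir.rs` entry in `services.bind.zones` is built from a mistyped name, `"int.chir.rs" = mkZone ".intchir.rs";`, so on the secondary that zone's file becomes `/var/lib/named/.intchir.rs` instead of following the zone-name convention every other entry uses; it should read `"int.chir.rs" = mkZone "int.chir.rs";`. Separately, `mkZone` only sets `masters`, and the transfers from `fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49` are not bound to any TSIG key even though `named-keys` is included in `extraConfig`; if the NixOS module does not already emit an `allow-transfer` for slave zones, consider adding `allow-transfer { none; };` through the zone's `extraConfig` and referencing a key on the master address. Whether the master's address is reachable only over the tunnel is not visible in this file, so treat the key binding as defence in depth.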
@@ -36,6 +37,13 @@ in { zone = darkkirb-de; zonename = "darkkirb.de"; }) + (signzone { + inherit dns; + ksk = "services/dns/me/shitallover/30477"; + zsk = "services/dns/me/shitallover/38310"; + zone = shitallover-me; + zonename = "shitallover.me"; + }) ]; services.bind = { @@ -44,6 +52,7 @@ in { "darkkirb.de" = { master = true; file = "/var/lib/named/darkkirb.de"; + slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"]; }; "_acme-challenge.darkkirb.de" = { master = true; @@ -53,10 +62,12 @@ in { grant certbot. name _acme-challenge.darkkirb.de. txt; }; ''; + slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"]; }; "chir.rs" = { master = true; file = "/var/lib/named/chir.rs"; + slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"]; }; "_acme-challenge.chir.rs" = { master = true; @@ -66,10 +77,12 @@ in { grant certbot. name _acme-challenge.chir.rs. txt; }; ''; + slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"]; }; "int.chir.rs" = { master = true; file = "/var/lib/named/int.chir.rs"; + slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"]; }; "_acme-challenge.int.chir.rs" = { master = true; @@ -79,6 +92,22 @@ in { grant certbot. name _acme-challenge.int.chir.rs. txt; }; ''; + slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"]; + }; + "shitallover.me" = { + master = true; + file = "/var/lib/named/shitallover.me"; + slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"]; + }; + "_acme-challenge.shitallover.me" = { + master = true; + file = "/var/lib/named/_acme-challenge.shitallover.me"; + extraConfig = '' + update-policy { + grant certbot. name _acme-challenge.shitallover.me. txt; + }; + ''; + slaves = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"]; }; #"rpz.int.chir.rs" = { # master = true; diff --git a/secrets/nixos-8gb-fsn1-1.yaml b/secrets/nixos-8gb-fsn1-1.yaml index 300d4777..14d5e86d 100644 --- a/secrets/nixos-8gb-fsn1-1.yaml +++ b/secrets/nixos-8gb-fsn1-1.yaml 
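Review bot: Each master zone now lists the one secondary in `slaves`, but the NS records published in the zone files resolve to public addresses while `slaves` here and `masters` on the secondary use the WireGuard ULA `fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49`; if BIND sends its NOTIFYs to the NS hosts' public addresses, the secondary may refuse them because that source is not in its `masters`. Should that be the case, an `also-notify { fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49; };` in each zone's `extraConfig` (or `allow-notify` on the secondary) makes the replication path deterministic. The same address literal is repeated eight times in this file; hoisting it into a `let` binding such as `secondaries = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];` keeps a future address change to one edit. The enclosing `services.bind.zones` set continues past the hunk.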
@@ -50,6 +50,12 @@ services: 53136.private: ENC[AES256_GCM,data:q4v6yDRuB4TVqcfGX1dhmrGXYM/c1Enzv63oFfLX9xkl7NL61T/eABXLCsHivgSahBvFFlpIdDL86FgOKRIaFeWHiRC05NS2esRKKmxOhU1acP1JK3QrPfa3+c7JUs6CLtADSQXrwfo2MOD31JVYn4CWGW5QFWZLgbpxl6PJXxRcv0O/bllZpmrFGp6NhPy6iNOnivVzOqBlUQdwArk0di5Da1QU1N52aBBkCuoIoWq1zcSAg4y7GKff1Q==,iv:pDw7pU6gEF8NYhsB/NN7Iutc8EaUmXzh7TU+ZG4+qmo=,tag:A6zS/evnWiNQtLDyxurR8g==,type:str] 61825.key: ENC[AES256_GCM,data:gMEdUk7rU8Uw3TBekE6E3CbZGFJYzMLQ3acmMQ3MldL/czh/oA5Tqaj9vN7P1jZCHMBulUG0VR+g1RdSNodB/kpTzSXVwgiI5sOh5LU1S6hQXCK8TaHIQa0w6DWFS4Wq+K20/FEoqOl7QFH+RnaREMuskLe8Y4kuZWcaFobXpIeW/qksPiyXNWx0V8VhnciYGe9yIo3TYqzCtFrkx0u318bYfz8ytRq/c51MFdlQl8xaDX4UnJkjnZnzX6AeHtM1hIfmOwg/Hc5VzSu+0llCi3wfy/9/pBgnN1MhXFbMWnIuah6VwSpKKAboK/pIRAnkrKz8HPU4enGFUqoQZCctfWJjmbaBtLCfCZo4fMDaTVFMyKMSiQocTvjRZ6n2AAT0o6WrsaIwZMUU4/NIvK4nWk92RUnOcyTXM20ePl2kaKrtpOCWr30RbIasd3R3Cwd4+v/kqnl5,iv:CA8KtC+G4LMPEjbFswzEXHjoeGpj+x8vrT9xVD6zBeU=,tag:W6Brvu5lPnFnaCttXcCpww==,type:str] 61825.private: ENC[AES256_GCM,data:MbhA2vMsEJYb0LmPKMi5N8FiTH8Ady2Ipeotqc0SjEKKYbXdbKNPxwkmm9Juyea6DPrIx/Y/evCbAKTdBLadq363Kv4St3dR8O4DA+zjmaG/P1wZZ/4tnkCfNVGPpJDp5NMQPW8fjFNxrITe+hTDI1K2q8Z8sIw2DE81PiivFM7P5BsG6o40lkaLLla6htP8lzY1jWgBpuC6yIYeX56H5Z1oALGns9YuFbgHSAXnpFg7EoSs9epuUfs2Iw==,iv:GIwdFzZmfNsjrgaNRjPF3UioJDpSjH542KP3c80ldEs=,tag:9JV5YgQM/SR+cCdJYX7Jhg==,type:str] + me: + shitallover: + 30477.key: ENC[AES256_GCM,data:l/CUl5t1hPDHwkJRBFSkKT18a519t7Zd05TpbM6AaQfjj9NnjAYvIYMS1a4mxQBjYJfPzav/WH2WY3BYFbv5UMcEMTRpFmhKRvE15TGOCwijcXaQzJCYR75X0bMhMe+gYv/iGSpNl7682jZHSxwRZLhaxAJk5Y+js75lTRWouASdinfFqf3cwOtuQ3EBWEjpbILJNr3qeLteUcAAccNtLOMKNK9Of/O570iRsrV6a3MMDRxwEuCzLPJHOT5+vOzrc4PAPqmPhlql8CTuQohJVpkY17B0jHluB99Ldnm3LiR6IGp+MwA9Kr0Z4a8kquLwvIg3Byjs2txH9tNTfi7GdPQmWVRZumQn8hth413BcOv8fq+ltYNU9lHqxRPcJ/WKxCR5+i/Wn857ovLwVaA9,iv:4e/QbNL6UybYr/EcH7YT2kYDdV5BmxibTdiO6l4+ntA=,tag:1MX8q5pBeABAANilrhB/Dw==,type:str] + 30477.private: 
ENC[AES256_GCM,data:djkzBTI2ndbdTeEehAeGXbMfId/38+dsIuGcCG2QcS238hRy1YFwLdcZ62vs9OH8a2+gjficGJv3KvzNMg6WD3dPN9NAZCw0DfNxHao1NYY1J3Anov1FxLFDkhUWW7+hqZ7jEDQToitttOjfXyqp9vzDDPUhCJeyhDAr57M4LXzxI5JwRaoNFPLSQgEnbTaTHYswcZ0IguFewgCVgi1Bm+OU5fq9JUz7SJ8C5dHNrqAgMV0=,iv:ZNXQky1/wBrMBG4v3cnI5CqDK452/wtd+ETlqBQfQHo=,tag:so4eI+YGFynneewbPQIVjA==,type:str] + 38310.key: ENC[AES256_GCM,data:KdyKXaKHN11ykfM8x2A8sJfLWMc6WqF8/RhmNdTb4KRoaKQ8hRNz2qmOSrngChE2BbRRepxRLsyOyHN7ubroXAj6HQIhTq/div8AHFvOdxoexEXmXKCDEbjwR52wPbwIb7i9zaGSNUCgKSqyOt/awqoeAUHBOtIzSn5G8iNnwAB8IZjm43sfgmSSB4aSMWbeaslPoE83R23zQE/2fpcwyE2VoOarLThGtj1t02acaSAuIgGg24K5nRZfRKiAXP1qkMguT7ky/xZHglmtlzuXGEqbfIIce7criaodXJxBth2WejXmx8QWOCJuUEDGbofC/FQrLMrFXThY9FKLD0KeOD0cwBvfjhw03Qu7NHhvqpxMCewE5La//1F1GrKxuIIHeEiB1qQjh5Ca3v01c6g=,iv:XgeknLHlEjXa7YX0FvcSRZKXGu1kAIQfmYVXWMJC0gc=,tag:Hpp3CGKKwrdI+KgHrIn0qQ==,type:str] + 38310.private: ENC[AES256_GCM,data:oztry2i/lpARTUg7dXAYNP4dNg9HN24rtBQnCA956yLnn36uS8aadOQ6matrZV5UOSuvPej1KsRoHPGc2m00yI55eJEYVke0MGxyMSL1EQR/vJQ4B/e+PfrspcLuNM3FaFU/gJfCGfnaaPPnqs4xCydOWl23Nn4aTbPPmnbLHsiY/O+V6mORHah9aWM+Nw4RL/A3aDTSOychj1f0oozvUfhvR2sB1uR/DAVwVmWiu5zv0pA=,iv:/WhcX0VLmANjoVwM/3Y1Fb/2Cwt1ltTeIXQ70EjvOy0=,tag:hJsg8DSEaQZb35o6Xekymg==,type:str] rs: chir: 32969.key: ENC[AES256_GCM,data:OE56/Q9eFh1sKSAAkeEcr6J+jtkfWa1jwYrvEXHBEThuSxFgmbfFeia4ZNQ4ZeotMOFx0BYcxGhPCCSlIpXQA0CFWV2c5WyzRxgVyrVkRiFfiy7jXfP4hPrE9pw8xFPX2W573MCroMhhXIHzbvKDHkdVJQ7M7dnfi46OGWe121kar5kmLneMvgtNRFVCcrL6fcQSR6sTibr8gVlKj6sneto9Dm+WRasjpo207swsSgjabdJoxmBUvvHFJBmAIaIaVPYqPIM20FGujqjywSMEzq+fLGhL+xsjYe44IR7Lag4Ui+kCll/X6LryFAIXBrp7os4wglqXfbkahST4x8FzNnHIJQocxKxbQa4zrmeQvKZml20DtBZZJvj+cAkEHsYG5uL6pJVxtWUtKPRQpUteSnME2bNkL3up62BYQ/zUXz6ptrma2iCMm3pZG/06,iv:aE7F5Zzk0/GOj/Vs1hajs5QxpTjnAvI/f7yJaMhN7/c=,tag:p/ROFt050dMG/r/kB939og==,type:str] 
@@ -82,8 +88,8 @@ sops: N1lNTTRhSDFsczd4VjNudUU2NEt4MUEKdVJIJmaoGcwUHa0BGB45jqYnm9aPVZxP dl1vkMx8EAiKhWKbBwQm5fFZcNh371rspGE7KOXmwNbNWef5bVfHpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-07T10:10:35Z" - mac: ENC[AES256_GCM,data:UiENOfBCIQ3XZbhuQDumNH8TCm1iYQl75AIM0Hk7gsduH62J66914joXfX3D0qdmGaO9V9RoU+YZySTe0bJJXTsbQBV1ZMFfQFWMfDZCWprSYY0w+VA3aeFicrXOkJrvkDL0RklkNZRthiVvA/K0jIcOc9a3KhQ4AYg4NvpuK4o=,iv:D992NSKogA/St7mJXKKVi5fxcjyW+n2lqbgim54ABQI=,tag:jEH6qPDA/C79XSQ5AkWVuw==,type:str] + lastmodified: "2022-12-14T16:46:00Z" + mac: ENC[AES256_GCM,data:SZUAvmTDVMfzCU8j9FS4zGIHUpwyHFYC2ybPrgiISOO4ka1LAR+8FgsY9SAkI0to6BV/Ha6sf8GyTYzJhtwnhDiTzsd0nmi+ZRJHVb7wZfvUEsKr69XoYhjx4cO3hhCIhBgminxqctSnx4wtR4mxtoisTImm6hxbZOW4FL3Tbu4=,iv:5Qo/fYBph6pbhNTS44ibuyMbli4ojMeGQkQVdtMveRo=,tag:w4xzhjFXiuJT9Jw0ELUXTg==,type:str] pgp: - created_at: "2022-02-02T17:50:42Z" enc: | diff --git a/zones/chir.rs.nix b/zones/chir.rs.nix index da9576d0..16641bff 100644 --- a/zones/chir.rs.nix +++ b/zones/chir.rs.nix 
@@ -11,6 +11,50 @@ with dns.lib.combinators; let then {subdomains = a.subdomains // b.subdomains;} else {} ); + oracleBase = { + A = [ + (ttl zoneTTL (a "130.162.60.127")) + ]; + AAAA = [ + (ttl zoneTTL (aaa "2603:c020:8009:f100:f09a:894d:ef57:a278")) + ]; + SSHFP = [ + { + algorithm = "rsa"; + mode = "sha1"; + fingerprint = "b44a837703b22d8cbc2ca4e7019af4bcb0185348"; + ttl = zoneTTL; + } + { + algorithm = "rsa"; + mode = "sha256"; + fingerprint = "8f276ce01188fdd2bbf2aaa03d477c58c911a6c1f9bee3f8ab35ca4b42aa19a9"; + ttl = zoneTTL; + } + { + algorithm = "ed25519"; + mode = "sha1"; + fingerprint = "8dfd784c5f239822b086dc4fa7c058f260331e5d"; + ttl = zoneTTL; + } + { + algorithm = "ed25519"; + mode = "sha256"; + fingerprint = "82d51bd3ab43af3b94801c6b68812c4f1db013ac5b53a466fbcdbb955de6d3e5"; + ttl = zoneTTL; + } + ]; + HTTPS = [ + { + svcPriority = 1; + targetName = "."; + alpn = ["http/1.1" "h2" "h3"]; + ipv4hint = ["130.162.60.127"]; + ipv6hint = ["2603:c020:8009:f100:f09a:894d:ef57:a278"]; + ttl = zoneTTL; + } + ]; + }; zoneBase = { A = [ (ttl zoneTTL (a "138.201.155.128")) @@ -44,28 +88,6 @@ with dns.lib.combinators; let ttl = zoneTTL; } ]; - /* - subdomains = { - _tcp.subdomains."*".TLSA = [ - { - certUsage = "dane-ee"; - selector = "spki"; - match = "sha256"; - certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f"; - ttl = zoneTTL; - } - ]; - _udp.subdomains."*".TLSA = [ - { - certUsage = "dane-ee"; - selector = "spki"; - match = "sha256"; - certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f"; - ttl = zoneTTL; - } - ]; - }; - */ HTTPS = [ { svcPriority = 1; 
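Review bot: `oracleBase` is introduced verbatim here and again in `zones/darkkirb.de.nix` and `zones/shitallover.me.nix`, so the Oracle host's addresses, four SSHFP fingerprints and HTTPS hints now exist in three copies that must be edited in lockstep; a host-key rotation that touches one file leaves stale SSHFP data published in the other zones. Moving `oracleBase` (and the equally duplicated `zoneBase`) into one shared expression that each zone file imports keeps the published fingerprints consistent. A short comment above the binding, `# records for the Oracle-hosted secondary; keep SSHFP in sync with the host's keys`, would also help whoever maintains it. The `let` block continues past the hunk.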
@@ -102,11 +124,17 @@ with dns.lib.combinators; let SOA = { nameServer = "ns1.chir.rs."; adminEmail = "lotte@chir.rs"; - serial = 21; + serial = 22; }; NS = [ "ns1.chir.rs." "ns2.chir.rs." + "ns3.chir.rs." + "ns4.chir.rs." + "ns1.darkkirb.de." + "ns2.darkkirb.de." + "ns1.shitallover.me." + "ns2.shitallover.me." ]; MX = [ (ttl zoneTTL (mx.mx 10 "mail.chir.rs.")) @@ -179,6 +207,8 @@ with dns.lib.combinators; let mc = createZone {}; ns1 = createZone {}; ns2 = createZone {}; + ns3 = createZone oracleBase; + ns4 = createZone oracleBase; hydra = createZone {}; mastodon = createZone {}; mastodon-assets.CNAME = [ @@ -198,6 +228,12 @@ with dns.lib.combinators; let delegateTo [ "ns1.chir.rs." "ns2.chir.rs." + "ns3.chir.rs." + "ns4.chir.rs." + "ns1.darkkirb.de." + "ns2.darkkirb.de." + "ns1.shitallover.me." + "ns2.shitallover.me." ] // { DS = [ @@ -212,6 +248,12 @@ with dns.lib.combinators; let _acme-challenge = delegateTo [ "ns1.chir.rs." "ns2.chir.rs." + "ns3.chir.rs." + "ns4.chir.rs." + "ns1.darkkirb.de." + "ns2.darkkirb.de." + "ns1.shitallover.me." + "ns2.shitallover.me." ]; }; }; diff --git a/zones/darkkirb.de.nix b/zones/darkkirb.de.nix index f869b971..a1fc3ee7 100644 --- a/zones/darkkirb.de.nix +++ b/zones/darkkirb.de.nix 
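Review bot: The apex `NS` set now carries eight names, but within this series `ns1`/`ns2.chir.rs`, `ns1.darkkirb.de` and `ns1.shitallover.me` are all `createZone {}` (the `zoneBase` host) and `ns3`/`ns4.chir.rs`, `ns2.darkkirb.de` and `ns2.shitallover.me` are all `createZone oracleBase`, so as far as these files show the delegation still resolves to two hosts. That is not a defect, but a comment above `NS = [` such as `# eight names, two hosts: zoneBase and oracleBase` stops a reader taking the list for eight independent servers. The identical list is repeated in the `delegateTo` calls below and in the other zone files; a shared `nameServers` binding would keep them aligned when one changes.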
@@ -11,6 +11,50 @@ with dns.lib.combinators; let then {subdomains = a.subdomains // b.subdomains;} else {} ); + oracleBase = { + A = [ + (ttl zoneTTL (a "130.162.60.127")) + ]; + AAAA = [ + (ttl zoneTTL (aaa "2603:c020:8009:f100:f09a:894d:ef57:a278")) + ]; + SSHFP = [ + { + algorithm = "rsa"; + mode = "sha1"; + fingerprint = "b44a837703b22d8cbc2ca4e7019af4bcb0185348"; + ttl = zoneTTL; + } + { + algorithm = "rsa"; + mode = "sha256"; + fingerprint = "8f276ce01188fdd2bbf2aaa03d477c58c911a6c1f9bee3f8ab35ca4b42aa19a9"; + ttl = zoneTTL; + } + { + algorithm = "ed25519"; + mode = "sha1"; + fingerprint = "8dfd784c5f239822b086dc4fa7c058f260331e5d"; + ttl = zoneTTL; + } + { + algorithm = "ed25519"; + mode = "sha256"; + fingerprint = "82d51bd3ab43af3b94801c6b68812c4f1db013ac5b53a466fbcdbb955de6d3e5"; + ttl = zoneTTL; + } + ]; + HTTPS = [ + { + svcPriority = 1; + targetName = "."; + alpn = ["http/1.1" "h2" "h3"]; + ipv4hint = ["130.162.60.127"]; + ipv6hint = ["2603:c020:8009:f100:f09a:894d:ef57:a278"]; + ttl = zoneTTL; + } + ]; + }; zoneBase = { A = [ (ttl zoneTTL (a "138.201.155.128")) @@ -44,28 +88,6 @@ with dns.lib.combinators; let ttl = zoneTTL; } ]; - /* - subdomains = { - _tcp.subdomains."*".TLSA = [ - { - certUsage = "dane-ee"; - selector = "spki"; - match = "sha256"; - certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f"; - ttl = zoneTTL; - } - ]; - _udp.subdomains."*".TLSA = [ - { - certUsage = "dane-ee"; - selector = "spki"; - match = "sha256"; - certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f"; - ttl = zoneTTL; - } - ]; - }; - */ HTTPS = [ { svcPriority = 1; 
@@ -100,13 +122,19 @@ with dns.lib.combinators; let createZone = merge zoneBase; zone = createZone { SOA = { - nameServer = "ns1.chir.rs."; + nameServer = "ns1.darkkirb.de."; adminEmail = "lotte@chir.rs"; - serial = 2; + serial = 3; }; NS = [ "ns1.chir.rs." "ns2.chir.rs." + "ns3.chir.rs." + "ns4.chir.rs." + "ns1.darkkirb.de." + "ns2.darkkirb.de." + "ns1.shitallover.me." + "ns2.shitallover.me." ]; MX = [ (ttl zoneTTL (mx.mx 10 "mail.chir.rs.")) @@ -179,11 +207,17 @@ with dns.lib.combinators; let _acme-challenge = delegateTo [ "ns1.chir.rs." "ns2.chir.rs." + "ns3.chir.rs." + "ns4.chir.rs." + "ns1.darkkirb.de." + "ns2.darkkirb.de." + "ns1.shitallover.me." + "ns2.shitallover.me." ]; www = createZone {}; static = createZone {}; ns1 = createZone {}; - ns2 = createZone {}; + ns2 = createZone oracleBase; }; }; in diff --git a/zones/int.chir.rs.nix b/zones/int.chir.rs.nix index cfd67b25..a3006d93 100644 --- a/zones/int.chir.rs.nix +++ b/zones/int.chir.rs.nix @@ -15,11 +15,17 @@ in { SOA = { nameServer = "ns1.chir.rs."; adminEmail = "lotte@chir.rs"; - serial = 18; + serial = 19; }; NS = [ "ns1.chir.rs." "ns2.chir.rs." + "ns3.chir.rs." + "ns4.chir.rs." + "ns1.darkkirb.de." + "ns2.darkkirb.de." + "ns1.shitallover.me." + "ns2.shitallover.me." ]; DNSKEY = [ { @@ -268,6 +274,12 @@ in { _acme-challenge = delegateTo [ "ns1.chir.rs." "ns2.chir.rs." + "ns3.chir.rs." + "ns4.chir.rs." + "ns1.darkkirb.de." + "ns2.darkkirb.de." + "ns1.shitallover.me." + "ns2.shitallover.me." ]; }; } diff --git a/zones/shitallover.me.nix b/zones/shitallover.me.nix new file mode 100644 index 00000000..234fac70 --- /dev/null +++ b/zones/shitallover.me.nix 
@@ -0,0 +1,209 @@ +{ + dns ? (import (builtins.fetchTarball "https://github.com/DarkKirb/dns.nix/archive/master.zip")).outputs, + zoneTTL ? 3600, +}: +with dns.lib.combinators; let + inherit (builtins) hasAttr; + merge = a: b: + (a // b) + // ( + if ((hasAttr "subdomains" a) && (hasAttr "subdomains" b)) + then {subdomains = a.subdomains // b.subdomains;} + else {} + ); + oracleBase = { + A = [ + (ttl zoneTTL (a "130.162.60.127")) + ]; + AAAA = [ + (ttl zoneTTL (aaa "2603:c020:8009:f100:f09a:894d:ef57:a278")) + ]; + SSHFP = [ + { + algorithm = "rsa"; + mode = "sha1"; + fingerprint = "b44a837703b22d8cbc2ca4e7019af4bcb0185348"; + ttl = zoneTTL; + } + { + algorithm = "rsa"; + mode = "sha256"; + fingerprint = "8f276ce01188fdd2bbf2aaa03d477c58c911a6c1f9bee3f8ab35ca4b42aa19a9"; + ttl = zoneTTL; + } + { + algorithm = "ed25519"; + mode = "sha1"; + fingerprint = "8dfd784c5f239822b086dc4fa7c058f260331e5d"; + ttl = zoneTTL; + } + { + algorithm = "ed25519"; + mode = "sha256"; + fingerprint = "82d51bd3ab43af3b94801c6b68812c4f1db013ac5b53a466fbcdbb955de6d3e5"; + ttl = zoneTTL; + } + ]; + HTTPS = [ + { + svcPriority = 1; + targetName = "."; + alpn = ["http/1.1" "h2" "h3"]; + ipv4hint = ["130.162.60.127"]; + ipv6hint = ["2603:c020:8009:f100:f09a:894d:ef57:a278"]; + ttl = zoneTTL; + } + ]; + }; + zoneBase = { + A = [ + (ttl zoneTTL (a "138.201.155.128")) + ]; + AAAA = [ + (ttl zoneTTL (aaaa "2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49")) + ]; + SSHFP = [ + { + algorithm = "rsa"; + mode = "sha1"; + fingerprint = "97b910c37194cd98e7edca2d68104f4531721c22"; + ttl = zoneTTL; + } + { + algorithm = "rsa"; + mode = "sha256"; + fingerprint = "7915470f9275116889d5ca1fdbea20416d8372636c3d63653b272308608cf70f"; + ttl = zoneTTL; + } + { + algorithm = "ed25519"; + mode = "sha1"; + fingerprint = "1aff467e745a8d68ba032dd3d54597e10d31ccf8"; + ttl = zoneTTL; + } + { + algorithm = "ed25519"; + mode = "sha256"; + fingerprint = "e6dcdb73dc381ee2b354528cdaf8552364e75c34316d7e0c9819801daea5c951"; + ttl = 
zoneTTL; + } + ]; + HTTPS = [ + { + svcPriority = 1; + targetName = "."; + alpn = ["http/1.1" "h2" "h3"]; + ipv4hint = ["138.201.155.128"]; + ipv6hint = ["2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49"]; + ttl = zoneTTL; + } + ]; + CAA = [ + { + issuerCritical = false; + tag = "issue"; + value = "letsencrypt.org"; + ttl = zoneTTL; + } + { + issuerCritical = false; + tag = "issuewild"; + value = "letsencrypt.org"; + ttl = zoneTTL; + } + { + issuerCritical = false; + tag = "iodef"; + value = "mailto:lotte@chir.rs"; + ttl = zoneTTL; + } + ]; + }; + createZone = merge zoneBase; + zone = createZone { + SOA = { + nameServer = "ns1.shitallover.me."; + adminEmail = "lotte@chir.rs"; + serial = 1; + }; + NS = [ + "ns1.chir.rs." + "ns2.chir.rs." + "ns3.chir.rs." + "ns4.chir.rs." + "ns1.darkkirb.de." + "ns2.darkkirb.de." + "ns1.shitallover.me." + "ns2.shitallover.me." + ]; + MX = [ + (ttl zoneTTL (mx.mx 10 "mail.chir.rs.")) + ]; + SRV = [ + { + service = "submission"; + proto = "tcp"; + port = 587; + target = "mail.chir.rs."; + } + { + service = "imap"; + proto = "tcp"; + port = 143; + target = "mail.chir.rs."; + } + { + service = "imaps"; + proto = "tcp"; + port = 993; + target = "mail.chir.rs."; + } + { + service = "pop3"; + proto = "tcp"; + port = 110; + target = "mail.chir.rs."; + } + { + service = "pop3s"; + proto = "tcp"; + port = 995; + target = "mail.chir.rs."; + } + ]; + TXT = [ + (ttl zoneTTL (txt "v=spf1 ip4:138.201.155.128 ip6:2a01:4f8:1c17:d953/64 -all")) + (ttl zoneTTL (txt "google-site-verification=f2XWRDvD4F99pM7ux7sMtVJ9ZGtjKRLI_rfcO2IWIMI")) + ]; + DNSKEY = [ + { + flags.zoneSigningKey = true; + flags.secureEntryPoint = true; + algorithm = "ecdsap256sha256"; + publicKey = "FZklP7KowbXVjfkT5ndAE60QFvaKoghhLY2TavukRBGFA8pyGm+ce9QHekbrjE14q8sb5x0uXl4VdyDIUNZ3XQ=="; + ttl = zoneTTL; + } + { + flags.zoneSigningKey = true; + algorithm = "ecdsap256sha256"; + publicKey = "WH9JM7Qvi2Hz3bCp7O5/WFLNdKUA/2aUkQqByfhaItfqoAm+hw6x4Qj8+umu5EDyo2A/HD/h9b/eO3zVq6pebw=="; + } + ]; + 
subdomains = { + _acme-challenge = delegateTo [ + "ns1.chir.rs." + "ns2.chir.rs." + "ns3.chir.rs." + "ns4.chir.rs." + "ns1.darkkirb.de." + "ns2.darkkirb.de." + "ns1.shitallover.me." + "ns2.shitallover.me." + ]; + www = createZone {}; + ns1 = createZone {}; + ns2 = createZone oracleBase; + }; + }; +in + zone From 3edce141990c66e1a15a5ff328f71206dbb8df66 Mon Sep 17 00:00:00 2001 From: Charlotte Date: Wed, 14 Dec 2022 18:13:01 +0100 Subject: [PATCH 2/6] Update zones/chir.rs.nix --- zones/chir.rs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zones/chir.rs.nix b/zones/chir.rs.nix index 16641bff..8ca33327 100644 --- a/zones/chir.rs.nix +++ b/zones/chir.rs.nix @@ -16,7 +16,7 @@ with dns.lib.combinators; let (ttl zoneTTL (a "130.162.60.127")) ]; AAAA = [ - (ttl zoneTTL (aaa "2603:c020:8009:f100:f09a:894d:ef57:a278")) + (ttl zoneTTL (aaaa "2603:c020:8009:f100:f09a:894d:ef57:a278")) ]; SSHFP = [ { From e9c2073818fa276890a4b719f6d5258a7fb7cc55 Mon Sep 17 00:00:00 2001 From: Charlotte Date: Wed, 14 Dec 2022 18:13:10 +0100 Subject: [PATCH 3/6] Update zones/darkkirb.de.nix --- zones/darkkirb.de.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zones/darkkirb.de.nix b/zones/darkkirb.de.nix index a1fc3ee7..74061cc1 100644 --- a/zones/darkkirb.de.nix +++ b/zones/darkkirb.de.nix @@ -16,7 +16,7 @@ with dns.lib.combinators; let (ttl zoneTTL (a "130.162.60.127")) ]; AAAA = [ - (ttl zoneTTL (aaa "2603:c020:8009:f100:f09a:894d:ef57:a278")) + (ttl zoneTTL (aaaa "2603:c020:8009:f100:f09a:894d:ef57:a278")) ]; SSHFP = [ { From dcc4e75c1e642a99743b81dd86cd75486355f100 Mon Sep 17 00:00:00 2001 From: Charlotte Date: Wed, 14 Dec 2022 18:13:18 +0100 Subject: [PATCH 4/6] Update zones/shitallover.me.nix --- zones/shitallover.me.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zones/shitallover.me.nix b/zones/shitallover.me.nix index 234fac70..8dbf959e 100644 --- a/zones/shitallover.me.nix +++ b/zones/shitallover.me.nix 
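Review bot: The default for `dns` fetches `https://github.com/DarkKirb/dns.nix/archive/master.zip` with no `sha256`, so whenever the file is evaluated without an explicit argument the zone generator is pulled from a moving branch with no integrity check; pin it to a revision, e.g. `dns ? (import (builtins.fetchTarball { url = "https://github.com/DarkKirb/dns.nix/archive/<REV>.tar.gz"; sha256 = "<SHA256>"; })).outputs`. In the `DNSKEY` list the second (ZSK) entry is the only record in the zone without `ttl = zoneTTL;`, which looks accidental next to the KSK entry above it. The `zone` binding starts outside this physical line.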
@@ -16,7 +16,7 @@ with dns.lib.combinators; let
 (ttl zoneTTL (a "130.162.60.127"))
 ];
 AAAA = [
- (ttl zoneTTL (aaa "2603:c020:8009:f100:f09a:894d:ef57:a278"))
+ (ttl zoneTTL (aaaa "2603:c020:8009:f100:f09a:894d:ef57:a278"))
 ];
 SSHFP = [
 {
From 2992707a7c509ca27d497f2255b0d30679456e0c Mon Sep 17 00:00:00 2001
From: Charlotte
Date: Wed, 14 Dec 2022 18:16:18 +0100
Subject: [PATCH 5/6] Apply suggestions from code review
---
config/services/named-submissive.nix | 3 +++
1 file changed, 3 insertions(+)
diff --git a/config/services/named-submissive.nix b/config/services/named-submissive.nix
index a24283af..e15221bf 100644
--- a/config/services/named-submissive.nix
+++ b/config/services/named-submissive.nix
@@ -5,6 +5,9 @@
 hosts-list,
 ...
 }: let
+ internalIP = import ../../utils/getInternalIP.nix config;
+ createListenEntry = ip: "inet ${ip} port 8653 allow { any; };";
+ listenEntries = builtins.map createListenEntry internalIP.listenIPsBare;
 mkZone = name: {
 master = false;
 masters = ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
From 276aba3929a8caa3e78c36b428de842c84601a4d Mon Sep 17 00:00:00 2001
From: Charlotte
Date: Wed, 14 Dec 2022 18:23:54 +0100
Subject: [PATCH 6/6] Update config/services/named-submissive.nix
---
config/services/named-submissive.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/config/services/named-submissive.nix b/config/services/named-submissive.nix
index e15221bf..cda5129c 100644
--- a/config/services/named-submissive.nix
+++ b/config/services/named-submissive.nix
@@ -15,6 +15,7 @@
 };
 in {
 services.bind = {
+ enable = true;
 zones = {
 "darkkirb.de" = mkZone "darkkirb.de";
 "_acme-challenge.darkkirb.de" = mkZone "_acme-challenge.darkkirb.de";
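Review bot: In PATCH 5/6, `createListenEntry` opens the BIND statistics channel on every address in `internalIP.listenIPsBare` with `allow { any; };`, while the only consumer visible in the file is the Prometheus exporter bound to `internalIP.listenIP`; the statistics endpoint reports zone names, query counters and the server version, so the ACL can be narrowed to that one client, e.g. `createListenEntry = ip: "inet ${ip} port 8653 allow { ${internalIP.listenIP}; };";`. Whether the internal addresses are reachable beyond the tunnel mesh is not visible here, so this is defence in depth rather than a known exposure. `listenIPsBare` and `listenIP` come from `getInternalIP.nix`, which is outside this patch; confirm the exporter's address is among the listen addresses.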