From 1cfa380f3038d748ba0d2c6bc09e975bfebd207c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Sat, 19 Oct 2024 08:10:38 +0200 Subject: [PATCH 1/3] fix certs for darkkirb.de --- config/services/acme.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/services/acme.nix b/config/services/acme.nix index c737988c..a9f39b94 100644 --- a/config/services/acme.nix +++ b/config/services/acme.nix @@ -9,6 +9,9 @@ certs."darkkirb.de" = { domain = "*.darkkirb.de"; extraDomainNames = ["darkkirb.de"]; + dnsProvider = "gcloud"; + credentialsFile = config.sops.secrets."security/acme/gcloud".path; + dnsResolver = "1.1.1.1:53"; }; certs."chir.rs" = { domain = "*.chir.rs"; From 0ff2cd73e55f5d69fa619970535aed7ef5291b1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Sat, 19 Oct 2024 08:13:14 +0200 Subject: [PATCH 2/3] remove darkkirb.de zones on bind --- config/services/named-submissive.nix | 2 - config/services/named.nix | 23 --- zones/darkkirb.de.nix | 216 --------------------------- 3 files changed, 241 deletions(-) delete mode 100644 zones/darkkirb.de.nix diff --git a/config/services/named-submissive.nix b/config/services/named-submissive.nix index f60c2eb0..bc059453 100644 --- a/config/services/named-submissive.nix +++ b/config/services/named-submissive.nix @@ -13,10 +13,8 @@ in { services.bind = { enable = true; zones = { - "darkkirb.de" = mkZone "darkkirb.de"; "chir.rs" = mkZone "chir.rs"; "int.chir.rs" = mkZone "int.chir.rs"; - "shitallover.me" = mkZone "shitallover.me"; }; extraConfig = '' statistics-channels { diff --git a/config/services/named.nix b/config/services/named.nix index 6879e324..9e54784c 100644 --- a/config/services/named.nix +++ b/config/services/named.nix @@ -4,7 +4,6 @@ dns, ... }: let - darkkirb-de = import ../../zones/darkkirb.de.nix {inherit dns;}; chir-rs = import ../../zones/chir.rs.nix {inherit dns;}; int-chir-rs = import ../../zones/int.chir.rs.nix {inherit dns;}; signzone = import ../../zones/signzone.nix; @@ -24,33 +23,11 @@ in { zone = int-chir-rs; zonename = "int.chir.rs"; }) - (signzone { - inherit dns; - ksk = "services/dns/de/darkkirb/53136"; - zsk = "services/dns/de/darkkirb/61825"; - zone = darkkirb-de; - zonename = "darkkirb.de"; - }) ]; services.bind = { enable = true; zones = { - "darkkirb.de" = { - master = true; - file = "/var/lib/named/darkkirb.de"; - slaves = ["fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b" "100.99.173.107"]; - extraConfig = "also-notify {fd7a:115c:a1e0:ab12:4843:cd96:6263:ad6b; 100.99.173.107;};"; - }; - "_acme-challenge.darkkirb.de" = { - master = true; - file = "/var/lib/named/_acme-challenge.darkkirb.de"; - extraConfig = '' - update-policy { - grant certbot. name _acme-challenge.darkkirb.de. txt; - }; - ''; - }; "chir.rs" = { master = true; file = "/var/lib/named/chir.rs"; diff --git a/zones/darkkirb.de.nix b/zones/darkkirb.de.nix deleted file mode 100644 index a4ec5396..00000000 --- a/zones/darkkirb.de.nix +++ /dev/null @@ -1,216 +0,0 @@ -{ - dns ? (import (builtins.fetchTarball "https://github.com/DarkKirb/dns.nix/archive/master.zip")).outputs, - zoneTTL ? 3600, -}: -with dns.lib.combinators; let - inherit (builtins) hasAttr; - merge = a: b: - (a // b) - // ( - if ((hasAttr "subdomains" a) && (hasAttr "subdomains" b)) - then {subdomains = a.subdomains // b.subdomains;} - else {} - ); - oracleBase = { - A = [ - (ttl zoneTTL (a "130.162.60.127")) - ]; - AAAA = [ - (ttl zoneTTL (aaaa "2603:c020:8009:f100:f09a:894d:ef57:a278")) - ]; - SSHFP = [ - { - algorithm = "rsa"; - mode = "sha1"; - fingerprint = "b44a837703b22d8cbc2ca4e7019af4bcb0185348"; - ttl = zoneTTL; - } - { - algorithm = "rsa"; - mode = "sha256"; - fingerprint = "8f276ce01188fdd2bbf2aaa03d477c58c911a6c1f9bee3f8ab35ca4b42aa19a9"; - ttl = zoneTTL; - } - { - algorithm = "ed25519"; - mode = "sha1"; - fingerprint = "8dfd784c5f239822b086dc4fa7c058f260331e5d"; - ttl = zoneTTL; - } - { - algorithm = "ed25519"; - mode = "sha256"; - fingerprint = "82d51bd3ab43af3b94801c6b68812c4f1db013ac5b53a466fbcdbb955de6d3e5"; - ttl = zoneTTL; - } - ]; - HTTPS = [ - { - svcPriority = 1; - targetName = "."; - alpn = ["http/1.1" "h2" "h3"]; - ipv4hint = ["130.162.60.127"]; - ipv6hint = ["2603:c020:8009:f100:f09a:894d:ef57:a278"]; - ttl = zoneTTL; - } - ]; - }; - zoneBase = { - A = [ - (ttl zoneTTL (a "138.201.155.128")) - ]; - AAAA = [ - (ttl zoneTTL (aaaa "2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49")) - ]; - SSHFP = [ - { - algorithm = "rsa"; - mode = "sha1"; - fingerprint = "97b910c37194cd98e7edca2d68104f4531721c22"; - ttl = zoneTTL; - } - { - algorithm = "rsa"; - mode = "sha256"; - fingerprint = "7915470f9275116889d5ca1fdbea20416d8372636c3d63653b272308608cf70f"; - ttl = zoneTTL; - } - { - algorithm = "ed25519"; - mode = "sha1"; - fingerprint = "1aff467e745a8d68ba032dd3d54597e10d31ccf8"; - ttl = zoneTTL; - } - { - algorithm = "ed25519"; - mode = "sha256"; - fingerprint = "e6dcdb73dc381ee2b354528cdaf8552364e75c34316d7e0c9819801daea5c951"; - ttl = zoneTTL; - } - ]; - HTTPS = [ - { - svcPriority = 1; - targetName = "."; - alpn = ["http/1.1" "h2" "h3"]; - ipv4hint = ["138.201.155.128"]; - ipv6hint = ["2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49"]; - ttl = zoneTTL; - } - ]; - CAA = [ - { - issuerCritical = false; - tag = "issue"; - value = "letsencrypt.org"; - ttl = zoneTTL; - } - { - issuerCritical = false; - tag = "issuewild"; - value = "letsencrypt.org"; - ttl = zoneTTL; - } - { - issuerCritical = false; - tag = "iodef"; - value = "mailto:lotte@chir.rs"; - ttl = zoneTTL; - } - ]; - }; - createZone = merge zoneBase; - zone = createZone { - SOA = { - nameServer = "ns1.darkkirb.de."; - adminEmail = "lotte@chir.rs"; - serial = 5; - }; - NS = [ - "ns1.chir.rs." - "ns2.chir.rs." - "ns3.chir.rs." - "ns4.chir.rs." - "ns1.darkkirb.de." - "ns2.darkkirb.de." - ]; - MX = [ - (ttl zoneTTL (mx.mx 10 "mail.chir.rs.")) - ]; - SRV = [ - { - service = "submission"; - proto = "tcp"; - port = 587; - target = "mail.chir.rs."; - } - { - service = "imap"; - proto = "tcp"; - port = 143; - target = "mail.chir.rs."; - } - { - service = "imaps"; - proto = "tcp"; - port = 993; - target = "mail.chir.rs."; - } - { - service = "pop3"; - proto = "tcp"; - port = 110; - target = "mail.chir.rs."; - } - { - service = "pop3s"; - proto = "tcp"; - port = 995; - target = "mail.chir.rs."; - } - ]; - TXT = [ - (ttl zoneTTL (txt "v=spf1 ip4:138.201.155.128 ip6:2a01:4f8:1c17:d953/64 -all")) - (ttl zoneTTL (txt "google-site-verification=f2XWRDvD4F99pM7ux7sMtVJ9ZGtjKRLI_rfcO2IWIMI")) - ]; - DNSKEY = [ - { - flags.zoneSigningKey = true; - flags.secureEntryPoint = true; - algorithm = "ecdsap256sha256"; - publicKey = "FZklP7KowbXVjfkT5ndAE60QFvaKoghhLY2TavukRBGFA8pyGm+ce9QHekbrjE14q8sb5x0uXl4VdyDIUNZ3XQ=="; - ttl = zoneTTL; - } - { - flags.zoneSigningKey = true; - algorithm = "ecdsap256sha256"; - publicKey = "WH9JM7Qvi2Hz3bCp7O5/WFLNdKUA/2aUkQqByfhaItfqoAm+hw6x4Qj8+umu5EDyo2A/HD/h9b/eO3zVq6pebw=="; - } - ]; - subdomains = { - _dmarc.TXT = [ - (ttl zoneTTL (txt "v=DMARC1; p=quarantine; rua=mailto:dmarc@chir.rs; ruf=dmarc@chir.rs; fo=1; adkim=s; aspf=s; sp=reject;")) - ]; - _domainkey.subdomains = { - dkim.TXT = [ - (ttl zoneTTL (txt "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDk4XK4c7xWGIalV+yTj5F8B2eXOeFtp0p9VNMlG/dZMv1GGS9hUBEkZOOYhAuE2GhKhHsGtxMalGAIbCqJJglVBLTxDerPGLRAsgZ9EZCyhIh9ebOqv0SfhTfdoz6RZkNrB2DK4nnvzaOa0NQzp+a8a5pAN6niDFBbTF3FFBwkOQIDAQAB")) - ]; - mail.TXT = [ - (ttl zoneTTL (txt "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHmbBT9OJwDu5x7C2C/WhzeHirrxAlLwuh8Z9q7UBGS98MsLbS1NnCvZic4N3H/z80RHABF9KFhvJWy60NhM+UKWDEYSlgc8Z3KJZjuqOCUsajjf2cdhaTOKLbu57388tjghBD0cpK3mdqPU5aw2GY4jJR4YC4c0fqJ6vRTvyOSwIDAQAB")) - ]; - }; - _keybase.TXT = [ - (ttl zoneTTL (txt "keybase-site-verification=9DC6G-moMF8zfcm7_lpjhh2cvT9gL4hHV5yQqf_RgBk")) - ]; - _acme-challenge = delegateTo [ - "ns1.chir.rs." - "ns2.chir.rs." - ]; - www = createZone {}; - static = createZone {}; - ns1 = createZone {}; - ns2 = createZone oracleBase; - }; - }; -in - zone From 0d6207ab720743b172b7fe7f11c310e3b84d59d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Sat, 19 Oct 2024 08:14:05 +0200 Subject: [PATCH 3/3] remove darkkirb.de delegations --- zones/chir.rs.nix | 4 +--- zones/int.chir.rs.nix | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/zones/chir.rs.nix b/zones/chir.rs.nix index b0749093..06c7bd4c 100644 --- a/zones/chir.rs.nix +++ b/zones/chir.rs.nix @@ -144,15 +144,13 @@ with dns.lib.combinators; let SOA = { nameServer = "ns1.chir.rs."; adminEmail = "lotte@chir.rs"; - serial = 55; + serial = 56; }; NS = [ "ns1.chir.rs." "ns2.chir.rs." "ns3.chir.rs." "ns4.chir.rs." - "ns1.darkkirb.de." - "ns2.darkkirb.de." ]; MX = [ (ttl zoneTTL (mx.mx 10 "mx.zoho.eu.")) diff --git a/zones/int.chir.rs.nix b/zones/int.chir.rs.nix index b80cf18a..8b5ec2eb 100644 --- a/zones/int.chir.rs.nix +++ b/zones/int.chir.rs.nix @@ -15,15 +15,13 @@ in { SOA = { nameServer = "ns1.chir.rs."; adminEmail = "lotte@chir.rs"; - serial = 38; + serial = 39; }; NS = [ "ns1.chir.rs." "ns2.chir.rs." "ns3.chir.rs." "ns4.chir.rs." - "ns1.darkkirb.de." - "ns2.darkkirb.de." ]; DNSKEY = [ {