Merge remote-tracking branch 'ni/master'

7 files changed, 218 insertions, 40 deletions

diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
index 2f55995cf..8bb14d517 100644
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
@@ -5,6 +5,7 @@
     <stockholm/krebs>
     <stockholm/krebs/2configs>
     <stockholm/krebs/2configs/matterbridge.nix>
+    <stockholm/krebs/2configs/nameserver.nix>
   ];
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
@@ -30,8 +31,23 @@
 
   krebs.pages.enable = true;
   krebs.pages.nginx.addSSL = true;
-  krebs.pages.nginx.enableACME = true;
+  krebs.pages.nginx.useACMEHost = "krebsco.de";
 
   security.acme.acceptTerms = true;
-  security.acme.certs.${config.krebs.pages.domain}.email = "spam@krebsco.de";
+  security.acme.certs."krebsco.de" = {
+    domain = "krebsco.de";
+    extraDomainNames = [
+      "*.krebsco.de"
+    ];
+    email = "spam@krebsco.de";
+    reloadServices = [
+      "knsupdate-krebsco.de.service"
+      "nginx.service"
+    ];
+    keyType = "ec384";
+    dnsProvider = "rfc2136";
+    credentialsFile = "/var/src/secrets/acme-credentials";
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
 }
diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix
new file mode 100644
index 000000000..633f6f5d5
--- /dev/null
+++ b/krebs/2configs/nameserver.nix
@@ -0,0 +1,179 @@
+{ config, lib, pkgs, ... }: let
+  acmeChallenge =
+    { domain
+    , nameserver
+    , adminEmail
+    , serial ? 0
+    , refresh ? 3600
+    , retry ? 900
+    , expire ? 604800
+    , minimum ? 180
+    }:
+    pkgs.writeText "${domain}.zone" /* bindzone */ ''
+      $TTL 60
+      @ IN SOA ${lib.concatStringsSep " " [
+        "${nameserver}."
+        "${lib.replaceStrings ["@"] ["."] adminEmail}."
+        (toString serial)
+        (toString refresh)
+        (toString retry)
+        (toString expire)
+        (toString minimum)
+      ]}
+      @ IN NS ${nameserver}.
+    '';
+in {
+  networking.firewall.allowedTCPPorts = [
+    53 # domain for AXFR
+  ];
+  networking.firewall.allowedUDPPorts = [
+    53 # domain
+  ];
+
+  krebs.systemd.services.knot.restartIfCredentialsChange = true;
+  systemd.services.knot.serviceConfig.LoadCredential = [
+    "keys.conf:/var/src/secrets/knot-keys.conf"
+  ];
+
+  services.knot = {
+    enable = true;
+    keyFiles = [
+      "/run/credentials/knot.service/keys.conf"
+    ];
+    extraConfig = /* yaml */ ''
+      server:
+        udp-max-payload: 4096
+        listen: [ 127.0.0.53@2, ${
+          lib.concatMapStringsSep ", "
+            (addr: "${addr}@53")
+            (
+              config.krebs.build.host.nets.internet.addrs or []
+              ++
+              # This is required for hosts at OCI because the default route
+              # provided by DHCP is using the private address.
+              config.krebs.build.host.nets.intranet.addrs or []
+            )
+        } ]
+
+      log:
+        - target: syslog
+          any: debug
+
+      remote:
+        - id: henet_ns1
+          address: 216.218.130.2
+
+        - id: hostingde_ns1
+          address: 134.0.30.178
+
+        - id: krebscode_ni
+          address: ${config.krebs.hosts.ni.nets.internet.ip4.addr}
+          key: krebs_transfer_notify_key
+
+      acl:
+        - id: acme_acl
+          key: acme
+          action: update
+
+        - id: dane_acl
+          key: dane
+          action: update
+
+        - id: transfer_to_henet_secondary
+          key: henet_transfer_key
+          address: [ 216.218.133.2, 2001:470:600::2 ]
+          action: transfer
+
+        # https://www.hosting.de/helpdesk/produkte/dns/dns-master-ips/
+        - id: transfer_to_hostingde_secondary
+          address: [ 134.0.30.178, 194.126.196.2, 2a03:2900:3:1::2, 2a03:2902:3:1::2 ]
+          action: transfer
+
+        - id: transfer_to_krebscode_secondary
+          key: krebs_transfer_notify_key
+          action: transfer
+
+      mod-rrl:
+        - id: default
+          rate-limit: 200   # Allow 200 resp/s for each flow
+          slip: 2           # Every other response slips
+
+      policy:
+        - id: rsa2k
+          algorithm: rsasha256
+          ksk-size: 4096
+          zsk-size: 2048
+
+      template:
+        - id: default
+          global-module: mod-rrl/default
+          semantic-checks: on
+          zonefile-sync: -1
+          zonefile-load: difference-no-serial
+          journal-content: all
+
+      zone:
+        - domain: krebsco.de
+          file: ${pkgs.krebs.zones."krebsco.de"}
+          dnssec-signing: on
+          dnssec-policy: rsa2k
+          notify: henet_ns1
+          notify: hostingde_ns1
+          notify: krebscode_ni
+          acl: transfer_to_henet_secondary
+          acl: transfer_to_hostingde_secondary
+          acl: transfer_to_krebscode_secondary
+          acl: dane_acl
+
+        - domain: _acme-challenge.krebsco.de
+          file: ${acmeChallenge {
+            domain = "_acme-challenge.krebsco.de";
+            nameserver = "ns1.krebsco.de";
+            adminEmail = "spam@krebsco.de";
+          }}
+          acl: acme_acl
+
+        - domain: r
+          file: ${pkgs.krebs.zones.r}
+
+        - domain: w
+          file: ${pkgs.krebs.zones.w}
+    '';
+  };
+
+  systemd.services."knsupdate-krebsco.de" = {
+    serviceConfig = {
+      Type = "oneshot";
+      SyslogIdentifier = "knsupdate-krebsco.de";
+      ExecStart = pkgs.writeDash "knsupdate-krebsco.de" /* sh */ ''
+        set -efu
+
+        mk_certificate_association_data() {
+          ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 < "$1" |
+          ${pkgs.coreutils}/bin/cut -d= -f2 |
+          ${pkgs.coreutils}/bin/tr -d :
+        }
+
+        certfile=/var/lib/acme/krebsco.de/cert.pem
+        certificate_association_data=$(mk_certificate_association_data "$certfile")
+        keyfile=/var/src/secrets/dane.tsig
+
+        script=$(${pkgs.coreutils}/bin/mktemp -t knsupdate.XXXXXXXX)
+        trap 'rm "$script"' EXIT
+        (
+          exec >"$script"
+          echo server krebsco.de.
+          echo zone krebsco.de.
+          echo origin krebsco.de.
+          echo add _25._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data
+          echo add _443._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data
+          echo show
+          echo send
+          echo answer
+          echo quit
+        )
+        ${pkgs.knot-dns}/bin/knsupdate -k "$keyfile" "$script"
+      '';
+    };
+  };
+}
diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix
index 58f3a3c10..aba825c29 100644
--- a/krebs/3modules/ssh.nix
+++ b/krebs/3modules/ssh.nix
@@ -4,32 +4,9 @@ let
   cfg = config.krebs;
 
   out = {
-    options.krebs = api;
     config = lib.mkIf cfg.enable imp;
   };
 
-  api = {
-    zone-head-config  = mkOption {
-      type = with types; attrsOf str;
-      description = ''
-        The zone configuration head which is being used to create the
-        zone files. The string for each key is pre-pended to the zone file.
-      '';
-      # TODO: configure the default somewhere else,
-      # maybe use krebs.dns.providers
-      default = {
-
-        # github.io -> 192.30.252.154
-        "krebsco.de" = ''
-          $TTL 86400
-          @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
-                                IN NS     ns19.ovh.net.
-                                IN NS     dns19.ovh.net.
-        '';
-      };
-    };
-  };
-
   imp = lib.mkMerge [
     {
       services.openssh.hostKeys =
diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix
index 7771d3b51..e68482d77 100644
--- a/krebs/3modules/zones.nix
+++ b/krebs/3modules/zones.nix
@@ -1,6 +1,25 @@
 { config, pkgs, lib, ... }:
 with lib; {
 
+  options.krebs.zone-head-config = mkOption {
+    type = lib.types.attrsOf lib.types.str;
+    description = ''
+      The zone configuration head which is being used to create the
+      zone files. The string for each key is pre-pended to the zone file.
+    '';
+    default = {
+      "krebsco.de" = /* bindzone */ ''
+        $TTL 60
+        @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600
+        @ 3600 IN NS ns1
+        @ 3600 IN NS ni
+        @ 3600 IN NS ns2.he.net.
+        @ 3600 IN NS ns3.he.net.
+        @ 3600 IN NS ns2.hosting.de.
+      '';
+    };
+  };
+
   config = {
     environment.etc =
       mapAttrs'
diff --git a/krebs/5pkgs/haskell/pager.nix b/krebs/5pkgs/haskell/desktop-pager.nix
index 36709788c..1a4f94db3 100644
--- a/krebs/5pkgs/haskell/pager.nix
+++ b/krebs/5pkgs/haskell/desktop-pager.nix
@@ -4,7 +4,7 @@
 , utf8-string, X11
 }:
 mkDerivation {
-  pname = "pager";
+  pname = "desktop-pager";
   version = "1.0.0";
   src = fetchgit {
     url = "https://cgit.krebsco.de/pager";
diff --git a/krebs/5pkgs/simple/krebszones/default.nix b/krebs/5pkgs/simple/krebszones/default.nix
deleted file mode 100644
index 32608e7fa..000000000
--- a/krebs/5pkgs/simple/krebszones/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ pkgs, ... }:
-
-pkgs.writeDashBin "krebszones" ''
-  set -efu
-  export OVH_ZONE_CONFIG=''${OVH_ZONE_CONFIG:-$HOME/.secrets/krebs/ovh-zone.conf}
-  case $* in
-    import)
-      set -- import /etc/zones/krebsco.de krebsco.de
-      echo "+ krebszones $*" >&2
-      ;;
-  esac
-  exec ${pkgs.ovh-zone}/bin/ovh-zone "$@"
-''
diff --git a/krebs/5pkgs/simple/pager.nix b/krebs/5pkgs/simple/pager.nix
index 952b5ee1e..adc2cc67b 100644
--- a/krebs/5pkgs/simple/pager.nix
+++ b/krebs/5pkgs/simple/pager.nix
@@ -33,7 +33,7 @@ pkgs.symlinkJoin {
           -ti vt340 \
           -xrm '*geometry: 32x10' \
           -xrm '*internalBorder: 2' \
-          -e ${pkgs.haskellPackages.pager}/bin/pager "$@"
+          -e ${pkgs.haskellPackages.desktop-pager}/bin/pager "$@"
     '')
     pkgs.haskellPackages.pager
   ];