From 85816b60c2002ea3ea68e51523b9fc2490f0a8e5 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 14:06:03 +0200 Subject: zones: import misplaced options from ssh --- krebs/3modules/ssh.nix | 23 ----------------------- krebs/3modules/zones.nix | 16 ++++++++++++++++ 2 files changed, 16 insertions(+), 23 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix index 58f3a3c10..aba825c29 100644 --- a/krebs/3modules/ssh.nix +++ b/krebs/3modules/ssh.nix @@ -4,32 +4,9 @@ let cfg = config.krebs; out = { - options.krebs = api; config = lib.mkIf cfg.enable imp; }; - api = { - zone-head-config = mkOption { - type = with types; attrsOf str; - description = '' - The zone configuration head which is being used to create the - zone files. The string for each key is pre-pended to the zone file. - ''; - # TODO: configure the default somewhere else, - # maybe use krebs.dns.providers - default = { - - # github.io -> 192.30.252.154 - "krebsco.de" = '' - $TTL 86400 - @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) - IN NS ns19.ovh.net. - IN NS dns19.ovh.net. - ''; - }; - }; - }; - imp = lib.mkMerge [ { services.openssh.hostKeys = diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 7771d3b51..a7bd867f5 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -1,6 +1,22 @@ { config, pkgs, lib, ... }: with lib; { + options.krebs.zone-head-config = mkOption { + type = lib.types.attrsOf lib.types.str; + description = '' + The zone configuration head which is being used to create the + zone files. The string for each key is pre-pended to the zone file. + ''; + default = { + "krebsco.de" = /* bindzone */ '' + $TTL 86400 + @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) + @ IN NS ns19.ovh.net. + @ IN NS dns19.ovh.net. + ''; + }; + }; + config = { environment.etc = mapAttrs' -- cgit v1.2.3 From 99e21a074648d2586fd608d800e1a106a72986da Mon Sep 17 00:00:00 2001 
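Review bot: The new `options.krebs.zone-head-config` in zones.nix spells its type as `lib.types.attrsOf lib.types.str` although the file opens with `with lib;` (visible in the hunk context), so `type = types.attrsOf types.str;` would match the rest of the file and the declaration just removed from ssh.nix. The TODO from the ssh.nix copy (configure the default somewhere else, maybe via krebs.dns.providers) is dropped without replacement; if it is still intended, carry it over as a comment above `default`. The two NS lines also gain explicit `@` owners, which is a content change the commit title ("import misplaced options") does not mention and deserves a word in the message.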
From: tv Date: Tue, 1 Aug 2023 17:26:14 +0200 Subject: nameserver config: init --- krebs/2configs/nameserver.nix | 150 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100644 krebs/2configs/nameserver.nix (limited to 'krebs') diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix new file mode 100644 index 000000000..4b205a13d --- /dev/null +++ b/krebs/2configs/nameserver.nix 
@@ -0,0 +1,150 @@ +{ config, lib, pkgs, ... }: let + acmeChallenge = + { domain + , nameserver + , adminEmail + , serial ? 0 + , refresh ? 3600 + , retry ? 900 + , expire ? 604800 + , minimum ? 180 + }: + pkgs.writeText "${domain}.zone" /* bindzone */ '' + $TTL 60 + @ IN SOA ${lib.concatStringsSep " " [ + "${nameserver}." + "${lib.replaceStrings ["@"] ["."] adminEmail}." + (toString serial) + (toString refresh) + (toString retry) + (toString expire) + (toString minimum) + ]} + @ IN NS ${nameserver}. + ''; +in { + networking.firewall.allowedTCPPorts = [ + 53 # domain for AXFR + ]; + networking.firewall.allowedUDPPorts = [ + 53 # domain + ]; + + krebs.systemd.services.knot.restartIfCredentialsChange = true; + systemd.services.knot.serviceConfig.LoadCredential = [ + "keys.conf:/var/src/secrets/knot-keys.conf" + ]; + + services.knot = { + enable = true; + keyFiles = [ + "/run/credentials/knot.service/keys.conf" + ]; + extraConfig = /* yaml */ '' + server: + udp-max-payload: 4096 + listen: [ 127.0.0.53@2, ${ + lib.concatMapStringsSep ", " + (addr: "${addr}@53") + ( + config.krebs.build.host.nets.internet.addrs or [] + ++ + # This is required for hosts at OCI because the default route + # provided by DHCP is using the private address. 
+ config.krebs.build.host.nets.intranet.addrs or [] + ) + } ] + + log: + - target: syslog + any: debug + + remote: + + acl: + - id: acme_acl + key: acme + action: update + + - id: dane_acl + key: dane + action: update + + mod-rrl: + - id: default + rate-limit: 200 # Allow 200 resp/s for each flow + slip: 2 # Every other response slips + + policy: + - id: rsa2k + algorithm: rsasha256 + ksk-size: 4096 + zsk-size: 2048 + + template: + - id: default + global-module: mod-rrl/default + semantic-checks: on + zonefile-sync: -1 + zonefile-load: difference-no-serial + journal-content: all + + zone: + - domain: krebsco.de + file: ${pkgs.krebs.zones."krebsco.de"} + dnssec-signing: on + dnssec-policy: rsa2k + acl: dane_acl + + - domain: _acme-challenge.krebsco.de + file: ${acmeChallenge { + domain = "_acme-challenge.krebsco.de"; + nameserver = "ns1.krebsco.de"; + adminEmail = "spam@krebsco.de"; + }} + acl: acme_acl + + - domain: r + file: ${pkgs.krebs.zones.r} + + - domain: w + file: ${pkgs.krebs.zones.w} + ''; + }; + + systemd.services."knsupdate-krebsco.de" = { + serviceConfig = { + Type = "oneshot"; + SyslogIdentifier = "knsupdate-krebsco.de"; + ExecStart = pkgs.writeDash "knsupdate-krebsco.de" /* sh */ '' + set -efu + + mk_certificate_association_data() { + ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 < "$1" | + ${pkgs.coreutils}/bin/cut -d= -f2 | + ${pkgs.coreutils}/bin/tr -d : + } + + certfile=/var/lib/acme/krebsco.de/cert.pem + certificate_association_data=$(mk_certificate_association_data "$certfile") + keyfile=/var/src/secrets/dane.tsig + + script=$(${pkgs.coreutils}/bin/mktemp -t knsupdate.XXXXXXXX) + trap 'rm "$script"' EXIT + ( + exec >"$script" + echo server krebsco.de. + echo zone krebsco.de. + echo origin krebsco.de. 
+ echo add _25._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data + echo add _443._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data + echo show + echo send + echo answer + echo quit + ) + ${pkgs.knot-dns}/bin/knsupdate -k "$keyfile" "$script" + ''; + }; + }; +} -- cgit v1.2.3 From b63f7920b5bce1670692e6278eb87db52b1ba0af Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 17:27:09 +0200 Subject: zones: update default head config --- krebs/3modules/zones.nix | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index a7bd867f5..1d63548b8 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -9,10 +9,9 @@ with lib; { ''; default = { "krebsco.de" = /* bindzone */ '' - $TTL 86400 - @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) - @ IN NS ns19.ovh.net. - @ IN NS dns19.ovh.net. + $TTL 60 + @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 + @ 3600 IN NS ns1 ''; }; }; -- cgit v1.2.3 From 068fbd791257b3f3dc4cab7e11716171a8ef39fb Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 17:27:59 +0200 Subject: ponte: add nameserver config --- krebs/1systems/ponte/config.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'krebs') diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix index 2f55995cf..0b9b1c563 100644 --- a/krebs/1systems/ponte/config.nix +++ b/krebs/1systems/ponte/config.nix @@ -5,6 +5,7 @@ + ]; networking.firewall.allowedTCPPorts = [ 80 443 ]; -- cgit v1.2.3 From 73a64cc57af95a876168151654f06277f91a2243 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 17:29:42 +0200 Subject: ponte: use DNS-01 challenge --- krebs/1systems/ponte/config.nix | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'krebs') diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix index 0b9b1c563..8bb14d517 100644 
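Review bot: The `knsupdate-krebsco.de` script only ever issues `add` for the two TLSA records, so every renewal that yields a new leaf certificate publishes another `3 0 1` association next to the previous ones and nothing removes the stale fingerprints. Deleting the RRset inside the same transaction keeps the update atomic: `echo del _25._tcp.ni TLSA` and `echo del _443._tcp.ni TLSA` immediately before the corresponding `add` lines; with the 60 s TTL the window for clients holding a cached old association is short, and if a deliberate current+next rollover is wanted instead, prune the associations that no longer match `$certfile` rather than none. Separately, `udp-max-payload: 4096` in the Knot `server:` block is well above the 1232 bytes settled on by DNS flag day 2020 (which, as far as I know, is also the default in current Knot releases); with `dnssec-signing: on` the larger responses invite fragmentation and raise the amplification factor that `mod-rrl` is there to bound, so `udp-max-payload: 1232` is the safer setting. The hunk is the complete new file, so nothing is cut off.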
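Review bot: The new SOA line in the default zone head uses `spam.krebsco.de.` as MNAME, i.e. the mailbox host rather than the primary nameserver, while the NS record names `ns1`. MNAME is what RFC 2136 clients and some secondaries consult to locate the primary for dynamic updates and SOA refresh queries, so the line should read `@ 3600 IN SOA ns1 spam.krebsco.de. 0 7200 3600 86400 3600` (RNAME `spam.krebsco.de.` as the encoding of spam@krebsco.de is fine). The serial `0` is only acceptable because Knot maintains the serial itself via `zonefile-load: difference-no-serial` in the nameserver config on this page; a comment such as `# serial is managed by knot (difference-no-serial), do not bump by hand` next to the line would keep the next editor from "fixing" it.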
--- a/krebs/1systems/ponte/config.nix +++ b/krebs/1systems/ponte/config.nix @@ -31,8 +31,23 @@ krebs.pages.enable = true; krebs.pages.nginx.addSSL = true; - krebs.pages.nginx.enableACME = true; + krebs.pages.nginx.useACMEHost = "krebsco.de"; security.acme.acceptTerms = true; - security.acme.certs.${config.krebs.pages.domain}.email = "spam@krebsco.de"; + security.acme.certs."krebsco.de" = { + domain = "krebsco.de"; + extraDomainNames = [ + "*.krebsco.de" + ]; + email = "spam@krebsco.de"; + reloadServices = [ + "knsupdate-krebsco.de.service" + "nginx.service" + ]; + keyType = "ec384"; + dnsProvider = "rfc2136"; + credentialsFile = "/var/src/secrets/acme-credentials"; + }; + + users.users.nginx.extraGroups = [ "acme" ]; } -- cgit v1.2.3 From 7cd50a3c07e788fa0b4ab53c78b9dea10ff30b2d Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 11:39:33 +0200 Subject: nameserver config: add ni as secondary --- krebs/2configs/nameserver.nix | 9 +++++++++ krebs/3modules/zones.nix | 1 + 2 files changed, 10 insertions(+) (limited to 'krebs') diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index 4b205a13d..a4c4b5f05 100644 --- a/krebs/2configs/nameserver.nix +++ b/krebs/2configs/nameserver.nix @@ -60,6 +60,9 @@ in { any: debug remote: + - id: krebscode_ni + address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} + key: krebs_transfer_notify_key acl: - id: acme_acl @@ -70,6 +73,10 @@ in { key: dane action: update + - id: transfer_to_krebscode_secondary + key: krebs_transfer_notify_key + action: transfer + mod-rrl: - id: default rate-limit: 200 # Allow 200 resp/s for each flow @@ -94,6 +101,8 @@ in { file: ${pkgs.krebs.zones."krebsco.de"} dnssec-signing: on dnssec-policy: rsa2k + notify: krebscode_ni + acl: transfer_to_krebscode_secondary acl: dane_acl - domain: _acme-challenge.krebsco.de diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 1d63548b8..bf904a268 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix 
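Review bot: `reloadServices` lists `knsupdate-krebsco.de.service`, which the nameserver config on this page declares as a `Type = "oneshot"` unit without `RemainAfterExit`; if, as I believe, NixOS implements `reloadServices` with `systemctl try-reload-or-restart`, that call is a no-op for a unit that is not currently active, so after a renewal the TLSA records would not be republished and the `3 0 1` fingerprints would keep pointing at the superseded certificate, which DANE-validating peers would reject. Either `RemainAfterExit = true;` in the knsupdate unit's `serviceConfig` or an explicit `postRun = "systemctl start knsupdate-krebsco.de.service";` on this cert would make the hook reliable; worth confirming on the host with a forced renewal. The new wildcard `*.krebsco.de` SAN means the TSIG key in `/var/src/secrets/acme-credentials` can obtain certificates for any name under the zone; that is acceptable only because the `acme` key is granted `update` solely on the `_acme-challenge.krebsco.de` zone, and a one-line comment next to `dnsProvider` recording that dependency would keep the two configs from drifting apart. The surrounding attribute set starts above the hunk.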
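Review bot: `transfer_to_krebscode_secondary` (second hunk) grants AXFR on the TSIG key alone, although the peer's address is already known from `config.krebs.hosts.ni.nets.internet.ip4.addr` used by the `krebscode_ni` remote in the first hunk; adding `address: ${config.krebs.hosts.ni.nets.internet.ip4.addr}` to the ACL means a leaked `krebs_transfer_notify_key` is not by itself enough to pull the zone from anywhere. The zone entry in the third hunk now carries two `acl:` lines; Knot accepts repeated keys for multi-valued items as far as I know, but `acl: [ transfer_to_krebscode_secondary, dane_acl ]` is the unambiguous spelling and avoids the question as more secondaries are added. Nothing in the hunks shows where `krebs_transfer_notify_key` is defined; presumably it lives in the `keys.conf` credential loaded above, and a comment saying so next to the remote would help.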
@@ -12,6 +12,7 @@ with lib; { $TTL 60 @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 @ 3600 IN NS ns1 + @ 3600 IN NS ni ''; }; }; -- cgit v1.2.3 From 193baa8f2f64a4909e38069d4f21ac6c46d2796b Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 15:53:27 +0200 Subject: nameserver config: add he.net as secondary --- krebs/2configs/nameserver.nix | 10 ++++++++++ krebs/3modules/zones.nix | 2 ++ 2 files changed, 12 insertions(+) (limited to 'krebs') diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index a4c4b5f05..4c6b95516 100644 --- a/krebs/2configs/nameserver.nix +++ b/krebs/2configs/nameserver.nix @@ -60,6 +60,9 @@ in { any: debug remote: + - id: henet_ns1 + address: 216.218.130.2 + - id: krebscode_ni address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} key: krebs_transfer_notify_key @@ -73,6 +76,11 @@ in { key: dane action: update + - id: transfer_to_henet_secondary + key: henet_transfer_key + address: [ 216.218.133.2, 2001:470:600::2 ] + action: transfer + - id: transfer_to_krebscode_secondary key: krebs_transfer_notify_key action: transfer @@ -101,7 +109,9 @@ in { file: ${pkgs.krebs.zones."krebsco.de"} dnssec-signing: on dnssec-policy: rsa2k + notify: henet_ns1 notify: krebscode_ni + acl: transfer_to_henet_secondary acl: transfer_to_krebscode_secondary acl: dane_acl diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index bf904a268..8cb68c4f7 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -13,6 +13,8 @@ with lib; { @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 @ 3600 IN NS ns1 @ 3600 IN NS ni + @ 3600 IN NS ns2.he.net. + @ 3600 IN NS ns3.he.net. ''; }; }; -- cgit v1.2.3 From 7e98588f8e626c4e2800e1238ea8a1df1f5c8f7a Mon Sep 17 00:00:00 2001 
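Review bot: The he.net addresses `216.218.130.2` (remote `henet_ns1`) and `216.218.133.2, 2001:470:600::2` (ACL `transfer_to_henet_secondary`) are hard-coded without any indication of where they come from, unlike the hosting.de entry added in 7e98588 on this page, which cites the provider page the master IPs were copied from; a comment above `- id: henet_ns1` such as `# he.net slave DNS: notify target and AXFR sources as published by the provider` would let the next person re-verify them if he.net renumbers. The ACL requires `henet_transfer_key` while the `henet_ns1` remote has no `key:`, so outbound NOTIFYs to he.net go unsigned; if he.net accepts TSIG on NOTIFY, `key: henet_transfer_key` on the remote would match the `krebscode_ni` remote, otherwise a short comment explaining the asymmetry would do.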
From: tv Date: Wed, 2 Aug 2023 17:42:32 +0200 Subject: nameserver config: add hosting.de as secondary --- krebs/2configs/nameserver.nix | 10 ++++++++++ krebs/3modules/zones.nix | 1 + 2 files changed, 11 insertions(+) (limited to 'krebs') diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index 4c6b95516..633f6f5d5 100644 --- a/krebs/2configs/nameserver.nix +++ b/krebs/2configs/nameserver.nix @@ -63,6 +63,9 @@ in { - id: henet_ns1 address: 216.218.130.2 + - id: hostingde_ns1 + address: 134.0.30.178 + - id: krebscode_ni address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} key: krebs_transfer_notify_key @@ -81,6 +84,11 @@ in { address: [ 216.218.133.2, 2001:470:600::2 ] action: transfer + # https://www.hosting.de/helpdesk/produkte/dns/dns-master-ips/ + - id: transfer_to_hostingde_secondary + address: [ 134.0.30.178, 194.126.196.2, 2a03:2900:3:1::2, 2a03:2902:3:1::2 ] + action: transfer + - id: transfer_to_krebscode_secondary key: krebs_transfer_notify_key action: transfer @@ -110,8 +118,10 @@ in { dnssec-signing: on dnssec-policy: rsa2k notify: henet_ns1 + notify: hostingde_ns1 notify: krebscode_ni acl: transfer_to_henet_secondary + acl: transfer_to_hostingde_secondary acl: transfer_to_krebscode_secondary acl: dane_acl diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 8cb68c4f7..e68482d77 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -15,6 +15,7 @@ with lib; { @ 3600 IN NS ni @ 3600 IN NS ns2.he.net. @ 3600 IN NS ns3.he.net. + @ 3600 IN NS ns2.hosting.de. ''; }; }; -- cgit v1.2.3 From 363b381eeca12c54c83b4841198d189d470d345e Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 18:14:32 +0200 Subject: krebszones: RIP --- krebs/5pkgs/simple/krebszones/default.nix | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 krebs/5pkgs/simple/krebszones/default.nix (limited to 'krebs') 
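Review bot: `transfer_to_hostingde_secondary` is the only transfer ACL without a `key:`, so any host at the four listed addresses can AXFR the signed zone unauthenticated. For a public, DNSSEC-signed zone that is a modest exposure, but it differs from the he.net and ni ACLs on this page, so either add a TSIG key if hosting.de supports one for incoming transfers, or record the decision in the existing comment, e.g. `# address-only on purpose: hosting.de transfers are not TSIG-signed`. Also, `134.0.30.178` appears both as the `hostingde_ns1` notify target and as a transfer source while the NS record added in zones.nix names `ns2.hosting.de.`; a short comment tying the notify target to the provider's master/slave layout would avoid future confusion about which host is which.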
diff --git a/krebs/5pkgs/simple/krebszones/default.nix b/krebs/5pkgs/simple/krebszones/default.nix
deleted file mode 100644
index 32608e7fa..000000000
--- a/krebs/5pkgs/simple/krebszones/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ pkgs, ... }:
-
-pkgs.writeDashBin "krebszones" ''
- set -efu
- export OVH_ZONE_CONFIG=''${OVH_ZONE_CONFIG:-$HOME/.secrets/krebs/ovh-zone.conf}
- case $* in
- import)
- set -- import /etc/zones/krebsco.de krebsco.de
- echo "+ krebszones $*" >&2
- ;;
- esac
- exec ${pkgs.ovh-zone}/bin/ovh-zone "$@"
-''
-- cgit v1.2.3
From da3c1f05f595ac6919f26e994094d5513936a06e Mon Sep 17 00:00:00 2001
From: tv
Date: Mon, 4 Sep 2023 10:54:17 +0200
Subject: haskellPackages: pager -> desktop-pager
Rename pager to desktop-pager to prevent a name clash with https://hackage.haskell.org/package/pager, causing hledger-lib to not build.
---
 krebs/5pkgs/haskell/desktop-pager.nix | 24 ++++++++++++++++++++++++
 krebs/5pkgs/haskell/pager.nix | 24 ------------------------
 krebs/5pkgs/simple/pager.nix | 2 +-
 3 files changed, 25 insertions(+), 25 deletions(-)
 create mode 100644 krebs/5pkgs/haskell/desktop-pager.nix
 delete mode 100644 krebs/5pkgs/haskell/pager.nix
(limited to 'krebs')
diff --git a/krebs/5pkgs/haskell/desktop-pager.nix b/krebs/5pkgs/haskell/desktop-pager.nix
new file mode 100644
index 000000000..1a4f94db3
--- /dev/null
+++ b/krebs/5pkgs/haskell/desktop-pager.nix
@@ -0,0 +1,24 @@
+{ mkDerivation, aeson, base, blessings, bytestring, containers
+, data-default, extra, fetchgit, hack, lib, optparse-applicative
+, probability, scanner, speculate, split, terminal-size, text, unix
+, utf8-string, X11
+}:
+mkDerivation {
+ pname = "desktop-pager";
+ version = "1.0.0";
+ src = fetchgit {
+ url = "https://cgit.krebsco.de/pager";
+ sha256 = "07wjlhnb27vfhkqq5vhi768mlrcpwl4b2yfk04v3lw047q6pmby0";
+ rev = "dfa3ff346d22d332ffbadd46963f1cc5cb2a4939";
+ fetchSubmodules = true;
+ };
+ isLibrary = true;
+ isExecutable = true;
+ libraryHaskellDepends = [ base extra utf8-string X11 ];
+ executableHaskellDepends = [
+ aeson base blessings bytestring containers data-default hack
+ optparse-applicative probability scanner speculate split
+ terminal-size text unix X11
+ ];
+ license = lib.licenses.mit;
+}
diff --git a/krebs/5pkgs/haskell/pager.nix b/krebs/5pkgs/haskell/pager.nix
deleted file mode 100644
index 36709788c..000000000
--- a/krebs/5pkgs/haskell/pager.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ mkDerivation, aeson, base, blessings, bytestring, containers
-, data-default, extra, fetchgit, hack, lib, optparse-applicative
-, probability, scanner, speculate, split, terminal-size, text, unix
-, utf8-string, X11
-}:
-mkDerivation {
- pname = "pager";
- version = "1.0.0";
- src = fetchgit {
- url = "https://cgit.krebsco.de/pager";
- sha256 = "07wjlhnb27vfhkqq5vhi768mlrcpwl4b2yfk04v3lw047q6pmby0";
- rev = "dfa3ff346d22d332ffbadd46963f1cc5cb2a4939";
- fetchSubmodules = true;
- };
- isLibrary = true;
- isExecutable = true;
- libraryHaskellDepends = [ base extra utf8-string X11 ];
- executableHaskellDepends = [
- aeson base blessings bytestring containers data-default hack
- optparse-applicative probability scanner speculate split
- terminal-size text unix X11
- ];
- license = lib.licenses.mit;
-}
diff --git a/krebs/5pkgs/simple/pager.nix b/krebs/5pkgs/simple/pager.nix
index 952b5ee1e..adc2cc67b 100644
--- a/krebs/5pkgs/simple/pager.nix
+++ b/krebs/5pkgs/simple/pager.nix
@@ -33,7 +33,7 @@ pkgs.symlinkJoin {
 -ti vt340 \
 -xrm '*geometry: 32x10' \
 -xrm '*internalBorder: 2' \
- -e ${pkgs.haskellPackages.pager}/bin/pager "$@"
+ -e ${pkgs.haskellPackages.desktop-pager}/bin/pager "$@"
 '')
 pkgs.haskellPackages.pager
 ];
-- cgit v1.2.3
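Review bot: The `paths` list of `pkgs.symlinkJoin` still contains `pkgs.haskellPackages.pager` (the context line after `'')`), while only the wrapper's `-e` path was switched to `desktop-pager`; after this rename that attribute presumably resolves to the Hackage `pager` package the commit message says caused the clash, so the join would pull in the wrong package or fail to evaluate. Change that line to `pkgs.haskellPackages.desktop-pager` as well. The `symlinkJoin` call starts above the hunk.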