diff options
Diffstat (limited to 'krebs/2configs')
| -rw-r--r-- | krebs/2configs/acme.nix | 2 | ||||
| -rw-r--r-- | krebs/2configs/cal.nix | 2 | ||||
| -rw-r--r-- | krebs/2configs/hotdog-host.nix | 3 | ||||
| -rw-r--r-- | krebs/2configs/mastodon.nix | 6 | ||||
| -rw-r--r-- | krebs/2configs/nameserver.nix | 179 | ||||
| -rw-r--r-- | krebs/2configs/news-host.nix | 3 | ||||
| -rw-r--r-- | krebs/2configs/repo-sync.nix | 2 | ||||
| -rw-r--r-- | krebs/2configs/syncthing.nix | 4 | ||||
| -rw-r--r-- | krebs/2configs/tor/initrd.nix | 4 | ||||
| -rw-r--r-- | krebs/2configs/wiki.nix | 2 |
10 files changed, 195 insertions, 12 deletions
diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix index 056aa7ae4..0b9cb91af 100644 --- a/krebs/2configs/acme.nix +++ b/krebs/2configs/acme.nix @@ -24,7 +24,7 @@ in { path = "/var/lib/step-ca/intermediate_ca.key"; owner.name = "root"; mode = "1444"; - source-path = builtins.toString <secrets> + "/acme_ca.key"; + source-path = "${config.krebs.secret.directory}/acme_ca.key"; }; services.step-ca = { enable = true; diff --git a/krebs/2configs/cal.nix b/krebs/2configs/cal.nix index a1fe47b5d..1a0cdf019 100644 --- a/krebs/2configs/cal.nix +++ b/krebs/2configs/cal.nix @@ -108,7 +108,7 @@ in { krebs.secret.files.calendar = { path = "/var/lib/radicale/.ssh/id_ed25519"; owner = { name = "radicale"; }; - source-path = "${<secrets/radicale.id_ed25519>}"; + source-path = "${config.krebs.secret.directory}/radicale.id_ed25519"; }; security.sudo.extraConfig = '' diff --git a/krebs/2configs/hotdog-host.nix b/krebs/2configs/hotdog-host.nix index 95d70376b..ab2b22b7c 100644 --- a/krebs/2configs/hotdog-host.nix +++ b/krebs/2configs/hotdog-host.nix @@ -1,6 +1,7 @@ +{ config, ... }: { krebs.sync-containers3.containers.hotdog = { - sshKey = "${toString <secrets>}/hotdog.sync.key"; + sshKey = "${config.krebs.secret.directory}/hotdog.sync.key"; }; containers.hotdog.bindMounts."/var/lib" = { hostPath = "/var/lib/sync-containers3/hotdog/state"; diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix index 145b383ed..af308b2c7 100644 --- a/krebs/2configs/mastodon.nix +++ b/krebs/2configs/mastodon.nix @@ -33,8 +33,10 @@ ]; environment.systemPackages = [ - (pkgs.writers.writeDashBin "tootctl" '' - sudo -u mastodon /etc/profiles/per-user/mastodon/bin/mastodon-env /etc/profiles/per-user/mastodon/bin/tootctl "$@" + (pkgs.writers.writeDashBin "clear-mastodon-cache" '' + mastodon-tootctl media remove --prune-profiles --days=14 --concurrency=30 + mastodon-tootctl media remove-orphans + mastodon-tootctl preview_cards remove --days=14 '') (pkgs.writers.writeDashBin "create-mastodon-user" '' set -efu diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix new file mode 100644 index 000000000..633f6f5d5 --- /dev/null +++ b/krebs/2configs/nameserver.nix @@ -0,0 +1,179 @@ +{ config, lib, pkgs, ... }: let + acmeChallenge = + { domain + , nameserver + , adminEmail + , serial ? 0 + , refresh ? 3600 + , retry ? 900 + , expire ? 604800 + , minimum ? 180 + }: + pkgs.writeText "${domain}.zone" /* bindzone */ '' + $TTL 60 + @ IN SOA ${lib.concatStringsSep " " [ + "${nameserver}." + "${lib.replaceStrings ["@"] ["."] adminEmail}." + (toString serial) + (toString refresh) + (toString retry) + (toString expire) + (toString minimum) + ]} + @ IN NS ${nameserver}. + ''; +in { + networking.firewall.allowedTCPPorts = [ + 53 # domain for AXFR + ]; + networking.firewall.allowedUDPPorts = [ + 53 # domain + ]; + + krebs.systemd.services.knot.restartIfCredentialsChange = true; + systemd.services.knot.serviceConfig.LoadCredential = [ + "keys.conf:/var/src/secrets/knot-keys.conf" + ]; + + services.knot = { + enable = true; + keyFiles = [ + "/run/credentials/knot.service/keys.conf" + ]; + extraConfig = /* yaml */ '' + server: + udp-max-payload: 4096 + listen: [ 127.0.0.53@2, ${ + lib.concatMapStringsSep ", " + (addr: "${addr}@53") + ( + config.krebs.build.host.nets.internet.addrs or [] + ++ + # This is required for hosts at OCI because the default route + # provided by DHCP is using the private address. + config.krebs.build.host.nets.intranet.addrs or [] + ) + } ] + + log: + - target: syslog + any: debug + + remote: + - id: henet_ns1 + address: 216.218.130.2 + + - id: hostingde_ns1 + address: 134.0.30.178 + + - id: krebscode_ni + address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} + key: krebs_transfer_notify_key + + acl: + - id: acme_acl + key: acme + action: update + + - id: dane_acl + key: dane + action: update + + - id: transfer_to_henet_secondary + key: henet_transfer_key + address: [ 216.218.133.2, 2001:470:600::2 ] + action: transfer + + # https://www.hosting.de/helpdesk/produkte/dns/dns-master-ips/ + - id: transfer_to_hostingde_secondary + address: [ 134.0.30.178, 194.126.196.2, 2a03:2900:3:1::2, 2a03:2902:3:1::2 ] + action: transfer + + - id: transfer_to_krebscode_secondary + key: krebs_transfer_notify_key + action: transfer + + mod-rrl: + - id: default + rate-limit: 200 # Allow 200 resp/s for each flow + slip: 2 # Every other response slips + + policy: + - id: rsa2k + algorithm: rsasha256 + ksk-size: 4096 + zsk-size: 2048 + + template: + - id: default + global-module: mod-rrl/default + semantic-checks: on + zonefile-sync: -1 + zonefile-load: difference-no-serial + journal-content: all + + zone: + - domain: krebsco.de + file: ${pkgs.krebs.zones."krebsco.de"} + dnssec-signing: on + dnssec-policy: rsa2k + notify: henet_ns1 + notify: hostingde_ns1 + notify: krebscode_ni + acl: transfer_to_henet_secondary + acl: transfer_to_hostingde_secondary + acl: transfer_to_krebscode_secondary + acl: dane_acl + + - domain: _acme-challenge.krebsco.de + file: ${acmeChallenge { + domain = "_acme-challenge.krebsco.de"; + nameserver = "ns1.krebsco.de"; + adminEmail = "spam@krebsco.de"; + }} + acl: acme_acl + + - domain: r + file: ${pkgs.krebs.zones.r} + + - domain: w + file: ${pkgs.krebs.zones.w} + ''; + }; + + systemd.services."knsupdate-krebsco.de" = { + serviceConfig = { + Type = "oneshot"; + SyslogIdentifier = "knsupdate-krebsco.de"; + ExecStart = pkgs.writeDash "knsupdate-krebsco.de" /* sh */ '' + set -efu + + mk_certificate_association_data() { + ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 < "$1" | + ${pkgs.coreutils}/bin/cut -d= -f2 | + ${pkgs.coreutils}/bin/tr -d : + } + + certfile=/var/lib/acme/krebsco.de/cert.pem + certificate_association_data=$(mk_certificate_association_data "$certfile") + keyfile=/var/src/secrets/dane.tsig + + script=$(${pkgs.coreutils}/bin/mktemp -t knsupdate.XXXXXXXX) + trap 'rm "$script"' EXIT + ( + exec >"$script" + echo server krebsco.de. + echo zone krebsco.de. + echo origin krebsco.de. + echo add _25._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data + echo add _443._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data + echo show + echo send + echo answer + echo quit + ) + ${pkgs.knot-dns}/bin/knsupdate -k "$keyfile" "$script" + ''; + }; + }; +} diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix index 71793e518..81922ef87 100644 --- a/krebs/2configs/news-host.nix +++ b/krebs/2configs/news-host.nix @@ -1,5 +1,6 @@ +{ config, ... }: { krebs.sync-containers3.containers.news = { - sshKey = "${toString <secrets>}/news.sync.key"; + sshKey = "${config.krebs.secret.directory}/news.sync.key"; }; } diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix index 1b72924a6..a488fdfea 100644 --- a/krebs/2configs/repo-sync.nix +++ b/krebs/2configs/repo-sync.nix @@ -98,7 +98,7 @@ in { krebs.secret.files.konsens = { path = "/var/lib/konsens/.ssh/id_ed25519"; owner = konsens-user; - source-path = "${<secrets/konsens.id_ed25519>}"; + source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>"; }; imports = [ diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix index 59178516c..90ae66f6e 100644 --- a/krebs/2configs/syncthing.nix +++ b/krebs/2configs/syncthing.nix @@ -10,8 +10,8 @@ in { services.syncthing = { enable = true; configDir = "/var/lib/syncthing"; - key = toString <secrets/syncthing.key>; - cert = toString <secrets/syncthing.cert>; + key = "${config.krebs.secret.directory}/syncthing.key"; + cert = "${config.krebs.secret.directory}/syncthing.cert"; # workaround for infinite recursion on unstable, remove in 23.11 } // (if builtins.hasAttr "settings" options.services.syncthing then { settings.devices = mk_peers used_peers; } diff --git a/krebs/2configs/tor/initrd.nix b/krebs/2configs/tor/initrd.nix index 98ed039b4..21c46a0a7 100644 --- a/krebs/2configs/tor/initrd.nix +++ b/krebs/2configs/tor/initrd.nix @@ -13,12 +13,12 @@ config.krebs.users.makefu.pubkey config.krebs.users.tv.pubkey ]; - hostKeys = [ <secrets/initrd/openssh_host_ecdsa_key> ]; + hostKeys = [ "${config.krebs.secret.directory}/initrd/openssh_host_ecdsa_key" ]; }; boot.initrd.availableKernelModules = [ "e1000e" ]; boot.initrd.secrets = { - "/etc/tor/onion/bootup" = <secrets/initrd>; + "/etc/tor/onion/bootup" = "${config.krebs.secret.directory}/initrd"; }; boot.initrd.extraUtilsCommands = '' diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix index a227ceb4a..4b0bf9768 100644 --- a/krebs/2configs/wiki.nix +++ b/krebs/2configs/wiki.nix @@ -96,7 +96,7 @@ in krebs.secret.files.gollum = { path = "${config.services.gollum.stateDir}/.ssh/id_ed25519"; owner = { name = "gollum"; }; - source-path = "${<secrets/gollum.id_ed25519>}"; + source-path = "${config.krebs.secret.directory}/gollum.id_ed25519"; }; security.sudo.extraConfig = '' |