dns: got a working letsencrypt setup

silver 2023-04-23 04:22:01 +01:00
parent ef37392f07
commit 6119c9a88a
6 changed files with 145 additions and 111 deletions


@ -73,106 +73,124 @@ in {
}; };
services.bind = { services.bind = {
enable = true; enable = true;
ipv4Only = true; ipv4Only = true;
# need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns # need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns
extraConfig = '' extraConfig = ''
include "/run/agenix/dns_dnskeys"; include "/run/agenix/dns_dnskeys";
''; '';
# set the upstream dns servers # set the upstream dns servers
# overrides the default dns servers # overrides the default dns servers
forwarders = [ forwarders = [
# Cloudflare # Cloudflare
"1.1.1.1" "1.1.1.1"
# Google # Google
"8.8.8.8" "8.8.8.8"
# Quad9 # Quad9
"9.9.9.9" "9.9.9.9"
]; ];
cacheNetworks = [ cacheNetworks = [
# this server itself # this server itself
"127.0.0.0/24" "127.0.0.0/24"
# all of skynet can use this as a resolver # all of skynet can use this as a resolver
"193.1.99.64/26" "193.1.99.64/26"
]; ];
zones = { zones = {
/* /*
put any other zones above skynet and link to their files like so: put any other zones above skynet and link to their files like so:
example.ie = { example.ie = {
extraConfig = ""; extraConfig = "";
file = ./dns/example; file = ./dns/example;
master = true;
masters = [];
slaves = [ ];
};
Skynet is handled a bit more dynamically since it is the key one we should focus on
*/
"skynet.ie" = {
extraConfig = "allow-update { key rfc2136key.skynet.ie.; };";
# really wish teh nixos config didnt use master/slave
master = true; master = true;
masters = [];
slaves = [ ]; slaves = [ ];
# need to write this to a file
file = pkgs.writeText "dns_zone_skynet"
# no leading whitespace for first line
''
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. (
2023011701 ; Serial (YYYYMMDDCC)
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
2419200 ; Expire (4 weeks)
3600 ; Minimum (1 hour)
)
NS ns1.skynet.ie.
NS ns2.skynet.ie.
; @ stands for teh root domain so teh A record below is where skynet.ie points to
A 193.1.99.76
MX 5 mail.skynet.ie.
; can have multiple mailserves
;MX 20 mail2.skynet.ie.
; ------------------------------------------
; Server Names
; ------------------------------------------
; External addresses
; ------------------------------------------
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external}
; this is fixed for now
wintermute A 193.1.101.148
; internal addresses
; ------------------------------------------
; May come back to this idea in teh future
; agentjones.int A 172.20.20.1
; cname's
; ------------------------------------------
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname}
'';
}; };
Skynet is handled a bit more dynamically since it is the key one we should focus on
*/
"skynet.ie" = {
extraConfig = "allow-update { key rfc2136key.skynet.ie.; };";
# really wish teh nixos config didnt use master/slave
master = true;
slaves = [ ];
# need to write this to a file
file = "/etc/dns_custom/dns_zone_skynet";
# no leading whitespace for first line
}; };
}; };
}; };
# creates a folder in /etc for the dns to use
users.users.named = {
createHome = true;
home = "/etc/dns_custom";
};
environment.etc = {
# Creates /etc/dns_custom/dns_zone_skynet
"dns_custom/dns_zone_skynet" = {
user = "named";
group = "named";
# The UNIX file mode bits
mode = "0644";
text =
''
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. (
2023011701 ; Serial (YYYYMMDDCC)
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
2419200 ; Expire (4 weeks)
3600 ; Minimum (1 hour)
)
NS ns1.skynet.ie.
NS ns2.skynet.ie.
; @ stands for teh root domain so teh A record below is where skynet.ie points to
A 193.1.99.76
MX 5 mail.skynet.ie.
; can have multiple mailserves
;MX 20 mail2.skynet.ie.
; ------------------------------------------
; Server Names
; ------------------------------------------
; External addresses
; ------------------------------------------
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external}
; this is fixed for now
wintermute A 193.1.101.148
; internal addresses
; ------------------------------------------
; May come back to this idea in teh future
; agentjones.int A 172.20.20.1
; cname's
; ------------------------------------------
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname}
'';
};
};
};
} }
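Review bot: The zone now lives in `environment.etc."dns_custom/dns_zone_skynet"` with a fixed `2023011701` serial, so (if I read environment.etc's non-symlink mode right) every activation rewrites /etc/dns_custom/dns_zone_skynet from the static text, while the unchanged `allow-update { key rfc2136key.skynet.ie.; }` lets bind apply dynamic changes on top of it; after the next rebuild the ACME-added records are gone and the journal bind keeps beside the file (dns_zone_skynet.jnl) no longer matches the zone, which bind normally reports as an error when loading. That deserves a comment above `text =`, e.g. `# NOTE: rewritten on every activation — dynamic updates are dropped and a stale .jnl will conflict; clear the journal before bind starts or move the zone out of /etc`, plus a pre-start step that does so. Separately, `allow-update` grants the key write access to every record in skynet.ie, whereas the letsencrypt flow only needs TXT under _acme-challenge; `update-policy { grant rfc2136key.skynet.ie. name _acme-challenge.skynet.ie. TXT; };` in `extraConfig` limits what a leaked key can change. The `mode = "0644"` file is owned by `named`, but the directory created via `users.users.named.home` is where the journal is written, so its ownership is what matters for updates and should be checked on the host. The enclosing `services.bind`/`in {` attribute set starts before the hunk.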


@ -35,16 +35,16 @@
# cannot use our own it seems? # cannot use our own it seems?
nameservers = [ nameservers = [
# ns2 # ns2
#"193.1.99.109" "193.1.99.109"
# ns1 # ns1
#"193.1.99.120" "193.1.99.120"
# Cloudflare # Cloudflare
"1.1.1.1" #"1.1.1.1"
# Google # Google
"8.8.8.8" #"8.8.8.8"
# Quad9 # Quad9
"9.9.9.9" #"9.9.9.9"
]; ];
}; };
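Review bot: The comment `# cannot use our own it seems?` above `nameservers` now contradicts the code beneath it, which switches the host to ns2/ns1 (193.1.99.109, 193.1.99.120) and comments out the public resolvers; replace it with `# resolve via our own ns1/ns2; public resolvers left below (commented) as a fallback`. With only the two skynet servers listed, name resolution on this host depends entirely on that bind instance being reachable, including during the rebuild that restarts it and during the ACME run this commit is about; if that is not intended, keeping one public resolver last in the list preserves a fallback. The attribute set containing `nameservers` starts before the hunk.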

Binary file not shown.


@ -1,19 +1,31 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 V1pwNA 2ktkYzbOCI8Sedb7cFXrmOL7HqPmMFSmavTgJ/kXVyA -> ssh-ed25519 V1pwNA sW0/BN/WfF+8VshBdG/RcuJNUJFoRiV207qXHJ+nEQU
3kcv57UNk7Hryd8RckwYzuzN7eY6Lle4+DdG+QC86Hk 3xBHqOiK1MXQpfefvXpsUCAtB8SmpPYQxgWnKLY4/Mo
-> ssh-ed25519 rIwlvw MoH0rHRt6ZL/3Ew1O7zHN9pz5CSA6YxbJ840gx0jCGY -> ssh-ed25519 rIwlvw 5N++1xasQ3ngJK8rWcnV1febLgOxdQxzj2FdwLeuvm0
AO7z51p5PlbAYUZgmk/joTdGeK4SxlCc+VgMcOrxkP0 Ync9n2pX/MPHi6fKcBw/rir/KUOBDRZapaxxsu+XQyI
-> ssh-ed25519 bPfq4g zu5ZfmzDiMBSn0UUpyO9iFieE7b+MMbuk4X5ABSUwhg -> ssh-ed25519 bPfq4g GM5ZOInllLXKdpyIREUMWU0QToOgJe7TNWVoMXbYHTk
HKNFCsxNqEK94tEnYz5+cVypheP5Cf+5tYRft3rCucY EfTBSko70+g28s21kPAWixZmkgbwfmTzosmP11q5Kh0
-> ssh-ed25519 P1ilJQ pnX29lb1zHoXzv4S6+D4VtLPJEsrnkyhfNjsaNwkJmw -> ssh-ed25519 P1ilJQ 6NcCV8qZcm4zCPAixGhazZvwh2bQxqHsz0p3XuS54z0
hXc9XLxtvyzUJNdhPi40bMFzdpuUKOHkpZ3gWMfjWwk wUPo7zXREnpUkS8mRTU3tM3WR9QuYiC48Rlzl7CyPdk
-> ssh-ed25519 XSrA6w +h7/dC7DYOcRK1nxTDvdsgDEM43bBChM6vJ4PuL45ww -> ssh-ed25519 XSrA6w XV0e5v8rRSuTgsFPNjQOcaQnAJJ4JOCViTsiK7ClFUI
n0mVPplmTM3A76iF27Wt62RDJ4yeoZa51q6bRhPEcXA BgY93FYHCAE2BmcNm8SRYKRqMoXc3IshLxkNlJVGxrU
-> ssh-ed25519 pBdJmw b/oJKbk8mXkUsd0oRuzrAQHTsiZdE8cW5bDC3dM3Vn8 -> ssh-ed25519 pBdJmw /ppt+XqNCOj3ToS59AbT40lliyPi5aYdgsb+nOd70Cc
6L+Zry15OyCXKOE71iqihTFVc2WB2Y7X7ZuFZSWXFSw pXQqbfdC00/ITW9zblgGS+SCaM84BcWRrVr12Gkaqqk
-> ssh-ed25519 v2Y09A DBZDXfWnm/3d83xG4a7XnMDAU+WYR2l4UDOjWAwlVxA -> ssh-ed25519 v2Y09A 25QeUKlLkjSOKFIBUHi8I0yQFtjJ10eMd5skrgB4wh4
4wE9Ss/D2Mmq4WddUsoa79S3db4Z6vpDs9zQR+zLROw 87j2b0Lvx+Qow8ggjVmkqDTc9par1RUAfmPxB9hL810
-> R9;-grease -> ssh-rsa l6p0xw
C4FHCe8aUuP55YV6ZnrphOE aXJe3/ZW4d1wW58cGO43c1c7VqUid6LQNudUXZQF7hDGwWp66zUeTtJS8iK1uVRr
--- /fL2KiOXipdwzKNjkkfwON+3h9JGa+M8wod12lkJ37A fBEd9MfCQXZ6e4mmeEsFDYhhsrihjFNqjv/V229VRfvlh6PFjyFsi8kOZmN0IyPC
tæwkGï°h€<EFBFBD>mhg?:LïŠXJÍîá^NN0O|a|<7C>ˆ3Æ|8E"%™3Z~žuÕ†—brÚˆA. ú)ñqëò,­62ÕÆؼa`/<1'—rÝËÂÖIV3ÌñP ­_…éìID )RÝ”cVÌc)BüG<C3BC>ƦO±<4F>²Õ¬;¦RÕö×Ù#4(Å-e£¯DÔ rffk42oS9cVuG1JT/98kE56vUdJ098E+D7W5vHD6lVayp97DpncQRNqXyTWMdYB+
75aHyUnI3JXmhftwPmQXthwKqYm/z5Q1yHtUWqo3VZ/UIN2fWD17XOxIVVdksSh6
WdhJ7B+KYP1oXHZKeTGMpmPP7FYrgybbFlNl2Bg3+hc2g+Pav63ovnokr4hzmxf9
+Vy0/gwE5tLKYXhSgCsfYLoYLcjh2LtdyWttG7z12TjKFtoxS1wfO71PBmQAWwV6
MAaOfZdCbxZ6xpcJuvONmuvXaxzOxbZ5bgtrd2msEf2L3xlDDAPzUB786kvTLjjh
SkQFZvX8SWQBB4u7GKu7jwUYl8zcBfczVvQQ0APL/UUdIyYEClhbJO1MKJHgFAGN
mnuU0GQguxllgsT6+lNyKT9yP9W7wP92Bh+FzfRBH39Rq+FTb+VSQ5aOdoxtmbdQ
G99WJKDW0v3JXnveUeNGLXe0p0kH5qBdsZmRGcXmu1Wqwa5iIZKC80HEzztYFngc
n9dxirg30yQYoGUdASEQUDA55ZWb4hsrY7O1bz/fJ/g
-> B21^W'i:-grease X\JYH |@t jh9o
t4jio4eAlhMaiiGmy7ZKe7feRi36XQpUMkHAWyF42EMDbwzRcNVcvophXSQ
--- mvcfX2P6vxluKGbahXGgsl0bnjzgZF7Gd1HNEDnPh0o
ç”×<EFBFBD>³íK˜/Z7ÀA´0+ÕF)VçoÃe(ÉOñþ}ç¸cùu([(àm6rBy“ÃÛX1=³ð-œî˜ <>_8Ò&âå»ü˔ۊçwÓ?Y,I9 €=8FÌ]oaÀWó<0F>íXG;2ó<32>jÃìem­.Høƒ†Þ <0C>Š?ÿ"mÒKF9¢Š èX¹‰R


@ -16,6 +16,9 @@ let
galatea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3Mke5YtaMkLvXJxJ3y7YAIEBesoJk3qJyJsnoLUWgW root@galatea"; galatea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3Mke5YtaMkLvXJxJ3y7YAIEBesoJk3qJyJsnoLUWgW root@galatea";
# for testing configs at home
silver_homelab = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCG1JzosOwS7oKjgm0+FlqMKrUbu+M5403un+VA7LwiGRQnneawuq6aqQsIoDqAlb9AzUdLTeBQb+rBf94kx7yVGdEIz1i34WdMK3kgl176jnDIR4TWeNKdj8Q6+4d7tn5mZrqmpXZ/+1KSauV9JHxytR+7A4NVexkhGX1Mq3efGBYsCKzUQh83lHs2baWUYuxaPCCR6vy6uklzQRQfg+NsxCCUKkbgJwv1ar5U1ccr4N89EWiR2Yu4XsPzXr0JJUQcUy587l+G7QYVoCwVgUKHevCRqtRlmnI6JrzWctQJPpAmWF4EF66QnWccdXUS+aVc0IKP0ORqmz8Nps4NWWVPjRRxeshl2XfFawWxGlgT4WJ0+qv/EDVPZQvNBrjFvY5QBAaU08Nnkg6QzehlwD4/zQQMFiDjMb7sUuhXdq0vOK235QMhS4jtX7Sm2ki6mJdXrlErq9dIaqcoYuw9EtfajaM/NnGYIy97JUOrfztQTAwiuPgrc4DijpdR0QtvYK7NvefiJYcW+osmcv+FYM03kMXK9uGtM6KI44i27ZdsUFWTIHeiR1yBGUfP1ObFLLaNx5E42jSA77RLF8BSUaPbGgRv3OciACNftIKhAJrV4AZGvBbaUvAlzC8CryFAcRDgQwIVlXBJzChc7Rh9/V8I5342Tq7xMmzBQ2WcQdqZ9Q== root@galatea";
systems = [ systems = [
agentjones agentjones
@ -23,12 +26,13 @@ let
galatea galatea
vendetta vendetta
vigil vigil
silver_homelab
]; ];
in in
{ {
# nix run github:ryantm/agenix -- -e secret1.age # nix run github:ryantm/agenix -- -e secret1.age
"wireguard.age".publicKeys = users ++ systems;
"dns_certs.secret.age".publicKeys = users ++ systems; "dns_certs.secret.age".publicKeys = users ++ systems;
"dns_dnskeys.conf.age".publicKeys = users ++ systems; "dns_dnskeys.conf.age".publicKeys = users ++ systems;

Binary file not shown.