From 59180b66917123f7cb1e30da89ad6f701b974826 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= 
Date: Sun, 28 Jan 2024 00:18:40 +0100 
Subject: [PATCH] Migrate bind to knot 
---
 .sops.yaml | 16 +--
 flake.nix | 14 +--
 hosts/bind/default.nix | 120 ----------------------
 hosts/knot/default.nix | 165 ++++++++++++++++++++++++++++++
 hosts/{bind => knot}/secrets.yaml | 14 +--
 5 files changed, 188 insertions(+), 141 deletions(-)
 delete mode 100644 hosts/bind/default.nix
 create mode 100644 hosts/knot/default.nix
 rename hosts/{bind => knot}/secrets.yaml (86%) 
diff --git a/.sops.yaml b/.sops.yaml 
index 68e1183c..5660c7e8 100644 
--- a/.sops.yaml 
+++ b/.sops.yaml 
@@ -18,9 +18,8 @@ keys:
 # Generate AGE keys from SSH keys with:
 # nix-shell -p ssh-to-age --run 'ssh some.serv.zentralwerk.org cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age' 
- - &auth age1y7lxpxskqclwqluft2ct2c3u8weehus6t8evwk7cdnpakxzgcquspn827x
 - &activity-relay age1a8k72egc2vg4jn445wwcr0a68y9xu5ft68s2xwehugs5sjawpv4q5nnrmy 
- - &bind age1hfzpctkk5tz0ddc86ul9t0nf8c37jtngawepvgxk5rxlvv938vusx4kuc6 
+ - &auth age1y7lxpxskqclwqluft2ct2c3u8weehus6t8evwk7cdnpakxzgcquspn827x
 - &blogs age1lccjvj9z8de4hfrdeumm9eu7awef4d9jygv3w7zdash3fhv6e53quy53wz
 - &broker age1dj0d0339f4law7qvuzcv2fs6sf8why63s3l8tja0f8vsj7wefcds9drvte
 - &buzzrelay age1j2euh5qt4a7cvx0t93uj4n9t8y8tkv9h3nefszc6g2q7t7gvngxswhrve0 
@@ -39,6 +38,7 @@ keys:
 - &home-assistant age1l2tld2cttpkj4vpuh9hm4xjwq94rmf8vukjgvdzcvwwtze6k6s6qjf0s5r
 - &hydra age1px8sjpcmnz27ayczzu883n0p5ad34vnzj6rl9y2eyye546v0m3dqfqx459
 - &jabber age1tnq862ekxepjkes6efr282uj9gtcsqru04s5k0l2enq5djxyt5as0k0c2a 
+ - &knot age1hfzpctkk5tz0ddc86ul9t0nf8c37jtngawepvgxk5rxlvv938vusx4kuc6
 - &mailtngbert age1jr5mc4ekmjf4uk2ue4xcuy0yl202phlu2t6c544qfj45ahzag56s4d0kzj
 - &mastodon age1dcpd6u4psq3hehjyjrt3s7kzmnvxd20vsc8urjcdv6anr5v7ky2sq9rhtt
 - &matemat age15vmz2evhnkn26fyt4vqvgztfrsr2s8qavd2m6zfjmkh84q2g75csnc5kr6 
@@ -51,20 +51,20 @@ keys:
 - &oparl age14aq8fscrwkgmu5yv86vj7p7kmxclzs6dp7fpvdhvrnmce83ztphqc4mr9q
 - &owncast age1cp9gsuyfu52exk0hr3fvj404v5njhahakzwlugwtneyrs4vgdyaq0sg92f
 - &pretalx age1u6xeayzwfdj9l0mg3f4xvjd8e9nemz5psqavauvacjgp2nku95yqc4f29s 
+ - &prometheus age13xhxqulvswuckmpkmy2fgeqd5jx0ar8e2hst33leljt69r6hsvnsrdw63k
 - &public-access-proxy age1xcj6peyaf5xvj2673vl9j0z7supwtw7hzuk782zk7gt69k2ykytqe65mg5
 - &pulsebert age12hdk2stter0cjexxwx3sqn9wx3vmptkxszvx7knq9zgm9uqzjs7suvkcqu
 - &radiobert age1lga6hjmxa95fmtdn3frlmy64ej3hyswxrcuz25qvw0kfsxkqeugs8gjw8q
 - &riscbert age148d87gqw59lmst5jv3vynhsu3tv4t4sj49s4lktvnplfcrjq2y5sjcwsu8
 - &scrape age1p60rg45qrzpv2hcfzxl8d8k9afkk7dtrhr98cngeyuhlega83ynssmtx5k
 - &sdrweb age1makkpv2t74lxmw0nk6m89nespva7j700pmt83pl5a4ldtj2k8fzqakw8h7 
+ - &server10 age15qj8latetnrmgzd7krq02y65kn7lhq2pcwv8cvzej2783u5a9scqs79nmf
 - &server8 age12jcu0jtw7m96evxnd0vu6lvsm8uswslrdhxd2u655vjrwhljmqdsptry37
 - &server9 age15vrlmtckjf4j242juw7l5e0s6eunn67ejr9acaztnl3tmvwpufrsevntva 
- - &server10 age15qj8latetnrmgzd7krq02y65kn7lhq2pcwv8cvzej2783u5a9scqs79nmf
 - &spaceapi age125k9uyqw5ae5jqkfsak4d6c6rcx9q63ywuusk62pmxdnhwzqxgqq2jsau7 
- - &stream age14h2npkt6m40ewkkaee7zx49redew5rjsjpm70qhka8cwkekmspqqpspy4g
 - &storage-ng age1qjvds58pedjdk9rj0yqfvad4xhpteapr9chvfucwcgwrsr8n7axqyhg2vu 
+ - &stream age14h2npkt6m40ewkkaee7zx49redew5rjsjpm70qhka8cwkekmspqqpspy4g
 - &ticker age1kdrpaqsy7gdnf80fpq6qrrc98nqjuzzlqx955uk2pkky3xcxky8sw9cdjl 
- - &prometheus age13xhxqulvswuckmpkmy2fgeqd5jx0ar8e2hst33leljt69r6hsvnsrdw63k
 - &vaultwarden age1xs22728ltpl3yh8hzvwt4g3gk8uc32lg8cqh86fp5d8c2jlvp3gshmejun
 creation_rules: 
@@ -112,7 +112,6 @@ creation_rules:
 age:
 - *polygon-snowflake
 - *auth 
- - *bind
 - *blogs
 - *broker
 - *buzzrelay 
@@ -128,6 +127,7 @@ creation_rules:
 - *hedgedoc
 - *hydra
 - *jabber 
+ - *knot
 - *mailtngbert
 - *mastodon
 - *matemat 
@@ -167,11 +167,11 @@ creation_rules:
 - *auth
 - *polygon-snowflake 
- - path_regex: hosts/bind/secrets\.yaml$ 
+ - path_regex: hosts/knot/secrets\.yaml$
 key_groups:
 - pgp: *admins
 age: 
- - *bind 
+ - *knot
 - *polygon-snowflake
 - path_regex: hosts/blogs/secrets\.yaml$ 
diff --git a/flake.nix b/flake.nix 
index 2fe79915..a8b90968 100644 
--- a/flake.nix 
+++ b/flake.nix 
@@ -279,13 +279,6 @@
 ];
 }; 
- bind = nixosSystem' { 
- modules = [ 
- self.nixosModules.microvm 
- ./hosts/bind 
- ]; 
- }; 
-
 blogs = nixosSystem' {
 modules = [
 self.nixosModules.microvm 
@@ -345,6 +338,13 @@
 ];
 }; 
+ knot = nixosSystem' { 
+ modules = [ 
+ self.nixosModules.microvm 
+ ./hosts/knot 
+ ]; 
+ }; 
+
 drone = nixosSystem' {
 modules = [
 self.nixosModules.microvm 
diff --git a/hosts/bind/default.nix b/hosts/bind/default.nix 
deleted file mode 100644 
index e8ed1689..00000000 
--- a/hosts/bind/default.nix 
+++ /dev/null 
@@ -1,120 +0,0 @@ 
-{ zentralwerk, config, pkgs, ... }: 
-let 
- # wrap reload in freeze/thaw so that zones are reloaded that had 
- # been updated by dyndns 
- reloadCommand = with pkgs; writeScriptBin "reload-bind" '' 
- #!${runtimeShell} 
- 
- rndc() { 
- ${bind}/sbin/rndc -k /etc/bind/rndc.key $@ 
- } 
- 
- chmod a+rwx /var/lib/c3d2-dns/zones 
- rndc freeze 
- rndc reload 
- rndc thaw 
- ''; 
-in 
-{ 
- c3d2 = { 
- hq.statistics.enable = true; 
- deployment.server = "server10"; 
- }; 
- 
- environment = { 
- etc.gitconfig.text = '' 
- [url "gitea@gitea.c3d2.de:"] 
- insteadOf = https://gitea.c3d2.de/ 
- ''; 
- systemPackages = with pkgs; [ 
- rsync # used in drone CI 
- ]; 
- }; 
- 
- networking = { 
- hostName = "bind"; 
- firewall = { 
- allowedTCPPorts = [ 
- # DNS 
- 53 
- ]; 
- allowedUDPPorts = [ 
- # DNS 
- 53 
- ]; 
- }; 
- }; 
- 
- # Privileged commands triggered by deploy-c3d2-dns 
- security.sudo.extraRules = [ { 
- users = [ "c3d2-dns" ]; 
- commands = [ { 
- command = "/etc/profiles/per-user/c3d2-dns/bin/reload-bind"; 
- options = [ "NOPASSWD" ]; 
- } ]; 
- } ]; 
- 
- # DNS server 
- services.bind = { 
- enable = true; 
- extraConfig = '' 
- include "${config.users.users.c3d2-dns.home}/zones.conf"; 
- include "${zentralwerk.packages.${pkgs.system}.dns-slaves}"; 
- 
- # for collectd 
- statistics-channels { 
- inet 127.0.0.1 port 8053; 
- }; 
- ''; 
- }; 
- 
- # BIND statistics in Grafana 
- services.collectd.plugins.bind = '' 
- URL "http://127.0.0.1:8053/"; 
- ParseTime false 
- OpCodes true 
- QTypes true 
- ServerStats true 
- ZoneMaintStats true 
- ResolverStats false 
- MemoryStats true 
- ''; 
- 
- sops = { 
- defaultSopsFile = ./secrets.yaml; 
- secrets = { 
- "ssh-keys/c3d2-dns/private" = { 
- owner = "c3d2-dns"; 
- path = "/var/lib/c3d2-dns/.ssh/id_ed25519"; 
- }; 
- "ssh-keys/c3d2-dns/public" = { 
- owner = "c3d2-dns"; 
- path = "/var/lib/c3d2-dns/.ssh/id_ed25519.pub"; 
- }; 
- }; 
- }; 
- 
- system.stateVersion = "22.05"; 
- 
- systemd.services.bind.serviceConfig = { 
- Restart = "always"; 
- RestartSec = "5s"; 
- }; 
- 
- 
systemd.tmpfiles.rules = [ 
- "d ${config.users.users.c3d2-dns.home} 0755 c3d2-dns ${config.users.users.c3d2-dns.group} - -" 
- "d /var/lib/bind/slave 0755 named nogroup - -" 
- ]; 
- 
- # Build user 
- users.groups.c3d2-dns = {}; 
- users.users.c3d2-dns = { 
- isNormalUser = true; 
- group = "c3d2-dns"; 
- home = "/var/lib/c3d2-dns"; 
- openssh.authorizedKeys.keys = [ 
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2" 
- ]; 
- packages = [ reloadCommand ]; 
- }; 
-} 
diff --git a/hosts/knot/default.nix b/hosts/knot/default.nix 
new file mode 100644 
index 00000000..54f4eadb 
--- /dev/null 
+++ b/hosts/knot/default.nix 
@@ -0,0 +1,165 @@ 
+{ config, pkgs, ... }: 
+ 
+{ 
+ c3d2 = { 
+ hq.statistics.enable = true; 
+ deployment.server = "server10"; 
+ }; 
+ 
+ environment = { 
+ etc.gitconfig.text = /* gitconfig */ '' 
+ [url "gitea@gitea.c3d2.de:"] 
+ insteadOf = https://gitea.c3d2.de/ 
+ ''; 
+ systemPackages = with pkgs; [ 
+ rsync # used in drone CI 
+ ]; 
+ }; 
+ 
+ # changes in knot config cause a rebuild because tools like keymgr are wrapped with the config file *and* contain the man pages 
+ documentation.man.generateCaches = false; 
+ 
+ networking = { 
+ hostName = "knot"; 
+ firewall = { 
+ allowedTCPPorts = [ 
+ # DNS 
+ 53 
+ ]; 
+ allowedUDPPorts = [ 
+ # DNS 
+ 53 
+ ]; 
+ }; 
+ }; 
+ 
+ services.knot = { 
+ enable = true; 
+ keyFiles = [ config.sops.secrets."knot/keyFile".path ]; 
+ settings = { 
+ acl = [ 
+ { 
+ id = "jabber"; 
+ key = "jabber"; 
+ action = "update"; 
+ update-owner = "name"; 
+ update-owner-match = "sub-or-equal"; 
+ update-owner-name = [ "jabber.c3d2.de." ]; 
+ } 
+ ]; 
+ 
+ log = [ { 
+ target = "syslog"; 
+ any = "info"; 
+ } ]; 
+ 
+ mod-stats = [ { 
+ id = "default"; 
+ query-type = "on"; 
+ } ]; 
+ 
+ remote = [ 
+ { 
+ id = "ns.spaceboyz.net"; 
+ address = [ "95.217.229.209" "2a01:4f9:4b:39ec::4" ]; 
+ } { 
+ # TODO: drop 
+ id = "ns0.q-ix.net"; 
+ address = [ "217.115.12.65" "2a00:1328:e101:b01::1" ]; 
+ } { 
+ id = "ns1.supersandro.de"; 
+ address = [ "188.34.196.104" "2a01:4f8:1c1c:1d38::1" ]; 
+ } 
+ ]; 
+ 
+ remotes = [ { 
+ id = "all"; 
+ remote = [ "ns.spaceboyz.net" "ns0.q-ix.net" /*"ns1.supersandro.de"*/ ]; 
+ } ]; 
+ 
+ server = { 
+ answer-rotation = true; 
+ automatic-acl = true; 
+ identity = "ns1.supersandro.de"; 
+ tcp-fastopen = true; 
+ version = null; 
+ }; 
+ 
+ template = [ { 
+ id = "default"; 
+ # dnssec-signing = true; ??? 
+ file = "%s.zone"; 
+ global-module = [ "mod-stats" ]; 
+ journal-content = "all"; # required for zonefile-load=difference-no-serial and makes cold starts like zone reloads 
+ module = "mod-stats/default"; 
+ semantic-checks = true; 
+ serial-policy = "dateserial"; 
+ storage = "/var/lib/knot/zones"; 
+ zonefile-load = "difference-no-serial"; 
+ } ]; 
+ 
+ zone = map (zone: { 
+ inherit (zone) domain; 
+ template = "default"; 
+ notify = [ "all" ]; 
+ }) [ 
+ { domain = "c3dd.de"; } 
+ { domain = "c3d2.de"; } 
+ { domain = "hq.c3d2.de"; } 
+ { domain = "dyn.hq.c3d2.de"; } 
+ # TODO: consolidate 
+ { domain = "inbert.c3d2.de"; } 
+ { domain = "c3d2.ffdd"; } 
+ { domain = "c3d2.space"; } 
+ { domain = "c3d2.social"; } 
+ { domain = "cccdd.de"; } 
+ { domain = "dresden.ccc.de"; } 
+ { domain = "datenspuren.de"; } 
+ { domain = "netzbiotop.org"; } 
+ { domain = "pentamedia.org"; } 
+ { domain = "zentralwerk.ffdd"; } 
+ 
+ { domain = "0.4.2.2.0.0.4.1.c.7.6.0.1.0.0.2.ip6.arpa."; } 
+ { domain = "99.22.172.in-addr.arpa"; } 
+ ]; 
+ }; 
+ }; 
+ 
+ security.sudo.extraRules = [ { 
+ users = [ "knot" ]; 
+ commands = [ { 
+ command = "/etc/profiles/per-user/knot/bin/reload-knot"; 
+ options = [ "NOPASSWD" ]; 
+ } ]; 
+ } ]; 
+ 
+ sops = { 
+ defaultSopsFile = ./secrets.yaml; 
+ secrets = { 
+ "knot/keyFile".owner = "knot"; 
+ "ssh-keys/knot/private" = { 
+ owner = "knot"; 
+ path = "${config.users.users.knot.home}/.ssh/id_ed25519"; 
+ }; 
+ "ssh-keys/knot/public" = { 
+ owner = "knot"; 
+ path = "${config.users.users.knot.home}/.ssh/id_ed25519.pub"; 
+ }; 
+ }; 
+ }; 
+ 
+ system.stateVersion = "23.11"; 
+ 
+ users.users.knot = { 
+ home = "/var/lib/knot/zones/"; 
+ openssh.authorizedKeys.keys = [ 
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2" 
+ ]; 
+ packages = [ 
+ (pkgs.writeScriptBin "reload-knot" '' 
+ knotc reload 
+ '') 
+ ]; 
+ useDefaultShell = true; 
+ }; 
+} 
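Review bot: The CI deploy identity and the DNS service account are merged here: `users.users.knot` receives the drone SSH key, `useDefaultShell = true` and a NOPASSWD sudo rule, and since the NixOS knot module itself declares `users.users.knot` as the daemon user (as far as I recall), a holder of that key now gets an interactive login as the process that serves the zones, whereas the deleted bind host kept a separate unprivileged `c3d2-dns` user; a dedicated deploy user in group `knot` with write access to `storage`, holding only the `reload-knot` sudo rule, would restore that separation. The `jabber` ACL is declared but neither the `default` template nor any zone entry references it, and `automatic-acl` as I read the Knot docs only derives rules from `remote`s, so dynamic updates for `jabber.c3d2.de.` would be refused until `acl = [ "jabber" ];` is added to the `c3d2.de` zone entry. `reload-knot` is built with `writeScriptBin` and has no shebang, so it relies on sudo's ENOEXEC fallback and on `knotc` being in root's secure path; `pkgs.writeShellScriptBin "reload-knot" "knotc reload"` pins an interpreter the way the old `#!${runtimeShell}` script did. The trailing slash in `home = "/var/lib/knot/zones/"` makes the sops paths expand to `/var/lib/knot/zones//.ssh/...` and places the deploy private key inside the zone storage directory, and `# dnssec-signing = true; ???` leaves an open question in committed config that wants a decision or an explicit TODO.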
diff --git a/hosts/bind/secrets.yaml b/hosts/knot/secrets.yaml 
similarity index 86% 
rename from hosts/bind/secrets.yaml 
rename to hosts/knot/secrets.yaml 
index 2b7e1a94..657750ee 100644 
--- a/hosts/bind/secrets.yaml 
+++ b/hosts/knot/secrets.yaml 
@@ -1,7 +1,9 @@ 
+knot: 
+ keyFile: ENC[AES256_GCM,data:abZvm9g13J8yQ22OVkFQey9XGG4hl09qWUzqFJNNS8afEcT4vAbxZCLbrRSnCCI8uZn28/PgRMVPmKhV2l1VEBaiNt8Is2cWT0bf5CQK4P4P3f+/FY2LF6SzVEGpGkEioNM=,iv:x42ABoG+3qwj6K2l/SLySCQW3t2vgdMfazxwqWrQU9w=,tag:tovVGK6gJny8XR5bFo4QPg==,type:str]
 ssh-keys: 
- c3d2-dns: 
- public: ENC[AES256_GCM,data:I+gaK6an/zSCAh4FDH0udy1CYbuSHWdQ5LMV2x80TbRTV7xb8Zvq9ziSqVx/u2A9UtTQTdpU75g/kWOi64GokE38NgUOjhPYwQ4P9FRqRnYEHWLQHLPah7fluy52Mg==,iv:UWSne9LMRwWJEVffAWn8PxRy1/Kqp8ncPbLCso7zHFA=,tag:SHPaVkS1M65Zmsp2To1Pbg==,type:str] 
- private: ENC[AES256_GCM,data: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,iv:AdUU5x5cGh471+aTeqljkC3/6wSXWIFNACd772AQjpg=,tag:pdZSG63OwHt0AMDv3NhMsA==,type:str] 
+ knot: 
+ public: ENC[AES256_GCM,data:LxJqnVOjC7PD6Muup96Ep83/7MvhyIbE8iBB7Yxd2MkCIWZVuHhVcNgVBP9IaMs8cj4RPNq8NUJSP3AjRM0U+EDDXyRwend0GzpIERGoNEJOoqbCF1Ts9wVx4EEWrQ==,iv:RD8WYJURlTktuHP4CMo6KxS8N/H7adTt7pPttSEFuHM=,tag:e6JLyGvKJi+Nt1yP9gT2wA==,type:str] 
+ private: ENC[AES256_GCM,data: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,iv:uwy3u/GMLBnkfRDS4LUfS7A64DWlMjY4BujPC6tZPcI=,tag:PHRZD5I9ftzce2tek/YVdQ==,type:str]
 sops:
 kms: []
 gcp_kms: [] 
@@ -26,8 +28,8 @@ sops:
 RyswT3E2Rnh2aTZMdXI0QnJRQVFNYVUKu9yv8wZ7X6mmFc3wj/4cOL9mZrP0Q6F7
 fXtdZr93TmTK9cG5EuBYuGDvOooFsPeSLSjP6BFRG+2+X+QxK7nSFg==
 -----END AGE ENCRYPTED FILE----- 
- lastmodified: "2023-03-23T20:33:02Z" 
- mac: ENC[AES256_GCM,data:wGBfQRtmPZypEIHrImQ5U/N4QGCkdz8x7WC8UY/Z65oDt8OQUv0W0sTglANM7JlZHmnQejJuUa6olJoZDamYNenC+prkcyRej+tgFrEhoaOlpVH/+2OwRyIouQpVAyD328rcgu+tcLw+TmJEeF1LywgowSvlK7owm7GlqSPiK6U=,iv:wtnGIMNSOyNTot6cPxb7dT7IkAKrLP9ln3XYi8w/Fxg=,tag:b81yMYeTTXj29ITkJqrgFw==,type:str] 
+ lastmodified: "2024-01-28T00:01:53Z" 
+ mac: ENC[AES256_GCM,data:h0KiAAn9uNCvcbhwlAl53SVZnG5q8JvC2OWinoC3Q0+U1HXePLynl2Hn1sV87KCig+KlcokbgmFot7NyA0pzOuvbRWcjwJr8FEsb3wRvjxipF+B9z+yLwZ/RXaDgnYoa6pdPkA6eoAA33PO43tlSpaLf+/yRW6Ya/1l3wE/GY20=,iv:A/7PmpYq09vhsPosxITkHBPJnQkCo7EVcu+biOF0yiQ=,tag:YevwhNkWvqCf/JNz7Wrdlw==,type:str]
 pgp:
 - created_at: "2023-08-08T22:43:21Z"
 enc: | 
@@ -167,4 +169,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
 unencrypted_suffix: _unencrypted 
- version: 3.7.3 
+ version: 3.8.1