Migrate bind to knot
This commit is contained in:
parent
b7fc760059
commit
59180b6691
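--- a/.sops.yaml
+++ b/.sops.yaml
@@ -18,9 +18,8 @@ keys:
 
 # Generate AGE keys from SSH keys with:
 # nix-shell -p ssh-to-age --run 'ssh some.serv.zentralwerk.org cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
-- &auth age1y7lxpxskqclwqluft2ct2c3u8weehus6t8evwk7cdnpakxzgcquspn827x
 - &activity-relay age1a8k72egc2vg4jn445wwcr0a68y9xu5ft68s2xwehugs5sjawpv4q5nnrmy
-- &bind age1hfzpctkk5tz0ddc86ul9t0nf8c37jtngawepvgxk5rxlvv938vusx4kuc6
+- &auth age1y7lxpxskqclwqluft2ct2c3u8weehus6t8evwk7cdnpakxzgcquspn827x
 - &blogs age1lccjvj9z8de4hfrdeumm9eu7awef4d9jygv3w7zdash3fhv6e53quy53wz
 - &broker age1dj0d0339f4law7qvuzcv2fs6sf8why63s3l8tja0f8vsj7wefcds9drvte
 - &buzzrelay age1j2euh5qt4a7cvx0t93uj4n9t8y8tkv9h3nefszc6g2q7t7gvngxswhrve0
@@ -39,6 +38,7 @@ keys:
 - &home-assistant age1l2tld2cttpkj4vpuh9hm4xjwq94rmf8vukjgvdzcvwwtze6k6s6qjf0s5r
 - &hydra age1px8sjpcmnz27ayczzu883n0p5ad34vnzj6rl9y2eyye546v0m3dqfqx459
 - &jabber age1tnq862ekxepjkes6efr282uj9gtcsqru04s5k0l2enq5djxyt5as0k0c2a
+- &knot age1hfzpctkk5tz0ddc86ul9t0nf8c37jtngawepvgxk5rxlvv938vusx4kuc6
 - &mailtngbert age1jr5mc4ekmjf4uk2ue4xcuy0yl202phlu2t6c544qfj45ahzag56s4d0kzj
 - &mastodon age1dcpd6u4psq3hehjyjrt3s7kzmnvxd20vsc8urjcdv6anr5v7ky2sq9rhtt
 - &matemat age15vmz2evhnkn26fyt4vqvgztfrsr2s8qavd2m6zfjmkh84q2g75csnc5kr6
@@ -51,20 +51,20 @@ keys:
 - &oparl age14aq8fscrwkgmu5yv86vj7p7kmxclzs6dp7fpvdhvrnmce83ztphqc4mr9q
 - &owncast age1cp9gsuyfu52exk0hr3fvj404v5njhahakzwlugwtneyrs4vgdyaq0sg92f
 - &pretalx age1u6xeayzwfdj9l0mg3f4xvjd8e9nemz5psqavauvacjgp2nku95yqc4f29s
+- &prometheus age13xhxqulvswuckmpkmy2fgeqd5jx0ar8e2hst33leljt69r6hsvnsrdw63k
 - &public-access-proxy age1xcj6peyaf5xvj2673vl9j0z7supwtw7hzuk782zk7gt69k2ykytqe65mg5
 - &pulsebert age12hdk2stter0cjexxwx3sqn9wx3vmptkxszvx7knq9zgm9uqzjs7suvkcqu
 - &radiobert age1lga6hjmxa95fmtdn3frlmy64ej3hyswxrcuz25qvw0kfsxkqeugs8gjw8q
 - &riscbert age148d87gqw59lmst5jv3vynhsu3tv4t4sj49s4lktvnplfcrjq2y5sjcwsu8
 - &scrape age1p60rg45qrzpv2hcfzxl8d8k9afkk7dtrhr98cngeyuhlega83ynssmtx5k
 - &sdrweb age1makkpv2t74lxmw0nk6m89nespva7j700pmt83pl5a4ldtj2k8fzqakw8h7
+- &server10 age15qj8latetnrmgzd7krq02y65kn7lhq2pcwv8cvzej2783u5a9scqs79nmf
 - &server8 age12jcu0jtw7m96evxnd0vu6lvsm8uswslrdhxd2u655vjrwhljmqdsptry37
 - &server9 age15vrlmtckjf4j242juw7l5e0s6eunn67ejr9acaztnl3tmvwpufrsevntva
-- &server10 age15qj8latetnrmgzd7krq02y65kn7lhq2pcwv8cvzej2783u5a9scqs79nmf
 - &spaceapi age125k9uyqw5ae5jqkfsak4d6c6rcx9q63ywuusk62pmxdnhwzqxgqq2jsau7
-- &stream age14h2npkt6m40ewkkaee7zx49redew5rjsjpm70qhka8cwkekmspqqpspy4g
 - &storage-ng age1qjvds58pedjdk9rj0yqfvad4xhpteapr9chvfucwcgwrsr8n7axqyhg2vu
+- &stream age14h2npkt6m40ewkkaee7zx49redew5rjsjpm70qhka8cwkekmspqqpspy4g
 - &ticker age1kdrpaqsy7gdnf80fpq6qrrc98nqjuzzlqx955uk2pkky3xcxky8sw9cdjl
-- &prometheus age13xhxqulvswuckmpkmy2fgeqd5jx0ar8e2hst33leljt69r6hsvnsrdw63k
 - &vaultwarden age1xs22728ltpl3yh8hzvwt4g3gk8uc32lg8cqh86fp5d8c2jlvp3gshmejun
 
 creation_rules:
@@ -112,7 +112,6 @@ creation_rules:
 age:
 - *polygon-snowflake
 - *auth
-- *bind
 - *blogs
 - *broker
 - *buzzrelay
@@ -128,6 +127,7 @@ creation_rules:
 - *hedgedoc
 - *hydra
 - *jabber
+- *knot
 - *mailtngbert
 - *mastodon
 - *matemat
@@ -167,11 +167,11 @@ creation_rules:
 - *auth
 - *polygon-snowflake
 
-- path_regex: hosts/bind/secrets\.yaml$
+- path_regex: hosts/knot/secrets\.yaml$
 key_groups:
 - pgp: *admins
 age:
-- *bind
+- *knot
 - *polygon-snowflake
 
 - path_regex: hosts/blogs/secrets\.yaml$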
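Review bot: The new `&knot` recipient in the second hunk is byte-for-byte the old `&bind` recipient (`age1hfzpctkk5tz0ddc86ul9t0nf8c37jtngawepvgxk5rxlvv938vusx4kuc6`), i.e. the same SSH host key derived with the ssh-to-age command in the comment at the top of the file. That is fine if the knot VM is the renamed bind VM carrying its host key over, but if knot was provisioned fresh, everything encrypted to `*knot` is decryptable by the old bind host key and not by knot's own; either way the alias rename by itself does not rotate anything. Suggest a comment next to the alias, e.g. `# same host key as the former bind VM`, or re-deriving the recipient from the knot host and re-encrypting the file matched by `hosts/knot/secrets\.yaml$` once the bind VM is retired.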
14
flake.nix
14
flake.nix
|
@ -279,13 +279,6 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
bind = nixosSystem' {
|
|
||||||
modules = [
|
|
||||||
self.nixosModules.microvm
|
|
||||||
./hosts/bind
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
blogs = nixosSystem' {
|
blogs = nixosSystem' {
|
||||||
modules = [
|
modules = [
|
||||||
self.nixosModules.microvm
|
self.nixosModules.microvm
|
||||||
|
@ -345,6 +338,13 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
knot = nixosSystem' {
|
||||||
|
modules = [
|
||||||
|
self.nixosModules.microvm
|
||||||
|
./hosts/knot
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
drone = nixosSystem' {
|
drone = nixosSystem' {
|
||||||
modules = [
|
modules = [
|
||||||
self.nixosModules.microvm
|
self.nixosModules.microvm
|
||||||
|
|
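--- a/PATH-NOT-ON-PAGE (module imported by flake.nix as ./hosts/bind)
+++ /dev/null
@@ -1,120 +0,0 @@
-{ zentralwerk, config, pkgs, ... }:
-let
-# wrap reload in freeze/thaw so that zones are reloaded that had
-# been updated by dyndns
-reloadCommand = with pkgs; writeScriptBin "reload-bind" ''
-#!${runtimeShell}
-
-rndc() {
-${bind}/sbin/rndc -k /etc/bind/rndc.key $@
-}
-
-chmod a+rwx /var/lib/c3d2-dns/zones
-rndc freeze
-rndc reload
-rndc thaw
-'';
-in
-{
-c3d2 = {
-hq.statistics.enable = true;
-deployment.server = "server10";
-};
-
-environment = {
-etc.gitconfig.text = ''
-[url "gitea@gitea.c3d2.de:"]
-insteadOf = https://gitea.c3d2.de/
-'';
-systemPackages = with pkgs; [
-rsync # used in drone CI
-];
-};
-
-networking = {
-hostName = "bind";
-firewall = {
-allowedTCPPorts = [
-# DNS
-53
-];
-allowedUDPPorts = [
-# DNS
-53
-];
-};
-};
-
-# Privileged commands triggered by deploy-c3d2-dns
-security.sudo.extraRules = [ {
-users = [ "c3d2-dns" ];
-commands = [ {
-command = "/etc/profiles/per-user/c3d2-dns/bin/reload-bind";
-options = [ "NOPASSWD" ];
-} ];
-} ];
-
-# DNS server
-services.bind = {
-enable = true;
-extraConfig = ''
-include "${config.users.users.c3d2-dns.home}/zones.conf";
-include "${zentralwerk.packages.${pkgs.system}.dns-slaves}";
-
-# for collectd
-statistics-channels {
-inet 127.0.0.1 port 8053;
-};
-'';
-};
-
-# BIND statistics in Grafana
-services.collectd.plugins.bind = ''
-URL "http://127.0.0.1:8053/";
-ParseTime false
-OpCodes true
-QTypes true
-ServerStats true
-ZoneMaintStats true
-ResolverStats false
-MemoryStats true
-'';
-
-sops = {
-defaultSopsFile = ./secrets.yaml;
-secrets = {
-"ssh-keys/c3d2-dns/private" = {
-owner = "c3d2-dns";
-path = "/var/lib/c3d2-dns/.ssh/id_ed25519";
-};
-"ssh-keys/c3d2-dns/public" = {
-owner = "c3d2-dns";
-path = "/var/lib/c3d2-dns/.ssh/id_ed25519.pub";
-};
-};
-};
-
-system.stateVersion = "22.05";
-
-systemd.services.bind.serviceConfig = {
-Restart = "always";
-RestartSec = "5s";
-};
-
-systemd.tmpfiles.rules = [
-"d ${config.users.users.c3d2-dns.home} 0755 c3d2-dns ${config.users.users.c3d2-dns.group} - -"
-"d /var/lib/bind/slave 0755 named nogroup - -"
-];
-
-# Build user
-users.groups.c3d2-dns = {};
-users.users.c3d2-dns = {
-isNormalUser = true;
-group = "c3d2-dns";
-home = "/var/lib/c3d2-dns";
-openssh.authorizedKeys.keys = [
-"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2"
-];
-packages = [ reloadCommand ];
-};
-}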
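--- /dev/null
+++ b/PATH-NOT-ON-PAGE (module imported by flake.nix as ./hosts/knot)
@@ -0,0 +1,165 @@
+{ config, pkgs, ... }:
+
+{
+c3d2 = {
+hq.statistics.enable = true;
+deployment.server = "server10";
+};
+
+environment = {
+etc.gitconfig.text = /* gitconfig */ ''
+[url "gitea@gitea.c3d2.de:"]
+insteadOf = https://gitea.c3d2.de/
+'';
+systemPackages = with pkgs; [
+rsync # used in drone CI
+];
+};
+
+# changes in knot config cause a rebuild because tools like keymgr are wrapped with the config file *and* contain the man pages
+documentation.man.generateCaches = false;
+
+networking = {
+hostName = "knot";
+firewall = {
+allowedTCPPorts = [
+# DNS
+53
+];
+allowedUDPPorts = [
+# DNS
+53
+];
+};
+};
+
+services.knot = {
+enable = true;
+keyFiles = [ config.sops.secrets."knot/keyFile".path ];
+settings = {
+acl = [
+{
+id = "jabber";
+key = "jabber";
+action = "update";
+update-owner = "name";
+update-owner-match = "sub-or-equal";
+update-owner-name = [ "jabber.c3d2.de." ];
+}
+];
+
+log = [ {
+target = "syslog";
+any = "info";
+} ];
+
+mod-stats = [ {
+id = "default";
+query-type = "on";
+} ];
+
+remote = [
+{
+id = "ns.spaceboyz.net";
+address = [ "95.217.229.209" "2a01:4f9:4b:39ec::4" ];
+} {
+# TODO: drop
+id = "ns0.q-ix.net";
+address = [ "217.115.12.65" "2a00:1328:e101:b01::1" ];
+} {
+id = "ns1.supersandro.de";
+address = [ "188.34.196.104" "2a01:4f8:1c1c:1d38::1" ];
+}
+];
+
+remotes = [ {
+id = "all";
+remote = [ "ns.spaceboyz.net" "ns0.q-ix.net" /*"ns1.supersandro.de"*/ ];
+} ];
+
+server = {
+answer-rotation = true;
+automatic-acl = true;
+identity = "ns1.supersandro.de";
+tcp-fastopen = true;
+version = null;
+};
+
+template = [ {
+id = "default";
+# dnssec-signing = true; ???
+file = "%s.zone";
+global-module = [ "mod-stats" ];
+journal-content = "all"; # required for zonefile-load=difference-no-serial and makes cold starts like zone reloads
+module = "mod-stats/default";
+semantic-checks = true;
+serial-policy = "dateserial";
+storage = "/var/lib/knot/zones";
+zonefile-load = "difference-no-serial";
+} ];
+
+zone = map (zone: {
+inherit (zone) domain;
+template = "default";
+notify = [ "all" ];
+}) [
+{ domain = "c3dd.de"; }
+{ domain = "c3d2.de"; }
+{ domain = "hq.c3d2.de"; }
+{ domain = "dyn.hq.c3d2.de"; }
+# TODO: consolidate
+{ domain = "inbert.c3d2.de"; }
+{ domain = "c3d2.ffdd"; }
+{ domain = "c3d2.space"; }
+{ domain = "c3d2.social"; }
+{ domain = "cccdd.de"; }
+{ domain = "dresden.ccc.de"; }
+{ domain = "datenspuren.de"; }
+{ domain = "netzbiotop.org"; }
+{ domain = "pentamedia.org"; }
+{ domain = "zentralwerk.ffdd"; }
+
+{ domain = "0.4.2.2.0.0.4.1.c.7.6.0.1.0.0.2.ip6.arpa."; }
+{ domain = "99.22.172.in-addr.arpa"; }
+];
+};
+};
+
+security.sudo.extraRules = [ {
+users = [ "knot" ];
+commands = [ {
+command = "/etc/profiles/per-user/knot/bin/reload-knot";
+options = [ "NOPASSWD" ];
+} ];
+} ];
+
+sops = {
+defaultSopsFile = ./secrets.yaml;
+secrets = {
+"knot/keyFile".owner = "knot";
+"ssh-keys/knot/private" = {
+owner = "knot";
+path = "${config.users.users.knot.home}/.ssh/id_ed25519";
+};
+"ssh-keys/knot/public" = {
+owner = "knot";
+path = "${config.users.users.knot.home}/.ssh/id_ed25519.pub";
+};
+};
+};
+
+system.stateVersion = "23.11";
+
+users.users.knot = {
+home = "/var/lib/knot/zones/";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHIkIN1gi5cX2wV2WuNph/QzVK7vvYkvqnR/P69s36mZ drone@c3d2"
+];
+packages = [
+(pkgs.writeScriptBin "reload-knot" ''
+knotc reload
+'')
+];
+useDefaultShell = true;
+};
+}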
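Review bot: The `users.users.knot` block near the end of the hunk puts the drone CI deploy key (`openssh.authorizedKeys.keys`) and a login shell (`useDefaultShell = true`) on `knot`, which is presumably the account the knot daemon itself runs as — the sops secret `"knot/keyFile"` is given `owner = "knot"` for exactly that reason. The removed bind module kept CI on a separate unprivileged `c3d2-dns` user and reached the daemon only through the NOPASSWD sudo rule; here the CI key lands directly on the daemon account, so the `security.sudo.extraRules` entry for `reload-knot` is redundant if that user already owns knot's control socket, and a leaked CI key would read the TSIG key file and control the daemon rather than merely reload zones. Consider keeping a dedicated push user whose home is the zone directory with sudo restricted to `reload-knot` as before, and note that `home = "/var/lib/knot/zones/"` places the deploy SSH key pair inside the zone storage directory. Separately, `pkgs.writeScriptBin` does not add an interpreter line, unlike the old `#!${runtimeShell}` script, so `(pkgs.writeShellScriptBin "reload-knot" "knotc reload")` is the safer spelling.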
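--- a/PATH-NOT-ON-PAGE (secrets.yaml matched by the hosts/knot rule in .sops.yaml)
+++ b/PATH-NOT-ON-PAGE (secrets.yaml matched by the hosts/knot rule in .sops.yaml)
@@ -1,7 +1,9 @@
+knot:
+keyFile: ENC[AES256_GCM,data:abZvm9g13J8yQ22OVkFQey9XGG4hl09qWUzqFJNNS8afEcT4vAbxZCLbrRSnCCI8uZn28/PgRMVPmKhV2l1VEBaiNt8Is2cWT0bf5CQK4P4P3f+/FY2LF6SzVEGpGkEioNM=,iv:x42ABoG+3qwj6K2l/SLySCQW3t2vgdMfazxwqWrQU9w=,tag:tovVGK6gJny8XR5bFo4QPg==,type:str]
 ssh-keys:
-c3d2-dns:
-public: ENC[AES256_GCM,data:I+gaK6an/zSCAh4FDH0udy1CYbuSHWdQ5LMV2x80TbRTV7xb8Zvq9ziSqVx/u2A9UtTQTdpU75g/kWOi64GokE38NgUOjhPYwQ4P9FRqRnYEHWLQHLPah7fluy52Mg==,iv:UWSne9LMRwWJEVffAWn8PxRy1/Kqp8ncPbLCso7zHFA=,tag:SHPaVkS1M65Zmsp2To1Pbg==,type:str]
-private: ENC[AES256_GCM,data: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,iv:AdUU5x5cGh471+aTeqljkC3/6wSXWIFNACd772AQjpg=,tag:pdZSG63OwHt0AMDv3NhMsA==,type:str]
+knot:
+public: ENC[AES256_GCM,data:LxJqnVOjC7PD6Muup96Ep83/7MvhyIbE8iBB7Yxd2MkCIWZVuHhVcNgVBP9IaMs8cj4RPNq8NUJSP3AjRM0U+EDDXyRwend0GzpIERGoNEJOoqbCF1Ts9wVx4EEWrQ==,iv:RD8WYJURlTktuHP4CMo6KxS8N/H7adTt7pPttSEFuHM=,tag:e6JLyGvKJi+Nt1yP9gT2wA==,type:str]
+private: ENC[AES256_GCM,data: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,iv:uwy3u/GMLBnkfRDS4LUfS7A64DWlMjY4BujPC6tZPcI=,tag:PHRZD5I9ftzce2tek/YVdQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -26,8 +28,8 @@ sops:
 RyswT3E2Rnh2aTZMdXI0QnJRQVFNYVUKu9yv8wZ7X6mmFc3wj/4cOL9mZrP0Q6F7
 fXtdZr93TmTK9cG5EuBYuGDvOooFsPeSLSjP6BFRG+2+X+QxK7nSFg==
 -----END AGE ENCRYPTED FILE-----
-lastmodified: "2023-03-23T20:33:02Z"
-mac: ENC[AES256_GCM,data:wGBfQRtmPZypEIHrImQ5U/N4QGCkdz8x7WC8UY/Z65oDt8OQUv0W0sTglANM7JlZHmnQejJuUa6olJoZDamYNenC+prkcyRej+tgFrEhoaOlpVH/+2OwRyIouQpVAyD328rcgu+tcLw+TmJEeF1LywgowSvlK7owm7GlqSPiK6U=,iv:wtnGIMNSOyNTot6cPxb7dT7IkAKrLP9ln3XYi8w/Fxg=,tag:b81yMYeTTXj29ITkJqrgFw==,type:str]
+lastmodified: "2024-01-28T00:01:53Z"
+mac: ENC[AES256_GCM,data:h0KiAAn9uNCvcbhwlAl53SVZnG5q8JvC2OWinoC3Q0+U1HXePLynl2Hn1sV87KCig+KlcokbgmFot7NyA0pzOuvbRWcjwJr8FEsb3wRvjxipF+B9z+yLwZ/RXaDgnYoa6pdPkA6eoAA33PO43tlSpaLf+/yRW6Ya/1l3wE/GY20=,iv:A/7PmpYq09vhsPosxITkHBPJnQkCo7EVcu+biOF0yiQ=,tag:YevwhNkWvqCf/JNz7Wrdlw==,type:str]
 pgp:
 - created_at: "2023-08-08T22:43:21Z"
 enc: |
@@ -167,4 +169,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
 unencrypted_suffix: _unencrypted
-version: 3.7.3
+version: 3.8.1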