diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix index eebd19f..6872c6a 100644 --- a/nixos/boxes/colony/vms/estuary/default.nix +++ b/nixos/boxes/colony/vms/estuary/default.nix @@ -176,7 +176,7 @@ } table inet nat { chain prerouting { - iifname wan meta l4proto { udp, tcp } th dport domain redirect to :5353 + ${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"} } chain postrouting { ip saddr ${lib.my.colony.prefixes.all.v4} masquerade diff --git a/nixos/boxes/colony/vms/estuary/dns.nix b/nixos/boxes/colony/vms/estuary/dns.nix index d5636cc..acc1512 100644 --- a/nixos/boxes/colony/vms/estuary/dns.nix +++ b/nixos/boxes/colony/vms/estuary/dns.nix @@ -13,14 +13,14 @@ let pdns-file-record = pkgs.writeShellApplication { name = "pdns-file-record"; - runtimeInputs = [ pkgs.gnused ]; + runtimeInputs = with pkgs; [ gnused pdns ]; text = '' die() { echo "$@" >&2 exit 1 } usage() { - die "usage: $0 [content]" + die "usage: $0 [content]" } add() { @@ -47,11 +47,14 @@ let dir=/run/pdns/file-records mkdir -p "$dir" - if [ $# -lt 1 ]; then + if [ $# -lt 2 ]; then usage fi + zone="$1" + shift cmd="$1" shift + case "$cmd" in add) add "$@";; 
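Review bot: `zone="$1"` accepts whatever the remote caller sent — the SSH wrapper in dns.nix only word-splits `$SSH_ORIGINAL_COMMAND` — and the value is then spliced into `/var/lib/pdns/bind-zones/$zone.dat` and `/run/pdns/bind-zones/$zone.zone` further down in this file, so a `../` in it walks out of those directories. Validate it right after the assignment, `[[ "$zone" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] || die "invalid zone: $zone"`, and ideally also require `/etc/pdns/bind-zones/$zone.zone` to exist before doing anything else. The `add`/`del` helpers that consume the remaining arguments, and the path handling itself, are outside this hunk.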
@@ -60,11 +63,48 @@ let *) usage;; esac + + # TODO: This feels pretty hacky? + zDat=/var/lib/pdns/bind-zones/"$zone".dat + # shellcheck disable=SC1090 + source "$zDat" + ((serial++)) + sed -i "s/^serial=.*$/serial=$serial/g" "$zDat" + sed "s/@@SERIAL@@/$serial/g" < /etc/pdns/bind-zones/"$zone".zone > /run/pdns/bind-zones/"$zone".zone + pdns_control bind-reload-now "$zone" ''; }; in { config = { + users = { + users = { + "pdns-file-records" = + let + script = pkgs.writeShellScript "pdns-file-records-ssh.sh" '' + read -r -a args <<< "$SSH_ORIGINAL_COMMAND" + exec ${pdns-file-record}/bin/pdns-file-record "''${args[@]}" + ''; + in + { + group = "pdns"; + isSystemUser = true; + shell = pkgs.bashInteractive; + openssh.authorizedKeys.keys = [ + ''command="${script}" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSvcgbEesOgvKJLt3FLXPaLOcCIuOUYtZXXtEv6k4Yd'' + ]; + }; + }; + }; + + systemd = { + services = { + pdns.preStart = '' + install -d -m 775 /run/pdns/file-records + ''; + }; + }; + services.pdns-recursor = { enable = true; dns = { @@ -164,7 +204,7 @@ in wildcardPtr6Z = wildcardPtr6 ptrDots6; fileRecScript = pkgs.writeText "file-record.lua" '' - local path = "/run/pdns/file-records/" .. qname:toStringNoDot() .. ".txt" + local path = "/run/pdns/file-records/" .. string.lower(qname:toStringNoDot()) .. ".txt" if not os.execute("test -e " .. path) then return {} end @@ -195,8 +235,10 @@ in @ IN ALIAS ${config.networking.fqdn}. + $TTL 3 _acme-challenge IN LUA TXT ${fileRecVal} + $TTL 60 ${intRecords} ''; }; diff --git a/nixos/boxes/colony/vms/shill/containers/middleman.nix b/nixos/boxes/colony/vms/shill/containers/middleman.nix index a727a16..d03f6ee 100644 --- a/nixos/boxes/colony/vms/shill/containers/middleman.nix +++ b/nixos/boxes/colony/vms/shill/containers/middleman.nix 
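Review bot: `source "$zDat"` executes a file whose name is built from `$zone`, and `$zone` arrives unvalidated from `SSH_ORIGINAL_COMMAND` through the wrapper added in this same hunk, so a caller holding the key (the acme container) can at least reach any readable `*.dat` outside bind-zones and gets shell execution as the pdns group if it can place content at such a path; guard with `[[ $zone != */* && -f /etc/pdns/bind-zones/$zone.zone ]] || die "unknown zone: $zone"` before the `source`. Independently, the authorized key should read `restrict,command="${script}" ssh-ed25519 …` — without `restrict`, a forced command still leaves agent, port and X11 forwarding and pty allocation enabled. Also `((serial++))` exits non-zero when the old value is 0, which under writeShellApplication's errexit aborts the script before the zone is rewritten; `serial=$((serial + 1))` avoids the trap. The `pdns` service definition this hunk extends starts and ends outside the hunk.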
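Review bot: `os.execute("test -e " .. path)` hands the query name to a shell; as far as I know `toStringNoDot()` escapes dots and non-printables but not shell metacharacters such as `;` or `$(`, so any name that reaches this script is a command-injection vector running as the pdns user. While fileRecScript is only attached to the fixed `_acme-challenge` label the qname is effectively constant, but the existence check needs no shell at all: `local f = io.open(path, "r")`, `if f == nil then return {} end`, `f:close()`. The `string.lower` normalisation is the right fix for case-randomised queries. The rest of the Lua body, which presumably reads the file, runs past the hunk.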
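Review bot: The two `$TTL` directives are unexplained, and the value 3 looks like a typo to anyone who does not know the ACME flow. A zone-file comment above the record would settle it: `; $TTL 3: keep the challenge answer effectively uncacheable so lego's propagation check and the CA see the freshly written token` and `; back to the normal TTL for the remaining records`. The zone template these lines sit in starts and ends outside the hunk.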
@@ -16,7 +16,7 @@ }; }; - configuration = { lib, config, assignments, allAssignments, ... }: + configuration = { lib, pkgs, config, assignments, allAssignments, ... }: let inherit (lib) mkMerge mkIf; inherit (lib.my) networkdAssignment; @@ -29,7 +29,13 @@ secrets = { key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip"; - files."dhparams.pem" = {}; + files = { + "dhparams.pem" = {}; + "pdns-file-records.key" = { + owner = "acme"; + group = "acme"; + }; + }; }; firewall = { @@ -44,6 +50,51 @@ network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal; }; + security = { + acme = { + acceptTerms = true; + defaults = { + email = "dev@nul.ie"; + server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + reloadServices = [ "nginx" ]; + dnsResolver = "8.8.8.8"; + }; + + certs = { + "${config.networking.domain}" = { + extraDomainNames = [ + "*.${config.networking.domain}" + ]; + dnsProvider = "exec"; + credentialsFile = + let + script = pkgs.writeShellScript "lego-update-int.sh" '' + case "$1" in + present) + cmd=add;; + cleanup) + cmd=del;; + *) + exit 1;; + esac + + echo "$@" + exec ${pkgs.openssh}/bin/ssh \ + -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \ + -i ${config.age.secrets."pdns-file-records.key".path} \ + pdns-file-records@estuary-vm "${config.networking.domain}" "$cmd" "$2" "$3" + ''; + in + pkgs.writeText "lego-exec-vars.conf" '' + EXEC_PROPAGATION_TIMEOUT=60 + EXEC_POLLING_INTERVAL=2 + EXEC_PATH=${script} + ''; + }; + }; + }; + }; + services = { nginx = { enable = true; diff --git a/nixos/modules/firewall.nix b/nixos/modules/firewall.nix index 1f1ca66..49cb193 100644 --- a/nixos/modules/firewall.nix +++ b/nixos/modules/firewall.nix 
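Review bot: The lego hook connects with `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, so anything that can answer for `estuary-vm` on the container's network receives the session and the challenge values without detection; pin estuary's host key instead, e.g. `programs.ssh.knownHosts."estuary-vm".publicKey = "ssh-ed25519 …"` in the container config, and drop the two `-o` options (or point `UserKnownHostsFile` at a file shipped from config). `echo "$@"` also writes the challenge token into the journal on every call; drop it or log only the action and name. `server` is pinned to the Let's Encrypt staging endpoint, whose certificates are untrusted by clients — if that is deliberate while this path is being tested, a comment saying so with a TODO to remove it would save the next reader a surprise. The `configuration` attribute set this hunk extends ends outside the hunk.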
@@ -128,11 +128,10 @@ in table inet nat { chain prerouting { - type nat hook prerouting priority 0; + type nat hook prerouting priority dstnat; } - chain postrouting { - type nat hook postrouting priority 100; + type nat hook postrouting priority srcnat; } } diff --git a/nixos/modules/pdns.nix b/nixos/modules/pdns.nix index 809fb35..ac477d7 100644 --- a/nixos/modules/pdns.nix +++ b/nixos/modules/pdns.nix @@ -156,6 +156,9 @@ in mkdir -p /var/lib/pdns/bind-zones loadZones start ''; + postStart = '' + chmod -R g+w /run/pdns /var/lib/pdns + ''; # pdns reloads existing zones, so the only trigger will be if the zone files themselves change. If any new zones # are added or removed, named.conf will change, in turn changing the overall pdns settings and causing pdns to diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix index b0d6b93..5440e42 100644 --- a/nixos/modules/tmproot.nix +++ b/nixos/modules/tmproot.nix @@ -225,6 +225,16 @@ in my.tmproot.persistence.config.files = concatMap (k: [ k.path "${k.path}.pub" ]) config.services.openssh.hostKeys; }) + (mkIf (config.security.acme.certs != { }) { + my.tmproot.persistence.config.directories = [ + { + directory = "/var/lib/acme"; + mode = "0750"; + user = "acme"; + group = "acme"; + } + ]; + }) (mkIf config.my.build.isDevVM { fileSystems = mkVMOverride { # Hijack the "root" device for persistence in the VM diff --git a/secrets/dhparams.pem.age b/secrets/dhparams.pem.age index 49d2a75..0dde440 100644 Binary files a/secrets/dhparams.pem.age and b/secrets/dhparams.pem.age differ diff --git a/secrets/pdns-file-records.key.age b/secrets/pdns-file-records.key.age new file mode 100644 index 0000000..8faa5cf Binary files /dev/null and b/secrets/pdns-file-records.key.age differ diff --git a/secrets/user-passwd.txt.age b/secrets/user-passwd.txt.age index 17e0909..d05c3bd 100644 Binary files a/secrets/user-passwd.txt.age and b/secrets/user-passwd.txt.age differ 
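Review bot: This is not a pure rename — in nftables `dstnat` is -100 while the old prerouting value was 0, so the nat prerouting chain (and the port-53 redirect in estuary's default.nix that hangs off it) now runs ahead of any priority-0 prerouting hook in this ruleset instead of at an unspecified order relative to them; `srcnat` is 100, matching the old postrouting value. That is the recommended placement for DNAT, but a comment on the chain would stop someone reverting it as "equivalent": `# dstnat (-100) runs before filter-priority hooks so redirects are applied first; srcnat (100) runs after routing`. The surrounding ruleset string starts and ends outside the hunk.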
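Review bot: `chmod -R g+w /run/pdns /var/lib/pdns` grants the whole `pdns` group write access to everything PowerDNS keeps in both trees, far more than the record script on estuary needs (it touches `file-records`, `/run/pdns/bind-zones` and `/var/lib/pdns/bind-zones` only), and a one-shot `-R` at postStart misses files pdns creates later in its life. Narrow it to `chmod -R g+w /run/pdns/bind-zones /var/lib/pdns/bind-zones` (file-records is already created 775 by estuary's preStart) and consider `chmod g+s` on those directories so new files inherit the group. Since this lives in the shared `nixos/modules/pdns.nix`, every host importing the module presumably gets the relaxation, not just estuary — an option gated on the file-record feature would keep other hosts tight. The service definition continues outside the hunk.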
diff --git a/secrets/vaultwarden.env.age b/secrets/vaultwarden.env.age index e729478..9fc3560 100644 --- a/secrets/vaultwarden.env.age +++ b/secrets/vaultwarden.env.age @@ -1,9 +1,12 @@ age-encryption.org/v1 --> ssh-ed25519 Lqn0Yw 8O/4DNOBVj9N2QBh4iAcpQPFYKK884dVYBGii6QvMFs -enBLaFlBILu61uFQwV6v8PyWG0M0JkmSfpk/tztrLls --> X25519 6X2M/VOMrMTIdgg9dRlVQmF2LWq5W53rNLzZ8UAJWVM -xFEKeZD+w68RyK+jlyFB82oQ6a6+FCBmYcjvc/8Wg9M --> uVBC-grease -70cjnfhD0khuuiGtBG7MwE2CSEgmClW9/wQeZhAdOQ4 ---- hykfNiGB0dkhlbOabguSHtVFYtAtlFK6ld7GU8E3+WI -L;s5M%u ӆ3#%5#1gujtc79r^OȸߥɗbcobvÊN郑`R ;6?ʱ!' \ No newline at end of file +-> ssh-ed25519 Lqn0Yw ybVbnUjgm3QGOZPv9A/q6zPXjZbuYe4krqe+qjrkziw +SIEEGlziouUT3pzxw+C7p2IO2sDJ3xmaTrHaDGFgLOs +-> X25519 bq/2lRh9a3BwhwR6o9TXeuXA5AGdtlrQm8/JOyAzUEU +I5xRPDb6rUcNBXqOXefFkO2HvlYIJAG+OFkZygywkqg +-> 0g#WDK-grease .DWBEk* +Vf8DHmVCY3bfTT+CPPm5dELSid+aZJquOxjEccmkZXVKtefHlwLRx6Dh3HT5IZqR +Pl2j/4SQvVf1MrPjtbkMwBhxh9zPZa7WQIBGeF6oB2kl9vyc65lXpaxRSMs2eVsv + +--- /eCT0Rqu+we6CXUSP3dpd+blpQxwOG0t5rDiGfffXPs +F +f~"[%?}1P~ҋ$Nrnh*y _Ʌ!*h\MߑxsFd3u/$9  Р&iv \ No newline at end of file