From 7da7458a345db546928692a04314a57cfc7fb0d7 Mon Sep 17 00:00:00 2001 From: Jack O'Sullivan Date: Mon, 6 Jun 2022 00:18:24 +0100 Subject: [PATCH] nixos: Working ACME certs --- nixos/boxes/colony/vms/estuary/default.nix | 2 +- nixos/boxes/colony/vms/estuary/dns.nix | 50 ++++++++++++++-- .../colony/vms/shill/containers/middleman.nix | 55 +++++++++++++++++- nixos/modules/firewall.nix | 5 +- nixos/modules/pdns.nix | 3 + nixos/modules/tmproot.nix | 10 ++++ secrets/dhparams.pem.age | Bin 1119 -> 1127 bytes secrets/pdns-file-records.key.age | Bin 0 -> 876 bytes secrets/user-passwd.txt.age | Bin 987 -> 902 bytes secrets/vaultwarden.env.age | 19 +++--- 10 files changed, 126 insertions(+), 18 deletions(-) create mode 100644 secrets/pdns-file-records.key.age diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix index eebd19f..6872c6a 100644 --- a/nixos/boxes/colony/vms/estuary/default.nix +++ b/nixos/boxes/colony/vms/estuary/default.nix @@ -176,7 +176,7 @@ } table inet nat { chain prerouting { - iifname wan meta l4proto { udp, tcp } th dport domain redirect to :5353 + ${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"} } chain postrouting { ip saddr ${lib.my.colony.prefixes.all.v4} masquerade diff --git a/nixos/boxes/colony/vms/estuary/dns.nix b/nixos/boxes/colony/vms/estuary/dns.nix index d5636cc..acc1512 100644 --- a/nixos/boxes/colony/vms/estuary/dns.nix +++ b/nixos/boxes/colony/vms/estuary/dns.nix @@ -13,14 +13,14 @@ let pdns-file-record = pkgs.writeShellApplication { name = "pdns-file-record"; - runtimeInputs = [ pkgs.gnused ]; + runtimeInputs = with pkgs; [ gnused pdns ]; text = '' die() { echo "$@" >&2 exit 1 } usage() { - die "usage: $0 [content]" + die "usage: $0 [content]" } add() { @@ -47,11 +47,14 @@ let dir=/run/pdns/file-records mkdir -p "$dir" - if [ $# -lt 1 ]; then + if [ $# -lt 2 ]; then usage fi + zone="$1" + shift cmd="$1" shift + case "$cmd" in add) add "$@";; @@ -60,11 +63,48 @@ let *) usage;; esac + + # TODO: This feels pretty hacky? + zDat=/var/lib/pdns/bind-zones/"$zone".dat + # shellcheck disable=SC1090 + source "$zDat" + ((serial++)) + sed -i "s/^serial=.*$/serial=$serial/g" "$zDat" + sed "s/@@SERIAL@@/$serial/g" < /etc/pdns/bind-zones/"$zone".zone > /run/pdns/bind-zones/"$zone".zone + pdns_control bind-reload-now "$zone" ''; }; in { config = { + users = { + users = { + "pdns-file-records" = + let + script = pkgs.writeShellScript "pdns-file-records-ssh.sh" '' + read -r -a args <<< "$SSH_ORIGINAL_COMMAND" + exec ${pdns-file-record}/bin/pdns-file-record "''${args[@]}" + ''; + in + { + group = "pdns"; + isSystemUser = true; + shell = pkgs.bashInteractive; + openssh.authorizedKeys.keys = [ + ''command="${script}" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSvcgbEesOgvKJLt3FLXPaLOcCIuOUYtZXXtEv6k4Yd'' + ]; + }; + }; + }; + + systemd = { + services = { + pdns.preStart = '' + install -d -m 775 /run/pdns/file-records + ''; + }; + }; + services.pdns-recursor = { enable = true; dns = { @@ -164,7 +204,7 @@ in wildcardPtr6Z = wildcardPtr6 ptrDots6; fileRecScript = pkgs.writeText "file-record.lua" '' - local path = "/run/pdns/file-records/" .. qname:toStringNoDot() .. ".txt" + local path = "/run/pdns/file-records/" .. string.lower(qname:toStringNoDot()) .. ".txt" if not os.execute("test -e " .. path) then return {} end @@ -195,8 +235,10 @@ in @ IN ALIAS ${config.networking.fqdn}. + $TTL 3 _acme-challenge IN LUA TXT ${fileRecVal} + $TTL 60 ${intRecords} ''; }; diff --git a/nixos/boxes/colony/vms/shill/containers/middleman.nix b/nixos/boxes/colony/vms/shill/containers/middleman.nix index a727a16..d03f6ee 100644 --- a/nixos/boxes/colony/vms/shill/containers/middleman.nix +++ b/nixos/boxes/colony/vms/shill/containers/middleman.nix @@ -16,7 +16,7 @@ }; }; - configuration = { lib, config, assignments, allAssignments, ... }: + configuration = { lib, pkgs, config, assignments, allAssignments, ... }: let inherit (lib) mkMerge mkIf; inherit (lib.my) networkdAssignment; @@ -29,7 +29,13 @@ secrets = { key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip"; - files."dhparams.pem" = {}; + files = { + "dhparams.pem" = {}; + "pdns-file-records.key" = { + owner = "acme"; + group = "acme"; + }; + }; }; firewall = { @@ -44,6 +50,51 @@ network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal; }; + security = { + acme = { + acceptTerms = true; + defaults = { + email = "dev@nul.ie"; + server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + reloadServices = [ "nginx" ]; + dnsResolver = "8.8.8.8"; + }; + + certs = { + "${config.networking.domain}" = { + extraDomainNames = [ + "*.${config.networking.domain}" + ]; + dnsProvider = "exec"; + credentialsFile = + let + script = pkgs.writeShellScript "lego-update-int.sh" '' + case "$1" in + present) + cmd=add;; + cleanup) + cmd=del;; + *) + exit 1;; + esac + + echo "$@" + exec ${pkgs.openssh}/bin/ssh \ + -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \ + -i ${config.age.secrets."pdns-file-records.key".path} \ + pdns-file-records@estuary-vm "${config.networking.domain}" "$cmd" "$2" "$3" + ''; + in + pkgs.writeText "lego-exec-vars.conf" '' + EXEC_PROPAGATION_TIMEOUT=60 + EXEC_POLLING_INTERVAL=2 + EXEC_PATH=${script} + ''; + }; + }; + }; + }; + services = { nginx = { enable = true; diff --git a/nixos/modules/firewall.nix b/nixos/modules/firewall.nix index 1f1ca66..49cb193 100644 --- a/nixos/modules/firewall.nix +++ b/nixos/modules/firewall.nix @@ -128,11 +128,10 @@ in table inet nat { chain prerouting { - type nat hook prerouting priority 0; + type nat hook prerouting priority dstnat; } - chain postrouting { - type nat hook postrouting priority 100; + type nat hook postrouting priority srcnat; } } diff --git a/nixos/modules/pdns.nix b/nixos/modules/pdns.nix index 809fb35..ac477d7 100644 --- a/nixos/modules/pdns.nix +++ b/nixos/modules/pdns.nix @@ -156,6 +156,9 @@ in mkdir -p /var/lib/pdns/bind-zones loadZones start ''; + postStart = '' + chmod -R g+w /run/pdns /var/lib/pdns + ''; # pdns reloads existing zones, so the only trigger will be if the zone files themselves change. If any new zones # are added or removed, named.conf will change, in turn changing the overall pdns settings and causing pdns to diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix index b0d6b93..5440e42 100644 --- a/nixos/modules/tmproot.nix +++ b/nixos/modules/tmproot.nix @@ -225,6 +225,16 @@ in my.tmproot.persistence.config.files = concatMap (k: [ k.path "${k.path}.pub" ]) config.services.openssh.hostKeys; }) + (mkIf (config.security.acme.certs != { }) { + my.tmproot.persistence.config.directories = [ + { + directory = "/var/lib/acme"; + mode = "0750"; + user = "acme"; + group = "acme"; + } + ]; + }) (mkIf config.my.build.isDevVM { fileSystems = mkVMOverride { # Hijack the "root" device for persistence in the VM diff --git a/secrets/dhparams.pem.age b/secrets/dhparams.pem.age index 49d2a75ea1487441748d8fbe7db16256f96b6b28..0dde440a963fb5ef6a95bd21f93c9a188beedafb 100644 GIT binary patch delta 1098 zcmcc5@tk9VPJOAlVRlAxm|>P#NwKL#l%;uTQf5+tSwMK2Uu85MVWLqsm#<5@ zfn#o(dv1AIg}3|wQ9zM-Qeu82$O>=!LQP{A-Snc= z#Nt#11E1Pdg<35?PaB17O+7DlMTI1d0^f8lgVOSB&vY(bU0nsgFrToL2(KWwg6vXv zuR{0w02iOc$gp6`U;~2)Z>P$XF#lwiv|NJ{H;-a2wS||ysXCM{^RFiMva`Lb~vp{!y39ddmHJ5|8JI*tqHW z{MfXt`lRhAOT!+XGpvD}nQCf(X2iv{&go70*v24UuY5m8+#vKxgPZN7ho^Qtt-E+X z`bn9jqW*&^8qHl6Ydx!P3%SQm=9$rc@w-6qE2Dbh=Ot2SgA9*M@q2ZB-_^}i%`>tk zo9w^eo%Y>EAx8G{-p7{K-!i9V{A-)H(fAF2=k5bH`z^V5-03oHKjr_$bY{F$UxVwk zfQn0{meG+m`YY>O6PnC^ylqQU=0WS8+wu=KHK~7kHPd-{!KT@QvQyW`tar#%R$lO0_UP=~I zTtX`Te_y#@O7Gz9-)tWq?bt8gT%o$I+)1CYLqFn}_>^NC6I`l4Pp?;MTG(as@LrQ< zbQO15^1FxAXHLC2r)H}7+O2Pb16aDMPj2GLT2{33Tc@|x@@uP8+8oZ+Ouo3|Y?o|m z?Jlj|)%nuG0P z4QrR)7W$caS2f>o!=^jYHBrB})vtZ#a>@C`?6b*nlC@kbD@!Z3D8?SRY@ni0b@7(N z%?Ue=c8hlZ05uk|v>Y?;|OPkovqOTMJ@txrxee;@B)XOV^HxNB$jxLt;xqlM`3xogqf*zle~(K9 E0FE;CbN~PV delta 1090 zcmaFPai3#?PJLBsdZwwLcS%XAWomGyc49_OmZM2fNTgYCS$2?DzM)&NM_IaWdYDIr z0he)xi=km@mPJ*jOR%wVYN=yTgn3X{N=j6*dqA#pfPSuLmVZQ6hEJMBF_*5LLWGg2 zsiCEUyHS<4hrfw`PE>|hl5s>}sdkB@cV$3ScyXwKVZFPPk)dg>OQwmLN2p^lS5--N zq<>+unRbw)fp27(yO)28rB9T%OO$bHgr{GSMR-VNXmM~_q)&J@$chvfP3wq2-Snc= z#Nt$i8ZU($1sz9=JYNMpo%FDhIv*~7w@5BsU0sF9!c14AGLsx{Z_fb7Qg_Q>M_=<2 zXOp1%qyl5@jM6;q)WE`GuhPJjsKiLF9TQIG+;Z9f{GsS7+wZr!wOzE&O3ZgwS9X?N?(f^j7rtc%|GNpxEG+NMjqlu3IQx*c)}kuQyO-S7 zJF9YQUr4eSs*n7+QOjp1`|PRpIaPTp?QXB>UHiYN+oWDg`iPDy=OuTyP9L?`Ei>;t znSbz=nd#rd8Q#(#zm^0wPCWBhSFis26svjH^n8s;(cu6g4V8SrjZ+ z`MR-`tMD9~>T7N1`p0MZ63=E%3s9arck%Rp6Yp>Fl?pyyv*MI`hi|aAa?qaCSw{q! z47974MpQS2PK|cClKp#o$gHK$esv{kmq$>55;nnaM@r zmvnwfA3OJX;jFZn!xz{NzmohD+id;e?*{3929rRAlzGoLPg!EWSMk-+dX>tq%O6!4 z4a$!sooO+9B)0C*MBb~bs*nHp_4coYCHM1{`d_cdnpSK!l@>1wGTqsJ$Rggns$G}; z&UPbl{=PgFPp(U6j_7uDY-*ATJL8_d$s~3DW6N31C6VhE1y`(Jd0*7LK`mbxPl-^=~KXFOPm8Z+%Lx%(m^Bgi&u-`u|61HL8#A wJqY6V)T>C|&3oVIbn{Qmm2YC^Ni|KA2<&3ui_Y9NM`nS?%$a64PCCs10O+dhEdT%j diff --git a/secrets/pdns-file-records.key.age b/secrets/pdns-file-records.key.age new file mode 100644 index 0000000000000000000000000000000000000000..8faa5cf9e6ad365e1227c4eb989c4fce085c7fd4 GIT binary patch literal 876 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUlFf=pD2~bSW$-3`#do&Tw>0_Rx>Y3C#?w2zT}Nb1`?1Of)bH3FXpv(lFDb+@ zAk5z&RNKtUBsrkCJgF?bG9P4vS&n|WZhBE_VsWZMiIXvxS5l~@o4a2|i9tv}Wp!>sv|l<^=iwx-&J=bNTzOz(%32Sv_TbS4>x=Coa|Y`PFh`a+>4Q zbf0wzN^`VDY99ul>tYo68gkHvmBWA82Il#~e~l(wlDxNs)obTV9l;$XQ7_0dTU7UYRvEt0K=bke^+*FdzuZq>0rfT-$%#?j|vu9|ZY9ArII0?*%UJaujDgXFmYS)n+i2Zy$5S^6JWQ~tU5&RyO` zPe1007~h<_AnwfV{e65s>z=Au*z!D<y*JgX?9$h$niEVHsIDmN@W$-KHGS9Ta!zd&&olDnFp}06h zH#Nn`)YQ;Y!O7BFKO#^e+o(L(Ik7Ow&&f(?m-?=!P*%C zk&z{3xhdgUrAbcV9^paB;btX%hRz-qi7EP}fu5C?CZUmBk@?~J=6MmNF2!y^1s-Wt z2I&sp&oYYF2l@sDy9ZU7dX@V)RfKp17!@VE z8yb6tmIYQhX&YqZgu4_*M!A(a8|ImC`Q_=GWTcx~h6jb1>04Ol1)FDTrw3Z(c<5K; z1%#P~T9kzOm}gZL76pcaVjuz%`0l|a&gp3t5v7i9sZp*`nFc|wRc@x{0gl05>BaS- zSzg|S8A%oX;qJcfCR_oA#>xIU-j(^O$tEckMTyS2`fibaN!h`HneK+h5k`fDKBMd6N^*1EK|eM-93wp3~~(%okP8{jf-=moYHaZ|DK4Ngb!rNx!5<@Bv{q6vmaZ*a$So>uF~=6<;MQvmicV@528+|z5Ktz zzGwQXgA12zc_wBZm?3t&TrP5L8>io0%g`46+Xm%KPKA2@+ZY@E9bpnXUjN_XiK@;f ph0s?0Pv#-<=UD&t_?`YX@n~38W$2@4qV@Vc-`uQZJW7w60sw=n8`=N> delta 899 zcmZo;zs){Dr{1(Q&)?6&JgYp)&@nwf!zVK|FvBP{C&IGK%O|9)sKDK%C@Co-KQW>r zlq;v)AUim-xWp}6J0d+eKd>x3*UQJp!#pjj%&XYMTi?UXBr4pc$iv;$l}p!7p}06h zH#Nn`)YQ;Y!O7BFKO#`UFQ7CtH$5^S$kgAmz%nAx->oW7zc{U|JlM_B+`GiXHzV84 z&CtL#-!d!!Xm;Ki|SN#4*Du*RU`zAXUFS(#Jp3tun{F$}2Lz!oVQgv?|MS z;z#lD!mKr}5&k9ej?BEJN z_k5?alKc`wfB%5sg7PHK%*xX2ysV6njG~m_qyT?U_q2#AXMKao@r>f(rjDK&9vIaa!IrTMxQmu3`H>3f?wdj$mrmb;du=jS*XgnAU` z82g)snuX|B78{m3ni!RXVjuz%_?fA0dHF%Er77lyxn%)aX|DMmMTL%D&Y5M}8Rhk* ziAm{EiAJfx;RQiC>0H`LneIuhWtkOWE*UPa&W`$3j=q&SiGI$-roQDaB?eKx>FEV- zA!b2go**ldYLs&ljO}&Pi&7JdQx&SB6*ANOoE0=O6l2+VvV$UBJ(JBUj58~USIupf`SnjiY>C=iBX%T15O1)=$g2H9)da9JT#7}a&`o_?){PJv ssh-ed25519 Lqn0Yw 8O/4DNOBVj9N2QBh4iAcpQPFYKK884dVYBGii6QvMFs -enBLaFlBILu61uFQwV6v8PyWG0M0JkmSfpk/tztrLls --> X25519 6X2M/VOMrMTIdgg9dRlVQmF2LWq5W53rNLzZ8UAJWVM -xFEKeZD+w68RyK+jlyFB82oQ6a6+FCBmYcjvc/8Wg9M --> uVBC-grease -70cjnfhD0khuuiGtBG7MwE2CSEgmClW9/wQeZhAdOQ4 ---- hykfNiGB0dkhlbOabguSHtVFYtAtlFK6ld7GU8E3+WI -L;s5M%u ӆ3#%5#1gujtc79r^OȸߥɗbcobvÊN郑`R ;6?ʱ!' \ No newline at end of file +-> ssh-ed25519 Lqn0Yw ybVbnUjgm3QGOZPv9A/q6zPXjZbuYe4krqe+qjrkziw +SIEEGlziouUT3pzxw+C7p2IO2sDJ3xmaTrHaDGFgLOs +-> X25519 bq/2lRh9a3BwhwR6o9TXeuXA5AGdtlrQm8/JOyAzUEU +I5xRPDb6rUcNBXqOXefFkO2HvlYIJAG+OFkZygywkqg +-> 0g#WDK-grease .DWBEk* +Vf8DHmVCY3bfTT+CPPm5dELSid+aZJquOxjEccmkZXVKtefHlwLRx6Dh3HT5IZqR +Pl2j/4SQvVf1MrPjtbkMwBhxh9zPZa7WQIBGeF6oB2kl9vyc65lXpaxRSMs2eVsv + +--- /eCT0Rqu+we6CXUSP3dpd+blpQxwOG0t5rDiGfffXPs +F +f~"[%?}1P~ҋ$Nrnh*y _Ʌ!*h\MߑxsFd3u/$9  Р&iv \ No newline at end of file