losurdo: add creds
[sourcephile-nix.git] / hosts / mermet / knot / sourcephile.fr.nix
index 8b945b7f8f861154f64c35204f4a079040367997..489005ce8f4303d79d176ef350485b2bc52e8e50 100644 (file)
@@ -1,9 +1,8 @@
-{ inputs, pkgs, lib, config, hosts, ... }:
+{ pkgs, lib, config, inputs, hostName, hosts, ... }:
 let
   domain = "sourcephile.fr";
   domainID = lib.replaceStrings ["."] ["_"] domain;
   inherit (config) networking;
-  inherit (config.security) gnupg;
   inherit (config.services) knot;
   inherit (config.users) users;
 in
@@ -28,12 +27,12 @@ services.knot.zones."${domain}" = {
         update-owner-match: equal
         update-owner-name: [_acme-challenge]
         update-type: [TXT]
-      - id: acl_tsig_bureau1_${domainID}
-        key: bureau1_${domainID}
+      - id: acl_tsig_losurdo_${domainID}
+        key: losurdo_${domainID}
         action: update
         update-owner: name
         update-owner-match: equal
-        update-owner-name: [bureau1, lan.losurdo]
+        update-owner-name: [losurdo, lan.losurdo]
         update-type: [A, AAAA]
 
     mod-dnsproxy:
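Review bot: The `key: losurdo_${domainID}` reference on the renamed ACL is only valid if a key with that exact id is defined in the file loaded through `keyFiles`; the commit relies on the operator having generated it with the matching name shown in the `keymgr -t losurdo_${domainID}` comment later in the change, and a mismatched id is a configuration error in knot rather than a silent no-op. A comment on the `key:` line, `# id must match the key generated with keymgr -t losurdo_${domainID} (see services.knot.keyFiles)`, would tie the two places together. The scoping to `update-owner-name: [losurdo, lan.losurdo]` and `update-type: [A, AAAA]` keeps this host-held credential limited to its own two names, which is the right shape.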
@@ -50,7 +49,7 @@ services.knot.zones."${domain}" = {
         acl: acl_gandi
         acl: acl_localhost_acme_${domainID}
         acl: acl_tsig_acme_${domainID}
-        acl: acl_tsig_bureau1_${domainID}
+        acl: acl_tsig_losurdo_${domainID}
         dnssec-signing: on
         dnssec-policy: rsa
 
@@ -131,7 +130,6 @@ services.knot.zones."${domain}" = {
     miniflux      A ${hosts.mermet._module.args.ipv4}
 
     ; CNAME (Canonical Name)
-    losurdo          CNAME bureau1
     openconcerto     CNAME losurdo
     xmpp             CNAME mermet
     tmp              CNAME mermet
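Review bot: Dropping `losurdo CNAME bureau1` leaves `losurdo` with no static record in the zone file, so it presumably resolves only once the dynamic update authorised by `acl_tsig_losurdo_${domainID}` has been applied, and `openconcerto CNAME losurdo` on the next line inherits that dependency. If that update never arrives (key not yet provisioned on the host, or rejected by the ACL) both names return nothing, with no fallback. A zone comment beside `openconcerto CNAME losurdo`, `; losurdo A/AAAA are maintained by dynamic update (acl_tsig_losurdo_${domainID})`, would make that runtime dependency visible to the next editor.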
@@ -182,33 +180,34 @@ services.knot.zones."${domain}" = {
     @ CAA 128 issue "letsencrypt.org"
   '';
 };
-users.groups.keys.members = [ users.knot.name ];
 services.knot = {
   keyFiles = [
-    gnupg.secrets."knot/tsig/${domain}/acme.conf".path
-    gnupg.secrets."knot/tsig/${domain}/bureau1.conf".path
+    "/run/credentials/knot.service/${domain}.acme.conf"
+    # Generated with: keymgr -t losurdo_${domainID}
+    "/run/credentials/knot.service/losurdo.conf"
   ];
 };
-security.gnupg.secrets = {
-  "knot/tsig/${domain}/acme.conf" = {
-    # Generated with: keymgr -t acme_${domainID}
-    user = users.knot.name;
-  };
-  "knot/tsig/${domain}/bureau1.conf" = {
-    # Generated with: keymgr -t bureau1_${domainID}
-    user = users.knot.name;
-  };
-};
 systemd.services.knot = {
-  after = [
-    gnupg.secrets."knot/tsig/${domain}/acme.conf".service
-    gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
-  ];
-  wants = [
-    gnupg.secrets."knot/tsig/${domain}/acme.conf".service
-    gnupg.secrets."knot/tsig/${domain}/bureau1.conf".service
-  ];
+  serviceConfig = {
+    LoadCredentialEncrypted = [
+      "${domain}.acme.conf:${inputs.self}/hosts/${hostName}/${domain}/acme.conf.cred"
+      "losurdo.conf:${inputs.self}/hosts/${hostName}/${domain}/losurdo.conf.cred"
+    ];
+  };
 };
+networking.nftables.ruleset = ''
+  table inet filter {
+    # Gandi DNS
+    set output-net-knot-ipv4 {
+      type ipv4_addr
+      elements = { 217.70.177.40 }
+    }
+    set output-net-knot-ipv6 {
+      type ipv6_addr
+      elements = { 2001:4b98:d:1::40 }
+    }
+  }
+'';
 /* Useless since the zone is public
 services.unbound.settings = {
   stub-zone = {