author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-10 10:44:24 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-12 00:24:46 +0200 |
commit | 97787a9dd8b136c8dc327fab42aedf2aa1109ec0 (patch) | |
tree | 4b7ea0d889a4c2c27bfec351693995f1fcba2bbb | |
parent | 450e0db1a1ad900f93519c00f0ef132ec42a3728 (diff) | |
download | Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.gz Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.zst Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.zip |
Add dnssec
-rw-r--r-- | deploy/flake.lock | 24 | ||||
-rw-r--r-- | flake.lock | 24 | ||||
-rw-r--r-- | flakes/flake.lock | 22 | ||||
-rw-r--r-- | flakes/private/monitoring/myplugins.nix | 23 | ||||
-rwxr-xr-x | flakes/private/monitoring/plugins/check_dnssec | 195 | ||||
-rw-r--r-- | systems/backup-2/flake.lock | 2 | ||||
-rw-r--r-- | systems/dilion/flake.lock | 2 | ||||
-rw-r--r-- | systems/eldiron/dns.nix | 117 | ||||
-rw-r--r-- | systems/eldiron/ejabberd/default.nix | 2 | ||||
-rw-r--r-- | systems/eldiron/flake.lock | 2 | ||||
-rw-r--r-- | systems/eldiron/mail/postfix.nix | 4 | ||||
-rw-r--r-- | systems/eldiron/mail/sympa.nix | 2 | ||||
-rw-r--r-- | systems/eldiron/websites/tools/default.nix | 2 | ||||
-rw-r--r-- | systems/monitoring-1/flake.lock | 2 | ||||
-rw-r--r-- | systems/quatresaisons/flake.lock | 2 |
15 files changed, 350 insertions, 75 deletions
diff --git a/deploy/flake.lock b/deploy/flake.lock index 5cdf632..99a99c0 100644 --- a/deploy/flake.lock +++ b/deploy/flake.lock | |||
@@ -2783,7 +2783,7 @@ | |||
2783 | }, | 2783 | }, |
2784 | "locked": { | 2784 | "locked": { |
2785 | "lastModified": 1, | 2785 | "lastModified": 1, |
2786 | "narHash": "sha256-nTSS6oSOmi4T40fXl2o8wfw1/6o2/PP4f8rHtVTGw2s=", | 2786 | "narHash": "sha256-s6HoAgXQrELPNK0BwuMRmJiuAmNN8VvNhhS0K9hYmh4=", |
2787 | "path": "../flakes", | 2787 | "path": "../flakes", |
2788 | "type": "path" | 2788 | "type": "path" |
2789 | }, | 2789 | }, |
@@ -2894,7 +2894,7 @@ | |||
2894 | }, | 2894 | }, |
2895 | "locked": { | 2895 | "locked": { |
2896 | "lastModified": 1, | 2896 | "lastModified": 1, |
2897 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 2897 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
2898 | "path": "../../flakes/private/monitoring", | 2898 | "path": "../../flakes/private/monitoring", |
2899 | "type": "path" | 2899 | "type": "path" |
2900 | }, | 2900 | }, |
@@ -2912,7 +2912,7 @@ | |||
2912 | }, | 2912 | }, |
2913 | "locked": { | 2913 | "locked": { |
2914 | "lastModified": 1, | 2914 | "lastModified": 1, |
2915 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 2915 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
2916 | "path": "../../flakes/private/monitoring", | 2916 | "path": "../../flakes/private/monitoring", |
2917 | "type": "path" | 2917 | "type": "path" |
2918 | }, | 2918 | }, |
@@ -2930,7 +2930,7 @@ | |||
2930 | }, | 2930 | }, |
2931 | "locked": { | 2931 | "locked": { |
2932 | "lastModified": 1, | 2932 | "lastModified": 1, |
2933 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 2933 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
2934 | "path": "../../flakes/private/monitoring", | 2934 | "path": "../../flakes/private/monitoring", |
2935 | "type": "path" | 2935 | "type": "path" |
2936 | }, | 2936 | }, |
@@ -2948,7 +2948,7 @@ | |||
2948 | }, | 2948 | }, |
2949 | "locked": { | 2949 | "locked": { |
2950 | "lastModified": 1, | 2950 | "lastModified": 1, |
2951 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 2951 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
2952 | "path": "../../flakes/private/monitoring", | 2952 | "path": "../../flakes/private/monitoring", |
2953 | "type": "path" | 2953 | "type": "path" |
2954 | }, | 2954 | }, |
@@ -3832,7 +3832,7 @@ | |||
3832 | }, | 3832 | }, |
3833 | "locked": { | 3833 | "locked": { |
3834 | "lastModified": 1, | 3834 | "lastModified": 1, |
3835 | "narHash": "sha256-yqURiQf32DNTy5zfAIatoWwFTqvsGDQd+221BoSfsCY=", | 3835 | "narHash": "sha256-KR4/Na/SqEfg9PNnBLk17lTn4LUU7irZGrgvw7TEUYQ=", |
3836 | "path": "../systems/backup-2", | 3836 | "path": "../systems/backup-2", |
3837 | "type": "path" | 3837 | "type": "path" |
3838 | }, | 3838 | }, |
@@ -3855,7 +3855,7 @@ | |||
3855 | }, | 3855 | }, |
3856 | "locked": { | 3856 | "locked": { |
3857 | "lastModified": 1, | 3857 | "lastModified": 1, |
3858 | "narHash": "sha256-2Q1QywPMmeYtlrSNE869LwUJQjtbRUXbDhNFT4WBRJE=", | 3858 | "narHash": "sha256-7B/UHUhGyJRBRjEms+zI8ZhBAN1vE365GZw2ciJVg1M=", |
3859 | "path": "../systems/dilion", | 3859 | "path": "../systems/dilion", |
3860 | "type": "path" | 3860 | "type": "path" |
3861 | }, | 3861 | }, |
@@ -3903,7 +3903,7 @@ | |||
3903 | }, | 3903 | }, |
3904 | "locked": { | 3904 | "locked": { |
3905 | "lastModified": 1, | 3905 | "lastModified": 1, |
3906 | "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=", | 3906 | "narHash": "sha256-q1+zzXLioBDjua4Omke9ki0hUaW2rtqTMRUXZ/+uHwU=", |
3907 | "path": "../systems/eldiron", | 3907 | "path": "../systems/eldiron", |
3908 | "type": "path" | 3908 | "type": "path" |
3909 | }, | 3909 | }, |
@@ -3929,7 +3929,7 @@ | |||
3929 | }, | 3929 | }, |
3930 | "locked": { | 3930 | "locked": { |
3931 | "lastModified": 1, | 3931 | "lastModified": 1, |
3932 | "narHash": "sha256-Ejc4fEaRV8u1yWV+u4z6F2SAGDBYEubbgRoG7tE3ctM=", | 3932 | "narHash": "sha256-tsZO/C4md/8qRfxIsvVgeMkB0iAEl4IJC5/i8t/li2I=", |
3933 | "path": "../systems/monitoring-1", | 3933 | "path": "../systems/monitoring-1", |
3934 | "type": "path" | 3934 | "type": "path" |
3935 | }, | 3935 | }, |
@@ -3954,7 +3954,7 @@ | |||
3954 | }, | 3954 | }, |
3955 | "locked": { | 3955 | "locked": { |
3956 | "lastModified": 1, | 3956 | "lastModified": 1, |
3957 | "narHash": "sha256-6hR+IuCejk0AIiwggSgrvCQXiRzbF5IiMFr3YqbBwZI=", | 3957 | "narHash": "sha256-UrrTxZeyqV2cFsC3XKVrJoay7LdnE6OTZnBJfimPle4=", |
3958 | "path": "../systems/quatresaisons", | 3958 | "path": "../systems/quatresaisons", |
3959 | "type": "path" | 3959 | "type": "path" |
3960 | }, | 3960 | }, |
@@ -7541,7 +7541,7 @@ | |||
7541 | }, | 7541 | }, |
7542 | "locked": { | 7542 | "locked": { |
7543 | "lastModified": 1, | 7543 | "lastModified": 1, |
7544 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 7544 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
7545 | "path": "../../flakes/private/monitoring", | 7545 | "path": "../../flakes/private/monitoring", |
7546 | "type": "path" | 7546 | "type": "path" |
7547 | }, | 7547 | }, |
@@ -8412,7 +8412,7 @@ | |||
8412 | }, | 8412 | }, |
8413 | "locked": { | 8413 | "locked": { |
8414 | "lastModified": 1, | 8414 | "lastModified": 1, |
8415 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 8415 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
8416 | "path": "./private/monitoring", | 8416 | "path": "./private/monitoring", |
8417 | "type": "path" | 8417 | "type": "path" |
8418 | }, | 8418 | }, |
@@ -2664,7 +2664,7 @@ | |||
2664 | }, | 2664 | }, |
2665 | "locked": { | 2665 | "locked": { |
2666 | "lastModified": 1, | 2666 | "lastModified": 1, |
2667 | "narHash": "sha256-nTSS6oSOmi4T40fXl2o8wfw1/6o2/PP4f8rHtVTGw2s=", | 2667 | "narHash": "sha256-s6HoAgXQrELPNK0BwuMRmJiuAmNN8VvNhhS0K9hYmh4=", |
2668 | "path": "./flakes", | 2668 | "path": "./flakes", |
2669 | "type": "path" | 2669 | "type": "path" |
2670 | }, | 2670 | }, |
@@ -2910,7 +2910,7 @@ | |||
2910 | }, | 2910 | }, |
2911 | "locked": { | 2911 | "locked": { |
2912 | "lastModified": 1, | 2912 | "lastModified": 1, |
2913 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 2913 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
2914 | "path": "../../flakes/private/monitoring", | 2914 | "path": "../../flakes/private/monitoring", |
2915 | "type": "path" | 2915 | "type": "path" |
2916 | }, | 2916 | }, |
@@ -2928,7 +2928,7 @@ | |||
2928 | }, | 2928 | }, |
2929 | "locked": { | 2929 | "locked": { |
2930 | "lastModified": 1, | 2930 | "lastModified": 1, |
2931 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 2931 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
2932 | "path": "../../flakes/private/monitoring", | 2932 | "path": "../../flakes/private/monitoring", |
2933 | "type": "path" | 2933 | "type": "path" |
2934 | }, | 2934 | }, |
@@ -2946,7 +2946,7 @@ | |||
2946 | }, | 2946 | }, |
2947 | "locked": { | 2947 | "locked": { |
2948 | "lastModified": 1, | 2948 | "lastModified": 1, |
2949 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 2949 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
2950 | "path": "../../flakes/private/monitoring", | 2950 | "path": "../../flakes/private/monitoring", |
2951 | "type": "path" | 2951 | "type": "path" |
2952 | }, | 2952 | }, |
@@ -2964,7 +2964,7 @@ | |||
2964 | }, | 2964 | }, |
2965 | "locked": { | 2965 | "locked": { |
2966 | "lastModified": 1, | 2966 | "lastModified": 1, |
2967 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 2967 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
2968 | "path": "../../flakes/private/monitoring", | 2968 | "path": "../../flakes/private/monitoring", |
2969 | "type": "path" | 2969 | "type": "path" |
2970 | }, | 2970 | }, |
@@ -3848,7 +3848,7 @@ | |||
3848 | }, | 3848 | }, |
3849 | "locked": { | 3849 | "locked": { |
3850 | "lastModified": 1, | 3850 | "lastModified": 1, |
3851 | "narHash": "sha256-yqURiQf32DNTy5zfAIatoWwFTqvsGDQd+221BoSfsCY=", | 3851 | "narHash": "sha256-KR4/Na/SqEfg9PNnBLk17lTn4LUU7irZGrgvw7TEUYQ=", |
3852 | "path": "../systems/backup-2", | 3852 | "path": "../systems/backup-2", |
3853 | "type": "path" | 3853 | "type": "path" |
3854 | }, | 3854 | }, |
@@ -3871,7 +3871,7 @@ | |||
3871 | }, | 3871 | }, |
3872 | "locked": { | 3872 | "locked": { |
3873 | "lastModified": 1, | 3873 | "lastModified": 1, |
3874 | "narHash": "sha256-2Q1QywPMmeYtlrSNE869LwUJQjtbRUXbDhNFT4WBRJE=", | 3874 | "narHash": "sha256-7B/UHUhGyJRBRjEms+zI8ZhBAN1vE365GZw2ciJVg1M=", |
3875 | "path": "../systems/dilion", | 3875 | "path": "../systems/dilion", |
3876 | "type": "path" | 3876 | "type": "path" |
3877 | }, | 3877 | }, |
@@ -3919,7 +3919,7 @@ | |||
3919 | }, | 3919 | }, |
3920 | "locked": { | 3920 | "locked": { |
3921 | "lastModified": 1, | 3921 | "lastModified": 1, |
3922 | "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=", | 3922 | "narHash": "sha256-q1+zzXLioBDjua4Omke9ki0hUaW2rtqTMRUXZ/+uHwU=", |
3923 | "path": "../systems/eldiron", | 3923 | "path": "../systems/eldiron", |
3924 | "type": "path" | 3924 | "type": "path" |
3925 | }, | 3925 | }, |
@@ -3945,7 +3945,7 @@ | |||
3945 | }, | 3945 | }, |
3946 | "locked": { | 3946 | "locked": { |
3947 | "lastModified": 1, | 3947 | "lastModified": 1, |
3948 | "narHash": "sha256-Ejc4fEaRV8u1yWV+u4z6F2SAGDBYEubbgRoG7tE3ctM=", | 3948 | "narHash": "sha256-tsZO/C4md/8qRfxIsvVgeMkB0iAEl4IJC5/i8t/li2I=", |
3949 | "path": "../systems/monitoring-1", | 3949 | "path": "../systems/monitoring-1", |
3950 | "type": "path" | 3950 | "type": "path" |
3951 | }, | 3951 | }, |
@@ -3970,7 +3970,7 @@ | |||
3970 | }, | 3970 | }, |
3971 | "locked": { | 3971 | "locked": { |
3972 | "lastModified": 1, | 3972 | "lastModified": 1, |
3973 | "narHash": "sha256-6hR+IuCejk0AIiwggSgrvCQXiRzbF5IiMFr3YqbBwZI=", | 3973 | "narHash": "sha256-UrrTxZeyqV2cFsC3XKVrJoay7LdnE6OTZnBJfimPle4=", |
3974 | "path": "../systems/quatresaisons", | 3974 | "path": "../systems/quatresaisons", |
3975 | "type": "path" | 3975 | "type": "path" |
3976 | }, | 3976 | }, |
@@ -7557,7 +7557,7 @@ | |||
7557 | }, | 7557 | }, |
7558 | "locked": { | 7558 | "locked": { |
7559 | "lastModified": 1, | 7559 | "lastModified": 1, |
7560 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 7560 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
7561 | "path": "../../flakes/private/monitoring", | 7561 | "path": "../../flakes/private/monitoring", |
7562 | "type": "path" | 7562 | "type": "path" |
7563 | }, | 7563 | }, |
@@ -8428,7 +8428,7 @@ | |||
8428 | }, | 8428 | }, |
8429 | "locked": { | 8429 | "locked": { |
8430 | "lastModified": 1, | 8430 | "lastModified": 1, |
8431 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 8431 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
8432 | "path": "./private/monitoring", | 8432 | "path": "./private/monitoring", |
8433 | "type": "path" | 8433 | "type": "path" |
8434 | }, | 8434 | }, |
diff --git a/flakes/flake.lock b/flakes/flake.lock index 751316c..090ef48 100644 --- a/flakes/flake.lock +++ b/flakes/flake.lock | |||
@@ -2815,7 +2815,7 @@ | |||
2815 | }, | 2815 | }, |
2816 | "locked": { | 2816 | "locked": { |
2817 | "lastModified": 1, | 2817 | "lastModified": 1, |
2818 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 2818 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
2819 | "path": "../../flakes/private/monitoring", | 2819 | "path": "../../flakes/private/monitoring", |
2820 | "type": "path" | 2820 | "type": "path" |
2821 | }, | 2821 | }, |
@@ -2833,7 +2833,7 @@ | |||
2833 | }, | 2833 | }, |
2834 | "locked": { | 2834 | "locked": { |
2835 | "lastModified": 1, | 2835 | "lastModified": 1, |
2836 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 2836 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
2837 | "path": "../../flakes/private/monitoring", | 2837 | "path": "../../flakes/private/monitoring", |
2838 | "type": "path" | 2838 | "type": "path" |
2839 | }, | 2839 | }, |
@@ -2851,7 +2851,7 @@ | |||
2851 | }, | 2851 | }, |
2852 | "locked": { | 2852 | "locked": { |
2853 | "lastModified": 1, | 2853 | "lastModified": 1, |
2854 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 2854 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
2855 | "path": "../../flakes/private/monitoring", | 2855 | "path": "../../flakes/private/monitoring", |
2856 | "type": "path" | 2856 | "type": "path" |
2857 | }, | 2857 | }, |
@@ -2869,7 +2869,7 @@ | |||
2869 | }, | 2869 | }, |
2870 | "locked": { | 2870 | "locked": { |
2871 | "lastModified": 1, | 2871 | "lastModified": 1, |
2872 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 2872 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
2873 | "path": "../../flakes/private/monitoring", | 2873 | "path": "../../flakes/private/monitoring", |
2874 | "type": "path" | 2874 | "type": "path" |
2875 | }, | 2875 | }, |
@@ -3753,7 +3753,7 @@ | |||
3753 | }, | 3753 | }, |
3754 | "locked": { | 3754 | "locked": { |
3755 | "lastModified": 1, | 3755 | "lastModified": 1, |
3756 | "narHash": "sha256-yqURiQf32DNTy5zfAIatoWwFTqvsGDQd+221BoSfsCY=", | 3756 | "narHash": "sha256-KR4/Na/SqEfg9PNnBLk17lTn4LUU7irZGrgvw7TEUYQ=", |
3757 | "path": "../systems/backup-2", | 3757 | "path": "../systems/backup-2", |
3758 | "type": "path" | 3758 | "type": "path" |
3759 | }, | 3759 | }, |
@@ -3776,7 +3776,7 @@ | |||
3776 | }, | 3776 | }, |
3777 | "locked": { | 3777 | "locked": { |
3778 | "lastModified": 1, | 3778 | "lastModified": 1, |
3779 | "narHash": "sha256-2Q1QywPMmeYtlrSNE869LwUJQjtbRUXbDhNFT4WBRJE=", | 3779 | "narHash": "sha256-7B/UHUhGyJRBRjEms+zI8ZhBAN1vE365GZw2ciJVg1M=", |
3780 | "path": "../systems/dilion", | 3780 | "path": "../systems/dilion", |
3781 | "type": "path" | 3781 | "type": "path" |
3782 | }, | 3782 | }, |
@@ -3824,7 +3824,7 @@ | |||
3824 | }, | 3824 | }, |
3825 | "locked": { | 3825 | "locked": { |
3826 | "lastModified": 1, | 3826 | "lastModified": 1, |
3827 | "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=", | 3827 | "narHash": "sha256-q1+zzXLioBDjua4Omke9ki0hUaW2rtqTMRUXZ/+uHwU=", |
3828 | "path": "../systems/eldiron", | 3828 | "path": "../systems/eldiron", |
3829 | "type": "path" | 3829 | "type": "path" |
3830 | }, | 3830 | }, |
@@ -3850,7 +3850,7 @@ | |||
3850 | }, | 3850 | }, |
3851 | "locked": { | 3851 | "locked": { |
3852 | "lastModified": 1, | 3852 | "lastModified": 1, |
3853 | "narHash": "sha256-Ejc4fEaRV8u1yWV+u4z6F2SAGDBYEubbgRoG7tE3ctM=", | 3853 | "narHash": "sha256-tsZO/C4md/8qRfxIsvVgeMkB0iAEl4IJC5/i8t/li2I=", |
3854 | "path": "../systems/monitoring-1", | 3854 | "path": "../systems/monitoring-1", |
3855 | "type": "path" | 3855 | "type": "path" |
3856 | }, | 3856 | }, |
@@ -3875,7 +3875,7 @@ | |||
3875 | }, | 3875 | }, |
3876 | "locked": { | 3876 | "locked": { |
3877 | "lastModified": 1, | 3877 | "lastModified": 1, |
3878 | "narHash": "sha256-6hR+IuCejk0AIiwggSgrvCQXiRzbF5IiMFr3YqbBwZI=", | 3878 | "narHash": "sha256-UrrTxZeyqV2cFsC3XKVrJoay7LdnE6OTZnBJfimPle4=", |
3879 | "path": "../systems/quatresaisons", | 3879 | "path": "../systems/quatresaisons", |
3880 | "type": "path" | 3880 | "type": "path" |
3881 | }, | 3881 | }, |
@@ -7384,7 +7384,7 @@ | |||
7384 | }, | 7384 | }, |
7385 | "locked": { | 7385 | "locked": { |
7386 | "lastModified": 1, | 7386 | "lastModified": 1, |
7387 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 7387 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
7388 | "path": "../../flakes/private/monitoring", | 7388 | "path": "../../flakes/private/monitoring", |
7389 | "type": "path" | 7389 | "type": "path" |
7390 | }, | 7390 | }, |
@@ -8294,7 +8294,7 @@ | |||
8294 | }, | 8294 | }, |
8295 | "locked": { | 8295 | "locked": { |
8296 | "lastModified": 1, | 8296 | "lastModified": 1, |
8297 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 8297 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
8298 | "path": "./private/monitoring", | 8298 | "path": "./private/monitoring", |
8299 | "type": "path" | 8299 | "type": "path" |
8300 | }, | 8300 | }, |
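--- a/flakes/private/monitoring/myplugins.nix
+++ b/flakes/private/monitoring/myplugins.nix
@@ -69,8 +69,31 @@ in
 dns = {
 commands = {
 check_dns = "$USER1$/check_dns -H $ARG1$ -s $HOSTADDRESS$ $ARG2$";
+check_dns_soa = "$USER2$/check_dns_soa -H $ARG1$ -z $ARG2$ -M $ARG3$";
+check_dnssec = "$USER2$/check_dnssec -z $ARG1$";
 check_external_dns = "$USER1$/check_dns -H $ARG2$ -s $ARG1$ $ARG3$";
 };
+chunk = let
+soa_plugin = pkgs.fetchurl {
+name = "check_dns_soa";
+url = "https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=1429&cf_id=24";
+sha256 = "sha256-Yy4XO19Fb7WdHZZmhUfyyAGBnxJyFWwc7U3HiWyE8wc=";
+};
+in ''
+cp ${./plugins}/check_dnssec $out/
+patchShebangs $out/check_dnssec
+wrapProgram $out/check_dnssec --prefix PATH : ${lib.makeBinPath [
+pkgs.bind.dnsutils pkgs.gnugrep pkgs.gawk pkgs.which pkgs.coreutils
+]}
+
+cp ${soa_plugin} $out/check_dns_soa
+chmod +xw $out/check_dns_soa
+patchShebangs $out/check_dns_soa
+sed -i -e 's/^use utils qw.*$/my %ERRORS = ("OK" => 0, "WARNING" => 1, "CRITICAL" => 2, "UNKNOWN" => 3);my $TIMEOUT = 10;/' -e '/^use lib /d' $out/check_dns_soa
+wrapProgram $out/check_dns_soa --prefix PERL5LIB : ${pkgs.perlPackages.makePerlPath [
+pkgs.perlPackages.NetDNS
+]}
+'';
 };
 mdadm = {
 commands = {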
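Review bot: `check_dnssec` on line 73 is registered with only `-z $ARG1$`, so the wrapped script runs with its built-in defaults: it queries Google's 8.8.8.8 as resolver and uses dnssec-failed.org as the canary for "does this resolver validate". The monitoring verdict therefore reflects a third party's resolver view of the zone, and the check degrades to WARNING whenever the monitoring host cannot reach 8.8.8.8 or that canary domain, neither of which is visible from the Nix side. Consider `check_dnssec = "$USER2$/check_dnssec -z $ARG1$ -r $ARG2$";` so each service names the validating resolver it is meant to test against, or at least a comment above the line stating the defaults. The `sed` on line 92 rewrites the downloaded Perl plugin in place; a one-line comment such as `# replace the Nagios 'utils' module: inline %ERRORS/$TIMEOUT and drop 'use lib'` would spare the next reader from decoding the expression.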
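--- /dev/null
+++ b/flakes/private/monitoring/plugins/check_dnssec
@@ -0,0 +1,195 @@
+#!/usr/bin/env bash
+
+# check_dnssec_expiry.sh
+#
+# Copyright 2017 by Mario Rimann <mario@rimann.org>
+# Licensed under the permissive MIT license, see LICENSE.md
+#
+# Development of this script was partially sponsored by my
+# employer internezzo, see http://www.internezzo.ch
+#
+# If this script helps you to make your work easier, please consider
+# to give feedback or do something good, see https://rimann.org/support
+
+usage() {
+cat - >&2 << _EOT_
+usage $0 -z <zone> [-w <warning %>] [-c <critical %>] [-r <resolver>] [-f <always failing domain>]
+
+-z <zone>
+specify zone to check
+-w <critical %>
+warning time left percentage
+-c <critical %>
+critical time left percentage
+-r <resolver>
+specify which resolver to use.
+-f <always failing domain>
+specify a domain that will always fail DNSSEC.
+used to test if DNSSEC is supported in used tools.
+-t <DNS record type to check>
+specify a DNS record type for calculating the remaining lifetime.
+For example SOA, A, etc.
+_EOT_
+exit 255
+}
+
+# Parse the input options
+while getopts ":z:w:c:r:f:h:t:" opt; do
+case $opt in
+z)
+zone=$OPTARG
+;;
+w)
+warning=$OPTARG
+;;
+c)
+critical=$OPTARG
+;;
+r)
+resolver=$OPTARG
+;;
+f)
+alwaysFailingDomain=$OPTARG
+;;
+t)
+recordType=$OPTARG
+;;
+h)
+usage ;;
+esac
+done
+
+
+# Check if dig is available at all - fail hard if not
+pathToDig=$( which dig )
+if [[ ! -e $pathToDig ]]; then
+echo "No executable of dig found, cannot proceed without dig. Sorry!"
+exit 1
+fi
+
+# Check if we got a zone to validate - fail hard if not
+if [[ -z $zone ]]; then
+echo "Missing zone to test - please provide a zone via the -z parameter."
+usage
+exit 3
+fi
+
+# Check if we got warning/critical percentage values, use defaults if not
+if [[ -z $warning ]]; then
+warning=20
+fi
+if [[ -z $critical ]]; then
+critical=10
+fi
+
+
+# Use Google's 8.8.8.8 resolver as fallback if none is provided
+if [[ -z $resolver ]]; then
+resolver="8.8.8.8"
+fi
+
+if [[ -z $alwaysFailingDomain ]]; then
+alwaysFailingDomain="dnssec-failed.org"
+fi
+
+# Use SOA record type as fallback
+if [[ -z $recordType ]]; then
+recordType="SOA"
+fi
+
+# Check the resolver to properly validate DNSSEC at all (if he doesn't, every further test is futile and a waste of bandwith)
+checkResolverDoesDnssecValidation=$(dig +nocmd +nostats +noquestion $alwaysFailingDomain @${resolver} | grep "opcode: QUERY" | grep "status: SERVFAIL")
+if [[ -z $checkResolverDoesDnssecValidation ]]; then
+echo "WARNING: Resolver seems to not validate DNSSEC signatures - going further seems hopeless right now."
+exit 1
+fi
+
+# Check if the resolver delivers an answer for the domain to test
+checkDomainResolvableWithDnssecEnabledResolver=$(dig +short @${resolver} SOA $zone)
+if [[ -z $checkDomainResolvableWithDnssecEnabledResolver ]]; then
+
+checkDomainResolvableWithDnssecValidationExplicitelyDisabled=$(dig +short @${resolver} SOA $zone +cd)
+
+if [[ ! -z $checkDomainResolvableWithDnssecValidationExplicitelyDisabled ]]; then
+echo "CRITICAL: The domain $zone can be validated without DNSSEC validation - but will fail on resolvers that do validate DNSSEC."
+exit 2
+else
+echo "CRITICAL: The domain $zone cannot be resolved via $resolver as resolver while DNSSEC validation is active."
+exit 2
+fi
+fi
+
+# Check if the domain is DNSSEC signed at all
+# (and emerge a WARNING in that case, since this check is about testing DNSSEC being "present" and valid which is not the case for an unsigned zone)
+checkZoneItselfIsSignedAtAll=$( dig $zone @$resolver DS +short )
+if [[ -z $checkZoneItselfIsSignedAtAll ]]; then
+echo "WARNING: Zone $zone seems to be unsigned itself (= resolvable, but no DNSSEC involved at all)"
+exit 1
+fi
+
+
+# Check if there are multiple RRSIG responses and check them one after the other
+now=$(date +"%s")
+rrsigEntries=$( dig @$resolver $recordType $zone +dnssec | grep RRSIG )
+if [[ -z $rrsigEntries ]]; then
+echo "CRITICAL: There is no RRSIG for the SOA of your zone."
+exit 2
+else
+while read -r rrsig; do
+# Get the RRSIG entry and extract the date out of it
+expiryDateOfSignature=$( echo $rrsig | awk '{print $9}')
+checkValidityOfExpirationTimestamp=$( echo $expiryDateOfSignature | egrep '[0-9]{14}')
+if [[ -z $checkValidityOfExpirationTimestamp ]]; then
+echo "UNKNOWN: Something went wrong while checking the expiration of the RRSIG entry - investigate please".
+exit 3
+fi
+
+inceptionDateOfSignature=$( echo $rrsig | awk '{print $10}')
+checkValidityOfInceptionTimestamp=$( echo $inceptionDateOfSignature | egrep '[0-9]{14}')
+if [[ -z $checkValidityOfInceptionTimestamp ]]; then
+echo "UNKNOWN: Something went wrong while checking the inception date of the RRSIG entry - investigate please".
+exit 3
+fi
+
+# Fiddle out the expiry and inceptiondate of the signature to have a base to do some calculations afterwards
+expiryDateAsString="${expiryDateOfSignature:0:4}-${expiryDateOfSignature:4:2}-${expiryDateOfSignature:6:2} ${expiryDateOfSignature:8:2}:${expiryDateOfSignature:10:2}:00"
+expiryDateOfSignatureAsUnixTime=$( date -u -d "$expiryDateAsString" +"%s" 2>/dev/null )
+if [[ $? -ne 0 ]]; then
+# if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
+expiryDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$expiryDateAsString" +"%s" )
+fi
+inceptionDateAsString="${inceptionDateOfSignature:0:4}-${inceptionDateOfSignature:4:2}-${inceptionDateOfSignature:6:2} ${inceptionDateOfSignature:8:2}:${inceptionDateOfSignature:10:2}:00"
+inceptionDateOfSignatureAsUnixTime=$( date -u -d "$inceptionDateAsString" +"%s" 2>/dev/null )
+if [[ $? -ne 0 ]]; then
+# if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
+inceptionDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$inceptionDateAsString" +"%s" )
+fi
+
+
+# calculate the remaining lifetime of the signature
+totalLifetime=$( expr $expiryDateOfSignatureAsUnixTime - $inceptionDateOfSignatureAsUnixTime)
+remainingLifetimeOfSignature=$( expr $expiryDateOfSignatureAsUnixTime - $now)
+remainingPercentage=$( expr "100" \* $remainingLifetimeOfSignature / $totalLifetime)
+
+# store the result of this single RRSIG's check
+if [[ -z $maxRemainingLifetime || $remainingLifetimeOfSignature -gt $maxRemainingLifetime ]]; then
+maxRemainingLifetime=$remainingLifetimeOfSignature
+maxRemainingPercentage=$remainingPercentage
+fi
+done <<< "$rrsigEntries"
+fi
+
+
+
+
+# determine if we need to alert, and if so, how loud to cry, depending on warning/critial threshholds provided
+if [[ $maxRemainingPercentage -lt $critical ]]; then
+echo "CRITICAL: DNSSEC signature for $zone is very short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+exit 2
+elif [[ $remainingPercentage -lt $warning ]]; then
+echo "WARNING: DNSSEC signature for $zone is short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+exit 1
+else
+echo "OK: DNSSEC signatures for $zone seem to be valid and not expired ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+exit 0
+fi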
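Review bot: The WARNING test on line 189 and the `sig_lifetime_percentage` perfdata on lines 187, 190 and 193 read `$remainingPercentage`, which after the loop holds the value of whichever RRSIG line was processed last, whereas the CRITICAL test on line 186 and the bookkeeping on lines 175-178 use the per-signature maximum. With more than one RRSIG in the output (several signatures during a key rollover, or `grep RRSIG` on line 133 possibly matching signatures from other sections of the dig response) the WARNING decision and the graphed value can describe a different signature than the CRITICAL decision. Change line 189 to `elif [[ $maxRemainingPercentage -lt $warning ]]; then` and the perfdata field in the three echo lines to `sig_lifetime_percentage=$maxRemainingPercentage%`. Separately, `egrep` on lines 141 and 148 is flagged as obsolescent by recent GNU grep and emits a warning on stderr; `grep -E` is the drop-in replacement.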
diff --git a/systems/backup-2/flake.lock b/systems/backup-2/flake.lock index 919a027..3ca1baf 100644 --- a/systems/backup-2/flake.lock +++ b/systems/backup-2/flake.lock | |||
@@ -389,7 +389,7 @@ | |||
389 | }, | 389 | }, |
390 | "locked": { | 390 | "locked": { |
391 | "lastModified": 1, | 391 | "lastModified": 1, |
392 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 392 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
393 | "path": "../../flakes/private/monitoring", | 393 | "path": "../../flakes/private/monitoring", |
394 | "type": "path" | 394 | "type": "path" |
395 | }, | 395 | }, |
diff --git a/systems/dilion/flake.lock b/systems/dilion/flake.lock index b6aef70..bd3cdd9 100644 --- a/systems/dilion/flake.lock +++ b/systems/dilion/flake.lock | |||
@@ -207,7 +207,7 @@ | |||
207 | }, | 207 | }, |
208 | "locked": { | 208 | "locked": { |
209 | "lastModified": 1, | 209 | "lastModified": 1, |
210 | "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=", | 210 | "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=", |
211 | "path": "../../flakes/private/monitoring", | 211 | "path": "../../flakes/private/monitoring", |
212 | "type": "path" | 212 | "type": "path" |
213 | }, | 213 | }, |
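--- a/systems/eldiron/dns.nix
+++ b/systems/eldiron/dns.nix
@@ -1,4 +1,18 @@
 { lib, pkgs, config, dns-nix, ... }:
+let
+zonesWithDNSSec = lib.filterAttrs (k: v: v.dnssec.enable) config.myServices.dns.zones;
+zoneToFile = name: v: pkgs.runCommand "${name}.zone" {
+text = v;
+passAsFile = [ "text" ];
+# Automatically change the increment when relevant change
+# happened (both serial and mta-sts)
+} ''
+mv "$textPath" $out
+increment=$(( 100*($(date -u +%-H) * 60 + $(date -u +%-M))/1440 ))
+sed -i -e "s/2022121902/$(date -u +%Y%m%d)$increment/g" $out
+sed -i -e "s/20200109150200Z/$(date -u +%Y%m%d%H%M%SZ)/g" $out
+'';
+in
 {
 options.myServices.dns = {
 enable = lib.mkEnableOption "enable DNS resolver";
@@ -11,7 +25,10 @@
 servers = config.myEnv.servers;
 ips = i: { A = i.ip4; AAAA = i.ip6; };
 letsencrypt = [ { tag = "issue"; value = "letsencrypt.org"; issuerCritical = false; } ];
-toKV = a: builtins.concatStringsSep ";" (builtins.attrValues (builtins.mapAttrs (n: v: "${n}=${v}") a));
+toKV = a: let
+removeOrder = n: lib.last (builtins.split "__" n);
+in
+builtins.concatStringsSep ";" (builtins.attrValues (builtins.mapAttrs (n: v: "${removeOrder n}=${v}") a));
 mailMX = {
 hasEmail = true;
 subdomains = let
@@ -24,10 +41,10 @@
 SOA = {
 # yyyymmdd?? (increment ?? at each change)
 serial = 2022121902; # Don't change this value, it is replaced automatically!
-refresh = 10800;
-retry = 3600;
-expire = 604800;
-minimum = 10800; # negative cache ttl
+refresh = 3*60*60;
+retry = 60*60;
+expire = 14*24*60*60;
+minimum = 3*60*60; # negative cache ttl
 adminEmail = "hostmaster@immae.eu"; #email-address s/@/./
 nameServer = "ns1.immae.eu.";
 };
@@ -42,7 +59,7 @@
 (toKV config.myEnv.mail.dkim.immae_eu.public)
 ];
 };
-mailCommon = name: {
+mailCommon = name: quarantine: {
 MX = let
 mxes = lib.filterAttrs (n: v: v ? mx && v.mx.enable) servers;
 in
@@ -65,16 +82,17 @@
 # MTA-STS
 # https://blog.delouw.ch/2018/12/16/using-mta-sts-to-enhance-email-transport-security-and-privacy/
 # https://support.google.com/a/answer/9261504
-_mta-sts.TXT = [ (toKV { v = "STSv1"; id = "20200109150200Z"; }) ]; # Don't change this value, it is updated automatically!
-_tls.subdomains._smtp.TXT = [ (toKV { v = "TLSRPTv1"; "rua" = "mailto:postmaster+mta-sts@immae.eu"; }) ];
+_mta-sts.TXT = [ (toKV { _00__v = "STSv1"; id = "20200109150200Z"; }) ]; # Don't change this value, it is updated automatically!
+_tls.subdomains._smtp.TXT = [ (toKV { _00__v = "TLSRPTv1"; rua = "mailto:postmaster+mta-sts@immae.eu"; }) ];
 mta-sts = ips servers.eldiron.ips.main;
 
 # DMARC
-_dmarc.TXT = [ (toKV { v = "DMARC1"; p = "none"; adkim = "r"; aspf = "r"; fo = "1"; rua = "mailto:postmaster+rua@immae.eu"; ruf = "mailto:postmaster+ruf@immae.eu"; }) ];
+# p needs to be the first tag
+_dmarc.TXT = [ (toKV { _00__v = "DMARC1"; _01__p = if quarantine then "quarantine" else "none"; adkim = "s"; aspf = "s"; fo = "1"; rua = "mailto:postmaster+rua@immae.eu"; ruf = "mailto:postmaster+ruf@immae.eu"; }) ];
 };
 
 # SPF
-TXT = [ (toKV { v = "spf1 mx ~all"; }) ];
+TXT = [ (toKV { _00__v = "spf1 mx ~all"; }) ];
 };
 };
 };
@@ -83,6 +101,14 @@
 dns-nix.lib.types.zone.getSubModules ++ [
 ({ name, ... }: {
 options = {
+dnssec = lib.mkOption {
+default.enable = false;
+type = lib.types.submodule {
+options = {
+enable = lib.mkEnableOption "Configure dnssec for this domain";
+};
+};
+};
 hasEmail = lib.mkEnableOption "This domain has e-mails configuration";
 emailPolicies = lib.mkOption {
 default = {};
@@ -154,12 +180,18 @@
 zoneHeader
 (ips servers.eldiron.ips.main)
 {
-ns = [ "immae" ];
+dnssec.enable = true;
+ns = [ "immae" "raito" ];
 CAA = letsencrypt;
+extraConfig = ''
+notify yes;
+'';
+slaves = [ "raito" ];
 }
 ];
 "immae.dev" = lib.mkMerge [
 {
+dnssec.enable = true;
 extraConfig = ''
 notify yes;
 '';
@@ -174,6 +206,7 @@
 ];
 "immae.eu" = lib.mkMerge [
 {
+dnssec.enable = true;
 extraConfig = ''
 notify yes;
 '';
@@ -182,7 +215,10 @@
 zoneHeader
 (ips servers.eldiron.ips.production)
 {
-ns = [ "immae" "raito" ];
+ns = [ "immae" ];
+# Cannot put ns2.immae.eu as glue record as it takes ages to propagate.
+# And gandi only accepts NS records with glues in their interface
+NS = [ "kurisu.dual.lahfa.xyz." ];
 CAA = letsencrypt;
 
 # ns1 has glue records in gandi.net
@@ -194,9 +230,9 @@
 {
 # Machines local users
 emailPolicies.localhost.receive = false;
-subdomains.localhost = lib.mkMerge [ (mailCommon "immae.eu") mailSend ];
+subdomains.localhost = lib.mkMerge [ (mailCommon "immae.eu" true) mailSend ];
 emailPolicies.eldiron.receive = true;
-subdomains.eldiron = lib.mkMerge [ (mailCommon "immae.eu") mailSend ];
+subdomains.eldiron = lib.mkMerge [ (mailCommon "immae.eu" true) mailSend ];
 }
 {
 # For each server "server" and each server ip group "ipgroup",
@@ -248,23 +284,24 @@
 zones =
 builtins.mapAttrs (name: v: {
 master = true;
-extraConfig = v.extraConfig;
+extraConfig = v.extraConfig + lib.optionalString v.dnssec.enable ''
+key-directory "/var/lib/named/dnssec_keys";
+dnssec-policy default;
+inline-signing yes;
+'';
 masters = [];
 slaves =
 lib.flatten (map (n: builtins.attrValues config.myEnv.dns.ns.${n}) v.slaves);
-file = pkgs.runCommand "${name}.zone" {
-text = v;
-passAsFile = [ "text" ];
-# Automatically change the increment when relevant change
-# happened (both serial and mta-sts)
-} ''
-mv "$textPath" $out
-increment=$(( 100*($(date -u +%-H) * 60 + $(date -u +%-M))/1440 ))
-sed -i -e "s/2022121902/$(date -u +%Y%m%d)$increment/g" $out
-sed -i -e "s/20200109150200Z/$(date -u +%Y%m%d%H%M%SZ)/g" $out
-'';
+file = if v.dnssec.enable then "/var/run/named/dnssec-${name}.zone" else zoneToFile name v;
 }) config.myServices.dns.zones;
 };
+systemd.services.bind.serviceConfig.StateDirectory = "named";
+systemd.services.bind.preStart = lib.mkAfter
+(builtins.concatStringsSep "\n" (lib.mapAttrsToList (name: v: ''
+install -m444 ${zoneToFile name v} /var/run/named/dnssec-${name}.zone
+'') zonesWithDNSSec) + ''
+install -dm755 -o named /var/lib/named/dnssec_keys
+'');
 myServices.monitoring.fromMasterActivatedPlugins = [ "dns" ];
 myServices.monitoring.fromMasterObjects.service = lib.mkMerge (lib.mapAttrsToList (name: z:
 lib.optional (builtins.elem "immae" z.ns) {
@@ -276,14 +313,34 @@
 servicegroups = "webstatus-dns";
 _webstatus_name = name;
 } ++
-lib.optional (builtins.elem "raito" z.ns) {
-service_description = "raito dns is active and authoritative for ${name}";
+lib.optionals (builtins.elem "raito" z.ns) [
+{
+service_description = "raito dns is active and authoritative for ${name}";
+host_name = config.hostEnv.fqdn;
+use = "dns-service";
+check_command = ["check_external_dns" "kurisu.dual.lahfa.xyz" name "-A"];
+
+servicegroups = "webstatus-dns";
+_webstatus_name = "${name} (Secondary DNS Raito)";
+}
+{
+service_description = "raito dns is up to date for ${name}";
+host_name = config.hostEnv.fqdn;
+use = "dns-service";
+check_command = ["check_dns_soa" "kurisu.dual.lahfa.xyz" name config.hostEnv.fqdn];
+
+servicegroups = "webstatus-dns";
+_webstatus_name = "${name} (Secondary DNS Raito up to date)";
+}
+] ++
+lib.optional z.dnssec.enable {
+service_description = "DNSSEC is active and not expired for ${name}";
 host_name = config.hostEnv.fqdn;
 use = "dns-service";
-check_command = ["check_external_dns" "kurisu.dual.lahfa.xyz" name "-A"];
+check_command = ["check_dnssec" name];
 
 servicegroups = "webstatus-dns";
-_webstatus_name = "${name} (Secondary DNS Raito)";
+_webstatus_name = "${name} (DNSSEC)";
 }
 ) config.myServices.dns.zones);
 };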
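Review bot: The directory that will hold the private signing keys is created world-listable in the preStart hunk, `install -dm755 -o named /var/lib/named/dnssec_keys`, although nothing but the named user (which the service drops to, if I read the NixOS bind unit correctly) ever needs to read it; `install -dm700 -o named /var/lib/named/dnssec_keys` is the safer default, and the key files are also the only DNSSEC state that must survive a reboot, since the zone copied into /var/run is rebuilt from them at every start, so that directory belongs in the backup set. The `dnssec-policy default;` line also deserves a comment, because the built-in policy generates and rolls the keys on its own but does nothing at the parent: the zone validates only once its DS record is published at the registrar, so something like `# keys are generated automatically by named; the DS record still has to be published at the registrar` next to it would spare the next reader a bogus zone. The enclosing `config = ...` block starts and ends outside this hunk.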
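--- a/systems/eldiron/ejabberd/default.nix
+++ b/systems/eldiron/ejabberd/default.nix
@@ -25,7 +25,7 @@ in
 }
 zoneHeader
 mailMX
-(mailCommon "immae.fr")
+(mailCommon "immae.fr" true)
 (ips servers.eldiron.ips.main)
 {
 ns = [ "immae" "raito" ];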
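Review bot: The new second argument to mailCommon is a bare positional boolean, so `(mailCommon "immae.fr" true)` gives a reader no hint that `true` selects DMARC `p=quarantine`; the same applies to the call sites in systems/eldiron/mail/postfix.nix, systems/eldiron/mail/sympa.nix (which passes `false`) and systems/eldiron/websites/tools/default.nix. Without touching the signature, a trailing comment such as `(mailCommon "immae.fr" true) # true: DMARC p=quarantine` at each call site would do; an attrset parameter like `{ quarantine = true; }` would make it self-describing but means changing the definition in systems/eldiron/dns.nix. The `myServices.dns.zones` attribute this call sits in starts outside the hunk.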
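--- a/systems/eldiron/flake.lock
+++ b/systems/eldiron/flake.lock
@@ -2038,7 +2038,7 @@
 },
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+"narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
 "path": "../../flakes/private/monitoring",
 "type": "path"
 },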
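--- a/systems/eldiron/mail/postfix.nix
+++ b/systems/eldiron/mail/postfix.nix
@@ -12,7 +12,7 @@ in
 config = lib.mkIf config.myServices.mail.enable {
 myServices.dns.zones."immae.eu" = with config.myServices.dns.helpers; lib.mkMerge [
 mailMX
-(mailCommon "immae.eu")
+(mailCommon "immae.eu" true)
 mailSend
 {
 # Virtual forwards and mailboxes for real users
@@ -22,7 +22,7 @@ in
 # system virtual mailboxes:
 # devnull, printer, testconnect
 emailPolicies."".receive = true;
-subdomains.mail = lib.mkMerge [ (mailCommon "immae.eu") mailSend ];
+subdomains.mail = lib.mkMerge [ (mailCommon "immae.eu" true) mailSend ];
 subdomains.smtp = ips servers.eldiron.ips.main;
 
 # DMARC reports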
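--- a/systems/eldiron/mail/sympa.nix
+++ b/systems/eldiron/mail/sympa.nix
@@ -9,7 +9,7 @@ in
 myServices.dns.zones."immae.eu".subdomains.lists =
 with config.myServices.dns.helpers; lib.mkMerge [
 (ips servers.eldiron.ips.main)
-(mailCommon "immae.eu")
+(mailCommon "immae.eu" false)
 mailSend
 ];
 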
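--- a/systems/eldiron/websites/tools/default.nix
+++ b/systems/eldiron/websites/tools/default.nix
@@ -91,7 +91,7 @@ in {
 {
 outils = ips servers.eldiron.ips.main;
 tools = lib.mkMerge [
-(mailCommon "immae.eu")
+(mailCommon "immae.eu" true)
 mailSend
 (ips servers.eldiron.ips.main)
 ];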
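--- a/systems/monitoring-1/flake.lock
+++ b/systems/monitoring-1/flake.lock
@@ -277,7 +277,7 @@
 },
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+"narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
 "path": "../../flakes/private/monitoring",
 "type": "path"
 },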
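--- a/systems/quatresaisons/flake.lock
+++ b/systems/quatresaisons/flake.lock
@@ -239,7 +239,7 @@
 },
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+"narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
 "path": "../../flakes/private/monitoring",
 "type": "path"
 },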