Add dnssec

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2023-10-10 10:44:24 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2023-10-12 00:24:46 +0200
commit: 97787a9dd8b136c8dc327fab42aedf2aa1109ec0 (patch)
tree: 4b7ea0d889a4c2c27bfec351693995f1fcba2bbb
parent: 450e0db1a1ad900f93519c00f0ef132ec42a3728 (diff)
download: Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.gz
Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.zst
Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.zip
15 files changed, 350 insertions, 75 deletions
diff --git a/deploy/flake.lock b/deploy/flake.lock
index 5cdf632..99a99c0 100644
--- a/deploy/flake.lock
+++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-nTSS6oSOmi4T40fXl2o8wfw1/6o2/PP4f8rHtVTGw2s=",
+        "narHash": "sha256-s6HoAgXQrELPNK0BwuMRmJiuAmNN8VvNhhS0K9hYmh4=",
        "path": "../flakes",
        "type": "path"
      },
@@ -2894,7 +2894,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -2912,7 +2912,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -2930,7 +2930,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -2948,7 +2948,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -3832,7 +3832,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-yqURiQf32DNTy5zfAIatoWwFTqvsGDQd+221BoSfsCY=",
+        "narHash": "sha256-KR4/Na/SqEfg9PNnBLk17lTn4LUU7irZGrgvw7TEUYQ=",
        "path": "../systems/backup-2",
        "type": "path"
      },
@@ -3855,7 +3855,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-2Q1QywPMmeYtlrSNE869LwUJQjtbRUXbDhNFT4WBRJE=",
+        "narHash": "sha256-7B/UHUhGyJRBRjEms+zI8ZhBAN1vE365GZw2ciJVg1M=",
        "path": "../systems/dilion",
        "type": "path"
      },
@@ -3903,7 +3903,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=",
+        "narHash": "sha256-q1+zzXLioBDjua4Omke9ki0hUaW2rtqTMRUXZ/+uHwU=",
        "path": "../systems/eldiron",
        "type": "path"
      },
@@ -3929,7 +3929,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-Ejc4fEaRV8u1yWV+u4z6F2SAGDBYEubbgRoG7tE3ctM=",
+        "narHash": "sha256-tsZO/C4md/8qRfxIsvVgeMkB0iAEl4IJC5/i8t/li2I=",
        "path": "../systems/monitoring-1",
        "type": "path"
      },
@@ -3954,7 +3954,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-6hR+IuCejk0AIiwggSgrvCQXiRzbF5IiMFr3YqbBwZI=",
+        "narHash": "sha256-UrrTxZeyqV2cFsC3XKVrJoay7LdnE6OTZnBJfimPle4=",
        "path": "../systems/quatresaisons",
        "type": "path"
      },
@@ -7541,7 +7541,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -8412,7 +8412,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "./private/monitoring",
        "type": "path"
      },
diff --git a/flake.lock b/flake.lock
index 6cc709e..e6b10be 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2664,7 +2664,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-nTSS6oSOmi4T40fXl2o8wfw1/6o2/PP4f8rHtVTGw2s=",
+        "narHash": "sha256-s6HoAgXQrELPNK0BwuMRmJiuAmNN8VvNhhS0K9hYmh4=",
        "path": "./flakes",
        "type": "path"
      },
@@ -2910,7 +2910,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -2928,7 +2928,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -2946,7 +2946,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -2964,7 +2964,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -3848,7 +3848,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-yqURiQf32DNTy5zfAIatoWwFTqvsGDQd+221BoSfsCY=",
+        "narHash": "sha256-KR4/Na/SqEfg9PNnBLk17lTn4LUU7irZGrgvw7TEUYQ=",
        "path": "../systems/backup-2",
        "type": "path"
      },
@@ -3871,7 +3871,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-2Q1QywPMmeYtlrSNE869LwUJQjtbRUXbDhNFT4WBRJE=",
+        "narHash": "sha256-7B/UHUhGyJRBRjEms+zI8ZhBAN1vE365GZw2ciJVg1M=",
        "path": "../systems/dilion",
        "type": "path"
      },
@@ -3919,7 +3919,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=",
+        "narHash": "sha256-q1+zzXLioBDjua4Omke9ki0hUaW2rtqTMRUXZ/+uHwU=",
        "path": "../systems/eldiron",
        "type": "path"
      },
@@ -3945,7 +3945,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-Ejc4fEaRV8u1yWV+u4z6F2SAGDBYEubbgRoG7tE3ctM=",
+        "narHash": "sha256-tsZO/C4md/8qRfxIsvVgeMkB0iAEl4IJC5/i8t/li2I=",
        "path": "../systems/monitoring-1",
        "type": "path"
      },
@@ -3970,7 +3970,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-6hR+IuCejk0AIiwggSgrvCQXiRzbF5IiMFr3YqbBwZI=",
+        "narHash": "sha256-UrrTxZeyqV2cFsC3XKVrJoay7LdnE6OTZnBJfimPle4=",
        "path": "../systems/quatresaisons",
        "type": "path"
      },
@@ -7557,7 +7557,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -8428,7 +8428,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "./private/monitoring",
        "type": "path"
      },
diff --git a/flakes/flake.lock b/flakes/flake.lock
index 751316c..090ef48 100644
--- a/flakes/flake.lock
+++ b/flakes/flake.lock
@@ -2815,7 +2815,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -2833,7 +2833,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -2851,7 +2851,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -2869,7 +2869,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -3753,7 +3753,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-yqURiQf32DNTy5zfAIatoWwFTqvsGDQd+221BoSfsCY=",
+        "narHash": "sha256-KR4/Na/SqEfg9PNnBLk17lTn4LUU7irZGrgvw7TEUYQ=",
        "path": "../systems/backup-2",
        "type": "path"
      },
@@ -3776,7 +3776,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-2Q1QywPMmeYtlrSNE869LwUJQjtbRUXbDhNFT4WBRJE=",
+        "narHash": "sha256-7B/UHUhGyJRBRjEms+zI8ZhBAN1vE365GZw2ciJVg1M=",
        "path": "../systems/dilion",
        "type": "path"
      },
@@ -3824,7 +3824,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=",
+        "narHash": "sha256-q1+zzXLioBDjua4Omke9ki0hUaW2rtqTMRUXZ/+uHwU=",
        "path": "../systems/eldiron",
        "type": "path"
      },
@@ -3850,7 +3850,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-Ejc4fEaRV8u1yWV+u4z6F2SAGDBYEubbgRoG7tE3ctM=",
+        "narHash": "sha256-tsZO/C4md/8qRfxIsvVgeMkB0iAEl4IJC5/i8t/li2I=",
        "path": "../systems/monitoring-1",
        "type": "path"
      },
@@ -3875,7 +3875,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-6hR+IuCejk0AIiwggSgrvCQXiRzbF5IiMFr3YqbBwZI=",
+        "narHash": "sha256-UrrTxZeyqV2cFsC3XKVrJoay7LdnE6OTZnBJfimPle4=",
        "path": "../systems/quatresaisons",
        "type": "path"
      },
@@ -7384,7 +7384,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -8294,7 +8294,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "./private/monitoring",
        "type": "path"
      },
diff --git a/flakes/private/monitoring/myplugins.nix b/flakes/private/monitoring/myplugins.nix
index 35730bb..f76f2c1 100644
--- a/flakes/private/monitoring/myplugins.nix
+++ b/flakes/private/monitoring/myplugins.nix
@@ -69,8 +69,31 @@ in
  dns = {
    commands = {
      check_dns = "$USER1$/check_dns -H $ARG1$ -s $HOSTADDRESS$ $ARG2$";
+      check_dns_soa = "$USER2$/check_dns_soa -H $ARG1$ -z $ARG2$ -M $ARG3$";
+      check_dnssec = "$USER2$/check_dnssec -z $ARG1$";
      check_external_dns = "$USER1$/check_dns -H $ARG2$ -s $ARG1$ $ARG3$";
    };
+    chunk = let
+      soa_plugin = pkgs.fetchurl {
+        name = "check_dns_soa";
+        url = "https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=1429&cf_id=24";
+        sha256 = "sha256-Yy4XO19Fb7WdHZZmhUfyyAGBnxJyFWwc7U3HiWyE8wc=";
+      };
+    in ''
+      cp ${./plugins}/check_dnssec $out/
+      patchShebangs $out/check_dnssec
+      wrapProgram $out/check_dnssec --prefix PATH : ${lib.makeBinPath [
+        pkgs.bind.dnsutils pkgs.gnugrep pkgs.gawk pkgs.which pkgs.coreutils
+      ]}
+      cp ${soa_plugin} $out/check_dns_soa
+      chmod +xw $out/check_dns_soa
+      patchShebangs $out/check_dns_soa
+      sed -i -e 's/^use utils qw.*$/my %ERRORS = ("OK" => 0, "WARNING" => 1, "CRITICAL" => 2, "UNKNOWN" => 3);my $TIMEOUT = 10;/' -e '/^use lib /d' $out/check_dns_soa
+      wrapProgram $out/check_dns_soa --prefix PERL5LIB : ${pkgs.perlPackages.makePerlPath [
+        pkgs.perlPackages.NetDNS
+      ]}
+    '';
  };
  mdadm = {
    commands = {
diff --git a/flakes/private/monitoring/plugins/check_dnssec b/flakes/private/monitoring/plugins/check_dnssec
new file mode 100755
index 0000000..a6e408d
--- /dev/null
+++ b/flakes/private/monitoring/plugins/check_dnssec
@@ -0,0 +1,195 @@
+#!/usr/bin/env bash
+# check_dnssec_expiry.sh
+#
+# Copyright 2017 by Mario Rimann <mario@rimann.org>
+# Licensed under the permissive MIT license, see LICENSE.md
+#
+# Development of this script was partially sponsored by my
+# employer internezzo, see http://www.internezzo.ch
+#
+# If this script helps you to make your work easier, please consider
+# to give feedback or do something good, see https://rimann.org/support
+usage() {
+        cat - >&2 << _EOT_
+usage $0 -z <zone> [-w <warning %>] [-c <critical %>] [-r <resolver>] [-f <always failing domain>]
+        -z <zone>
+                specify zone to check
+        -w <critical %>
+                warning time left percentage
+        -c <critical %>
+                critical time left percentage
+        -r <resolver>
+                specify which resolver to use.
+        -f <always failing domain>
+                specify a domain that will always fail DNSSEC.
+                used to test if DNSSEC is supported in used tools.
+        -t <DNS record type to check>
+                specify a DNS record type for calculating the remaining lifetime.
+                For example SOA, A, etc.
+_EOT_
+        exit 255
+}
+# Parse the input options
+while getopts ":z:w:c:r:f:h:t:" opt; do
+  case $opt in
+    z)
+      zone=$OPTARG
+      ;;
+    w)
+      warning=$OPTARG
+      ;;
+    c)
+      critical=$OPTARG
+      ;;
+    r)
+      resolver=$OPTARG
+      ;;
+    f)
+      alwaysFailingDomain=$OPTARG
+      ;;
+    t)
+      recordType=$OPTARG
+      ;;
+    h)
+      usage ;;
+  esac
+done
+# Check if dig is available at all - fail hard if not
+pathToDig=$( which dig )
+if [[ ! -e $pathToDig ]]; then
+        echo "No executable of dig found, cannot proceed without dig. Sorry!"
+        exit 1
+fi
+# Check if we got a zone to validate - fail hard if not
+if [[ -z $zone ]]; then
+        echo "Missing zone to test - please provide a zone via the -z parameter."
+        usage
+        exit 3
+fi
+# Check if we got warning/critical percentage values, use defaults if not
+if [[ -z $warning ]]; then
+        warning=20
+fi
+if [[ -z $critical ]]; then
+        critical=10
+fi
+# Use Google's 8.8.8.8 resolver as fallback if none is provided
+if [[ -z $resolver ]]; then
+        resolver="8.8.8.8"
+fi
+if [[ -z $alwaysFailingDomain ]]; then
+        alwaysFailingDomain="dnssec-failed.org"
+fi
+# Use SOA record type as fallback
+if [[ -z $recordType ]]; then
+        recordType="SOA"
+fi
+# Check the resolver to properly validate DNSSEC at all (if he doesn't, every further test is futile and a waste of bandwith)
+checkResolverDoesDnssecValidation=$(dig +nocmd +nostats +noquestion $alwaysFailingDomain @${resolver} | grep "opcode: QUERY" | grep "status: SERVFAIL")
+if [[ -z $checkResolverDoesDnssecValidation ]]; then
+        echo "WARNING: Resolver seems to not validate DNSSEC signatures - going further seems hopeless right now."
+        exit 1
+fi
+# Check if the resolver delivers an answer for the domain to test
+checkDomainResolvableWithDnssecEnabledResolver=$(dig +short @${resolver} SOA $zone)
+if [[ -z $checkDomainResolvableWithDnssecEnabledResolver ]]; then
+        checkDomainResolvableWithDnssecValidationExplicitelyDisabled=$(dig +short @${resolver} SOA $zone +cd)
+        if [[ ! -z $checkDomainResolvableWithDnssecValidationExplicitelyDisabled ]]; then
+                echo "CRITICAL: The domain $zone can be validated without DNSSEC validation - but will fail on resolvers that do validate DNSSEC."
+                exit 2
+        else
+                echo "CRITICAL: The domain $zone cannot be resolved via $resolver as resolver while DNSSEC validation is active."
+                exit 2
+        fi
+fi
+# Check if the domain is DNSSEC signed at all
+# (and emerge a WARNING in that case, since this check is about testing DNSSEC being "present" and valid which is not the case for an unsigned zone)
+checkZoneItselfIsSignedAtAll=$( dig $zone @$resolver DS +short )
+if [[ -z $checkZoneItselfIsSignedAtAll ]]; then
+        echo "WARNING: Zone $zone seems to be unsigned itself (= resolvable, but no DNSSEC involved at all)"
+        exit 1
+fi
+# Check if there are multiple RRSIG responses and check them one after the other
+now=$(date +"%s")
+rrsigEntries=$( dig @$resolver $recordType $zone +dnssec | grep RRSIG )
+if [[ -z $rrsigEntries ]]; then
+        echo "CRITICAL: There is no RRSIG for the SOA of your zone."
+        exit 2
+else
+        while read -r rrsig; do
+                # Get the RRSIG entry and extract the date out of it
+                expiryDateOfSignature=$( echo $rrsig | awk '{print $9}')
+                checkValidityOfExpirationTimestamp=$( echo $expiryDateOfSignature | egrep '[0-9]{14}')
+                if [[ -z $checkValidityOfExpirationTimestamp ]]; then
+                        echo "UNKNOWN: Something went wrong while checking the expiration of the RRSIG entry - investigate please".
+                        exit 3
+                fi
+                inceptionDateOfSignature=$( echo $rrsig | awk '{print $10}')
+                checkValidityOfInceptionTimestamp=$( echo $inceptionDateOfSignature | egrep '[0-9]{14}')
+                if [[ -z $checkValidityOfInceptionTimestamp ]]; then
+                        echo "UNKNOWN: Something went wrong while checking the inception date of the RRSIG entry - investigate please".
+                        exit 3
+                fi
+                # Fiddle out the expiry and inceptiondate of the signature to have a base to do some calculations afterwards
+                expiryDateAsString="${expiryDateOfSignature:0:4}-${expiryDateOfSignature:4:2}-${expiryDateOfSignature:6:2} ${expiryDateOfSignature:8:2}:${expiryDateOfSignature:10:2}:00"
+                expiryDateOfSignatureAsUnixTime=$( date -u -d "$expiryDateAsString" +"%s" 2>/dev/null )
+                if [[ $? -ne 0 ]]; then
+                        # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
+                        expiryDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$expiryDateAsString" +"%s" )
+                fi
+                inceptionDateAsString="${inceptionDateOfSignature:0:4}-${inceptionDateOfSignature:4:2}-${inceptionDateOfSignature:6:2} ${inceptionDateOfSignature:8:2}:${inceptionDateOfSignature:10:2}:00"
+                inceptionDateOfSignatureAsUnixTime=$( date -u -d "$inceptionDateAsString" +"%s" 2>/dev/null )
+                if [[ $? -ne 0 ]]; then
+                        # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
+                        inceptionDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$inceptionDateAsString" +"%s" )
+                fi
+                # calculate the remaining lifetime of the signature
+                totalLifetime=$( expr $expiryDateOfSignatureAsUnixTime - $inceptionDateOfSignatureAsUnixTime)
+                remainingLifetimeOfSignature=$( expr $expiryDateOfSignatureAsUnixTime - $now)
+                remainingPercentage=$( expr "100" \* $remainingLifetimeOfSignature / $totalLifetime)
+                # store the result of this single RRSIG's check
+                if [[ -z $maxRemainingLifetime || $remainingLifetimeOfSignature -gt $maxRemainingLifetime ]]; then
+                        maxRemainingLifetime=$remainingLifetimeOfSignature
+                        maxRemainingPercentage=$remainingPercentage
+                fi
+        done <<< "$rrsigEntries"
+fi
+# determine if we need to alert, and if so, how loud to cry, depending on warning/critial threshholds provided
+if [[ $maxRemainingPercentage -lt $critical ]]; then
+        echo "CRITICAL: DNSSEC signature for $zone is very short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime  sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+        exit 2
+elif [[ $remainingPercentage -lt $warning ]]; then
+        echo "WARNING: DNSSEC signature for $zone is short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime  sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+        exit 1
+else
+        echo "OK: DNSSEC signatures for $zone seem to be valid and not expired ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime  sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+        exit 0
+fi
diff --git a/systems/backup-2/flake.lock b/systems/backup-2/flake.lock
index 919a027..3ca1baf 100644
--- a/systems/backup-2/flake.lock
+++ b/systems/backup-2/flake.lock
@@ -389,7 +389,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
diff --git a/systems/dilion/flake.lock b/systems/dilion/flake.lock
index b6aef70..bd3cdd9 100644
--- a/systems/dilion/flake.lock
+++ b/systems/dilion/flake.lock
@@ -207,7 +207,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
diff --git a/systems/eldiron/dns.nix b/systems/eldiron/dns.nix
index 486fcc1..7645b69 100644
--- a/systems/eldiron/dns.nix
+++ b/systems/eldiron/dns.nix
@@ -1,4 +1,18 @@
 { lib, pkgs, config, dns-nix, ... }:
+let
+  zonesWithDNSSec = lib.filterAttrs (k: v: v.dnssec.enable) config.myServices.dns.zones;
+  zoneToFile = name: v: pkgs.runCommand "${name}.zone" {
+    text = v;
+    passAsFile = [ "text" ];
+    # Automatically change the increment when relevant change
+    # happened (both serial and mta-sts)
+  } ''
+    mv "$textPath" $out
+    increment=$(( 100*($(date -u +%-H) * 60 + $(date -u +%-M))/1440 ))
+    sed -i -e "s/2022121902/$(date -u +%Y%m%d)$increment/g" $out
+    sed -i -e "s/20200109150200Z/$(date -u +%Y%m%d%H%M%SZ)/g" $out
+  '';
+in
 {
  options.myServices.dns = {
    enable = lib.mkEnableOption "enable DNS resolver";
@@ -11,7 +25,10 @@
        servers = config.myEnv.servers;
        ips = i: { A = i.ip4; AAAA = i.ip6; };
        letsencrypt = [ { tag = "issue"; value = "letsencrypt.org"; issuerCritical = false; } ];
-        toKV = a: builtins.concatStringsSep ";" (builtins.attrValues (builtins.mapAttrs (n: v: "${n}=${v}") a));
+        toKV = a: let
+          removeOrder = n: lib.last (builtins.split "__" n);
+        in
+          builtins.concatStringsSep ";" (builtins.attrValues (builtins.mapAttrs (n: v: "${removeOrder n}=${v}") a));
        mailMX = {
          hasEmail = true;
          subdomains = let
@@ -24,10 +41,10 @@
          SOA = {
            # yyyymmdd?? (increment ?? at each change)
            serial = 2022121902; # Don't change this value, it is replaced automatically!
-            refresh = 10800;
+            refresh = 3*60*60;
-            retry = 3600;
+            retry = 60*60;
-            expire = 604800;
+            expire = 14*24*60*60;
-            minimum = 10800; # negative cache ttl
+            minimum = 3*60*60; # negative cache ttl
            adminEmail = "hostmaster@immae.eu"; #email-address s/@/./
            nameServer = "ns1.immae.eu.";
          };
@@ -42,7 +59,7 @@
            (toKV config.myEnv.mail.dkim.immae_eu.public)
          ];
        };
-        mailCommon = name: {
+        mailCommon = name: quarantine: {
          MX = let
            mxes = lib.filterAttrs (n: v: v ? mx && v.mx.enable) servers;
          in
@@ -65,16 +82,17 @@
            # MTA-STS
            # https://blog.delouw.ch/2018/12/16/using-mta-sts-to-enhance-email-transport-security-and-privacy/
            # https://support.google.com/a/answer/9261504
-            _mta-sts.TXT = [ (toKV { v = "STSv1"; id = "20200109150200Z"; }) ]; # Don't change this value, it is updated automatically!
+            _mta-sts.TXT = [ (toKV { _00__v = "STSv1"; id = "20200109150200Z"; }) ]; # Don't change this value, it is updated automatically!
-            _tls.subdomains._smtp.TXT = [ (toKV { v = "TLSRPTv1"; "rua" = "mailto:postmaster+mta-sts@immae.eu"; }) ];
+            _tls.subdomains._smtp.TXT = [ (toKV { _00__v = "TLSRPTv1"; rua = "mailto:postmaster+mta-sts@immae.eu"; }) ];
            mta-sts = ips servers.eldiron.ips.main;
            # DMARC
-            _dmarc.TXT = [ (toKV { v = "DMARC1"; p = "none"; adkim = "r"; aspf = "r"; fo = "1"; rua = "mailto:postmaster+rua@immae.eu"; ruf = "mailto:postmaster+ruf@immae.eu"; }) ];
+            # p needs to be the first tag
+            _dmarc.TXT = [ (toKV { _00__v = "DMARC1"; _01__p = if quarantine then "quarantine" else "none"; adkim = "s"; aspf = "s"; fo = "1"; rua = "mailto:postmaster+rua@immae.eu"; ruf = "mailto:postmaster+ruf@immae.eu"; }) ];
          };
          # SPF
-          TXT = [ (toKV { v = "spf1 mx ~all"; }) ];
+          TXT = [ (toKV { _00__v = "spf1 mx ~all"; }) ];
        };
      };
    };
@@ -83,6 +101,14 @@
        dns-nix.lib.types.zone.getSubModules ++ [
          ({ name, ... }: {
            options = {
+              dnssec = lib.mkOption {
+                default.enable = false;
+                type = lib.types.submodule {
+                  options = {
+                    enable = lib.mkEnableOption "Configure dnssec for this domain";
+                  };
+                };
+              };
              hasEmail = lib.mkEnableOption "This domain has e-mails configuration";
              emailPolicies = lib.mkOption {
                default = {};
@@ -154,12 +180,18 @@
        zoneHeader
        (ips servers.eldiron.ips.main)
        {
-          ns = [ "immae" ];
+          dnssec.enable = true;
+          ns = [ "immae" "raito" ];
          CAA = letsencrypt;
+          extraConfig = ''
+            notify yes;
+          '';
+          slaves = [ "raito" ];
        }
      ];
      "immae.dev" = lib.mkMerge [
        {
+          dnssec.enable = true;
          extraConfig = ''
            notify yes;
          '';
@@ -174,6 +206,7 @@
      ];
      "immae.eu" = lib.mkMerge [
        {
+          dnssec.enable = true;
          extraConfig = ''
            notify yes;
          '';
@@ -182,7 +215,10 @@
        zoneHeader
        (ips servers.eldiron.ips.production)
        {
-          ns = [ "immae" "raito" ];
+          ns = [ "immae" ];
+          # Cannot put ns2.immae.eu as glue record as it takes ages to propagate.
+          # And gandi only accepts NS records with glues in their interface
+          NS = [ "kurisu.dual.lahfa.xyz." ];
          CAA = letsencrypt;
          # ns1 has glue records in gandi.net
@@ -194,9 +230,9 @@
        {
          # Machines local users
          emailPolicies.localhost.receive = false;
-          subdomains.localhost = lib.mkMerge [ (mailCommon "immae.eu") mailSend ];
+          subdomains.localhost = lib.mkMerge [ (mailCommon "immae.eu" true) mailSend ];
          emailPolicies.eldiron.receive = true;
-          subdomains.eldiron = lib.mkMerge [ (mailCommon "immae.eu") mailSend ];
+          subdomains.eldiron = lib.mkMerge [ (mailCommon "immae.eu" true) mailSend ];
        }
        {
          # For each server "server" and each server ip group "ipgroup",
@@ -248,23 +284,24 @@
      zones =
        builtins.mapAttrs (name: v: {
          master = true;
-          extraConfig = v.extraConfig;
+          extraConfig = v.extraConfig + lib.optionalString v.dnssec.enable ''
+            key-directory "/var/lib/named/dnssec_keys";
+            dnssec-policy default;
+            inline-signing yes;
+          '';
          masters = [];
          slaves =
            lib.flatten (map (n: builtins.attrValues config.myEnv.dns.ns.${n}) v.slaves);
-          file = pkgs.runCommand "${name}.zone" {
+          file = if v.dnssec.enable then "/var/run/named/dnssec-${name}.zone" else zoneToFile name v;
-            text = v;
-            passAsFile = [ "text" ];
-            # Automatically change the increment when relevant change
-            # happened (both serial and mta-sts)
-          } ''
-            mv "$textPath" $out
-            increment=$(( 100*($(date -u +%-H) * 60 + $(date -u +%-M))/1440 ))
-            sed -i -e "s/2022121902/$(date -u +%Y%m%d)$increment/g" $out
-            sed -i -e "s/20200109150200Z/$(date -u +%Y%m%d%H%M%SZ)/g" $out
-          '';
        }) config.myServices.dns.zones;
    };
+    systemd.services.bind.serviceConfig.StateDirectory = "named";
+    systemd.services.bind.preStart = lib.mkAfter
+      (builtins.concatStringsSep "\n" (lib.mapAttrsToList (name: v: ''
+        install -m444 ${zoneToFile name v} /var/run/named/dnssec-${name}.zone
+      '') zonesWithDNSSec) + ''
+        install -dm755 -o named /var/lib/named/dnssec_keys
+      '');
    myServices.monitoring.fromMasterActivatedPlugins = [ "dns" ];
    myServices.monitoring.fromMasterObjects.service = lib.mkMerge (lib.mapAttrsToList (name: z:
      lib.optional (builtins.elem "immae" z.ns) {
@@ -276,14 +313,34 @@
        servicegroups = "webstatus-dns";
        _webstatus_name = name;
      } ++
-      lib.optional (builtins.elem "raito" z.ns) {
+      lib.optionals (builtins.elem "raito" z.ns) [
-        service_description = "raito dns is active and authoritative for ${name}";
+        {
+          service_description = "raito dns is active and authoritative for ${name}";
+          host_name = config.hostEnv.fqdn;
+          use = "dns-service";
+          check_command = ["check_external_dns" "kurisu.dual.lahfa.xyz" name "-A"];
+          servicegroups = "webstatus-dns";
+          _webstatus_name = "${name} (Secondary DNS Raito)";
+        }
+        {
+          service_description = "raito dns is up to date for ${name}";
+          host_name = config.hostEnv.fqdn;
+          use = "dns-service";
+          check_command = ["check_dns_soa" "kurisu.dual.lahfa.xyz" name config.hostEnv.fqdn];
+          servicegroups = "webstatus-dns";
+          _webstatus_name = "${name} (Secondary DNS Raito up to date)";
+        }
+      ] ++
+      lib.optional z.dnssec.enable {
+        service_description = "DNSSEC is active and not expired for ${name}";
        host_name = config.hostEnv.fqdn;
        use = "dns-service";
-        check_command = ["check_external_dns" "kurisu.dual.lahfa.xyz" name "-A"];
+        check_command = ["check_dnssec" name];
        servicegroups = "webstatus-dns";
-        _webstatus_name = "${name} (Secondary DNS Raito)";
+        _webstatus_name = "${name} (DNSSEC)";
      }
    ) config.myServices.dns.zones);
  };
diff --git a/systems/eldiron/ejabberd/default.nix b/systems/eldiron/ejabberd/default.nix
index 5268516..463d255 100644
--- a/systems/eldiron/ejabberd/default.nix
+++ b/systems/eldiron/ejabberd/default.nix
@@ -25,7 +25,7 @@ in
        }
        zoneHeader
        mailMX
-        (mailCommon "immae.fr")
+        (mailCommon "immae.fr" true)
        (ips servers.eldiron.ips.main)
        {
          ns = [ "immae" "raito" ];
diff --git a/systems/eldiron/flake.lock b/systems/eldiron/flake.lock
index c52dd61..5a60dab 100644
--- a/systems/eldiron/flake.lock
+++ b/systems/eldiron/flake.lock
@@ -2038,7 +2038,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
diff --git a/systems/eldiron/mail/postfix.nix b/systems/eldiron/mail/postfix.nix
index f95ee1b..93d1e1e 100644
--- a/systems/eldiron/mail/postfix.nix
+++ b/systems/eldiron/mail/postfix.nix
@@ -12,7 +12,7 @@ in
  config = lib.mkIf config.myServices.mail.enable {
    myServices.dns.zones."immae.eu" = with config.myServices.dns.helpers; lib.mkMerge [
      mailMX
-      (mailCommon "immae.eu")
+      (mailCommon "immae.eu" true)
      mailSend
      {
        # Virtual forwards and mailboxes for real users
@@ -22,7 +22,7 @@ in
        # system virtual mailboxes:
        #     devnull, printer, testconnect
        emailPolicies."".receive = true;
-        subdomains.mail = lib.mkMerge [ (mailCommon "immae.eu") mailSend ];
+        subdomains.mail = lib.mkMerge [ (mailCommon "immae.eu" true) mailSend ];
        subdomains.smtp = ips servers.eldiron.ips.main;
        # DMARC reports
diff --git a/systems/eldiron/mail/sympa.nix b/systems/eldiron/mail/sympa.nix
index 8e801dd..07175e8 100644
--- a/systems/eldiron/mail/sympa.nix
+++ b/systems/eldiron/mail/sympa.nix
@@ -9,7 +9,7 @@ in
    myServices.dns.zones."immae.eu".subdomains.lists =
      with config.myServices.dns.helpers; lib.mkMerge [
        (ips servers.eldiron.ips.main)
-        (mailCommon "immae.eu")
+        (mailCommon "immae.eu" false)
        mailSend
      ];
diff --git a/systems/eldiron/websites/tools/default.nix b/systems/eldiron/websites/tools/default.nix
index 397b644..338ed0b 100644
--- a/systems/eldiron/websites/tools/default.nix
+++ b/systems/eldiron/websites/tools/default.nix
@@ -91,7 +91,7 @@ in {
      {
        outils = ips servers.eldiron.ips.main;
        tools  = lib.mkMerge [
-          (mailCommon "immae.eu")
+          (mailCommon "immae.eu" true)
          mailSend
          (ips servers.eldiron.ips.main)
        ];
diff --git a/systems/monitoring-1/flake.lock b/systems/monitoring-1/flake.lock
index 6758db3..ec29221 100644
--- a/systems/monitoring-1/flake.lock
+++ b/systems/monitoring-1/flake.lock
@@ -277,7 +277,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
diff --git a/systems/quatresaisons/flake.lock b/systems/quatresaisons/flake.lock
index 653ce9c..e23bbde 100644
--- a/systems/quatresaisons/flake.lock
+++ b/systems/quatresaisons/flake.lock
@@ -239,7 +239,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2023-10-10 10:44:24 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2023-10-12 00:24:46 +0200
commit	97787a9dd8b136c8dc327fab42aedf2aa1109ec0 (patch)
tree	4b7ea0d889a4c2c27bfec351693995f1fcba2bbb
parent	450e0db1a1ad900f93519c00f0ef132ec42a3728 (diff)
download	Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.gz Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.zst Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.zip