Add ns1 key

Add ns1 and ns2
2024-03-13 23:24:19 +01:00 · 2024-03-13 23:22:10 +01:00
10 changed files with 224 additions and 19 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,5 +1,6 @@
 keys:
  - &admin_torjus age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
+  - &server_ns1 age1hz2lz4k050ru3shrk5j3zk3f8azxmrp54pktw5a7nzjml4saudesx6jsl0
  - &server_ns3 age1snmhmpavqy7xddmw4nuny0u4xusqmnqxqarjmghkm5zaluff84eq5xatrd
  - &server_ns4 age12a3nyvjs8jrwmpkf3tgawel3nwcklwsr35ktmytnvhpawqwzrsfqpgcy0q
 creation_rules:
@ -7,6 +8,7 @@ creation_rules:
    key_groups:
      - age:
        - *admin_torjus
+        - *server_ns1
        - *server_ns3
        - *server_ns4
  - path_regex: secrets/ns3/[^/]+\.(yaml|json|env|ini)
--- a/hosts/ns1/configuration.nix
+++ b/hosts/ns1/configuration.nix
@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [
+      ../template/hardware-configuration.nix
+
+      ../../system
+      ../../services/ns/master-authorative.nix
+      ../../services/ns/resolver.nix
+    ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  networking.hostName = "ns1";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = false;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.5/24"
+    ];
+    routes = [
+      { routeConfig.Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}
+
--- a/hosts/ns1/default.nix
+++ b/hosts/ns1/default.nix
@ -0,0 +1,5 @@
+{ ... }: {
+  imports = [
+    ./configuration.nix
+  ];
+}
--- a/hosts/ns1/hardware-configuration.nix
+++ b/hosts/ns1/hardware-configuration.nix
@ -0,0 +1,36 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  # boot.kernelModules = [ ];
+  # boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/6889aba9-61ed-4687-ab10-e5cf4017ac8d";
+      fsType = "xfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/BC07-3B7A";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/64e5757b-6625-4dd2-aa2a-66ca93444d23"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/hosts/ns2/configuration.nix
+++ b/hosts/ns2/configuration.nix
@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [
+      ../template/hardware-configuration.nix
+
+      ../../system
+      ../../services/ns/secondary-authorative.nix
+      ../../services/ns/resolver.nix
+    ];
+
+  nixpkgs.config.allowUnfree = true;
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  networking.hostName = "ns2";
+  networking.domain = "home.2rjus.net";
+  networking.useNetworkd = true;
+  networking.useDHCP = false;
+  services.resolved.enable = false;
+  networking.nameservers = [
+    "10.69.13.5"
+    "10.69.13.6"
+  ];
+
+  systemd.network.enable = true;
+  systemd.network.networks."ens18" = {
+    matchConfig.Name = "ens18";
+    address = [
+      "10.69.13.6/24"
+    ];
+    routes = [
+      { routeConfig.Gateway = "10.69.13.1"; }
+    ];
+    linkConfig.RequiredForOnline = "routable";
+  };
+  time.timeZone = "Europe/Oslo";
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    git
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}
+
--- a/hosts/ns2/default.nix
+++ b/hosts/ns2/default.nix
@ -0,0 +1,5 @@
+{ ... }: {
+  imports = [
+    ./configuration.nix
+  ];
+}
--- a/hosts/ns2/hardware-configuration.nix
+++ b/hosts/ns2/hardware-configuration.nix
@ -0,0 +1,36 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  # boot.kernelModules = [ ];
+  # boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/6889aba9-61ed-4687-ab10-e5cf4017ac8d";
+      fsType = "xfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/BC07-3B7A";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/64e5757b-6625-4dd2-aa2a-66ca93444d23"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -9,29 +9,38 @@ sops:
        - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNTg4bjgwNUhWUDUwUCti
-            WEEyQit1bkJXU0pFSFZnVnJoZjBqZlZURWxJCnRDTHppMDZhcitDZnEyeG4vNVND
-            d2pxTXY0TXozRm0wY2JKc1ZxVnVMMXMKLS0tIDJ6ZjhjdDhsRXZ2aGVXT2piaDVa
-            VnN2b3R1YlpGQ3BRRXhYbGRtalN3YmsKNQoLS9Ay2RhC6PduwOfZN0oc16C/zxzI
-            d/Xhd+UGtCqexd+IpPT1PAHRYrN2pDVCx7cF+HPBs2HfSV5S91uJWA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRm9md0ljQnliWURlc0Vs
+            UjgzeHc4eUMxWElnajlDNDU2cE5iY1dmc1dnClZQdklpcDVLTVNWMnhycEt2RWNV
+            Ni94VmpsTGR0TlpMRXpKRFRJZVFRUjgKLS0tIFl0c21Cc21PN1lBRWhRU09kQ25x
+            SWZEL0FKZndZK2VtbklEQi9DU3E3MVkKhK1Rn07gwLmML/0br5Lj9tVExtLoj0AW
+            n+ZSSVME69jvN5mV85Pg0ma2IRq0aXmk8mgumqp3bLSVIHH70jux3Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hz2lz4k050ru3shrk5j3zk3f8azxmrp54pktw5a7nzjml4saudesx6jsl0
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArN21uUW9Mam12QlZRMnBM
+            VWhJOUhURFV3dm9iRlNybm94SGd0blFQQmg4CktieCtid1c4S2RKTnBoMmtzNHBI
+            aUora1lERWJaYWtyUW1hOWFvNjNmUmsKLS0tIFFEWTJ2Ri92LzFTNVZxbnRqVWZB
+            VTVhYzI0ZCtSSnhmK28xeGw0WTJIejAKGccsszcGGF2TukY5vVwFknkUNNoApLJx
+            uKr6SfEThXyBXw19fiWRn4v+8HMMtEMFL4K/J7RfUjHGl7RCAGtWLA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1snmhmpavqy7xddmw4nuny0u4xusqmnqxqarjmghkm5zaluff84eq5xatrd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1WHFkd2ZHT1VGbm5xb0FS
-            R25EeEFocjJrMDhpbHBTQ0JTMlZqUzNOS2lFCnkzWGovSWkrTDFGZlpod2syRExW
-            SXZHaVUvT2tPa1lTckRFdGtNRGlUNEUKLS0tIEVHNnBpN0Y2bE9ROW95L2RpK2p4
-            ejlkZDZQaUVJRTM2OElrdFJXaHpybHcKY3ldigrrcM5HQ3higsJ0CGTKhgILm20P
-            N7MbFw+y97PoWkkq8kd+0rbMxbY1qOIK4w4QFlLLqzTsCZCmCipV/w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweFp5MVlnTlFKRGZOQlFt
+            bklFamdSaGFqMlBRUXFVaHZ3eW11Tzc1TlhVCkFSSmNUTk5RaVV0SkVYeDQ0OVFi
+            MHpFWFluUll1cWkzYVIyRlQrc0MzbjAKLS0tIGNEM1ZrYVhwNXVrV0t4ZFNCeitx
+            QmUxQ1ZGbnFZcEwwN0lvazhWais2YXcKNPk7wAbiHSuHhPE0Mb1la75MSQEjm8Y9
+            3JvDaFBTS4IFJoJPRU+7GaHYm254xQXZhj6EabpQ454ZaxIZ4agYCw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age12a3nyvjs8jrwmpkf3tgawel3nwcklwsr35ktmytnvhpawqwzrsfqpgcy0q
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0ZkZmUHhwYWVSbHhaT2hS
-            NyszRmxCT2xPdSsyOTliLzZob0M1V1JxQWlNCm5lRTNBaGlTaWw5V1dTZmZoRC8w
-            aG9xOWpXeGFwUEF4ZUszbGlYN1VzWTgKLS0tIDYrWFFXd1VsdEVCRnZRQ3FSQytW
-            TnFJZ3V3ZmptbWNzRUNiOWwvTmhLcmMKJuq8OMuzSxEzanZ5jixsmWtdBXzaIMFf
-            2lcU2QdZahxkvIzqgkU+RIv7EcE1zrrmBPNDmCfEVAciUq/POHytSA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLbnRSOTRvaFRhOXY3U3pR
+            K1pDOEdWSWtzSXBDVVl2dEdRQ01hS2tiVEdJCkI4K3REWC9ZQnkrYk1kK1lvWk5K
+            QVAwNjF0Y2d1Vkg0WTBoT2xvRXo1M00KLS0tIEdHemw1UitTSG1OczdNaU9xd1ZF
+            VWJVcUh6VlFRdlIyMUw2dUVoc0drNTAKNm/IMK3ZwbpTCREYVpfak69WBxuFpNw8
+            5MsTtFMQzP6xTgBBXJ32yhMTg3uZYD9txmjWk9OBRA2CF1vU2H4OrQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-03-11T19:25:54Z"
    mac: ENC[AES256_GCM,data:GbbdzjkjicbNPoiKXpeAXzkrmQlgLUg90B0ynYfbB9JX0m4W7hfogVJ4Fcx5t+iUeG2LPkCxq7vYnD1+uFJkND1xF0rc9dGi43SBtz74giQTJck8/mK/iWyDdgDlWxtO78ghHMS5OxyapOvk+K2+Ga9zJ1f3S64lc2xqhyVSFfk=,iv:jRDgu1lSuFRv8VeVbiyx+DfywaLlZJ0Xla++M277SBg=,tag:aV757MJJUNg77//tON7h1A==,type:str]
--- a/services/ns/master-authorative.nix
+++ b/services/ns/master-authorative.nix
@ -24,8 +24,8 @@

    zones = {
      "home.2rjus.net" = {
-        provideXFR = [ "10.69.13.8 xferkey" ];
-        notify = [ "10.69.13.8@8053 xferkey" ];
+        provideXFR = [ "10.69.13.6 xferkey" ];
+        notify = [ "10.69.13.6@8053 xferkey" ];
        data = builtins.readFile ./zones-home-2rjus-net.conf;
      };
    };
--- a/services/ns/secondary-authorative.nix
+++ b/services/ns/secondary-authorative.nix
@ -22,8 +22,8 @@

    zones = {
      "home.2rjus.net" = {
-        allowNotify = [ "10.69.13.7 xferkey" ];
-        requestXFR = [ "AXFR 10.69.13.7@8053 xferkey" ];
+        allowNotify = [ "10.69.13.5 xferkey" ];
+        requestXFR = [ "AXFR 10.69.13.5@8053 xferkey" ];
        data = builtins.readFile ./zones-home-2rjus-net.conf;
      };
    };
Author	SHA1	Message	Date
Torjus Håkestad	50c1177f82	Add ns1 key	2024-03-13 23:24:19 +01:00
Torjus Håkestad	c042dcf8e0	Add ns1 and ns2	2024-03-13 23:22:10 +01:00