trying grafana1
This commit is contained in:
parent
6b795bd6f4
commit
98816538d2
5
data.nix
5
data.nix
|
|
@ -91,5 +91,10 @@ rec {
|
||||||
_acme-challenge.grafana 600 CNAME _acme-endpoint.grafana
|
_acme-challenge.grafana 600 CNAME _acme-endpoint.grafana
|
||||||
_acme-endpoint.grafana 600 NS ns._acme-endpoint.grafana
|
_acme-endpoint.grafana 600 NS ns._acme-endpoint.grafana
|
||||||
ns._acme-endpoint.grafana 600 A ${vno1}
|
ns._acme-endpoint.grafana 600 A ${vno1}
|
||||||
|
|
||||||
|
grafana1 600 A ${hosts."vno1-oh2.servers.jakst".jakstIP}
|
||||||
|
_acme-challenge.grafana1 600 CNAME _acme-endpoint.grafana1
|
||||||
|
_acme-endpoint.grafana1 600 NS ns._acme-endpoint.grafana1
|
||||||
|
ns._acme-endpoint.grafana1 600 A ${vno1}
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -72,7 +72,7 @@
|
||||||
|
|
||||||
nsd-acme = {
|
nsd-acme = {
|
||||||
enable = true;
|
enable = true;
|
||||||
zones."grafana.jakstys.lt" = {
|
zones."grafana1.jakstys.lt" = {
|
||||||
accountKey = config.age.secrets.letsencrypt-account-key.path;
|
accountKey = config.age.secrets.letsencrypt-account-key.path;
|
||||||
staging = true;
|
staging = true;
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -7,22 +7,14 @@
|
||||||
mkHook = zone: let
|
mkHook = zone: let
|
||||||
rc = config.services.nsd.remoteControl;
|
rc = config.services.nsd.remoteControl;
|
||||||
fullZone = "_acme-endpoint.${zone}";
|
fullZone = "_acme-endpoint.${zone}";
|
||||||
nsdconf = ''"$RUNTIME_DIRECTORY"/nsd.conf'';
|
|
||||||
in
|
in
|
||||||
pkgs.writeShellScript "nsd-acme-hook" ''
|
pkgs.writeShellScript "nsd-acme-hook" ''
|
||||||
set -euo pipefail
|
set -xeuo pipefail
|
||||||
METHOD=$1
|
METHOD=$1
|
||||||
TYPE=$2
|
TYPE=$2
|
||||||
AUTH=$5
|
AUTH=$5
|
||||||
NOW=$(date +%y%m%d%H%M)
|
NOW=$(date +%y%m%d%H%M)
|
||||||
DIR="/var/lib/nsd/zones"
|
DIR="/var/lib/nsd/acmezones"
|
||||||
|
|
||||||
sed \
|
|
||||||
-e "s~${rc.controlKeyFile}~$CREDENTIALS_DIRECTORY/nsd_control.key~" \
|
|
||||||
-e "s~${rc.controlCertFile}~$CREDENTIALS_DIRECTORY/nsd_control.pem~" \
|
|
||||||
-e "s~${rc.serverKeyFile}~$CREDENTIALS_DIRECTORY/nsd_server.key~" \
|
|
||||||
-e "s~${rc.serverCertFile}~$CREDENTIALS_DIRECTORY/nsd_server.pem~" \
|
|
||||||
/etc/nsd/nsd.conf > ${nsdconf}
|
|
||||||
|
|
||||||
[ "$TYPE" != "dns-01" ] && { echo "Skipping $TYPE"; exit 1; }
|
[ "$TYPE" != "dns-01" ] && { echo "Skipping $TYPE"; exit 1; }
|
||||||
|
|
||||||
|
|
@ -37,25 +29,27 @@
|
||||||
|
|
||||||
cleanup() {
|
cleanup() {
|
||||||
nsd-control delzone ${fullZone}
|
nsd-control delzone ${fullZone}
|
||||||
rm -f "$DIR/${fullZone}.acme"
|
rm -f "$DIR/${fullZone}.zone"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
mkdir -p "$DIR"
|
||||||
|
|
||||||
case "$METHOD" in
|
case "$METHOD" in
|
||||||
begin)
|
begin)
|
||||||
echo "Deleting previous ${fullZone} if exists ..."
|
echo "Deleting previous ${fullZone} if exists ..."
|
||||||
nsd-control -c ${nsdconf} delzone ${fullZone} || :
|
nsd-control delzone ${fullZone} || :
|
||||||
write_zone > "$DIR/${fullZone}.acme"
|
write_zone > "$DIR/${fullZone}.zone"
|
||||||
|
|
||||||
echo "Activating ${fullZone}"
|
echo "Activating ${fullZone}"
|
||||||
nsd-control -c ${nsdconf} addzone ${fullZone} acme
|
nsd-control addzone ${fullZone} acme
|
||||||
;;
|
;;
|
||||||
done)
|
done)
|
||||||
echo "ACME request successful, cleaning up"
|
echo "ACME request successful, cleaning up"
|
||||||
cleanup
|
cleanup
|
||||||
;;
|
;;
|
||||||
failed)
|
failed)
|
||||||
echo "ACME request failed, cleaning up"
|
echo "ACME request failed, not cleaning up"
|
||||||
cleanup
|
#cleanup
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
'';
|
'';
|
||||||
|
|
@ -89,9 +83,13 @@ in {
|
||||||
services.nsd.extraConfig = ''
|
services.nsd.extraConfig = ''
|
||||||
pattern:
|
pattern:
|
||||||
name: "acme"
|
name: "acme"
|
||||||
zonefile: "/var/lib/nsd/zones/%s.acme"
|
zonefile: "/var/lib/nsd/acmezones/%s.zone"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d /var/lib/nsd/acmezones 0755 nsd nsd -"
|
||||||
|
];
|
||||||
|
|
||||||
systemd.services =
|
systemd.services =
|
||||||
{
|
{
|
||||||
nsd-control-setup = {
|
nsd-control-setup = {
|
||||||
|
|
@ -108,8 +106,11 @@ in {
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
UMask = 0077;
|
UMask = 0077;
|
||||||
ExecStart = "${pkgs.nsd}/bin/nsd-control-setup";
|
|
||||||
};
|
};
|
||||||
|
script = ''
|
||||||
|
${pkgs.nsd}/bin/nsd-control-setup
|
||||||
|
chown nsd:nsd /etc/nsd/nsd_{control,server}.{key,pem}
|
||||||
|
'';
|
||||||
path = [pkgs.openssl];
|
path = [pkgs.openssl];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
@ -122,9 +123,9 @@ in {
|
||||||
description = "dns-01 acme update for ${zone}";
|
description = "dns-01 acme update for ${zone}";
|
||||||
path = [pkgs.openssh pkgs.nsd];
|
path = [pkgs.openssh pkgs.nsd];
|
||||||
preStart = ''
|
preStart = ''
|
||||||
mkdir -p "$STATE_DIRECTORY/private"
|
mkdir -p "$STATE_DIRECTORY/${sanitized}/private"
|
||||||
ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \
|
ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \
|
||||||
"$STATE_DIRECTORY/private/key.pem"
|
"$STATE_DIRECTORY/${sanitized}/private/key.pem"
|
||||||
'';
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = let
|
ExecStart = let
|
||||||
|
|
@ -134,18 +135,50 @@ in {
|
||||||
if cfg.staging
|
if cfg.staging
|
||||||
then "--staging"
|
then "--staging"
|
||||||
else "";
|
else "";
|
||||||
in "${pkgs.uacme}/bin/uacme -c \"$STATE_DIRECTORY\" --verbose --days ${days} --hook ${hook} ${staging} issue ${zone}";
|
in "${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${staging} issue ${zone}";
|
||||||
DynamicUser = "yes";
|
|
||||||
|
UMask = "0022";
|
||||||
|
User = "nsd";
|
||||||
|
Group = "nsd";
|
||||||
StateDirectory = "nsd-acme/${sanitized}";
|
StateDirectory = "nsd-acme/${sanitized}";
|
||||||
RuntimeDirectory = "nsd-acme/${sanitized}";
|
LoadCredential = ["letsencrypt-account-key:${cfg.accountKey}"];
|
||||||
LoadCredential = let
|
ReadWritePaths = ["/var/lib/nsd/acmezones"];
|
||||||
rc = config.services.nsd.remoteControl;
|
|
||||||
in [
|
# from nixos/modules/security/acme/default.nix
|
||||||
"nsd_control.key:${rc.controlKeyFile}"
|
ProtectSystem = "strict";
|
||||||
"nsd_control.pem:${rc.controlCertFile}"
|
PrivateTmp = true;
|
||||||
"nsd_server.key:${rc.serverKeyFile}"
|
CapabilityBoundingSet = [""];
|
||||||
"nsd_server.pem:${rc.serverCertFile}"
|
DevicePolicy = "closed";
|
||||||
"letsencrypt-account-key:${cfg.accountKey}"
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
ProcSubset = "pid";
|
||||||
|
RemoveIPC = true;
|
||||||
|
# "cannot get devices"
|
||||||
|
#RestrictAddressFamilies = [
|
||||||
|
# "AF_INET"
|
||||||
|
# "AF_INET6"
|
||||||
|
#];
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = [
|
||||||
|
# 1. allow a reasonable set of syscalls
|
||||||
|
"@system-service @resources"
|
||||||
|
# 2. and deny unreasonable ones
|
||||||
|
"~@privileged"
|
||||||
|
# 3. then allow the required subset within denied groups
|
||||||
|
"@chown"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue