WIP: feat(dns): enable DNS-01 challenges #817

Draft
ecoppens wants to merge 3 commits from feat/dns-01 into main
Owner
No description provided.
feat(dns): enable ACME challenge CNAME records to validation.dgnum.eu zone
All checks were successful
0e009bb627
feat(dns): add ACLs and keys for ACME challenges
All checks were successful
3c8e1dddff
feat(acme): add options to nginx to enable DNS-01 challenge
Some checks failed
Show derivation diffs / compute01 (pull_request) Failing after 1m3s
a1675297e9
mdebray left a comment

Mainly:

  • ACL scoped per domain
  • make dns01 less of a default and more opt-in
  • clean up some things by properly using knot's settings + nit
@ -53,2 +52,2 @@
notify = attrNames dgnumSecondaries;
});
# Regular domains
"validation.dgnum.eu"
Owner

Why transfer the zone to the secondaries? We don't reduce the robustness of the setup if we don't transfer it.
Author
Owner

I don't understand: notify is there to say that there has been a change in the zone so that they find out quickly? And since I inherit the NS from the other zones, it seems consistent to me.

And I don't see the downsides of doing that?
Owner

It's just not necessary to share the zone between 3 DNS servers for the challenges. We don't need the redundancy. Indeed, the NS and the notify have to go.
@ -55,0 +59,4 @@
)
{
"validation.dgnum.eu" = {
acl = mapAttrsToList (domain: _: "dns-01_${domain}") (
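Review bot: `acl = mapAttrsToList (domain: _: "dns-01_${domain}")` attaches one ACL per ACME-enabled zone to the single validation zone, and each of those ACLs (see their definition further down) allows unrestricted `update`; because they all target the same zone, the list collapses to "any of these keys may write anything here". One ACL referencing all keys, restricted by owner and record type, expresses the intent and keeps the generated config readable.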
Owner

Only one ACL rule is needed, see below
@ -55,0 +62,4 @@
acl = mapAttrsToList (domain: _: "dns-01_${domain}") (
filterAttrs (_: zone: zone.enableACME) meta.dns
);
file = "/var/lib/knot/zones/validation.dgnum.eu";
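Review bot: `file = "/var/lib/knot/zones/validation.dgnum.eu";` names a zone file in Knot's state directory that dynamic updates will mutate; document how its initial SOA/NS content is seeded once (the Knot operation examples linked in review cover this) and make sure a redeploy does not overwrite it, otherwise the journal and the file diverge after the first update.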
Owner

I doubt the relevance of the setup. It seems to me we rather want https://www.knot-dns.cz/docs/latest/html/operation.html#example-2 with an init script run once, or https://www.knot-dns.cz/docs/latest/html/operation.html#example-5
@ -86,0 +99,4 @@
acl = mapAttrsToList (domain: _: {
id = "dns-01_${domain}";
key = "dns-01_${domain}_key";
action = "update";
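Review bot: `action = "update";` with only `key = "dns-01_${domain}_key";` grants that key the right to add or delete any record type at any owner in the zone this ACL is attached to, so one leaked per-domain key can overwrite every other domain's challenge record. Add `update-type = [ "TXT" ]` and an owner restriction (Knot's `update-owner` / `update-owner-match` settings) tied to the domain; that in turn needs the per-domain CNAME target discussed in review.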
Owner

It would be cool to have finer ACLs via update-type and update-owner (I think matching the TSIG identity against the domain is the most relevant; the key attr above will then be a list). We'll also need a different CNAME for each domain.
@ -13,0 +24,4 @@
enableACME = mkEnableOption "Enable ACME CNAME records" // {
default = defaultACME;
};
subdomains = mkOption { type = attrsOf (acmeSubdomainType config.enableACME); };
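Review bot: `default = defaultACME;` combined with `acmeSubdomainType config.enableACME` propagates the ACME CNAME setting down the whole subdomain tree once it is on at the top; if DNS-01 is meant for a handful of zones, a `false` default at the root (opt-in per zone) keeps the number of `_acme-challenge` CNAMEs, and the matching TSIG keys, minimal.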
Owner

Why recursive? A priori dns01 will be enabled on a restricted number of domains
Author
Owner

What do you mean we only want DNS-01 on a few domains? https://letsencrypt.org/docs/challenge-types/ DNS-01 seems better to me anyway; and besides, there's no point writing an abstraction for a few domains, might as well do it by hand, it's 5-6 lines
Owner

DNS-01 requires provisioning secrets between the DNS server and the server, which requires a redeployment every time you want to create a domain. That can be annoying if you're not root*. I can't see what advantages of DNS-01 would make us want it in lots of places. HTTP-01 seems more versatile to me. In particular DNS-01 is necessary for:

  • radius.dgnum.eu because there is no webserver
  • cdn.dgnum.eu and s3.dgnum.eu because we want wildcards
  • Some lab VMs

An abstraction / somewhat generic code is useful so as not to reinvent the wheel every time, but maybe just an attrs similar to `hosted` (meta/dgnum-dns.nix#L74) is enough? (we lose the "generic for the lab" part in that case)
@ -13,0 +28,4 @@
};
config = mkIf (config.enableACME && !hasPrefix "*" name && name != "_acme-challenge") {
subdomains._acme-challenge = {
CNAME = [ "validation.dgnum.eu" ];
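Review bot: `CNAME = [ "validation.dgnum.eu" ];` sends every domain's `_acme-challenge` to the same owner name, so all challenge TXT records land on one name and no ACL can distinguish which key wrote which; a per-domain target derived from `name` (for example a label under `validation.dgnum.eu`, naming scheme to be decided) makes an owner-scoped ACL possible. The `!hasPrefix "*" name` guard is right, since a wildcard's challenge lives at its parent's `_acme-challenge`.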
Owner

Can we have a different CNAME per domain so that ACLs can be applied?
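The finer ACL (update-type / update-owner matched against the TSIG identity) and the per-domain CNAME that the two review comments above ask for, written out as an added Knot DNS configuration example; this is not code from this PR or from the dgnum repository. It assumes two hypothetical domains, web01.dgnum.eu and radius.dgnum.eu, placeholder TSIG secrets, a validation zone served only by the primary, and a naming scheme in which each key's id equals the owner name that key may write, so that Knot's `update-owner: key` enforces the match.

```yaml
# Added example, not from this PR: Knot DNS configuration for the
# validation.dgnum.eu zone with per-domain TSIG keys and owner-scoped ACLs.
# The domains web01.dgnum.eu / radius.dgnum.eu and the secrets are placeholders.

key:
  # One key per validated domain. The key id is chosen to be exactly the
  # owner name that key may write, so `update-owner: key` can enforce it.
  - id: web01.validation.dgnum.eu
    algorithm: hmac-sha256
    secret: PLACEHOLDER_BASE64_SECRET_WEB01
  - id: radius.validation.dgnum.eu
    algorithm: hmac-sha256
    secret: PLACEHOLDER_BASE64_SECRET_RADIUS

acl:
  # Weak form, equivalent to the PR's `action = "update"` with nothing else:
  # every listed key may add or delete any record anywhere in the zone, so a
  # leaked web01 key could replace radius's challenge record.
  - id: dns-01_update_unrestricted
    key: [web01.validation.dgnum.eu, radius.validation.dgnum.eu]
    action: update

  # Restricted form: only TXT records, and only at an owner name equal to
  # the name of the key that signed the update.
  - id: dns-01_update
    key: [web01.validation.dgnum.eu, radius.validation.dgnum.eu]
    action: update
    update-type: [TXT]
    update-owner: key
    update-owner-match: equal

zone:
  # Primary-only zone: no secondaries listed, hence no notify / transfer ACL.
  - domain: validation.dgnum.eu
    file: /var/lib/knot/zones/validation.dgnum.eu.zone
    acl: [dns-01_update]        # attach the restricted ACL, not the weak one

# The public zones delegate each domain's challenge name to its own owner in
# the validation zone (zone-file syntax, shown here as a comment):
#   _acme-challenge.web01.dgnum.eu.   IN CNAME web01.validation.dgnum.eu.
#   _acme-challenge.radius.dgnum.eu.  IN CNAME radius.validation.dgnum.eu.
# The ACME client for web01 signs its dynamic update with web01's key and
# writes the TXT at web01.validation.dgnum.eu; the same key is rejected for
# any other owner name or any other record type.
```

Validate the file with `knotc conf-check` before reloading; an update signed with web01's key but addressed to `radius.validation.dgnum.eu` is then refused by the `dns-01_update` ACL, which is the property the review is after.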
@ -0,0 +27,4 @@
default = true;
};
services.nginx.virtualHosts = mkOption {
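Review bot: `default = true;` immediately before `services.nginx.virtualHosts = mkOption {` reads as the module's enable flag (cf. `mkIf cfg.enable` further down); a module that turns on an rfc2136 provider and a TSIG credential should default to off so that only hosts which actually need DNS-01 carry the secret.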
Owner

Personally I don't really like this abstraction, I'd rather we leave setting acmeRoot to null up to the user
Author
Owner

I find `acmeRoot = null` less descriptive
Like, if you read the infra and you see either `acmeRoot = null` or `acmeChallenge = "DNS-01"`, you'll understand the second one better
@ -0,0 +49,4 @@
config = mkIf cfg.enable {
security.acme = {
acceptTerms = true;
defaults = {
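Review bot: configuring the provider under `security.acme.defaults` means every certificate on the host, including ones that could use HTTP-01, is issued through the same TSIG credential; scoping `dnsProvider` and the credential to `security.acme.certs.<name>` keeps each service's blast radius to its own challenge records and matches the per-domain key model suggested in review.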
Owner

Personally, meh on the default with the same key for everything. Personally I'd prefer `dgn-acme.dns01.<name>.tsigKey = key;`
@ -0,0 +53,4 @@
email = "acme@dgnum.eu";
dnsProvider = "rfc2136";
environmentFile = pkgs.writeText "acme-dns-01-env" ''
RFC2136_TSIG_FILE=${config.age.secrets."acme-tsig_file".path}
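Review bot: `environmentFile = pkgs.writeText "acme-dns-01-env" ''...` lands in the world-readable Nix store; it only embeds the path of `config.age.secrets."acme-tsig_file"` rather than the key itself, so nothing leaks, but the acme service account still needs read permission on that secret file, which is easy to get wrong. `security.acme.certs.<name>.credentialFiles` hands the file to lego through systemd `LoadCredential`, so neither a store-side env file nor secret-permission juggling is needed.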
Owner

security.acme.certs.<name>.credentialFiles is more suitable. It uses LoadCredential under the hood
@ -152,6 +152,7 @@ in
http2 = false;
enableACME = true;
forceSSL = true;
acmeChallenge = "DNS-01";
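Review bot: `acmeChallenge = "DNS-01";` is the vhost-level option this PR introduces, not an upstream NixOS `virtualHosts` option, so readers of this file need to know the module that defines it is imported; if this vhost has a reachable web server, keeping the stock `enableACME = true;` HTTP-01 path avoids provisioning a TSIG key on this node, which fits the review's conclusion of reserving DNS-01 for radius.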
Owner

Can't we just set security.acme.certs?
Author
Owner

uh, well you'll have to set a bunch of things in nginx by hand if you do that
Author
Owner

ah no, you mean drop the nginx part and put that only for radius, yeah maybe
Owner

Yes
Some checks failed
Build all the nodes / compute01 (pull_request) Failing after 48s
This pull request is marked as a work in progress.
This branch is out-of-date with the base branch