B4L/cnx-network-clan
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Allow ACME DNS-01 dynamic updates on ns1

Browse Source 
Add a dedicated acme_ddns TSIG key (scoped to ns1 only) and an acl_acme rule
that limits it to TXT updates at or under _acme-challenge.<zone>. An external
ACME client can now write challenge records via RFC 2136; Knot signs them and
transfers to ns2, which never holds the key.
This commit is contained in:
Berwn
2026-06-14 17:12:17 +07:00
parent 8330eaa8ce
commit a3482face5
1 changed files with 36 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
machines/ns1/configuration.nix
+36 -2
View File
@@ -1,4 +1,4 @@
{ ... }: { config, pkgs, ... }:
let let
domains = import ../../modules/dns/domains.nix; domains = import ../../modules/dns/domains.nix;
in in
@@ -10,6 +10,40 @@ in
time.timeZone = "Etc/GMT-1"; # UTC+1 (fixed offset, no DST) time.timeZone = "Etc/GMT-1"; # UTC+1 (fixed offset, no DST)
services.timesyncd.enable = true; services.timesyncd.enable = true;
# ACME DNS-01 (RFC 2136): a dedicated TSIG key, scoped to ns1 only, that an
# external ACME client uses to write _acme-challenge TXT records. acl_acme
# (referenced by each zone below) limits the key to TXT updates at or under
# _acme-challenge.<zone>; Knot then signs the record and transfers it to ns2,
# which never needs this key. Retrieve the secret for the client with:
# clan vars get ns1 dns-acme-tsig/acme.conf
clan.core.vars.generators.dns-acme-tsig = {
files."acme.conf" = {
secret = true;
owner = "knot";
group = "knot";
};
runtimeInputs = [ pkgs.knot-dns ];
script = ''
keymgr -t acme_ddns hmac-sha256 > "$out"/acme.conf
'';
};
services.knot.keyFiles = [
config.clan.core.vars.generators.dns-acme-tsig.files."acme.conf".path
];
services.knot.settings.acl = [
{
id = "acl_acme";
key = "acme_ddns";
action = [ "update" ];
"update-type" = [ "TXT" ];
"update-owner" = "name";
"update-owner-match" = "sub-or-equal";
"update-owner-name" = [ "_acme-challenge" ];
}
];
# Automatic DNSSEC signing policy (primary only). ECDSA P-256/SHA-256 with # Automatic DNSSEC signing policy (primary only). ECDSA P-256/SHA-256 with
# Knot's default key management: the ZSK auto-rolls and the KSK is kept stable, # Knot's default key management: the ZSK auto-rolls and the KSK is kept stable,
# so the DS at the registrar only changes on a manual KSK rollover. # so the DS at the registrar only changes on a manual KSK rollover.
@@ -34,6 +68,6 @@ in
"dnssec-signing" = true; "dnssec-signing" = true;
"dnssec-policy" = "cnx"; "dnssec-policy" = "cnx";
notify = [ "ns2" ]; notify = [ "ns2" ];
acl = [ "acl_ns2" ]; acl = [ "acl_ns2" "acl_acme" ]; # ns2 transfers; acme_ddns key does DNS-01 updates
}) domains; }) domains;
} }