My unified nix flake for all configuration management.
- Nix 80.5%
- Shell 9.5%
- TypeScript 4%
- CSS 2.5%
- Python 2.3%
- Other 1%
caddy's DNS-01 client reused the whole-zone `beefcake-h` update key, whose knot ACL is unrestricted `action: update` — a caddy compromise could rewrite ANY lyte.dev record (MX/NS/SPF/DKIM/A), not just the `_acme-challenge` TXT it needs. Mint a dedicated least-privilege key instead:

- New sops secret `tsig-caddy-acme` (group knot; caddy reads it via the sops template, knot injects it server-side — both derive from the one secret so they always agree).
- New knot ACL `acl-update-caddy-acme` scoped with knot's update-owner / update-owner-match / update-owner-name / update-type: owner pattern `_acme-challenge.*`, type TXT only. Extend lib/modules/nixos/dns-server.nix to render those four ACL keys.
- Point caddy at `caddy-acme`; `beefcake-h` stays whole-zone for dns-updater.

Also investigated the 1984 AXFR ACL (item #2): 1984's FreeDNS secondary authenticates the master by source IP only (no TSIG field in their UI/docs), so the existing-but-unused `secondary-1984` sops key has nothing to pair with. Documented that in acl-xfr-1984 + the tsigKeys entry and left the transfer ACL IP-only (residual risk low: AXFR is TCP, payload is public zone data).

Verified: `nix build .#nixosConfigurations.beefcake...toplevel` clean; rendered knot ACL/key blocks confirmed via `knotc conf-check`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015Ua6iQkZHsuYxGFtFpXXLx
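The ACL split the commit message describes, shown as an added knot.conf excerpt for illustration; it is not the output of lib/modules/nixos/dns-server.nix or any file in this repo. The key and ACL ids follow the commit's names. The TSIG secrets, the 1984 secondary's address, and the `lyte.dev` zone stanza are placeholders (in the flake the secrets come from sops), and the `pattern` match mode for `update-owner-match` is assumed to be available in the knot version in use.

```yaml
# Added example, not the repo's rendered config. Placeholder secrets and
# addresses: never commit real TSIG material, the flake sources it from sops.

key:
  - id: beefcake-h            # whole-zone key, kept for dns-updater
    algorithm: hmac-sha256
    secret: "REPLACE-WITH-SOPS-TSIG-SECRET"
  - id: caddy-acme            # dedicated least-privilege key for caddy's DNS-01 solver
    algorithm: hmac-sha256
    secret: "REPLACE-WITH-SOPS-TSIG-SECRET"

acl:
  # Weak: whoever holds beefcake-h can add, change or delete ANY record in the
  # zone (MX, NS, SPF/DKIM TXT, A ...). Acceptable only for dns-updater.
  - id: acl-update-beefcake-h
    key: beefcake-h
    action: update

  # Hardened: same action, but the update may only touch TXT records whose
  # owner matches _acme-challenge.* (relative names are taken relative to the
  # zone origin, so this covers _acme-challenge.lyte.dev and
  # _acme-challenge.<sub>.lyte.dev). Anything else in the update is refused.
  - id: acl-update-caddy-acme
    key: caddy-acme
    action: update
    update-owner: name
    update-owner-match: pattern
    update-owner-name: [ "_acme-challenge.*" ]
    update-type: [ TXT ]

  # AXFR to the 1984 secondary: source-address only, because their side has
  # no TSIG to pair with. The address is a TEST-NET-1 placeholder.
  - id: acl-xfr-1984
    address: [ 192.0.2.10 ]
    action: transfer

zone:
  - domain: lyte.dev
    acl: [ acl-update-beefcake-h, acl-update-caddy-acme, acl-xfr-1984 ]
```

`knotc -c <file> conf-check` only validates syntax; it does not prove the owner pattern behaves as intended. To check the scope end to end, send two `nsupdate` requests signed with the `caddy-acme` key (`nsupdate -y hmac-sha256:caddy-acme:<secret>`): a TXT add at `_acme-challenge.lyte.dev` should succeed, while an MX or NS change, or a TXT add at any other owner, should come back REFUSED. Repeat the MX change with `beefcake-h` to confirm the whole-zone key still works for dns-updater.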
Repository contents:

- .claude
- .forgejo/workflows
- .helix
- dotfiles
- issues
- lib
- packages
- secrets
- .envrc
- .gitignore
- .sops.yaml
- AGENTS.md
- CLAUDE.md
- flake.lock
- flake.nix
- In-Memory
- readme.md
- run-claude-sandbox.sh