My unified nix flake for all configuration management.
  • Nix 80.5%
  • Shell 9.5%
  • TypeScript 4%
  • CSS 2.5%
  • Python 2.3%
  • Other 1%
Daniel Flanagan baf194d48e
feat(beefcake/dns): scope caddy ACME TSIG key to _acme-challenge TXT (M3)
caddy's DNS-01 client reused the whole-zone `beefcake-h` update key, whose
knot ACL is unrestricted `action: update` — a caddy compromise could rewrite
ANY lyte.dev record (MX/NS/SPF/DKIM/A), not just the `_acme-challenge` TXT it
needs. Mint a dedicated least-privilege key instead:

- New sops secret `tsig-caddy-acme` (group knot; caddy reads it via the sops
  template, knot injects it server-side — both derive from the one secret so
  they always agree).
- New knot ACL `acl-update-caddy-acme` scoped with knot's update-owner /
  update-owner-match / update-owner-name / update-type: owner pattern
  `_acme-challenge.*`, type TXT only. Extend lib/modules/nixos/dns-server.nix
  to render those four ACL keys.
- Point caddy at `caddy-acme`; `beefcake-h` stays whole-zone for dns-updater.

Also investigated the 1984 AXFR ACL (item #2): 1984's FreeDNS secondary
authenticates the master by source IP only (no TSIG field in their UI/docs),
so the existing-but-unused `secondary-1984` sops key has nothing to pair with.
Documented that in acl-xfr-1984 + the tsigKeys entry and left the transfer ACL
IP-only (residual risk low: AXFR is TCP, payload is public zone data).

Verified: `nix build .#nixosConfigurations.beefcake...toplevel` clean; rendered
knot ACL/key blocks confirmed via `knotc conf-check`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015Ua6iQkZHsuYxGFtFpXXLx
2026-07-01 11:38:27 -05:00
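The ACL shape the commit describes, written out as a minimal Knot DNS configuration. This is an added illustration, not the repository's Nix module or its rendered output: the ACL id `acl-update-whole-zone`, the zone storage path and the two secrets are placeholders chosen here; the key names `beefcake-h` and `caddy-acme`, the ACL id `acl-update-caddy-acme`, the owner pattern and the TXT restriction are the ones the commit names.

```yaml
# Added example (not the repo's rendered config): the two ACL shapes the commit
# contrasts, side by side. Ids marked "assumed" and both secrets are placeholders.

key:
  # Whole-zone key that dns-updater keeps using.
  - id: beefcake-h
    algorithm: hmac-sha256
    secret: c2VjcmV0LXBsYWNlaG9sZGVyLW5vdC1yZWFs        # placeholder, not a real key

  # Dedicated key for caddy's DNS-01 client. Knot and caddy must see the same
  # bytes; the commit achieves that by deriving both from one sops secret.
  - id: caddy-acme
    algorithm: hmac-sha256
    secret: cGxhY2Vob2xkZXItdHdvLW5vdC1hLXJlYWwta2V5    # placeholder, not a real key

acl:
  # BEFORE (what caddy used to share): action: update with no owner or type
  # restriction. Any holder of beefcake-h can rewrite MX, NS, SPF, DKIM or A
  # records anywhere in the zone.
  - id: acl-update-whole-zone        # assumed id
    key: beefcake-h
    action: update

  # AFTER: same action, but every RR in the UPDATE must have an owner matching
  # the pattern (relative to the zone apex) and must be of type TXT. An UPDATE
  # that touches anything else is refused as a whole.
  - id: acl-update-caddy-acme
    key: caddy-acme
    action: update
    update-owner: name
    update-owner-match: pattern
    update-owner-name: [ _acme-challenge.* ]
    update-type: [ TXT ]

zone:
  - domain: lyte.dev
    storage: /var/lib/knot/zones     # assumed path
    file: lyte.dev.zone
    acl: [ acl-update-whole-zone, acl-update-caddy-acme ]
```

Check the rendered file with `knotc -c <file> conf-check` as the commit does, then prove the scope holds from the client side: an `nsupdate -y hmac-sha256:caddy-acme:<secret>` session that adds `_acme-challenge.test.lyte.dev. TXT` should succeed, and the same session changing `lyte.dev. MX` should come back REFUSED. One caveat worth testing on your Knot version: if `*` in `pattern` mode matches exactly one label, the apex name `_acme-challenge.lyte.dev` is outside the pattern and needs its own `_acme-challenge` entry in `update-owner-name` before caddy can validate a certificate for the bare domain.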
.claude fix: address PR review feedback 2025-12-06 11:53:41 -06:00
.forgejo/workflows ci: gate the build skip on the default branch, not hardcoded "main" 2026-06-26 16:05:31 -05:00
.helix Format 2025-02-14 13:31:18 -06:00
dotfiles refactor(claude): drop herdr notification glue — herdr surfaces agent state natively 2026-07-01 00:25:39 -05:00
issues docs(issues): file offsite append-only restic immutability follow-up 2026-07-01 11:31:16 -05:00
lib feat(beefcake/dns): scope caddy ACME TSIG key to _acme-challenge TXT (M3) 2026-07-01 11:38:27 -05:00
packages feat(beefcake/dns): scope caddy ACME TSIG key to _acme-challenge TXT (M3) 2026-07-01 11:38:27 -05:00
secrets feat(beefcake/dns): scope caddy ACME TSIG key to _acme-challenge TXT (M3) 2026-07-01 11:38:27 -05:00
.envrc Fprintd fixes? 2024-03-24 14:34:44 -05:00
.gitignore feat(helix): indent markdown with spaces for LSP compatibility 2026-05-04 15:12:47 -05:00
.sops.yaml feat(steamdeck): declarative syncthing RetroDECK rom+save sync 2026-06-25 08:10:24 -05:00
AGENTS.md docs(deploy): warn agents never to deploy rollbacks; flesh out blue/green issue 2026-06-29 11:20:56 -05:00
CLAUDE.md refactor: make CLAUDE.md a symlink to AGENTS.md 2026-03-23 17:14:34 -05:00
flake.lock feat(shell): add herdr as a flake input and default package 2026-06-30 21:18:21 -05:00
flake.nix feat(shell): cut over from zellij to herdr 2026-07-01 00:25:39 -05:00
In-Memory fix: grant daniel oauth2 admin access for Kanidm 2026-03-20 15:31:23 -05:00
readme.md chore: update readme 2026-01-12 18:04:31 -06:00
run-claude-sandbox.sh feat: add n8n 2025-11-20 21:15:27 -06:00