author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-07-10 12:19:09 +0200 |
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-07-10 12:19:09 +0200 |
commit | bd0de692664cd608bedac7dc2bd7b113df82989c (patch) | |
tree | 9b1c8835d4d0a0d46e9f44f5e853453be69e56ae | |
parent | ffac1727b92167ca6847b7ae3adc71f091d8048f (diff) | |
surtr: mta-sts & dane
-rw-r--r-- | hosts/surtr/dns/zones/email.bouncy.soa | 11 | ||||
-rw-r--r-- | hosts/surtr/email/default.nix | 37 |
2 files changed, 37 insertions, 11 deletions
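--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-2022071000 ; serial
+2022071001 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -13,7 +13,7 @@ $TTL 3600
 IN NS ns3.inwx.eu.
 
 @ IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
-@ IN CAA 128 iodef "mailto:caa@yggdrasil.li"
+@ IN CAA 128 iodef "mailto:hostmaster@bouncy.email"
 
 @ IN A 202.61.241.61
 @ IN AAAA 2a03:4000:52:ada::
@@ -21,7 +21,7 @@ $TTL 3600
 @ IN TXT "v=spf1 a:mailout.bouncy.email -all"
 
 surtr._domainkey IN CNAME surtr._domainkey.yggdrasil.li.
-_dmarc IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@yggdrasil.li;ruf=mailto:postmaster@yggdrasil.li"
+_dmarc IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@bouncy.email;ruf=mailto:postmaster@bouncy.email"
 
 _acme-challenge IN NS ns.yggdrasil.li.
 
@@ -41,6 +41,11 @@ mailin IN MX 0 mailin.bouncy.email.
 mailin IN TXT "v=spf1 redirect=bouncy.email"
 _acme-challenge.mailin IN NS ns.yggdrasil.li.
 
+_25._tcp.mailin IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
+_25._tcp.mailin IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
+_25._tcp.mailin IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
+_25._tcp.mailin IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
+
 mailsub IN A 202.61.241.61
 mailsub IN AAAA 2a03:4000:52:ada::
 mailsub IN MX 0 mailin.bouncy.email.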
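Review bot: The four TLSA `2 1 1` records added at new lines 44–47 carry no comment saying which trust-anchor key each SPKI digest pins, so at the next CA intermediate rollover nobody can tell which digest is stale and which is current; add a `;` comment per record, e.g. `; DANE-TA: SPKI SHA-256 of <issuing-intermediate-name, placeholder>`. Usage 2 records only verify if the zone is DNSSEC-signed and the pinned intermediate is actually sent in the TLS chain on port 25; neither is visible in this hunk, so confirm both before relying on them. The commit is titled mta-sts, yet no `_mta-sts IN TXT "v=STSv1; id=..."` record appears in these hunks; if it lives in the unshown lines 28–40 its `id` must be bumped whenever the policy text in hosts/surtr/email/default.nix changes (the serial bump alone does not do that), and if it does not exist senders will never discover the policy served on mta-sts.bouncy.email.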
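--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -640,15 +640,35 @@ in {
 };
 }) spmDomains) // {
 "mta-sts.bouncy.email" = {
-locations."/".root = pkgs.runCommand "mta-sts" {} ''
-mkdir -p $out/.well-known
-cp ${pkgs.writeText "mta-sts.txt" ''
-version: STSv1
-mode: testing
-mx: mailin.bouncy.email
-max_age: 604800
-''} $out/.well-known/mta-sts.txt
+forceSSL = true;
+sslCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.pem";
+sslCertificateKey = "/run/credentials/nginx.service/mta-sts.bouncy.email.key.pem";
+sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.chain.pem";
+
+extraConfig = ''
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+add_header Access-Control-Allow-Origin '*';
+add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
+add_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type, Authorization';
+add_header Access-Control-Max-Age 7200;
 '';
+
+locations."/" = {
+extraConfig = ''
+charset utf-8;
+source_charset utf-8;
+'';
+root = pkgs.runCommand "mta-sts" {} ''
+mkdir -p $out/.well-known
+cp ${pkgs.writeText "mta-sts.txt" ''
+version: STSv1
+mode: testing
+mx: mailin.bouncy.email
+max_age: 604800
+''} $out/.well-known/mta-sts.txt
+'';
+};
 };
 };
 };
@@ -659,6 +679,7 @@ in {
 ]) spmDomains ++ [
 "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem"
 "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem"
+"mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem"
 ];
 
 systemd.services.spm = {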
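Review bot: The CORS block at new lines 651–654 advertises `Access-Control-Allow-Origin '*'` together with POST/PUT/DELETE methods and an `Authorization` request header on a vhost whose only content is the static MTA-STS policy file; MTAs fetch `/.well-known/mta-sts.txt` directly and never evaluate CORS, so none of it is needed and the method/header allowances document capabilities the server does not have. Drop the four `add_header Access-Control-*` lines, or if a browser-side checker genuinely needs cross-origin reads keep only `add_header Access-Control-Allow-Origin '*';`. Note also that the `Strict-Transport-Security` header at line 649 reaches clients only because the `locations."/"` block (lines 657–671) contains no `add_header` of its own — nginx drops inherited `add_header` directives as soon as a location defines one — so a short comment in that location's `extraConfig`, e.g. `# no add_header here: it would discard the server-level HSTS header`, would protect it from a later edit. The enclosing attribute set starts before line 640 and the `pkgs.writeText "mta-sts.txt"` policy is now the place whose edits must be mirrored by an `_mta-sts` id bump in the zone.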