authorGregor Kleen <gkleen@yggdrasil.li>2022-07-10 12:19:09 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2022-07-10 12:19:09 +0200
commitbd0de692664cd608bedac7dc2bd7b113df82989c (patch)
tree9b1c8835d4d0a0d46e9f44f5e853453be69e56ae
parentffac1727b92167ca6847b7ae3adc71f091d8048f (diff)
surtr: mta-sts & dane
-rw-r--r--hosts/surtr/dns/zones/email.bouncy.soa11
-rw-r--r--hosts/surtr/email/default.nix37
2 files changed, 37 insertions, 11 deletions
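--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-  2022071000 ; serial
+  2022071001 ; serial
   10800 ; refresh
   3600 ; retry
   604800 ; expire
@@ -13,7 +13,7 @@ $TTL 3600
   IN NS ns3.inwx.eu.
 
 @ IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
-@ IN CAA 128 iodef "mailto:caa@yggdrasil.li"
+@ IN CAA 128 iodef "mailto:hostmaster@bouncy.email"
 
 @ IN A 202.61.241.61
 @ IN AAAA 2a03:4000:52:ada::
@@ -21,7 +21,7 @@ $TTL 3600
 @ IN TXT "v=spf1 a:mailout.bouncy.email -all"
 
 surtr._domainkey IN CNAME surtr._domainkey.yggdrasil.li.
-_dmarc IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@yggdrasil.li;ruf=mailto:postmaster@yggdrasil.li"
+_dmarc IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@bouncy.email;ruf=mailto:postmaster@bouncy.email"
 
 _acme-challenge IN NS ns.yggdrasil.li.
 
@@ -41,6 +41,11 @@ mailin IN MX 0 mailin.bouncy.email.
 mailin IN TXT "v=spf1 redirect=bouncy.email"
 _acme-challenge.mailin IN NS ns.yggdrasil.li.
 
+_25._tcp.mailin IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
+_25._tcp.mailin IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
+_25._tcp.mailin IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
+_25._tcp.mailin IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
+
 mailsub IN A 202.61.241.61
 mailsub IN AAAA 2a03:4000:52:ada::
 mailsub IN MX 0 mailin.bouncy.email.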
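Review bot: The four `_25._tcp.mailin` TLSA records in the last hunk are usage 2 (DANE-TA) / selector 1 (SPKI) / matching 1 (SHA-256) pins on issuer keys, but nothing in the zone says which CA keys the four digests belong to, so the next person cannot tell when they go stale. Because DANE-TA binds delivery to the intermediate that signed the MX certificate, a rotation by the issuer (the CAA record points at letsencrypt.org) turns into a hard delivery failure for DANE-validating senders unless the matching record is already published, so each line deserves a `;` comment naming the issuer key it covers and the date it was added, e.g. `; DANE-TA SPKI SHA-256 pin for <issuer intermediate name> (added 2022-07-10; update before the issuer rotates)`. Two preconditions are not visible in this commit and should be confirmed elsewhere: DANE is only honoured if bouncy.email is DNSSEC-signed, and with usage 2 the MX must send the pinned intermediate in its TLS chain.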
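--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -640,15 +640,35 @@ in {
       };
     }) spmDomains) // {
       "mta-sts.bouncy.email" = {
-        locations."/".root = pkgs.runCommand "mta-sts" {} ''
-          mkdir -p $out/.well-known
-          cp ${pkgs.writeText "mta-sts.txt" ''
-            version: STSv1
-            mode: testing
-            mx: mailin.bouncy.email
-            max_age: 604800
-          ''} $out/.well-known/mta-sts.txt
+        forceSSL = true;
+        sslCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.pem";
+        sslCertificateKey = "/run/credentials/nginx.service/mta-sts.bouncy.email.key.pem";
+        sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.chain.pem";
+
+        extraConfig = ''
+          add_header Strict-Transport-Security "max-age=63072000" always;
+
+          add_header Access-Control-Allow-Origin '*';
+          add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
+          add_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type, Authorization';
+          add_header Access-Control-Max-Age 7200;
         '';
+
+        locations."/" = {
+          extraConfig = ''
+            charset utf-8;
+            source_charset utf-8;
+          '';
+          root = pkgs.runCommand "mta-sts" {} ''
+            mkdir -p $out/.well-known
+            cp ${pkgs.writeText "mta-sts.txt" ''
+              version: STSv1
+              mode: testing
+              mx: mailin.bouncy.email
+              max_age: 604800
+            ''} $out/.well-known/mta-sts.txt
+          '';
+        };
       };
     };
   };
@@ -659,6 +679,7 @@ in {
     ]) spmDomains ++ [
       "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem"
       "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem"
+      "mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem"
     ];
 
   systemd.services.spm = {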
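Review bot: The four `add_header Access-Control-*` lines added to `extraConfig` of the `"mta-sts.bouncy.email"` virtual host (new lines 651–654 of the first hunk) advertise wildcard-origin access with `POST, PUT, DELETE` and an `Authorization` header on a host whose only content is a static policy file; MTA-STS fetchers are mail servers, not browsers, and never send a CORS preflight, so the headers add nothing to the policy lookup while declaring write methods the server does not implement. I would drop all four and keep only the HSTS header, leaving `extraConfig = '' add_header Strict-Transport-Security "max-age=63072000" always; '';`. Separately, the policy body carried over unchanged still says `mode: testing`, which means receiving MTAs keep delivering even when TLS to `mailin.bouncy.email` fails; that is a reasonable staged rollout, but a `# testing: switch to enforce once the policy has been observed to validate` comment next to it would record that the hardening is incomplete. The `virtualHosts` attribute set that this host belongs to opens outside the hunk.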