...

author: Gregor Kleen <gkleen@yggdrasil.li> 2026-03-21 15:43:47 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2026-03-21 15:43:47 +0100
commit: 8b1ac25da8313861252e6015f3827d752d9dd8d9 (patch)
tree: 6e06d32c7cb703f6b677a467aece0c1f00581031 /hosts/surtr
parent: 9d3e0c1757ec4e787ef3d679f69de91846d16bfb (diff)
download: nixos-8b1ac25da8313861252e6015f3827d752d9dd8d9.tar
nixos-8b1ac25da8313861252e6015f3827d752d9dd8d9.tar.gz
nixos-8b1ac25da8313861252e6015f3827d752d9dd8d9.tar.bz2
nixos-8b1ac25da8313861252e6015f3827d752d9dd8d9.tar.xz
nixos-8b1ac25da8313861252e6015f3827d752d9dd8d9.zip
9 files changed, 28 insertions, 28 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 14d6efd6..c210cb2d 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -46,7 +46,12 @@ in {
    systemd.services.knot = {
      unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
-      serviceConfig.LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys;
+      serviceConfig = {
+        LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys;
+        BindPaths = let
+          dkimBindPath = domain: "/var/lib/rspamd/dkim/${domain}.txt:/var/lib/dkim/${domain}.txt";
+        in map dkimBindPath ["yggdrasil.li" "141.li" "kleen.li" "praseodym.org" "kleen.consulting" "bouncy.email"];
+      };
    };
    services.knot = {
diff --git a/hosts/surtr/dns/zones/consulting.kleen.soa b/hosts/surtr/dns/zones/consulting.kleen.soa
index 0fa920f7..99a88c7b 100644
--- a/hosts/surtr/dns/zones/consulting.kleen.soa
+++ b/hosts/surtr/dns/zones/consulting.kleen.soa
@@ -1,7 +1,7 @@
 $ORIGIN kleen.consulting.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2026031400 ; serial
+  2026032100 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -21,12 +21,7 @@ $TTL 3600
 @                       IN      MX      0 mailin.kleen.consulting.
 @                       IN      TXT     "v=spf1 a:mailout.kleen.consulting -all"
-surtr._domainkey        IN      CNAME   surtr._domainkey.yggdrasil.li.
+$INCLUDE /var/lib/dkim/kleen.consulting.txt
-mail._domainkey         IN      TXT     ( "v=DKIM1; k=rsa; "
-        "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAye6l3utyz6pfRGsW9l49UjNCSkHSUYMAodLBFlHqPJ3VaBdxcsceEZ+J0NHZKWc+s8UYuV+ppXg/WD21RGr2KhxUKa4PZqB8h0YN7+XvwGAgQCIPnHOr73KImmxI5ZH9H1QsEcK3xeb+1VKR8dUXsPSG0UHne6wnsYCMhBJfFnjRnc+kGxiRl7fBPusxR3m9C0LgH17epXOOEGVo3"
-        "bO6CmPjYbrMqjbRCk8dcfRSLSizEek4ojgLAqx5Hn59dqsl7fg9TNaEKTgg3QO8Yq3AoJYotV7nap+U/XruTv8w9LRmoS+jQJ0pqQ8UHWOeX8JEl7D5WOSLFVidSpYiYzhz8bSuNxqWIganr6uGX6UrnhYMfEpnAWwPcd6L1pu1MsIBJGKLwmhXVUsYSpPlFkL2OrxKPbiz1CmyWeThALyOsbvMatE/ojmj9TUoTuEdcunpOetfir7eyWK9Yx"
-        "k+z6pSzH0jTO8JLIND8X8rdOpEeSPyMowAsZsbo9uXdcH6j2MUmh7nlqsCM3pjXIwwCnO4OxCQ3O89s/Xe/j1qLtdT3biDpAvoJehzO8UAy69aFTyjZESqTXQt/gUqPFm5prLWp8djWEUBAZxBZHxjwvDZdJ6VEDOZtKfjIHmxSzwtMrzLRm5BYurGYjYl+6sW1Ax5VZ4SENuWAZ2jKvRSmLdCWrMCAwEAAQ=="
-)
 _dmarc                  IN      TXT     "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@kleen.consulting;ruf=mailto:postmaster@kleen.consulting"
 _acme-challenge         IN      NS      ns.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa
index 4c0c286c..208a89e4 100644
--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2026031402 ; serial
+  2026032100 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -20,12 +20,7 @@ $TTL 3600
 @                       IN      MX      0 mailin.bouncy.email.
 @                       IN      TXT     "v=spf1 a:mailout.bouncy.email -all"
-surtr._domainkey        IN      CNAME   surtr._domainkey.yggdrasil.li.
+$INCLUDE /var/lib/dkim/bouncy.email.txt
-mail._domainkey         IN      TXT     ( "v=DKIM1; k=rsa; "
-        "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAva2iS93SC+SjKdaJYWGf2wEsKxf1MTn6gKK/Gvg+9rnlCaothnaB5PfZj8TpWHFaFLnoOSQ73HwSM6+MjCNnGjcyEHa2dTFljvVAp4xLzFChps5r5dXZX+qarfzqvTjBr7B57PR2L+i/pl+OL+aYl7yM+mLH4VtrS5oxAQRPaIccYXuWqhtL4t51O4rUL2nRHcDAGs6W4O5ns+6tc"
-        "TXsZC9HBMLbOnr+vhY12aWC4cvZeRYSa1cf7NcRQYgDK+d1tOPZgJPc5nG3mZHx0DjjY9FwBxy3FeJI43aM+q5EW4PdNylqxVPUrajG11O7OZ/gVo1jBr1wQDw+Pluj+RnPTNMrIwL7sYcsPeXcFelQMzyubMChB72HnDOwVnEzGReUOx2OiKfFnukvA2V9Svv4YR6p4rLYGvPVr7+0HCk8ygVkt4p/cDcE7/gjZd8UcCVBCq6pamQFkGIZYg"
-        "hJFos6UgDdF+2W8FS2u3sAP0q7hhjMcmF/hJfOj1TdZizeNJE1x5xoq6fbn9j2+zgUiTYCQOOu02dWOZnQTGtQhhwllZ0qYgJrn6ZzANvCfoWKbw8ylfj9bg15QYlJAunaz4V3PnPz6uQvBj2yut08835M64vBcPspuOp49d5t4Y/59IdtsojDf4XN1RmDu4d/Zdt9hR4tHQVmdfYkUFjBp7KO3O8CAwEAAQ=="
-)
 _dmarc                  IN      TXT     "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@bouncy.email;ruf=mailto:postmaster@bouncy.email"
 _acme-challenge         IN      NS      ns.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa
index 78d137bb..bf650a27 100644
--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2025060701 ; serial
+  2026032101 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -46,7 +46,7 @@ ymir                    IN      MX      0 ymir.yggdrasil.li
 ymir                    IN      TXT     "v=spf1 redirect=ymir.yggdrasil.li"
 ymir._domainkey         IN      CNAME   ymir._domainkey.yggdrasil.li.
-surtr._domainkey        IN      CNAME   surtr._domainkey.yggdrasil.li.
+$INCLUDE /var/lib/dkim/141.li.txt
 _xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
 _xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.kleen.soa b/hosts/surtr/dns/zones/li.kleen.soa
index 5dd3e697..cfaaa1f1 100644
--- a/hosts/surtr/dns/zones/li.kleen.soa
+++ b/hosts/surtr/dns/zones/li.kleen.soa
@@ -1,7 +1,7 @@
 $ORIGIN kleen.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2025060701 ; serial
+  2026032101 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -28,7 +28,7 @@ $TTL 3600
 _acme-challenge         IN      NS      ns.yggdrasil.li.
 ymir._domainkey         IN      CNAME   ymir._domainkey.yggdrasil.li.
-surtr._domainkey        IN      CNAME   surtr._domainkey.yggdrasil.li.
+$INCLUDE /var/lib/dkim/kleen.li.txt
 _xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
 _xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index 69479895..e69f764a 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2026010100 ; serial
+  2026032105 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -46,7 +46,7 @@ surtr                   IN      TXT     "v=spf1 a:surtr.yggdrasil.li -all"
 vpn                     IN      A       185.243.10.86
 vpn                     IN      AAAA    2a03:4000:20:259::
-surtr._domainkey.surtr  IN      CNAME   surtr._domainkey.yggdrasil.li.
+mail._domainkey.surtr   IN      CNAME   mail._domainkey.yggdrasil.li.
 _dmarc.surtr            IN      TXT     "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@yggdrasil.li;ruf=mailto:postmaster@yggdrasil.li"
 _acme-challenge.surtr   IN      NS      ns.yggdrasil.li.
@@ -141,10 +141,7 @@ ymir._domainkey	        IN	TXT	(
  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
 )
+$INCLUDE /var/lib/dkim/yggdrasil.li.txt
-surtr._domainkey        IN      TXT     ( "v=DKIM1;k=rsa;"
-          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwEspNBXjTjPpCqSMkcBUJnSThqMcHwvDP3mOnv8wpDrGTN+1eJ1fzso5GHooGNt0kWHOpcoVwsMDIk81SR3zzNKYWqM40KvQ2ElNJqS5VDIfnxppiG9H5Nu3M7In5jv7OTSKsEi5eDzWqqvaHn6YjNQuKHQsJsAB1zUKoR1gqpvwJlV3tnhfQEl1O3qt0tG1c6JvgZ8R8szrk9"
-          "uNZzu90PDQY9UH4K1nu+INwlMgz9hzgJHIoNJOdB+1gmvnsI4MgmT/otxwKia/UoddN3Gcu7DO1gjFi5cwOA+zOgMnzzWUbys0Q3loCKp9EYgWUJQ9CCh5U4x4/GpV2VeEJ/0GYQIDAQAB" )
 _xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
 _xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/org.praseodym.soa b/hosts/surtr/dns/zones/org.praseodym.soa
index 2b97ca19..5bd627a4 100644
--- a/hosts/surtr/dns/zones/org.praseodym.soa
+++ b/hosts/surtr/dns/zones/org.praseodym.soa
@@ -1,7 +1,7 @@
 $ORIGIN praseodym.org.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2025060701 ; serial
+  2026032103 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -33,7 +33,7 @@ surtr                   IN      MX      0 ymir.yggdrasil.li
 surtr                   IN      TXT     "v=spf1 redirect=yggdrasil.li"
 ymir._domainkey         IN      CNAME   ymir._domainkey.yggdrasil.li.
-surtr._domainkey        IN      CNAME   surtr._domainkey.yggdrasil.li.
+$INCLUDE /var/lib/dkim/praseodym.org.txt
 _xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
 _xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
diff --git a/hosts/surtr/email/ccert-policy-server/pyproject.toml b/hosts/surtr/email/ccert-policy-server/pyproject.toml
index e93c910e..518bd4f9 100644
--- a/hosts/surtr/email/ccert-policy-server/pyproject.toml
+++ b/hosts/surtr/email/ccert-policy-server/pyproject.toml
@@ -27,4 +27,4 @@ build-backend = "uv_build"
 [tool.uv.build-backend]
 module-root = "."
-module-name = []
+module-name = ["ccert_policy_server"]
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 4c7af0c3..4243366c 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -454,6 +454,8 @@ in {
            milter = yes;
            timeout = 120s;
+            client_ca_name = "yggdrasil.li";
            upstream "local" {
              default = yes;
              self_scan = yes;
@@ -491,6 +493,9 @@ in {
          servers = "${config.services.redis.servers.rspamd.unixSocket}";
        '';
        "dkim_signing.conf".text = ''
+          enabled = true;
+          allow_username_mismatch = true;
          path = "/var/lib/rspamd/dkim/$domain.key";
          selector = "mail";
        '';
@@ -514,6 +519,9 @@ in {
              spam = true;
          }
        '';
+        "logging.inc".text = ''
+          debug_modules = ["milter", "dkim_signing"];
+        '';
        # "redirectors.inc".text = ''
        #   visit.creeper.host
        # '';
author	Gregor Kleen <gkleen@yggdrasil.li>	2026-03-21 15:43:47 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2026-03-21 15:43:47 +0100
commit	8b1ac25da8313861252e6015f3827d752d9dd8d9 (patch)
tree	6e06d32c7cb703f6b677a467aece0c1f00581031 /hosts/surtr
parent	9d3e0c1757ec4e787ef3d679f69de91846d16bfb (diff)
download	nixos-8b1ac25da8313861252e6015f3827d752d9dd8d9.tar nixos-8b1ac25da8313861252e6015f3827d752d9dd8d9.tar.gz nixos-8b1ac25da8313861252e6015f3827d752d9dd8d9.tar.bz2 nixos-8b1ac25da8313861252e6015f3827d752d9dd8d9.tar.xz nixos-8b1ac25da8313861252e6015f3827d752d9dd8d9.zip

diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 14d6efd6..c210cb2d 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix
@@ -46,7 +46,12 @@ in {
46		46
47	systemd.services.knot = {	47	systemd.services.knot = {
48	unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];	48	unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
49	serviceConfig.LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys;	49	serviceConfig = {
		50	LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys;
		51	BindPaths = let
		52	dkimBindPath = domain: "/var/lib/rspamd/dkim/${domain}.txt:/var/lib/dkim/${domain}.txt";
		53	in map dkimBindPath ["yggdrasil.li" "141.li" "kleen.li" "praseodym.org" "kleen.consulting" "bouncy.email"];
		54	};
50	};	55	};
51		56
52	services.knot = {	57	services.knot = {


diff --git a/hosts/surtr/dns/zones/consulting.kleen.soa b/hosts/surtr/dns/zones/consulting.kleen.soa index 0fa920f7..99a88c7b 100644 --- a/hosts/surtr/dns/zones/consulting.kleen.soa +++ b/hosts/surtr/dns/zones/consulting.kleen.soa
@@ -1,7 +1,7 @@
1	$ORIGIN kleen.consulting.	1	$ORIGIN kleen.consulting.
2	$TTL 3600	2	$TTL 3600
3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (	3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
4	2026031400 ; serial	4	2026032100 ; serial
5	10800 ; refresh	5	10800 ; refresh
6	3600 ; retry	6	3600 ; retry
7	604800 ; expire	7	604800 ; expire
@@ -21,12 +21,7 @@ $TTL 3600
21	@ IN MX 0 mailin.kleen.consulting.	21	@ IN MX 0 mailin.kleen.consulting.
22	@ IN TXT "v=spf1 a:mailout.kleen.consulting -all"	22	@ IN TXT "v=spf1 a:mailout.kleen.consulting -all"
23		23
24	surtr._domainkey IN CNAME surtr._domainkey.yggdrasil.li.	24	$INCLUDE /var/lib/dkim/kleen.consulting.txt
25	mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
26	"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAye6l3utyz6pfRGsW9l49UjNCSkHSUYMAodLBFlHqPJ3VaBdxcsceEZ+J0NHZKWc+s8UYuV+ppXg/WD21RGr2KhxUKa4PZqB8h0YN7+XvwGAgQCIPnHOr73KImmxI5ZH9H1QsEcK3xeb+1VKR8dUXsPSG0UHne6wnsYCMhBJfFnjRnc+kGxiRl7fBPusxR3m9C0LgH17epXOOEGVo3"
27	"bO6CmPjYbrMqjbRCk8dcfRSLSizEek4ojgLAqx5Hn59dqsl7fg9TNaEKTgg3QO8Yq3AoJYotV7nap+U/XruTv8w9LRmoS+jQJ0pqQ8UHWOeX8JEl7D5WOSLFVidSpYiYzhz8bSuNxqWIganr6uGX6UrnhYMfEpnAWwPcd6L1pu1MsIBJGKLwmhXVUsYSpPlFkL2OrxKPbiz1CmyWeThALyOsbvMatE/ojmj9TUoTuEdcunpOetfir7eyWK9Yx"
28	"k+z6pSzH0jTO8JLIND8X8rdOpEeSPyMowAsZsbo9uXdcH6j2MUmh7nlqsCM3pjXIwwCnO4OxCQ3O89s/Xe/j1qLtdT3biDpAvoJehzO8UAy69aFTyjZESqTXQt/gUqPFm5prLWp8djWEUBAZxBZHxjwvDZdJ6VEDOZtKfjIHmxSzwtMrzLRm5BYurGYjYl+6sW1Ax5VZ4SENuWAZ2jKvRSmLdCWrMCAwEAAQ=="
29	)
30	_dmarc IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@kleen.consulting;ruf=mailto:postmaster@kleen.consulting"	25	_dmarc IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@kleen.consulting;ruf=mailto:postmaster@kleen.consulting"
31		26
32	_acme-challenge IN NS ns.yggdrasil.li.	27	_acme-challenge IN NS ns.yggdrasil.li.


diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa index 4c0c286c..208a89e4 100644 --- a/hosts/surtr/dns/zones/email.bouncy.soa +++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
1	$ORIGIN bouncy.email.	1	$ORIGIN bouncy.email.
2	$TTL 3600	2	$TTL 3600
3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (	3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
4	2026031402 ; serial	4	2026032100 ; serial
5	10800 ; refresh	5	10800 ; refresh
6	3600 ; retry	6	3600 ; retry
7	604800 ; expire	7	604800 ; expire
@@ -20,12 +20,7 @@ $TTL 3600
20	@ IN MX 0 mailin.bouncy.email.	20	@ IN MX 0 mailin.bouncy.email.
21	@ IN TXT "v=spf1 a:mailout.bouncy.email -all"	21	@ IN TXT "v=spf1 a:mailout.bouncy.email -all"
22		22
23	surtr._domainkey IN CNAME surtr._domainkey.yggdrasil.li.	23	$INCLUDE /var/lib/dkim/bouncy.email.txt
24	mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
25	"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAva2iS93SC+SjKdaJYWGf2wEsKxf1MTn6gKK/Gvg+9rnlCaothnaB5PfZj8TpWHFaFLnoOSQ73HwSM6+MjCNnGjcyEHa2dTFljvVAp4xLzFChps5r5dXZX+qarfzqvTjBr7B57PR2L+i/pl+OL+aYl7yM+mLH4VtrS5oxAQRPaIccYXuWqhtL4t51O4rUL2nRHcDAGs6W4O5ns+6tc"
26	"TXsZC9HBMLbOnr+vhY12aWC4cvZeRYSa1cf7NcRQYgDK+d1tOPZgJPc5nG3mZHx0DjjY9FwBxy3FeJI43aM+q5EW4PdNylqxVPUrajG11O7OZ/gVo1jBr1wQDw+Pluj+RnPTNMrIwL7sYcsPeXcFelQMzyubMChB72HnDOwVnEzGReUOx2OiKfFnukvA2V9Svv4YR6p4rLYGvPVr7+0HCk8ygVkt4p/cDcE7/gjZd8UcCVBCq6pamQFkGIZYg"
27	"hJFos6UgDdF+2W8FS2u3sAP0q7hhjMcmF/hJfOj1TdZizeNJE1x5xoq6fbn9j2+zgUiTYCQOOu02dWOZnQTGtQhhwllZ0qYgJrn6ZzANvCfoWKbw8ylfj9bg15QYlJAunaz4V3PnPz6uQvBj2yut08835M64vBcPspuOp49d5t4Y/59IdtsojDf4XN1RmDu4d/Zdt9hR4tHQVmdfYkUFjBp7KO3O8CAwEAAQ=="
28	)
29	_dmarc IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@bouncy.email;ruf=mailto:postmaster@bouncy.email"	24	_dmarc IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@bouncy.email;ruf=mailto:postmaster@bouncy.email"
30		25
31	_acme-challenge IN NS ns.yggdrasil.li.	26	_acme-challenge IN NS ns.yggdrasil.li.


diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa index 78d137bb..bf650a27 100644 --- a/hosts/surtr/dns/zones/li.141.soa +++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
1	$ORIGIN 141.li.	1	$ORIGIN 141.li.
2	$TTL 3600	2	$TTL 3600
3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (	3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
4	2025060701 ; serial	4	2026032101 ; serial
5	10800 ; refresh	5	10800 ; refresh
6	3600 ; retry	6	3600 ; retry
7	604800 ; expire	7	604800 ; expire
@@ -46,7 +46,7 @@ ymir IN MX 0 ymir.yggdrasil.li
46	ymir IN TXT "v=spf1 redirect=ymir.yggdrasil.li"	46	ymir IN TXT "v=spf1 redirect=ymir.yggdrasil.li"
47		47
48	ymir._domainkey IN CNAME ymir._domainkey.yggdrasil.li.	48	ymir._domainkey IN CNAME ymir._domainkey.yggdrasil.li.
49	surtr._domainkey IN CNAME surtr._domainkey.yggdrasil.li.	49	$INCLUDE /var/lib/dkim/141.li.txt
50		50
51	_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.	51	_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
52	_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.	52	_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.


diff --git a/hosts/surtr/dns/zones/li.kleen.soa b/hosts/surtr/dns/zones/li.kleen.soa index 5dd3e697..cfaaa1f1 100644 --- a/hosts/surtr/dns/zones/li.kleen.soa +++ b/hosts/surtr/dns/zones/li.kleen.soa
@@ -1,7 +1,7 @@
1	$ORIGIN kleen.li.	1	$ORIGIN kleen.li.
2	$TTL 3600	2	$TTL 3600
3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (	3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
4	2025060701 ; serial	4	2026032101 ; serial
5	10800 ; refresh	5	10800 ; refresh
6	3600 ; retry	6	3600 ; retry
7	604800 ; expire	7	604800 ; expire
@@ -28,7 +28,7 @@ $TTL 3600
28	_acme-challenge IN NS ns.yggdrasil.li.	28	_acme-challenge IN NS ns.yggdrasil.li.
29		29
30	ymir._domainkey IN CNAME ymir._domainkey.yggdrasil.li.	30	ymir._domainkey IN CNAME ymir._domainkey.yggdrasil.li.
31	surtr._domainkey IN CNAME surtr._domainkey.yggdrasil.li.	31	$INCLUDE /var/lib/dkim/kleen.li.txt
32		32
33	_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.	33	_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
34	_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.	34	_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.


diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa index 69479895..e69f764a 100644 --- a/hosts/surtr/dns/zones/li.yggdrasil.soa +++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
1	$ORIGIN yggdrasil.li.	1	$ORIGIN yggdrasil.li.
2	$TTL 3600	2	$TTL 3600
3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (	3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
4	2026010100 ; serial	4	2026032105 ; serial
5	10800 ; refresh	5	10800 ; refresh
6	3600 ; retry	6	3600 ; retry
7	604800 ; expire	7	604800 ; expire
@@ -46,7 +46,7 @@ surtr IN TXT "v=spf1 a:surtr.yggdrasil.li -all"
46	vpn IN A 185.243.10.86	46	vpn IN A 185.243.10.86
47	vpn IN AAAA 2a03:4000:20:259::	47	vpn IN AAAA 2a03:4000:20:259::
48		48
49	surtr._domainkey.surtr IN CNAME surtr._domainkey.yggdrasil.li.	49	mail._domainkey.surtr IN CNAME mail._domainkey.yggdrasil.li.
50	_dmarc.surtr IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@yggdrasil.li;ruf=mailto:postmaster@yggdrasil.li"	50	_dmarc.surtr IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@yggdrasil.li;ruf=mailto:postmaster@yggdrasil.li"
51		51
52	_acme-challenge.surtr IN NS ns.yggdrasil.li.	52	_acme-challenge.surtr IN NS ns.yggdrasil.li.
@@ -141,10 +141,7 @@ ymir._domainkey IN TXT (
141	"qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"	141	"qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
142	"7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="	142	"7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
143	)	143	)
144		144	$INCLUDE /var/lib/dkim/yggdrasil.li.txt
145	surtr._domainkey IN TXT ( "v=DKIM1;k=rsa;"
146	"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwEspNBXjTjPpCqSMkcBUJnSThqMcHwvDP3mOnv8wpDrGTN+1eJ1fzso5GHooGNt0kWHOpcoVwsMDIk81SR3zzNKYWqM40KvQ2ElNJqS5VDIfnxppiG9H5Nu3M7In5jv7OTSKsEi5eDzWqqvaHn6YjNQuKHQsJsAB1zUKoR1gqpvwJlV3tnhfQEl1O3qt0tG1c6JvgZ8R8szrk9"
147	"uNZzu90PDQY9UH4K1nu+INwlMgz9hzgJHIoNJOdB+1gmvnsI4MgmT/otxwKia/UoddN3Gcu7DO1gjFi5cwOA+zOgMnzzWUbys0Q3loCKp9EYgWUJQ9CCh5U4x4/GpV2VeEJ/0GYQIDAQAB" )
148		145
149	_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.	146	_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
150	_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.	147	_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.


diff --git a/hosts/surtr/dns/zones/org.praseodym.soa b/hosts/surtr/dns/zones/org.praseodym.soa index 2b97ca19..5bd627a4 100644 --- a/hosts/surtr/dns/zones/org.praseodym.soa +++ b/hosts/surtr/dns/zones/org.praseodym.soa
@@ -1,7 +1,7 @@
1	$ORIGIN praseodym.org.	1	$ORIGIN praseodym.org.
2	$TTL 3600	2	$TTL 3600
3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (	3	@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
4	2025060701 ; serial	4	2026032103 ; serial
5	10800 ; refresh	5	10800 ; refresh
6	3600 ; retry	6	3600 ; retry
7	604800 ; expire	7	604800 ; expire
@@ -33,7 +33,7 @@ surtr IN MX 0 ymir.yggdrasil.li
33	surtr IN TXT "v=spf1 redirect=yggdrasil.li"	33	surtr IN TXT "v=spf1 redirect=yggdrasil.li"
34		34
35	ymir._domainkey IN CNAME ymir._domainkey.yggdrasil.li.	35	ymir._domainkey IN CNAME ymir._domainkey.yggdrasil.li.
36	surtr._domainkey IN CNAME surtr._domainkey.yggdrasil.li.	36	$INCLUDE /var/lib/dkim/praseodym.org.txt
37		37
38	_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.	38	_xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
39	_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.	39	_xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.


diff --git a/hosts/surtr/email/ccert-policy-server/pyproject.toml b/hosts/surtr/email/ccert-policy-server/pyproject.toml index e93c910e..518bd4f9 100644 --- a/hosts/surtr/email/ccert-policy-server/pyproject.toml +++ b/hosts/surtr/email/ccert-policy-server/pyproject.toml
@@ -27,4 +27,4 @@ build-backend = "uv_build"
27		27
28	[tool.uv.build-backend]	28	[tool.uv.build-backend]
29	module-root = "."	29	module-root = "."
30	module-name = []	30	module-name = ["ccert_policy_server"]


diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 4c7af0c3..4243366c 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix
@@ -454,6 +454,8 @@ in {
454	milter = yes;	454	milter = yes;
455	timeout = 120s;	455	timeout = 120s;
456		456
		457	client_ca_name = "yggdrasil.li";
		458
457	upstream "local" {	459	upstream "local" {
458	default = yes;	460	default = yes;
459	self_scan = yes;	461	self_scan = yes;
@@ -491,6 +493,9 @@ in {
491	servers = "${config.services.redis.servers.rspamd.unixSocket}";	493	servers = "${config.services.redis.servers.rspamd.unixSocket}";
492	'';	494	'';
493	"dkim_signing.conf".text = ''	495	"dkim_signing.conf".text = ''
		496	enabled = true;
		497	allow_username_mismatch = true;
		498
494	path = "/var/lib/rspamd/dkim/$domain.key";	499	path = "/var/lib/rspamd/dkim/$domain.key";
495	selector = "mail";	500	selector = "mail";
496	'';	501	'';
@@ -514,6 +519,9 @@ in {
514	spam = true;	519	spam = true;
515	}	520	}
516	'';	521	'';
		522	"logging.inc".text = ''
		523	debug_modules = ["milter", "dkim_signing"];
		524	'';
517	# "redirectors.inc".text = ''	525	# "redirectors.inc".text = ''
518	# visit.creeper.host	526	# visit.creeper.host
519	# '';	527	# '';