author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-05-15 16:32:21 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-05-15 16:32:21 +0200 |
commit | 97a05b0837e27e8d73d3a16185fb07169de65d7b (patch) | |
tree | 947e9a97b05f99d65b7f2253e7b6db937bc239d2 /hosts/surtr | |
parent | 355b6d4ec02ad535b93ce314dd5734e8c6028dbc (diff) | |
surtr: ...
Diffstat (limited to 'hosts/surtr')
-rw-r--r-- | hosts/surtr/dns/default.nix | 2 | ||||
-rw-r--r-- | hosts/surtr/dns/keys/spm.bouncy.email_acme.yaml | 26 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/email.bouncy.soa | 8 | ||||
-rw-r--r-- | hosts/surtr/email/default.nix | 24 | ||||
-rw-r--r-- | hosts/surtr/tls/tsig_keys/spm.bouncy.email | 26 |
5 files changed, 83 insertions, 3 deletions
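--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -184,7 +184,7 @@ in {
 addACLs = { "rheperire.org" = ["ymir_acme_acl"]; };
 }
 { domain = "bouncy.email";
-acmeDomains = ["mailin.bouncy.email" "mailsub.bouncy.email" "imap.bouncy.email" "bouncy.email"];
+acmeDomains = ["mailin.bouncy.email" "mailsub.bouncy.email" "imap.bouncy.email" "spm.bouncy.email" "bouncy.email"];
 }
 ]}
 '';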
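Review bot: The added "spm.bouncy.email" entry is a second, hand-maintained copy of the domain list that hosts/surtr/email/default.nix now derives from `spmDomains` in the same commit; the two lists have to be edited together whenever an spm domain is added and nothing ties them to each other. If `spmDomains` can be shared between the two modules, derive this entry from it (`acmeDomains = [ ... ] ++ map (d: "spm.${d}") spmDomains;`); otherwise a comment on the line, `# keep in sync with spmDomains in ../email/default.nix`, at least makes the coupling visible. The enclosing list starts before the hunk.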
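--- /dev/null
+++ b/hosts/surtr/dns/keys/spm.bouncy.email_acme.yaml
@@ -0,0 +1,26 @@
+{
+"data": "ENC[AES256_GCM,data:I8Fc6jr7yq63KQNKP1LlnZFX/AXC15HK9+3hMHFvTrqpCOZ/Pg+N5Vw+QUy2MP4F4CTE7m7yPSrejqwHiMT7OUVvEbxywgwbT9JBN8YUVhorp5FcAMXoSWDFOxgzpQ3YRR+2FcRO7M6VbCFzp7yCQY9I7/OLWShUPZv9oEBI1LRtx9Zko4yMPRF895wvIqR50KHmvL4YQhPubIt4dozYi3yJSAKLLgBDVF64I+YactydP1LLpkq+JGb8DIYRwyGxFCxM3U+1wrkbSioR3Ut+Xw==,iv:46KiDfXa3eVewPDouUYOz7PenuwaRbOgbuSDmMTVBXs=,tag:DZphA+jv7FpYhW+spnFnIA==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": null,
+"lastmodified": "2022-05-15T13:16:43Z",
+"mac": "ENC[AES256_GCM,data:ctSwR9AUO7jcAto8H+qic4bZ14Zu3Vh/yH/TANLLDomEOcpfUjGneLO2mv5J4RM0O+G0mMULseqMXYWPYPAaXLz91ynkROoX76q/H+yf+mDBl7bfO/tzg8XmAZvQjtBCv7ctLY1OXe144uOoxeYfrM4Tv72K1dehEI/eJPCNIak=,iv:bwhXaEOJte0LmpKS0pQ4nLgrCrcmUNIqCdcrm6c/7b0=,tag:pzCYdGnYC8cPUL/h9V5z9w==,type:str]",
+"pgp": [
+{
+"created_at": "2022-05-15T13:16:43Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA8Qw/R0Q22h6YqOt3yLHzFH8ef5tc6oBNx+1lGtxOi3Qw\nEJko8z7Lv5DScheFgECls03rlt9HH7cmPnkQhUnqmfbyzYuosLVM+G0bswpu01ot\n0l4BNBsavoLAa68LFtJGBViM1kojb/UteeYC1cvq2TeXLNaQ90QmGnC6GJHZvzpi\n/u7Rl0DdGoagHrTtVKnNGtvOdwFYeG6iPRHl8Ko9D0HTkgW7dkJ77tw2Wqt0POjs\n=BhzO\n-----END PGP MESSAGE-----\n",
+"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+},
+{
+"created_at": "2022-05-15T13:16:43Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAFp33Ruo0AivhV6jjRzoZQvtexS5WEkeoKf4xjRjmKB8w\nRCCCUGiwg8+sz9q+T89QeV26yIQBFQR3kvoamPltW+VZfGuh3oPjl6NbL0MpGsr5\n0l4BDJgG7sIJRZokW0/pwdAJ0PZrKlPxtUoaorM//pLGd0eNbIUGlNT2Jcvsc3Z9\nIkMISOK4wcTj/KvCXfPsN0KiedEKYEj4pq80h1hIWu2910yicSKVNjfL7lARUgTk\n=qTBm\n-----END PGP MESSAGE-----\n",
+"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+}
+],
+"unencrypted_suffix": "_unencrypted",
+"version": "3.7.2"
+}
+}
\ No newline at end of file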
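--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-2022050600 ; serial
+2022051500 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -57,3 +57,9 @@ _acme-challenge.imap IN NS ns.yggdrasil.li.
 
 _imaps._tcp IN SRV 5 0 993 imap.bouncy.email.
 _sieve._tcp IN SRV 5 0 4190 imap.bouncy.email.
+
+spm IN A 202.61.241.61
+spm IN AAAA 2a03:4000:52:ada::
+spm IN MX 0 mailin.bouncy.email.
+spm IN TXT "v=spf1 redirect=bouncy.email"
+_acme-challenge.spm IN NS ns.yggdrasil.li.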
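Review bot: The new `spm IN MX 0 mailin.bouncy.email.` record in the second hunk advertises the subdomain as a mail destination, but nothing visible in this commit adds spm.bouncy.email to the set of domains the mail server accepts mail for — the hosts/surtr/email/default.nix change appears to register only a certificate and an nginx host. If acceptance is configured elsewhere, a comment above the record naming where (`; mail for spm is accepted by <config location>`) would make that dependency visible; if it is not, inbound mail to the subdomain will be refused at mailin. SPF is published for spm but no `_dmarc.spm` TXT record appears in the hunk; unless the parent domain's DMARC record covers subdomains via `sp=`, a policy for spm would complete the anti-spoofing setup the SPF record starts.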
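--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -19,6 +19,8 @@ let
 done
 '';
 };
+
+spmDomains = ["bouncy.email"];
 in {
 config = {
 nixpkgs.overlays = [
@@ -567,7 +569,7 @@ in {
 "mailsub.bouncy.email" = {};
 "imap.bouncy.email" = {};
 "surtr.yggdrasil.li" = {};
-};
+} // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
 
 systemd.services.postfix = {
 serviceConfig.LoadCredential = [
@@ -597,5 +599,25 @@ in {
 ];
 };
 };
+
+services.nginx.virtualHosts = listToAttrs (map (domain: nameValuePair "spm.${domain}" {
+forceSSL = true;
+sslCertificate = "/run/credentials/nginx.service/spm.${domain}.pem";
+sslCertificateKey = "/run/credentials/nginx.service/spm.${domain}.key.pem";
+extraConfig = ''
+ssl_stapling off;
+ssl_verify_client on;
+ssl_client_certificate ${toString ./ca/ca.crt};
+'';
+locations."/".extraConfig = ''
+default_type text/plain;
+return 200 "$ssl_client_verify $ssl_client_s_dn ${domain}";
+'';
+}) spmDomains);
+
+systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
+"spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"
+"spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"
+]) spmDomains;
 };
 }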
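Review bot: The nginx virtual host added in the third hunk requires a client certificate chained to ./ca/ca.crt (`ssl_verify_client on;`) but configures no `ssl_crl`, so a client certificate that has been compromised or retired keeps being accepted until it expires. If the CA maintains a revocation list, add `ssl_crl <path to the CA's CRL — placeholder>;` next to `ssl_client_certificate`; if revocation is deliberately handled by short certificate lifetimes instead, a comment saying so above the `extraConfig` block would record that decision. Two smaller documentation points in the same block: `ssl_stapling off;` is set without a reason, and `$ssl_client_verify` in the 200 body should only ever read SUCCESS once `ssl_verify_client on` has rejected every other request, so a comment noting that the echo is informational rather than a check would stop a reader from treating it as one.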
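--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/spm.bouncy.email
@@ -0,0 +1,26 @@
+{
+"data": "ENC[AES256_GCM,data:FAmXBSqf90a4TtxaZMjoEf/uflHc5KlzsfaVovYfg4hKLhzlsz9Skt0AATFa,iv:abl3DpIVLPk9sP0G3h/VLT8dtYBuAHP7ojo4me5OnN8=,tag:TFo3ynEetXEV5rkC5uaWaQ==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": null,
+"lastmodified": "2022-05-15T13:17:01Z",
+"mac": "ENC[AES256_GCM,data:/iqvcLW489vCFnTyVldH9IniRZ1cSavzoAqpkTtVT12ur9vIC9H38psHypgMRqSCrMTciispQM/gLTHFkUxMEFlm44zEbcsI2krJaB+PV+LGy+1gpJksD7JLQp+o5jCHB3CcY8pEk1NaCLMxekJbOj2Kd3LYnMHXk87LOdI9cfk=,iv:m20mpovM6sjDYeuCdRSCEUDz0/orhLlKYLsenxshl6g=,tag:3XaAxA4B2rN3ugLUTlA6tA==,type:str]",
+"pgp": [
+{
+"created_at": "2022-05-15T13:17:01Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAVKePqPnN7JgcDtSPrtJw+1Zdkf/fQwzxfq4WC+lPzhEw\nSJSOsfh2jv3z2SmbYPCpi+T2Gu12C5rBwP6FeB3s8IZpNs/+8oxflG2gH2xtAPmd\n0lwB1gaDej+yLf1GmVLI3e6aSa5WsWEmDgj8jcsjUqp2Ws2LYlTcyDZvhyd1G4RN\n2G6k8TjdKnTsrXHVqwTKdYtND6U8Bh6wqXFhFWNvqFc8wtrXcz8Nfx//gbQGdA==\n=vu0v\n-----END PGP MESSAGE-----\n",
+"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+},
+{
+"created_at": "2022-05-15T13:17:01Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAaeTRfIyydnIVadNeupg2ZyNyS+j6wuvaIrhLgFyNui0w\ntGLO4P7iVXgyWQXRfowRzJPBrDvfE2P8mLTwH4nXVtpILZuZsoASMdmy5Fasc3eh\n0lwBIiucRLpz24kquPzeS0mN8gQ63Cfk5jmc3lI65g2yxmVNhkdNH7V8tk/h0lHZ\nPASmxnPxNfPTBJYYQki+vBWOgqLm0S5W24nRDAUrHWdPprj1Umej7/vg6Edx5A==\n=N8cz\n-----END PGP MESSAGE-----\n",
+"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+}
+],
+"unencrypted_suffix": "_unencrypted",
+"version": "3.7.2"
+}
+}
\ No newline at end of file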