diff options
| -rw-r--r-- | hosts/surtr/dns/default.nix | 3 | ||||
| -rw-r--r-- | hosts/surtr/dns/keys/imap.kleen.consulting_acme.yaml | 26 | ||||
| -rw-r--r-- | hosts/surtr/dns/keys/kleen.consulting_acme.yaml | 26 | ||||
| -rw-r--r-- | hosts/surtr/dns/keys/mailin.kleen.consulting_acme.yaml | 26 | ||||
| -rw-r--r-- | hosts/surtr/dns/keys/mailsub.kleen.consulting_acme.yaml | 26 | ||||
| -rw-r--r-- | hosts/surtr/dns/keys/mta-sts.kleen.consulting_acme.yaml | 26 | ||||
| -rw-r--r-- | hosts/surtr/dns/zones/consulting.kleen.soa | 73 | ||||
| -rw-r--r-- | hosts/surtr/email/default.nix | 52 | ||||
| -rw-r--r-- | hosts/surtr/http/default.nix | 17 | ||||
| -rw-r--r-- | hosts/surtr/http/webdav/default.nix | 29 | ||||
| -rw-r--r-- | hosts/surtr/tls/default.nix | 2 | ||||
| -rw-r--r-- | hosts/surtr/tls/tsig_keys/imap.kleen.consulting | 26 | ||||
| -rw-r--r-- | hosts/surtr/tls/tsig_keys/kleen.consulting | 26 | ||||
| -rw-r--r-- | hosts/surtr/tls/tsig_keys/mailin.kleen.consulting | 26 | ||||
| -rw-r--r-- | hosts/surtr/tls/tsig_keys/mailsub.kleen.consulting | 26 | ||||
| -rw-r--r-- | hosts/surtr/tls/tsig_keys/mta-sts.kleen.consulting | 26 |
16 files changed, 401 insertions, 35 deletions
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index e0637b3b..fbfec256 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix | |||
| @@ -189,6 +189,9 @@ in { | |||
| 189 | { domain = "bouncy.email"; | 189 | { domain = "bouncy.email"; |
| 190 | acmeDomains = ["mailin.bouncy.email" "mailsub.bouncy.email" "imap.bouncy.email" "spm.bouncy.email" "mta-sts.bouncy.email" "bouncy.email"]; | 190 | acmeDomains = ["mailin.bouncy.email" "mailsub.bouncy.email" "imap.bouncy.email" "spm.bouncy.email" "mta-sts.bouncy.email" "bouncy.email"]; |
| 191 | } | 191 | } |
| 192 | { domain = "kleen.consulting"; | ||
| 193 | acmeDomains = ["mailin.kleen.consulting" "mailsub.kleen.consulting" "imap.kleen.consulting" "mta-sts.kleen.consulting" "kleen.consulting"]; | ||
| 194 | } | ||
| 192 | ]} | 195 | ]} |
| 193 | ''; | 196 | ''; |
| 194 | }; | 197 | }; |
diff --git a/hosts/surtr/dns/keys/imap.kleen.consulting_acme.yaml b/hosts/surtr/dns/keys/imap.kleen.consulting_acme.yaml new file mode 100644 index 00000000..37a94693 --- /dev/null +++ b/hosts/surtr/dns/keys/imap.kleen.consulting_acme.yaml | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:t7xEYLesuzkfihA3sVd7Q+0QxZDsJd3qrIHmoqGsYuXO19Ae1pyEJyMfEYe09bxCaFStah1OMoL0ZdalzDBztfPj1f8Rn2270Yft+1i5qLOawKeTG7NUD00DPUfAxtwjxxr/fpxPLryI32hRwJ7lTTibZDVGN2dLTgsYCHiZcaWTTi9ZW2W1WGGEF3EMYsId2AIa00e1aX8xxauemoCtnEoyHzfJHiTBhJwQE10YzmY0yvTGtJySfNVRFqYnoJWaBS7Qt1FbpUcv2Pd9ZqU3immYZJY0og2+Mts=,iv:IuOgRaV8qm7vRg27psvKvUYaaYtecOo2WW74G5+6Ddg=,tag:sWZ0Qyk21mSg0Ze8ZisS1A==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": null, | ||
| 9 | "lastmodified": "2022-12-27T14:23:03Z", | ||
| 10 | "mac": "ENC[AES256_GCM,data:EE1byrlNG3y+62hcdTlC2R5s1Q9FJvzpbT8yVIZfaXpK8V/0BUZo3oNfiv43qGeSXBda58XQ0a+WEhoW0PETHZEKwqDMcOwkB/39JRInIIjy4AO73gq+8Q2f0Uz4vFWJszPbuc1Sx/2zPcqjN8r53pG8dAnAtpIxJHBmDBlRp78=,iv:SZOzFjdRdhGKDkg10lM5EeF/1LzVbVL78PCg6+x0nvo=,tag:m4yyLcjMz6yuTEU1HQyzcw==,type:str]", | ||
| 11 | "pgp": [ | ||
| 12 | { | ||
| 13 | "created_at": "2022-12-27T14:23:03Z", | ||
| 14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAzgKPZSReVLFxDv5FrRDVvrN/KuaJtilnbXiunrbjj0Qw\nJrhb9u9CEfSbw2Awr893DssCEmBsmcgJsu2tO+WYJLLl9EMqiv/a3BUxP7EdSi4A\n0l4B6dplMxktqE9CTSxO/H2WNYobng32PxfIHtQUfdg/E66QJuKR6pj6ExmITTOV\nlkBfyTOoPreKI5+cdy8hBGH4/5Mfga88UTrB+lk0kXog6s/QaXPz2HDlPDw3gTZq\n=h4Vw\n-----END PGP MESSAGE-----\n", | ||
| 15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
| 16 | }, | ||
| 17 | { | ||
| 18 | "created_at": "2022-12-27T14:23:03Z", | ||
| 19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdABNXiiUHXBlVqB/44Z7CkjkJ8BJrp3XfsdFKCU4EClTww\n6kNZVhi3zk5WJo2Rs5FL/8tyAXzzwGF/9nGiN/91Rk+KUW3poXO/ENkxoEacyXqT\n0l4B+4VSajdP7MDVw0x48xr/D6qobx4rsBVrT1YX/YtSWymF3/ytddgVxqAyysWC\nQONCydTfRn0jBAjyLu3+e10zZ961WYxe1Nq5hJZR+BiJ0m/FjU1Z4ukebyOG1ks+\n=MyJj\n-----END PGP MESSAGE-----\n", | ||
| 20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
| 21 | } | ||
| 22 | ], | ||
| 23 | "unencrypted_suffix": "_unencrypted", | ||
| 24 | "version": "3.7.3" | ||
| 25 | } | ||
| 26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/dns/keys/kleen.consulting_acme.yaml b/hosts/surtr/dns/keys/kleen.consulting_acme.yaml new file mode 100644 index 00000000..443533ca --- /dev/null +++ b/hosts/surtr/dns/keys/kleen.consulting_acme.yaml | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:hve7CwUKajPdbRYUnd58j4+MkJWk3Vr2cNxmFJ+E1cUtRlQF3UeOBaZ2a+yDXJrTwtw4tw7+by+ZQ8HUJ0Z7LTE7mx/EQ/FMMyQEopvPgaBjDk9xmWVe4JJsO6w31Hpl1Niu49TQyCakptvgTHs3cFUYFBTNTJeYAZuDq3BvZ5Hagr8UKiGcyu3jCaohPYqFZuRhhasnpF5kLQ5m8oP78iyKx+kuqUoryrP0atkveB9VGH2obVlRRrMQkE7VTlM3UNGl1TjmV6W+XPcWnQp2BQ==,iv:eiYnWiBCgGzDCXgREDg1sHzQhKpel8zb8MMQUOGSLFU=,tag:VKowaUlQ8zxR1OVHwAa8Zw==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": null, | ||
| 9 | "lastmodified": "2022-12-27T14:22:55Z", | ||
| 10 | "mac": "ENC[AES256_GCM,data:7HS406wQjJAkjJ/nessmXyYjSZUvvt3c+rh6g1DGY5Qx4OiMjsqtPdKqwyd8GflaHOwveXYl+l3Ws3hqvVItIWUscrA8YRVuvvLiXNHTOJ35I1xpfOfrJR6R4GjncZ3NLn/uXmT88Rd+5wyVzxG/NSajEX6vRFfJMH1YIZzvJIY=,iv:camTYTuw/huEsNkPudN7ZZPb36rRdIdqVvqhqwVY9y8=,tag:lzAjBUzyok6W7rWxKARs5g==,type:str]", | ||
| 11 | "pgp": [ | ||
| 12 | { | ||
| 13 | "created_at": "2022-12-27T14:22:54Z", | ||
| 14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAjPnl2v4+xAwAupY8EA94bLsHr0TxTrzos3xpUWzsMy4w\n2D0uNr0+NPuOqMD0psr+Mv/WfDW1SMhHcK9sa5Y0JEmdLg3jBUFrUInyqdYGj8j5\n0lwBcsyp7uvsMDbQHYzrX7Zz3Fo5NInZtgwyAAVoLZTzXTOj7U/mGpl0WFf+7t+6\nfPkp4b1DeORFrgkggciZy9fGqac7eLLn2fcqdXqDFcE2TIk7Ahtf52Y8TbHMRQ==\n=/D9Q\n-----END PGP MESSAGE-----\n", | ||
| 15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
| 16 | }, | ||
| 17 | { | ||
| 18 | "created_at": "2022-12-27T14:22:54Z", | ||
| 19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdApyLDGhMx8Ie5VncLqBa6qOed4Fq9gGXZN+/Y1nlRQBgw\n+8PmRdb+7xggzDcyzdOB9cYfYB1XBj9x7JhjK3O2U1Pclcr0d9G4/AsMm5CJa8cm\n0lwBxpCBkK5GQTNJ8SHEaY+EEmDnTWf+9Fe8yU+bMumq8FX03E2MVj3TX9TIXfpi\nFwF/nlov3ecpG7IYT1tsd5AsXvZcA3l1//o0Xr24ck8qDaWvuEu/y1dvUzTUQQ==\n=EUFK\n-----END PGP MESSAGE-----\n", | ||
| 20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
| 21 | } | ||
| 22 | ], | ||
| 23 | "unencrypted_suffix": "_unencrypted", | ||
| 24 | "version": "3.7.3" | ||
| 25 | } | ||
| 26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/dns/keys/mailin.kleen.consulting_acme.yaml b/hosts/surtr/dns/keys/mailin.kleen.consulting_acme.yaml new file mode 100644 index 00000000..13bfe96e --- /dev/null +++ b/hosts/surtr/dns/keys/mailin.kleen.consulting_acme.yaml | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:6oOxLQ4chP/DRzs7DImi/kx4R86JLrjgtCyqSPn75HJMxVntcxkJDYIkDtIbvqdvCGDoYsMD0RfZy8hRTO+t76R0WPW160Z5XHuKFvLl5to/xgfb4fHZKby7paYdGScPho8kszQnFKEaM78JpkVWxqYq3sl620unkw4H6QZR4fMmEzaZWKAu2tjTn0Ytl+9fj9mwmWZRJXtqby2MQP3xbVhFuLgLWI/15S1wygbX7ORlnmZvWunKpH/D6m109Xxo8IRfpApPwYlnZw79rMse/4QYUDT/ekeeE/4RTAwC,iv:uqz5Yp7BpxQFg14swjNS5yvW2xH4HUFbZwKGoTVXrIE=,tag:RiBW3FbSsy1D2JYyK5kTIg==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": null, | ||
| 9 | "lastmodified": "2022-12-27T14:23:02Z", | ||
| 10 | "mac": "ENC[AES256_GCM,data:Hm7dawU5Gw9Fm2ERSfaX97q6ia6iw999qofUIWAznEQSqeat8n6cGxiVsXU2scG1LYHUvtyGowFZ9KIbRBXSr1DootH5BzHYqP7Fh3/kKIgk2VToKqr2fUTcjQz0vSxJq9gdIeUpX68qLBptJJYbMtnk0tZUVMcXExiqIHB/9hA=,iv:W4WX0J0jXzixLFBnzvEv/p7Ockv5O7hf/x6WgoIRNTw=,tag:N6zfewA0bIIR3UVqRlUOqA==,type:str]", | ||
| 11 | "pgp": [ | ||
| 12 | { | ||
| 13 | "created_at": "2022-12-27T14:23:02Z", | ||
| 14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAxGlaM4KVKBdUNjCIY1uBXJgRJhPBOoZTjZ1fntNXwU4w\nu82oB1vDeIzdDtRqvA6iv5QHV7MOAgv9hVtQemiDAjzrhUlzGkw/TGzmmbfhKbtB\n0l4B+HNbxNOqimYxBNHeJeeTAgPU3lu1AI8bDbQqpIyp7WXJ5nuxPKWxFgSEPgqX\nXRdNgardnV4XElgascQdvN7aGgb9qTXu/5lp/4btQ2PdO1at9io7RsE7tvJWKno0\n=lMzD\n-----END PGP MESSAGE-----\n", | ||
| 15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
| 16 | }, | ||
| 17 | { | ||
| 18 | "created_at": "2022-12-27T14:23:02Z", | ||
| 19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAs4KR4Eed6EPThcPa8ngRTwuj048jtx4o7Bpg18SF/iIw\nih5u3V1RtclZeee/q4fsckoJeenIUGp0YzUUqligWALbxTwyPwJzHQX9yovTtkbR\n0l4BHtPvjbTmb3agauGVPS/xrBJDLu408mrQ6jTE61XwMVeNYwHGo5+FVvNq6xpl\nlRtgKHHrjJ35+1BBZ4tKKrnx3OskdAE9f/ZpNfF2/jPVtJystjOp01sGhpfMD4Nz\n=XbgW\n-----END PGP MESSAGE-----\n", | ||
| 20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
| 21 | } | ||
| 22 | ], | ||
| 23 | "unencrypted_suffix": "_unencrypted", | ||
| 24 | "version": "3.7.3" | ||
| 25 | } | ||
| 26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/dns/keys/mailsub.kleen.consulting_acme.yaml b/hosts/surtr/dns/keys/mailsub.kleen.consulting_acme.yaml new file mode 100644 index 00000000..5c5fe95f --- /dev/null +++ b/hosts/surtr/dns/keys/mailsub.kleen.consulting_acme.yaml | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:ef1zV1ci2IDU/lo+EzyyFknDTvGt1z8XYbdaY2zu0H5FxXk5IfKZdnM51zKgHLUy3Rx70tAgNYvWFaeaxCLT+MpTKAZqvf9bfcVweWy3lzSpva5NRRFxHppLfUt+PPyD/6DpxtHh1K61qfdWUb84Hz9X87urzJKLVWjj/4Djy96gjv9AlfOuUVMd/rpzL6zPxaISBMuG7IQMoEQBoRruMkjZFf0ZYX2S1b43h+IYjzO6ax6wHUgdDK/OBEKC6nnhp/+AcDgpDq0wpdcsTDxL2QeqJSvBoFXdJy3XVAtF2+U=,iv:PYokWslsh62z/A0ovueEKmp4Ft7zczPlUsTbHaP3464=,tag:9tf3gtmo9ps/TR6RWwAIhg==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": null, | ||
| 9 | "lastmodified": "2022-12-27T14:23:02Z", | ||
| 10 | "mac": "ENC[AES256_GCM,data:e9KCj4IT+JozPfGGI+6h9l2XzIp+X4GWd2eJaJtvkh1AwrGeMHrOsODSed7VrXvEphWdp6lpur6RLjRpOjfjYx2pLvSmwlzEmPMNEdXsqUOZ9TBcfvr0GNS9jjqODigZdkV9xk4ewTHUu/mHI+E1YaVvvmxdtY5J5OxPSfp3v1k=,iv:nMU/9cksmCYI3gDqajZgrOJiK/XUMnj/xbxpceHQSVc=,tag:fDnEQC8LGvwQkK3yT/j93A==,type:str]", | ||
| 11 | "pgp": [ | ||
| 12 | { | ||
| 13 | "created_at": "2022-12-27T14:23:02Z", | ||
| 14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAKR2IFELTa7fiOCfmNK/LQpubb6nfsckcjRI3SkCCTzAw\nEXQlE3uffl5nS5asRHClbAlqMjJ8VUu6rRFn5CA9WE4WRhMwyb43OGjfbq/XZ3Qd\n0l4Bt8aFVuG9qABrJz0Af0fxbMkudvAYfrOYC3xBRRXplfT9C1nsequ8iB3p6P4U\nHPOa8C+x2Nxcdj3LQb5Y9wZPxPFe83FOeZsc4NU8Owyg2JHd4+WZwb/GlsEoyzPd\n=++pf\n-----END PGP MESSAGE-----\n", | ||
| 15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
| 16 | }, | ||
| 17 | { | ||
| 18 | "created_at": "2022-12-27T14:23:02Z", | ||
| 19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAQA9FxCaP4DlenocEO1QjHxHml29D3Z4Z+kc+j8y8czYw\nLgPW/609sH8154aQ9RetBTKExT6rfztU+mz51lTDt+26Ob5ubTQkupiJW6jLjQ0l\n0l4BNKCAh3wbq8UZrSAAGlAIND2sdln/AgCW1u6Is79kbTOiio3lTz0ANpeex34Q\nmgdAnT4cjMmFUND4DUBjY132VZAO6Mm8hUq/cwLPq30Hw96ziqqKA7QvV/DJTrTy\n=voja\n-----END PGP MESSAGE-----\n", | ||
| 20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
| 21 | } | ||
| 22 | ], | ||
| 23 | "unencrypted_suffix": "_unencrypted", | ||
| 24 | "version": "3.7.3" | ||
| 25 | } | ||
| 26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/dns/keys/mta-sts.kleen.consulting_acme.yaml b/hosts/surtr/dns/keys/mta-sts.kleen.consulting_acme.yaml new file mode 100644 index 00000000..fb11861d --- /dev/null +++ b/hosts/surtr/dns/keys/mta-sts.kleen.consulting_acme.yaml | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:23qTQLFAPxPZoyZTzWRO7FUiaJqX4OqPibgo7vwf8xMHxY4+f40CJIsPzqxY++2ibJTOdazIHrA4qc5DYXU+CQyaUgLOJR1TDlqYvOh0b3OW44dJxKrFN2SAHHLOrOlYl5lG8wJBfY6Wlimu5lPAwVLe3T3J9sjVsyC5cq2x3UZHXN0sQuo8D1xuQKW+Mnjk7Ps63XC6dmhT3T6lsZiYgaZD15MNCVrhyHZIJ0gVJiqbwF/JFWN9fngpzYjoP+P2p5X3L8ny8+wPQ8Asfx49FF6ulMr1TXrDAn4ulGSmQUU=,iv:PGSTIaRbBfd9HDN9GY/rpCwByJ3hWohDs4TC3BApSB0=,tag:eOSnZBplKoNXbuinQ7SOjw==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": null, | ||
| 9 | "lastmodified": "2022-12-27T14:23:03Z", | ||
| 10 | "mac": "ENC[AES256_GCM,data:5pc74n2LKOcmkEam04IsaoXsbihL9GeT37N51OH8tL7kBKARebdp4U+/ZALnCWlmlnTwvW1mqIxIamQlITITfPXIfa+oKjB8ywNnvG0EMYSYSfnebjstpz7GqyFJfNMh7nDXm9VdoJktsnzzLDD+iwfIpsfFSkqyJkY92gThuds=,iv:nO4XyZACLjj6V2URqbOBRYlHPuKFlI+B07xq5SPgaIo=,tag:s/4D5K8+SiLCACTwG1Woxg==,type:str]", | ||
| 11 | "pgp": [ | ||
| 12 | { | ||
| 13 | "created_at": "2022-12-27T14:23:03Z", | ||
| 14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAPNnBI8+RdSV2BArAqqBQZ2AEjkrvKtl9KA/ZUyEqJyEw\nykVNwIOFa/LkWGojkbuozkvAaZnLaHVq90dAtGmeapfshTwocHWQrwYUpsDKpg86\n0l4BmfY8MR35TAzi8PLN/twTwKJGeuqaelNF8pYA6cLTqfMOCwTBqzq/GxvtLmOC\nfGG0WfktIVqJ2dsg/GSUaef86R4coq4RbzSZ48+9wCqM0M2PXz/ZjoTesmNSpGJU\n=WW0d\n-----END PGP MESSAGE-----\n", | ||
| 15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
| 16 | }, | ||
| 17 | { | ||
| 18 | "created_at": "2022-12-27T14:23:03Z", | ||
| 19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAysI9J0A1cdISPE6qONk2wGbgmub7Kc5an4XVWUj0vUow\nZW3RIBQXwTDyrcWjGDeoxK4k/2uWCuDWcUUKtiNtitQioaq1RLPrHACKRbfJQrX8\n0l4BzrBvz6FmTFVCgrK9+knE+VxOCkYRKR9qE6OI5I8gLGTeF2HOkxQCtC3ibbEX\nTmvUh88riy613MWe8RbgNgpLINOkBa7ifkUenoDuDbZ5FvcKNzNSv25lYewPFbaz\n=rds+\n-----END PGP MESSAGE-----\n", | ||
| 20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
| 21 | } | ||
| 22 | ], | ||
| 23 | "unencrypted_suffix": "_unencrypted", | ||
| 24 | "version": "3.7.3" | ||
| 25 | } | ||
| 26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/dns/zones/consulting.kleen.soa b/hosts/surtr/dns/zones/consulting.kleen.soa new file mode 100644 index 00000000..605924b4 --- /dev/null +++ b/hosts/surtr/dns/zones/consulting.kleen.soa | |||
| @@ -0,0 +1,73 @@ | |||
| 1 | $ORIGIN kleen.consulting. | ||
| 2 | $TTL 3600 | ||
| 3 | @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( | ||
| 4 | 2022122701 ; serial | ||
| 5 | 10800 ; refresh | ||
| 6 | 3600 ; retry | ||
| 7 | 604800 ; expire | ||
| 8 | 3600 ; min TTL | ||
| 9 | ) | ||
| 10 | |||
| 11 | IN NS ns.yggdrasil.li. | ||
| 12 | IN NS ns.inwx.de. | ||
| 13 | IN NS ns2.inwx.de. | ||
| 14 | IN NS ns3.inwx.eu. | ||
| 15 | |||
| 16 | @ IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01" | ||
| 17 | @ IN CAA 128 iodef "mailto:hostmaster@kleen.consulting" | ||
| 18 | |||
| 19 | @ IN A 202.61.241.61 | ||
| 20 | @ IN AAAA 2a03:4000:52:ada:: | ||
| 21 | @ IN MX 0 mailin.kleen.consulting. | ||
| 22 | @ IN TXT "v=spf1 a:mailout.kleen.consulting -all" | ||
| 23 | |||
| 24 | surtr._domainkey IN CNAME surtr._domainkey.yggdrasil.li. | ||
| 25 | _dmarc IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@kleen.consulting;ruf=mailto:postmaster@kleen.consulting" | ||
| 26 | |||
| 27 | _acme-challenge IN NS ns.yggdrasil.li. | ||
| 28 | |||
| 29 | * IN A 202.61.241.61 | ||
| 30 | * IN AAAA 2a03:4000:52:ada:: | ||
| 31 | * IN MX 0 mailin.kleen.consulting. | ||
| 32 | * IN TXT "v=spf1 redirect=kleen.consulting" | ||
| 33 | |||
| 34 | mailout IN A 202.61.241.61 | ||
| 35 | mailout IN AAAA 2a03:4000:52:ada:: | ||
| 36 | mailout IN MX 0 mailin.kleen.consulting. | ||
| 37 | mailout IN TXT "v=spf1 redirect=kleen.consulting" | ||
| 38 | |||
| 39 | mailin IN A 202.61.241.61 | ||
| 40 | mailin IN AAAA 2a03:4000:52:ada:: | ||
| 41 | mailin IN MX 0 mailin.kleen.consulting. | ||
| 42 | mailin IN TXT "v=spf1 redirect=kleen.consulting" | ||
| 43 | _acme-challenge.mailin IN NS ns.yggdrasil.li. | ||
| 44 | |||
| 45 | ; _25._tcp.mailin IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 | ||
| 46 | ; _25._tcp.mailin IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 | ||
| 47 | ; _25._tcp.mailin IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d | ||
| 48 | ; _25._tcp.mailin IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 | ||
| 49 | |||
| 50 | mailsub IN A 202.61.241.61 | ||
| 51 | mailsub IN AAAA 2a03:4000:52:ada:: | ||
| 52 | mailsub IN MX 0 mailin.kleen.consulting. | ||
| 53 | mailsub IN TXT "v=spf1 redirect=kleen.consulting" | ||
| 54 | _acme-challenge.mailsub IN NS ns.yggdrasil.li. | ||
| 55 | |||
| 56 | _submissions._tcp IN SRV 5 0 465 mailsub.kleen.consulting. | ||
| 57 | |||
| 58 | imap IN A 202.61.241.61 | ||
| 59 | imap IN AAAA 2a03:4000:52:ada:: | ||
| 60 | imap IN MX 0 mailin.kleen.consulting. | ||
| 61 | imap IN TXT "v=spf1 redirect=kleen.consulting" | ||
| 62 | _acme-challenge.imap IN NS ns.yggdrasil.li. | ||
| 63 | |||
| 64 | _imaps._tcp IN SRV 5 0 993 imap.kleen.consulting. | ||
| 65 | _sieve._tcp IN SRV 5 0 4190 imap.kleen.consulting. | ||
| 66 | |||
| 67 | _mta-sts IN TXT "v=STSv1; id=2022100600" | ||
| 68 | _smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:postmaster@kleen.consulting" | ||
| 69 | mta-sts IN A 202.61.241.61 | ||
| 70 | mta-sts IN AAAA 2a03:4000:52:ada:: | ||
| 71 | mta-sts IN MX 0 mailin.kleen.consulting. | ||
| 72 | mta-sts IN TXT "v=spf1 redirect=kleen.consulting" | ||
| 73 | _acme-challenge.mta-sts IN NS ns.yggdrasil.li. | ||
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 80611c3c..22790fbb 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix | |||
| @@ -112,6 +112,11 @@ in { | |||
| 112 | mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem | 112 | mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem |
| 113 | mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.full.pem | 113 | mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.full.pem |
| 114 | .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem | 114 | .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem |
| 115 | |||
| 116 | kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem | ||
| 117 | mailin.kleen.consulting /run/credentials/postfix.service/mailin.kleen.consulting.full.pem | ||
| 118 | mailsub.kleen.consulting /run/credentials/postfix.service/mailsub.kleen.consulting.full.pem | ||
| 119 | .kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem | ||
| 115 | ''}''; | 120 | ''}''; |
| 116 | 121 | ||
| 117 | smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix"; | 122 | smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix"; |
| @@ -278,6 +283,7 @@ in { | |||
| 278 | separator = "+"; | 283 | separator = "+"; |
| 279 | excludeDomains = [ "surtr.yggdrasil.li" | 284 | excludeDomains = [ "surtr.yggdrasil.li" |
| 280 | ".bouncy.email" "bouncy.email" | 285 | ".bouncy.email" "bouncy.email" |
| 286 | ".kleen.consulting" "kleen.consulting" | ||
| 281 | ]; | 287 | ]; |
| 282 | }; | 288 | }; |
| 283 | 289 | ||
| @@ -285,7 +291,7 @@ in { | |||
| 285 | enable = true; | 291 | enable = true; |
| 286 | user = "postfix"; group = "postfix"; | 292 | user = "postfix"; group = "postfix"; |
| 287 | socket = "local:/run/opendkim/opendkim.sock"; | 293 | socket = "local:/run/opendkim/opendkim.sock"; |
| 288 | domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email"]}''; | 294 | domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email" "kleen.consulting"]}''; |
| 289 | selector = "surtr"; | 295 | selector = "surtr"; |
| 290 | configFile = builtins.toFile "opendkim.conf" '' | 296 | configFile = builtins.toFile "opendkim.conf" '' |
| 291 | Syslog true | 297 | Syslog true |
| @@ -432,6 +438,15 @@ in { | |||
| 432 | ssl_key = </run/credentials/dovecot2.service/bouncy.email.key.pem | 438 | ssl_key = </run/credentials/dovecot2.service/bouncy.email.key.pem |
| 433 | } | 439 | } |
| 434 | 440 | ||
| 441 | local_name imap.kleen.consulting { | ||
| 442 | ssl_cert = </run/credentials/dovecot2.service/imap.kleen.consulting.pem | ||
| 443 | ssl_key = </run/credentials/dovecot2.service/imap.kleen.consulting.key.pem | ||
| 444 | } | ||
| 445 | local_name kleen.consulting { | ||
| 446 | ssl_cert = </run/credentials/dovecot2.service/kleen.consulting.pem | ||
| 447 | ssl_key = </run/credentials/dovecot2.service/kleen.consulting.key.pem | ||
| 448 | } | ||
| 449 | |||
| 435 | ssl_require_crl = no | 450 | ssl_require_crl = no |
| 436 | ssl_verify_client_cert = yes | 451 | ssl_verify_client_cert = yes |
| 437 | 452 | ||
| @@ -651,12 +666,17 @@ in { | |||
| 651 | }; | 666 | }; |
| 652 | 667 | ||
| 653 | security.acme.domains = { | 668 | security.acme.domains = { |
| 669 | "surtr.yggdrasil.li" = {}; | ||
| 654 | "bouncy.email" = {}; | 670 | "bouncy.email" = {}; |
| 655 | "mailin.bouncy.email" = {}; | 671 | "mailin.bouncy.email" = {}; |
| 656 | "mailsub.bouncy.email" = {}; | 672 | "mailsub.bouncy.email" = {}; |
| 657 | "imap.bouncy.email" = {}; | 673 | "imap.bouncy.email" = {}; |
| 658 | "mta-sts.bouncy.email" = {}; | 674 | "mta-sts.bouncy.email" = {}; |
| 659 | "surtr.yggdrasil.li" = {}; | 675 | "kleen.consulting" = {}; |
| 676 | "mailin.kleen.consulting" = {}; | ||
| 677 | "mailsub.kleen.consulting" = {}; | ||
| 678 | "imap.kleen.consulting" = {}; | ||
| 679 | "mta-sts.kleen.consulting" = {}; | ||
| 660 | } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains); | 680 | } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains); |
| 661 | 681 | ||
| 662 | systemd.services.postfix = { | 682 | systemd.services.postfix = { |
| @@ -666,6 +686,9 @@ in { | |||
| 666 | "bouncy.email.full.pem:${config.security.acme.certs."bouncy.email".directory}/full.pem" | 686 | "bouncy.email.full.pem:${config.security.acme.certs."bouncy.email".directory}/full.pem" |
| 667 | "mailin.bouncy.email.full.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/full.pem" | 687 | "mailin.bouncy.email.full.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/full.pem" |
| 668 | "mailsub.bouncy.email.full.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/full.pem" | 688 | "mailsub.bouncy.email.full.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/full.pem" |
| 689 | "kleen.consulting.full.pem:${config.security.acme.certs."kleen.consulting".directory}/full.pem" | ||
| 690 | "mailin.kleen.consulting.full.pem:${config.security.acme.certs."mailin.kleen.consulting".directory}/full.pem" | ||
| 691 | "mailsub.kleen.consulting.full.pem:${config.security.acme.certs."mailsub.kleen.consulting".directory}/full.pem" | ||
| 669 | ]; | 692 | ]; |
| 670 | }; | 693 | }; |
| 671 | 694 | ||
| @@ -684,6 +707,10 @@ in { | |||
| 684 | "bouncy.email.pem:${config.security.acme.certs."bouncy.email".directory}/fullchain.pem" | 707 | "bouncy.email.pem:${config.security.acme.certs."bouncy.email".directory}/fullchain.pem" |
| 685 | "imap.bouncy.email.key.pem:${config.security.acme.certs."imap.bouncy.email".directory}/key.pem" | 708 | "imap.bouncy.email.key.pem:${config.security.acme.certs."imap.bouncy.email".directory}/key.pem" |
| 686 | "imap.bouncy.email.pem:${config.security.acme.certs."imap.bouncy.email".directory}/fullchain.pem" | 709 | "imap.bouncy.email.pem:${config.security.acme.certs."imap.bouncy.email".directory}/fullchain.pem" |
| 710 | "kleen.consulting.key.pem:${config.security.acme.certs."kleen.consulting".directory}/key.pem" | ||
| 711 | "kleen.consulting.pem:${config.security.acme.certs."kleen.consulting".directory}/fullchain.pem" | ||
| 712 | "imap.kleen.consulting.key.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/key.pem" | ||
| 713 | "imap.kleen.consulting.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/fullchain.pem" | ||
| 687 | ]; | 714 | ]; |
| 688 | }; | 715 | }; |
| 689 | }; | 716 | }; |
| @@ -713,12 +740,11 @@ in { | |||
| 713 | proxy_set_header SPM-DOMAIN "${domain}"; | 740 | proxy_set_header SPM-DOMAIN "${domain}"; |
| 714 | ''; | 741 | ''; |
| 715 | }; | 742 | }; |
| 716 | }) spmDomains) // { | 743 | }) spmDomains) // listToAttrs (map (domain: nameValuePair "mta-sts.${domain}" { |
| 717 | "mta-sts.bouncy.email" = { | ||
| 718 | forceSSL = true; | 744 | forceSSL = true; |
| 719 | sslCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.pem"; | 745 | sslCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.pem"; |
| 720 | sslCertificateKey = "/run/credentials/nginx.service/mta-sts.bouncy.email.key.pem"; | 746 | sslCertificateKey = "/run/credentials/nginx.service/mta-sts.${domain}.key.pem"; |
| 721 | sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.chain.pem"; | 747 | sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.chain.pem"; |
| 722 | 748 | ||
| 723 | extraConfig = '' | 749 | extraConfig = '' |
| 724 | add_header Strict-Transport-Security "max-age=63072000" always; | 750 | add_header Strict-Transport-Security "max-age=63072000" always; |
| @@ -734,18 +760,17 @@ in { | |||
| 734 | charset utf-8; | 760 | charset utf-8; |
| 735 | source_charset utf-8; | 761 | source_charset utf-8; |
| 736 | ''; | 762 | ''; |
| 737 | root = pkgs.runCommand "mta-sts" {} '' | 763 | root = pkgs.runCommand "mta-sts.${domain}" {} '' |
| 738 | mkdir -p $out/.well-known | 764 | mkdir -p $out/.well-known |
| 739 | cp ${pkgs.writeText "mta-sts.txt" '' | 765 | cp ${pkgs.writeText "mta-sts.${domain}.txt" '' |
| 740 | version: STSv1 | 766 | version: STSv1 |
| 741 | mode: enforce | 767 | mode: enforce |
| 742 | max_age: 2419200 | 768 | max_age: 2419200 |
| 743 | mx: mailin.bouncy.email | 769 | mx: mailin.${domain} |
| 744 | ''} $out/.well-known/mta-sts.txt | 770 | ''} $out/.well-known/mta-sts.txt |
| 745 | ''; | 771 | ''; |
| 746 | }; | 772 | }; |
| 747 | }; | 773 | }) ["bouncy.email" "kleen.consulting"]); |
| 748 | }; | ||
| 749 | }; | 774 | }; |
| 750 | 775 | ||
| 751 | systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [ | 776 | systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [ |
| @@ -755,6 +780,9 @@ in { | |||
| 755 | "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem" | 780 | "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem" |
| 756 | "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem" | 781 | "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem" |
| 757 | "mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem" | 782 | "mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem" |
| 783 | "mta-sts.kleen.consulting.key.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/key.pem" | ||
| 784 | "mta-sts.kleen.consulting.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/fullchain.pem" | ||
| 785 | "mta-sts.kleen.consulting.chain.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/chain.pem" | ||
| 758 | ]; | 786 | ]; |
| 759 | 787 | ||
| 760 | systemd.services.spm = { | 788 | systemd.services.spm = { |
diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix index 920f939c..3d7f3ebf 100644 --- a/hosts/surtr/http/default.nix +++ b/hosts/surtr/http/default.nix | |||
| @@ -35,23 +35,6 @@ | |||
| 35 | ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; | 35 | ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; |
| 36 | RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ]; | 36 | RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ]; |
| 37 | RuntimeDirectoryMode = "0750"; | 37 | RuntimeDirectoryMode = "0750"; |
| 38 | |||
| 39 | NoNewPrivileges = lib.mkForce false; | ||
| 40 | PrivateDevices = lib.mkForce false; | ||
| 41 | ProtectHostname = lib.mkForce false; | ||
| 42 | ProtectKernelTunables = lib.mkForce false; | ||
| 43 | ProtectKernelModules = lib.mkForce false; | ||
| 44 | RestrictAddressFamilies = lib.mkForce [ ]; | ||
| 45 | LockPersonality = lib.mkForce false; | ||
| 46 | MemoryDenyWriteExecute = lib.mkForce false; | ||
| 47 | RestrictRealtime = lib.mkForce false; | ||
| 48 | RestrictSUIDSGID = lib.mkForce false; | ||
| 49 | SystemCallArchitectures = lib.mkForce ""; | ||
| 50 | ProtectClock = lib.mkForce false; | ||
| 51 | ProtectKernelLogs = lib.mkForce false; | ||
| 52 | RestrictNamespaces = lib.mkForce false; | ||
| 53 | SystemCallFilter = lib.mkForce ""; | ||
| 54 | ReadWritePaths = [ "/srv/files" ]; | ||
| 55 | }; | 38 | }; |
| 56 | }; | 39 | }; |
| 57 | 40 | ||
diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix index 1da411d3..0443bc97 100644 --- a/hosts/surtr/http/webdav/default.nix +++ b/hosts/surtr/http/webdav/default.nix | |||
| @@ -76,11 +76,30 @@ in { | |||
| 76 | }; | 76 | }; |
| 77 | }; | 77 | }; |
| 78 | 78 | ||
| 79 | systemd.services.nginx.serviceConfig.LoadCredential = [ | 79 | systemd.services.nginx.serviceConfig = { |
| 80 | "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem" | 80 | LoadCredential = [ |
| 81 | "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem" | 81 | "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem" |
| 82 | "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem" | 82 | "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem" |
| 83 | ]; | 83 | "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem" |
| 84 | ]; | ||
| 85 | |||
| 86 | NoNewPrivileges = lib.mkForce false; | ||
| 87 | PrivateDevices = lib.mkForce false; | ||
| 88 | ProtectHostname = lib.mkForce false; | ||
| 89 | ProtectKernelTunables = lib.mkForce false; | ||
| 90 | ProtectKernelModules = lib.mkForce false; | ||
| 91 | RestrictAddressFamilies = lib.mkForce [ ]; | ||
| 92 | LockPersonality = lib.mkForce false; | ||
| 93 | MemoryDenyWriteExecute = lib.mkForce false; | ||
| 94 | RestrictRealtime = lib.mkForce false; | ||
| 95 | RestrictSUIDSGID = lib.mkForce false; | ||
| 96 | SystemCallArchitectures = lib.mkForce ""; | ||
| 97 | ProtectClock = lib.mkForce false; | ||
| 98 | ProtectKernelLogs = lib.mkForce false; | ||
| 99 | RestrictNamespaces = lib.mkForce false; | ||
| 100 | SystemCallFilter = lib.mkForce ""; | ||
| 101 | ReadWritePaths = [ "/srv/files" ]; | ||
| 102 | }; | ||
| 84 | 103 | ||
| 85 | 104 | ||
| 86 | # services.uwsgi.instance.vassals.webdav = { | 105 | # services.uwsgi.instance.vassals.webdav = { |
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix index 0a3024d2..4e60a3f9 100644 --- a/hosts/surtr/tls/default.nix +++ b/hosts/surtr/tls/default.nix | |||
| @@ -36,7 +36,7 @@ in { | |||
| 36 | }; | 36 | }; |
| 37 | 37 | ||
| 38 | config = { | 38 | config = { |
| 39 | security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email" "bouncy.email"] (domain: { wildcard = true; }); | 39 | security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email" "bouncy.email" "kleen.consulting"] (domain: { wildcard = true; }); |
| 40 | 40 | ||
| 41 | fileSystems."/var/lib/acme" = | 41 | fileSystems."/var/lib/acme" = |
| 42 | { device = "surtr/safe/var-lib-acme"; | 42 | { device = "surtr/safe/var-lib-acme"; |
diff --git a/hosts/surtr/tls/tsig_keys/imap.kleen.consulting b/hosts/surtr/tls/tsig_keys/imap.kleen.consulting new file mode 100644 index 00000000..4274b6c1 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/imap.kleen.consulting | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:Bj5DPnwGwY10vX35NbsWUawEjx5RoUe5tyQUhERD2VLRrnoyho3YI0c/3pIP,iv:6Mwcp8orH4sQGubV9FeSWqFgT4pyK57MWSKbDaijfvY=,tag:zQZLCavwRDIOz419pMrjbQ==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": null, | ||
| 9 | "lastmodified": "2022-12-27T14:23:03Z", | ||
| 10 | "mac": "ENC[AES256_GCM,data:A89e988MUk4M0hYPjt+rkidTT9G2t/pMvDWbA1pLp6ejuaDKOyqt8+4Z1ijA+ZWotam/+PS4OwiLYPWUv5yQYRZXEgIC4X+9zUqTzrk4YfHNzz5CxHv3xVRXDAv+THAuAZqpFcJHZsfwlrkJ8oT7aBM0QzGEYhRd6DqXrDm74Ec=,iv:rMrjW/5doBtymJipRPfS2HrAVOXmNLSESAmGfGrfRtM=,tag:hnnZaRoAajlaSs94Y1VF9Q==,type:str]", | ||
| 11 | "pgp": [ | ||
| 12 | { | ||
| 13 | "created_at": "2022-12-27T14:23:03Z", | ||
| 14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA1Z/0PugoNJs50gvZpRdFzp5vykDq3WiLr5TpMMOcrm0w\nwzLloHyQzuZixmbhj0zJ8JEW38kaSwjiJhkifIYI81ab49SJKzrJk0/+QhFQwgQQ\n0l4BwWaAGzxg+VCvWVasXpFrxD3XTIa2d1PntLTNkrnLO0W75rWBuAOrKR74BS8y\nnKPFtG+jRW36ziESeqyPF+Grb+lMiVhqEBe/W1eeeUtCL8HVVfTBnNSBrWockDnj\n=FOND\n-----END PGP MESSAGE-----\n", | ||
| 15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
| 16 | }, | ||
| 17 | { | ||
| 18 | "created_at": "2022-12-27T14:23:03Z", | ||
| 19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAuAdDkZ/i0CzkC8BtxDVRKXRYIPagMBUTue4T9hrfZjow\n2hCdSqXoiO9Nafl4p6hr+z/+hgvtd7+Vi6Vsx/hYEYyQGGMj4kBjtrCLaIXrNwzk\n0l4BWzYVis9DReZ4b9dQjqOqFOFXTNjjdDvKT2XvB6UC7Ak92Urp0aASQr6cOOa5\nr5k3j1AYlhMeYpSmz7uzWjLcIAqH84KFBAEvsm644ymmKkM0o6lZfzYN2TsoEjnP\n=CXUK\n-----END PGP MESSAGE-----\n", | ||
| 20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
| 21 | } | ||
| 22 | ], | ||
| 23 | "unencrypted_suffix": "_unencrypted", | ||
| 24 | "version": "3.7.3" | ||
| 25 | } | ||
| 26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/tls/tsig_keys/kleen.consulting b/hosts/surtr/tls/tsig_keys/kleen.consulting new file mode 100644 index 00000000..48b6e4b4 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/kleen.consulting | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:hLR+WPUazhZzM+YIR6IMMFjKcupbhZ/Gnu2kv873FW9cnV6pPz5is+eX/Qh6,iv:FAuop9mU4RxBMr/9+cpQDnrRoTaIk7rFh1u2kdLTJ2g=,tag:swtnoDGWisJjGkv4/xE2nw==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": null, | ||
| 9 | "lastmodified": "2022-12-27T14:23:01Z", | ||
| 10 | "mac": "ENC[AES256_GCM,data:zDAuZdupb97yeKlS8j1J0SkP3xHMi62SVOgc4NAyqiQgSRnRVhO0uxf3Ms3nVhijqFOS0IeaHsEQM6cCcfq5Hf5/073XHV9/QTcCQsQxPqabwHLvO3Tkzc+lcWicwm0PUt3Plh4QybXwKSaYKJr8RZzlgltOl6CJN7fERIyNayY=,iv:G2te52MStm0o7+qjzIHs335x/PQHdcfiIrnF534+0sA=,tag:FwZRHR8vQiyhls04Ic97Aw==,type:str]", | ||
| 11 | "pgp": [ | ||
| 12 | { | ||
| 13 | "created_at": "2022-12-27T14:23:01Z", | ||
| 14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAVnsoiamZ0mwkgB/VDWMxCME/uxGYqZc50h332nFBGSQw\nhPTkYSghPXdCPzBAcFglpBnhTiluREUp0oWJuCoimJAkOmECLM6wACZPjit3cvSw\n0lwB0zzKGtRNsnIwy5pM70am1Yu54JAkcqdOGJZFEH24m3gNdJVWnnMcbXNNfxnN\nIgQDDmL8gw68lpw8wKOwGi5XIfwQwwSBm7cesLa2X4a6UKLgBRSYkwtkEkskJw==\n=bhXe\n-----END PGP MESSAGE-----\n", | ||
| 15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
| 16 | }, | ||
| 17 | { | ||
| 18 | "created_at": "2022-12-27T14:23:01Z", | ||
| 19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA44YcVmRcpMqRAdiZrtA/cXds6gPgRFbu1QokzhovUTIw\ni1bumXheuSh1EwgV+ds/eP03LRwWjkRWApzl1h7D2SS3R+1U2e43kzIORyi33Cwb\n0lwB5GGeLSRPirj1WSMe1WEXCizl330mEwgNYGs2HT1r9tHESTIO9CRnPzed3EXP\nhfH92t4HMCwIzWI7D78ExR/uNHiHhOhBs0Jz3V6HSOmKpPReLtb2sVNMjO6fKA==\n=ak0g\n-----END PGP MESSAGE-----\n", | ||
| 20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
| 21 | } | ||
| 22 | ], | ||
| 23 | "unencrypted_suffix": "_unencrypted", | ||
| 24 | "version": "3.7.3" | ||
| 25 | } | ||
| 26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/tls/tsig_keys/mailin.kleen.consulting b/hosts/surtr/tls/tsig_keys/mailin.kleen.consulting new file mode 100644 index 00000000..70fe6f95 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/mailin.kleen.consulting | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:iWIbjv56LHaOza+6l/5EwyOxrslupEjhyMJbe9hTYEeeqyxRkt2mQUXOjDYD,iv:CVUMbqzYGsgPA3wXHfi/XqR0NMDR+hEmYRQOUHUNhWw=,tag:YbMEErHIJL5tKaqWpXjs5A==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": null, | ||
| 9 | "lastmodified": "2022-12-27T14:23:02Z", | ||
| 10 | "mac": "ENC[AES256_GCM,data:e4oe95ZDgKZv6/Zy4P4r4u/fWHHLTsL1ieB1ut6Ktg4B2L/DPxuxEO0b5ajXFr8tkmA9/DL1Bfv5TT2145v/Kyy1NeXYGUGbg/BtrTYlUSekYVbHIHtNBYLgOQzNL5tlrhyFXsVHx8a0BZKVEmqMocNiz4kIjU4JJ1ORHxS5M4w=,iv:vN/y8TXg6RSxi7OyioIVA0NoiaPpIZU94tLEOCgvXHI=,tag:uAf7psK/HZ1cs621Y3LOoA==,type:str]", | ||
| 11 | "pgp": [ | ||
| 12 | { | ||
| 13 | "created_at": "2022-12-27T14:23:02Z", | ||
| 14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdADTdcU/shxjYVUAxYWJKSM3oRDpYCCJ9al76z3glcNQYw\nmIlrpVfT3O+lOSgr1s07giFe/WEJb/A4ctYE7UUSpnowZbOHn8bia0JG/t58791I\n0l4BV7zeiWadAGJHDIRHZb2BRev/b4ho/UYnHG+LTaGnAa9phfeOlRn7k6+sw8Ad\nDUBe1MPbsnBD7hT5IACxNZ4neXDaSJ9mOe5CP9u6SuDwFlMicW8XV3INXBcRQKZY\n=7Uw6\n-----END PGP MESSAGE-----\n", | ||
| 15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
| 16 | }, | ||
| 17 | { | ||
| 18 | "created_at": "2022-12-27T14:23:02Z", | ||
| 19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAgQrdU3Dqlv5ZuGkbBdroYvAFRbKdKTzG4gCkRR85DgUw\n8vPKNv3d93sWLqrvw1VqMKvmIfVGLujqM4j9ZuecHodUPiMuSgLmbzsGS5HpiubB\n0l4By0O/oVeNWAmFNYRMyfZ5CH+YYyOZ8u8tBTR/6eHjOp7wlKpCqcFVg8UILkbn\nrRvpNEM1PDh+oZJ4nMA7pQkm7297H0+uyTioGxHq9DLAODepnlfz2ofCKd/jEO1+\n=Fh1g\n-----END PGP MESSAGE-----\n", | ||
| 20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
| 21 | } | ||
| 22 | ], | ||
| 23 | "unencrypted_suffix": "_unencrypted", | ||
| 24 | "version": "3.7.3" | ||
| 25 | } | ||
| 26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/tls/tsig_keys/mailsub.kleen.consulting b/hosts/surtr/tls/tsig_keys/mailsub.kleen.consulting new file mode 100644 index 00000000..23da47b2 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/mailsub.kleen.consulting | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:afqmlv3igzgTf1ezNK68FPOCEgxx1dhvpU7bLax+3kVIT1Be+/SIqMMKBbQj,iv:keoYQnGhTh46xKy/ARXInRl2BT6B/U1eqROQHNrybXY=,tag:/LHTlj1yxBVk5szKpFqXOw==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": null, | ||
| 9 | "lastmodified": "2022-12-27T14:23:03Z", | ||
| 10 | "mac": "ENC[AES256_GCM,data:Un195JsFhtA99AEx89SGdZflAYOa/AHbcDxyQaMPiBI01ic7/EsYe6M6olv4E/PS1/+5b6ki6IeObl66Fv0ikKa36q6op8bJK/S3Mvza80FKcC6YKjmZp8R46MqxlntpIEtl1SaxeWlOf6XFSGS0HMfnCfnZ6+R/MXGM4ZHTofM=,iv:CP9JM+uSmKSskwD7SHEQGp/p8NwPu+c2eg+s7XKn+YU=,tag:LnhFimxAvhCCxYztRhjfgw==,type:str]", | ||
| 11 | "pgp": [ | ||
| 12 | { | ||
| 13 | "created_at": "2022-12-27T14:23:02Z", | ||
| 14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAwJ0Di7OfQ+O1k/D/tA3AzQAmwl/+8mN0kdLD/hAHyVMw\nSetR3yQECXHycm8uw24INYUg1gmVgSg8uunM06F9in15qC89nTBXyTwI37dvSRjM\n0l4BcfRGOenwU+XCRacm10eqZUtVTkgcD43Fz/wjghN6G6j4IGap6tJq6lnA21vb\nIM+qaaR1s8Abdd2CEqsvmB0vF4lacmr7yu1hr9c8C9ooe+pP6MTb4SOpoOjVIqqW\n=r9Oo\n-----END PGP MESSAGE-----\n", | ||
| 15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
| 16 | }, | ||
| 17 | { | ||
| 18 | "created_at": "2022-12-27T14:23:02Z", | ||
| 19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA2xewM1PTAgVs4hggZclYUf3cElF/X1N/sDEsygP54UYw\nTby6Gv+iooRsVmE7FJbvFAVBYEHbNquHdyuSVs8KujoeunEB3xVqeARktC83dKaF\n0l4BzqnrEbTH9R3bnPKOiN8kGiOXS6UjmQZYfrFNphVGGOf/YcTOuGjUISsKd9K6\nDi3zyFY6NiY85Fb0U4LUtAlqz7mbqmjBho1kNezEFvmwLf12XdKE4SXmnnJMoruf\n=bZIq\n-----END PGP MESSAGE-----\n", | ||
| 20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
| 21 | } | ||
| 22 | ], | ||
| 23 | "unencrypted_suffix": "_unencrypted", | ||
| 24 | "version": "3.7.3" | ||
| 25 | } | ||
| 26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/tls/tsig_keys/mta-sts.kleen.consulting b/hosts/surtr/tls/tsig_keys/mta-sts.kleen.consulting new file mode 100644 index 00000000..6f146483 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/mta-sts.kleen.consulting | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | { | ||
| 2 | "data": "ENC[AES256_GCM,data:32WD88YaqLsJO//uygFzPLknns8FR/19E7FeB2fyFXnTI2lscJWILD5NwKLJ,iv:gdR4hfH/ahbOwgsVjxmv3qldr/LHxmi59WiRwGKWo/Y=,tag:mmw+bVqiRnRExy8lJXdb3Q==,type:str]", | ||
| 3 | "sops": { | ||
| 4 | "kms": null, | ||
| 5 | "gcp_kms": null, | ||
| 6 | "azure_kv": null, | ||
| 7 | "hc_vault": null, | ||
| 8 | "age": null, | ||
| 9 | "lastmodified": "2022-12-27T14:23:04Z", | ||
| 10 | "mac": "ENC[AES256_GCM,data:8EPTej63BLWSW1h6bGPBymbmxn/MTAYGlQXfNAZYOG7bvOT/OJEepZGM+GpwbTDT5adDC9BIwjIaIuvN2YxyQxamC0v2kt64JIfOJqNcL2YDkKF6GgQkdo86T+5N/xq/gma6JIrl1ZHromiUJIU/nTgkU4ouaX+syXQ+H3TgxFE=,iv:nUNYWMXB4QHKT70B01AQiw4utByAMCSY54Zo5XJ6C3E=,tag:NsEyfxPfgCIQZsKIFQTuiw==,type:str]", | ||
| 11 | "pgp": [ | ||
| 12 | { | ||
| 13 | "created_at": "2022-12-27T14:23:04Z", | ||
| 14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAeGtiVx4eUHTbjv3xB+wVYZawZIS/a2EmY47xxDX8O2gw\njMHI7vF4bQGlWbwnJLMXIfxtK5gUontCZgTHneqClXPF78hibtCUBuhvAvsu5DCs\n0l4ByzrIpQSjo51JYx0mmaPifSN30EvYbgtYRgExQ+b0FAUAzh7DyNvb++3kz1DI\nOUJ5Fwt6nwVdBZlgAPHIJaCF91DNhav833U/tY8DA9IzigAA5dVhB4pR0OMMsLND\n=nJtD\n-----END PGP MESSAGE-----\n", | ||
| 15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
| 16 | }, | ||
| 17 | { | ||
| 18 | "created_at": "2022-12-27T14:23:04Z", | ||
| 19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAUE75g5kvTpMz2+wm0CKP2P0AfSMADGKQ/GW5kz4Rkmkw\nqUIe0vaLueUkbvAzgHvoNC+og+CUQo9qhSozK/vJLfxmKZ0gNbc2H56w3IKexoZs\n0l4BWF9JMxJPysnr19GW9kEstGT6cLCEzumojbsRqtOkEsISrHhHUjv2IYD1Tvpt\n0s9gdLIrr9ovwJV09LeUZOZZS+a4hBa3tGfFnWw81dAGnuZlXeC0kmTYV3Xn5cH5\n=i4Df\n-----END PGP MESSAGE-----\n", | ||
| 20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
| 21 | } | ||
| 22 | ], | ||
| 23 | "unencrypted_suffix": "_unencrypted", | ||
| 24 | "version": "3.7.3" | ||
| 25 | } | ||
| 26 | } \ No newline at end of file | ||