Diffstat (limited to 'hosts/surtr')
-rw-r--r-- | hosts/surtr/default.nix | 2 | ||||
-rw-r--r-- | hosts/surtr/dns/default.nix | 2 | ||||
-rw-r--r-- | hosts/surtr/dns/keys/imap.bouncy.email_acme.yaml | 26 | ||||
-rw-r--r-- | hosts/surtr/dns/keys/mailin.bouncy.email_acme.yaml | 26 | ||||
-rw-r--r-- | hosts/surtr/dns/keys/mailsub.bouncy.email_acme.yaml | 26 | ||||
-rw-r--r-- | hosts/surtr/dns/keys/surtr.yggdrasil.li_acme.yaml | 26 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/email.bouncy.soa | 9 | ||||
-rw-r--r-- | hosts/surtr/dns/zones/li.yggdrasil.soa | 8 | ||||
-rw-r--r-- | hosts/surtr/email/ca/.gitignore | 3 | ||||
-rw-r--r-- | hosts/surtr/email/ca/ca.crt | 11 | ||||
-rw-r--r-- | hosts/surtr/email/default.nix | 230 | ||||
-rw-r--r-- | hosts/surtr/tls/tsig_keys/imap.bouncy.email | 26 | ||||
-rw-r--r-- | hosts/surtr/tls/tsig_keys/mailin.bouncy.email | 26 | ||||
-rw-r--r-- | hosts/surtr/tls/tsig_keys/mailsub.bouncy.email | 26 | ||||
-rw-r--r-- | hosts/surtr/tls/tsig_keys/surtr.yggdrasil.li | 26 |
15 files changed, 466 insertions, 7 deletions
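--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
 {
 imports = with flake.nixosModules.systemProfiles; [
 qemu-guest openssh rebuild-machines zfs
-./zfs.nix ./dns ./tls ./http.nix ./bifrost ./matrix ./postgresql.nix ./prometheus
+./zfs.nix ./dns ./tls ./http.nix ./bifrost ./matrix ./postgresql.nix ./prometheus ./email
 ];
 
 config = {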
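--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -156,6 +156,7 @@ in {
 ${concatMapStringsSep "\n" mkZone [
 { domain = "yggdrasil.li";
 addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };
+acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li"];
 }
 { domain = "nights.email";
 addACLs = { "nights.email" = ["ymir_acme_acl"]; };
@@ -183,6 +184,7 @@ in {
 addACLs = { "rheperire.org" = ["ymir_acme_acl"]; };
 }
 { domain = "bouncy.email";
+acmeDomains = ["mailin.bouncy.email" "mailsub.bouncy.email" "imap.bouncy.email" "bouncy.email"];
 }
 ]}
 '';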
diff --git a/hosts/surtr/dns/keys/imap.bouncy.email_acme.yaml b/hosts/surtr/dns/keys/imap.bouncy.email_acme.yaml new file mode 100644 index 00000000..f57a5b9f --- /dev/null +++ b/hosts/surtr/dns/keys/imap.bouncy.email_acme.yaml | |||
@@ -0,0 +1,26 @@ | |||
1 | { | ||
2 | "data": "ENC[AES256_GCM,data:xcDcVLIIZXus19oDIoFvZsyy0XUN26/B2yFQpt/apVBmhxC4qmHf+5SuzXx6KnL+LRCFnh0kxw5NUnLFaADUesUAWSBTCMLyirIT37NMUNAnGcP8ikqmOk2HUHE8/3BSER9Sr/9bXhA4ikzJnWVOWGJ9lT6qkw+DUHihundf+tHKnutxP/CoXM84T0YU4U6Jzw55BhyavaT7hSjm5Pa/CmvzUfu57GK8LBQchULqPXL1/GkcZbm/BJwI2RrYkhZG8CieRiey0WaD16qxsJ4lnhSb,iv:Spb+VtjR0XEj0HldOFNORYFbPDPeS7XgTdqZPi45wuw=,tag:QRQfOTwuh6lWJNrXZkNl0w==,type:str]", | ||
3 | "sops": { | ||
4 | "kms": null, | ||
5 | "gcp_kms": null, | ||
6 | "azure_kv": null, | ||
7 | "hc_vault": null, | ||
8 | "age": null, | ||
9 | "lastmodified": "2022-05-05T11:44:35Z", | ||
10 | "mac": "ENC[AES256_GCM,data:fQmb4Az33ypsJowyPrwBlkDYDNNtJWev5RzOQdvk3FOXINfeVXqBqRmK/FqYTwonWg+oQ1j7HptvEHXnNBXyHSjLs0eBNUwQAGDVYCQO2zGwmvwnRoyvSfgqESAeSWKMhzHvEA67dAm8l1HZuAXOKpnfMF2y2Z2bD4t6Ipz1FOU=,iv:UzpWjwBiC7te1IxneH/rueVKyRQ8IulRQYAQ9AybueI=,tag:s+FpPWQ0qu187LRcFb+7eg==,type:str]", | ||
11 | "pgp": [ | ||
12 | { | ||
13 | "created_at": "2022-05-05T11:44:34Z", | ||
14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAl2GftHJU72CZwTRupXE9S1Z/w7vwrRQlFrme9woZ2QUw\nvan+u4DvpbWsv8jH4rPERxz7aIHcIUMnnDHMls7Ma8rqwE4GzjBnqJ4afYEgbUyc\n0l4B9IVHcML8hwLMRnox+/+DqMw9QJALjiLshid+6lxQOjiKj7AvLCsMA3llsT7H\ncyGwyhm99BaLO48zsXlSmGgg2/YSTPuiJtddwp9CWv0oeOrySnw5Rk0VqdVTzreK\n=EV9D\n-----END PGP MESSAGE-----\n", | ||
15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
16 | }, | ||
17 | { | ||
18 | "created_at": "2022-05-05T11:44:34Z", | ||
19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAHdryYLAJhmbfQOq+tXxuuOYuB2stUUnq8/lRg6/nDyMw\nMeq1lqDPZmqcMGPuz1gaopZ+I30FBdASTaLMt2jPhd09mVccpY0nFuyvjJHHV32R\n0l4B2kHMD+NWtWCxPWGAUYBHI73xggVNMkDbr2FhwJgruN/4WRNGlgEszl6MQ43v\nI98doI69oLocwl7ZmXurspzyJA4btFIayAUgKc0uF28k4ulniTPlB75QxLAvXHNy\n=AQHH\n-----END PGP MESSAGE-----\n", | ||
20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
21 | } | ||
22 | ], | ||
23 | "unencrypted_suffix": "_unencrypted", | ||
24 | "version": "3.7.2" | ||
25 | } | ||
26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/dns/keys/mailin.bouncy.email_acme.yaml b/hosts/surtr/dns/keys/mailin.bouncy.email_acme.yaml new file mode 100644 index 00000000..495af908 --- /dev/null +++ b/hosts/surtr/dns/keys/mailin.bouncy.email_acme.yaml | |||
@@ -0,0 +1,26 @@ | |||
1 | { | ||
2 | "data": "ENC[AES256_GCM,data:aRpq+iUmoEQoy7wlDjTorLK0hUQdUE0RrlFAPYzoInAxrtm58xWLWYBb6FSm7oPv+B+uM04hXbTyH9xh4ZIogiV95qva1FaK+OSO9zkhP2i4SyroRyT4IKhs8ajCAj2wRSXCcUgK13UotF45y+2yJyPEOAsIossOaAJceQdi+fbW7L5z93copWyPa5XG3/KUZBNAoGFprTzB0c9luGWp8GmJ0zFZhbI+ZnKFgL9ZDTfh2e8N0VUih748AZw7YzL3uEu68BWPdXhgDo+f/DJARizmH/NyMQ==,iv:AomUPijrVdXiYI3fl8PAbJEjWZIeh7tuIZaDzJOieDk=,tag:AWkWJ+I9m7TrKKBL5cYWVw==,type:str]", | ||
3 | "sops": { | ||
4 | "kms": null, | ||
5 | "gcp_kms": null, | ||
6 | "azure_kv": null, | ||
7 | "hc_vault": null, | ||
8 | "age": null, | ||
9 | "lastmodified": "2022-05-05T11:44:33Z", | ||
10 | "mac": "ENC[AES256_GCM,data:o2QxYW9SPIbOWP/iQ2Mk1imSUWBwPOkPUTIVub/Y4Yse0RkR6qp1LlRdhB5aOKirInKNulA0iCm5uiDyGS02N52wrmQpnWjeMcFysZ9rzzRPIaEUa31GIWRQAt11amO56hM9JTBZGmq5bhPVRxRBfMT4PSgUT/KrRJSQCVXGyAs=,iv:OWk/08GxYylbjqcOjJnC81L4P+QyUkyxYaJ+qReGzIo=,tag:4r4eVCB5s462uMbb8lrnXg==,type:str]", | ||
11 | "pgp": [ | ||
12 | { | ||
13 | "created_at": "2022-05-05T11:44:33Z", | ||
14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAymwXeFtQyiAgb+/Rm5jxPCnKWG3n7libf3zmYbQw7B0w\ndAmL/pukd3B8n3+lcdHDZodtr3W4LyatgdSXOUG51hRoqEq16b2MmCM43jTUnYQd\n0l4BWTk98DfAZ/6z7ulexqbCmfJSfJzUJGBnLqTBq2dnxeHHWpY/tpGp6BAi2n+p\nxtooPP9PUC2wbXFyf0FB5nGg+JvsNi4FspDwFYljnDKmXBnn1H3IfCmUhy1chWty\n=a8nm\n-----END PGP MESSAGE-----\n", | ||
15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
16 | }, | ||
17 | { | ||
18 | "created_at": "2022-05-05T11:44:33Z", | ||
19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA0t4v/UKyR3uWG2NpFqxZRG7Hj05+akMq5ZnU7B/VrgQw\n4WIpnT+nqxM7c+vFNe/AVyO+R82qQrMbTL0QHpD5rUDdszFVw1UH/ELMH3rrcRlz\n0l4Bf8bWylnKOvPqeyklEktiSUXoMWqs0AbD+LuTUgqz/JvuO6AqvgbfPUvm5eOM\npI2DEW11SZeqiUai3N/H34myzQ7kSoVSfJobUfmBazIq69DBSSWz0sksMw98+yWK\n=q0Ui\n-----END PGP MESSAGE-----\n", | ||
20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
21 | } | ||
22 | ], | ||
23 | "unencrypted_suffix": "_unencrypted", | ||
24 | "version": "3.7.2" | ||
25 | } | ||
26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/dns/keys/mailsub.bouncy.email_acme.yaml b/hosts/surtr/dns/keys/mailsub.bouncy.email_acme.yaml new file mode 100644 index 00000000..63d18e50 --- /dev/null +++ b/hosts/surtr/dns/keys/mailsub.bouncy.email_acme.yaml | |||
@@ -0,0 +1,26 @@ | |||
1 | { | ||
2 | "data": "ENC[AES256_GCM,data:wjU+ojwNIfiQamoOpB2MVyOB6WCCjpt1xwWO/LYD2YJqXkjl8ko4hf/wC+Q1SPkvvHPFtxxiQh1dzcl+8Wh6Xicb5HNMxiAXUQAr7gMG25nfyv3m0vB9msPDeEcbrE4t7bXOuZUBuOx9iU5UmA5kN9oTOcCT5i/db9ILEjcSvkvysk10WytyXK5CEHu5Y+gwlIJ+tP/eG/zEcXGHbDb/feQSn+Xwt3Jrdef9cau+pZB7zexIpMkvwryG9cpZCJUUDBYOhaHO+iLiO3+IEoDpr5Dabsuk9Nez,iv:ogd5X7Ss0Izl7AuJ0NvO4zKsMDDjsew3JLb0wElFhHE=,tag:f2IWgpCELipQdM+4IrtIVg==,type:str]", | ||
3 | "sops": { | ||
4 | "kms": null, | ||
5 | "gcp_kms": null, | ||
6 | "azure_kv": null, | ||
7 | "hc_vault": null, | ||
8 | "age": null, | ||
9 | "lastmodified": "2022-05-05T11:44:34Z", | ||
10 | "mac": "ENC[AES256_GCM,data:cCqLh/qhAiicPFl1p16icG8JacpQTYjnRByjRVkD1wZ2i+M/4/LXL1O46GZJvNMNlOTN6Be6IIeazGnO7MP6oxo6He2hovD0Ej5WbSruiwL2cuVvZ3vSpFI8psWS22NBgnNXCcxA+giS5b/jlRI7pcTQ2Knwwzh7Y4Xdp/UBAi8=,iv:6wC4JpdL90zwezMsoLeE5XGwxMvUdHGaVnZqfLcd//M=,tag:7peBKCXYlivsVY9hgNojyA==,type:str]", | ||
11 | "pgp": [ | ||
12 | { | ||
13 | "created_at": "2022-05-05T11:44:34Z", | ||
14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAJ2Nl+Jhuqa6LwqsC/EPuYPU9YzPaD11JMhPxyMnk2CMw\nIJWVCeIbXlUWulQF497/yvCX+gpODsk//xTc9J1Uv02uH0HZPYQaVMVs9sqg1NW/\n0l4BpYd98/J0fFwvjhlu/6AB8zrQ2OEegjlOSGDhrAObOBx5xly3IJOF0dObl3fO\nKuauEC3fXJ/s6dugdGDklNhrdRSlfgmigSErUyB0kjo9mF/mAQ8lbzw6b5OXXBwE\n=U3Fx\n-----END PGP MESSAGE-----\n", | ||
15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
16 | }, | ||
17 | { | ||
18 | "created_at": "2022-05-05T11:44:34Z", | ||
19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAuAXp4XtRgiQe/Nhs1oBhZxxre6e6R8uBXCUuLgp5IxIw\nUZNOL8NJB94jyqC1yxOr9mILMJw0+cQYFq8CuwSea7Cuz3WOgtVRl1ezKQlpusu5\n0l4BK5ByaesUw7P+wYuXC9VDFnKUCkSn+AA76zikuHHFu9KMd/4p6FcHboQyFz54\nguRNReB6U3y2g9KIwKo/hAk+8NHnuqH9w9Cfb2IIsU5a663AhLv/GKKkCbo0s7Ur\n=jNYe\n-----END PGP MESSAGE-----\n", | ||
20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
21 | } | ||
22 | ], | ||
23 | "unencrypted_suffix": "_unencrypted", | ||
24 | "version": "3.7.2" | ||
25 | } | ||
26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/dns/keys/surtr.yggdrasil.li_acme.yaml b/hosts/surtr/dns/keys/surtr.yggdrasil.li_acme.yaml new file mode 100644 index 00000000..4523b3ba --- /dev/null +++ b/hosts/surtr/dns/keys/surtr.yggdrasil.li_acme.yaml | |||
@@ -0,0 +1,26 @@ | |||
1 | { | ||
2 | "data": "ENC[AES256_GCM,data:4+Pvq42ibLYLxaBBf0Q8gVYglcCdABu8R3M5haawnPSadC53u1+2vx5cujznaUE0vpNJKRDhrHKmctbY6azhgWWvd+PIJ7QtbIEn+9ZhFPsaufrVxXCF/2/wPR505cJiIx0ydeE5G8a8AwsSexLPNg8cBENjkPlImd9LnxIVM3xwpjnNasV7B+OkOnK9twAh51waJLsVYrlS1VOJRh3Q7tuJWlBtQu0YWdImmxvtrz30h2MHg8g03bkL91z5NSf6mbMkLwj6dRZYlXpPMKMi4ZjsXFk=,iv:7bXn7FQwQbLF8gp115OAO+r1eqjlQklar/ADrVJaJOw=,tag:R2NmSMATA1rRQazoV6WfMw==,type:str]", | ||
3 | "sops": { | ||
4 | "kms": null, | ||
5 | "gcp_kms": null, | ||
6 | "azure_kv": null, | ||
7 | "hc_vault": null, | ||
8 | "age": null, | ||
9 | "lastmodified": "2022-05-05T11:44:30Z", | ||
10 | "mac": "ENC[AES256_GCM,data:fLYGT6nZqQEE71WV6lhmXcX2HpQBwqRqd4j9D7YwXXCQolK2v4vqND8cjn2Ni71eWxoJRqHSVWOcvK39EM+kphcmH/wqLMYhdfjkP+DisYecO8LSF8MC1mhADz/YAQQfSs1Fp73JBEOruWqeyXsCB0uSfuIk5w6P0oihzZEddys=,iv:kdLy5pPPfOhyT4E0PV+cbb/007A5maBtQ90ZaCvUHGM=,tag:QJrlCAoFTosBYTgqfca/SA==,type:str]", | ||
11 | "pgp": [ | ||
12 | { | ||
13 | "created_at": "2022-05-05T11:44:30Z", | ||
14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAO6YzCUEucOdXkrSHAVb7Evv2ouIgsI44bvG39sM9mTcw\nExiQR9nGBTrVUIRX7Gcb6GbDOHfYiSXhIi6CVzF7gRwe1iJGM1T6fheA30VuJ4uk\n0l4B3F4m/Pqvgp9NaBGQQDQOaCTD5NjwK/2lZtuMckQMUi9df4nEA9khJHsw8nx5\nSGU8QZquE4Kyi//pEFycoQ2q0QvKqg8JoT2m7TG5EBFXea1xfbZOZNIANUB8LnOW\n=vaJN\n-----END PGP MESSAGE-----\n", | ||
15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
16 | }, | ||
17 | { | ||
18 | "created_at": "2022-05-05T11:44:30Z", | ||
19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAgqn8CAAZu2yB5YUfmQtMxMNJr3D40jzBH1oVmV862lYw\nlEAvxqlzV7xj/pLLfcQm/fxVu6c1tQlD4nA00VceQVZN8bm0kOzwbl+MnCYBiHps\n0l4Bcus9lKpaEpz/SB2no38/VCeM2mFnWPkUuyaLN0+xlosq4/laLhLe4NzXW8BX\nQKv8FLX0GxywRzonaLBf4p9Za8EXKXv9xMf5iYst4vG0epj4MCCxp6IH/uNDJwFt\n=yguK\n-----END PGP MESSAGE-----\n", | ||
20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
21 | } | ||
22 | ], | ||
23 | "unencrypted_suffix": "_unencrypted", | ||
24 | "version": "3.7.2" | ||
25 | } | ||
26 | } \ No newline at end of file | ||
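--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-2022050501 ; serial
+2022050503 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -20,6 +20,8 @@ $TTL 3600
 @ IN MX 0 mailin.bouncy.email.
 @ IN TXT "v=spf1 a:mailout.bouncy.email -all"
 
+_acme-challenge IN NS ns.yggdrasil.li.
+
 * IN A 202.61.241.61
 * IN AAAA 2a03:4000:52:ada::
 * IN MX 0 mailin.bouncy.email.
@@ -34,11 +36,13 @@ mailin IN A 202.61.241.61
 mailin IN AAAA 2a03:4000:52:ada::
 mailin IN MX 0 mailin.bouncy.email.
 mailin IN TXT "v=spf1 redirect=bouncy.email"
+_acme-challenge.mailin IN NS ns.yggdrasil.li.
 
 mailsub IN A 202.61.241.61
 mailsub IN AAAA 2a03:4000:52:ada::
 mailsub IN MX 0 mailin.bouncy.email.
 mailsub IN TXT "v=spf1 redirect=bouncy.email"
+_acme-challenge.mailsub IN NS ns.yggdrasil.li.
 
 _submissions._tcp IN SRV 5 0 465 mailsub.bouncy.email.
 
@@ -46,7 +50,6 @@ imap IN A 202.61.241.61
 imap IN AAAA 2a03:4000:52:ada::
 imap IN MX 0 mailin.bouncy.email.
 imap IN TXT "v=spf1 redirect=bouncy.email"
+_acme-challenge.imap IN NS ns.yggdrasil.li.
 
 _imaps._tcp IN SRV 5 0 993 imap.bouncy.email.
-
-_acme-challenge IN NS ns.yggdrasil.li.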
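--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-2022040800 ; serial
+2022050501 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -37,8 +37,10 @@ ymir IN TXT "v=spf1 redirect=yggdrasil.li"
 
 surtr IN A 202.61.241.61
 surtr IN AAAA 2a03:4000:52:ada::
-surtr IN MX 0 ymir.yggdrasil.li
-surtr IN TXT "v=spf1 redirect=yggdrasil.li"
+surtr IN MX 0 surtr.yggdrasil.li
+surtr IN TXT "v=spf1 a:surtr.yggdrasil.li -all"
+
+_acme-challenge.surtr IN NS ns.yggdrasil.li.
 
 prometheus.surtr IN CNAME surtr.yggdrasil.li.
 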
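Review bot: The new `surtr IN MX 0 surtr.yggdrasil.li` target has no trailing dot, so under `$ORIGIN yggdrasil.li.` it is a relative name and expands to `surtr.yggdrasil.li.yggdrasil.li.`; the line it replaces had the same omission, so the change carries an existing mistake forward. It should read `surtr IN MX 0 surtr.yggdrasil.li.`, matching the fully-qualified `ns.yggdrasil.li.` and `surtr.yggdrasil.li.` targets on the neighbouring NS and CNAME lines. The `a:surtr.yggdrasil.li` inside the SPF TXT string is unaffected, since TXT data is not expanded against the origin.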
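--- /dev/null
+++ b/hosts/surtr/email/ca/.gitignore
@@ -0,0 +1,3 @@
+ca.key
+ca.cnf
+*.old
\ No newline at end of file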
diff --git a/hosts/surtr/email/ca/ca.crt b/hosts/surtr/email/ca/ca.crt new file mode 100644 index 00000000..a4a46000 --- /dev/null +++ b/hosts/surtr/email/ca/ca.crt | |||
@@ -0,0 +1,11 @@ | |||
1 | -----BEGIN CERTIFICATE----- | ||
2 | MIIBmjCCAUygAwIBAgIUb0fWK0YOiuanuqOsKemfDMb+LlUwBQYDK2VwMBcxFTAT | ||
3 | BgNVBAMMDHlnZ2RyYXNpbC5saTAgFw0yMjA1MDUxMTMxMzZaGA8yMDkwMDUyMzEx | ||
4 | MzEzNlowFzEVMBMGA1UEAwwMeWdnZHJhc2lsLmxpMCowBQYDK2VwAyEAuven1BCF | ||
5 | gNJtOa5Uga4opO6CD6anTdLHMYEgax6bFbejgacwgaQwHQYDVR0OBBYEFO+nGZ+J | ||
6 | ea3aQyWPNG53isOP91OVMFIGA1UdIwRLMEmAFO+nGZ+Jea3aQyWPNG53isOP91OV | ||
7 | oRukGTAXMRUwEwYDVQQDDAx5Z2dkcmFzaWwubGmCFG9H1itGDormp7qjrCnpnwzG | ||
8 | /i5VMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQE | ||
9 | AwICBDAFBgMrZXADQQD9C+L1EUIARdzeEvzGkBhcgggQQC4DKlLt0mpuUuGLxdfS | ||
10 | xwAHTGd6PLER3DMTMob4olsGkl09g6fqj9iJRrkM | ||
11 | -----END CERTIFICATE----- | ||
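--- /dev/null
+++ b/hosts/surtr/email/default.nix
@@ -0,0 +1,230 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+postfix_map = tableType: tableName: "${tableType}:/run/postfix/maps/${tableName}";
+postfix_hash = postfix_map "hash";
+in {
+options = {
+services.postfix.mapFilesRun = mkOption {
+type = types.attrsOf (types.either types.path (types.submodule {
+options = {
+type = mkOption {
+type = types.str;
+default = "hash";
+};
+
+path = mkOption {
+type = types.nullOr types.path;
+default = null;
+};
+
+text = mkOption {
+type = types.nullOr types.lines;
+default = null;
+};
+};
+}));
+default = {};
+};
+};
+
+config = {
+services.postfix = {
+enable = true;
+hostname = "surtr.yggdrasil.li";
+recipientDelimiter = "+";
+setSendmail = true;
+postmasterAlias = ""; rootAlias = ""; extraAliases = "";
+destination = [];
+sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem";
+sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem";
+networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"];
+mapFilesRun = {
+"relay_ccert" = { text = ""; };
+"sni" = { text = ''
+bouncy.email /run/credentials/postfix.service/bouncy.email.sni.pem
+mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.sni.pem
+mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.sni.pem
+.bouncy.email /run/credentials/postfix.service/bouncy.email.sni.pem
+'';};
+"esmtp_access" = { type = "cidr"; text = ''
+# Allow DSN requests from local subnet only
+192.168.0.0/16 silent-discard
+172.16.0.0/12 silent-discard
+10.0.0.0/8 silent-discard
+0.0.0.0/0 silent-discard, dsn
+fd00::/8 silent-discard
+::/0 silent-discard, dsn
+'';};
+};
+config = {
+#the dh params
+smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;
+smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;
+#enable ECDH
+smtpd_tls_eecdh_grade = "strong";
+#enabled SSL protocols, don't allow SSLv2 and SSLv3
+smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"];
+smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"];
+#allowed ciphers for smtpd_tls_security_level=encrypt
+smtpd_tls_mandatory_ciphers = "high";
+#allowed ciphers for smtpd_tls_security_level=may
+#smtpd_tls_ciphers = high
+#enforce the server cipher preference
+tls_preempt_cipherlist = true;
+#disable following ciphers for smtpd_tls_security_level=encrypt
+smtpd_tls_mandatory_exclude_ciphers = ["aNULL" "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL"];
+#disable following ciphers for smtpd_tls_security_level=may
+smtpd_tls_exclude_ciphers = ["aNULL" "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL"];
+#enable TLS logging to see the ciphers for inbound connections
+smtpd_tls_loglevel = "1";
+#enable TLS logging to see the ciphers for outbound connections
+smtp_tls_loglevel = "1";
+
+smtpd_tls_ask_ccert = true;
+smtpd_tls_CAfile = toString ./ca/ca.crt;
+
+smtp_tls_security_level = "dane";
+smtp_dns_support_level = "dnssec";
+
+tls_server_sni_maps = postfix_hash "sni";
+
+local_recipient_maps = "";
+
+# 10 GiB
+message_size_limit = "10737418240";
+# 10 GiB
+mailbox_size_limit = "10737418240";
+
+smtpd_delay_reject = true;
+smtpd_helo_required = true;
+smtpd_helo_restrictions = "permit";
+
+smtpd_recipient_restrictions = [
+"reject_unauth_pipelining"
+"reject_non_fqdn_recipient"
+"reject_unknown_recipient_domain"
+"permit_mynetworks"
+"check_ccert_access ${postfix_hash "relay_ccert"}"
+"reject_non_fqdn_helo_hostname"
+"reject_invalid_helo_hostname"
+"reject_unauth_destination"
+"reject_unknown_recipient_domain"
+"reject_unverified_recipient"
+];
+
+smtpd_relay_restrictions = [
+"permit_mynetworks"
+"check_ccert_access ${postfix_hash "relay_ccert"}"
+"reject_unauth_destination"
+];
+
+propagate_unmatched_extensions = ["canonical" "virtual" "alias"];
+smtpd_authorized_verp_clients = "$authorized_verp_clients";
+authorized_verp_clients = "$mynetworks";
+
+milter_default_action = "accept";
+smtpd_milters = [config.services.opendkim.socket];
+non_smtpd_milters = [config.services.opendkim.socket];
+
+alias_maps = "";
+
+queue_run_delay = "10s";
+minimal_backoff_time = "1m";
+maximal_backoff_time = "10m";
+maximal_queue_lifetime = "100m";
+bounce_queue_lifetime = "20m";
+
+smtpd_discard_ehlo_keyword_address_maps = postfix_map "cidr" "esmtp_access";
+
+sender_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.forwardPort}";
+sender_canonical_classes = "envelope_sender";
+recipient_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.reversePort}";
+recipient_canonical_classes = ["envelope_recipient" "header_recipient"];
+};
+masterConfig = {
+smtps = {
+type = "inet";
+command = "smtpd";
+args = [
+"-o" "smtpd_tls_wrappermode=yes"
+"-o" "smtpd_tls_req_ccert=yes"
+"-o" "smtpd_client_restrictions=permit_tls_all_clientcerts,reject"
+"-o" "smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_tls_all_clientcerts,reject"
+];
+};
+};
+};
+
+services.postsrsd = {
+enable = true;
+domain = "srs.surtr.yggdrasil.li";
+separator = "+";
+excludeDomains = [ "surtr.yggdrasil.li"
+".bouncy.email" "bouncy.email"
+];
+};
+
+services.opendkim = {
+enable = true;
+# user = "postfix"; group = "postfix";
+# socket = "local:/run/opendkim/opendkim.sock";
+domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email"]}'';
+selector = "surtr";
+configFile = builtins.toFile "opendkim.conf" ''
+Syslog true
+MTACommand ${config.security.wrapperDir}/sendmail
+LogResults true
+'';
+};
+
+security.dhparams = {
+params = {
+"postfix-512".bits = 512;
+"postfix-1024".bits = 2048;
+};
+};
+
+security.acme.domains = let
+mkSNI = ''
+cat key.pem full.pem > sni.pem
+'';
+in {
+"bouncy.email" = {
+certCfg.postRun = mkSNI;
+};
+"mailin.bouncy.email" = {
+certCfg.postRun = mkSNI;
+};
+"mailsub.bouncy.email" = {
+certCfg.postRun = mkSNI;
+};
+"surtr.yggdrasil.li" = {};
+};
+
+systemd.services.postfix = {
+preStart = concatStringsSep "\n" (mapAttrsToList (to: from: let
+cont = {type, path, text}: assert !(isNull path && isNull text); let
+path' = if isNull path then pkgs.writeText to text else path;
+in ''
+ln -sf ${path'} /run/postfix/maps/${to}
+postmap ${type}:/run/postfix/maps/${to}
+'';
+in if builtins.isPath from then cont { path = from; } else cont from
+) config.services.postfix.mapFilesRun);
+
+serviceConfig = {
+RuntimeDirectory = ["postfix/maps"];
+LoadCredential = [
+"surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
+"surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
+"bouncy.email.sni.pem:${config.security.acme.certs."bouncy.email".directory}/sni.pem"
+"mailin.bouncy.email.sni.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/sni.pem"
+"mailsub.bouncy.email.sni.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/sni.pem"
+];
+};
+};
+};
+}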
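Review bot: `smtpd_tls_protocols` (line 69) lists `"!TLSv1.2"` as well, so the non-mandatory setting also leaves only TLS 1.3 enabled; if the port-25 listener runs with opportunistic TLS (the security level is not set in this file), a peer limited to TLS 1.2 will typically fall back to cleartext rather than fail, which weakens transport protection. I would keep the TLS-1.3-only list for `smtpd_tls_mandatory_protocols` and use `smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"];`, and update the comment above, which still describes only SSLv2/SSLv3 being disabled. Separately, `"postfix-512".bits = 512` produces export-grade DH parameters and `"postfix-1024".bits = 2048` no longer matches its name, so a comment explaining both (or dropping the 512-bit set if the deployed Postfix no longer reads it) would help. `"PSD"` in the two exclude-cipher lists looks like a typo for `PSK`.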
diff --git a/hosts/surtr/tls/tsig_keys/imap.bouncy.email b/hosts/surtr/tls/tsig_keys/imap.bouncy.email new file mode 100644 index 00000000..d3f86b23 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/imap.bouncy.email | |||
@@ -0,0 +1,26 @@ | |||
1 | { | ||
2 | "data": "ENC[AES256_GCM,data:V3upBG5uxBdr9mfEyRqJMhcPJ/zjLXACJObpjAm/zl8hPQMnLBID74+e6kap,iv:1qnlvtXKbSUGiMR5wE2XWM5L+COTzzaMlu0w8gPaiGA=,tag:xpMWaiuFAeKfhyYKdW+tmQ==,type:str]", | ||
3 | "sops": { | ||
4 | "kms": null, | ||
5 | "gcp_kms": null, | ||
6 | "azure_kv": null, | ||
7 | "hc_vault": null, | ||
8 | "age": null, | ||
9 | "lastmodified": "2022-05-05T11:44:35Z", | ||
10 | "mac": "ENC[AES256_GCM,data:C8C327hR+CdEZjqkQUoPNCXXmUbNSl2oHChLQuz0MOSvU0laN7rLcdJ2Mb/WodVgHdVNXtzAzLdOluXi5ikW6pZH4ZAkV1Dsr5E/WLR3TuSr0ULJx3+ZQnT6XJkzKn0MSS5/u/ctUpGoFki+xG2S4yQiGqArqXUktEF2XAROBSw=,iv:Sp22bqbXBBWX3wLWBqHuZaQ4ki3PNx7BFKb16uHHU7U=,tag:OxVOI2K0Tliven8sPXnzlw==,type:str]", | ||
11 | "pgp": [ | ||
12 | { | ||
13 | "created_at": "2022-05-05T11:44:35Z", | ||
14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAg+bD8OFCZiufY4QRUyLA3K0UMJS9rEbyE7vCExAazhUw\nYLPtQLtH3MFfS+HoDqrOtTy/1FadBbSBO8YC6bEeBpTksLpH5o3dqYCOPEzYWTKN\n0l4B66Bq+BgNuR+Ld4A+TdzNOfsmjIsEtVh2AKyfKFsg4+29MH5ImX11Wd4ek/5R\n1qD8evoz8DT+1sE2mX7gpGZj24x4A8CzhOPU/zQBaD7tf8omw6okERIi03jCpfml\n=C4Vt\n-----END PGP MESSAGE-----\n", | ||
15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
16 | }, | ||
17 | { | ||
18 | "created_at": "2022-05-05T11:44:35Z", | ||
19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA2g2y4txmaQ1pjMKcRqwjqCSzdOeyxqgaO7hNzVzRvwgw\nXggd7yj7dSW+JZ1/SOmeMDR2aL28B6lB89q2IdGDORBaa8/m6mSSnP/aNiMtj71M\n0l4BgV6lelcYvGJfqb9TDZFZVsCYAiONBzhOjJ4y31H09BTFrFEnTOK+iipiqjti\nlM4ejpSuKPrSwx16+7B/Pa/OEMWfRWn7tIIoRC8rEdWKCm1utKLlOoqpR4OA+5mT\n=VcqH\n-----END PGP MESSAGE-----\n", | ||
20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
21 | } | ||
22 | ], | ||
23 | "unencrypted_suffix": "_unencrypted", | ||
24 | "version": "3.7.2" | ||
25 | } | ||
26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/tls/tsig_keys/mailin.bouncy.email b/hosts/surtr/tls/tsig_keys/mailin.bouncy.email new file mode 100644 index 00000000..b7dbe8b9 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/mailin.bouncy.email | |||
@@ -0,0 +1,26 @@ | |||
1 | { | ||
2 | "data": "ENC[AES256_GCM,data:nvMkj1Mqz8/QCN2n1m4hMGDCMIM7OcX81yS4N3+ZsGWc/p6RtwogKp53ypd5,iv:UB70UEDF0znqZpA3Ov+EGQkH/ix0A6I6JwpHAFEcNqU=,tag:lJJ7AtVa35TJVdNIEPXu3Q==,type:str]", | ||
3 | "sops": { | ||
4 | "kms": null, | ||
5 | "gcp_kms": null, | ||
6 | "azure_kv": null, | ||
7 | "hc_vault": null, | ||
8 | "age": null, | ||
9 | "lastmodified": "2022-05-05T11:44:34Z", | ||
10 | "mac": "ENC[AES256_GCM,data:bIjM+KaKivOu3xy4+p+zXaQtzRGO5wQ/tZXCgEBA9TEjkTli+ypzUlaf8gtjPOED2nCie9+GX+6kKhopP+P28/PoIGVmTpMLtRgInpNh8/APlTN2TQoVyCld2zEJDi+Cqa+nMBispyQF06bB3UGeOdGnlZwgW2IlYH5wUcgGBng=,iv:SMJMogMoLmCFaBqMjgB2P+pVhC8JVZS3BzZyEjqhDM8=,tag:07SSpA0HP3oIpTzyUExr+Q==,type:str]", | ||
11 | "pgp": [ | ||
12 | { | ||
13 | "created_at": "2022-05-05T11:44:33Z", | ||
14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAfNwDDkgU3oYgQQzWu808G0xd8wwbDdRPzAvZpSW4ZUAw\nGKXrug34UAsJoCezXIArCbAXq8DGnsejkca90qS8JQAw94QxW/EVwjXXG1aUs2+2\n0l4B1WxA5Lt2/nQyeJjTOBcbTz07SPBlkdG5tZQEmJvoP33CTUUHNMQ9D1n3BFwZ\nOuWzFDBTXLqOzseL6PYCdjHMaU5fIll+GCIBufG9lZuqfP1YTyqLhgPLNpaO5kCX\n=4dC9\n-----END PGP MESSAGE-----\n", | ||
15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
16 | }, | ||
17 | { | ||
18 | "created_at": "2022-05-05T11:44:33Z", | ||
19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdActPNakdiaMdVMhHlp0L77VgtR6x7NZmJ2RU1pKcqCnsw\n4hJbSauDdaUXirG6ircfJeKfwSOobdDjFmrVfkhpV2JKRc8XQyKm9nx8B3nHLPRb\n0l4BY8LfKmiH4lSocO/3thKurtZKOCmk5kfvCTVC96aWOFab6+YapJvRIqvgupap\nM+bRH+xEqS5rmooQBwsFFya5kykVVODiwAkh9dIV0EdGhqJgChjd+LHetch08iyw\n=KnpG\n-----END PGP MESSAGE-----\n", | ||
20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
21 | } | ||
22 | ], | ||
23 | "unencrypted_suffix": "_unencrypted", | ||
24 | "version": "3.7.2" | ||
25 | } | ||
26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/tls/tsig_keys/mailsub.bouncy.email b/hosts/surtr/tls/tsig_keys/mailsub.bouncy.email new file mode 100644 index 00000000..ec2fa339 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/mailsub.bouncy.email | |||
@@ -0,0 +1,26 @@ | |||
1 | { | ||
2 | "data": "ENC[AES256_GCM,data:tJbGR8t8/CWyY8TnOtY+5Na+RuphkrMqm1qYnuF40AH84mjyVELH2Jskx5Cx,iv:i8uEr7cltXRubU7vXr+NSL4qnCbN/foyjobM9XyhiN8=,tag:zDpagteTiEpq29pN9byWOg==,type:str]", | ||
3 | "sops": { | ||
4 | "kms": null, | ||
5 | "gcp_kms": null, | ||
6 | "azure_kv": null, | ||
7 | "hc_vault": null, | ||
8 | "age": null, | ||
9 | "lastmodified": "2022-05-05T11:44:34Z", | ||
10 | "mac": "ENC[AES256_GCM,data:4RGSNI/aLfDMTH2r95uo+5bYNj1oIaKTSIuLu+a9jnihnoJgh1BIpi6q7ayTV25J31WvpqUdYtHmAqp0cgsgPnxleCA0rmL4KupMPPTx4RNmMDzPfHb+mez6iFwepkLpPSqLMs2hPvc9PuSJDY7r7gkGvRfxqT5U+1+d2m/31LM=,iv:5fEkvnz9HzUAV/Nxd0Y0OYUdNiqEkMwPkgQ+wA5u6nE=,tag:/LyrsMWedbpLOifj0/k9Ug==,type:str]", | ||
11 | "pgp": [ | ||
12 | { | ||
13 | "created_at": "2022-05-05T11:44:34Z", | ||
14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAwar8wbCJkkIsCWa4ADR82XxMQ9uywWi+1kOv0Hz3cSAw\nk4KuWWFjXhuRPGN+ueRrWaZbL2035RL9qjz6AzTf7dYd06q9uY/StQ4iwFGTrSWk\n0l4BSx9tzJ17BfrmDc8gHi7iJJzVWrSQS2BEkjQBvOqOz1RUFnyboe/whdBe3GLD\nTKN0tMUts9wliS2w1qtMrZJhHS4vNRICKlNcmVlShH42En4T9hlcIjwcdeX3Abjb\n=0DrA\n-----END PGP MESSAGE-----\n", | ||
15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
16 | }, | ||
17 | { | ||
18 | "created_at": "2022-05-05T11:44:34Z", | ||
19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAkd4osWJcn0o+iwi+92bCRf5PvZ++tKLOgUmzZ6AUIQ8w\nRRLkK9U03T6UFMeWvBv5oHLJIgtaseqQJ7P8YG3fhFFdKYkjpoFSvz0ofcdPpORE\n0l4BqBwoLFoVNF9vmjdm7Ggb3JeSRlp5dvn4ihppN5sMOVNMP9iVjFGZr4lHO6m3\n0sInfK2Gz1HZ+u74RaR+urMzr5kfD5ZAFymE93Ae9QASBBj98qM462w6vT2izVgV\n=ZDDP\n-----END PGP MESSAGE-----\n", | ||
20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
21 | } | ||
22 | ], | ||
23 | "unencrypted_suffix": "_unencrypted", | ||
24 | "version": "3.7.2" | ||
25 | } | ||
26 | } \ No newline at end of file | ||
diff --git a/hosts/surtr/tls/tsig_keys/surtr.yggdrasil.li b/hosts/surtr/tls/tsig_keys/surtr.yggdrasil.li new file mode 100644 index 00000000..6b3648e0 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/surtr.yggdrasil.li | |||
@@ -0,0 +1,26 @@ | |||
1 | { | ||
2 | "data": "ENC[AES256_GCM,data:OJbgB/u+4bo4mKVUGuULGeObTMsd83l1Q6nFiWAT5CN+jrX78g+iVR5QotOt,iv:Zoyn2dGBrXrAnKtGGW/r8WJDfbILOczQGQLgRlc0Xts=,tag:x5wrx92umguadfj6ARfsGg==,type:str]", | ||
3 | "sops": { | ||
4 | "kms": null, | ||
5 | "gcp_kms": null, | ||
6 | "azure_kv": null, | ||
7 | "hc_vault": null, | ||
8 | "age": null, | ||
9 | "lastmodified": "2022-05-05T11:44:33Z", | ||
10 | "mac": "ENC[AES256_GCM,data:LffMGjgzNp1gQQPBF+hUDh1YvgZqRYnS5521s0P1I0/1QlXj/iLYhNwIaTdBxYWFoeBcmvdkOXJV4YcTNqCmw8XaV9bNfezQTRlbskvAKZ1NPU6RRx6horWpguSWONnCMoFk5eaqeQA2Nr5rJ4kn8MSo46TMmHfR9Aj0fctuY1Q=,iv:E6Hu/jyY8WV+lm1AzRHVhI2Mdj2vDDwZcdR+KhM6gkc=,tag:I3F4gAQ3Eo86KL3fdeBz3g==,type:str]", | ||
11 | "pgp": [ | ||
12 | { | ||
13 | "created_at": "2022-05-05T11:44:33Z", | ||
14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA37udf4bGP58tefZPCe6GXJMyu+cCzmVwUh0Y78MZ4BEw\nC0kHrjRb/2EZHrWPiFrEuTipIw3GVe5THmQfQwA6AJnmYtIZywCB07SFF+myS1Qz\n0l4BY2H6MsZEhPUxEK/ek83XMzLdcm0uLbIoEZFjL6lM47v3C8/MipxE2+zqzzUr\n7KWtpZekshX3kc5Qgj+Brs+X+Vz35PheGgHs6mX1rOFbHGxcOcNlu1UK3n8p3W9i\n=B4Qz\n-----END PGP MESSAGE-----\n", | ||
15 | "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" | ||
16 | }, | ||
17 | { | ||
18 | "created_at": "2022-05-05T11:44:33Z", | ||
19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdALq2tsHKjoVkxuF2LubirDKj1mXBL8D9gEtBAgUL+e1Ew\nCircY5+tjUj067L94tbr59tyqVdbXhEXZWfk+yqarIErIlwW7VKYM4RMc+0ePUjA\n0l4BYQIILqERGv4uJG7nZhDVu4YMatMR9ALgED47OhXwjnVG40Ncwt669YpRqmcF\nlxCgqbcBcCc1MfRn+C7Q7hYmruqc9cIBRYlssZmMC10CCETRASxTgeNcDve24AVo\n=z5ML\n-----END PGP MESSAGE-----\n", | ||
20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
21 | } | ||
22 | ], | ||
23 | "unencrypted_suffix": "_unencrypted", | ||
24 | "version": "3.7.2" | ||
25 | } | ||
26 | } \ No newline at end of file | ||