Diffstat (limited to 'hosts/surtr')
-rw-r--r--hosts/surtr/dns/default.nix2
-rw-r--r--hosts/surtr/dns/keys/spm.bouncy.email_acme.yaml26
-rw-r--r--hosts/surtr/dns/zones/email.bouncy.soa8
-rw-r--r--hosts/surtr/email/default.nix24
-rw-r--r--hosts/surtr/tls/tsig_keys/spm.bouncy.email26
5 files changed, 83 insertions, 3 deletions
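--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -184,7 +184,7 @@ in {
  addACLs = { "rheperire.org" = ["ymir_acme_acl"]; };
  }
  { domain = "bouncy.email";
- acmeDomains = ["mailin.bouncy.email" "mailsub.bouncy.email" "imap.bouncy.email" "bouncy.email"];
+ acmeDomains = ["mailin.bouncy.email" "mailsub.bouncy.email" "imap.bouncy.email" "spm.bouncy.email" "bouncy.email"];
  }
  ]}
  '';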
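--- /dev/null
+++ b/hosts/surtr/dns/keys/spm.bouncy.email_acme.yaml
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:I8Fc6jr7yq63KQNKP1LlnZFX/AXC15HK9+3hMHFvTrqpCOZ/Pg+N5Vw+QUy2MP4F4CTE7m7yPSrejqwHiMT7OUVvEbxywgwbT9JBN8YUVhorp5FcAMXoSWDFOxgzpQ3YRR+2FcRO7M6VbCFzp7yCQY9I7/OLWShUPZv9oEBI1LRtx9Zko4yMPRF895wvIqR50KHmvL4YQhPubIt4dozYi3yJSAKLLgBDVF64I+YactydP1LLpkq+JGb8DIYRwyGxFCxM3U+1wrkbSioR3Ut+Xw==,iv:46KiDfXa3eVewPDouUYOz7PenuwaRbOgbuSDmMTVBXs=,tag:DZphA+jv7FpYhW+spnFnIA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-05-15T13:16:43Z",
+ "mac": "ENC[AES256_GCM,data:ctSwR9AUO7jcAto8H+qic4bZ14Zu3Vh/yH/TANLLDomEOcpfUjGneLO2mv5J4RM0O+G0mMULseqMXYWPYPAaXLz91ynkROoX76q/H+yf+mDBl7bfO/tzg8XmAZvQjtBCv7ctLY1OXe144uOoxeYfrM4Tv72K1dehEI/eJPCNIak=,iv:bwhXaEOJte0LmpKS0pQ4nLgrCrcmUNIqCdcrm6c/7b0=,tag:pzCYdGnYC8cPUL/h9V5z9w==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-05-15T13:16:43Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA8Qw/R0Q22h6YqOt3yLHzFH8ef5tc6oBNx+1lGtxOi3Qw\nEJko8z7Lv5DScheFgECls03rlt9HH7cmPnkQhUnqmfbyzYuosLVM+G0bswpu01ot\n0l4BNBsavoLAa68LFtJGBViM1kojb/UteeYC1cvq2TeXLNaQ90QmGnC6GJHZvzpi\n/u7Rl0DdGoagHrTtVKnNGtvOdwFYeG6iPRHl8Ko9D0HTkgW7dkJ77tw2Wqt0POjs\n=BhzO\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ },
+ {
+ "created_at": "2022-05-15T13:16:43Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAFp33Ruo0AivhV6jjRzoZQvtexS5WEkeoKf4xjRjmKB8w\nRCCCUGiwg8+sz9q+T89QeV26yIQBFQR3kvoamPltW+VZfGuh3oPjl6NbL0MpGsr5\n0l4BDJgG7sIJRZokW0/pwdAJ0PZrKlPxtUoaorM//pLGd0eNbIUGlNT2Jcvsc3Z9\nIkMISOK4wcTj/KvCXfPsN0KiedEKYEj4pq80h1hIWu2910yicSKVNjfL7lARUgTk\n=qTBm\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.2"
+ }
+}
\ No newline at end of file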
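Review bot: The new key file carries a `.yaml` name but has the single-`data`-key layout sops writes for its binary store, and sops itself picks the store from the file extension; because JSON is valid YAML the file still decrypts, but a YAML-store consumer would likely emit a YAML document `data: <secret>` rather than the bare key bytes. If the consumer is told the format explicitly (e.g. sops-nix `format = "binary"`), this is only a naming inconsistency; otherwise naming the file without an extension, as `hosts/surtr/tls/tsig_keys/spm.bouncy.email` in this same commit does, removes the ambiguity. The missing trailing newline is what sops writes and is expected.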
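--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
- 2022050600 ; serial
+ 2022051500 ; serial
  10800 ; refresh
  3600 ; retry
  604800 ; expire
@@ -57,3 +57,9 @@ _acme-challenge.imap IN NS ns.yggdrasil.li.
 
 _imaps._tcp IN SRV 5 0 993 imap.bouncy.email.
 _sieve._tcp IN SRV 5 0 4190 imap.bouncy.email.
+
+spm IN A 202.61.241.61
+spm IN AAAA 2a03:4000:52:ada::
+spm IN MX 0 mailin.bouncy.email.
+spm IN TXT "v=spf1 redirect=bouncy.email"
+_acme-challenge.spm IN NS ns.yggdrasil.li.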
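--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -19,6 +19,8 @@ let
  done
  '';
  };
+
+ spmDomains = ["bouncy.email"];
 in {
  config = {
  nixpkgs.overlays = [
@@ -567,7 +569,7 @@ in {
  "mailsub.bouncy.email" = {};
  "imap.bouncy.email" = {};
  "surtr.yggdrasil.li" = {};
- };
+ } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
 
  systemd.services.postfix = {
  serviceConfig.LoadCredential = [
@@ -597,5 +599,25 @@ in {
  ];
  };
  };
+
+ services.nginx.virtualHosts = listToAttrs (map (domain: nameValuePair "spm.${domain}" {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/spm.${domain}.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/spm.${domain}.key.pem";
+ extraConfig = ''
+ ssl_stapling off;
+ ssl_verify_client on;
+ ssl_client_certificate ${toString ./ca/ca.crt};
+ '';
+ locations."/".extraConfig = ''
+ default_type text/plain;
+ return 200 "$ssl_client_verify $ssl_client_s_dn ${domain}";
+ '';
+ }) spmDomains);
+
+ systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
+ "spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"
+ "spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"
+ ]) spmDomains;
  };
 }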
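Review bot: `ssl_client_certificate ${toString ./ca/ca.crt}` in the new nginx vhost interpolates the evaluation-time path of the checkout rather than a store path, so the generated nginx.conf points at a file that exists on the host only if that source tree (or, under flakes, its store copy) happens to be present there at runtime; interpolating the path value directly, `ssl_client_certificate ${./ca/ca.crt};`, copies the public CA certificate into the store and makes the reference self-contained. The certificate and key are handed to nginx through `LoadCredential`, which systemd populates at service start, so after an ACME renewal a reload alone leaves nginx serving the previous certificate unless the `spm.${domain}` cert's `reloadServices`/`postRun` restarts the unit — the postfix `LoadCredential` list in the middle hunk has the same property, though it predates this commit. Since `ssl_verify_client on` rejects requests without a valid client certificate before any location runs, `$ssl_client_verify` in the returned body can only ever read `SUCCESS`; that is fine for a connectivity probe, but a one-line comment such as `# mTLS probe: only reached with a certificate signed by ca/ca.crt` would save the next reader from wondering whether failure states were meant to be reported.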
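--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/spm.bouncy.email
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:FAmXBSqf90a4TtxaZMjoEf/uflHc5KlzsfaVovYfg4hKLhzlsz9Skt0AATFa,iv:abl3DpIVLPk9sP0G3h/VLT8dtYBuAHP7ojo4me5OnN8=,tag:TFo3ynEetXEV5rkC5uaWaQ==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-05-15T13:17:01Z",
+ "mac": "ENC[AES256_GCM,data:/iqvcLW489vCFnTyVldH9IniRZ1cSavzoAqpkTtVT12ur9vIC9H38psHypgMRqSCrMTciispQM/gLTHFkUxMEFlm44zEbcsI2krJaB+PV+LGy+1gpJksD7JLQp+o5jCHB3CcY8pEk1NaCLMxekJbOj2Kd3LYnMHXk87LOdI9cfk=,iv:m20mpovM6sjDYeuCdRSCEUDz0/orhLlKYLsenxshl6g=,tag:3XaAxA4B2rN3ugLUTlA6tA==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-05-15T13:17:01Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAVKePqPnN7JgcDtSPrtJw+1Zdkf/fQwzxfq4WC+lPzhEw\nSJSOsfh2jv3z2SmbYPCpi+T2Gu12C5rBwP6FeB3s8IZpNs/+8oxflG2gH2xtAPmd\n0lwB1gaDej+yLf1GmVLI3e6aSa5WsWEmDgj8jcsjUqp2Ws2LYlTcyDZvhyd1G4RN\n2G6k8TjdKnTsrXHVqwTKdYtND6U8Bh6wqXFhFWNvqFc8wtrXcz8Nfx//gbQGdA==\n=vu0v\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ },
+ {
+ "created_at": "2022-05-15T13:17:01Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAaeTRfIyydnIVadNeupg2ZyNyS+j6wuvaIrhLgFyNui0w\ntGLO4P7iVXgyWQXRfowRzJPBrDvfE2P8mLTwH4nXVtpILZuZsoASMdmy5Fasc3eh\n0lwBIiucRLpz24kquPzeS0mN8gQ63Cfk5jmc3lI65g2yxmVNhkdNH7V8tk/h0lHZ\nPASmxnPxNfPTBJYYQki+vBWOgqLm0S5W24nRDAUrHWdPprj1Umej7/vg6Edx5A==\n=N8cz\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.2"
+ }
+}
\ No newline at end of file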