1 files changed, 39 insertions, 68 deletions
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 22790fbb..a2e93e32 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -42,6 +42,7 @@ let
  };
  spmDomains = ["bouncy.email"];
+  emailDomains = spmDomains ++ ["kleen.consulting"];
 in {
  config = {
    nixpkgs.overlays = [
@@ -107,17 +108,12 @@ in {
        smtp_tls_connection_reuse = true;
-        tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" ''
+        tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" (
-          bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem
+          concatMapStringsSep "\n\n" (domain:
-          mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem
+            concatMapStringsSep "\n" (subdomain: "${subdomain} /run/credentials/postfix.service/${subdomain}.full.pem")
-          mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.full.pem
+              [domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]
-          .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem
+          ) emailDomains
+        )}'';
-          kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem
-          mailin.kleen.consulting /run/credentials/postfix.service/mailin.kleen.consulting.full.pem
-          mailsub.kleen.consulting /run/credentials/postfix.service/mailsub.kleen.consulting.full.pem
-          .kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem
-        ''}'';
        smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";
@@ -282,16 +278,14 @@ in {
      domain = "surtr.yggdrasil.li";
      separator = "+";
      excludeDomains = [ "surtr.yggdrasil.li"
-                         ".bouncy.email" "bouncy.email"
+                       ] ++ concatMap (domain: [".${domain}" domain]) emailDomains;
-                         ".kleen.consulting" "kleen.consulting"
-                       ];
    };
    services.opendkim = {
      enable = true;
      user = "postfix"; group = "postfix";
      socket = "local:/run/opendkim/opendkim.sock";
-      domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email" "kleen.consulting"]}'';
+      domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li"] ++ emailDomains)}'';
      selector = "surtr";
      configFile = builtins.toFile "opendkim.conf" ''
        Syslog true
@@ -429,23 +423,14 @@ in {
        first_valid_gid = ${toString config.users.groups.dovecot2.gid}
        last_valid_gid = ${toString config.users.groups.dovecot2.gid}
-        local_name imap.bouncy.email {
+        ${concatMapStringsSep "\n\n" (domain:
-          ssl_cert = </run/credentials/dovecot2.service/imap.bouncy.email.pem
+          concatMapStringsSep "\n" (subdomain: ''
-          ssl_key = </run/credentials/dovecot2.service/imap.bouncy.email.key.pem
+            local_name ${subdomain} {
-        }
+              ssl_cert = </run/credentials/dovecot2.service/${subdomain}.pem
-        local_name bouncy.email {
+              ssl_key = </run/credentials/dovecot2.service/${subdomain}.key.pem
-          ssl_cert = </run/credentials/dovecot2.service/bouncy.email.pem
+            }
-          ssl_key = </run/credentials/dovecot2.service/bouncy.email.key.pem
+          '') ["imap.${domain}" domain]
-        }
+        ) emailDomains}
-        local_name imap.kleen.consulting {
-          ssl_cert = </run/credentials/dovecot2.service/imap.kleen.consulting.pem
-          ssl_key = </run/credentials/dovecot2.service/imap.kleen.consulting.key.pem
-        }
-        local_name kleen.consulting {
-          ssl_cert = </run/credentials/dovecot2.service/kleen.consulting.pem
-          ssl_key = </run/credentials/dovecot2.service/kleen.consulting.key.pem
-        }
        ssl_require_crl = no
        ssl_verify_client_cert = yes
@@ -667,29 +652,20 @@ in {
    security.acme.domains = {
      "surtr.yggdrasil.li" = {};
-      "bouncy.email" = {};
+    } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains)
-      "mailin.bouncy.email" = {};
+    // listToAttrs (concatMap (domain:
-      "mailsub.bouncy.email" = {};
+      map (subdomain: nameValuePair subdomain {})
-      "imap.bouncy.email" = {};
+        [domain "mailin.${domain}" "mailsub.${domain}" "imap.${domain}" "mta-sts.${domain}"]
-      "mta-sts.bouncy.email" = {};
+    ) emailDomains);
-      "kleen.consulting" = {};
-      "mailin.kleen.consulting" = {};
-      "mailsub.kleen.consulting" = {};
-      "imap.kleen.consulting" = {};
-      "mta-sts.kleen.consulting" = {};
-    } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
    systemd.services.postfix = {
      serviceConfig.LoadCredential = [
        "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
        "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
-        "bouncy.email.full.pem:${config.security.acme.certs."bouncy.email".directory}/full.pem"
+      ] ++ concatMap (domain:
-        "mailin.bouncy.email.full.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/full.pem"
+        map (subdomain: "${subdomain}.full.pem:${config.security.acme.certs.${subdomain}.directory}/full.pem")
-        "mailsub.bouncy.email.full.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/full.pem"
+          [domain "mailin.${domain}" "mailsub.${domain}"]
-        "kleen.consulting.full.pem:${config.security.acme.certs."kleen.consulting".directory}/full.pem"
+      ) emailDomains;
-        "mailin.kleen.consulting.full.pem:${config.security.acme.certs."mailin.kleen.consulting".directory}/full.pem"
-        "mailsub.kleen.consulting.full.pem:${config.security.acme.certs."mailsub.kleen.consulting".directory}/full.pem"
-      ];
    };
    systemd.services.dovecot2 = {
@@ -703,15 +679,13 @@ in {
        LoadCredential = [
          "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
          "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
-          "bouncy.email.key.pem:${config.security.acme.certs."bouncy.email".directory}/key.pem"
+        ] ++ concatMap (domain:
-          "bouncy.email.pem:${config.security.acme.certs."bouncy.email".directory}/fullchain.pem"
+          concatMap (subdomain: [
-          "imap.bouncy.email.key.pem:${config.security.acme.certs."imap.bouncy.email".directory}/key.pem"
+            "${subdomain}.key.pem:${config.security.acme.certs.${subdomain}.directory}/key.pem"
-          "imap.bouncy.email.pem:${config.security.acme.certs."imap.bouncy.email".directory}/fullchain.pem"
+            "${subdomain}.pem:${config.security.acme.certs.${subdomain}.directory}/fullchain.pem"
-          "kleen.consulting.key.pem:${config.security.acme.certs."kleen.consulting".directory}/key.pem"
+          ])
-          "kleen.consulting.pem:${config.security.acme.certs."kleen.consulting".directory}/fullchain.pem"
+            [domain "imap.${domain}"]
-          "imap.kleen.consulting.key.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/key.pem"
+        ) emailDomains;
-          "imap.kleen.consulting.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/fullchain.pem"
-        ];
      };
    };
@@ -770,20 +744,17 @@ in {
              ''} $out/.well-known/mta-sts.txt
            '';
          };
-      }) ["bouncy.email" "kleen.consulting"]);
+      }) emailDomains);
    };
    systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
      "spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"
      "spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"
-    ]) spmDomains ++ [
+    ]) spmDomains ++ concatMap (domain: [
-      "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem"
+      "mta-sts.${domain}.key.pem:${config.security.acme.certs."mta-sts.${domain}".directory}/key.pem"
-      "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem"
+      "mta-sts.${domain}.pem:${config.security.acme.certs."mta-sts.${domain}".directory}/fullchain.pem"
-      "mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem"
+      "mta-sts.${domain}.chain.pem:${config.security.acme.certs."mta-sts.${domain}".directory}/chain.pem"
-      "mta-sts.kleen.consulting.key.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/key.pem"
+    ]) emailDomains;
-      "mta-sts.kleen.consulting.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/fullchain.pem"
-      "mta-sts.kleen.consulting.chain.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/chain.pem"
-    ];
    systemd.services.spm = {
      serviceConfig = {

diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 22790fbb..a2e93e32 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix
@@ -42,6 +42,7 @@ let
42	};	42	};
43		43
44	spmDomains = ["bouncy.email"];	44	spmDomains = ["bouncy.email"];
		45	emailDomains = spmDomains ++ ["kleen.consulting"];
45	in {	46	in {
46	config = {	47	config = {
47	nixpkgs.overlays = [	48	nixpkgs.overlays = [
@@ -107,17 +108,12 @@ in {
107		108
108	smtp_tls_connection_reuse = true;	109	smtp_tls_connection_reuse = true;
109		110
110	tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" ''	111	tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" (
111	bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem	112	concatMapStringsSep "\n\n" (domain:
112	mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem	113	concatMapStringsSep "\n" (subdomain: "${subdomain} /run/credentials/postfix.service/${subdomain}.full.pem")
113	mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.full.pem	114	[domain "mailin.${domain}" "mailsub.${domain}" ".${domain}"]
114	.bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem	115	) emailDomains
115		116	)}'';
116	kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem
117	mailin.kleen.consulting /run/credentials/postfix.service/mailin.kleen.consulting.full.pem
118	mailsub.kleen.consulting /run/credentials/postfix.service/mailsub.kleen.consulting.full.pem
119	.kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem
120	''}'';
121		117
122	smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";	118	smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";
123		119
@@ -282,16 +278,14 @@ in {
282	domain = "surtr.yggdrasil.li";	278	domain = "surtr.yggdrasil.li";
283	separator = "+";	279	separator = "+";
284	excludeDomains = [ "surtr.yggdrasil.li"	280	excludeDomains = [ "surtr.yggdrasil.li"
285	".bouncy.email" "bouncy.email"	281	] ++ concatMap (domain: [".${domain}" domain]) emailDomains;
286	".kleen.consulting" "kleen.consulting"
287	];
288	};	282	};
289		283
290	services.opendkim = {	284	services.opendkim = {
291	enable = true;	285	enable = true;
292	user = "postfix"; group = "postfix";	286	user = "postfix"; group = "postfix";
293	socket = "local:/run/opendkim/opendkim.sock";	287	socket = "local:/run/opendkim/opendkim.sock";
294	domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email" "kleen.consulting"]}'';	288	domains = ''csl:${concatStringsSep "," (["surtr.yggdrasil.li"] ++ emailDomains)}'';
295	selector = "surtr";	289	selector = "surtr";
296	configFile = builtins.toFile "opendkim.conf" ''	290	configFile = builtins.toFile "opendkim.conf" ''
297	Syslog true	291	Syslog true
@@ -429,23 +423,14 @@ in {
429	first_valid_gid = ${toString config.users.groups.dovecot2.gid}	423	first_valid_gid = ${toString config.users.groups.dovecot2.gid}
430	last_valid_gid = ${toString config.users.groups.dovecot2.gid}	424	last_valid_gid = ${toString config.users.groups.dovecot2.gid}
431		425
432	local_name imap.bouncy.email {	426	${concatMapStringsSep "\n\n" (domain:
433	ssl_cert = </run/credentials/dovecot2.service/imap.bouncy.email.pem	427	concatMapStringsSep "\n" (subdomain: ''
434	ssl_key = </run/credentials/dovecot2.service/imap.bouncy.email.key.pem	428	local_name ${subdomain} {
435	}	429	ssl_cert = </run/credentials/dovecot2.service/${subdomain}.pem
436	local_name bouncy.email {	430	ssl_key = </run/credentials/dovecot2.service/${subdomain}.key.pem
437	ssl_cert = </run/credentials/dovecot2.service/bouncy.email.pem	431	}
438	ssl_key = </run/credentials/dovecot2.service/bouncy.email.key.pem	432	'') ["imap.${domain}" domain]
439	}	433	) emailDomains}
440
441	local_name imap.kleen.consulting {
442	ssl_cert = </run/credentials/dovecot2.service/imap.kleen.consulting.pem
443	ssl_key = </run/credentials/dovecot2.service/imap.kleen.consulting.key.pem
444	}
445	local_name kleen.consulting {
446	ssl_cert = </run/credentials/dovecot2.service/kleen.consulting.pem
447	ssl_key = </run/credentials/dovecot2.service/kleen.consulting.key.pem
448	}
449		434
450	ssl_require_crl = no	435	ssl_require_crl = no
451	ssl_verify_client_cert = yes	436	ssl_verify_client_cert = yes
@@ -667,29 +652,20 @@ in {
667		652
668	security.acme.domains = {	653	security.acme.domains = {
669	"surtr.yggdrasil.li" = {};	654	"surtr.yggdrasil.li" = {};
670	"bouncy.email" = {};	655	} // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains)
671	"mailin.bouncy.email" = {};	656	// listToAttrs (concatMap (domain:
672	"mailsub.bouncy.email" = {};	657	map (subdomain: nameValuePair subdomain {})
673	"imap.bouncy.email" = {};	658	[domain "mailin.${domain}" "mailsub.${domain}" "imap.${domain}" "mta-sts.${domain}"]
674	"mta-sts.bouncy.email" = {};	659	) emailDomains);
675	"kleen.consulting" = {};
676	"mailin.kleen.consulting" = {};
677	"mailsub.kleen.consulting" = {};
678	"imap.kleen.consulting" = {};
679	"mta-sts.kleen.consulting" = {};
680	} // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
681		660
682	systemd.services.postfix = {	661	systemd.services.postfix = {
683	serviceConfig.LoadCredential = [	662	serviceConfig.LoadCredential = [
684	"surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"	663	"surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
685	"surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"	664	"surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
686	"bouncy.email.full.pem:${config.security.acme.certs."bouncy.email".directory}/full.pem"	665	] ++ concatMap (domain:
687	"mailin.bouncy.email.full.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/full.pem"	666	map (subdomain: "${subdomain}.full.pem:${config.security.acme.certs.${subdomain}.directory}/full.pem")
688	"mailsub.bouncy.email.full.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/full.pem"	667	[domain "mailin.${domain}" "mailsub.${domain}"]
689	"kleen.consulting.full.pem:${config.security.acme.certs."kleen.consulting".directory}/full.pem"	668	) emailDomains;
690	"mailin.kleen.consulting.full.pem:${config.security.acme.certs."mailin.kleen.consulting".directory}/full.pem"
691	"mailsub.kleen.consulting.full.pem:${config.security.acme.certs."mailsub.kleen.consulting".directory}/full.pem"
692	];
693	};	669	};
694		670
695	systemd.services.dovecot2 = {	671	systemd.services.dovecot2 = {
@@ -703,15 +679,13 @@ in {
703	LoadCredential = [	679	LoadCredential = [
704	"surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"	680	"surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
705	"surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"	681	"surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
706	"bouncy.email.key.pem:${config.security.acme.certs."bouncy.email".directory}/key.pem"	682	] ++ concatMap (domain:
707	"bouncy.email.pem:${config.security.acme.certs."bouncy.email".directory}/fullchain.pem"	683	concatMap (subdomain: [
708	"imap.bouncy.email.key.pem:${config.security.acme.certs."imap.bouncy.email".directory}/key.pem"	684	"${subdomain}.key.pem:${config.security.acme.certs.${subdomain}.directory}/key.pem"
709	"imap.bouncy.email.pem:${config.security.acme.certs."imap.bouncy.email".directory}/fullchain.pem"	685	"${subdomain}.pem:${config.security.acme.certs.${subdomain}.directory}/fullchain.pem"
710	"kleen.consulting.key.pem:${config.security.acme.certs."kleen.consulting".directory}/key.pem"	686	])
711	"kleen.consulting.pem:${config.security.acme.certs."kleen.consulting".directory}/fullchain.pem"	687	[domain "imap.${domain}"]
712	"imap.kleen.consulting.key.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/key.pem"	688	) emailDomains;
713	"imap.kleen.consulting.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/fullchain.pem"
714	];
715	};	689	};
716	};	690	};
717		691
@@ -770,20 +744,17 @@ in {
770	''} $out/.well-known/mta-sts.txt	744	''} $out/.well-known/mta-sts.txt
771	'';	745	'';
772	};	746	};
773	}) ["bouncy.email" "kleen.consulting"]);	747	}) emailDomains);
774	};	748	};
775		749
776	systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [	750	systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
777	"spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"	751	"spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"
778	"spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"	752	"spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"
779	]) spmDomains ++ [	753	]) spmDomains ++ concatMap (domain: [
780	"mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem"	754	"mta-sts.${domain}.key.pem:${config.security.acme.certs."mta-sts.${domain}".directory}/key.pem"
781	"mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem"	755	"mta-sts.${domain}.pem:${config.security.acme.certs."mta-sts.${domain}".directory}/fullchain.pem"
782	"mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem"	756	"mta-sts.${domain}.chain.pem:${config.security.acme.certs."mta-sts.${domain}".directory}/chain.pem"
783	"mta-sts.kleen.consulting.key.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/key.pem"	757	]) emailDomains;
784	"mta-sts.kleen.consulting.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/fullchain.pem"
785	"mta-sts.kleen.consulting.chain.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/chain.pem"
786	];
787		758
788	systemd.services.spm = {	759	systemd.services.spm = {
789	serviceConfig = {	760	serviceConfig = {