From 17d24a633e75592f8b0dd5346c919c261332c90c Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Tue, 27 Dec 2022 15:28:59 +0100
Subject: kleen.consulting

---
 hosts/surtr/dns/default.nix                        |  3 +
 .../surtr/dns/keys/imap.kleen.consulting_acme.yaml | 26 ++++++++
 hosts/surtr/dns/keys/kleen.consulting_acme.yaml    | 26 ++++++++
 .../dns/keys/mailin.kleen.consulting_acme.yaml     | 26 ++++++++
 .../dns/keys/mailsub.kleen.consulting_acme.yaml    | 26 ++++++++
 .../dns/keys/mta-sts.kleen.consulting_acme.yaml    | 26 ++++++++
 hosts/surtr/dns/zones/consulting.kleen.soa         | 73 ++++++++++++++++++++++
 hosts/surtr/email/default.nix                      | 52 +++++++++++----
 hosts/surtr/http/default.nix                       | 17 -----
 hosts/surtr/http/webdav/default.nix                | 29 +++++++--
 hosts/surtr/tls/default.nix                        |  2 +-
 hosts/surtr/tls/tsig_keys/imap.kleen.consulting    | 26 ++++++++
 hosts/surtr/tls/tsig_keys/kleen.consulting         | 26 ++++++++
 hosts/surtr/tls/tsig_keys/mailin.kleen.consulting  | 26 ++++++++
 hosts/surtr/tls/tsig_keys/mailsub.kleen.consulting | 26 ++++++++
 hosts/surtr/tls/tsig_keys/mta-sts.kleen.consulting | 26 ++++++++
 16 files changed, 401 insertions(+), 35 deletions(-)
 create mode 100644 hosts/surtr/dns/keys/imap.kleen.consulting_acme.yaml
 create mode 100644 hosts/surtr/dns/keys/kleen.consulting_acme.yaml
 create mode 100644 hosts/surtr/dns/keys/mailin.kleen.consulting_acme.yaml
 create mode 100644 hosts/surtr/dns/keys/mailsub.kleen.consulting_acme.yaml
 create mode 100644 hosts/surtr/dns/keys/mta-sts.kleen.consulting_acme.yaml
 create mode 100644 hosts/surtr/dns/zones/consulting.kleen.soa
 create mode 100644 hosts/surtr/tls/tsig_keys/imap.kleen.consulting
 create mode 100644 hosts/surtr/tls/tsig_keys/kleen.consulting
 create mode 100644 hosts/surtr/tls/tsig_keys/mailin.kleen.consulting
 create mode 100644 hosts/surtr/tls/tsig_keys/mailsub.kleen.consulting
 create mode 100644 hosts/surtr/tls/tsig_keys/mta-sts.kleen.consulting

diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index e0637b3b..fbfec256 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -189,6 +189,9 @@ in {
           { domain = "bouncy.email";
             acmeDomains = ["mailin.bouncy.email" "mailsub.bouncy.email" "imap.bouncy.email" "spm.bouncy.email" "mta-sts.bouncy.email" "bouncy.email"];
           }
+          { domain = "kleen.consulting";
+            acmeDomains = ["mailin.kleen.consulting" "mailsub.kleen.consulting" "imap.kleen.consulting" "mta-sts.kleen.consulting" "kleen.consulting"];
+          }
         ]}
       '';
     };
diff --git a/hosts/surtr/dns/keys/imap.kleen.consulting_acme.yaml b/hosts/surtr/dns/keys/imap.kleen.consulting_acme.yaml
new file mode 100644
index 00000000..37a94693
--- /dev/null
+++ b/hosts/surtr/dns/keys/imap.kleen.consulting_acme.yaml
@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:t7xEYLesuzkfihA3sVd7Q+0QxZDsJd3qrIHmoqGsYuXO19Ae1pyEJyMfEYe09bxCaFStah1OMoL0ZdalzDBztfPj1f8Rn2270Yft+1i5qLOawKeTG7NUD00DPUfAxtwjxxr/fpxPLryI32hRwJ7lTTibZDVGN2dLTgsYCHiZcaWTTi9ZW2W1WGGEF3EMYsId2AIa00e1aX8xxauemoCtnEoyHzfJHiTBhJwQE10YzmY0yvTGtJySfNVRFqYnoJWaBS7Qt1FbpUcv2Pd9ZqU3immYZJY0og2+Mts=,iv:IuOgRaV8qm7vRg27psvKvUYaaYtecOo2WW74G5+6Ddg=,tag:sWZ0Qyk21mSg0Ze8ZisS1A==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-12-27T14:23:03Z",
+		"mac": "ENC[AES256_GCM,data:EE1byrlNG3y+62hcdTlC2R5s1Q9FJvzpbT8yVIZfaXpK8V/0BUZo3oNfiv43qGeSXBda58XQ0a+WEhoW0PETHZEKwqDMcOwkB/39JRInIIjy4AO73gq+8Q2f0Uz4vFWJszPbuc1Sx/2zPcqjN8r53pG8dAnAtpIxJHBmDBlRp78=,iv:SZOzFjdRdhGKDkg10lM5EeF/1LzVbVL78PCg6+x0nvo=,tag:m4yyLcjMz6yuTEU1HQyzcw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-12-27T14:23:03Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAzgKPZSReVLFxDv5FrRDVvrN/KuaJtilnbXiunrbjj0Qw\nJrhb9u9CEfSbw2Awr893DssCEmBsmcgJsu2tO+WYJLLl9EMqiv/a3BUxP7EdSi4A\n0l4B6dplMxktqE9CTSxO/H2WNYobng32PxfIHtQUfdg/E66QJuKR6pj6ExmITTOV\nlkBfyTOoPreKI5+cdy8hBGH4/5Mfga88UTrB+lk0kXog6s/QaXPz2HDlPDw3gTZq\n=h4Vw\n-----END PGP MESSAGE-----\n",
+				"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+			},
+			{
+				"created_at": "2022-12-27T14:23:03Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdABNXiiUHXBlVqB/44Z7CkjkJ8BJrp3XfsdFKCU4EClTww\n6kNZVhi3zk5WJo2Rs5FL/8tyAXzzwGF/9nGiN/91Rk+KUW3poXO/ENkxoEacyXqT\n0l4B+4VSajdP7MDVw0x48xr/D6qobx4rsBVrT1YX/YtSWymF3/ytddgVxqAyysWC\nQONCydTfRn0jBAjyLu3+e10zZ961WYxe1Nq5hJZR+BiJ0m/FjU1Z4ukebyOG1ks+\n=MyJj\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
\ No newline at end of file
diff --git a/hosts/surtr/dns/keys/kleen.consulting_acme.yaml b/hosts/surtr/dns/keys/kleen.consulting_acme.yaml
new file mode 100644
index 00000000..443533ca
--- /dev/null
+++ b/hosts/surtr/dns/keys/kleen.consulting_acme.yaml
@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:hve7CwUKajPdbRYUnd58j4+MkJWk3Vr2cNxmFJ+E1cUtRlQF3UeOBaZ2a+yDXJrTwtw4tw7+by+ZQ8HUJ0Z7LTE7mx/EQ/FMMyQEopvPgaBjDk9xmWVe4JJsO6w31Hpl1Niu49TQyCakptvgTHs3cFUYFBTNTJeYAZuDq3BvZ5Hagr8UKiGcyu3jCaohPYqFZuRhhasnpF5kLQ5m8oP78iyKx+kuqUoryrP0atkveB9VGH2obVlRRrMQkE7VTlM3UNGl1TjmV6W+XPcWnQp2BQ==,iv:eiYnWiBCgGzDCXgREDg1sHzQhKpel8zb8MMQUOGSLFU=,tag:VKowaUlQ8zxR1OVHwAa8Zw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-12-27T14:22:55Z",
+		"mac": "ENC[AES256_GCM,data:7HS406wQjJAkjJ/nessmXyYjSZUvvt3c+rh6g1DGY5Qx4OiMjsqtPdKqwyd8GflaHOwveXYl+l3Ws3hqvVItIWUscrA8YRVuvvLiXNHTOJ35I1xpfOfrJR6R4GjncZ3NLn/uXmT88Rd+5wyVzxG/NSajEX6vRFfJMH1YIZzvJIY=,iv:camTYTuw/huEsNkPudN7ZZPb36rRdIdqVvqhqwVY9y8=,tag:lzAjBUzyok6W7rWxKARs5g==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-12-27T14:22:54Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAjPnl2v4+xAwAupY8EA94bLsHr0TxTrzos3xpUWzsMy4w\n2D0uNr0+NPuOqMD0psr+Mv/WfDW1SMhHcK9sa5Y0JEmdLg3jBUFrUInyqdYGj8j5\n0lwBcsyp7uvsMDbQHYzrX7Zz3Fo5NInZtgwyAAVoLZTzXTOj7U/mGpl0WFf+7t+6\nfPkp4b1DeORFrgkggciZy9fGqac7eLLn2fcqdXqDFcE2TIk7Ahtf52Y8TbHMRQ==\n=/D9Q\n-----END PGP MESSAGE-----\n",
+				"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+			},
+			{
+				"created_at": "2022-12-27T14:22:54Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdApyLDGhMx8Ie5VncLqBa6qOed4Fq9gGXZN+/Y1nlRQBgw\n+8PmRdb+7xggzDcyzdOB9cYfYB1XBj9x7JhjK3O2U1Pclcr0d9G4/AsMm5CJa8cm\n0lwBxpCBkK5GQTNJ8SHEaY+EEmDnTWf+9Fe8yU+bMumq8FX03E2MVj3TX9TIXfpi\nFwF/nlov3ecpG7IYT1tsd5AsXvZcA3l1//o0Xr24ck8qDaWvuEu/y1dvUzTUQQ==\n=EUFK\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
\ No newline at end of file
diff --git a/hosts/surtr/dns/keys/mailin.kleen.consulting_acme.yaml b/hosts/surtr/dns/keys/mailin.kleen.consulting_acme.yaml
new file mode 100644
index 00000000..13bfe96e
--- /dev/null
+++ b/hosts/surtr/dns/keys/mailin.kleen.consulting_acme.yaml
@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:6oOxLQ4chP/DRzs7DImi/kx4R86JLrjgtCyqSPn75HJMxVntcxkJDYIkDtIbvqdvCGDoYsMD0RfZy8hRTO+t76R0WPW160Z5XHuKFvLl5to/xgfb4fHZKby7paYdGScPho8kszQnFKEaM78JpkVWxqYq3sl620unkw4H6QZR4fMmEzaZWKAu2tjTn0Ytl+9fj9mwmWZRJXtqby2MQP3xbVhFuLgLWI/15S1wygbX7ORlnmZvWunKpH/D6m109Xxo8IRfpApPwYlnZw79rMse/4QYUDT/ekeeE/4RTAwC,iv:uqz5Yp7BpxQFg14swjNS5yvW2xH4HUFbZwKGoTVXrIE=,tag:RiBW3FbSsy1D2JYyK5kTIg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-12-27T14:23:02Z",
+		"mac": "ENC[AES256_GCM,data:Hm7dawU5Gw9Fm2ERSfaX97q6ia6iw999qofUIWAznEQSqeat8n6cGxiVsXU2scG1LYHUvtyGowFZ9KIbRBXSr1DootH5BzHYqP7Fh3/kKIgk2VToKqr2fUTcjQz0vSxJq9gdIeUpX68qLBptJJYbMtnk0tZUVMcXExiqIHB/9hA=,iv:W4WX0J0jXzixLFBnzvEv/p7Ockv5O7hf/x6WgoIRNTw=,tag:N6zfewA0bIIR3UVqRlUOqA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-12-27T14:23:02Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAxGlaM4KVKBdUNjCIY1uBXJgRJhPBOoZTjZ1fntNXwU4w\nu82oB1vDeIzdDtRqvA6iv5QHV7MOAgv9hVtQemiDAjzrhUlzGkw/TGzmmbfhKbtB\n0l4B+HNbxNOqimYxBNHeJeeTAgPU3lu1AI8bDbQqpIyp7WXJ5nuxPKWxFgSEPgqX\nXRdNgardnV4XElgascQdvN7aGgb9qTXu/5lp/4btQ2PdO1at9io7RsE7tvJWKno0\n=lMzD\n-----END PGP MESSAGE-----\n",
+				"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+			},
+			{
+				"created_at": "2022-12-27T14:23:02Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAs4KR4Eed6EPThcPa8ngRTwuj048jtx4o7Bpg18SF/iIw\nih5u3V1RtclZeee/q4fsckoJeenIUGp0YzUUqligWALbxTwyPwJzHQX9yovTtkbR\n0l4BHtPvjbTmb3agauGVPS/xrBJDLu408mrQ6jTE61XwMVeNYwHGo5+FVvNq6xpl\nlRtgKHHrjJ35+1BBZ4tKKrnx3OskdAE9f/ZpNfF2/jPVtJystjOp01sGhpfMD4Nz\n=XbgW\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
\ No newline at end of file
diff --git a/hosts/surtr/dns/keys/mailsub.kleen.consulting_acme.yaml b/hosts/surtr/dns/keys/mailsub.kleen.consulting_acme.yaml
new file mode 100644
index 00000000..5c5fe95f
--- /dev/null
+++ b/hosts/surtr/dns/keys/mailsub.kleen.consulting_acme.yaml
@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:ef1zV1ci2IDU/lo+EzyyFknDTvGt1z8XYbdaY2zu0H5FxXk5IfKZdnM51zKgHLUy3Rx70tAgNYvWFaeaxCLT+MpTKAZqvf9bfcVweWy3lzSpva5NRRFxHppLfUt+PPyD/6DpxtHh1K61qfdWUb84Hz9X87urzJKLVWjj/4Djy96gjv9AlfOuUVMd/rpzL6zPxaISBMuG7IQMoEQBoRruMkjZFf0ZYX2S1b43h+IYjzO6ax6wHUgdDK/OBEKC6nnhp/+AcDgpDq0wpdcsTDxL2QeqJSvBoFXdJy3XVAtF2+U=,iv:PYokWslsh62z/A0ovueEKmp4Ft7zczPlUsTbHaP3464=,tag:9tf3gtmo9ps/TR6RWwAIhg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-12-27T14:23:02Z",
+		"mac": "ENC[AES256_GCM,data:e9KCj4IT+JozPfGGI+6h9l2XzIp+X4GWd2eJaJtvkh1AwrGeMHrOsODSed7VrXvEphWdp6lpur6RLjRpOjfjYx2pLvSmwlzEmPMNEdXsqUOZ9TBcfvr0GNS9jjqODigZdkV9xk4ewTHUu/mHI+E1YaVvvmxdtY5J5OxPSfp3v1k=,iv:nMU/9cksmCYI3gDqajZgrOJiK/XUMnj/xbxpceHQSVc=,tag:fDnEQC8LGvwQkK3yT/j93A==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-12-27T14:23:02Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAKR2IFELTa7fiOCfmNK/LQpubb6nfsckcjRI3SkCCTzAw\nEXQlE3uffl5nS5asRHClbAlqMjJ8VUu6rRFn5CA9WE4WRhMwyb43OGjfbq/XZ3Qd\n0l4Bt8aFVuG9qABrJz0Af0fxbMkudvAYfrOYC3xBRRXplfT9C1nsequ8iB3p6P4U\nHPOa8C+x2Nxcdj3LQb5Y9wZPxPFe83FOeZsc4NU8Owyg2JHd4+WZwb/GlsEoyzPd\n=++pf\n-----END PGP MESSAGE-----\n",
+				"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+			},
+			{
+				"created_at": "2022-12-27T14:23:02Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAQA9FxCaP4DlenocEO1QjHxHml29D3Z4Z+kc+j8y8czYw\nLgPW/609sH8154aQ9RetBTKExT6rfztU+mz51lTDt+26Ob5ubTQkupiJW6jLjQ0l\n0l4BNKCAh3wbq8UZrSAAGlAIND2sdln/AgCW1u6Is79kbTOiio3lTz0ANpeex34Q\nmgdAnT4cjMmFUND4DUBjY132VZAO6Mm8hUq/cwLPq30Hw96ziqqKA7QvV/DJTrTy\n=voja\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
\ No newline at end of file
diff --git a/hosts/surtr/dns/keys/mta-sts.kleen.consulting_acme.yaml b/hosts/surtr/dns/keys/mta-sts.kleen.consulting_acme.yaml
new file mode 100644
index 00000000..fb11861d
--- /dev/null
+++ b/hosts/surtr/dns/keys/mta-sts.kleen.consulting_acme.yaml
@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:23qTQLFAPxPZoyZTzWRO7FUiaJqX4OqPibgo7vwf8xMHxY4+f40CJIsPzqxY++2ibJTOdazIHrA4qc5DYXU+CQyaUgLOJR1TDlqYvOh0b3OW44dJxKrFN2SAHHLOrOlYl5lG8wJBfY6Wlimu5lPAwVLe3T3J9sjVsyC5cq2x3UZHXN0sQuo8D1xuQKW+Mnjk7Ps63XC6dmhT3T6lsZiYgaZD15MNCVrhyHZIJ0gVJiqbwF/JFWN9fngpzYjoP+P2p5X3L8ny8+wPQ8Asfx49FF6ulMr1TXrDAn4ulGSmQUU=,iv:PGSTIaRbBfd9HDN9GY/rpCwByJ3hWohDs4TC3BApSB0=,tag:eOSnZBplKoNXbuinQ7SOjw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-12-27T14:23:03Z",
+		"mac": "ENC[AES256_GCM,data:5pc74n2LKOcmkEam04IsaoXsbihL9GeT37N51OH8tL7kBKARebdp4U+/ZALnCWlmlnTwvW1mqIxIamQlITITfPXIfa+oKjB8ywNnvG0EMYSYSfnebjstpz7GqyFJfNMh7nDXm9VdoJktsnzzLDD+iwfIpsfFSkqyJkY92gThuds=,iv:nO4XyZACLjj6V2URqbOBRYlHPuKFlI+B07xq5SPgaIo=,tag:s/4D5K8+SiLCACTwG1Woxg==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-12-27T14:23:03Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAPNnBI8+RdSV2BArAqqBQZ2AEjkrvKtl9KA/ZUyEqJyEw\nykVNwIOFa/LkWGojkbuozkvAaZnLaHVq90dAtGmeapfshTwocHWQrwYUpsDKpg86\n0l4BmfY8MR35TAzi8PLN/twTwKJGeuqaelNF8pYA6cLTqfMOCwTBqzq/GxvtLmOC\nfGG0WfktIVqJ2dsg/GSUaef86R4coq4RbzSZ48+9wCqM0M2PXz/ZjoTesmNSpGJU\n=WW0d\n-----END PGP MESSAGE-----\n",
+				"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+			},
+			{
+				"created_at": "2022-12-27T14:23:03Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAysI9J0A1cdISPE6qONk2wGbgmub7Kc5an4XVWUj0vUow\nZW3RIBQXwTDyrcWjGDeoxK4k/2uWCuDWcUUKtiNtitQioaq1RLPrHACKRbfJQrX8\n0l4BzrBvz6FmTFVCgrK9+knE+VxOCkYRKR9qE6OI5I8gLGTeF2HOkxQCtC3ibbEX\nTmvUh88riy613MWe8RbgNgpLINOkBa7ifkUenoDuDbZ5FvcKNzNSv25lYewPFbaz\n=rds+\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
\ No newline at end of file
diff --git a/hosts/surtr/dns/zones/consulting.kleen.soa b/hosts/surtr/dns/zones/consulting.kleen.soa
new file mode 100644
index 00000000..605924b4
--- /dev/null
+++ b/hosts/surtr/dns/zones/consulting.kleen.soa
@@ -0,0 +1,73 @@
+$ORIGIN kleen.consulting.
+$TTL 3600
+@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
+  2022122701 ; serial
+  10800	     ; refresh
+  3600	     ; retry
+  604800     ; expire
+  3600	     ; min TTL
+)
+
+			IN	NS	ns.yggdrasil.li.
+			IN	NS	ns.inwx.de.
+			IN	NS	ns2.inwx.de.
+			IN	NS	ns3.inwx.eu.
+
+@			IN	CAA	128 issue "letsencrypt.org; validationmethods=dns-01"
+@			IN	CAA	128 iodef "mailto:hostmaster@kleen.consulting"
+
+@			IN	A	202.61.241.61
+@			IN	AAAA	2a03:4000:52:ada::
+@			IN	MX	0 mailin.kleen.consulting.
+@			IN	TXT	"v=spf1 a:mailout.kleen.consulting -all"
+
+surtr._domainkey	IN	CNAME	surtr._domainkey.yggdrasil.li.
+_dmarc			IN	TXT	"v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@kleen.consulting;ruf=mailto:postmaster@kleen.consulting"
+
+_acme-challenge       	IN	NS	ns.yggdrasil.li.
+
+*			IN	A	202.61.241.61
+*			IN	AAAA	2a03:4000:52:ada::
+*			IN	MX	0 mailin.kleen.consulting.
+*			IN	TXT	"v=spf1 redirect=kleen.consulting"
+
+mailout			IN	A	202.61.241.61
+mailout			IN	AAAA	2a03:4000:52:ada::
+mailout			IN	MX	0 mailin.kleen.consulting.
+mailout			IN	TXT	"v=spf1 redirect=kleen.consulting"
+
+mailin			IN	A	202.61.241.61
+mailin			IN	AAAA	2a03:4000:52:ada::
+mailin			IN	MX	0 mailin.kleen.consulting.
+mailin			IN	TXT	"v=spf1 redirect=kleen.consulting"
+_acme-challenge.mailin	IN	NS	ns.yggdrasil.li.
+
+; _25._tcp.mailin	IN	TLSA	2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
+; _25._tcp.mailin 	IN	TLSA	2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
+; _25._tcp.mailin 	IN	TLSA	2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
+; _25._tcp.mailin 	IN	TLSA	2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
+
+mailsub			IN	A	202.61.241.61
+mailsub			IN	AAAA	2a03:4000:52:ada::
+mailsub			IN	MX	0 mailin.kleen.consulting.
+mailsub			IN	TXT	"v=spf1 redirect=kleen.consulting"
+_acme-challenge.mailsub	IN	NS	ns.yggdrasil.li.
+
+_submissions._tcp	IN	SRV	5 0 465 mailsub.kleen.consulting.
+
+imap			IN	A	202.61.241.61
+imap			IN	AAAA	2a03:4000:52:ada::
+imap			IN	MX	0 mailin.kleen.consulting.
+imap			IN	TXT	"v=spf1 redirect=kleen.consulting"
+_acme-challenge.imap	IN	NS	ns.yggdrasil.li.
+
+_imaps._tcp		IN	SRV	5 0 993 imap.kleen.consulting.
+_sieve._tcp		IN	SRV	5 0 4190 imap.kleen.consulting.
+
+_mta-sts		IN	TXT	"v=STSv1; id=2022100600"
+_smtp._tls		IN	TXT	"v=TLSRPTv1; rua=mailto:postmaster@kleen.consulting"
+mta-sts			IN	A	202.61.241.61
+mta-sts			IN	AAAA	2a03:4000:52:ada::
+mta-sts			IN	MX	0 mailin.kleen.consulting.
+mta-sts			IN	TXT	"v=spf1 redirect=kleen.consulting"
+_acme-challenge.mta-sts	IN	NS	ns.yggdrasil.li.
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 80611c3c..22790fbb 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -112,6 +112,11 @@ in {
           mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem
           mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.full.pem
           .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem
+
+          kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem
+          mailin.kleen.consulting /run/credentials/postfix.service/mailin.kleen.consulting.full.pem
+          mailsub.kleen.consulting /run/credentials/postfix.service/mailsub.kleen.consulting.full.pem
+          .kleen.consulting /run/credentials/postfix.service/kleen.consulting.full.pem
         ''}'';
 
         smtp_tls_policy_maps = "socketmap:unix:${config.services.postfix-mta-sts-resolver.settings.path}:postfix";
@@ -278,6 +283,7 @@ in {
       separator = "+";
       excludeDomains = [ "surtr.yggdrasil.li"
                          ".bouncy.email" "bouncy.email"
+                         ".kleen.consulting" "kleen.consulting"
                        ];
     };
 
@@ -285,7 +291,7 @@ in {
       enable = true;
       user = "postfix"; group = "postfix";
       socket = "local:/run/opendkim/opendkim.sock";
-      domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email"]}'';
+      domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email" "kleen.consulting"]}'';
       selector = "surtr";
       configFile = builtins.toFile "opendkim.conf" ''
         Syslog true
@@ -432,6 +438,15 @@ in {
           ssl_key = </run/credentials/dovecot2.service/bouncy.email.key.pem
         }
 
+        local_name imap.kleen.consulting {
+          ssl_cert = </run/credentials/dovecot2.service/imap.kleen.consulting.pem
+          ssl_key = </run/credentials/dovecot2.service/imap.kleen.consulting.key.pem
+        }
+        local_name kleen.consulting {
+          ssl_cert = </run/credentials/dovecot2.service/kleen.consulting.pem
+          ssl_key = </run/credentials/dovecot2.service/kleen.consulting.key.pem
+        }
+
         ssl_require_crl = no
         ssl_verify_client_cert = yes
 
@@ -651,12 +666,17 @@ in {
     };
 
     security.acme.domains = {
+      "surtr.yggdrasil.li" = {};
       "bouncy.email" = {};
       "mailin.bouncy.email" = {};
       "mailsub.bouncy.email" = {};
       "imap.bouncy.email" = {};
       "mta-sts.bouncy.email" = {};
-      "surtr.yggdrasil.li" = {};
+      "kleen.consulting" = {};
+      "mailin.kleen.consulting" = {};
+      "mailsub.kleen.consulting" = {};
+      "imap.kleen.consulting" = {};
+      "mta-sts.kleen.consulting" = {};
     } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
 
     systemd.services.postfix = {
@@ -666,6 +686,9 @@ in {
         "bouncy.email.full.pem:${config.security.acme.certs."bouncy.email".directory}/full.pem"
         "mailin.bouncy.email.full.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/full.pem"
         "mailsub.bouncy.email.full.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/full.pem"
+        "kleen.consulting.full.pem:${config.security.acme.certs."kleen.consulting".directory}/full.pem"
+        "mailin.kleen.consulting.full.pem:${config.security.acme.certs."mailin.kleen.consulting".directory}/full.pem"
+        "mailsub.kleen.consulting.full.pem:${config.security.acme.certs."mailsub.kleen.consulting".directory}/full.pem"
       ];
     };
 
@@ -684,6 +707,10 @@ in {
           "bouncy.email.pem:${config.security.acme.certs."bouncy.email".directory}/fullchain.pem"
           "imap.bouncy.email.key.pem:${config.security.acme.certs."imap.bouncy.email".directory}/key.pem"
           "imap.bouncy.email.pem:${config.security.acme.certs."imap.bouncy.email".directory}/fullchain.pem"
+          "kleen.consulting.key.pem:${config.security.acme.certs."kleen.consulting".directory}/key.pem"
+          "kleen.consulting.pem:${config.security.acme.certs."kleen.consulting".directory}/fullchain.pem"
+          "imap.kleen.consulting.key.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/key.pem"
+          "imap.kleen.consulting.pem:${config.security.acme.certs."imap.kleen.consulting".directory}/fullchain.pem"
         ];
       };
     };
@@ -713,12 +740,11 @@ in {
             proxy_set_header SPM-DOMAIN "${domain}";
           '';
         };
-      }) spmDomains) // {
-        "mta-sts.bouncy.email" = {
+      }) spmDomains) // listToAttrs (map (domain: nameValuePair "mta-sts.${domain}" {
           forceSSL = true;
-          sslCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.pem";
-          sslCertificateKey = "/run/credentials/nginx.service/mta-sts.bouncy.email.key.pem";
-          sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.chain.pem";
+          sslCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.pem";
+          sslCertificateKey = "/run/credentials/nginx.service/mta-sts.${domain}.key.pem";
+          sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.${domain}.chain.pem";
 
           extraConfig = ''
             add_header Strict-Transport-Security "max-age=63072000" always;
@@ -734,18 +760,17 @@ in {
               charset utf-8;
               source_charset utf-8;
             '';
-            root = pkgs.runCommand "mta-sts" {} ''
+            root = pkgs.runCommand "mta-sts.${domain}" {} ''
               mkdir -p $out/.well-known
-              cp ${pkgs.writeText "mta-sts.txt" ''
+              cp ${pkgs.writeText "mta-sts.${domain}.txt" ''
                 version: STSv1
                 mode: enforce
                 max_age: 2419200
-                mx: mailin.bouncy.email
+                mx: mailin.${domain}
               ''} $out/.well-known/mta-sts.txt
             '';
           };
-        };
-      };
+      }) ["bouncy.email" "kleen.consulting"]);
     };
 
     systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
@@ -755,6 +780,9 @@ in {
       "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem"
       "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem"
       "mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem"
+      "mta-sts.kleen.consulting.key.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/key.pem"
+      "mta-sts.kleen.consulting.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/fullchain.pem"
+      "mta-sts.kleen.consulting.chain.pem:${config.security.acme.certs."mta-sts.kleen.consulting".directory}/chain.pem"
     ];
 
     systemd.services.spm = {
diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix
index 920f939c..3d7f3ebf 100644
--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -35,23 +35,6 @@
         ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
         RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
         RuntimeDirectoryMode = "0750";
-
-        NoNewPrivileges = lib.mkForce false;
-        PrivateDevices = lib.mkForce false;
-        ProtectHostname = lib.mkForce false;
-        ProtectKernelTunables = lib.mkForce false;
-        ProtectKernelModules = lib.mkForce false;
-        RestrictAddressFamilies = lib.mkForce [ ];
-        LockPersonality = lib.mkForce false;
-        MemoryDenyWriteExecute = lib.mkForce false;
-        RestrictRealtime = lib.mkForce false;
-        RestrictSUIDSGID = lib.mkForce false;
-        SystemCallArchitectures = lib.mkForce "";
-        ProtectClock = lib.mkForce false;
-        ProtectKernelLogs = lib.mkForce false;
-        RestrictNamespaces = lib.mkForce false;
-        SystemCallFilter = lib.mkForce "";
-        ReadWritePaths = [ "/srv/files" ];
       };
     };
 
diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix
index 1da411d3..0443bc97 100644
--- a/hosts/surtr/http/webdav/default.nix
+++ b/hosts/surtr/http/webdav/default.nix
@@ -76,11 +76,30 @@ in {
       };
     };
 
-    systemd.services.nginx.serviceConfig.LoadCredential = [
-      "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
-      "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
-      "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
-    ];
+    systemd.services.nginx.serviceConfig = {
+      LoadCredential = [
+        "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
+        "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
+        "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
+      ];
+
+      NoNewPrivileges = lib.mkForce false;
+      PrivateDevices = lib.mkForce false;
+      ProtectHostname = lib.mkForce false;
+      ProtectKernelTunables = lib.mkForce false;
+      ProtectKernelModules = lib.mkForce false;
+      RestrictAddressFamilies = lib.mkForce [ ];
+      LockPersonality = lib.mkForce false;
+      MemoryDenyWriteExecute = lib.mkForce false;
+      RestrictRealtime = lib.mkForce false;
+      RestrictSUIDSGID = lib.mkForce false;
+      SystemCallArchitectures = lib.mkForce "";
+      ProtectClock = lib.mkForce false;
+      ProtectKernelLogs = lib.mkForce false;
+      RestrictNamespaces = lib.mkForce false;
+      SystemCallFilter = lib.mkForce "";
+      ReadWritePaths = [ "/srv/files" ];
+    };
 
 
     # services.uwsgi.instance.vassals.webdav = {
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index 0a3024d2..4e60a3f9 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -36,7 +36,7 @@ in {
   };
 
   config = {
-    security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email" "bouncy.email"] (domain: { wildcard = true; });
+    security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email" "bouncy.email" "kleen.consulting"] (domain: { wildcard = true; });
 
     fileSystems."/var/lib/acme" =
       { device = "surtr/safe/var-lib-acme";
diff --git a/hosts/surtr/tls/tsig_keys/imap.kleen.consulting b/hosts/surtr/tls/tsig_keys/imap.kleen.consulting
new file mode 100644
index 00000000..4274b6c1
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/imap.kleen.consulting
@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:Bj5DPnwGwY10vX35NbsWUawEjx5RoUe5tyQUhERD2VLRrnoyho3YI0c/3pIP,iv:6Mwcp8orH4sQGubV9FeSWqFgT4pyK57MWSKbDaijfvY=,tag:zQZLCavwRDIOz419pMrjbQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-12-27T14:23:03Z",
+		"mac": "ENC[AES256_GCM,data:A89e988MUk4M0hYPjt+rkidTT9G2t/pMvDWbA1pLp6ejuaDKOyqt8+4Z1ijA+ZWotam/+PS4OwiLYPWUv5yQYRZXEgIC4X+9zUqTzrk4YfHNzz5CxHv3xVRXDAv+THAuAZqpFcJHZsfwlrkJ8oT7aBM0QzGEYhRd6DqXrDm74Ec=,iv:rMrjW/5doBtymJipRPfS2HrAVOXmNLSESAmGfGrfRtM=,tag:hnnZaRoAajlaSs94Y1VF9Q==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-12-27T14:23:03Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA1Z/0PugoNJs50gvZpRdFzp5vykDq3WiLr5TpMMOcrm0w\nwzLloHyQzuZixmbhj0zJ8JEW38kaSwjiJhkifIYI81ab49SJKzrJk0/+QhFQwgQQ\n0l4BwWaAGzxg+VCvWVasXpFrxD3XTIa2d1PntLTNkrnLO0W75rWBuAOrKR74BS8y\nnKPFtG+jRW36ziESeqyPF+Grb+lMiVhqEBe/W1eeeUtCL8HVVfTBnNSBrWockDnj\n=FOND\n-----END PGP MESSAGE-----\n",
+				"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+			},
+			{
+				"created_at": "2022-12-27T14:23:03Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAuAdDkZ/i0CzkC8BtxDVRKXRYIPagMBUTue4T9hrfZjow\n2hCdSqXoiO9Nafl4p6hr+z/+hgvtd7+Vi6Vsx/hYEYyQGGMj4kBjtrCLaIXrNwzk\n0l4BWzYVis9DReZ4b9dQjqOqFOFXTNjjdDvKT2XvB6UC7Ak92Urp0aASQr6cOOa5\nr5k3j1AYlhMeYpSmz7uzWjLcIAqH84KFBAEvsm644ymmKkM0o6lZfzYN2TsoEjnP\n=CXUK\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
\ No newline at end of file
diff --git a/hosts/surtr/tls/tsig_keys/kleen.consulting b/hosts/surtr/tls/tsig_keys/kleen.consulting
new file mode 100644
index 00000000..48b6e4b4
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/kleen.consulting
@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:hLR+WPUazhZzM+YIR6IMMFjKcupbhZ/Gnu2kv873FW9cnV6pPz5is+eX/Qh6,iv:FAuop9mU4RxBMr/9+cpQDnrRoTaIk7rFh1u2kdLTJ2g=,tag:swtnoDGWisJjGkv4/xE2nw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-12-27T14:23:01Z",
+		"mac": "ENC[AES256_GCM,data:zDAuZdupb97yeKlS8j1J0SkP3xHMi62SVOgc4NAyqiQgSRnRVhO0uxf3Ms3nVhijqFOS0IeaHsEQM6cCcfq5Hf5/073XHV9/QTcCQsQxPqabwHLvO3Tkzc+lcWicwm0PUt3Plh4QybXwKSaYKJr8RZzlgltOl6CJN7fERIyNayY=,iv:G2te52MStm0o7+qjzIHs335x/PQHdcfiIrnF534+0sA=,tag:FwZRHR8vQiyhls04Ic97Aw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-12-27T14:23:01Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAVnsoiamZ0mwkgB/VDWMxCME/uxGYqZc50h332nFBGSQw\nhPTkYSghPXdCPzBAcFglpBnhTiluREUp0oWJuCoimJAkOmECLM6wACZPjit3cvSw\n0lwB0zzKGtRNsnIwy5pM70am1Yu54JAkcqdOGJZFEH24m3gNdJVWnnMcbXNNfxnN\nIgQDDmL8gw68lpw8wKOwGi5XIfwQwwSBm7cesLa2X4a6UKLgBRSYkwtkEkskJw==\n=bhXe\n-----END PGP MESSAGE-----\n",
+				"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+			},
+			{
+				"created_at": "2022-12-27T14:23:01Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA44YcVmRcpMqRAdiZrtA/cXds6gPgRFbu1QokzhovUTIw\ni1bumXheuSh1EwgV+ds/eP03LRwWjkRWApzl1h7D2SS3R+1U2e43kzIORyi33Cwb\n0lwB5GGeLSRPirj1WSMe1WEXCizl330mEwgNYGs2HT1r9tHESTIO9CRnPzed3EXP\nhfH92t4HMCwIzWI7D78ExR/uNHiHhOhBs0Jz3V6HSOmKpPReLtb2sVNMjO6fKA==\n=ak0g\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
\ No newline at end of file
diff --git a/hosts/surtr/tls/tsig_keys/mailin.kleen.consulting b/hosts/surtr/tls/tsig_keys/mailin.kleen.consulting
new file mode 100644
index 00000000..70fe6f95
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/mailin.kleen.consulting
@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:iWIbjv56LHaOza+6l/5EwyOxrslupEjhyMJbe9hTYEeeqyxRkt2mQUXOjDYD,iv:CVUMbqzYGsgPA3wXHfi/XqR0NMDR+hEmYRQOUHUNhWw=,tag:YbMEErHIJL5tKaqWpXjs5A==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-12-27T14:23:02Z",
+		"mac": "ENC[AES256_GCM,data:e4oe95ZDgKZv6/Zy4P4r4u/fWHHLTsL1ieB1ut6Ktg4B2L/DPxuxEO0b5ajXFr8tkmA9/DL1Bfv5TT2145v/Kyy1NeXYGUGbg/BtrTYlUSekYVbHIHtNBYLgOQzNL5tlrhyFXsVHx8a0BZKVEmqMocNiz4kIjU4JJ1ORHxS5M4w=,iv:vN/y8TXg6RSxi7OyioIVA0NoiaPpIZU94tLEOCgvXHI=,tag:uAf7psK/HZ1cs621Y3LOoA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-12-27T14:23:02Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdADTdcU/shxjYVUAxYWJKSM3oRDpYCCJ9al76z3glcNQYw\nmIlrpVfT3O+lOSgr1s07giFe/WEJb/A4ctYE7UUSpnowZbOHn8bia0JG/t58791I\n0l4BV7zeiWadAGJHDIRHZb2BRev/b4ho/UYnHG+LTaGnAa9phfeOlRn7k6+sw8Ad\nDUBe1MPbsnBD7hT5IACxNZ4neXDaSJ9mOe5CP9u6SuDwFlMicW8XV3INXBcRQKZY\n=7Uw6\n-----END PGP MESSAGE-----\n",
+				"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+			},
+			{
+				"created_at": "2022-12-27T14:23:02Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAgQrdU3Dqlv5ZuGkbBdroYvAFRbKdKTzG4gCkRR85DgUw\n8vPKNv3d93sWLqrvw1VqMKvmIfVGLujqM4j9ZuecHodUPiMuSgLmbzsGS5HpiubB\n0l4By0O/oVeNWAmFNYRMyfZ5CH+YYyOZ8u8tBTR/6eHjOp7wlKpCqcFVg8UILkbn\nrRvpNEM1PDh+oZJ4nMA7pQkm7297H0+uyTioGxHq9DLAODepnlfz2ofCKd/jEO1+\n=Fh1g\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
\ No newline at end of file
diff --git a/hosts/surtr/tls/tsig_keys/mailsub.kleen.consulting b/hosts/surtr/tls/tsig_keys/mailsub.kleen.consulting
new file mode 100644
index 00000000..23da47b2
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/mailsub.kleen.consulting
@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:afqmlv3igzgTf1ezNK68FPOCEgxx1dhvpU7bLax+3kVIT1Be+/SIqMMKBbQj,iv:keoYQnGhTh46xKy/ARXInRl2BT6B/U1eqROQHNrybXY=,tag:/LHTlj1yxBVk5szKpFqXOw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-12-27T14:23:03Z",
+		"mac": "ENC[AES256_GCM,data:Un195JsFhtA99AEx89SGdZflAYOa/AHbcDxyQaMPiBI01ic7/EsYe6M6olv4E/PS1/+5b6ki6IeObl66Fv0ikKa36q6op8bJK/S3Mvza80FKcC6YKjmZp8R46MqxlntpIEtl1SaxeWlOf6XFSGS0HMfnCfnZ6+R/MXGM4ZHTofM=,iv:CP9JM+uSmKSskwD7SHEQGp/p8NwPu+c2eg+s7XKn+YU=,tag:LnhFimxAvhCCxYztRhjfgw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-12-27T14:23:02Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAwJ0Di7OfQ+O1k/D/tA3AzQAmwl/+8mN0kdLD/hAHyVMw\nSetR3yQECXHycm8uw24INYUg1gmVgSg8uunM06F9in15qC89nTBXyTwI37dvSRjM\n0l4BcfRGOenwU+XCRacm10eqZUtVTkgcD43Fz/wjghN6G6j4IGap6tJq6lnA21vb\nIM+qaaR1s8Abdd2CEqsvmB0vF4lacmr7yu1hr9c8C9ooe+pP6MTb4SOpoOjVIqqW\n=r9Oo\n-----END PGP MESSAGE-----\n",
+				"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+			},
+			{
+				"created_at": "2022-12-27T14:23:02Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA2xewM1PTAgVs4hggZclYUf3cElF/X1N/sDEsygP54UYw\nTby6Gv+iooRsVmE7FJbvFAVBYEHbNquHdyuSVs8KujoeunEB3xVqeARktC83dKaF\n0l4BzqnrEbTH9R3bnPKOiN8kGiOXS6UjmQZYfrFNphVGGOf/YcTOuGjUISsKd9K6\nDi3zyFY6NiY85Fb0U4LUtAlqz7mbqmjBho1kNezEFvmwLf12XdKE4SXmnnJMoruf\n=bZIq\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
\ No newline at end of file
diff --git a/hosts/surtr/tls/tsig_keys/mta-sts.kleen.consulting b/hosts/surtr/tls/tsig_keys/mta-sts.kleen.consulting
new file mode 100644
index 00000000..6f146483
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/mta-sts.kleen.consulting
@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:32WD88YaqLsJO//uygFzPLknns8FR/19E7FeB2fyFXnTI2lscJWILD5NwKLJ,iv:gdR4hfH/ahbOwgsVjxmv3qldr/LHxmi59WiRwGKWo/Y=,tag:mmw+bVqiRnRExy8lJXdb3Q==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-12-27T14:23:04Z",
+		"mac": "ENC[AES256_GCM,data:8EPTej63BLWSW1h6bGPBymbmxn/MTAYGlQXfNAZYOG7bvOT/OJEepZGM+GpwbTDT5adDC9BIwjIaIuvN2YxyQxamC0v2kt64JIfOJqNcL2YDkKF6GgQkdo86T+5N/xq/gma6JIrl1ZHromiUJIU/nTgkU4ouaX+syXQ+H3TgxFE=,iv:nUNYWMXB4QHKT70B01AQiw4utByAMCSY54Zo5XJ6C3E=,tag:NsEyfxPfgCIQZsKIFQTuiw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-12-27T14:23:04Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAeGtiVx4eUHTbjv3xB+wVYZawZIS/a2EmY47xxDX8O2gw\njMHI7vF4bQGlWbwnJLMXIfxtK5gUontCZgTHneqClXPF78hibtCUBuhvAvsu5DCs\n0l4ByzrIpQSjo51JYx0mmaPifSN30EvYbgtYRgExQ+b0FAUAzh7DyNvb++3kz1DI\nOUJ5Fwt6nwVdBZlgAPHIJaCF91DNhav833U/tY8DA9IzigAA5dVhB4pR0OMMsLND\n=nJtD\n-----END PGP MESSAGE-----\n",
+				"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+			},
+			{
+				"created_at": "2022-12-27T14:23:04Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAUE75g5kvTpMz2+wm0CKP2P0AfSMADGKQ/GW5kz4Rkmkw\nqUIe0vaLueUkbvAzgHvoNC+og+CUQo9qhSozK/vJLfxmKZ0gNbc2H56w3IKexoZs\n0l4BWF9JMxJPysnr19GW9kEstGT6cLCEzumojbsRqtOkEsISrHhHUjv2IYD1Tvpt\n0s9gdLIrr9ovwJV09LeUZOZZS+a4hBa3tGfFnWw81dAGnuZlXeC0kmTYV3Xn5cH5\n=i4Df\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
\ No newline at end of file
-- 
cgit v1.2.3