From cfc871cce6aefaa0ff64619780a807cba761c6b2 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 30 Jan 2023 12:20:23 +0100
Subject: ...
---
 hosts/surtr/email/ca/gkleen@sif.key | 9 ++-------
 hosts/surtr/email/default.nix | 22 +++++++++++++++-------
 hosts/surtr/email/spm-keys.json | 16 ++++++++--------
 3 files changed, 25 insertions(+), 22 deletions(-)
(limited to 'hosts/surtr/email')
diff --git a/hosts/surtr/email/ca/gkleen@sif.key b/hosts/surtr/email/ca/gkleen@sif.key
index 4578f4c2..5654d1d7 100644
--- a/hosts/surtr/email/ca/gkleen@sif.key
+++ b/hosts/surtr/email/ca/gkleen@sif.key
@@ -10,14 +10,9 @@ "mac": "ENC[AES256_GCM,data:A81DUOL1HrVuDyPUvVzqCk0MZB6PfOc0SRp6fg+EIiup28VIi+m3fbaiekEHGGRCAWJpmVJdS6ZZjfME92apl4264RxGZQ19apEYvdS2U2Oz3yC2G46ms3kUPfo2CGWw9bo2u9dOido3SA6SE7gnxzonAW4/JPpiSQaYCDLhJ68=,iv:+d1a55uqKCzp8DVcDypFgLrp8OPRy2i+r++Eu2xhPHU=,tag:wUvunpEkpa7poQsmrFYMRQ==,type:str]", "pgp": [ { - "created_at": "2022-11-07T15:55:22Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAnyLj503gWwWQEwVhWGx7IawWB7ISqFZk3EDGrlBLv3ww\n69Kbr5bqYg4guusvifS9KHBun8sIuHWf6QImZk5ugNBDLjHiHgqZq7mfhHXX0dUh\n0l4BqKsVGFprOOKAPT6hfXzXx0riJiaVSHAyJHyJkSygMgtZvROU2MbI0yqpO8RL\no495NGNGUPd6LQZMfQ/vHu6ZDFdz0O+pyuu6gOkixAMZCtvge4S4pCJnyJ4bW+x9\n=ExO9\n-----END PGP MESSAGE-----\n", + "created_at": "2023-01-30T10:58:17Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAPvQbjiSDLyHSZCnkrXCCY84/Q37oh4owBhYkV+6KuAEw\nuJnPKkKZ1tSZtBqBdGpQbO3pBPaDsYZ4oAQuyAp7ppjEWS5K2uLzsiaWeWv2tWik\n0l4BahpAbfvJr4tX1PRKixd2RT7rB7NpBv5GJ/5XgwxeMZ1t+Rtbzro3jXz8VQPX\nBS7SWk/TcyR2oljQxKCvQe7PZXmQ7Ue4sa5rtBCQwdYKz4c4OiNWE4lIt208xY3x\n=+UgS\n-----END PGP MESSAGE-----\n", "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" - }, - { - "created_at": "2022-11-07T15:55:22Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdA6ksiCbMWMGNLINj9knm+fZSLmCts8JkDWsWxm6VkSCgw\nB/EhaM8A6dWTJYG8T1hSFLak+FVl64g7ZeDW7dCp2sqJAMJ6DOOADsbWv2daVYP0\n0l4Bg39WApIorvMyTuZkmIwAQezucXJpI2rP/ZtximsG+ykFU2xpymL0+nCLbAcU\nRmVEiJERyrhWXVIQo0Czicis11LwS9thp4xseejpFAoSR5yse7oIAm8NJ6SRCpWg\n=bfoG\n-----END PGP MESSAGE-----\n", - "fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8" } ], "unencrypted_suffix": "_unencrypted", diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 0d1ccf30..0e2a78eb 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix 
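Review bot: Dropping recipient `F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8` from the `pgp` list does not by itself revoke that key's access. The `mac` line is unchanged context, which suggests the data key was only re-wrapped for the remaining recipient rather than rotated, and the ciphertext addressed to the removed key stays in git history. The same applies to the removal of `7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8` in the spm-keys.json hunk, where `lastmodified` and `mac` are also unchanged. If the removal is meant as revocation, rotate the data key (`sops -r` / `sops rotate`) and, because earlier revisions remain decryptable, reissue the underlying key material too.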
@@ -663,13 +663,18 @@ in {
 };
 };
 
- security.acme.domains = {
- "surtr.yggdrasil.li" = {};
- } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains)
- // listToAttrs (concatMap (domain:
- map (subdomain: nameValuePair subdomain {})
- [domain "mailin.${domain}" "mailsub.${domain}" "imap.${domain}" "mta-sts.${domain}"]
- ) emailDomains);
+ security.acme.rfc2136Domains = {
+ "surtr.yggdrasil.li" = {
+ restartUnits = [ "postfix.service" "dovecot2.service" ];
+ };
+ } // listToAttrs (map (domain: nameValuePair "spm.${domain}" { restartUnits = ["nginx.service"]; }) spmDomains)
+ // listToAttrs (concatMap (domain: [
+ (nameValuePair domain { restartUnits = ["postfix.service" "dovecot2.service"]; })
+ (nameValuePair "mailin.${domain}" { restartUnits = ["postfix.service"]; })
+ (nameValuePair "mailsub.${domain}" { restartUnits = ["postfix.service"]; })
+ (nameValuePair "imap.${domain}" { restartUnits = ["dovecot2.service"]; })
+ (nameValuePair "mta-sts.${domain}" { restartUnits = ["nginx.service"]; })
+ ]) emailDomains);
 
 systemd.services.postfix = {
 serviceConfig.LoadCredential = [
@@ -824,6 +829,9 @@ in {
 };
 };
 systemd.services."postfix-ccert-sender-policy" = {
+ after = [ "postgresql.service" ];
+ bindsTo = [ "postgresql.service" ];
+
 serviceConfig = {
 Type = "notify";
 
diff --git a/hosts/surtr/email/spm-keys.json b/hosts/surtr/email/spm-keys.json
index cefe27b1..92d07326 100644
--- a/hosts/surtr/email/spm-keys.json
+++ b/hosts/surtr/email/spm-keys.json
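Review bot: The name-to-unit mapping in the new `security.acme.rfc2136Domains` block is undocumented, so a maintainer adding a name has no hint that a daemon left out of `restartUnits` would presumably keep serving the previous certificate after renewal. A short comment above the block would cover it, e.g. `# restartUnits: every service that loads this name's certificate; anything not listed keeps the old cert until restarted` — adjust the wording if the option, which is defined outside this diff, behaves differently. It is also worth confirming that a full restart rather than a reload is intended for `postfix.service` and `dovecot2.service`, since a restart at each renewal would drop open SMTP and IMAP sessions. The enclosing attribute set starts and ends outside the hunk.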
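Review bot: `bindsTo = [ "postgresql.service" ];` in the second default.nix hunk stops `postfix-ccert-sender-policy` whenever PostgreSQL stops or fails, and nothing visible here starts the policy daemon again once the database is back. Unless a `wantedBy` or `Restart=` setting outside the hunk covers that case, the daemon can stay down after a database crash and automatic restart. While it is down, what postfix does with mail depends on `smtpd_policy_service_default_action`, so confirm that mail is deferred rather than accepted without the client-certificate sender check. A comment such as `# bound to PostgreSQL: stopped together with it, must be started again after DB recovery` next to the new lines would record the intent. The service definition continues past the end of the hunk.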
@@ -5,19 +5,19 @@ "gcp_kms": null, "azure_kv": null, "hc_vault": null, - "age": null, + "age": [ + { + "recipient": "age19a7j77w267z04zls7m28a8hj4a0g5af6ltye2d5wypg33c3l89csd4r9zq", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4UndNL21iM2plWnJPS1FC\nK0JCWDhtT25UaW93azZFZXdRR2V2Wmd6d1FJCmJFbEVzUzNKOHBKK0dvVUJMNjRG\nR25nbHBIU2tKSjVRS0tWdU1GVldkNTgKLS0tIG5yTDJmU1dLZk5VQ2xMSjRJVVd1\nblFkeGVqYm12Y3AyUmVKc3hEWk9Cd3MKkJMsM1B5AYx7Y133EQsMMddMGAqWuFNl\nMGQtdf7dyF2UmKFRZRztJiH+z5vf0UY9pHpQHYvW77NMHbtzo/360Q==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], "lastmodified": "2022-05-19T18:42:23Z", "mac": "ENC[AES256_GCM,data:dQAeiVPBGotOd3dnD9P3o1dlDIrOom369SAlzY9VHe4y/Bck8brrx4fUjjxfFB9/Oew83Pdpl1WXbVp6RVrsdY/xTmVD+1bgZJJRJ5KYe0QcoWl4Sv1E6Y1b5jKZVYbeiCU7NI6gITmM5sLNBzEm2WYsYBtRCxWMh3iGV7ZqmAk=,iv:loxamarLwR6NCHaH/K8tq8XQj7Xl+Onbgu3hEYZycKQ=,tag:WojOpPzi/ajmzBAKKJ7g1Q==,type:str]", "pgp": [ { - "created_at": "2022-05-19T18:42:23Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAy74slNS/OZAJ2BczfZtCWNdIfrCpT9qg3K17zaam930w\nWRVJeL/4JLyaCvDybqNjyoi7TkCxMtKNu5LzWv+c7iTQgAwyH/aRdaLx4HmEnwqW\n0l4BsKAIB+GNBAO/HUrjrxc16euyNPP0zbguiEUxhzNGb3xwngixbcDBIe8d4yXa\nHQ+mhjG35wQbjcPrQFUvZ5YWkwthL3pY1Jx8l/9V8ajTC3SbHlI2akbun6EMuoZo\n=LKNF\n-----END PGP MESSAGE-----\n", + "created_at": "2023-01-30T11:02:06Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAlJMfokF5FgwyUTPEyFucysg7qXbeSbIxupFJDtAwqn8w\nq3mrEfNT36IccWSoLy+x0hR+VuQPg5cmptv8fV4I5QXZ6TVVgFzgioVn2kNOuFdB\n0l4BtfZmibSpsdtd+kShIOpf8S0Jdai/VuvByOtJ5fX0UmVxEJpYXd3KtYZcuBFT\ny2RPDdTibNmxcj7KW8R53hzrGM11oumnYMu7DeKPwIFUt1Elzmymw6u0NPRuHAMt\n=SwFl\n-----END PGP MESSAGE-----\n", "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" - }, - { - "created_at": "2022-05-19T18:42:23Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAT8dopGD88h4G6EBdFbDWizpUreWer6d7U+ii48YYe2Aw\nh8NZe+WplrMmjIWalVylf/MqQKlAwbOZBj5PpFIxFXKvtRxGGYKZ7mBj7kkFaDKG\n0l4BkYVQRhouZdVFcpTtTPlG7ATVpJQAi8UiBuO0HhQBmxQUGLl5vM9bvb9cY5mH\nBnBOWYzff/f0Jl8gn3tGMr9Sxeg7VRcCm+YGMPMQSimKbEZnXUjGEYuflXzopY09\n=6n0A\n-----END PGP MESSAGE-----\n", - "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" } ], "unencrypted_suffix": "_unencrypted", -- cgit v1.2.3