From 8b1ac25da8313861252e6015f3827d752d9dd8d9 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 21 Mar 2026 15:43:47 +0100
Subject: ...
---
 hosts/surtr/dns/default.nix | 7 ++++++-
 hosts/surtr/dns/zones/consulting.kleen.soa | 9 ++-------
 hosts/surtr/dns/zones/email.bouncy.soa | 9 ++-------
 hosts/surtr/dns/zones/li.141.soa | 4 ++--
 hosts/surtr/dns/zones/li.kleen.soa | 4 ++--
 hosts/surtr/dns/zones/li.yggdrasil.soa | 9 +++------
 hosts/surtr/dns/zones/org.praseodym.soa | 4 ++--
 hosts/surtr/email/ccert-policy-server/pyproject.toml | 2 +-
 hosts/surtr/email/default.nix | 8 ++++++++
 9 files changed, 28 insertions(+), 28 deletions(-)
(limited to 'hosts/surtr')
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 14d6efd6..c210cb2d 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -46,7 +46,12 @@ in {
 systemd.services.knot = {
 unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
- serviceConfig.LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys;
+ serviceConfig = {
+ LoadCredential = map ({name, ...}: "${name}.yaml:${config.sops.secrets.${name}.path}") knotKeys;
+ BindPaths = let
+ dkimBindPath = domain: "/var/lib/rspamd/dkim/${domain}.txt:/var/lib/dkim/${domain}.txt";
+ in map dkimBindPath ["yggdrasil.li" "141.li" "kleen.li" "praseodym.org" "kleen.consulting" "bouncy.email"];
+ };
 };
 services.knot = {
diff --git a/hosts/surtr/dns/zones/consulting.kleen.soa b/hosts/surtr/dns/zones/consulting.kleen.soa
index 0fa920f7..99a88c7b 100644
--- a/hosts/surtr/dns/zones/consulting.kleen.soa
+++ b/hosts/surtr/dns/zones/consulting.kleen.soa
@@ -1,7 +1,7 @@
 $ORIGIN kleen.consulting.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2026031400 ; serial
+ 2026032100 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
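Review bot: `BindPaths` in the new `serviceConfig` block mounts the rspamd-owned DKIM record files into knot's namespace read-write, although the zone files only `$INCLUDE` them; `BindReadOnlyPaths` gives knot the same view without write access, so a misbehaving or compromised knot cannot alter what rspamd publishes: `BindReadOnlyPaths = let`. The domain list here has to be kept in step by hand with the `$INCLUDE` lines in the zone files, which a short comment should say, e.g. `# keep in sync with the $INCLUDE lines in zones/*.soa`. systemd also expects each bind source to exist when the unit starts, so if the `.txt` files are produced by rspamd rather than checked in, knot presumably needs an ordering dependency on whatever creates them, which this hunk does not add.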
@@ -21,12 +21,7 @@ $TTL 3600 @ IN MX 0 mailin.kleen.consulting. @ IN TXT "v=spf1 a:mailout.kleen.consulting -all" -surtr._domainkey IN CNAME surtr._domainkey.yggdrasil.li. -mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAye6l3utyz6pfRGsW9l49UjNCSkHSUYMAodLBFlHqPJ3VaBdxcsceEZ+J0NHZKWc+s8UYuV+ppXg/WD21RGr2KhxUKa4PZqB8h0YN7+XvwGAgQCIPnHOr73KImmxI5ZH9H1QsEcK3xeb+1VKR8dUXsPSG0UHne6wnsYCMhBJfFnjRnc+kGxiRl7fBPusxR3m9C0LgH17epXOOEGVo3" - "bO6CmPjYbrMqjbRCk8dcfRSLSizEek4ojgLAqx5Hn59dqsl7fg9TNaEKTgg3QO8Yq3AoJYotV7nap+U/XruTv8w9LRmoS+jQJ0pqQ8UHWOeX8JEl7D5WOSLFVidSpYiYzhz8bSuNxqWIganr6uGX6UrnhYMfEpnAWwPcd6L1pu1MsIBJGKLwmhXVUsYSpPlFkL2OrxKPbiz1CmyWeThALyOsbvMatE/ojmj9TUoTuEdcunpOetfir7eyWK9Yx" - "k+z6pSzH0jTO8JLIND8X8rdOpEeSPyMowAsZsbo9uXdcH6j2MUmh7nlqsCM3pjXIwwCnO4OxCQ3O89s/Xe/j1qLtdT3biDpAvoJehzO8UAy69aFTyjZESqTXQt/gUqPFm5prLWp8djWEUBAZxBZHxjwvDZdJ6VEDOZtKfjIHmxSzwtMrzLRm5BYurGYjYl+6sW1Ax5VZ4SENuWAZ2jKvRSmLdCWrMCAwEAAQ==" -) +$INCLUDE /var/lib/dkim/kleen.consulting.txt _dmarc IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@kleen.consulting;ruf=mailto:postmaster@kleen.consulting" _acme-challenge IN NS ns.yggdrasil.li. diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa index 4c0c286c..208a89e4 100644 --- a/hosts/surtr/dns/zones/email.bouncy.soa +++ b/hosts/surtr/dns/zones/email.bouncy.soa @@ -1,7 +1,7 @@ $ORIGIN bouncy.email. $TTL 3600 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li ( - 2026031402 ; serial + 2026032100 ; serial 10800 ; refresh 3600 ; retry 604800 ; expire 
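Review bot: The DKIM public record now comes from `/var/lib/dkim/kleen.consulting.txt` at zone load, but the SOA serial in this file is still maintained by hand, so a rotated key in the included file reaches the primary on reload while resolver caches and any secondaries keep the old record until someone bumps the serial. Either say so next to the include, `; DKIM record is generated outside this file - bump the SOA serial whenever it changes`, or let knot derive the serial itself (its `zonefile-load: difference-no-serial` mode exists for this case, assuming the knot configuration, which is outside this diff, does not already do so). The included file is parsed as ordinary zone syntax under `$ORIGIN kleen.consulting.`, so whoever can write to the rspamd DKIM directory can publish arbitrary records in this zone; that trust boundary deserves a comment here as well. The same applies to the `$INCLUDE` lines in email.bouncy.soa, li.141.soa, li.kleen.soa, li.yggdrasil.soa and org.praseodym.soa.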
@@ -20,12 +20,7 @@ $TTL 3600 @ IN MX 0 mailin.bouncy.email. @ IN TXT "v=spf1 a:mailout.bouncy.email -all" -surtr._domainkey IN CNAME surtr._domainkey.yggdrasil.li. -mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAva2iS93SC+SjKdaJYWGf2wEsKxf1MTn6gKK/Gvg+9rnlCaothnaB5PfZj8TpWHFaFLnoOSQ73HwSM6+MjCNnGjcyEHa2dTFljvVAp4xLzFChps5r5dXZX+qarfzqvTjBr7B57PR2L+i/pl+OL+aYl7yM+mLH4VtrS5oxAQRPaIccYXuWqhtL4t51O4rUL2nRHcDAGs6W4O5ns+6tc" - "TXsZC9HBMLbOnr+vhY12aWC4cvZeRYSa1cf7NcRQYgDK+d1tOPZgJPc5nG3mZHx0DjjY9FwBxy3FeJI43aM+q5EW4PdNylqxVPUrajG11O7OZ/gVo1jBr1wQDw+Pluj+RnPTNMrIwL7sYcsPeXcFelQMzyubMChB72HnDOwVnEzGReUOx2OiKfFnukvA2V9Svv4YR6p4rLYGvPVr7+0HCk8ygVkt4p/cDcE7/gjZd8UcCVBCq6pamQFkGIZYg" - "hJFos6UgDdF+2W8FS2u3sAP0q7hhjMcmF/hJfOj1TdZizeNJE1x5xoq6fbn9j2+zgUiTYCQOOu02dWOZnQTGtQhhwllZ0qYgJrn6ZzANvCfoWKbw8ylfj9bg15QYlJAunaz4V3PnPz6uQvBj2yut08835M64vBcPspuOp49d5t4Y/59IdtsojDf4XN1RmDu4d/Zdt9hR4tHQVmdfYkUFjBp7KO3O8CAwEAAQ==" -) +$INCLUDE /var/lib/dkim/bouncy.email.txt _dmarc IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@bouncy.email;ruf=mailto:postmaster@bouncy.email" _acme-challenge IN NS ns.yggdrasil.li. diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa index 78d137bb..bf650a27 100644 --- a/hosts/surtr/dns/zones/li.141.soa +++ b/hosts/surtr/dns/zones/li.141.soa @@ -1,7 +1,7 @@ $ORIGIN 141.li. $TTL 3600 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li ( - 2025060701 ; serial + 2026032101 ; serial 10800 ; refresh 3600 ; retry 604800 ; expire @@ -46,7 +46,7 @@ ymir IN MX 0 ymir.yggdrasil.li ymir IN TXT "v=spf1 redirect=ymir.yggdrasil.li" ymir._domainkey IN CNAME ymir._domainkey.yggdrasil.li. -surtr._domainkey IN CNAME surtr._domainkey.yggdrasil.li. +$INCLUDE /var/lib/dkim/141.li.txt _xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li. _xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li. 
diff --git a/hosts/surtr/dns/zones/li.kleen.soa b/hosts/surtr/dns/zones/li.kleen.soa
index 5dd3e697..cfaaa1f1 100644
--- a/hosts/surtr/dns/zones/li.kleen.soa
+++ b/hosts/surtr/dns/zones/li.kleen.soa
@@ -1,7 +1,7 @@
 $ORIGIN kleen.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2025060701 ; serial
+ 2026032101 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -28,7 +28,7 @@ $TTL 3600
 _acme-challenge IN NS ns.yggdrasil.li.
 ymir._domainkey IN CNAME ymir._domainkey.yggdrasil.li.
-surtr._domainkey IN CNAME surtr._domainkey.yggdrasil.li.
+$INCLUDE /var/lib/dkim/kleen.li.txt
 _xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li.
 _xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
index 69479895..e69f764a 100644
--- a/hosts/surtr/dns/zones/li.yggdrasil.soa
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
- 2026010100 ; serial
+ 2026032105 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -46,7 +46,7 @@ surtr IN TXT "v=spf1 a:surtr.yggdrasil.li -all"
 vpn IN A 185.243.10.86
 vpn IN AAAA 2a03:4000:20:259::
-surtr._domainkey.surtr IN CNAME surtr._domainkey.yggdrasil.li.
+mail._domainkey.surtr IN CNAME mail._domainkey.yggdrasil.li.
 _dmarc.surtr IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@yggdrasil.li;ruf=mailto:postmaster@yggdrasil.li"
 _acme-challenge.surtr IN NS ns.yggdrasil.li.
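Review bot: `mail._domainkey.surtr` now aliases the yggdrasil.li key while `_dmarc.surtr` two lines below keeps `adkim=s`, so mail from surtr.yggdrasil.li passes DMARC only if it is signed with `d=surtr.yggdrasil.li` and selector `mail` using the yggdrasil.li private key. With the rspamd signer keyed by `/var/lib/rspamd/dkim/$domain.key` (see email/default.nix in this patch), that presumably requires a `surtr.yggdrasil.li.key` holding the same private key as `yggdrasil.li.key`; if rspamd instead signs such mail with `d=yggdrasil.li`, strict alignment fails and the `p=reject` policy applies. A comment on the CNAME recording which of the two is intended would prevent a silent mismatch later, e.g. `; surtr.yggdrasil.li mail is signed with the yggdrasil.li key under selector mail`.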
@@ -141,10 +141,7 @@ ymir._domainkey IN TXT ( "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24" "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ==" ) - -surtr._domainkey IN TXT ( "v=DKIM1;k=rsa;" - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwEspNBXjTjPpCqSMkcBUJnSThqMcHwvDP3mOnv8wpDrGTN+1eJ1fzso5GHooGNt0kWHOpcoVwsMDIk81SR3zzNKYWqM40KvQ2ElNJqS5VDIfnxppiG9H5Nu3M7In5jv7OTSKsEi5eDzWqqvaHn6YjNQuKHQsJsAB1zUKoR1gqpvwJlV3tnhfQEl1O3qt0tG1c6JvgZ8R8szrk9" - "uNZzu90PDQY9UH4K1nu+INwlMgz9hzgJHIoNJOdB+1gmvnsI4MgmT/otxwKia/UoddN3Gcu7DO1gjFi5cwOA+zOgMnzzWUbys0Q3loCKp9EYgWUJQ9CCh5U4x4/GpV2VeEJ/0GYQIDAQAB" ) +$INCLUDE /var/lib/dkim/yggdrasil.li.txt _xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li. _xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li. diff --git a/hosts/surtr/dns/zones/org.praseodym.soa b/hosts/surtr/dns/zones/org.praseodym.soa index 2b97ca19..5bd627a4 100644 --- a/hosts/surtr/dns/zones/org.praseodym.soa +++ b/hosts/surtr/dns/zones/org.praseodym.soa @@ -1,7 +1,7 @@ $ORIGIN praseodym.org. $TTL 3600 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li ( - 2025060701 ; serial + 2026032103 ; serial 10800 ; refresh 3600 ; retry 604800 ; expire @@ -33,7 +33,7 @@ surtr IN MX 0 ymir.yggdrasil.li surtr IN TXT "v=spf1 redirect=yggdrasil.li" ymir._domainkey IN CNAME ymir._domainkey.yggdrasil.li. -surtr._domainkey IN CNAME surtr._domainkey.yggdrasil.li. +$INCLUDE /var/lib/dkim/praseodym.org.txt _xmpp-client._tcp IN SRV 5 0 5222 ymir.yggdrasil.li. _xmpp-server._tcp IN SRV 5 0 5269 ymir.yggdrasil.li. 
diff --git a/hosts/surtr/email/ccert-policy-server/pyproject.toml b/hosts/surtr/email/ccert-policy-server/pyproject.toml
index e93c910e..518bd4f9 100644
--- a/hosts/surtr/email/ccert-policy-server/pyproject.toml
+++ b/hosts/surtr/email/ccert-policy-server/pyproject.toml
@@ -27,4 +27,4 @@ build-backend = "uv_build"
 [tool.uv.build-backend]
 module-root = "."
-module-name = []
+module-name = ["ccert_policy_server"]
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 4c7af0c3..4243366c 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -454,6 +454,8 @@ in {
 milter = yes;
 timeout = 120s;
+ client_ca_name = "yggdrasil.li";
+
 upstream "local" {
 default = yes;
 self_scan = yes;
@@ -491,6 +493,9 @@ in {
 servers = "${config.services.redis.servers.rspamd.unixSocket}";
 '';
 "dkim_signing.conf".text = ''
+ enabled = true;
+ allow_username_mismatch = true;
+ path = "/var/lib/rspamd/dkim/$domain.key";
 selector = "mail";
 '';
@@ -514,6 +519,9 @@ in {
 spam = true;
 }
 '';
+ "logging.inc".text = ''
+ debug_modules = ["milter", "dkim_signing"];
+ '';
 # "redirectors.inc".text = ''
 # visit.creeper.host
 # '';
--
cgit v1.2.3
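Review bot: `allow_username_mismatch = true` in the `dkim_signing.conf` hunk turns off rspamd's check that the authenticated submission username belongs to the domain being signed, so any authenticated sender can obtain a signature for any domain that has a key under `/var/lib/rspamd/dkim/`. If that is intended because usernames here are not domain-qualified, say so on the line, e.g. `allow_username_mismatch = true; # auth usernames are host-local, not user@<signing domain>` (wording to be confirmed against the actual account scheme); otherwise the default should stay. The `path` template uses rspamd's `$domain` variable, which is not Nix interpolation inside `''` — a one-word comment would spare the next reader the double-take. The enclosing attribute set starts and ends outside the hunk.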
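Review bot: `debug_modules = ["milter", "dkim_signing"]` in the new `logging.inc` switches two rspamd modules to debug logging permanently; at that level they emit verbose per-message output, which is noisy and leaves more message metadata in the journal than the normal level does. If this was added to diagnose the key move in the same patch, mark it as temporary, `# temporary: debug DKIM signing after moving keys to /var/lib/rspamd/dkim; drop once verified`, or leave it out of the committed configuration.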