From 84c79ad5a262728f4cbae83f51b7764b5fe850d3 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Thu, 5 May 2022 14:12:31 +0200 Subject: surtr: email --- hosts/surtr/default.nix | 2 +- hosts/surtr/dns/default.nix | 2 + hosts/surtr/dns/keys/imap.bouncy.email_acme.yaml | 26 +++ hosts/surtr/dns/keys/mailin.bouncy.email_acme.yaml | 26 +++ .../surtr/dns/keys/mailsub.bouncy.email_acme.yaml | 26 +++ hosts/surtr/dns/keys/surtr.yggdrasil.li_acme.yaml | 26 +++ hosts/surtr/dns/zones/email.bouncy.soa | 9 +- hosts/surtr/dns/zones/li.yggdrasil.soa | 8 +- hosts/surtr/email/ca/.gitignore | 3 + hosts/surtr/email/ca/ca.crt | 11 + hosts/surtr/email/default.nix | 230 +++++++++++++++++++++ hosts/surtr/tls/tsig_keys/imap.bouncy.email | 26 +++ hosts/surtr/tls/tsig_keys/mailin.bouncy.email | 26 +++ hosts/surtr/tls/tsig_keys/mailsub.bouncy.email | 26 +++ hosts/surtr/tls/tsig_keys/surtr.yggdrasil.li | 26 +++ 15 files changed, 466 insertions(+), 7 deletions(-) create mode 100644 hosts/surtr/dns/keys/imap.bouncy.email_acme.yaml create mode 100644 hosts/surtr/dns/keys/mailin.bouncy.email_acme.yaml create mode 100644 hosts/surtr/dns/keys/mailsub.bouncy.email_acme.yaml create mode 100644 hosts/surtr/dns/keys/surtr.yggdrasil.li_acme.yaml create mode 100644 hosts/surtr/email/ca/.gitignore create mode 100644 hosts/surtr/email/ca/ca.crt create mode 100644 hosts/surtr/email/default.nix create mode 100644 hosts/surtr/tls/tsig_keys/imap.bouncy.email create mode 100644 hosts/surtr/tls/tsig_keys/mailin.bouncy.email create mode 100644 hosts/surtr/tls/tsig_keys/mailsub.bouncy.email create mode 100644 hosts/surtr/tls/tsig_keys/surtr.yggdrasil.li (limited to 'hosts') diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index ca51d4fb..cb452df3 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix 
@@ -2,7 +2,7 @@ { imports = with flake.nixosModules.systemProfiles; [ qemu-guest openssh rebuild-machines zfs - ./zfs.nix ./dns ./tls ./http.nix ./bifrost ./matrix ./postgresql.nix ./prometheus + ./zfs.nix ./dns ./tls ./http.nix ./bifrost ./matrix ./postgresql.nix ./prometheus ./email ]; config = { diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index aff6e6f3..d665714d 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix @@ -156,6 +156,7 @@ in { ${concatMapStringsSep "\n" mkZone [ { domain = "yggdrasil.li"; addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; }; + acmeDomains = ["surtr.yggdrasil.li" "yggdrasil.li"]; } { domain = "nights.email"; addACLs = { "nights.email" = ["ymir_acme_acl"]; }; @@ -183,6 +184,7 @@ in { addACLs = { "rheperire.org" = ["ymir_acme_acl"]; }; } { domain = "bouncy.email"; + acmeDomains = ["mailin.bouncy.email" "mailsub.bouncy.email" "imap.bouncy.email" "bouncy.email"]; } ]} ''; diff --git a/hosts/surtr/dns/keys/imap.bouncy.email_acme.yaml b/hosts/surtr/dns/keys/imap.bouncy.email_acme.yaml new file mode 100644 index 00000000..f57a5b9f --- /dev/null +++ b/hosts/surtr/dns/keys/imap.bouncy.email_acme.yaml 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:xcDcVLIIZXus19oDIoFvZsyy0XUN26/B2yFQpt/apVBmhxC4qmHf+5SuzXx6KnL+LRCFnh0kxw5NUnLFaADUesUAWSBTCMLyirIT37NMUNAnGcP8ikqmOk2HUHE8/3BSER9Sr/9bXhA4ikzJnWVOWGJ9lT6qkw+DUHihundf+tHKnutxP/CoXM84T0YU4U6Jzw55BhyavaT7hSjm5Pa/CmvzUfu57GK8LBQchULqPXL1/GkcZbm/BJwI2RrYkhZG8CieRiey0WaD16qxsJ4lnhSb,iv:Spb+VtjR0XEj0HldOFNORYFbPDPeS7XgTdqZPi45wuw=,tag:QRQfOTwuh6lWJNrXZkNl0w==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-05-05T11:44:35Z", + "mac": "ENC[AES256_GCM,data:fQmb4Az33ypsJowyPrwBlkDYDNNtJWev5RzOQdvk3FOXINfeVXqBqRmK/FqYTwonWg+oQ1j7HptvEHXnNBXyHSjLs0eBNUwQAGDVYCQO2zGwmvwnRoyvSfgqESAeSWKMhzHvEA67dAm8l1HZuAXOKpnfMF2y2Z2bD4t6Ipz1FOU=,iv:UzpWjwBiC7te1IxneH/rueVKyRQ8IulRQYAQ9AybueI=,tag:s+FpPWQ0qu187LRcFb+7eg==,type:str]", + "pgp": [ + { + "created_at": "2022-05-05T11:44:34Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAl2GftHJU72CZwTRupXE9S1Z/w7vwrRQlFrme9woZ2QUw\nvan+u4DvpbWsv8jH4rPERxz7aIHcIUMnnDHMls7Ma8rqwE4GzjBnqJ4afYEgbUyc\n0l4B9IVHcML8hwLMRnox+/+DqMw9QJALjiLshid+6lxQOjiKj7AvLCsMA3llsT7H\ncyGwyhm99BaLO48zsXlSmGgg2/YSTPuiJtddwp9CWv0oeOrySnw5Rk0VqdVTzreK\n=EV9D\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-05-05T11:44:34Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAHdryYLAJhmbfQOq+tXxuuOYuB2stUUnq8/lRg6/nDyMw\nMeq1lqDPZmqcMGPuz1gaopZ+I30FBdASTaLMt2jPhd09mVccpY0nFuyvjJHHV32R\n0l4B2kHMD+NWtWCxPWGAUYBHI73xggVNMkDbr2FhwJgruN/4WRNGlgEszl6MQ43v\nI98doI69oLocwl7ZmXurspzyJA4btFIayAUgKc0uF28k4ulniTPlB75QxLAvXHNy\n=AQHH\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.2" + } +} \ No newline at end of file 
diff --git a/hosts/surtr/dns/keys/mailin.bouncy.email_acme.yaml b/hosts/surtr/dns/keys/mailin.bouncy.email_acme.yaml new file mode 100644 index 00000000..495af908 --- /dev/null +++ b/hosts/surtr/dns/keys/mailin.bouncy.email_acme.yaml 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:aRpq+iUmoEQoy7wlDjTorLK0hUQdUE0RrlFAPYzoInAxrtm58xWLWYBb6FSm7oPv+B+uM04hXbTyH9xh4ZIogiV95qva1FaK+OSO9zkhP2i4SyroRyT4IKhs8ajCAj2wRSXCcUgK13UotF45y+2yJyPEOAsIossOaAJceQdi+fbW7L5z93copWyPa5XG3/KUZBNAoGFprTzB0c9luGWp8GmJ0zFZhbI+ZnKFgL9ZDTfh2e8N0VUih748AZw7YzL3uEu68BWPdXhgDo+f/DJARizmH/NyMQ==,iv:AomUPijrVdXiYI3fl8PAbJEjWZIeh7tuIZaDzJOieDk=,tag:AWkWJ+I9m7TrKKBL5cYWVw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-05-05T11:44:33Z", + "mac": "ENC[AES256_GCM,data:o2QxYW9SPIbOWP/iQ2Mk1imSUWBwPOkPUTIVub/Y4Yse0RkR6qp1LlRdhB5aOKirInKNulA0iCm5uiDyGS02N52wrmQpnWjeMcFysZ9rzzRPIaEUa31GIWRQAt11amO56hM9JTBZGmq5bhPVRxRBfMT4PSgUT/KrRJSQCVXGyAs=,iv:OWk/08GxYylbjqcOjJnC81L4P+QyUkyxYaJ+qReGzIo=,tag:4r4eVCB5s462uMbb8lrnXg==,type:str]", + "pgp": [ + { + "created_at": "2022-05-05T11:44:33Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAymwXeFtQyiAgb+/Rm5jxPCnKWG3n7libf3zmYbQw7B0w\ndAmL/pukd3B8n3+lcdHDZodtr3W4LyatgdSXOUG51hRoqEq16b2MmCM43jTUnYQd\n0l4BWTk98DfAZ/6z7ulexqbCmfJSfJzUJGBnLqTBq2dnxeHHWpY/tpGp6BAi2n+p\nxtooPP9PUC2wbXFyf0FB5nGg+JvsNi4FspDwFYljnDKmXBnn1H3IfCmUhy1chWty\n=a8nm\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-05-05T11:44:33Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA0t4v/UKyR3uWG2NpFqxZRG7Hj05+akMq5ZnU7B/VrgQw\n4WIpnT+nqxM7c+vFNe/AVyO+R82qQrMbTL0QHpD5rUDdszFVw1UH/ELMH3rrcRlz\n0l4Bf8bWylnKOvPqeyklEktiSUXoMWqs0AbD+LuTUgqz/JvuO6AqvgbfPUvm5eOM\npI2DEW11SZeqiUai3N/H34myzQ7kSoVSfJobUfmBazIq69DBSSWz0sksMw98+yWK\n=q0Ui\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.2" + } +} \ No newline at end of file 
diff --git a/hosts/surtr/dns/keys/mailsub.bouncy.email_acme.yaml b/hosts/surtr/dns/keys/mailsub.bouncy.email_acme.yaml new file mode 100644 index 00000000..63d18e50 --- /dev/null +++ b/hosts/surtr/dns/keys/mailsub.bouncy.email_acme.yaml 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:wjU+ojwNIfiQamoOpB2MVyOB6WCCjpt1xwWO/LYD2YJqXkjl8ko4hf/wC+Q1SPkvvHPFtxxiQh1dzcl+8Wh6Xicb5HNMxiAXUQAr7gMG25nfyv3m0vB9msPDeEcbrE4t7bXOuZUBuOx9iU5UmA5kN9oTOcCT5i/db9ILEjcSvkvysk10WytyXK5CEHu5Y+gwlIJ+tP/eG/zEcXGHbDb/feQSn+Xwt3Jrdef9cau+pZB7zexIpMkvwryG9cpZCJUUDBYOhaHO+iLiO3+IEoDpr5Dabsuk9Nez,iv:ogd5X7Ss0Izl7AuJ0NvO4zKsMDDjsew3JLb0wElFhHE=,tag:f2IWgpCELipQdM+4IrtIVg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-05-05T11:44:34Z", + "mac": "ENC[AES256_GCM,data:cCqLh/qhAiicPFl1p16icG8JacpQTYjnRByjRVkD1wZ2i+M/4/LXL1O46GZJvNMNlOTN6Be6IIeazGnO7MP6oxo6He2hovD0Ej5WbSruiwL2cuVvZ3vSpFI8psWS22NBgnNXCcxA+giS5b/jlRI7pcTQ2Knwwzh7Y4Xdp/UBAi8=,iv:6wC4JpdL90zwezMsoLeE5XGwxMvUdHGaVnZqfLcd//M=,tag:7peBKCXYlivsVY9hgNojyA==,type:str]", + "pgp": [ + { + "created_at": "2022-05-05T11:44:34Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAJ2Nl+Jhuqa6LwqsC/EPuYPU9YzPaD11JMhPxyMnk2CMw\nIJWVCeIbXlUWulQF497/yvCX+gpODsk//xTc9J1Uv02uH0HZPYQaVMVs9sqg1NW/\n0l4BpYd98/J0fFwvjhlu/6AB8zrQ2OEegjlOSGDhrAObOBx5xly3IJOF0dObl3fO\nKuauEC3fXJ/s6dugdGDklNhrdRSlfgmigSErUyB0kjo9mF/mAQ8lbzw6b5OXXBwE\n=U3Fx\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-05-05T11:44:34Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAuAXp4XtRgiQe/Nhs1oBhZxxre6e6R8uBXCUuLgp5IxIw\nUZNOL8NJB94jyqC1yxOr9mILMJw0+cQYFq8CuwSea7Cuz3WOgtVRl1ezKQlpusu5\n0l4BK5ByaesUw7P+wYuXC9VDFnKUCkSn+AA76zikuHHFu9KMd/4p6FcHboQyFz54\nguRNReB6U3y2g9KIwKo/hAk+8NHnuqH9w9Cfb2IIsU5a663AhLv/GKKkCbo0s7Ur\n=jNYe\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.2" + } +} \ No newline at end of file 
diff --git a/hosts/surtr/dns/keys/surtr.yggdrasil.li_acme.yaml b/hosts/surtr/dns/keys/surtr.yggdrasil.li_acme.yaml new file mode 100644 index 00000000..4523b3ba --- /dev/null +++ b/hosts/surtr/dns/keys/surtr.yggdrasil.li_acme.yaml 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:4+Pvq42ibLYLxaBBf0Q8gVYglcCdABu8R3M5haawnPSadC53u1+2vx5cujznaUE0vpNJKRDhrHKmctbY6azhgWWvd+PIJ7QtbIEn+9ZhFPsaufrVxXCF/2/wPR505cJiIx0ydeE5G8a8AwsSexLPNg8cBENjkPlImd9LnxIVM3xwpjnNasV7B+OkOnK9twAh51waJLsVYrlS1VOJRh3Q7tuJWlBtQu0YWdImmxvtrz30h2MHg8g03bkL91z5NSf6mbMkLwj6dRZYlXpPMKMi4ZjsXFk=,iv:7bXn7FQwQbLF8gp115OAO+r1eqjlQklar/ADrVJaJOw=,tag:R2NmSMATA1rRQazoV6WfMw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-05-05T11:44:30Z", + "mac": "ENC[AES256_GCM,data:fLYGT6nZqQEE71WV6lhmXcX2HpQBwqRqd4j9D7YwXXCQolK2v4vqND8cjn2Ni71eWxoJRqHSVWOcvK39EM+kphcmH/wqLMYhdfjkP+DisYecO8LSF8MC1mhADz/YAQQfSs1Fp73JBEOruWqeyXsCB0uSfuIk5w6P0oihzZEddys=,iv:kdLy5pPPfOhyT4E0PV+cbb/007A5maBtQ90ZaCvUHGM=,tag:QJrlCAoFTosBYTgqfca/SA==,type:str]", + "pgp": [ + { + "created_at": "2022-05-05T11:44:30Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAO6YzCUEucOdXkrSHAVb7Evv2ouIgsI44bvG39sM9mTcw\nExiQR9nGBTrVUIRX7Gcb6GbDOHfYiSXhIi6CVzF7gRwe1iJGM1T6fheA30VuJ4uk\n0l4B3F4m/Pqvgp9NaBGQQDQOaCTD5NjwK/2lZtuMckQMUi9df4nEA9khJHsw8nx5\nSGU8QZquE4Kyi//pEFycoQ2q0QvKqg8JoT2m7TG5EBFXea1xfbZOZNIANUB8LnOW\n=vaJN\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-05-05T11:44:30Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAgqn8CAAZu2yB5YUfmQtMxMNJr3D40jzBH1oVmV862lYw\nlEAvxqlzV7xj/pLLfcQm/fxVu6c1tQlD4nA00VceQVZN8bm0kOzwbl+MnCYBiHps\n0l4Bcus9lKpaEpz/SB2no38/VCeM2mFnWPkUuyaLN0+xlosq4/laLhLe4NzXW8BX\nQKv8FLX0GxywRzonaLBf4p9Za8EXKXv9xMf5iYst4vG0epj4MCCxp6IH/uNDJwFt\n=yguK\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.2" + } +} \ No newline at end of file diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa index d6fdab9b..2123c0bf 100644 
--- a/hosts/surtr/dns/zones/email.bouncy.soa +++ b/hosts/surtr/dns/zones/email.bouncy.soa @@ -1,7 +1,7 @@ $ORIGIN bouncy.email. $TTL 3600 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( - 2022050501 ; serial + 2022050503 ; serial 10800 ; refresh 3600 ; retry 604800 ; expire @@ -20,6 +20,8 @@ $TTL 3600 @ IN MX 0 mailin.bouncy.email. @ IN TXT "v=spf1 a:mailout.bouncy.email -all" +_acme-challenge IN NS ns.yggdrasil.li. + * IN A 202.61.241.61 * IN AAAA 2a03:4000:52:ada:: * IN MX 0 mailin.bouncy.email. @@ -34,11 +36,13 @@ mailin IN A 202.61.241.61 mailin IN AAAA 2a03:4000:52:ada:: mailin IN MX 0 mailin.bouncy.email. mailin IN TXT "v=spf1 redirect=bouncy.email" +_acme-challenge.mailin IN NS ns.yggdrasil.li. mailsub IN A 202.61.241.61 mailsub IN AAAA 2a03:4000:52:ada:: mailsub IN MX 0 mailin.bouncy.email. mailsub IN TXT "v=spf1 redirect=bouncy.email" +_acme-challenge.mailsub IN NS ns.yggdrasil.li. _submissions._tcp IN SRV 5 0 465 mailsub.bouncy.email. @@ -46,7 +50,6 @@ imap IN A 202.61.241.61 imap IN AAAA 2a03:4000:52:ada:: imap IN MX 0 mailin.bouncy.email. imap IN TXT "v=spf1 redirect=bouncy.email" +_acme-challenge.imap IN NS ns.yggdrasil.li. _imaps._tcp IN SRV 5 0 993 imap.bouncy.email. - -_acme-challenge IN NS ns.yggdrasil.li. diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa index 74b7170e..c43f7b0d 100644 --- a/hosts/surtr/dns/zones/li.yggdrasil.soa +++ b/hosts/surtr/dns/zones/li.yggdrasil.soa @@ -1,7 +1,7 @@ $ORIGIN yggdrasil.li. $TTL 3600 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. ( - 2022040800 ; serial + 2022050501 ; serial 10800 ; refresh 3600 ; retry 604800 ; expire 
@@ -37,8 +37,10 @@ ymir IN TXT "v=spf1 redirect=yggdrasil.li" surtr IN A 202.61.241.61 surtr IN AAAA 2a03:4000:52:ada:: -surtr IN MX 0 ymir.yggdrasil.li -surtr IN TXT "v=spf1 redirect=yggdrasil.li" +surtr IN MX 0 surtr.yggdrasil.li +surtr IN TXT "v=spf1 a:surtr.yggdrasil.li -all" + +_acme-challenge.surtr IN NS ns.yggdrasil.li. prometheus.surtr IN CNAME surtr.yggdrasil.li. diff --git a/hosts/surtr/email/ca/.gitignore b/hosts/surtr/email/ca/.gitignore new file mode 100644 index 00000000..7c894574 --- /dev/null +++ b/hosts/surtr/email/ca/.gitignore @@ -0,0 +1,3 @@ +ca.key +ca.cnf +*.old \ No newline at end of file diff --git a/hosts/surtr/email/ca/ca.crt b/hosts/surtr/email/ca/ca.crt new file mode 100644 index 00000000..a4a46000 --- /dev/null +++ b/hosts/surtr/email/ca/ca.crt @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmjCCAUygAwIBAgIUb0fWK0YOiuanuqOsKemfDMb+LlUwBQYDK2VwMBcxFTAT +BgNVBAMMDHlnZ2RyYXNpbC5saTAgFw0yMjA1MDUxMTMxMzZaGA8yMDkwMDUyMzEx +MzEzNlowFzEVMBMGA1UEAwwMeWdnZHJhc2lsLmxpMCowBQYDK2VwAyEAuven1BCF +gNJtOa5Uga4opO6CD6anTdLHMYEgax6bFbejgacwgaQwHQYDVR0OBBYEFO+nGZ+J +ea3aQyWPNG53isOP91OVMFIGA1UdIwRLMEmAFO+nGZ+Jea3aQyWPNG53isOP91OV +oRukGTAXMRUwEwYDVQQDDAx5Z2dkcmFzaWwubGmCFG9H1itGDormp7qjrCnpnwzG +/i5VMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQE +AwICBDAFBgMrZXADQQD9C+L1EUIARdzeEvzGkBhcgggQQC4DKlLt0mpuUuGLxdfS +xwAHTGd6PLER3DMTMob4olsGkl09g6fqj9iJRrkM +-----END CERTIFICATE----- diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix new file mode 100644 index 00000000..49f156eb --- /dev/null +++ b/hosts/surtr/email/default.nix 
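Review bot: `+surtr IN MX 0 surtr.yggdrasil.li` has no trailing dot, so under `$ORIGIN yggdrasil.li.` the MX target is read as the relative name `surtr.yggdrasil.li.yggdrasil.li.`, which does not exist; the other absolute targets in these zones (`mailin.bouncy.email.`, the `prometheus.surtr` CNAME) do carry the dot. It should read `surtr IN MX 0 surtr.yggdrasil.li.` (the removed `ymir.yggdrasil.li` line had the same defect, so the behaviour is not new, but this commit now routes surtr's own mail through it). Separately, `services.postsrsd.domain` in hosts/surtr/email/default.nix rewrites envelope senders to `srs.surtr.yggdrasil.li`, and no record for that name is visible in this hunk; if none exists elsewhere in the zone, bounces to SRS addresses cannot be delivered back to surtr.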
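Review bot: The committed `ca.crt` is the sole trust anchor behind `smtpd_tls_CAfile` and the `permit_tls_all_clientcerts` rule in hosts/surtr/email/default.nix, and its DER validity decodes to 2022-05-05T11:31:36Z through 2090-05-23T11:31:36Z, i.e. a self-signed Ed25519 CA with a 68-year lifetime and no expiry pressure to rotate. Postfix has no CRL option, so with this setup a leaked client certificate can only be revoked by re-keying the CA and reissuing every client cert; I would keep the CA lifetime to a few years and authorise clients via `check_ccert_access` fingerprints rather than accepting anything the CA has signed. The ignored `ca.cnf`/`ca.key` mean the issuance policy is not in the repo, so a short README next to the certificate would help, e.g. `# CA for Postfix client-cert relay (smtpd_tls_CAfile); key kept offline, see .gitignore`.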
@@ -0,0 +1,230 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ postfix_map = tableType: tableName: "${tableType}:/run/postfix/maps/${tableName}";
+ postfix_hash = postfix_map "hash";
+in {
+ options = {
+ services.postfix.mapFilesRun = mkOption {
+ type = types.attrsOf (types.either types.path (types.submodule {
+ options = {
+ type = mkOption {
+ type = types.str;
+ default = "hash";
+ };
+
+ path = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ };
+
+ text = mkOption {
+ type = types.nullOr types.lines;
+ default = null;
+ };
+ };
+ }));
+ default = {};
+ };
+ };
+
+ config = {
+ services.postfix = {
+ enable = true;
+ hostname = "surtr.yggdrasil.li";
+ recipientDelimiter = "+";
+ setSendmail = true;
+ postmasterAlias = ""; rootAlias = ""; extraAliases = "";
+ destination = [];
+ sslCert = "/run/credentials/postfix.service/surtr.yggdrasil.li.pem";
+ sslKey = "/run/credentials/postfix.service/surtr.yggdrasil.li.key.pem";
+ networks = ["127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" "10.141.0.0/16"];
+ mapFilesRun = {
+ "relay_ccert" = { text = ""; };
+ "sni" = { text = ''
+ bouncy.email /run/credentials/postfix.service/bouncy.email.sni.pem
+ mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.sni.pem
+ mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.sni.pem
+ .bouncy.email /run/credentials/postfix.service/bouncy.email.sni.pem
+ '';};
+ "esmtp_access" = { type = "cidr"; text = ''
+ # Allow DSN requests from local subnet only
+ 192.168.0.0/16 silent-discard
+ 172.16.0.0/12 silent-discard
+ 10.0.0.0/8 silent-discard
+ 0.0.0.0/0 silent-discard, dsn
+ fd00::/8 silent-discard
+ ::/0 silent-discard, dsn
+ '';};
+ };
+ config = {
+ #the dh params
+ smtpd_tls_dh1024_param_file = toString config.security.dhparams.params."postfix-1024".path;
+ smtpd_tls_dh512_param_file = toString config.security.dhparams.params."postfix-512".path;
+ #enable ECDH
+ smtpd_tls_eecdh_grade = "strong";
+ #enabled SSL protocols, don't allow SSLv2 and SSLv3
+ smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"];
+ smtpd_tls_mandatory_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"];
+ #allowed ciphers for smtpd_tls_security_level=encrypt
+ smtpd_tls_mandatory_ciphers = "high";
+ #allowed ciphers for smtpd_tls_security_level=may
+ #smtpd_tls_ciphers = high
+ #enforce the server cipher preference
+ tls_preempt_cipherlist = true;
+ #disable following ciphers for smtpd_tls_security_level=encrypt
+ smtpd_tls_mandatory_exclude_ciphers = ["aNULL" "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL"];
+ #disable following ciphers for smtpd_tls_security_level=may
+ smtpd_tls_exclude_ciphers = ["aNULL" "MD5" "DES" "ADH" "RC4" "PSD" "SRP" "3DES" "eNULL"];
+ #enable TLS logging to see the ciphers for inbound connections
+ smtpd_tls_loglevel = "1";
+ #enable TLS logging to see the ciphers for outbound connections
+ smtp_tls_loglevel = "1";
+
+ smtpd_tls_ask_ccert = true;
+ smtpd_tls_CAfile = toString ./ca/ca.crt;
+
+ smtp_tls_security_level = "dane";
+ smtp_dns_support_level = "dnssec";
+
+ tls_server_sni_maps = postfix_hash "sni";
+
+ local_recipient_maps = "";
+
+ # 10 GiB
+ message_size_limit = "10737418240";
+ # 10 GiB
+ mailbox_size_limit = "10737418240";
+
+ smtpd_delay_reject = true;
+ smtpd_helo_required = true;
+ smtpd_helo_restrictions = "permit";
+
+ smtpd_recipient_restrictions = [
+ "reject_unauth_pipelining"
+ "reject_non_fqdn_recipient"
+ "reject_unknown_recipient_domain"
+ "permit_mynetworks"
+ "check_ccert_access ${postfix_hash "relay_ccert"}"
+ "reject_non_fqdn_helo_hostname"
+ "reject_invalid_helo_hostname"
+ "reject_unauth_destination"
+ "reject_unknown_recipient_domain"
+ "reject_unverified_recipient"
+ ];
+
+ smtpd_relay_restrictions = [
+ "permit_mynetworks"
+ "check_ccert_access ${postfix_hash "relay_ccert"}"
+ "reject_unauth_destination"
+ ];
+
+ propagate_unmatched_extensions = ["canonical" "virtual" "alias"];
+ smtpd_authorized_verp_clients = "$authorized_verp_clients";
+ authorized_verp_clients = "$mynetworks";
+
+ milter_default_action = "accept";
+ smtpd_milters = [config.services.opendkim.socket];
+ non_smtpd_milters = [config.services.opendkim.socket];
+
+ alias_maps = "";
+
+ queue_run_delay = "10s";
+ minimal_backoff_time = "1m";
+ maximal_backoff_time = "10m";
+ maximal_queue_lifetime = "100m";
+ bounce_queue_lifetime = "20m";
+
+ smtpd_discard_ehlo_keyword_address_maps = postfix_map "cidr" "esmtp_access";
+
+ sender_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.forwardPort}";
+ sender_canonical_classes = "envelope_sender";
+ recipient_canonical_maps = "tcp:localhost:${toString config.services.postsrsd.reversePort}";
+ recipient_canonical_classes = ["envelope_recipient" "header_recipient"];
+ };
+ masterConfig = {
+ smtps = {
+ type = "inet";
+ command = "smtpd";
+ args = [
+ "-o" "smtpd_tls_wrappermode=yes"
+ "-o" "smtpd_tls_req_ccert=yes"
+ "-o" "smtpd_client_restrictions=permit_tls_all_clientcerts,reject"
+ "-o" "smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_tls_all_clientcerts,reject"
+ ];
+ };
+ };
+ };
+
+ services.postsrsd = {
+ enable = true;
+ domain = "srs.surtr.yggdrasil.li";
+ separator = "+";
+ excludeDomains = [ "surtr.yggdrasil.li"
+ ".bouncy.email" "bouncy.email"
+ ];
+ };
+
+ services.opendkim = {
+ enable = true;
+ # user = "postfix"; group = "postfix";
+ # socket = "local:/run/opendkim/opendkim.sock";
+ domains = ''csl:${concatStringsSep "," ["surtr.yggdrasil.li" "bouncy.email"]}'';
+ selector = "surtr";
+ configFile = builtins.toFile "opendkim.conf" ''
+ Syslog true
+ MTACommand ${config.security.wrapperDir}/sendmail
+ LogResults true
+ '';
+ };
+
+ security.dhparams = {
+ params = {
+ "postfix-512".bits = 512;
+ "postfix-1024".bits = 2048;
+ };
+ };
+
+ security.acme.domains = let
+ mkSNI = ''
+ cat key.pem full.pem > sni.pem
+ '';
+ in {
+ "bouncy.email" = {
+ certCfg.postRun = mkSNI;
+ };
+ "mailin.bouncy.email" = {
+ certCfg.postRun = mkSNI;
+ };
+ "mailsub.bouncy.email" = {
+ certCfg.postRun = mkSNI;
+ };
+ "surtr.yggdrasil.li" = {};
+ };
+
+ systemd.services.postfix = {
+ preStart = concatStringsSep "\n" (mapAttrsToList (to: from: let
+ cont = {type, path, text}: assert !(isNull path && isNull text); let
+ path' = if isNull path then pkgs.writeText to text else path;
+ in ''
+ ln -sf ${path'} /run/postfix/maps/${to}
+ postmap ${type}:/run/postfix/maps/${to}
+ '';
+ in if builtins.isPath from then cont { path = from; } else cont from
+ ) config.services.postfix.mapFilesRun);
+
+ serviceConfig = {
+ RuntimeDirectory = ["postfix/maps"];
+ LoadCredential = [
+ "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
+ "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
+ "bouncy.email.sni.pem:${config.security.acme.certs."bouncy.email".directory}/sni.pem"
+ "mailin.bouncy.email.sni.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/sni.pem"
+ "mailsub.bouncy.email.sni.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/sni.pem"
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/surtr/tls/tsig_keys/imap.bouncy.email b/hosts/surtr/tls/tsig_keys/imap.bouncy.email
new file mode 100644
index 00000000..d3f86b23
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/imap.bouncy.email
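Review bot: `smtpd_tls_protocols`, the list governing opportunistic `may`-level STARTTLS on port 25, disables `!TLSv1.2` together with the legacy protocols, so any peer MTA that cannot negotiate TLS 1.3 fails the handshake and either retries in plaintext or not at all, which is weaker than accepting 1.2; the comment above it still claims only SSLv2/SSLv3 are excluded. I would keep the strict list for `smtpd_tls_mandatory_protocols` (used by the client-cert `smtps` service) but relax the opportunistic one to `smtpd_tls_protocols = ["!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1"];`. In `preStart`, the `builtins.isPath from` branch calls `cont { path = from; }` while `cont` destructures `{type, path, text}` without defaults, so a plain-path `mapFilesRun` entry aborts evaluation with a missing-argument error; pass `cont { path = from; type = "hash"; text = null; }` or give the pattern defaults. The `smtps` service overrides `smtpd_recipient_restrictions` with `permit_tls_all_clientcerts` but inherits `smtpd_relay_restrictions`, whose only certificate clause is `check_ccert_access` against the empty `relay_ccert` map, so CA-issued clients will still meet `reject_unauth_destination` for external recipients unless that map is populated or the service also gets `-o smtpd_relay_restrictions=permit_tls_all_clientcerts,reject`. Finally, `message_size_limit` and `mailbox_size_limit` of 10 GiB let a single unauthenticated port-25 sender fill the queue spool; a bound in the tens of megabytes is customary.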
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:V3upBG5uxBdr9mfEyRqJMhcPJ/zjLXACJObpjAm/zl8hPQMnLBID74+e6kap,iv:1qnlvtXKbSUGiMR5wE2XWM5L+COTzzaMlu0w8gPaiGA=,tag:xpMWaiuFAeKfhyYKdW+tmQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-05-05T11:44:35Z", + "mac": "ENC[AES256_GCM,data:C8C327hR+CdEZjqkQUoPNCXXmUbNSl2oHChLQuz0MOSvU0laN7rLcdJ2Mb/WodVgHdVNXtzAzLdOluXi5ikW6pZH4ZAkV1Dsr5E/WLR3TuSr0ULJx3+ZQnT6XJkzKn0MSS5/u/ctUpGoFki+xG2S4yQiGqArqXUktEF2XAROBSw=,iv:Sp22bqbXBBWX3wLWBqHuZaQ4ki3PNx7BFKb16uHHU7U=,tag:OxVOI2K0Tliven8sPXnzlw==,type:str]", + "pgp": [ + { + "created_at": "2022-05-05T11:44:35Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAg+bD8OFCZiufY4QRUyLA3K0UMJS9rEbyE7vCExAazhUw\nYLPtQLtH3MFfS+HoDqrOtTy/1FadBbSBO8YC6bEeBpTksLpH5o3dqYCOPEzYWTKN\n0l4B66Bq+BgNuR+Ld4A+TdzNOfsmjIsEtVh2AKyfKFsg4+29MH5ImX11Wd4ek/5R\n1qD8evoz8DT+1sE2mX7gpGZj24x4A8CzhOPU/zQBaD7tf8omw6okERIi03jCpfml\n=C4Vt\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-05-05T11:44:35Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA2g2y4txmaQ1pjMKcRqwjqCSzdOeyxqgaO7hNzVzRvwgw\nXggd7yj7dSW+JZ1/SOmeMDR2aL28B6lB89q2IdGDORBaa8/m6mSSnP/aNiMtj71M\n0l4BgV6lelcYvGJfqb9TDZFZVsCYAiONBzhOjJ4y31H09BTFrFEnTOK+iipiqjti\nlM4ejpSuKPrSwx16+7B/Pa/OEMWfRWn7tIIoRC8rEdWKCm1utKLlOoqpR4OA+5mT\n=VcqH\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.2" + } +} \ No newline at end of file diff --git a/hosts/surtr/tls/tsig_keys/mailin.bouncy.email b/hosts/surtr/tls/tsig_keys/mailin.bouncy.email new file mode 100644 index 00000000..b7dbe8b9 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/mailin.bouncy.email 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:nvMkj1Mqz8/QCN2n1m4hMGDCMIM7OcX81yS4N3+ZsGWc/p6RtwogKp53ypd5,iv:UB70UEDF0znqZpA3Ov+EGQkH/ix0A6I6JwpHAFEcNqU=,tag:lJJ7AtVa35TJVdNIEPXu3Q==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-05-05T11:44:34Z", + "mac": "ENC[AES256_GCM,data:bIjM+KaKivOu3xy4+p+zXaQtzRGO5wQ/tZXCgEBA9TEjkTli+ypzUlaf8gtjPOED2nCie9+GX+6kKhopP+P28/PoIGVmTpMLtRgInpNh8/APlTN2TQoVyCld2zEJDi+Cqa+nMBispyQF06bB3UGeOdGnlZwgW2IlYH5wUcgGBng=,iv:SMJMogMoLmCFaBqMjgB2P+pVhC8JVZS3BzZyEjqhDM8=,tag:07SSpA0HP3oIpTzyUExr+Q==,type:str]", + "pgp": [ + { + "created_at": "2022-05-05T11:44:33Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAfNwDDkgU3oYgQQzWu808G0xd8wwbDdRPzAvZpSW4ZUAw\nGKXrug34UAsJoCezXIArCbAXq8DGnsejkca90qS8JQAw94QxW/EVwjXXG1aUs2+2\n0l4B1WxA5Lt2/nQyeJjTOBcbTz07SPBlkdG5tZQEmJvoP33CTUUHNMQ9D1n3BFwZ\nOuWzFDBTXLqOzseL6PYCdjHMaU5fIll+GCIBufG9lZuqfP1YTyqLhgPLNpaO5kCX\n=4dC9\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-05-05T11:44:33Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdActPNakdiaMdVMhHlp0L77VgtR6x7NZmJ2RU1pKcqCnsw\n4hJbSauDdaUXirG6ircfJeKfwSOobdDjFmrVfkhpV2JKRc8XQyKm9nx8B3nHLPRb\n0l4BY8LfKmiH4lSocO/3thKurtZKOCmk5kfvCTVC96aWOFab6+YapJvRIqvgupap\nM+bRH+xEqS5rmooQBwsFFya5kykVVODiwAkh9dIV0EdGhqJgChjd+LHetch08iyw\n=KnpG\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.2" + } +} \ No newline at end of file diff --git a/hosts/surtr/tls/tsig_keys/mailsub.bouncy.email b/hosts/surtr/tls/tsig_keys/mailsub.bouncy.email new file mode 100644 index 00000000..ec2fa339 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/mailsub.bouncy.email 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:tJbGR8t8/CWyY8TnOtY+5Na+RuphkrMqm1qYnuF40AH84mjyVELH2Jskx5Cx,iv:i8uEr7cltXRubU7vXr+NSL4qnCbN/foyjobM9XyhiN8=,tag:zDpagteTiEpq29pN9byWOg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-05-05T11:44:34Z", + "mac": "ENC[AES256_GCM,data:4RGSNI/aLfDMTH2r95uo+5bYNj1oIaKTSIuLu+a9jnihnoJgh1BIpi6q7ayTV25J31WvpqUdYtHmAqp0cgsgPnxleCA0rmL4KupMPPTx4RNmMDzPfHb+mez6iFwepkLpPSqLMs2hPvc9PuSJDY7r7gkGvRfxqT5U+1+d2m/31LM=,iv:5fEkvnz9HzUAV/Nxd0Y0OYUdNiqEkMwPkgQ+wA5u6nE=,tag:/LyrsMWedbpLOifj0/k9Ug==,type:str]", + "pgp": [ + { + "created_at": "2022-05-05T11:44:34Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAwar8wbCJkkIsCWa4ADR82XxMQ9uywWi+1kOv0Hz3cSAw\nk4KuWWFjXhuRPGN+ueRrWaZbL2035RL9qjz6AzTf7dYd06q9uY/StQ4iwFGTrSWk\n0l4BSx9tzJ17BfrmDc8gHi7iJJzVWrSQS2BEkjQBvOqOz1RUFnyboe/whdBe3GLD\nTKN0tMUts9wliS2w1qtMrZJhHS4vNRICKlNcmVlShH42En4T9hlcIjwcdeX3Abjb\n=0DrA\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-05-05T11:44:34Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAkd4osWJcn0o+iwi+92bCRf5PvZ++tKLOgUmzZ6AUIQ8w\nRRLkK9U03T6UFMeWvBv5oHLJIgtaseqQJ7P8YG3fhFFdKYkjpoFSvz0ofcdPpORE\n0l4BqBwoLFoVNF9vmjdm7Ggb3JeSRlp5dvn4ihppN5sMOVNMP9iVjFGZr4lHO6m3\n0sInfK2Gz1HZ+u74RaR+urMzr5kfD5ZAFymE93Ae9QASBBj98qM462w6vT2izVgV\n=ZDDP\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.2" + } +} \ No newline at end of file diff --git a/hosts/surtr/tls/tsig_keys/surtr.yggdrasil.li b/hosts/surtr/tls/tsig_keys/surtr.yggdrasil.li new file mode 100644 index 00000000..6b3648e0 --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/surtr.yggdrasil.li 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:OJbgB/u+4bo4mKVUGuULGeObTMsd83l1Q6nFiWAT5CN+jrX78g+iVR5QotOt,iv:Zoyn2dGBrXrAnKtGGW/r8WJDfbILOczQGQLgRlc0Xts=,tag:x5wrx92umguadfj6ARfsGg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-05-05T11:44:33Z", + "mac": "ENC[AES256_GCM,data:LffMGjgzNp1gQQPBF+hUDh1YvgZqRYnS5521s0P1I0/1QlXj/iLYhNwIaTdBxYWFoeBcmvdkOXJV4YcTNqCmw8XaV9bNfezQTRlbskvAKZ1NPU6RRx6horWpguSWONnCMoFk5eaqeQA2Nr5rJ4kn8MSo46TMmHfR9Aj0fctuY1Q=,iv:E6Hu/jyY8WV+lm1AzRHVhI2Mdj2vDDwZcdR+KhM6gkc=,tag:I3F4gAQ3Eo86KL3fdeBz3g==,type:str]", + "pgp": [ + { + "created_at": "2022-05-05T11:44:33Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA37udf4bGP58tefZPCe6GXJMyu+cCzmVwUh0Y78MZ4BEw\nC0kHrjRb/2EZHrWPiFrEuTipIw3GVe5THmQfQwA6AJnmYtIZywCB07SFF+myS1Qz\n0l4BY2H6MsZEhPUxEK/ek83XMzLdcm0uLbIoEZFjL6lM47v3C8/MipxE2+zqzzUr\n7KWtpZekshX3kc5Qgj+Brs+X+Vz35PheGgHs6mX1rOFbHGxcOcNlu1UK3n8p3W9i\n=B4Qz\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-05-05T11:44:33Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdALq2tsHKjoVkxuF2LubirDKj1mXBL8D9gEtBAgUL+e1Ew\nCircY5+tjUj067L94tbr59tyqVdbXhEXZWfk+yqarIErIlwW7VKYM4RMc+0ePUjA\n0l4BYQIILqERGv4uJG7nZhDVu4YMatMR9ALgED47OhXwjnVG40Ncwt669YpRqmcF\nlxCgqbcBcCc1MfRn+C7Q7hYmruqc9cIBRYlssZmMC10CCETRASxTgeNcDve24AVo\n=z5ML\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.2" + } +} \ No newline at end of file -- cgit v1.2.3