From 910fd2059e7e95a12702695a4991ea133f7a37a7 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Thu, 5 May 2022 11:26:19 +0200 Subject: surtr: bouncy.email --- hosts/surtr/dns/default.nix | 2 ++ hosts/surtr/dns/keys/bouncy.email_acme.yaml | 26 +++++++++++++++ hosts/surtr/dns/zones/email.bouncy.soa | 52 +++++++++++++++++++++++++++++ hosts/surtr/tls/default.nix | 2 +- hosts/surtr/tls/tsig_keys/bouncy.email | 26 +++++++++++++++ 5 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 hosts/surtr/dns/keys/bouncy.email_acme.yaml create mode 100644 hosts/surtr/dns/zones/email.bouncy.soa create mode 100644 hosts/surtr/tls/tsig_keys/bouncy.email (limited to 'hosts') diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index e1c24936..aff6e6f3 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix @@ -182,6 +182,8 @@ in { { domain = "rheperire.org"; addACLs = { "rheperire.org" = ["ymir_acme_acl"]; }; } + { domain = "bouncy.email"; + } ]} ''; }; diff --git a/hosts/surtr/dns/keys/bouncy.email_acme.yaml b/hosts/surtr/dns/keys/bouncy.email_acme.yaml new file mode 100644 index 00000000..ef900376 --- /dev/null +++ b/hosts/surtr/dns/keys/bouncy.email_acme.yaml 
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:+wtxY9yDbNOOorVS7Aur1hJjoRSEygv8kyaMT+9zb4hQ0hhaoLMnkKfB4qR56wOvAy7wvW1OhFhICe5Ii1GDEEHWiRXGGm4mICt+DG4xvqYD1uNUWGdwRNWyv1PPfpjV33/rALanlGqvD6K2hMQAKDzWgrI0oIh13N6v+8R13sC+YtcoaKmt+i6w4Pby3w5TmaxZD0Rfm7PcYz+ZOR+552E6y5OZ+69Kb1wFrDWhYrPBHy8zsV2VcQYgzsB0MUgwjpRtz5j1sbA=,iv:5axeSwNOy/Mbk2cLXCb2hyIhhMmufWMmGIBseIoAq8U=,tag:L3qS4esYwH6rLTHclRk0VQ==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-05-05T09:11:47Z",
+ "mac": "ENC[AES256_GCM,data:BeR4eZ9AR8YGYy7eulvod4QwmFlstjS/ic3EIOpNaqDdeHCz5QCWM2+kR47ZQanSmVP1bFrIrnqIbL0lQXhX5a3mclFla61piC1oUELWXcn6jj6kd9QOZx9ZU/VlcKJEtt82nEXb7y8SEbiEHSs3btmAY9pHtYgLB/5grhBVnm8=,iv:3TEVp5wgtem43WEdh7LpMF77cSoP/+FjcH3oHnmmS4o=,tag:JceRss6y1lUbyem3Rqmd/w==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-05-05T09:11:46Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAN7OICwH4WzjRMo9QTW242OioK0RQufqkN/KbUQUDPyQw\nXvLmJlDZeNKDDw6KWkbb7ZNZuNF1i43BkrwfOQmYAhDDH4Y+vPYhWK6x6umxULko\n0lwB1J0TOLS17TkTO8atGrGo++hu705cokSQ84mpcercl66d7OzpI5N7I0MhM1A2\nfVdlvj7QNM/AnwXYOpxLeoUJl7D3gL/c/LA9/+5WDOMvNQLDgZI8h72J3q10Aw==\n=EdX/\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ },
+ {
+ "created_at": "2022-05-05T09:11:46Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAmsryLbhFP1Ac3Y5+ROeDOfiNS1E7veMwxHf9S1sZflEw\nQ4/524tpAa8rgikNV5gmVKE4UVxYrLqwJItskzOML8OMqW5QGVKtHweSvPcMhv3E\n0lwB3pOk770dv0wiyxDl4wEWH/NvK+PWwpvcP4hT7PkLRbaUpov63sj41QOxCQMj\npV/Uvzo5/bKN9ZmF5WfPRmRPRsL8CuZoXEV1F9ZxGFyuRHS4pb4TFLHv+rnbhg==\n=xLXq\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.2"
+ }
+}
\ No newline at end of file
diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa
new file mode 100644
index 00000000..d6fdab9b
--- /dev/null
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -0,0 +1,52 @@
+$ORIGIN bouncy.email.
+$TTL 3600
+@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
+ 2022050501 ; serial
+ 10800 ; refresh
+ 3600 ; retry
+ 604800 ; expire
+ 3600 ; min TTL
+)
+ IN NS ns.yggdrasil.li.
+ IN NS ns.inwx.de.
+ IN NS ns2.inwx.de.
+ IN NS ns3.inwx.eu.
+
+@ IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
+@ IN CAA 128 iodef "mailto:caa@yggdrasil.li"
+
+@ IN A 202.61.241.61
+@ IN AAAA 2a03:4000:52:ada::
+@ IN MX 0 mailin.bouncy.email.
+@ IN TXT "v=spf1 a:mailout.bouncy.email -all"
+
+* IN A 202.61.241.61
+* IN AAAA 2a03:4000:52:ada::
+* IN MX 0 mailin.bouncy.email.
+* IN TXT "v=spf1 redirect=bouncy.email"
+
+mailout IN A 202.61.241.61
+mailout IN AAAA 2a03:4000:52:ada::
+mailout IN MX 0 mailin.bouncy.email.
+mailout IN TXT "v=spf1 redirect=bouncy.email"
+
+mailin IN A 202.61.241.61
+mailin IN AAAA 2a03:4000:52:ada::
+mailin IN MX 0 mailin.bouncy.email.
+mailin IN TXT "v=spf1 redirect=bouncy.email"
+
+mailsub IN A 202.61.241.61
+mailsub IN AAAA 2a03:4000:52:ada::
+mailsub IN MX 0 mailin.bouncy.email.
+mailsub IN TXT "v=spf1 redirect=bouncy.email"
+
+_submissions._tcp IN SRV 5 0 465 mailsub.bouncy.email.
+
+imap IN A 202.61.241.61
+imap IN AAAA 2a03:4000:52:ada::
+imap IN MX 0 mailin.bouncy.email.
+imap IN TXT "v=spf1 redirect=bouncy.email"
+
+_imaps._tcp IN SRV 5 0 993 imap.bouncy.email.
+
+_acme-challenge IN NS ns.yggdrasil.li.
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index d1478a5b..0f3a7fec 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
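Review bot: The new zone publishes SPF for every name but no DMARC policy, and the `* IN TXT "v=spf1 redirect=bouncy.email"` wildcard will answer a TXT lookup for `_dmarc.bouncy.email` with the SPF string, which receivers do not parse as DMARC. SPF with `-all` only constrains the envelope sender, so without a policy the visible From: domain stays unprotected; I would add an explicit record such as `_dmarc IN TXT "v=DMARC1; p=reject"`, with the policy strength and any report address left to the operator, unless DMARC and DKIM records are meant to land in a later commit. As optional hardening, the CAA `issue` record could also pin the ACME account, `issue "letsencrypt.org; validationmethods=dns-01; accounturi=<ACME account URI>"`, so that control of the `_acme-challenge` delegation alone is not enough to obtain a certificate.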
@@ -36,7 +36,7 @@ in { }; config = { - security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"] (domain: { wildcard = true; }); + security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email" "bouncy.email"] (domain: { wildcard = true; }); fileSystems."/var/lib/acme" = { device = "surtr/safe/var-lib-acme"; diff --git a/hosts/surtr/tls/tsig_keys/bouncy.email b/hosts/surtr/tls/tsig_keys/bouncy.email new file mode 100644 index 00000000..f6b8377b --- /dev/null +++ b/hosts/surtr/tls/tsig_keys/bouncy.email 
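Review bot: The domain list on the `security.acme.domains` line is now ten entries on a single line, so the diff marks the whole line as changed and a reader has to compare both versions by eye to confirm that only `"bouncy.email"` was added. Every entry receives `wildcard = true`, meaning a certificate valid for all subdomains, so additions here deserve to be easy to audit. I would put one domain per line inside the `genAttrs [ … ]` list and keep `(domain: { wildcard = true; });` after the closing bracket, so that future additions appear as one-line hunks. The enclosing `config = { … }` block starts and ends outside the hunk.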
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:A9Z9+ZH8xL+ho8AHY68BPpDwccOCFe6kn6vTe+7xiAa2L4OeAQr6ht2Ps0FN,iv:inoeIthQ0qpV+Fgllhu/7AtTbemkx48dBUpw3B4jnmo=,tag:ST1upRnFaiQWQnhmuwSurQ==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-05-05T09:11:47Z",
+ "mac": "ENC[AES256_GCM,data:Rp9OZdZ83nXKJqZGq8bEgkrjdDzGIWD1SsaPSEzKdTmL5+N2aqv0hQhmlKqgINSipy3pPr27ojQgDUqSGXNkiOdxOMn1wwxBFL7DBAFOW294KxU1uCXhQMLcYwGHlaEVrzGrNvPE3SEfjgWFTJHyT7j+hI7dVUfPiGYxWJFHg6A=,iv:IQ5x4u8MeChI7Mf5vfUv4s9Y8EaUja8En5yzPP6Vz/U=,tag:64Xu995aal53KQLWl3UOgw==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-05-05T09:11:47Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAAg2F1LygQ9z7q2KuTamS1ZyAlKrSsFXevqRRN9LZrzEw\n7JXermDoMQzMuTPdjMUL6E5Rlfk5j2UTHKqa1SoQyUDgmF1hCOny/8+gbVqQySLw\n0lwB2MNRJGOcLWSoxEXHU+bIRiwLX5QZ8MFFrtxkk1hd28RL8JozFio/ZwuNSFSK\nU3jNEajWwxX/Y1ct0KmcVvhhCOwKTinZCebCocB0I12V7ZRMbDzKUc1avLIoVA==\n=JlNZ\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ },
+ {
+ "created_at": "2022-05-05T09:11:47Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAfoOzVooUt/RCvN/Gyzfg/Ci/6SPOavIFz6a1VY8RCTsw\nbdfL6HQaU+I14B6DdJYV3ThZTvchspexKCt/3tve4fQtLS4YP43Yc/cKyuvJjKhi\n0lwBdH92sKoNZCF8sC+AoH8fOP20jR6DvIXcvvnYrlpOPolQ2xJffrzpFnDmxSC5\n5tKMotnX5iPi0zNR4riAf+li0vboFYpOWyO1vJWtF97EaMdrIaqqC5i98/5qlg==\n=iFkv\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.2"
+ }
+}
\ No newline at end of file
-- cgit v1.2.3