email: add mail@b12f.io and mail@hzdomain

2024-08-16 21:33:49 +02:00 · 2024-08-16 21:33:49 +02:00 · 9439ed4c44
parent 34050a14cc
commit 9439ed4c44
13 changed files with 211 additions and 30 deletions
--- a/hosts/frikandel/email.nix
+++ b/hosts/frikandel/email.nix
@ -5,10 +5,16 @@
  lib,
  ...
 }: let
-  # hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ];
+  hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ];
  dkimDNSb12fio = ''
  default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
  '';
+  dkimDNSmezzabiz = ''
+  default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8iuDq0eon2k7QlBJWGxwDiEv53iJQu2uqxOjr7Ul/nfQjuR6kVKs6oOVopnyFTGRpffrpSHHW1YUN5nF76p0fJphk4l+QmJP36/xweajsNU27PAkb88xG6yRKl28MCfPdMR96+Jobpei8S0UhqcskYs1aZybm7ci9ZuAMidziwIDAQAB" ) ;
+  '';
+  dkimDNShzDomain = ''
+  default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvVA2XZno6g6qBdmxoLgX2Qmd883M6yV4YkE/VaNH6xcR0AcTo4hEYoAOPryfKn4FE/TYvyk/k2cyBKpMBn2qbVhwUavYQh/e9bweS2FKQvdzCUUoqXk04o2MqSXb2ZFwkUCtfrPcckBgpF754PDL4HMZGPnkMSdDX7bmYe37CWQIDAQAB") ;
+  '';
 in {
  age.secrets."b12f.io-dkim-private-rsa" = {
    file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age";
@ -23,16 +29,44 @@ in {
    owner = "maddy";
  };

+  age.secrets."mezza.biz-dkim-private-rsa" = {
+    file = "${flake.self}/secrets/mezza.biz-dkim-private-rsa.age";
+    path = "/var/lib/maddy/dkim_keys/mezza.biz_default.key";
+    mode = "400";
+    owner = "maddy";
+  };
+
+  age.secrets."mail@mezza.biz-password" = {
+    file = "${flake.self}/secrets/mail@mezza.biz-password.age";
+    mode = "400";
+    owner = "maddy";
+  };
+
+  age.secrets."hzdomain-dkim-private-rsa" = {
+    file = "${flake.self}/secrets/hzdomain-dkim-private-rsa.age";
+    path = "/var/lib/maddy/dkim_keys/hzdomain_default.key";
+    mode = "400";
+    owner = "maddy";
+  };
+
+  age.secrets."mail@hzdomain-password" = {
+    file = "${flake.self}/secrets/mail@hzdomain-password.age";
+    mode = "400";
+    owner = "maddy";
+  };
+
  users.users.maddy.extraGroups = [ "nginx" ];

  security.acme.certs = {
-    "mail.b12f.io" = {
-      reloadServices = [ "maddy" ];
-    };
-    "b12f.io" = {
-      reloadServices = [ "maddy" ];
-    };
+    "mail.b12f.io".reloadServices = [ "maddy" ];
+    "b12f.io".reloadServices = [ "maddy" ];
    "mta-sts.b12f.io" = {};
+    "mail.mezza.biz".reloadServices = [ "maddy" ];
+    "mezza.biz".reloadServices = [ "maddy" ];
+    "mta-sts.mezza.biz" = {};
+    "mail.${hzDomain}".reloadServices = [ "maddy" ];
+    "${hzDomain}".reloadServices = [ "maddy" ];
+    "mta-sts.${hzDomain}" = {};
  };

  services.nginx.virtualHosts = builtins.foldl' (hosts: hostName: hosts // {
@ -52,7 +86,7 @@ in {
          tryFiles = "$uri $uri/ =404";
        };
      };
-    }) {} [ "b12f.io" ];
+    }) {} [ "b12f.io" "mezza.biz" hzDomain ];

  systemd.tmpfiles.rules = [
    "d '/run/maddy' 0750 maddy maddy - -"
@ -62,6 +96,8 @@ in {
    mkdir -p /var/lib/maddy/dkim_keys

    echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns
+    echo '${dkimDNSmezzabiz}' >> /var/lib/maddy/dkim_keys/mezza.biz_default.dns
+    echo '${dkimDNShzDomain}' >> /var/lib/maddy/dkim_keys/${hzDomain}_default.dns
    chown -R maddy:maddy /var/lib/maddy
  '';

@ -76,14 +112,22 @@ in {
    localDomains = [
      "b12f.io"
      "mail.b12f.io"
+      "mezza.biz"
+      "mail.mezza.biz"
+      hzDomain
+      "mail.${hzDomain}"
    ];
    ensureAccounts = [
      "mail@b12f.io"
+      "mail@mezza.biz"
+      "mail@${hzDomain}"
    ];
    ensureCredentials = {
      # Do not use this in production. This will make passwords world-readable
      # in the Nix store
      "mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path;
+      "mail@mezza.biz".passwordFile = config.age.secrets."mail@mezza.biz-password".path;
+      "mail@${hzDomain}".passwordFile = config.age.secrets."mail@hzdomain-password".path;
    };
    tls = {
      loader = "file";
@ -96,6 +140,22 @@ in {
          keyPath = "${config.security.acme.certs."b12f.io".directory}/key.pem";
          certPath = "${config.security.acme.certs."b12f.io".directory}/cert.pem";
        }
+        {
+          keyPath = "${config.security.acme.certs."mail.mezza.biz".directory}/key.pem";
+          certPath = "${config.security.acme.certs."mail.mezza.biz".directory}/cert.pem";
+        }
+        {
+          keyPath = "${config.security.acme.certs."mezza.biz".directory}/key.pem";
+          certPath = "${config.security.acme.certs."mezza.biz".directory}/cert.pem";
+        }
+        {
+          keyPath = "${config.security.acme.certs."mail.${hzDomain}".directory}/key.pem";
+          certPath = "${config.security.acme.certs."mail.${hzDomain}".directory}/cert.pem";
+        }
+        {
+          keyPath = "${config.security.acme.certs."${hzDomain}".directory}/key.pem";
+          certPath = "${config.security.acme.certs."${hzDomain}".directory}/cert.pem";
+        }
      ];
    };
    config = ''
--- a/hosts/frikandel/unbound.nix
+++ b/hosts/frikandel/unbound.nix
@ -96,6 +96,16 @@
          "\"b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
          "\"mail.b12f.io. 10800 IN A 10.13.12.7\""
          "\"mail.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
+
+          "\"mezza.biz. 10800 IN A 10.13.12.7\""
+          "\"mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
+          "\"mail.mezza.biz. 10800 IN A 10.13.12.7\""
+          "\"mail.mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
+
+          "\"h${"w"+"dz"+"z.n"}et. 10800 IN A 10.13.12.7\""
+          "\"h${"w"+"dz"+"z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
+          "\"mail.h${"w"+"dz"+"z.n"}et. 10800 IN A 10.13.12.7\""
+          "\"mail.h${"w"+"dz"+"z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
        ];

        tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
--- a/modules/printing/default.nix
+++ b/modules/printing/default.nix
@ -22,9 +22,9 @@
  then [ pkgs.cups-brother-hl3140cw ]
  else []);

-  environment.persistence."/persist" = {
-    directories = [
-      "/var/lib/cups"
-    ];
-  };
+  # environment.persistence."/persist" = {
+  #   directories = [
+  #     "/etc/lib/cups"
+  #   ];
+  # };
 }
--- a/secrets/age-yubikey-464-identity.txt
+++ b/secrets/age-yubikey-464-identity.txt
@ -1,7 +1 @@
-#       Serial: 25473464, Slot: 1
-#         Name: age identity bd1ccf37
-#      Created: Fri, 02 Feb 2024 19:26:49 +0000
-#   PIN policy: Once   (A PIN is required once per session, if set)
-# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
-#    Recipient: age1yubikey1qd7szmr9ux2znl4x4hzykkwaru60nr4ufu6kdd88sm7657gjz4x5w0jy4y7
 AGE-PLUGIN-YUBIKEY-1HZCCGQVZH5WV7DCL6V837
--- a/secrets/age-yubikey-485-identity.txt
+++ b/secrets/age-yubikey-485-identity.txt
@ -1,7 +1 @@
-#       Serial: 25473485, Slot: 1
-#         Name: age identity ceaabf8b
-#      Created: Fri, 02 Feb 2024 19:28:33 +0000
-#   PIN policy: Once   (A PIN is required once per session, if set)
-# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
-#    Recipient: age1yubikey1qgxuu2x3uzw7k5pg5sp2dv43edhwdz3xuhj7kjqrnw0p8t0l67c5yz9nm6q
 AGE-PLUGIN-YUBIKEY-1EKCCGQVZE64TLZCKYUCW7
--- a/secrets/hzdomain-dkim-private-rsa.age
+++ b/secrets/hzdomain-dkim-private-rsa.age
--- a/secrets/mail@hzdomain-password.age
+++ b/secrets/mail@hzdomain-password.age
@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-ed25519 8bHz7g B8CppVVWblUzZYe4KLZZQg1+Z9HtOZE2riG5rrj7lDc
+BBNd3OpQz+QoPp6mv+P2+eYTMwKt8+ty4ERdO5+2Xtk
+-> ssh-ed25519 n71/yQ 4cDMfD1yorzkNgdqrbmcI6FCDEWlFlZmdedD5O5x/3k
+gvmvNFiPVGZdcIb6PacTn3IKEBEk0TnSaWv30XWX2rY
+-> ssh-rsa kFDS0A
+D/Wxbu8XMyCpYi3b58FKYrYlSog0yCTDV0+cKQssOPyc/NNQ39FviB6HcqahmZfi
+HpXAXdgDBNwHBN+Gmcu4gSFSgogKG3U8UxGmY9kNUUbJ8mKnljGO2rdPPIEbMLEn
+ZmUAK86RYOW4ctRceZ5APR24uLN5DpTnq5phLJgWjh9pvUXrI4SPawkMOq7CxylB
+h2AOYXPso0Iz9SVHl/KRLV+w32US8ISlLzJSUSAMYBY/2uQd2TRDJGdw5Jz/Ih+q
+f/G463YV6opFmYO9odxWPQzuEPmEBKSO7zThXnlCvsW6LDZlJ1IY0SZviPIhO4M8
+RX4jsganUDti19RmiHytDXwKkM4XPCPh5wpE/a6qTVneFhnlXUNiF0Y938dAAMNx
+S1rjS2v5ezHHtofpZqspl1s3WiAmsPzb7+E10ymoyT3elvWehWkTTk8a+HP4SoM+
+QKiig8HaevLWS5Ea/8wO8h8lzEDtda65GBvlARQGTCCPyijwHBAfiivU6Xp2EJQr
+YP3+hxbLO1wmV8QMxUfMrAfbJVhua+o5oDPZSImNwGfEQo4yztL2jit0bOuA3qDF
+6S3Pfvg6YpLcJwKdBCI4t0sBeFCm/Wxk4JT/eh0tdnBHUaviQ0Gj+Bzz1A7J+mek
+Ko/jR43KTFbIz46n/mCeYrtn2MTFl/AOsW+T/XoaOTI
+-> piv-p256 zqq/iw A71bIRILKAlGedebswRMWObcmTf4o0VGarNPs0HwF7pU
+EUfi118cd2/bfnwTXuYAiqx14FawWUf36n66hmpQuIM
+-> piv-p256 vRzPNw Atd637HL03L8GedzPSanEXZt9V85DgGnriZnXngfKRFz
+UiIUX1ADioDqckf0iT04NN5kOhmyRwf+/CG2+THAsrc
+--- uajThUB7bCOg/ahzarVYOMb1c3XR0qrphQ/ehGBQztM
+˜ehCMÅríbIÕ
‘Îcì@sý‹FAS29Ÿ®îÀùœ]‘þØsýip]…ãVÍ‡©<E280A1>5<EFBFBD>‡£Œ$IÙGkœ)ãúü¥¹\ IWNÔo3õÉy©„!:AS!
--- a/secrets/mail@mezza.biz-password.age
+++ b/secrets/mail@mezza.biz-password.age
--- a/secrets/mezza.biz-dkim-private-rsa.age
+++ b/secrets/mezza.biz-dkim-private-rsa.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -99,9 +99,14 @@ in {
  "invoiceplane-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys;

  "mail@b12f.io-password.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
-
  "b12f.io-dkim-private-rsa.age".publicKeys = frikandelKeys ++ baseKeys;

+  "mail@mezza.biz-password.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
+  "mezza.biz-dkim-private-rsa.age".publicKeys = frikandelKeys ++ baseKeys;
+
+  "mail@hzdomain-password.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
+  "hzdomain-dkim-private-rsa.age".publicKeys = frikandelKeys ++ baseKeys;
+
  "unbound_control.key.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
  "unbound_control.pem.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
  "unbound_server.key.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
--- a/terraform/h.net.tf
+++ b/terraform/h.net.tf
@ -63,3 +63,27 @@ resource "hostingde_record" "hz-mta-sts" {
  content = local.domain
  ttl = 300
 }
+
+resource "hostingde_record" "hz-spf" {
+  zone_id = hostingde_zone.hz.id
+  name = local.domain
+  type = "TXT"
+  content = "v=spf1 a:mail.${local.domain} -all"
+  ttl = 300
+}
+
+resource "hostingde_record" "hz-dkim" {
+  zone_id = hostingde_zone.hz.id
+  name = "default._domainkey.${local.domain}"
+  type = "TXT"
+  content = "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB"
+  ttl = 300
+}
+
+resource "hostingde_record" "hz-dmarc" {
+  zone_id = hostingde_zone.hz.id
+  name = "_dmarc.${local.domain}"
+  type = "TXT"
+  content = "v=DMARC1;p=none;"
+  ttl = 300
+}
--- a/terraform/mezza.biz.tf
+++ b/terraform/mezza.biz.tf
@ -26,3 +26,68 @@ resource "hostingde_record" "mezza-www" {
  content = "mezza.biz"
  ttl = 300
 }
+
+resource "hostingde_record" "mezza-mail" {
+  zone_id = hostingde_zone.mezza.id
+  name = "mail.mezza.biz"
+  type = "CNAME"
+  content = "mezza.biz"
+  ttl = 300
+}
+
+resource "hostingde_record" "mezza-autoconfig" {
+  zone_id = hostingde_zone.mezza.id
+  name = "autoconfig.mezza.biz"
+  type = "CNAME"
+  content = "mail.mezza.biz"
+  ttl = 300
+}
+
+resource "hostingde_record" "mezza-autodiscover" {
+  zone_id = hostingde_zone.mezza.id
+  name = "autodiscover.mezza.biz"
+  type = "CNAME"
+  content = "mail.mezza.biz"
+  ttl = 300
+}
+
+resource "hostingde_record" "mezza-mx" {
+  zone_id = hostingde_zone.mezza.id
+  name = "mezza.biz"
+  type = "MX"
+  content = "mail.mezza.biz"
+  priority = 10
+  ttl = 300
+}
+
+resource "hostingde_record" "mezza-mta-sts" {
+  zone_id = hostingde_zone.mezza.id
+  name = "mta-sts.mezza.biz"
+  type = "CNAME"
+  content = "mezza.biz"
+  ttl = 300
+}
+
+resource "hostingde_record" "mezza-spf" {
+  zone_id = hostingde_zone.mezza.id
+  name = "mezza.biz"
+  type = "TXT"
+  content = "v=spf1 a:mail.mezza.biz -all"
+  ttl = 300
+}
+
+resource "hostingde_record" "mezza-dkim" {
+  zone_id = hostingde_zone.mezza.id
+  name = "default._domainkey.mezza.biz"
+  type = "TXT"
+  content = "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8iuDq0eon2k7QlBJWGxwDiEv53iJQu2uqxOjr7Ul/nfQjuR6kVKs6oOVopnyFTGRpffrpSHHW1YUN5nF76p0fJphk4l+QmJP36/xweajsNU27PAkb88xG6yRKl28MCfPdMR96+Jobpei8S0UhqcskYs1aZybm7ci9ZuAMidziwIDAQAB"
+  ttl = 300
+}
+
+resource "hostingde_record" "mezza-dmarc" {
+  zone_id = hostingde_zone.mezza.id
+  name = "_dmarc.mezza.biz"
+  type = "TXT"
+  content = "v=DMARC1;p=none;"
+  ttl = 300
+}
--- a/users/b12f/email.nix
+++ b/users/b12f/email.nix
@ -17,7 +17,7 @@ with lib; let
    realName = psCfg.user.fullName;
    signature = {
      showSignature = "append";
-      text = builtins.readFile (./.config/neomutt + "/${builtins.replaceStrings ["@"] ["_"] address}.signature");
+      text = if (args ? "emptysignature") then "" else builtins.readFile (./.config/neomutt + "/${builtins.replaceStrings ["@"] ["_"] address}.signature");
    };

    folders = {
@ -93,7 +93,7 @@ in {
          config.primary = true;
        }
        {
-          address = "mail@b12f.io";
+          address = mkEmailAddress "mail" "b12f.io";
          host = "mail.b12f.io";
        }
        {
@ -133,8 +133,14 @@ in {
          };
        }
        {
-          address = mkEmailAddress "hetzner" "benjaminbaedorf.eu";
-          host = "mail.hosting.de";
+          address = mkEmailAddress "mail" "mezza.biz";
+          host = "mail.mezza.biz";
+					emptysignature = true;
+        }
+        {
+          address = mkEmailAddress "mail" "h" + "w" + "dz" + "z.net";
+          host = "mail.h" + "w" + "dz" + "z.net";
+					emptysignature = true;
        }
      ];
    };