diff --git a/hosts/frikandel/email.nix b/hosts/frikandel/email.nix
index 480a8c1..bb91aba 100644
--- a/hosts/frikandel/email.nix
+++ b/hosts/frikandel/email.nix
@@ -5,10 +5,16 @@
 lib,
 ...
 }: let
- # hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ];
+ hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ];
 dkimDNSb12fio = ''
 default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
 '';
+ dkimDNSmezzabiz = ''
+ default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8iuDq0eon2k7QlBJWGxwDiEv53iJQu2uqxOjr7Ul/nfQjuR6kVKs6oOVopnyFTGRpffrpSHHW1YUN5nF76p0fJphk4l+QmJP36/xweajsNU27PAkb88xG6yRKl28MCfPdMR96+Jobpei8S0UhqcskYs1aZybm7ci9ZuAMidziwIDAQAB" ) ;
+ '';
+ dkimDNShzDomain = ''
+ default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvVA2XZno6g6qBdmxoLgX2Qmd883M6yV4YkE/VaNH6xcR0AcTo4hEYoAOPryfKn4FE/TYvyk/k2cyBKpMBn2qbVhwUavYQh/e9bweS2FKQvdzCUUoqXk04o2MqSXb2ZFwkUCtfrPcckBgpF754PDL4HMZGPnkMSdDX7bmYe37CWQIDAQAB") ;
+ '';
 in {
 age.secrets."b12f.io-dkim-private-rsa" = {
 file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age";
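Review bot: The two new DKIM public keys, `dkimDNSmezzabiz` and `dkimDNShzDomain`, are 1024-bit RSA keys (the `MIGfMA0G…` SubjectPublicKeyInfo prefix), while the existing `dkimDNSb12fio` key is 2048-bit (`MIIBIjAN…`); RFC 8301 asks signers to use at least 2048 bits and lets verifiers use key length as a policy input, so mail from the two new domains is weaker than b12f.io's for no evident reason. Regenerating both pairs at 2048 bits before the DNS records go live avoids a later rotation of the key, the agenix secret and the zone record. Minor style point: `dkimDNShzDomain` ends its TXT as `...CWQIDAQAB") ;` where the other two records use `" ) ;` — harmless, but worth making uniform so the three records can be diffed by eye.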
@@ -23,16 +29,44 @@ in {
 owner = "maddy";
 };
+ age.secrets."mezza.biz-dkim-private-rsa" = {
+ file = "${flake.self}/secrets/mezza.biz-dkim-private-rsa.age";
+ path = "/var/lib/maddy/dkim_keys/mezza.biz_default.key";
+ mode = "400";
+ owner = "maddy";
+ };
+
+ age.secrets."mail@mezza.biz-password" = {
+ file = "${flake.self}/secrets/mail@mezza.biz-password.age";
+ mode = "400";
+ owner = "maddy";
+ };
+
+ age.secrets."hzdomain-dkim-private-rsa" = {
+ file = "${flake.self}/secrets/hzdomain-dkim-private-rsa.age";
+ path = "/var/lib/maddy/dkim_keys/hzdomain_default.key";
+ mode = "400";
+ owner = "maddy";
+ };
+
+ age.secrets."mail@hzdomain-password" = {
+ file = "${flake.self}/secrets/mail@hzdomain-password.age";
+ mode = "400";
+ owner = "maddy";
+ };
+
 users.users.maddy.extraGroups = [ "nginx" ];
 security.acme.certs = {
- "mail.b12f.io" = {
- reloadServices = [ "maddy" ];
- };
- "b12f.io" = {
- reloadServices = [ "maddy" ];
- };
+ "mail.b12f.io".reloadServices = [ "maddy" ];
+ "b12f.io".reloadServices = [ "maddy" ];
 "mta-sts.b12f.io" = {};
+ "mail.mezza.biz".reloadServices = [ "maddy" ];
+ "mezza.biz".reloadServices = [ "maddy" ];
+ "mta-sts.mezza.biz" = {};
+ "mail.${hzDomain}".reloadServices = [ "maddy" ];
+ "${hzDomain}".reloadServices = [ "maddy" ];
+ "mta-sts.${hzDomain}" = {};
 };
 services.nginx.virtualHosts = builtins.foldl' (hosts: hostName: hosts // {
@@ -52,7 +86,7 @@ in {
 tryFiles = "$uri $uri/ =404";
 };
 };
- }) {} [ "b12f.io" ];
+ }) {} [ "b12f.io" "mezza.biz" hzDomain ];
 systemd.tmpfiles.rules = [
 "d '/run/maddy' 0750 maddy maddy - -"
@@ -62,6 +96,8 @@ in {
 mkdir -p /var/lib/maddy/dkim_keys
 echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns
+ echo '${dkimDNSmezzabiz}' >> /var/lib/maddy/dkim_keys/mezza.biz_default.dns
+ echo '${dkimDNShzDomain}' >> /var/lib/maddy/dkim_keys/${hzDomain}_default.dns
 chown -R maddy:maddy /var/lib/maddy
 '';
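Review bot: `age.secrets."hzdomain-dkim-private-rsa".path` installs the key as `/var/lib/maddy/dkim_keys/hzdomain_default.key`, while every other per-domain file in this commit is named after the real domain — `mezza.biz_default.key` here, and the `.dns` file written in the later hunk of this file as `${hzDomain}_default.dns`. If maddy locates signing keys as `<domain>_<selector>.key` under `dkim_keys`, which is what the b12f.io and mezza.biz entries rely on, the hz key will not be found and whatever key maddy falls back to will not match the record published in DNS. `path = "/var/lib/maddy/dkim_keys/${hzDomain}_default.key";` keeps the convention; the secret and attribute names can stay as `hzdomain`.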
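Review bot: The two added `echo … >> …_default.dns` lines copy the existing b12f.io pattern and append on every run of this script, so each run grows the `.dns` files with duplicate records; the enclosing script starts outside the hunk, so I cannot see whether it is guarded against re-execution. Writing instead of appending, `echo '${dkimDNSmezzabiz}' > /var/lib/maddy/dkim_keys/mezza.biz_default.dns` (and likewise for the hz line), makes the step idempotent; generating the record as a store-built text file and linking it from the existing `systemd.tmpfiles.rules` would also remove the shell quoting of the key material.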
@@ -76,14 +112,22 @@ in {
 localDomains = [
 "b12f.io"
 "mail.b12f.io"
+ "mezza.biz"
+ "mail.mezza.biz"
+ hzDomain
+ "mail.${hzDomain}"
 ];
 ensureAccounts = [
 "mail@b12f.io"
+ "mail@mezza.biz"
+ "mail@${hzDomain}"
 ];
 ensureCredentials = {
 # Do not use this in production. This will make passwords world-readable
 # in the Nix store
 "mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path;
+ "mail@mezza.biz".passwordFile = config.age.secrets."mail@mezza.biz-password".path;
+ "mail@${hzDomain}".passwordFile = config.age.secrets."mail@hzdomain-password".path;
 };
 tls = {
 loader = "file";
@@ -96,6 +140,22 @@ in {
 keyPath = "${config.security.acme.certs."b12f.io".directory}/key.pem";
 certPath = "${config.security.acme.certs."b12f.io".directory}/cert.pem";
 }
+ {
+ keyPath = "${config.security.acme.certs."mail.mezza.biz".directory}/key.pem";
+ certPath = "${config.security.acme.certs."mail.mezza.biz".directory}/cert.pem";
+ }
+ {
+ keyPath = "${config.security.acme.certs."mezza.biz".directory}/key.pem";
+ certPath = "${config.security.acme.certs."mezza.biz".directory}/cert.pem";
+ }
+ {
+ keyPath = "${config.security.acme.certs."mail.${hzDomain}".directory}/key.pem";
+ certPath = "${config.security.acme.certs."mail.${hzDomain}".directory}/cert.pem";
+ }
+ {
+ keyPath = "${config.security.acme.certs."${hzDomain}".directory}/key.pem";
+ certPath = "${config.security.acme.certs."${hzDomain}".directory}/cert.pem";
+ }
 ];
 };
 config = ''
diff --git a/hosts/frikandel/unbound.nix b/hosts/frikandel/unbound.nix
index 26ba8d1..380e325 100644
--- a/hosts/frikandel/unbound.nix
+++ b/hosts/frikandel/unbound.nix
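Review bot: The two new `passwordFile` entries are added directly under the comment `# Do not use this in production. This will make passwords world-readable in the Nix store`, which now misdescribes all three lines: each reads `config.age.secrets.*.path`, the runtime path of an agenix-decrypted file (declared earlier in this file with `mode = "400"` and `owner = "maddy"`), not a store path. If the warning was carried over from the option's example, replace it with something like `# passwordFile is the agenix runtime path, not a Nix store path`; if it is still true for the way this module consumes `passwordFile`, a sentence saying how the password reaches the store would justify keeping it.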
@@ -96,6 +96,16 @@
 "\"b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
 "\"mail.b12f.io. 10800 IN A 10.13.12.7\""
 "\"mail.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
+
+ "\"mezza.biz. 10800 IN A 10.13.12.7\""
+ "\"mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
+ "\"mail.mezza.biz. 10800 IN A 10.13.12.7\""
+ "\"mail.mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
+
+ "\"h${"w"+"dz"+"z.n"}et. 10800 IN A 10.13.12.7\""
+ "\"h${"w"+"dz"+"z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
+ "\"mail.h${"w"+"dz"+"z.n"}et. 10800 IN A 10.13.12.7\""
+ "\"mail.h${"w"+"dz"+"z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
 ];
 tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
diff --git a/modules/printing/default.nix b/modules/printing/default.nix
index 9bb30a4..03caa88 100644
--- a/modules/printing/default.nix
+++ b/modules/printing/default.nix
@@ -22,9 +22,9 @@
 then [ pkgs.cups-brother-hl3140cw ]
 else []);
- environment.persistence."/persist" = {
- directories = [
- "/var/lib/cups"
- ];
- };
+ # environment.persistence."/persist" = {
+ # directories = [
+ # "/etc/lib/cups"
+ # ];
+ # };
 }
diff --git a/secrets/age-yubikey-464-identity.txt b/secrets/age-yubikey-464-identity.txt
index f12dc2f..e696507 100644
--- a/secrets/age-yubikey-464-identity.txt
+++ b/secrets/age-yubikey-464-identity.txt
@@ -1,7 +1 @@
-# Serial: 25473464, Slot: 1
-# Name: age identity bd1ccf37
-# Created: Fri, 02 Feb 2024 19:26:49 +0000
-# PIN policy: Once (A PIN is required once per session, if set)
-# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
-# Recipient: age1yubikey1qd7szmr9ux2znl4x4hzykkwaru60nr4ufu6kdd88sm7657gjz4x5w0jy4y7
 AGE-PLUGIN-YUBIKEY-1HZCCGQVZH5WV7DCL6V837
diff --git a/secrets/age-yubikey-485-identity.txt b/secrets/age-yubikey-485-identity.txt
index 88b82c8..b4c90ef 100644
--- a/secrets/age-yubikey-485-identity.txt
+++ b/secrets/age-yubikey-485-identity.txt
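Review bot: The hz domain is assembled here a second way, `"h${"w"+"dz"+"z.n"}et"`, while hosts/frikandel/email.nix defines it once as `hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ]` and users/b12f/email.nix (the last hunk of this diff) builds it a third way with `"h" + "w" + "dz" + "z.net"`; three hand-spliced spellings of one name drift silently, and a slip in any of them shows up only as a failed lookup or a certificate for the wrong name. Exporting the single definition (through `specialArgs` or a small shared module) and referencing it from these `local-data` entries and from the user config keeps them from diverging. If the concatenation is meant to keep the name out of repository text, note that the same name is still recoverable from the committed zone records and, once the ACME certificates in this commit are issued, from certificate transparency logs.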
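Review bot: The commented-out replacement in modules/printing/default.nix silently changes the persisted path from `/var/lib/cups` to `/etc/lib/cups`, which is not the directory the original line persisted, so re-enabling the block as written would persist the wrong location; either keep `/var/lib/cups` in the comment or drop the dead block and rely on git history. Disabling `environment.persistence` for CUPS also means printer configuration and job state no longer survive a reboot on hosts with an ephemeral root, and nothing in the diff says whether that is intended — a one-line comment such as `# CUPS state intentionally not persisted: <reason>` (placeholder) would help the next reader.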
@@ -1,7 +1 @@
-# Serial: 25473485, Slot: 1
-# Name: age identity ceaabf8b
-# Created: Fri, 02 Feb 2024 19:28:33 +0000
-# PIN policy: Once (A PIN is required once per session, if set)
-# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
-# Recipient: age1yubikey1qgxuu2x3uzw7k5pg5sp2dv43edhwdz3xuhj7kjqrnw0p8t0l67c5yz9nm6q
 AGE-PLUGIN-YUBIKEY-1EKCCGQVZE64TLZCKYUCW7
diff --git a/secrets/hzdomain-dkim-private-rsa.age b/secrets/hzdomain-dkim-private-rsa.age
new file mode 100644
index 0000000..d1bf391
Binary files /dev/null and b/secrets/hzdomain-dkim-private-rsa.age differ
diff --git a/secrets/mail@hzdomain-password.age b/secrets/mail@hzdomain-password.age
new file mode 100644
index 0000000..b4c910f
--- /dev/null
+++ b/secrets/mail@hzdomain-password.age
@@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-ed25519 8bHz7g B8CppVVWblUzZYe4KLZZQg1+Z9HtOZE2riG5rrj7lDc
+BBNd3OpQz+QoPp6mv+P2+eYTMwKt8+ty4ERdO5+2Xtk
+-> ssh-ed25519 n71/yQ 4cDMfD1yorzkNgdqrbmcI6FCDEWlFlZmdedD5O5x/3k
+gvmvNFiPVGZdcIb6PacTn3IKEBEk0TnSaWv30XWX2rY
+-> ssh-rsa kFDS0A
+D/Wxbu8XMyCpYi3b58FKYrYlSog0yCTDV0+cKQssOPyc/NNQ39FviB6HcqahmZfi
+HpXAXdgDBNwHBN+Gmcu4gSFSgogKG3U8UxGmY9kNUUbJ8mKnljGO2rdPPIEbMLEn
+ZmUAK86RYOW4ctRceZ5APR24uLN5DpTnq5phLJgWjh9pvUXrI4SPawkMOq7CxylB
+h2AOYXPso0Iz9SVHl/KRLV+w32US8ISlLzJSUSAMYBY/2uQd2TRDJGdw5Jz/Ih+q
+f/G463YV6opFmYO9odxWPQzuEPmEBKSO7zThXnlCvsW6LDZlJ1IY0SZviPIhO4M8
+RX4jsganUDti19RmiHytDXwKkM4XPCPh5wpE/a6qTVneFhnlXUNiF0Y938dAAMNx
+S1rjS2v5ezHHtofpZqspl1s3WiAmsPzb7+E10ymoyT3elvWehWkTTk8a+HP4SoM+
+QKiig8HaevLWS5Ea/8wO8h8lzEDtda65GBvlARQGTCCPyijwHBAfiivU6Xp2EJQr
+YP3+hxbLO1wmV8QMxUfMrAfbJVhua+o5oDPZSImNwGfEQo4yztL2jit0bOuA3qDF
+6S3Pfvg6YpLcJwKdBCI4t0sBeFCm/Wxk4JT/eh0tdnBHUaviQ0Gj+Bzz1A7J+mek
+Ko/jR43KTFbIz46n/mCeYrtn2MTFl/AOsW+T/XoaOTI
+-> piv-p256 zqq/iw A71bIRILKAlGedebswRMWObcmTf4o0VGarNPs0HwF7pU
+EUfi118cd2/bfnwTXuYAiqx14FawWUf36n66hmpQuIM
+-> piv-p256 vRzPNw Atd637HL03L8GedzPSanEXZt9V85DgGnriZnXngfKRFz
+UiIUX1ADioDqckf0iT04NN5kOhmyRwf+/CG2+THAsrc
+--- uajThUB7bCOg/ahzarVYOMb1c3XR0qrphQ/ehGBQztM
+ehCMrbI c@sFAS29] sip]V͇5$IGk)\IWNo3y! :AS!
\ No newline at end of file
diff --git a/secrets/mail@mezza.biz-password.age b/secrets/mail@mezza.biz-password.age
new file mode 100644
index 0000000..0d622cf
Binary files /dev/null and b/secrets/mail@mezza.biz-password.age differ
diff --git a/secrets/mezza.biz-dkim-private-rsa.age b/secrets/mezza.biz-dkim-private-rsa.age
new file mode 100644
index 0000000..b4b17e6
Binary files /dev/null and b/secrets/mezza.biz-dkim-private-rsa.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6b5048c..9815018 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -99,9 +99,14 @@ in {
 "invoiceplane-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
 "mail@b12f.io-password.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
- "b12f.io-dkim-private-rsa.age".publicKeys = frikandelKeys ++ baseKeys;
+ "mail@mezza.biz-password.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
+ "mezza.biz-dkim-private-rsa.age".publicKeys = frikandelKeys ++ baseKeys;
+
+ "mail@hzdomain-password.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
+ "hzdomain-dkim-private-rsa.age".publicKeys = frikandelKeys ++ baseKeys;
+
 "unbound_control.key.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
 "unbound_control.pem.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
 "unbound_server.key.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
diff --git a/terraform/h.net.tf b/terraform/h.net.tf
index e770345..5b80edf 100644
--- a/terraform/h.net.tf
+++ b/terraform/h.net.tf
@@ -63,3 +63,27 @@ resource "hostingde_record" "hz-mta-sts" {
 content = local.domain
 ttl = 300
 }
+
+resource "hostingde_record" "hz-spf" {
+ zone_id = hostingde_zone.hz.id
+ name = local.domain
+ type = "TXT"
+ content = "v=spf1 a:mail.${local.domain} -all"
+ ttl = 300
+}
+
+resource "hostingde_record" "hz-dkim" {
+ zone_id = hostingde_zone.hz.id
+ name = "default._domainkey.${local.domain}"
+ type = "TXT"
+ content = "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB"
+ ttl = 300
+}
+
+resource "hostingde_record" "hz-dmarc" {
+ zone_id = hostingde_zone.hz.id
+ name = "_dmarc.${local.domain}"
+ type = "TXT"
+ content = "v=DMARC1;p=none;"
+ ttl = 300
+}
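Review bot: The rule `"b12f.io-dkim-private-rsa.age".publicKeys = frikandelKeys ++ baseKeys;` is removed instead of being kept next to the two new DKIM entries, yet hosts/frikandel/email.nix still loads `secrets/b12f.io-dkim-private-rsa.age` and no deletion of that file appears in this diff. Without a rule in secrets.nix, agenix can no longer edit or rekey that secret, so the next recipient change silently skips the b12f.io DKIM key while the host keeps depending on it. Restoring the line alongside the mezza.biz and hz entries looks like the intended change.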
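Review bot: `hz-dkim` publishes the 2048-bit key `p=MIIBIjAN…yla9hW3T…ZCQIDAQAB`, which is byte-for-byte the b12f.io key (`dkimDNSb12fio` in hosts/frikandel/email.nix), not the hz key this commit generates (`dkimDNShzDomain`, `p=MIGfMA0G…DvVA2XZno6…CWQIDAQAB`). Mail signed with the private key installed by `age.secrets."hzdomain-dkim-private-rsa"` will therefore fail DKIM verification, and as published the record authorises the b12f.io signing key for the hz domain; `content` should carry the `dkimDNShzDomain` key. Separately, `v=DMARC1;p=none;` without a `rua=` tag produces no aggregate reports, so the monitoring that `p=none` exists for never arrives — `rua=mailto:<REPORT-ADDRESS>` (placeholder) is worth adding while the policy is being validated.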
diff --git a/terraform/mezza.biz.tf b/terraform/mezza.biz.tf
index d07bfd5..9ae72ce 100644
--- a/terraform/mezza.biz.tf
+++ b/terraform/mezza.biz.tf
@@ -26,3 +26,68 @@ resource "hostingde_record" "mezza-www" {
 content = "mezza.biz"
 ttl = 300
 }
+
+resource "hostingde_record" "mezza-mail" {
+ zone_id = hostingde_zone.mezza.id
+ name = "mail.mezza.biz"
+ type = "CNAME"
+ content = "mezza.biz"
+ ttl = 300
+}
+
+resource "hostingde_record" "mezza-autoconfig" {
+ zone_id = hostingde_zone.mezza.id
+ name = "autoconfig.mezza.biz"
+ type = "CNAME"
+ content = "mail.mezza.biz"
+ ttl = 300
+}
+
+resource "hostingde_record" "mezza-autodiscover" {
+ zone_id = hostingde_zone.mezza.id
+ name = "autodiscover.mezza.biz"
+ type = "CNAME"
+ content = "mail.mezza.biz"
+ ttl = 300
+}
+
+resource "hostingde_record" "mezza-mx" {
+ zone_id = hostingde_zone.mezza.id
+ name = "mezza.biz"
+ type = "MX"
+ content = "mail.mezza.biz"
+ priority = 10
+ ttl = 300
+}
+
+resource "hostingde_record" "mezza-mta-sts" {
+ zone_id = hostingde_zone.mezza.id
+ name = "mta-sts.mezza.biz"
+ type = "CNAME"
+ content = "mezza.biz"
+ ttl = 300
+}
+
+resource "hostingde_record" "mezza-spf" {
+ zone_id = hostingde_zone.mezza.id
+ name = "mezza.biz"
+ type = "TXT"
+ content = "v=spf1 a:mail.mezza.biz -all"
+ ttl = 300
+}
+
+resource "hostingde_record" "mezza-dkim" {
+ zone_id = hostingde_zone.mezza.id
+ name = "default._domainkey.mezza.biz"
+ type = "TXT"
+ content = "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8iuDq0eon2k7QlBJWGxwDiEv53iJQu2uqxOjr7Ul/nfQjuR6kVKs6oOVopnyFTGRpffrpSHHW1YUN5nF76p0fJphk4l+QmJP36/xweajsNU27PAkb88xG6yRKl28MCfPdMR96+Jobpei8S0UhqcskYs1aZybm7ci9ZuAMidziwIDAQAB"
+ ttl = 300
+}
+
+resource "hostingde_record" "mezza-dmarc" {
+ zone_id = hostingde_zone.mezza.id
+ name = "_dmarc.mezza.biz"
+ type = "TXT"
+ content = "v=DMARC1;p=none;"
+ ttl = 300
+}
diff --git a/users/b12f/email.nix b/users/b12f/email.nix
index 4e14a69..88bb3a6 100644
--- a/users/b12f/email.nix
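Review bot: `mezza-mx` points the MX at `mail.mezza.biz`, but `mezza-mail` in the same hunk defines that name as a CNAME to `mezza.biz`; RFC 2181 §10.3 forbids MX targets that are aliases, and DNS lint tools and some receivers flag such zones. Give `mail.mezza.biz` its own A/AAAA records (the public addresses are not in this diff, so I cannot propose them) or set the MX `content` to a name that already carries address records. The hz zone's MX is outside this diff, so I cannot tell whether it has the same shape. As with `hz-dmarc`, `v=DMARC1;p=none;` carries no `rua=` address, so no aggregate reports will be delivered.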
+++ b/users/b12f/email.nix
@@ -17,7 +17,7 @@ with lib; let
 realName = psCfg.user.fullName;
 signature = {
 showSignature = "append";
- text = builtins.readFile (./.config/neomutt + "/${builtins.replaceStrings ["@"] ["_"] address}.signature");
+ text = if (args ? "emptysignature") then "" else builtins.readFile (./.config/neomutt + "/${builtins.replaceStrings ["@"] ["_"] address}.signature");
 };
 folders = {
@@ -93,7 +93,7 @@ in {
 config.primary = true;
 }
 {
- address = "mail@b12f.io";
+ address = mkEmailAddress "mail" "b12f.io";
 host = "mail.b12f.io";
 }
 {
@@ -133,8 +133,14 @@ in {
 };
 }
 {
- address = mkEmailAddress "hetzner" "benjaminbaedorf.eu";
- host = "mail.hosting.de";
+ address = mkEmailAddress "mail" "mezza.biz";
+ host = "mail.mezza.biz";
+ emptysignature = true;
+ }
+ {
+ address = mkEmailAddress "mail" "h" + "w" + "dz" + "z.net";
+ host = "mail.h" + "w" + "dz" + "z.net";
+ emptysignature = true;
 }
 ];
 };
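Review bot: `if (args ? "emptysignature")` tests whether the attribute is present, not its value, so an account written as `emptysignature = false;` would still get an empty signature; `args.emptysignature or false` reads the value with the same default and keeps the existing `emptysignature = true;` entries working. The `let` binding that supplies `args` and `address` starts outside the hunk, so I am assuming `args` is the per-account attrset that the new `emptysignature = true;` lines later in this diff are written into.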
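Review bot: `mkEmailAddress "mail" "h" + "w" + "dz" + "z.net"` parses as `(mkEmailAddress "mail" "h") + "w" + "dz" + "z.net"` because function application binds tighter than `+`, so the value is only correct if `mkEmailAddress` returns a plain string, and a reader has to work that out. Parenthesising the domain, `address = mkEmailAddress "mail" ("h" + "w" + "dz" + "z.net");`, states the intent, and reusing the `hzDomain` binding from hosts/frikandel/email.nix would remove this third spelling of the name. `mkEmailAddress` is defined outside the hunk.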