b12f/os
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

email: add mail@b12f.io and mail@hzdomain

Browse source
This commit is contained in:
b12f 2024-08-16 21:33:49 +02:00
parent 34050a14cc
commit 9439ed4c44
Signed by: b12f
GPG key ID: 729956E1124F8F26
13 changed files with 211 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

76
hosts/frikandel/email.nix
View file

@ -5,10 +5,16 @@
lib, lib,
... ...
}: let }: let
# hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ]; hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ];
dkimDNSb12fio = '' dkimDNSb12fio = ''
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ; default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
''; '';
dkimDNSmezzabiz = ''
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8iuDq0eon2k7QlBJWGxwDiEv53iJQu2uqxOjr7Ul/nfQjuR6kVKs6oOVopnyFTGRpffrpSHHW1YUN5nF76p0fJphk4l+QmJP36/xweajsNU27PAkb88xG6yRKl28MCfPdMR96+Jobpei8S0UhqcskYs1aZybm7ci9ZuAMidziwIDAQAB" ) ;
'';
dkimDNShzDomain = ''
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvVA2XZno6g6qBdmxoLgX2Qmd883M6yV4YkE/VaNH6xcR0AcTo4hEYoAOPryfKn4FE/TYvyk/k2cyBKpMBn2qbVhwUavYQh/e9bweS2FKQvdzCUUoqXk04o2MqSXb2ZFwkUCtfrPcckBgpF754PDL4HMZGPnkMSdDX7bmYe37CWQIDAQAB") ;
'';
in { in {
age.secrets."b12f.io-dkim-private-rsa" = { age.secrets."b12f.io-dkim-private-rsa" = {
file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age"; file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age";
@ -23,16 +29,44 @@ in {
owner = "maddy"; owner = "maddy";
}; };
age.secrets."mezza.biz-dkim-private-rsa" = {
file = "${flake.self}/secrets/mezza.biz-dkim-private-rsa.age";
path = "/var/lib/maddy/dkim_keys/mezza.biz_default.key";
mode = "400";
owner = "maddy";
};
age.secrets."mail@mezza.biz-password" = {
file = "${flake.self}/secrets/mail@mezza.biz-password.age";
mode = "400";
owner = "maddy";
};
age.secrets."hzdomain-dkim-private-rsa" = {
file = "${flake.self}/secrets/hzdomain-dkim-private-rsa.age";
path = "/var/lib/maddy/dkim_keys/hzdomain_default.key";
mode = "400";
owner = "maddy";
};
age.secrets."mail@hzdomain-password" = {
file = "${flake.self}/secrets/mail@hzdomain-password.age";
mode = "400";
owner = "maddy";
};
users.users.maddy.extraGroups = [ "nginx" ]; users.users.maddy.extraGroups = [ "nginx" ];
security.acme.certs = { security.acme.certs = {
"mail.b12f.io" = { "mail.b12f.io".reloadServices = [ "maddy" ];
reloadServices = [ "maddy" ]; "b12f.io".reloadServices = [ "maddy" ];
};
"b12f.io" = {
reloadServices = [ "maddy" ];
};
"mta-sts.b12f.io" = {}; "mta-sts.b12f.io" = {};
"mail.mezza.biz".reloadServices = [ "maddy" ];
"mezza.biz".reloadServices = [ "maddy" ];
"mta-sts.mezza.biz" = {};
"mail.${hzDomain}".reloadServices = [ "maddy" ];
"${hzDomain}".reloadServices = [ "maddy" ];
"mta-sts.${hzDomain}" = {};
}; };
services.nginx.virtualHosts = builtins.foldl' (hosts: hostName: hosts // { services.nginx.virtualHosts = builtins.foldl' (hosts: hostName: hosts // {
@ -52,7 +86,7 @@ in {
tryFiles = "$uri $uri/ =404"; tryFiles = "$uri $uri/ =404";
}; };
}; };
}) {} [ "b12f.io" ]; }) {} [ "b12f.io" "mezza.biz" hzDomain ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '/run/maddy' 0750 maddy maddy - -" "d '/run/maddy' 0750 maddy maddy - -"
@ -62,6 +96,8 @@ in {
mkdir -p /var/lib/maddy/dkim_keys mkdir -p /var/lib/maddy/dkim_keys
echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns
echo '${dkimDNSmezzabiz}' >> /var/lib/maddy/dkim_keys/mezza.biz_default.dns
echo '${dkimDNShzDomain}' >> /var/lib/maddy/dkim_keys/${hzDomain}_default.dns
chown -R maddy:maddy /var/lib/maddy chown -R maddy:maddy /var/lib/maddy
''; '';
@ -76,14 +112,22 @@ in {
localDomains = [ localDomains = [
"b12f.io" "b12f.io"
"mail.b12f.io" "mail.b12f.io"
"mezza.biz"
"mail.mezza.biz"
hzDomain
"mail.${hzDomain}"
]; ];
ensureAccounts = [ ensureAccounts = [
"mail@b12f.io" "mail@b12f.io"
"mail@mezza.biz"
"mail@${hzDomain}"
]; ];
ensureCredentials = { ensureCredentials = {
# Do not use this in production. This will make passwords world-readable # Do not use this in production. This will make passwords world-readable
# in the Nix store # in the Nix store
"mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path; "mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path;
"mail@mezza.biz".passwordFile = config.age.secrets."mail@mezza.biz-password".path;
"mail@${hzDomain}".passwordFile = config.age.secrets."mail@hzdomain-password".path;
}; };
tls = { tls = {
loader = "file"; loader = "file";
@ -96,6 +140,22 @@ in {
keyPath = "${config.security.acme.certs."b12f.io".directory}/key.pem"; keyPath = "${config.security.acme.certs."b12f.io".directory}/key.pem";
certPath = "${config.security.acme.certs."b12f.io".directory}/cert.pem"; certPath = "${config.security.acme.certs."b12f.io".directory}/cert.pem";
} }
{
keyPath = "${config.security.acme.certs."mail.mezza.biz".directory}/key.pem";
certPath = "${config.security.acme.certs."mail.mezza.biz".directory}/cert.pem";
}
{
keyPath = "${config.security.acme.certs."mezza.biz".directory}/key.pem";
certPath = "${config.security.acme.certs."mezza.biz".directory}/cert.pem";
}
{
keyPath = "${config.security.acme.certs."mail.${hzDomain}".directory}/key.pem";
certPath = "${config.security.acme.certs."mail.${hzDomain}".directory}/cert.pem";
}
{
keyPath = "${config.security.acme.certs."${hzDomain}".directory}/key.pem";
certPath = "${config.security.acme.certs."${hzDomain}".directory}/cert.pem";
}
]; ];
}; };
config = '' config = ''

10
hosts/frikandel/unbound.nix
View file

@ -96,6 +96,16 @@
"\"b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\"" "\"b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mail.b12f.io. 10800 IN A 10.13.12.7\"" "\"mail.b12f.io. 10800 IN A 10.13.12.7\""
"\"mail.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\"" "\"mail.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mezza.biz. 10800 IN A 10.13.12.7\""
"\"mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mail.mezza.biz. 10800 IN A 10.13.12.7\""
"\"mail.mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"h${"w"+"dz"+"z.n"}et. 10800 IN A 10.13.12.7\""
"\"h${"w"+"dz"+"z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mail.h${"w"+"dz"+"z.n"}et. 10800 IN A 10.13.12.7\""
"\"mail.h${"w"+"dz"+"z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
]; ];
tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt"; tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";

10
modules/printing/default.nix
View file

@ -22,9 +22,9 @@
then [ pkgs.cups-brother-hl3140cw ] then [ pkgs.cups-brother-hl3140cw ]
else []); else []);
environment.persistence."/persist" = { # environment.persistence."/persist" = {
directories = [ # directories = [
"/var/lib/cups" # "/etc/lib/cups"
]; # ];
}; # };
} }

6
secrets/age-yubikey-464-identity.txt
View file

@ -1,7 +1 @@
# Serial: 25473464, Slot: 1
# Name: age identity bd1ccf37
# Created: Fri, 02 Feb 2024 19:26:49 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
# Recipient: age1yubikey1qd7szmr9ux2znl4x4hzykkwaru60nr4ufu6kdd88sm7657gjz4x5w0jy4y7
AGE-PLUGIN-YUBIKEY-1HZCCGQVZH5WV7DCL6V837 AGE-PLUGIN-YUBIKEY-1HZCCGQVZH5WV7DCL6V837

6
secrets/age-yubikey-485-identity.txt
View file

@ -1,7 +1 @@
# Serial: 25473485, Slot: 1
# Name: age identity ceaabf8b
# Created: Fri, 02 Feb 2024 19:28:33 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
# Recipient: age1yubikey1qgxuu2x3uzw7k5pg5sp2dv43edhwdz3xuhj7kjqrnw0p8t0l67c5yz9nm6q
AGE-PLUGIN-YUBIKEY-1EKCCGQVZE64TLZCKYUCW7 AGE-PLUGIN-YUBIKEY-1EKCCGQVZE64TLZCKYUCW7

BIN
secrets/hzdomain-dkim-private-rsa.age Normal file
View file

Binary file not shown.

23
secrets/mail@hzdomain-password.age Normal file
View file

@ -0,0 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 8bHz7g B8CppVVWblUzZYe4KLZZQg1+Z9HtOZE2riG5rrj7lDc
BBNd3OpQz+QoPp6mv+P2+eYTMwKt8+ty4ERdO5+2Xtk
-> ssh-ed25519 n71/yQ 4cDMfD1yorzkNgdqrbmcI6FCDEWlFlZmdedD5O5x/3k
gvmvNFiPVGZdcIb6PacTn3IKEBEk0TnSaWv30XWX2rY
-> ssh-rsa kFDS0A
D/Wxbu8XMyCpYi3b58FKYrYlSog0yCTDV0+cKQssOPyc/NNQ39FviB6HcqahmZfi
HpXAXdgDBNwHBN+Gmcu4gSFSgogKG3U8UxGmY9kNUUbJ8mKnljGO2rdPPIEbMLEn
ZmUAK86RYOW4ctRceZ5APR24uLN5DpTnq5phLJgWjh9pvUXrI4SPawkMOq7CxylB
h2AOYXPso0Iz9SVHl/KRLV+w32US8ISlLzJSUSAMYBY/2uQd2TRDJGdw5Jz/Ih+q
f/G463YV6opFmYO9odxWPQzuEPmEBKSO7zThXnlCvsW6LDZlJ1IY0SZviPIhO4M8
RX4jsganUDti19RmiHytDXwKkM4XPCPh5wpE/a6qTVneFhnlXUNiF0Y938dAAMNx
S1rjS2v5ezHHtofpZqspl1s3WiAmsPzb7+E10ymoyT3elvWehWkTTk8a+HP4SoM+
QKiig8HaevLWS5Ea/8wO8h8lzEDtda65GBvlARQGTCCPyijwHBAfiivU6Xp2EJQr
YP3+hxbLO1wmV8QMxUfMrAfbJVhua+o5oDPZSImNwGfEQo4yztL2jit0bOuA3qDF
6S3Pfvg6YpLcJwKdBCI4t0sBeFCm/Wxk4JT/eh0tdnBHUaviQ0Gj+Bzz1A7J+mek
Ko/jR43KTFbIz46n/mCeYrtn2MTFl/AOsW+T/XoaOTI
-> piv-p256 zqq/iw A71bIRILKAlGedebswRMWObcmTf4o0VGarNPs0HwF7pU
EUfi118cd2/bfnwTXuYAiqx14FawWUf36n66hmpQuIM
-> piv-p256 vRzPNw Atd637HL03L8GedzPSanEXZt9V85DgGnriZnXngfKRFz
UiIUX1ADioDqckf0iT04NN5kOhmyRwf+/CG2+THAsrc
--- uajThUB7bCOg/ahzarVYOMb1c3XR0qrphQ/ehGBQztM
˜ehCMÅríbIÕ Îcì@sýFAS29Ÿ®îÀùœ] þØsýip]…ãV͇©<E280A1>5<EFBFBD>‡£Œ$IÙGkœ)ãúü¥¹\ IWNÔo3õÉy©„! :AS!

BIN
secrets/mail@mezza.biz-password.age Normal file
View file

Binary file not shown.

BIN
secrets/mezza.biz-dkim-private-rsa.age Normal file
View file

Binary file not shown.

7
secrets/secrets.nix
View file

@ -99,9 +99,14 @@ in {
"invoiceplane-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys; "invoiceplane-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
"mail@b12f.io-password.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys; "mail@b12f.io-password.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
"b12f.io-dkim-private-rsa.age".publicKeys = frikandelKeys ++ baseKeys; "b12f.io-dkim-private-rsa.age".publicKeys = frikandelKeys ++ baseKeys;
"mail@mezza.biz-password.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
"mezza.biz-dkim-private-rsa.age".publicKeys = frikandelKeys ++ baseKeys;
"mail@hzdomain-password.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
"hzdomain-dkim-private-rsa.age".publicKeys = frikandelKeys ++ baseKeys;
"unbound_control.key.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys; "unbound_control.key.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
"unbound_control.pem.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys; "unbound_control.pem.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
"unbound_server.key.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys; "unbound_server.key.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;

24
terraform/h.net.tf
View file

@ -63,3 +63,27 @@ resource "hostingde_record" "hz-mta-sts" {
content = local.domain content = local.domain
ttl = 300 ttl = 300
} }
resource "hostingde_record" "hz-spf" {
zone_id = hostingde_zone.hz.id
name = local.domain
type = "TXT"
content = "v=spf1 a:mail.${local.domain} -all"
ttl = 300
}
resource "hostingde_record" "hz-dkim" {
zone_id = hostingde_zone.hz.id
name = "default._domainkey.${local.domain}"
type = "TXT"
content = "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB"
ttl = 300
}
resource "hostingde_record" "hz-dmarc" {
zone_id = hostingde_zone.hz.id
name = "_dmarc.${local.domain}"
type = "TXT"
content = "v=DMARC1;p=none;"
ttl = 300
}

65
terraform/mezza.biz.tf
View file

@ -26,3 +26,68 @@ resource "hostingde_record" "mezza-www" {
content = "mezza.biz" content = "mezza.biz"
ttl = 300 ttl = 300
} }
resource "hostingde_record" "mezza-mail" {
zone_id = hostingde_zone.mezza.id
name = "mail.mezza.biz"
type = "CNAME"
content = "mezza.biz"
ttl = 300
}
resource "hostingde_record" "mezza-autoconfig" {
zone_id = hostingde_zone.mezza.id
name = "autoconfig.mezza.biz"
type = "CNAME"
content = "mail.mezza.biz"
ttl = 300
}
resource "hostingde_record" "mezza-autodiscover" {
zone_id = hostingde_zone.mezza.id
name = "autodiscover.mezza.biz"
type = "CNAME"
content = "mail.mezza.biz"
ttl = 300
}
resource "hostingde_record" "mezza-mx" {
zone_id = hostingde_zone.mezza.id
name = "mezza.biz"
type = "MX"
content = "mail.mezza.biz"
priority = 10
ttl = 300
}
resource "hostingde_record" "mezza-mta-sts" {
zone_id = hostingde_zone.mezza.id
name = "mta-sts.mezza.biz"
type = "CNAME"
content = "mezza.biz"
ttl = 300
}
resource "hostingde_record" "mezza-spf" {
zone_id = hostingde_zone.mezza.id
name = "mezza.biz"
type = "TXT"
content = "v=spf1 a:mail.mezza.biz -all"
ttl = 300
}
resource "hostingde_record" "mezza-dkim" {
zone_id = hostingde_zone.mezza.id
name = "default._domainkey.mezza.biz"
type = "TXT"
content = "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8iuDq0eon2k7QlBJWGxwDiEv53iJQu2uqxOjr7Ul/nfQjuR6kVKs6oOVopnyFTGRpffrpSHHW1YUN5nF76p0fJphk4l+QmJP36/xweajsNU27PAkb88xG6yRKl28MCfPdMR96+Jobpei8S0UhqcskYs1aZybm7ci9ZuAMidziwIDAQAB"
ttl = 300
}
resource "hostingde_record" "mezza-dmarc" {
zone_id = hostingde_zone.mezza.id
name = "_dmarc.mezza.biz"
type = "TXT"
content = "v=DMARC1;p=none;"
ttl = 300
}

14
users/b12f/email.nix
View file

@ -17,7 +17,7 @@ with lib; let
realName = psCfg.user.fullName; realName = psCfg.user.fullName;
signature = { signature = {
showSignature = "append"; showSignature = "append";
text = builtins.readFile (./.config/neomutt + "/${builtins.replaceStrings ["@"] ["_"] address}.signature"); text = if (args ? "emptysignature") then "" else builtins.readFile (./.config/neomutt + "/${builtins.replaceStrings ["@"] ["_"] address}.signature");
}; };
folders = { folders = {
@ -93,7 +93,7 @@ in {
config.primary = true; config.primary = true;
} }
{ {
address = "mail@b12f.io"; address = mkEmailAddress "mail" "b12f.io";
host = "mail.b12f.io"; host = "mail.b12f.io";
} }
{ {
@ -133,8 +133,14 @@ in {
}; };
} }
{ {
address = mkEmailAddress "hetzner" "benjaminbaedorf.eu"; address = mkEmailAddress "mail" "mezza.biz";
host = "mail.hosting.de"; host = "mail.mezza.biz";
emptysignature = true;
}
{
address = mkEmailAddress "mail" "h" + "w" + "dz" + "z.net";
host = "mail.h" + "w" + "dz" + "z.net";
emptysignature = true;
} }
]; ];
}; };