summaryrefslogtreecommitdiff
path: root/hosts
diff options
context:
space:
mode:
Diffstat (limited to 'hosts')
-rw-r--r--hosts/kay/configuration.nix1
-rw-r--r--hosts/kay/modules/dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone1
-rw-r--r--hosts/kay/modules/dns/ddns.nix7
-rw-r--r--hosts/kay/modules/dns/sinanmohd.com.zone21
-rw-r--r--hosts/kay/modules/hurricane.nix1
-rw-r--r--hosts/kay/modules/mail.nix103
-rw-r--r--hosts/kay/modules/www.nix13
-rw-r--r--hosts/kay/secrets.yaml8
8 files changed, 148 insertions, 7 deletions
diff --git a/hosts/kay/configuration.nix b/hosts/kay/configuration.nix
index 78385d1..1e264e2 100644
--- a/hosts/kay/configuration.nix
+++ b/hosts/kay/configuration.nix
@@ -7,6 +7,7 @@
./modules/www.nix
./modules/sftp.nix
./modules/acme.nix
+ ./modules/mail.nix
./modules/dns
./modules/sshfwd.nix
../../common.nix
diff --git a/hosts/kay/modules/dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone b/hosts/kay/modules/dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone
index 3991e1f..69b3524 100644
--- a/hosts/kay/modules/dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone
+++ b/hosts/kay/modules/dns/5.6.e.e.0.7.4.0.1.0.0.2.ip6.arpa.zone
@@ -11,3 +11,4 @@ $TTL 2d
IN NS ns1.sinanmohd.com.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns1.sinanmohd.com.
+7.3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR mail.sinanmohd.com.
diff --git a/hosts/kay/modules/dns/ddns.nix b/hosts/kay/modules/dns/ddns.nix
index 6d0a944..e6e417a 100644
--- a/hosts/kay/modules/dns/ddns.nix
+++ b/hosts/kay/modules/dns/ddns.nix
@@ -9,8 +9,11 @@
server 2001:470:ee65::1
zone sinanmohd.com.
- update delete sinanmohd.com. A
- update add sinanmohd.com. 180 A $4
+ update delete sinanmohd.com. A
+ update add sinanmohd.com. 180 A $4
+
+ update delete mail.sinanmohd.com. A
+ update add mail.sinanmohd.com. 180 A $4
send
EOF
diff --git a/hosts/kay/modules/dns/sinanmohd.com.zone b/hosts/kay/modules/dns/sinanmohd.com.zone
index 5833a2a..5fb9ca5 100644
--- a/hosts/kay/modules/dns/sinanmohd.com.zone
+++ b/hosts/kay/modules/dns/sinanmohd.com.zone
@@ -1,8 +1,8 @@
$ORIGIN sinanmohd.com.
$TTL 2d
-@ IN SOA ns1 sinan (
- 2024021100 ; serial
+@ IN SOA ns1 hostmaster (
+ 2024022500 ; serial
2h ; refresh
5m ; retry
1d ; expire
@@ -17,8 +17,25 @@ $TTL 2d
30 IN A 127.0.0.1
30 IN AAAA ::1
+ IN MX 10 mail
+
+ IN TXT "v=spf1 mx -all"
+_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@sinanmohd.com; ruf=mailto:postmaster@sinanmohd.com; adkim=s; aspf=s"
+
+ed25519._domainkey IN TXT "v=DKIM1; k=ed25519; p=EHk924AruF9Y0Xaf009rpRl+yGusjmjT1Zeho67BnDU="
+rsa._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4HEqO63fSC0cUnJt9vAQBssTkPfT4QefmAK/1BtAIRIOdGakf7PI7p3A1ETgwfYxuHj7BUSzUtESsHMThbhB1Wko79+AR+5ZBDBmD8CE0dOnZfzeG8xIaGfYkaL4gana6YZWiBT2oi/CimJfc22wacF01SufOs4R8cDpy4BZIgDD/zfF4bFTORQ0vMSJQJkp1zdQelERDU5CEezgxgVYgoSmdEpgkhc23PJSyj4Z7hA69N0amsb3cVVrfVXcYvSqTK3S2vLLA89ws4CUjCCpUW40gVIP8QP6CqTL76936Oo7OVWgmV3Sn3wa8FMN6IATY+fbMlrdOMsPY5PauJyEoQIDAQAB"
+
ns1 IN AAAA 2001:470:ee65::1
+mail 30 IN A 127.0.0.1
+mail IN AAAA 2001:470:ee65::1337
+smtp IN CNAME @
+imap IN CNAME @
+mta-sts IN CNAME @
+
+_mta-sts IN TXT "v=STSv1; id=2024022500"
+_smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:postmaster@sinanmohd.com"
+
www IN CNAME @
git IN CNAME @
bin IN CNAME @
diff --git a/hosts/kay/modules/hurricane.nix b/hosts/kay/modules/hurricane.nix
index ede8e8f..9e22bf5 100644
--- a/hosts/kay/modules/hurricane.nix
+++ b/hosts/kay/modules/hurricane.nix
@@ -33,6 +33,7 @@ in
(makeAddr prefix64 "1")
(makeAddr prefix48 "1")
+ (makeAddr prefix48 "1337")
];
};
diff --git a/hosts/kay/modules/mail.nix b/hosts/kay/modules/mail.nix
new file mode 100644
index 0000000..b255650
--- /dev/null
+++ b/hosts/kay/modules/mail.nix
@@ -0,0 +1,103 @@
+{ config, ... }: let
+ ipv6 = "2001:470:ee65::1337";
+ domain = config.userdata.domain;
+
+ username = config.userdata.user;
+ secret = "$argon2i$v=19$m=4096,t=3,p=1$SWV5aWU3YWUgZWFTNm9oc28gTGFvdDdlRG8ga2FTaWVjaDYgYWV0aDFHb28$O/sDv7oy9wUxFjvKoxB5o8ZnPvjYJo9DjX0C/AZQFF0";
+ email = [
+ "${username}@${domain}"
+ "sinanmohd@${domain}"
+ "me@${domain}"
+
+ "postmaster@${domain}"
+ "hostmaster@${domain}"
+ "admin@${domain}"
+ ];
+
+ credentials_directory = "/run/credentials/stalwart-mail.service";
+in {
+ networking.firewall.allowedTCPPorts = [
+ 25 # smto
+ 465 # submission
+ 587 # submissions
+ 993 # imap ssl
+ 4190 # managesieve
+ ];
+
+ sops.secrets = {
+ "mail.${domain}/dkim_rsa" = {};
+ "mail.${domain}/dkim_ed25519" = {};
+ };
+
+ services.stalwart-mail = {
+ enable = true;
+ loadCredential = [
+ "dkim_rsa:${config.sops.secrets."mail.${domain}/dkim_rsa".path}"
+ "dkim_ed25519:${config.sops.secrets."mail.${domain}/dkim_ed25519".path}"
+
+ "cert:${config.security.acme.certs.${domain}.directory}/fullchain.pem"
+ "key:${config.security.acme.certs.${domain}.directory}/key.pem"
+ ];
+
+ settings = {
+ macros = {
+ host = "mail.${domain}";
+ default_domain = domain;
+ default_directory = "in-memory";
+ default_store = "sqlite";
+ };
+
+ queue.outbound = {
+ ip-strategy = "ipv6_then_ipv4";
+ source-ip.v6 = "['${ipv6}']";
+ tls.starttls = "optional";
+ };
+ server.listener = {
+ smtp.bind = [ "[${ipv6}]:25" "0.0.0.0:25" ];
+ jmap.bind = [ "[::]:8034" ];
+ };
+
+ signature = {
+ rsa = {
+ private-key = "file://${credentials_directory}/dkim_rsa";
+ selector = "rsa";
+ set-body-length = true;
+ };
+ ed25519 = {
+ public-key = "EHk924AruF9Y0Xaf009rpRl+yGusjmjT1Zeho67BnDU=";
+ private-key = "file://${credentials_directory}/dkim_ed25519";
+ domain = "%{DEFAULT_DOMAIN}%";
+ selector = "ed25519";
+ headers = [ "From" "To" "Date" "Subject" "Message-ID" ];
+ algorithm = "ed25519-sha256";
+ canonicalization = "relaxed/relaxed";
+ set-body-length = true;
+ report = true;
+ };
+ };
+
+ certificate."default" = {
+ cert = "file://${credentials_directory}/cert";
+ private-key = "file://${credentials_directory}/key";
+ };
+
+ storage.blob = "fs";
+ store = {
+ fs.disable = false;
+ sqlite.disable = false;
+ };
+
+ directory."in-memory" = {
+ type = "memory";
+ options.subaddressing = true;
+
+ principals = [{
+ inherit email;
+ inherit secret;
+ name = username;
+ type = "admin";
+ }];
+ };
+ };
+ };
+}
diff --git a/hosts/kay/modules/www.nix b/hosts/kay/modules/www.nix
index a0b9c20..1447b1e 100644
--- a/hosts/kay/modules/www.nix
+++ b/hosts/kay/modules/www.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
let
domain = config.userdata.domain;
@@ -117,6 +117,17 @@ in
extraConfig = "add_header Content-Type text/html;";
};
};
+
+ "mta-sts.${domain}" = defaultOpts // {
+ locations."= /.well-known/mta-sts.txt".return = ''200 "${
+ lib.strings.concatStringsSep "\\n" [
+ "version: STSv1"
+ "mode: enforce"
+ "mx: mail.${domain}"
+ "max_age: 86400"
+ ]
+ }"'';
+ };
};
};
}
diff --git a/hosts/kay/secrets.yaml b/hosts/kay/secrets.yaml
index 11bebda..47be11b 100644
--- a/hosts/kay/secrets.yaml
+++ b/hosts/kay/secrets.yaml
@@ -10,6 +10,10 @@ dns: ENC[AES256_GCM,data:Pa6Oo7UFDqo5ZN+eyz9MKy0p4KU1ePTpWQ+R8PuSFO9JjFt/I86ru/q
matrix-sinanmohd.com:
key: ENC[AES256_GCM,data:xsSYua3g+ySUVBtfVZ2uZR4761MC5LeJGxmcgf+dWb5+tBSmgzAQL9FFcl7GLzhTmvlq13lARUr599wShS/C9IyMVGOOT9A8hxLFF9Kak64hmM7ERGrwbmzBY1mdTtvibJqzHaeybUVIMbDagczF54zpjDGLmdC5V84wduPFCndSA5FW+4Hhqw==,iv:KJtqrGNPgMDR6Sg/fOUzVAiwnPZwve9wpVfDQPc4g/c=,tag:E2jlbt5WbRA9wu16Lr69Bg==,type:str]
sliding_sync: ENC[AES256_GCM,data:ubFeb/OgYYHaIHVky6KS3icORbpqf7PO3p8bONA8mwG8vU1LB0TDqVm6vQTa8G9pe96JzJ8+IAgSZafG9PaEJc/Bpj53aWRFO3HEV0Pj,iv:P8VD8utVEwNoeQEZUdS2R9GuDe20nKiXYCfKJl0Id3E=,tag:VksV/4IaKN0C2g/alw6r4Q==,type:str]
+mail.sinanmohd.com:
+ dkim_rsa: ENC[AES256_GCM,data:lwdVm4BIUHTipsHAQuJ7rI2TJnWXv6OzBP6komprUCqVjYz7PKlwltqxNvYRnjmOoFg+G4TrHaBCwVtlqlprkr7o7xeQ1omd9xbaYdWmNHhRNvxejGYF9oldK+zVPj9za/PSk2eXkL9b3ByIxyWQKkO9+UXQjs+C33heY+6MIJRvg/+8FX8RnFgjIMIBwvakBAVQSzveJPDB0TL/CF4avijQD1C6ayjqqarhkDu2kQhGO+95DYR9VWL2k3c8YdsQnbah3u7qBHGJpGfbh+r6ZtK4tdvCxg9b/nJo2QfPovsZy8NRIbEe6xiGQL/1Wt+GD/+08b/yq2Q6ao5Dmlqq12Y2KHPJp/EneqOgPKq3qMQOay1mPTnTzV/HP5irOS/gMg3+7ewCX7EuGOCCf4xFmEctbiePvkBbo0J00raUPrbC/tPWZpWSeTo/11jstRmFW593FnaBBcwlvqAm83QNulpWktQZXwM6inabh9XdTcnFga9lRh9XFfkW93wtzsbUNAhrKpSpuhf6fHBm0wZQdUW8K1AGdTVluiSCdrUvSollf8RZQ60zedlq8H3rZnFUnlyaBaguSu4eTSLoA4sXst0xMD5PuWgtiNrKnOdAnbnyEznwxqaJQvOLZN35nfjUIosFqjAZAxSL8FvMPAMikbGvqvnKPI6uI/sC5JymulcpXdSYikco0xvxiszM8E9SHDjHOCEp5mnMv70dk3t/fwwJ8RvQpsef7h5KGFGNEFeWP47s30uJdEXUxNl9pmT5M3C8r8IpThEF2gzpg5IY6/IOnJvaLadsMBpkXp5qlrNBgPJNfwSGoM2tt8DG6wNlae9Yyr6ayt0OASP25XFMTwSbJ/30Gjqf90m/iKIOAsFYXTtqL9FJ9H/X2QKBGGAuA7gsZCJzpW5b8KQh4UO8AgISXaYxxFmnngDRqVLMhWTDJhfwtSXisVE3g3epJe0ZQbjpLGp+HOpUVKskIvuT/f6abNsVGbI+D2k1UPHZH8BhXImfy/lbrcsYUer/RX9D3ifP5RdYcIbzb77pXmPLEsnmMlKO/K9V0M9i/+wByRgHAnQkD6sCL3ZnpL3Q46cEAOwR4vM8yg1CnwGIGYSPTtSbjpUBk5xNVKMUt5nVdaY/nji9h6HS0loQVm/glBZGf/r0hBQ0VmpDXd6NsD0dropF/0nQfqToHQcZmjYsi1Q72vVo492H7b7QYbD5fMPN/iWQIhUyFylYcNxdhllB1OfSdgGAB1XHsXI3x3c/ePTID2q5gBVUWs2EyYU2sxL81xL3I91Xp/IB8hw7hlmJAftWZ3Ol418uQkv5A2+zPkL+T9AcOeZwyPAur/pN145Yv5SxlhFn26jzz2gJC/HxKxG12M2WH5vPwstHWZtefirXgclMRzDAarT8wGWEXBuYNWhPAXSapa5fKi90MJsvMbs38OVz/M9eyAuNgoOqKHF/ZGSiDs050LoTSQCeUGB7EZVlA+GVHeVG2nCAv/MRdu2m5joqxKTUZt6HPMCFMcoT8mmAbDQdWMAxKs1yJ7urogrEzfdneaLGVArlnAv5+XJUDXhZ7JftJitJ0sLkkRP9k46aAfGulmO5YEF9t2jHYkc1Hzi1nGZZ9IiUdRZup5fb5EI6i+I4gawLPZ+JKYHUtKEkkiPvxhAxfG2NIY4/pHJyH0d+Rb6B3DNT+QSoFUI9Ez7lXVFKG3q3QndY9DJsseCde+jFI3v/ENyI2+Ze8FmEvfJKcdPxY9wXJ1xd/E59NbDzdnU+Y3Uph3uojdOOP/N7x9AqhoYGo8xAZIhIFio4zXhHLvLCs7M6CF7N2sVwj31eE8Yo8QeyYPqd99wJPGdnOIOvL7XooLUAEHJ6NB9UjUbAtNpLguw5FpEqq3WyauB2Ex9G7Uqtli930MkjVWHiiheZkWw8UP5tLFHlsXvxR7NAiI6qNZSIDWr8dwudBZKHz91srlxYhD6DN0xC37TC09RbBUd6mzF5DaOJASD3YOXGA4KAx5Rb/CcCnxxLpna35lJmJjGAd0b8S+f1jzAtoqpYAk/FYlhlX4crKhrqiw9l+EsokYNxKuHFuIKwz4KrdzadT9sUOMJOzU+5SLPNplqmqJBfrp6L0lt/ylPANOO0TiT5IqavjFMPMObP04AQuK30RPrZ1crz06aGo2RK0hYEYYDjoygKFkU+iZYTUcgByKM5bpUlqnNSf3Jq1FEU/nEK6caOHiQ76F1thsm/e1FTvAYg+mOUPYz9/nl0vVFJrtr5cMXtqxh9E/f/ujczI+A=,iv:dPnpNUPSDiq5C14YzDM2K4mFHNRFgc6p+X3Zu33OH60=,tag:MhgfV3z1wcbAfpwZmVWczw==,type:str]
+ dkim_ed25519: ENC[AES256_GCM,data:bberg3vGG9M3iPH1aLA+wIU6KNnxHRZxpGU5zT5Gqo9lohQa1wBDXCwsP0JaSfg56dhh9ZxF5HFd4V0nUzL6QMIeiExGkZmtdluaqki3fwFCssILch9pWOuM71Q1d7vi1eIN5PrAuX+6m8bmQBd1JIR+Kbz8dQ==,iv:C7wEFU7/xCh8LzyKXHSzgTX/L9OkmGWTnl5A94GLogw=,tag:j+sYtzzGN9guWa6T+ZUzbw==,type:str]
+ sinan: ENC[AES256_GCM,data:F3lhwjf6dZpDSmU=,iv:TCIzQeUBqgjqc+/z3Hh1tYpm3OeLGLpVUDeo6ufP7/4=,tag:TXUI8noaK5jyLpo8D+94jQ==,type:str]
misc:
wireguard: ENC[AES256_GCM,data:kbUtxJv3xSmikJWgtu87TSo5N8tUb2BiH3dH3oOV36waYyXI3bp2aBeAl1k=,iv:yB4UIyMDNRS+JmSnt9XuBhNRTLz+k0FqkK4ofjosRto=,tag:BDSD9SfQuQppKT4+6Cu65w==,type:str]
sops:
@@ -36,8 +40,8 @@ sops:
OXgwSml4bkc1dnloNUFsRGFFcXFHc2cK26l2eiKbZUkogmAXoha6HTUs3YFKixYz
bTkpKKyOAIIin3YM975wwvkCuWNG4tbnHBHQFh5JGK2OEyLDXuV7Pg==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-02-01T06:10:26Z"
- mac: ENC[AES256_GCM,data:6Gow3dOvqseuuNbpztmm3yNU+6DKo+2LPqigO1cDhmKB509RN/T9GqDQEk/uC/aOyYeYSWrQY3EzZYOXiXgyiH2hurYV8WXGAAjssXog9YaVcC+OiXXv2zDRV8o8VKigc0hlrZJuN8FeL0qxrorojBft0QR/6JhGpV+s1jvS/8o=,iv:wV/WKfl2HPFHX3aoIdMpuK5frVs9imeO6LI0igYi2+Q=,tag:IXs92PzvwQM3FGaHW/qU8Q==,type:str]
+ lastmodified: "2024-02-25T04:23:28Z"
+ mac: ENC[AES256_GCM,data:SUFBHKTM2tQHX1Xtta3spl/GaaNrIAcNrLFzKzqb2ki3FhXnLLYu0wD+IBxuj1nxICn9TDprHFdcDenfFPV1mYWtmXLmWMeDcIGKXedYex2nakdlIYngGiLkEseuehft46YtoEqLJVksBFoLKmywRi+/ZGux/heSIyD14Toxb3Q=,iv:dqYGObF1SV3VBxSZtrggRdD1ROqvlp7tn8xLdNuDxx4=,tag:N/4L6NgIqYKQ8IbpFGru2g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1