Diffstat (limited to '')
-rw-r--r--hosts/by-name/server2/configuration.nix54
-rw-r--r--hosts/by-name/server2/secrets/backup/backuppass.age (renamed from hosts/by-name/server2/secrets/backuppass.age)0
-rw-r--r--hosts/by-name/server2/secrets/backup/backupssh.age (renamed from hosts/by-name/server2/secrets/backupssh.age)0
-rwxr-xr-xhosts/by-name/server2/secrets/dkim/gen_key.sh33
-rw-r--r--hosts/by-name/server2/secrets/dkim/mail.vhack.eu-private.age16
-rw-r--r--hosts/by-name/server2/secrets/dkim/mail.vhack.eu-public1
6 files changed, 97 insertions, 7 deletions
diff --git a/hosts/by-name/server2/configuration.nix b/hosts/by-name/server2/configuration.nix
index de9fc4d..7f0502d 100644
--- a/hosts/by-name/server2/configuration.nix
+++ b/hosts/by-name/server2/configuration.nix
@@ -14,19 +14,27 @@
   vhack = {
     back = {
       enable = true;
-      repositories = {
-        "${config.services.gitolite.dataDir}/repositories/vhack.eu/nixos-server.git" = {
-          domain = "issues.foss-syndicate.org";
-          port = 9220;
-        };
+      domain = "issues.foss-syndicate.org";
+      settings = {
+        scan_path = "${config.services.gitolite.dataDir}/repositories";
+        project_list = "${config.services.gitolite.dataDir}/projects.list";
       };
     };
     backup = {
       enable = true;
-      privateSshKey = ./secrets/backupssh.age;
-      privatePassword = ./secrets/backuppass.age;
+      privateSshKey = ./secrets/backup/backupssh.age;
+      privatePassword = ./secrets/backup/backuppass.age;
       user = "u384702-sub3";
     };
+    dns = {
+      enable = true;
+      openFirewall = true;
+      interfaces = [
+        "185.16.61.132"
+        "2a03:4000:a:106::1"
+      ];
+      zones = import ../../../zones {};
+    };
     etesync = {
       enable = true;
       secretFile = ./secrets/etesync/secret_file.age;
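Review bot: `scan_path` now points at the whole gitolite `repositories` directory, so what `issues.foss-syndicate.org` serves is no longer the single `vhack.eu/nixos-server.git` entry that used to be listed explicitly, but whatever `projects.list` contains. In gitolite that file is normally generated from the access rules (the repositories readable by the `gitweb` user), so a rule change made elsewhere would presumably publish a further repository here as well; how the `back` module combines the two settings is not visible in this hunk. I would record that dependency next to the setting, for example `# exposure is decided by gitolite's projects.list (repos readable by gitweb); review before granting gitweb access`.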
@@ -49,10 +57,42 @@
       enable = true;
       fqdn = "mail.foss-syndicate.org";
     };
+    stalwart-mail = {
+      enable = false;
+      fqdn = "mail.vhack.eu";
+      admin = "admin@vhack.eu";
+      security = {
+        dkimKeys = let
+          loadKey = name: {
+            dkimPublicKey = builtins.readFile (./secrets/dkim + "/${name}-public");
+            dkimPrivateKeyPath = ./secrets/dkim + "/${name}-private.age";
+            keyAlgorithm = "ed25519-sha256";
+          };
+        in {
+          "mail.vhack.eu" = loadKey "mail.vhack.eu";
+        };
+        verificationMode = "strict";
+      };
+      openFirewall = true;
+      principals = [
+        {
+          class = "individual";
+          name = "soispha";
+          secret = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW";
+          email = [
+            "soispha@vhack.eu"
+            "abuse@vhack.eu"
+            "postmaster@vhack.eu"
+            "admin@vhack.eu"
+          ];
+        }
+      ];
+    };
     nginx = {
       enable = true;
       redirects = {
         "source.foss-syndicate.org" = "https://git.foss-syndicate.org/vhack.eu/nixos-server";
+        "source.vhack.eu" = "https://source.foss-syndicate.org";
       };
     };
     nixconfig.enable = true;
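Review bot: The `secret` of the `soispha` principal is a bcrypt hash with cost factor 5 (`$2b$05$`) committed in plain text, while the DKIM private key a few lines above goes through an `.age` file. The principal owns `admin@`, `postmaster@` and `abuse@vhack.eu`, and a cost-5 hash that is readable in the repository and the Nix store offers little resistance to offline guessing. `enable = false` does not change that, because the hash is published with the commit. I would treat this password as exposed, choose a new one hashed with a much higher cost factor, and, if the stalwart-mail module can take the secret from a file, load it from an age-encrypted file under `./secrets` like the other credentials.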
diff --git a/hosts/by-name/server2/secrets/backuppass.age b/hosts/by-name/server2/secrets/backup/backuppass.age
index 5fd5568..5fd5568 100644
--- a/hosts/by-name/server2/secrets/backuppass.age
+++ b/hosts/by-name/server2/secrets/backup/backuppass.age
diff --git a/hosts/by-name/server2/secrets/backupssh.age b/hosts/by-name/server2/secrets/backup/backupssh.age
index c2d3abb..c2d3abb 100644
--- a/hosts/by-name/server2/secrets/backupssh.age
+++ b/hosts/by-name/server2/secrets/backup/backupssh.age
diff --git a/hosts/by-name/server2/secrets/dkim/gen_key.sh b/hosts/by-name/server2/secrets/dkim/gen_key.sh
new file mode 100755
index 0000000..61da156
--- /dev/null
+++ b/hosts/by-name/server2/secrets/dkim/gen_key.sh
@@ -0,0 +1,33 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -p rage -p openssl -p bash -i bash --impure
+
+# shellcheck shell=bash
+
+cd "$(dirname "$0")" || {
+    echo "No basedir?!"
+    exit 1
+}
+
+key_name="$1"
+[ -z "$key_name" ] && {
+    echo "Usage: $0 KEY_NAME IDENTITY"
+    exit 2
+}
+
+openssl genpkey \
+    -algorithm ed25519 \
+    -out - |
+    tee >(openssl pkey \
+        -pubout \
+        -out - |
+        openssl asn1parse \
+            -offset 12 \
+            -noout \
+            -out - |
+        base64 --wrap 0 >"$key_name-public") |
+    rage --encrypt \
+        --armor \
+        --recipient "age1mshh4ynzhhzhff25tqwkg4j054g3xwrfznh98ycchludj9wjj48qn2uffn" \
+        >"$key_name-private.age"
+
+# vim: ft=sh
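Review bot: Nothing in the script checks that key generation succeeded, so if `openssl genpkey` fails, `rage` still encrypts empty input and both `$key_name-private.age` and `$key_name-public` are written as if a key existed. Adding `set -o errexit -o pipefail` below the shellcheck directive would stop on a failure in the main pipeline. The `tee >(...)` process substitution is not waited for and its exit status is lost, so a closing check that `$key_name-public` is non-empty would be a useful guard. The usage text also advertises an `IDENTITY` argument that is never read, since the recipient is hard-coded; either read it from `$2` or shorten the message to `echo "Usage: $0 KEY_NAME"`. Re-running with an existing name silently overwrites the current key pair, which is worth a comment or an existence check.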
diff --git a/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-private.age b/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-private.age
new file mode 100644
index 0000000..586a266
--- /dev/null
+++ b/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-private.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-public b/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-public
new file mode 100644
index 0000000..7654a2c
--- /dev/null
+++ b/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-public
@@ -0,0 +1 @@
+U0eOxgLD3yK7PKzQRSZdJ3EH/UwVxPeYmfm42gYXsDg=
\ No newline at end of file